Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Type System for Expressive Security Policies David Walker Cornell University.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "A Type System for Expressive Security Policies David Walker Cornell University."— Presentation transcript:

1 A Type System for Expressive Security Policies David Walker Cornell University

2 PoPL ’00David Walker, Cornell University2 Extensible Systems Extensible systems are everywhere: –web browsers, extensible operating systems, servers and databases Critical Problem: Security Code System Interface Download, Link & Execute

3 PoPL ’00David Walker, Cornell University3 Certified Code Attach annotations (types, proofs,...) to untrusted code Annotations make verification of security properties feasible Untrusted Code System Interface Download & Verify Annotations Link & Execute Secure Code

4 PoPL ’00David Walker, Cornell University4 Certifying Compilation An Advantage –Increased Trustworthiness verification occurs after compilation compiler bugs will not result in security holes A Disadvantage –Certificates may be difficult to produce

5 PoPL ’00David Walker, Cornell University5 Producing Certified Code High-level Program Compile Optimize Annotated Program Transmit Certificate production must be automated Necessary components: 1) a source-level programming language 2) a compiler to compile, annotate, and optimize source programs 3) a transmission language that certifies security properties user annotations

6 PoPL ’00David Walker, Cornell University6 So Far... Type Safe High-level Program Compile Optimize Typed Program Transmit 1) a strongly typed source-level programming language 2) a type-preserving compiler to compile, annotate, and optimize source programs 3) a transmission language that certifies type-safety properties types

7 PoPL ’00David Walker, Cornell University7 Examples Proof-Carrying Code [Necula & Lee] –compilers produce type safety proofs Typed Assembly Language [Morrisett, Walker, et al] –guarantees type safety properties Efficient Code Certification [Kozen] –uses typing information to guarantee control- flow and memory safety properties Proof-Carrying Code [Appel & Felty] –construct types from low-level primitives

8 PoPL ’00David Walker, Cornell University8 Conventional Type Safety Conventional types ensure basic safety: –basic operations performed correctly –abstraction/interfaces hide data representations and system code Conventional types don't describe complex policies –eg: policies that depend upon history Melissa virus reads Outlook contacts list and then sends 50 emails

9 PoPL ’00David Walker, Cornell University9 Security in Practice Security via code instrumentation –insert security state and check dynamically –use static analysis to minimize run-time overhead –SFI [Wahbe et al], –SASI [Erlingsson & Schneider], –Naccio [Evans & Twyman], –[Colcombet & Fradet], …

10 PoPL ’00David Walker, Cornell University10 This Paper Combines two ideas: –certifying compilation –security via code instrumentation The Result: –a system for secure certified code high-level security policy specifications an automatic translation into low-level code security enforced by static & dynamic checking

11 PoPL ’00David Walker, Cornell University11 Strategy Security Automata specify security properties [Erlingsson & Schneider] Compilation inserts typing annotations & dynamic checks where necessary A dependently-typed target language provides a framework for verification –can express & enforce any security automaton policy –provably sound

12 PoPL ’00David Walker, Cornell University12 Security Architecture High-level Program Compile Optimize Secure Typed Program Transmit Security Automaton Secure Typed Interface Type Check System Interface Annotate Secure Executable

13 PoPL ’00David Walker, Cornell University13 Security Automata A general mechanism for specifying security policies Enforce any safety property –access control policies: “cannot access file foo” –resource bound policies: “allocate no more than 1M of memory” –the Melissa policy: “no network send after file read”

14 PoPL ’00David Walker, Cornell University14 Example Policy: No send operation after a read operation States: start, has read, bad Inputs (program operations): send, read Transitions (state x input -> state): –start x read(f) -> has read start has read read(f) sendread(f) bad send

15 PoPL ’00David Walker, Cornell University15 Example Cont’d start has read read(f) sendread(f) bad send % untrusted program% s.a.: start state send(); % ok -> start read(f); % ok -> has read send(); % bad, security violation S.A. monitor program execution Entering the bad state = security violation

16 PoPL ’00David Walker, Cornell University16 Enforcing S.A. Specs Every security-relevant operation has an associated function: check op Trusted, provided by policy writer check op implements the s.a. transition function check send (state) = if state = start then start else bad

17 PoPL ’00David Walker, Cornell University17 Enforcing S.A. Specs Rewrite programs: let next_state = check send (current_state) in if next_state = bad then halt else % next state is ok send()

18 PoPL ’00David Walker, Cornell University18 Questions How do we verify instrumented code? –is this safe? let next_state = check send (other_state) in if next_state = bad then halt else % next state is ok send() Can we optimize certified code?

19 PoPL ’00David Walker, Cornell University19 Verification Basic types ensure standard type safety –functions and data used as intended and cannot be confused –security checks can’t be circumvented Introduce a logic into the type system to express complex invariants Use the logic to encode the s.a. policy Use the logic to prove checks unnecessary

20 PoPL ’00David Walker, Cornell University20 Target Language Types Predicates: –describe security states –describe automaton transitions –describe dependencies between values Function types include predicates so they can specify preconditions: –foo:  [  1,  2,P 1 (  1,  2 ),P 2 (  1 )].  1 ->  2

21 PoPL ’00David Walker, Cornell University21 Secure Functions Each security-relevant function has a type specifying 3 additional preconditions eg: the send function: – P 1 : in_state(current_state) – P 2 : transition send (current_state,next_state) – P 3 : next_state  bad Pre: P 1 & P 2 & P 3 Post: in_state(next_state) The precondition ensures calling send won’t result in a security violation

22 PoPL ’00David Walker, Cornell University22 Run-time Security Checks Dynamic checks propagate information into the type system eg: check send (state) Post:  next_state. transition send (state,next_state) & result = next_state conditional tests: if state = bad then % assume state = bad... else % assume state  bad...

23 PoPL ’00David Walker, Cornell University23 Example % P 1 : in_state(current_state) let next_state = check_send(current_state) in % P 2 : transition send (current_state,next_state) if next_state = bad then halt else % P 3 : next_state  bad send() % P 1 & P 2 & P 3 imply send is ok

24 PoPL ’00David Walker, Cornell University24 Optimization Analysis of s.a. structure makes redundant check elimination possible –eg: –supply the type checker with the fact transition send (start,start) and verify: if current = start then send(); send (); send (); … start has read read(f) sendread(f) bad send

25 PoPL ’00David Walker, Cornell University25 Related Work Program verification –abstract interpretation, data flow & control flow analysis, model checking, soft typing, verification condition generation & theorem proving,... Dependent types in compiler ILs –Xi & Pfenning, Crary & Weirich,... Security properties of typed languages –Leroy & Rouaix,...

26 PoPL ’00David Walker, Cornell University26 Summary A recipe for secure certified code: –types ensure basic safety prevent dynamic checks from being circumvented provide a framework for reasoning about programs –security automata specify expressive policies dynamic checking when policies can’t be proven statically

Download ppt "A Type System for Expressive Security Policies David Walker Cornell University."

Similar presentations

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.

March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.

Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.
ActionScript In-lined Reference Monitoring in Prolog Meera Sridhar and Kevin W. Hamlen The University of Texas at Dallas January 18, 2010 Supported by.

ActionScript In-lined Reference Monitoring in Prolog Meera Sridhar and Kevin W. Hamlen The University of Texas at Dallas January 18, 2010 Supported by.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University.

Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University.
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
AndroidCompiler. Layout Motivation Literature Review AndroidCompiler Future Works.

AndroidCompiler. Layout Motivation Literature Review AndroidCompiler Future Works.
CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)

CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)
Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.

Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.

Similar presentations

Ads by Google