Presentation is loading. Please wait.

Presentation is loading. Please wait.

Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison

Published byJuniper Moody Modified over 8 years ago

Similar presentations

Presentation on theme: "Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison"— Presentation transcript:

1 Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu

2 Vinod GanapathyRetrofitting Legacy Code for Security2 Principle of Design for Security  Historic example: MULTICS [Corbato et al. ‘65]  More recent examples: Operating systems Database servers To create a secure system, design it to be secure from the ground up

3 Vinod GanapathyRetrofitting Legacy Code for Security3 Relevance of the Principle today  Deadline-driven software development Design.Build.(Patch)* is here to stay  Diverse/Evolving security requirements MULTICS security study [Karger and Schell, ‘72] Most deployed software is not designed for security

4 Vinod GanapathyRetrofitting Legacy Code for Security4 Retrofitting legacy code Need systematic techniques to retrofit legacy code for security Legacy code Retrofitted code INSECURE SECURE

5 Vinod GanapathyRetrofitting Legacy Code for Security5 Retrofitting legacy code  Enforcing type safety CCured [Necula et al. ’02]  Partitioning for privilege separation PrivTrans [Brumley and Song, ’04]  Enforcing authorization policies Need systematic techniques to retrofit legacy code for security

6 Vinod GanapathyRetrofitting Legacy Code for Security6 Resource manager Enforcing authorization policies Resource user Operation requestResponse Authorization policy ‹ Alice, /etc/passwd, File_Read › Reference monitor Allowed? YES/NO

7 Vinod GanapathyRetrofitting Legacy Code for Security7 Retrofitting for authorization  Mandatory access control for Linux Linux Security Modules [Wright et al.,’02] SELinux [Loscocco and Smalley,’01]  Secure windowing systems Trusted X, Compartmented-mode workstation, X11/SELinux [Epstein et al.,’90][Berger et al.,’90][Kilpatrick et al.,’03]  Java Virtual Machine/SELinux [Fletcher,‘06]  IBM Websphere/SELinux [Hocking et al.,‘06] Painstaking, manual procedure

8 Vinod GanapathyRetrofitting Legacy Code for Security8 Contributions  Fingerprints: New abstraction to represent security-sensitive operations  Reduced effort to retrofit legacy code for authorization policy enforcement From several years to a few hours Applied to X server, Linux kernel, PennMUSH Analyses and transformations for authorization policy enforcement

9 Vinod GanapathyRetrofitting Legacy Code for Security9 Outline  Motivation  Problem Example Retrofitting legacy code: Lifecycle  Solution

10 Vinod GanapathyRetrofitting Legacy Code for Security10 X server with multiple X clients REMOTE LOCAL

11 Vinod GanapathyRetrofitting Legacy Code for Security11 REMOTE Malicious remote X client LOCAL

12 Vinod GanapathyRetrofitting Legacy Code for Security12 REMOTE Undesirable information flow LOCAL

13 Vinod GanapathyRetrofitting Legacy Code for Security13 Desirable information flow LOCAL REMOTE

14 Vinod GanapathyRetrofitting Legacy Code for Security14 Other policies to enforce  Prevent unauthorized Copy and paste Modification of inputs meant for other clients Changes to window settings of other clients Retrieval of bitmaps: Screenshots [Berger et al., ’90] [Epstein et al., ‘90] [Kilpatrick et al., ‘03]

15 Vinod GanapathyRetrofitting Legacy Code for Security15 X server X server with authorization X client Operation requestResponse Authorization policy Reference monitor Allowed? YES/NO

16 Vinod GanapathyRetrofitting Legacy Code for Security16 Outline  Motivation  Problem Example Retrofitting legacy code: Lifecycle  Solution

17 Vinod GanapathyRetrofitting Legacy Code for Security17 Retrofitting lifecycle 1.Identify security-sensitive operations 2.Locate where they are performed in code 3.Instrument these locations Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source Code Policy checks Can the client receive this Input_Event ?

18 Vinod GanapathyRetrofitting Legacy Code for Security18 Problems  Time-consuming X11/SELinux ~ 2 years [Kilpatrick et al., ‘03] Linux Security Modules ~ 2 years [Wright et al., ‘02]  Error-prone [Zhang et al., ‘02][Jaeger et al., ‘04] Violation of complete mediation Time-of-check to Time-of-use bugs

19 Vinod GanapathyRetrofitting Legacy Code for Security19 Our approach  Retrofitting takes just a few hours Automatic analysis: ~ minutes Interpreting results: ~ hours  Basis to prove security of retrofitted code Reduces errors Reduces manual effort

20 Vinod GanapathyRetrofitting Legacy Code for Security20 Approach overview Legacy code Retrofitted code Miner Fingerprints Matcher

21 Vinod GanapathyRetrofitting Legacy Code for Security21 Outline  Motivation  Problem  Solution Fingerprints [CCS’05] Dynamic fingerprint mining Static fingerprint mining

22 Vinod GanapathyRetrofitting Legacy Code for Security22 What are fingerprints?  Resource accesses that are unique to a security-sensitive operation  Denote key steps needed to perform the security-sensitive operation on a resource Code-level signatures of security-sensitive operations

23 Vinod GanapathyRetrofitting Legacy Code for Security23 Examples of fingerprints  Input_Event :- Cmp xEvent->type == KeyPress Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source Code

24 Vinod GanapathyRetrofitting Legacy Code for Security24 Examples of fingerprints  Input_Event :- Cmp xEvent->type == KeyPress  Input_Event :- Cmp xEvent->type == MouseMove  Map :- Set Window->mapped to True & Set xEvent->type to MapNotify  Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0

25 Vinod GanapathyRetrofitting Legacy Code for Security25 MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) {... // Code that maps each child window... } Fingerprint matching  X server function MapSubWindows Performs Enumerate Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0

26 Vinod GanapathyRetrofitting Legacy Code for Security26 MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows if CHECK(pClient,pParent,Enumerate) == ALLOWED { pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) {... // Code that maps each child window... } } else { HANDLE_FAILURE } } Placing authorization checks  X server function MapSubWindows

27 Vinod GanapathyRetrofitting Legacy Code for Security27 Fingerprint matching  Currently employ simple pattern matching  More sophisticated matching possible Metacompilation [Engler et al., ‘01] MOPS [Chen and Wagner, ‘02]  Inserting authorization checks is akin to static aspect-weaving [Kiczales et al., ’97]  Other aspect-weaving techniques possible Runtime aspect-weaving

28 Vinod GanapathyRetrofitting Legacy Code for Security28 Outline  Motivation  Problem  Solution Fingerprints Dynamic fingerprint mining [Oakland’06] Static fingerprint mining

29 Vinod GanapathyRetrofitting Legacy Code for Security29 Dynamic fingerprint mining Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source Code Output: Fingerprints Input_Event :- Cmp xEvent->type == KeyPress

30 Vinod GanapathyRetrofitting Legacy Code for Security30 Dynamic fingerprint mining  Security-sensitive operations [NSA’03]  Use this information to induce the program to perform security-sensitive operations Input_Event Input to window from device Create Create new window Destroy Destroy existing window Map Map window to console

31 Vinod GanapathyRetrofitting Legacy Code for Security31 Problem definition  S: Set of security-sensitive operations  D: Descriptions of operations in S  R: Set of resource accesses Read/Set/Cmp of Window / xEvent  Each s є S has a fingerprint A fingerprint is a subset of R Contains a resource access unique to s  Problem: Find fingerprints for each security-sensitive operation in S using D

32 Vinod GanapathyRetrofitting Legacy Code for Security32 Traces contain fingerprints  Induce security-sensitive operation Typing to window will induce Input_Event  Fingerprint must be in runtime trace Cmp xEvent->type == KeyPress Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source CodeRuntime trace

33 Vinod GanapathyRetrofitting Legacy Code for Security33 Compare traces to localize  Localize fingerprint in trace Trace difference and intersection Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source CodeRuntime trace

34 Vinod GanapathyRetrofitting Legacy Code for Security34 Runtime traces  Trace the program and record reads/writes to resource data structures Window and xEvent in our experiments  Example: from X server startup (In function SetWindowtoDefaults ) Set Window->prevSib to 0 Set Window->firstChild to 0 Set Window->lastChild to 0 … about 1400 such resource accesses

35 Vinod GanapathyRetrofitting Legacy Code for Security35 Using traces for fingerprinting  Obtain traces for each security-sensitive operation Series of controlled tracing experiments  Examples Typing to keyboard generates Input_Event Creating new window generates Create Creating window also generates Map Closing existing window generates Destroy

36 Vinod GanapathyRetrofitting Legacy Code for Security36 Comparison with “diff” and “∩” Open xterm Close xterm Move xterm Open browser Switch windows Create Destroy Map Unmap Input_Event Annotation is a manual step

37 Vinod GanapathyRetrofitting Legacy Code for Security37 - Move xterm Create = Open xterm ∩ Open browser Comparison with “diff” and “∩” Open xterm Close xterm Move xterm Open browser Switch windows Create Destroy Map Unmap Input_Event Perform same set operations on resource accesses

38 Vinod GanapathyRetrofitting Legacy Code for Security38 Set equations  Each trace has a set of labels Open xterm : { Create, Map } Browser: { Create, Destroy, Map, Unmap } Move xterm : { Map, Input_Event }  Need set equation for { Create } Compute an exact cover for this set Open xterm ∩ Open browser – Move xterm  Perform the same set operations on the set of resource accesses in each trace

39 Vinod GanapathyRetrofitting Legacy Code for Security39 Experimental methodology Source code Server with logging enabled Raw traces Relevant portions of traces Pruned traces gcc –-enable-logging Run experiments and collect traces Localize security-sensitive operation Compare traces with “diff” and “∩”

40 Vinod GanapathyRetrofitting Legacy Code for Security40 Dynamic mining: Results Size Each fingerprint localized to within 126 resource accesses

41 Vinod GanapathyRetrofitting Legacy Code for Security41 1.Incomplete: False negatives 2.High-level description needed 3.Operations are manually induced Limitations of dynamic mining Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source CodeRuntime trace

42 Vinod GanapathyRetrofitting Legacy Code for Security42 Outline  Motivation  Problem  Solution Fingerprints Dynamic fingerprint mining Static fingerprint mining [ICSE’07]

43 Vinod GanapathyRetrofitting Legacy Code for Security43 Static fingerprint mining Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source Code Output: Candidate Fingerprints Cmp xEvent->type == KeyPress Resources Window xEvent

44 Vinod GanapathyRetrofitting Legacy Code for Security44 Problem definition  R: Set of resource accesses Read/Set/Cmp of Window / xEvent  Each trace of the program contains a set of resource accesses from R  Problem: Compute smallest mutually disjoint partition P = {C 1, C 2, …, C n } of R R = C 1 U C 2 U … U C n Resource accesses in each trace of the program are composed of elements of P

45 Vinod GanapathyRetrofitting Legacy Code for Security45 Problem definition  C 1, C 2, …, C n called candidate fingerprints  Hypothesis: Candidate fingerprints represent security-sensitive operations C1C1 C2C2 C3C3 C4C4 C1C1 C2C2 C4C4 C4C4

46 Vinod GanapathyRetrofitting Legacy Code for Security46  Each entry point implicitly defines a set of traces through the program  Resource accesses performed by these traces can be statically characterized Entry points define traces Source CodeProgram traces API

47 Vinod GanapathyRetrofitting Legacy Code for Security47 Static analysis  Extract resource accesses potentially possible via each entry point  Example from the X server Entry point: MapSubWindows(…) Resource accesses: Set xEvent->type To MapNotify Set Window->mapped To True Read Window->firstChild Read Window->nextSib Cmp Window ≠ 0

48 Vinod GanapathyRetrofitting Legacy Code for Security48 Resource accesses MapSub Windows Map Window Keyboard Input Set xEvent->type To MapNotify Set Window->mapped To True Read Window->firstChild Read Window->nextSib Cmp Window ≠ 0 Cmp xEvent->type== KeyPress 270 API functions 430 distinct resource accesses Identify candidate fingerprints by comparing resource accesses

49 Vinod GanapathyRetrofitting Legacy Code for Security49 Features Instances Concept analysis MapSub Windows Map Window Keyboard Input Set xEvent->type To MapNotify Set Window->mapped To True Read Window->firstChild Read Window->nextSib Cmp Window ≠ 0 Cmp xEvent->type== KeyPress Comparison via hierarchical clustering

50 Vinod GanapathyRetrofitting Legacy Code for Security50 ABC 123456123456 Hierarchical clustering Cmp xEvent->type== KeyPress Cmp Window ≠ 0 Read Window->nextSib Read Window->firstChild Set Window->mapped To True Set xEvent->type To MapNotify Keyboard Input Map Window MapSub Windows {A,B,C}, Ф {A,B}, {1,2} {A}, {1,2,3,4,5} {C}, {6} Ф, {1,2,3,4,5,6}

51 Vinod GanapathyRetrofitting Legacy Code for Security51 {A}, {1,2,3,4,5} ABC 123456123456 Mining candidate fingerprints Cmp xEvent->type== KeyPress Cmp Window ≠ 0 Read Window->nextSib Read Window->firstChild Set Window->mapped To True Set xEvent->type To MapNotify Keyboard Input Map Window MapSub Windows {A,B,C}, Ф {A,B}, {1,2} {C}, {6} Ф, {1,2,3,4,5,6} Cand. Fing. 1 Cand. Fing. 2 Cand. Fing. 3

52 Vinod GanapathyRetrofitting Legacy Code for Security52 Static mining: Results 1.438 3.7115 3.718 94,014PennMUSH 30,096X Server/dix 4,476ext2 Avg. SizeCand. Fing.LOCBenchmark

53 Vinod GanapathyRetrofitting Legacy Code for Security53 X Server/dix ext2 Benchmark 22 11 Manually identified Security-sensitive ops Candidate fingerprints Static mining: Results 115 18 Able to find at least one fingerprint for each security-sensitive operation

54 Vinod GanapathyRetrofitting Legacy Code for Security54 Identified automatically in a few minutes Interpretation takes just a few hours Identified as part of multi-year efforts Static mining: Results 115 18 X Server/dix ext2 Benchmark 22 11 Manually identified Security-sensitive ops Candidate fingerprints

55 Vinod GanapathyRetrofitting Legacy Code for Security55  Associated 59 candidate fingerprints with security-sensitive operations  Remaining are likely security-sensitive too Static mining: Results X Server/dix ext2 Benchmark 22 11 Manually identified Security-sensitive ops Candidate fingerprints 115 18 Read Window->DrawableRec->width & Read Window->DrawableRec->height

56 Vinod GanapathyRetrofitting Legacy Code for Security56 Summary of contributions Input_Event Create Destroy Copy Paste Map Can the client receive this Input_Event ? Fingerprints Matching [CCS’05] Mining [Oakland’06][ICSE’07]

57 Vinod GanapathyRetrofitting Legacy Code for Security57 Implications  Before: Approximately 2 years  After: Few hours Analysis: ~ minutes; Interpretation: ~ hours  Before: Violation of complete mediation  After: Basis to prove security Can reduce manual effort Can reduce errors

58 Vinod GanapathyRetrofitting Legacy Code for Security58 Future work  Emitting security proofs Guarantee that retrofitted code satisfies principle of complete mediation Counter-example  must add additional authorization checks  More expressive fingerprint languages Temporal information on resource accesses Encode dataflow facts in fingerprints

59 Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu http://www.cs.wisc.edu/~vg

Download ppt "Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison"

Similar presentations

Retrofitting Legacy Code for Authorization Policy Enforcement Vinod Ganapathy Trent Jaeger Somesh Jha

Retrofitting Legacy Code for Authorization Policy Enforcement Vinod Ganapathy Trent Jaeger Somesh Jha
Operating System Security

Operating System Security
Enforcing Security Policies using Transactional Memory Introspection Vinod Ganapathy Rutgers University Arnar BirgissonMohan Dhawan Ulfar ErlingssonLiviu.

Enforcing Security Policies using Transactional Memory Introspection Vinod Ganapathy Rutgers University Arnar BirgissonMohan Dhawan Ulfar ErlingssonLiviu.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Software Security Issues in Embedded Systems Somesh Jha University of Wisconsin.

Software Security Issues in Embedded Systems Somesh Jha University of Wisconsin.
Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.

Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.
Toward Automated Authorization Policy Enforcement Vinod Ganapathy Trent Jaeger Somesh Jha March 1 st,

Toward Automated Authorization Policy Enforcement Vinod Ganapathy Trent Jaeger Somesh Jha March 1 st,
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
2 Object-Oriented Analysis and Design with the Unified Process Objectives  Explain how statecharts can be used to describe system behaviors  Use statecharts.

2 Object-Oriented Analysis and Design with the Unified Process Objectives  Explain how statecharts can be used to describe system behaviors  Use statecharts.
Bilkent University Department of Computer Engineering

Bilkent University Department of Computer Engineering
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Combining Static and Dynamic Data in Code Visualization David Eng Sable Research Group, McGill University PASTE 2002 Charleston, South Carolina November.

Combining Static and Dynamic Data in Code Visualization David Eng Sable Research Group, McGill University PASTE 2002 Charleston, South Carolina November.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.

Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.
Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.

Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.
Semantics with Applications Mooly Sagiv Schrirber 317 03-640-7606 html://www.cs.tau.ac.il/~msagiv/courses/sem08.html Textbooks:Winskel The.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Chapter 14: Protection.

Chapter 14: Protection.

Similar presentations

Ads by Google