A Type System for Expressive Security Policies David Walker Cornell University.

Slides:

Advertisements

Similar presentations

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Advertisements

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.

ActionScript In-lined Reference Monitoring in Prolog Meera Sridhar and Kevin W. Hamlen The University of Texas at Dallas January 18, 2010 Supported by.

Background information Formal verification methods based on theorem proving techniques and modelchecking –to prove the absence of errors (in the formal.

ISBN Chapter 3 Describing Syntax and Semantics.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University.

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

AndroidCompiler. Layout Motivation Literature Review AndroidCompiler Future Works.

CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)

Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.

Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.

Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.

Automatically Proving the Correctness of Compiler Optimizations Sorin Lerner Todd Millstein Craig Chambers University of Washington.

Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 A Dependently Typed Assembly Language Hongwei Xi University of Cincinnati and Robert Harper Carnegie Mellon University.

Proofs, Types, and Safe Mobile Code CoS 598E David Walker.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Language-Based Security Proof-Carrying Code Greg Morrisett Cornell University Thanks to G.Necula & P.Lee.

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

More Enforceable Security Policies Lujo Bauer, Jay Ligatti and David Walker Princeton University (graciously presented by Iliano Cervesato)

From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.

Secure Certifying Compilation David Walker Cornell University What do you want to type check today?

Harmless Advice Daniel S Dantas Princeton University with Prof. David Walker.

The Practice of Type Theory in Programming Languages Robert Harper Carnegie Mellon University August, 2000.

Describing Syntax and Semantics

Mechanized Metatheory for User- Defined Type Extensions Dan Marino, Brian Chin, Todd Millstein UCLA Gang Tan Boston College Robert J. Simmons, David Walker.

Advanced Type Systems for Low-Level Languages Greg Morrisett Cornell University.

Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.

1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.

Extensible Code Verification Kun Gao (Senior EECS) with Professor George Necula, Evan Chang, Robert Schneck, Adam Chlipala An individual receives code.

Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.

Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.

Typed Assembly Languages and Security Automatons Ben Watson The George Washington University CS 297 Security and Programming Languages June 2, 2005.

Containment and Integrity for Mobile Code Security policies as types Andrew Myers Fred Schneider Department of Computer Science Cornell University.

Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.

Let’s Stop Beating Dead Horses, and Start Beating Trojan Horses! David Evans INFOSEC Malicious Code Workshop San Antonio, 13.

Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.

Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.

CS 363 Comparative Programming Languages Semantics.

Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.

© Andrew IrelandDependable Systems Group Static Analysis and Program Proof Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University.

Semantics In Text: Chapter 3.

Secure Compiler Seminar 4/11 Visions toward a Secure Compiler Toshihiro YOSHINO (D1, Yonezawa Lab.)

Recognizing safety and liveness Presented by Qian Huang.

Policy-Directed Code Safety David Evans April 1999 Software Devices and Systems MIT Lab for Computer Science.

Version 02U-1 Computer Security: Art and Science1 Correctness by Construction: Developing a Commercial Secure System by Anthony Hall Roderick Chapman.

SASI Enforcement of Security Policies : A Retrospective* PSLab 오민경.

SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.

Formal Verification. Background Information Formal verification methods based on theorem proving techniques and modelchecking –To prove the absence of.

1 Jay Ligatti (Princeton University); joint work with: Lujo Bauer (Carnegie Mellon University), David Walker (Princeton University) Enforcing Non-safety.

Suman Jana *Original slides from Vitaly Shmatikov

TALx86: A Realistic Typed Assembly Language

State your reasons or how to keep proofs while optimizing code

Logical architecture refinement

Enforcing Non-safety Security Policies with Program Monitors

New Research in Software Security

Lecture 19: Proof-Carrying Code Background just got here last week

Presentation transcript:

A Type System for Expressive Security Policies David Walker Cornell University

PoPL ’00David Walker, Cornell University2 Extensible Systems Extensible systems are everywhere: –web browsers, extensible operating systems, servers and databases Critical Problem: Security Code System Interface Download, Link & Execute

PoPL ’00David Walker, Cornell University3 Certified Code Attach annotations (types, proofs,...) to untrusted code Annotations make verification of security properties feasible Untrusted Code System Interface Download & Verify Annotations Link & Execute Secure Code

PoPL ’00David Walker, Cornell University4 Certifying Compilation An Advantage –Increased Trustworthiness verification occurs after compilation compiler bugs will not result in security holes A Disadvantage –Certificates may be difficult to produce

PoPL ’00David Walker, Cornell University5 Producing Certified Code High-level Program Compile Optimize Annotated Program Transmit Certificate production must be automated Necessary components: 1) a source-level programming language 2) a compiler to compile, annotate, and optimize source programs 3) a transmission language that certifies security properties user annotations

PoPL ’00David Walker, Cornell University6 So Far... Type Safe High-level Program Compile Optimize Typed Program Transmit 1) a strongly typed source-level programming language 2) a type-preserving compiler to compile, annotate, and optimize source programs 3) a transmission language that certifies type-safety properties types

PoPL ’00David Walker, Cornell University7 Examples Proof-Carrying Code [Necula & Lee] –compilers produce type safety proofs Typed Assembly Language [Morrisett, Walker, et al] –guarantees type safety properties Efficient Code Certification [Kozen] –uses typing information to guarantee control- flow and memory safety properties Proof-Carrying Code [Appel & Felty] –construct types from low-level primitives

PoPL ’00David Walker, Cornell University8 Conventional Type Safety Conventional types ensure basic safety: –basic operations performed correctly –abstraction/interfaces hide data representations and system code Conventional types don't describe complex policies –eg: policies that depend upon history Melissa virus reads Outlook contacts list and then sends 50 s

PoPL ’00David Walker, Cornell University9 Security in Practice Security via code instrumentation –insert security state and check dynamically –use static analysis to minimize run-time overhead –SFI [Wahbe et al], –SASI [Erlingsson & Schneider], –Naccio [Evans & Twyman], –[Colcombet & Fradet], …

PoPL ’00David Walker, Cornell University10 This Paper Combines two ideas: –certifying compilation –security via code instrumentation The Result: –a system for secure certified code high-level security policy specifications an automatic translation into low-level code security enforced by static & dynamic checking

PoPL ’00David Walker, Cornell University11 Strategy Security Automata specify security properties [Erlingsson & Schneider] Compilation inserts typing annotations & dynamic checks where necessary A dependently-typed target language provides a framework for verification –can express & enforce any security automaton policy –provably sound

PoPL ’00David Walker, Cornell University12 Security Architecture High-level Program Compile Optimize Secure Typed Program Transmit Security Automaton Secure Typed Interface Type Check System Interface Annotate Secure Executable

PoPL ’00David Walker, Cornell University13 Security Automata A general mechanism for specifying security policies Enforce any safety property –access control policies: “cannot access file foo” –resource bound policies: “allocate no more than 1M of memory” –the Melissa policy: “no network send after file read”

PoPL ’00David Walker, Cornell University14 Example Policy: No send operation after a read operation States: start, has read, bad Inputs (program operations): send, read Transitions (state x input -> state): –start x read(f) -> has read start has read read(f) sendread(f) bad send

PoPL ’00David Walker, Cornell University15 Example Cont’d start has read read(f) sendread(f) bad send % untrusted program% s.a.: start state send(); % ok -> start read(f); % ok -> has read send(); % bad, security violation S.A. monitor program execution Entering the bad state = security violation

PoPL ’00David Walker, Cornell University16 Enforcing S.A. Specs Every security-relevant operation has an associated function: check op Trusted, provided by policy writer check op implements the s.a. transition function check send (state) = if state = start then start else bad

PoPL ’00David Walker, Cornell University17 Enforcing S.A. Specs Rewrite programs: let next_state = check send (current_state) in if next_state = bad then halt else % next state is ok send()

PoPL ’00David Walker, Cornell University18 Questions How do we verify instrumented code? –is this safe? let next_state = check send (other_state) in if next_state = bad then halt else % next state is ok send() Can we optimize certified code?

PoPL ’00David Walker, Cornell University19 Verification Basic types ensure standard type safety –functions and data used as intended and cannot be confused –security checks can’t be circumvented Introduce a logic into the type system to express complex invariants Use the logic to encode the s.a. policy Use the logic to prove checks unnecessary

PoPL ’00David Walker, Cornell University20 Target Language Types Predicates: –describe security states –describe automaton transitions –describe dependencies between values Function types include predicates so they can specify preconditions: –foo:  [  1,  2,P 1 (  1,  2 ),P 2 (  1 )].  1 ->  2

PoPL ’00David Walker, Cornell University21 Secure Functions Each security-relevant function has a type specifying 3 additional preconditions eg: the send function: – P 1 : in_state(current_state) – P 2 : transition send (current_state,next_state) – P 3 : next_state  bad Pre: P 1 & P 2 & P 3 Post: in_state(next_state) The precondition ensures calling send won’t result in a security violation

PoPL ’00David Walker, Cornell University22 Run-time Security Checks Dynamic checks propagate information into the type system eg: check send (state) Post:  next_state. transition send (state,next_state) & result = next_state conditional tests: if state = bad then % assume state = bad... else % assume state  bad...

PoPL ’00David Walker, Cornell University23 Example % P 1 : in_state(current_state) let next_state = check_send(current_state) in % P 2 : transition send (current_state,next_state) if next_state = bad then halt else % P 3 : next_state  bad send() % P 1 & P 2 & P 3 imply send is ok

PoPL ’00David Walker, Cornell University24 Optimization Analysis of s.a. structure makes redundant check elimination possible –eg: –supply the type checker with the fact transition send (start,start) and verify: if current = start then send(); send (); send (); … start has read read(f) sendread(f) bad send

PoPL ’00David Walker, Cornell University25 Related Work Program verification –abstract interpretation, data flow & control flow analysis, model checking, soft typing, verification condition generation & theorem proving,... Dependent types in compiler ILs –Xi & Pfenning, Crary & Weirich,... Security properties of typed languages –Leroy & Rouaix,...

PoPL ’00David Walker, Cornell University26 Summary A recipe for secure certified code: –types ensure basic safety prevent dynamic checks from being circumvented provide a framework for reasoning about programs –security automata specify expressive policies dynamic checking when policies can’t be proven statically