Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison

Slides:



Advertisements
Similar presentations
Retrofitting Legacy Code for Authorization Policy Enforcement Vinod Ganapathy Trent Jaeger Somesh Jha
Advertisements

Operating System Security
Enforcing Security Policies using Transactional Memory Introspection Vinod Ganapathy Rutgers University Arnar BirgissonMohan Dhawan Ulfar ErlingssonLiviu.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Software Security Issues in Embedded Systems Somesh Jha University of Wisconsin.
Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.
Toward Automated Authorization Policy Enforcement Vinod Ganapathy Trent Jaeger Somesh Jha March 1 st,
Chapter 6 Security Kernels.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
2 Object-Oriented Analysis and Design with the Unified Process Objectives  Explain how statecharts can be used to describe system behaviors  Use statecharts.
Bilkent University Department of Computer Engineering
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
Combining Static and Dynamic Data in Code Visualization David Eng Sable Research Group, McGill University PASTE 2002 Charleston, South Carolina November.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
A Type System for Expressive Security Policies David Walker Cornell University.
Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Chapter 14: Protection.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Retrofitting Legacy Code for Authorization Policy Enforcement Vinod Ganapathy Ph.D. Thesis Defense Thursday, July 12 th, 2007.
Impact Analysis of Database Schema Changes Andy Maule, Wolfgang Emmerich and David S. Rosenblum London Software Systems Dept. of Computer Science, University.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
1 Yolanda Gil Information Sciences InstituteJanuary 10, 2010 Requirements for caBIG Infrastructure to Support Semantic Workflows Yolanda.
Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Meyers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng. Cornell University.
COMPUTER PROGRAMMING Source: Computing Concepts (the I-series) by Haag, Cummings, and Rhea, McGraw-Hill/Irwin, 2002.
The Architecture of Secure Systems Jim Alves-Foss Laboratory for Applied Logic Department of Computer Science University of Idaho By, Nagaashwini Katta.
A Metadata Based Approach For Supporting Subsetting Queries Over Parallel HDF5 Datasets Vignesh Santhanagopalan Graduate Student Department Of CSE.
Module 7: Fundamentals of Administering Windows Server 2008.
Enforcing Security Policies using Transactional Memory Introspection Vinod Ganapathy Rutgers University Arnar BirgissonMohan Dhawan Ulfar ErlingssonLiviu.
14.1 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 14: Protection Goals of Protection Principles of Protection Domain of Protection.
Domain-Specific Languages for Composing Signature Discovery Workflows Ferosh Jacob*, Adam Wynne+, Yan Liu+, Nathan Baker+, and Jeff Gray* *Department of.
Discovering Computers Fundamentals Fifth Edition Chapter 9 Database Management.
AccessMiner Using System- Centric Models for Malware Protection Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu and Engin Kirda.
Data Management Console Synonym Editor
Problem Solving Techniques. Compiler n Is a computer program whose purpose is to take a description of a desired program coded in a programming language.
Module 11: Read-Only Domain Controllers. Overview Describe the Read-Only Domain Controllers role Use Read-Only Domain Controllers.
Chapter 7 Securing Commercial Operating Systems. Chapter Overview Retrofitting Security into a Commercial OS History of Retrofitting Commercial OS's Commercial.
Section 11: Implementing Software Restriction Policies and AppLocker What Is a Software Restriction Policy? Creating a Software Restriction Policy Using.
Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.
14.1/21 Part 5: protection and security Protection mechanisms control access to a system by limiting the types of file access permitted to users. In addition,
Integrating high-level constructs into programming languages Language extensions to make programming more productive Underspecified programs –give assertions,
0 Penn State, NSRC Industry Day, Trent Jaeger – Past Projects and Results Linux Security –Aim to Build Measurable, High Integrity Linux Systems.
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
CISC Machine Learning for Solving Systems Problems Presented by: Suman Chander B Dept of Computer & Information Sciences University of Delaware Automatic.
Operating Systems Security
The world leader in serving science Overview of Thermo 21 CFR Part 11 tools Overview of software used by multiple business units within the Spectroscopy.
Version 02U-1 Computer Security: Art and Science1 Correctness by Construction: Developing a Commercial Secure System by Anthony Hall Roderick Chapman.
Part I Web Service Composition
Introduction to Active Directory
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Decentralized Information Flow A paper by Myers/Liskov.
Dr. Jeff Teo Class 4 July 2, Deliverables Lecture on Trusted Computing: Evolution and Direction Review of students’ blogs and assignments Summarize.
The Akoma Ntoso Naming Convention Fabio Vitali University of Bologna.
1 A Methodology for automatic retrieval of similarly shaped machinable components Mark Ascher - Dept of ECE.
Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK
1. ABSTRACT Information access through Internet provides intruders various ways of attacking a computer system. Establishment of a safe and strong network.
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
Foundations of information systems : BIS 1202 Lecture 4: Database Systems and Business Intelligence.
Chapter 29: Program Security Dr. Wayne Summers Department of Computer Science Columbus State University
Chapter 14: System Protection
Paper Reading Group:. Language-Based Information-Flow Security. A
Chapter 14: Protection.
Chapter 29: Program Security
Comodo Dome Data Protection
Presentation transcript:

Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison

Vinod GanapathyRetrofitting Legacy Code for Security2 Principle of Design for Security  Historic example: MULTICS [Corbato et al. ‘65]  More recent examples: Operating systems Database servers To create a secure system, design it to be secure from the ground up

Vinod GanapathyRetrofitting Legacy Code for Security3 Relevance of the Principle today  Deadline-driven software development Design.Build.(Patch)* is here to stay  Diverse/Evolving security requirements MULTICS security study [Karger and Schell, ‘72] Most deployed software is not designed for security

Vinod GanapathyRetrofitting Legacy Code for Security4 Retrofitting legacy code Need systematic techniques to retrofit legacy code for security Legacy code Retrofitted code INSECURE SECURE

Vinod GanapathyRetrofitting Legacy Code for Security5 Retrofitting legacy code  Enforcing type safety CCured [Necula et al. ’02]  Partitioning for privilege separation PrivTrans [Brumley and Song, ’04]  Enforcing authorization policies Need systematic techniques to retrofit legacy code for security

Vinod GanapathyRetrofitting Legacy Code for Security6 Resource manager Enforcing authorization policies Resource user Operation requestResponse Authorization policy ‹ Alice, /etc/passwd, File_Read › Reference monitor Allowed? YES/NO

Vinod GanapathyRetrofitting Legacy Code for Security7 Retrofitting for authorization  Mandatory access control for Linux Linux Security Modules [Wright et al.,’02] SELinux [Loscocco and Smalley,’01]  Secure windowing systems Trusted X, Compartmented-mode workstation, X11/SELinux [Epstein et al.,’90][Berger et al.,’90][Kilpatrick et al.,’03]  Java Virtual Machine/SELinux [Fletcher,‘06]  IBM Websphere/SELinux [Hocking et al.,‘06] Painstaking, manual procedure

Vinod GanapathyRetrofitting Legacy Code for Security8 Contributions  Fingerprints: New abstraction to represent security-sensitive operations  Reduced effort to retrofit legacy code for authorization policy enforcement From several years to a few hours Applied to X server, Linux kernel, PennMUSH Analyses and transformations for authorization policy enforcement

Vinod GanapathyRetrofitting Legacy Code for Security9 Outline  Motivation  Problem Example Retrofitting legacy code: Lifecycle  Solution

Vinod GanapathyRetrofitting Legacy Code for Security10 X server with multiple X clients REMOTE LOCAL

Vinod GanapathyRetrofitting Legacy Code for Security11 REMOTE Malicious remote X client LOCAL

Vinod GanapathyRetrofitting Legacy Code for Security12 REMOTE Undesirable information flow LOCAL

Vinod GanapathyRetrofitting Legacy Code for Security13 Desirable information flow LOCAL REMOTE

Vinod GanapathyRetrofitting Legacy Code for Security14 Other policies to enforce  Prevent unauthorized Copy and paste Modification of inputs meant for other clients Changes to window settings of other clients Retrieval of bitmaps: Screenshots [Berger et al., ’90] [Epstein et al., ‘90] [Kilpatrick et al., ‘03]

Vinod GanapathyRetrofitting Legacy Code for Security15 X server X server with authorization X client Operation requestResponse Authorization policy Reference monitor Allowed? YES/NO

Vinod GanapathyRetrofitting Legacy Code for Security16 Outline  Motivation  Problem Example Retrofitting legacy code: Lifecycle  Solution

Vinod GanapathyRetrofitting Legacy Code for Security17 Retrofitting lifecycle 1.Identify security-sensitive operations 2.Locate where they are performed in code 3.Instrument these locations Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source Code Policy checks Can the client receive this Input_Event ?

Vinod GanapathyRetrofitting Legacy Code for Security18 Problems  Time-consuming X11/SELinux ~ 2 years [Kilpatrick et al., ‘03] Linux Security Modules ~ 2 years [Wright et al., ‘02]  Error-prone [Zhang et al., ‘02][Jaeger et al., ‘04] Violation of complete mediation Time-of-check to Time-of-use bugs

Vinod GanapathyRetrofitting Legacy Code for Security19 Our approach  Retrofitting takes just a few hours Automatic analysis: ~ minutes Interpreting results: ~ hours  Basis to prove security of retrofitted code Reduces errors Reduces manual effort

Vinod GanapathyRetrofitting Legacy Code for Security20 Approach overview Legacy code Retrofitted code Miner Fingerprints Matcher

Vinod GanapathyRetrofitting Legacy Code for Security21 Outline  Motivation  Problem  Solution Fingerprints [CCS’05] Dynamic fingerprint mining Static fingerprint mining

Vinod GanapathyRetrofitting Legacy Code for Security22 What are fingerprints?  Resource accesses that are unique to a security-sensitive operation  Denote key steps needed to perform the security-sensitive operation on a resource Code-level signatures of security-sensitive operations

Vinod GanapathyRetrofitting Legacy Code for Security23 Examples of fingerprints  Input_Event :- Cmp xEvent->type == KeyPress Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source Code

Vinod GanapathyRetrofitting Legacy Code for Security24 Examples of fingerprints  Input_Event :- Cmp xEvent->type == KeyPress  Input_Event :- Cmp xEvent->type == MouseMove  Map :- Set Window->mapped to True & Set xEvent->type to MapNotify  Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0

Vinod GanapathyRetrofitting Legacy Code for Security25 MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) {... // Code that maps each child window... } Fingerprint matching  X server function MapSubWindows Performs Enumerate Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0

Vinod GanapathyRetrofitting Legacy Code for Security26 MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows if CHECK(pClient,pParent,Enumerate) == ALLOWED { pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) {... // Code that maps each child window... } } else { HANDLE_FAILURE } } Placing authorization checks  X server function MapSubWindows

Vinod GanapathyRetrofitting Legacy Code for Security27 Fingerprint matching  Currently employ simple pattern matching  More sophisticated matching possible Metacompilation [Engler et al., ‘01] MOPS [Chen and Wagner, ‘02]  Inserting authorization checks is akin to static aspect-weaving [Kiczales et al., ’97]  Other aspect-weaving techniques possible Runtime aspect-weaving

Vinod GanapathyRetrofitting Legacy Code for Security28 Outline  Motivation  Problem  Solution Fingerprints Dynamic fingerprint mining [Oakland’06] Static fingerprint mining

Vinod GanapathyRetrofitting Legacy Code for Security29 Dynamic fingerprint mining Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source Code Output: Fingerprints Input_Event :- Cmp xEvent->type == KeyPress

Vinod GanapathyRetrofitting Legacy Code for Security30 Dynamic fingerprint mining  Security-sensitive operations [NSA’03]  Use this information to induce the program to perform security-sensitive operations Input_Event Input to window from device Create Create new window Destroy Destroy existing window Map Map window to console

Vinod GanapathyRetrofitting Legacy Code for Security31 Problem definition  S: Set of security-sensitive operations  D: Descriptions of operations in S  R: Set of resource accesses Read/Set/Cmp of Window / xEvent  Each s є S has a fingerprint A fingerprint is a subset of R Contains a resource access unique to s  Problem: Find fingerprints for each security-sensitive operation in S using D

Vinod GanapathyRetrofitting Legacy Code for Security32 Traces contain fingerprints  Induce security-sensitive operation Typing to window will induce Input_Event  Fingerprint must be in runtime trace Cmp xEvent->type == KeyPress Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source CodeRuntime trace

Vinod GanapathyRetrofitting Legacy Code for Security33 Compare traces to localize  Localize fingerprint in trace Trace difference and intersection Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source CodeRuntime trace

Vinod GanapathyRetrofitting Legacy Code for Security34 Runtime traces  Trace the program and record reads/writes to resource data structures Window and xEvent in our experiments  Example: from X server startup (In function SetWindowtoDefaults ) Set Window->prevSib to 0 Set Window->firstChild to 0 Set Window->lastChild to 0 … about 1400 such resource accesses

Vinod GanapathyRetrofitting Legacy Code for Security35 Using traces for fingerprinting  Obtain traces for each security-sensitive operation Series of controlled tracing experiments  Examples Typing to keyboard generates Input_Event Creating new window generates Create Creating window also generates Map Closing existing window generates Destroy

Vinod GanapathyRetrofitting Legacy Code for Security36 Comparison with “diff” and “∩” Open xterm Close xterm Move xterm Open browser Switch windows Create Destroy Map Unmap Input_Event Annotation is a manual step

Vinod GanapathyRetrofitting Legacy Code for Security37 - Move xterm Create = Open xterm ∩ Open browser Comparison with “diff” and “∩” Open xterm Close xterm Move xterm Open browser Switch windows Create Destroy Map Unmap Input_Event Perform same set operations on resource accesses

Vinod GanapathyRetrofitting Legacy Code for Security38 Set equations  Each trace has a set of labels Open xterm : { Create, Map } Browser: { Create, Destroy, Map, Unmap } Move xterm : { Map, Input_Event }  Need set equation for { Create } Compute an exact cover for this set Open xterm ∩ Open browser – Move xterm  Perform the same set operations on the set of resource accesses in each trace

Vinod GanapathyRetrofitting Legacy Code for Security39 Experimental methodology Source code Server with logging enabled Raw traces Relevant portions of traces Pruned traces gcc –-enable-logging Run experiments and collect traces Localize security-sensitive operation Compare traces with “diff” and “∩”

Vinod GanapathyRetrofitting Legacy Code for Security40 Dynamic mining: Results Size Each fingerprint localized to within 126 resource accesses

Vinod GanapathyRetrofitting Legacy Code for Security41 1.Incomplete: False negatives 2.High-level description needed 3.Operations are manually induced Limitations of dynamic mining Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source CodeRuntime trace

Vinod GanapathyRetrofitting Legacy Code for Security42 Outline  Motivation  Problem  Solution Fingerprints Dynamic fingerprint mining Static fingerprint mining [ICSE’07]

Vinod GanapathyRetrofitting Legacy Code for Security43 Static fingerprint mining Input_Event Create Destroy Copy Paste Map Security-sensitive operations Source Code Output: Candidate Fingerprints Cmp xEvent->type == KeyPress Resources Window xEvent

Vinod GanapathyRetrofitting Legacy Code for Security44 Problem definition  R: Set of resource accesses Read/Set/Cmp of Window / xEvent  Each trace of the program contains a set of resource accesses from R  Problem: Compute smallest mutually disjoint partition P = {C 1, C 2, …, C n } of R R = C 1 U C 2 U … U C n Resource accesses in each trace of the program are composed of elements of P

Vinod GanapathyRetrofitting Legacy Code for Security45 Problem definition  C 1, C 2, …, C n called candidate fingerprints  Hypothesis: Candidate fingerprints represent security-sensitive operations C1C1 C2C2 C3C3 C4C4 C1C1 C2C2 C4C4 C4C4

Vinod GanapathyRetrofitting Legacy Code for Security46  Each entry point implicitly defines a set of traces through the program  Resource accesses performed by these traces can be statically characterized Entry points define traces Source CodeProgram traces API

Vinod GanapathyRetrofitting Legacy Code for Security47 Static analysis  Extract resource accesses potentially possible via each entry point  Example from the X server Entry point: MapSubWindows(…) Resource accesses: Set xEvent->type To MapNotify Set Window->mapped To True Read Window->firstChild Read Window->nextSib Cmp Window ≠ 0

Vinod GanapathyRetrofitting Legacy Code for Security48 Resource accesses MapSub Windows Map Window Keyboard Input Set xEvent->type To MapNotify Set Window->mapped To True Read Window->firstChild Read Window->nextSib Cmp Window ≠ 0 Cmp xEvent->type== KeyPress 270 API functions 430 distinct resource accesses Identify candidate fingerprints by comparing resource accesses

Vinod GanapathyRetrofitting Legacy Code for Security49 Features Instances Concept analysis MapSub Windows Map Window Keyboard Input Set xEvent->type To MapNotify Set Window->mapped To True Read Window->firstChild Read Window->nextSib Cmp Window ≠ 0 Cmp xEvent->type== KeyPress Comparison via hierarchical clustering

Vinod GanapathyRetrofitting Legacy Code for Security50 ABC Hierarchical clustering Cmp xEvent->type== KeyPress Cmp Window ≠ 0 Read Window->nextSib Read Window->firstChild Set Window->mapped To True Set xEvent->type To MapNotify Keyboard Input Map Window MapSub Windows {A,B,C}, Ф {A,B}, {1,2} {A}, {1,2,3,4,5} {C}, {6} Ф, {1,2,3,4,5,6}

Vinod GanapathyRetrofitting Legacy Code for Security51 {A}, {1,2,3,4,5} ABC Mining candidate fingerprints Cmp xEvent->type== KeyPress Cmp Window ≠ 0 Read Window->nextSib Read Window->firstChild Set Window->mapped To True Set xEvent->type To MapNotify Keyboard Input Map Window MapSub Windows {A,B,C}, Ф {A,B}, {1,2} {C}, {6} Ф, {1,2,3,4,5,6} Cand. Fing. 1 Cand. Fing. 2 Cand. Fing. 3

Vinod GanapathyRetrofitting Legacy Code for Security52 Static mining: Results ,014PennMUSH 30,096X Server/dix 4,476ext2 Avg. SizeCand. Fing.LOCBenchmark

Vinod GanapathyRetrofitting Legacy Code for Security53 X Server/dix ext2 Benchmark Manually identified Security-sensitive ops Candidate fingerprints Static mining: Results Able to find at least one fingerprint for each security-sensitive operation

Vinod GanapathyRetrofitting Legacy Code for Security54 Identified automatically in a few minutes Interpretation takes just a few hours Identified as part of multi-year efforts Static mining: Results X Server/dix ext2 Benchmark Manually identified Security-sensitive ops Candidate fingerprints

Vinod GanapathyRetrofitting Legacy Code for Security55  Associated 59 candidate fingerprints with security-sensitive operations  Remaining are likely security-sensitive too Static mining: Results X Server/dix ext2 Benchmark Manually identified Security-sensitive ops Candidate fingerprints Read Window->DrawableRec->width & Read Window->DrawableRec->height

Vinod GanapathyRetrofitting Legacy Code for Security56 Summary of contributions Input_Event Create Destroy Copy Paste Map Can the client receive this Input_Event ? Fingerprints Matching [CCS’05] Mining [Oakland’06][ICSE’07]

Vinod GanapathyRetrofitting Legacy Code for Security57 Implications  Before: Approximately 2 years  After: Few hours Analysis: ~ minutes; Interpretation: ~ hours  Before: Violation of complete mediation  After: Basis to prove security Can reduce manual effort Can reduce errors

Vinod GanapathyRetrofitting Legacy Code for Security58 Future work  Emitting security proofs Guarantee that retrofitted code satisfies principle of complete mediation Counter-example  must add additional authorization checks  More expressive fingerprint languages Temporal information on resource accesses Encode dataflow facts in fingerprints

Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.