Policy-Directed Code Safety David Evans April 1999 Software Devices and Systems MIT Lab for Computer Science.

Slides:



Advertisements
Similar presentations
Operating Systems Components of OS
Advertisements

1 Copyright © 2005, Oracle. All rights reserved. Introducing the Java and Oracle Platforms.
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Operating System Security : David Phillips A Study of Windows Rootkits.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
Lab Information Security Using Java (Review) Lab#0 Omaima Al-Matrafi.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
Introduction CSCI 444/544 Operating Systems Fall 2008.
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
Lab#1 (14/3/1431h) Introduction To java programming cs425
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.
Presented by IBM developer Works ibm.com/developerworks/ 2006 January – April © 2006 IBM Corporation. Making the most of Creating Eclipse plug-ins.
A Type System for Expressive Security Policies David Walker Cornell University.
Introducing the Common Language Runtime for.NET. The Common Language Runtime The Common Language Runtime (CLR) The Common Language Runtime (CLR) –Execution.
Introducing the Common Language Runtime. The Common Language Runtime The Common Language Runtime (CLR) The Common Language Runtime (CLR) –Execution engine.
1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.
Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
DATABASE MANAGEMENT SYSTEM ARCHITECTURE
Advance Computer Programming Java Database Connectivity (JDBC) – In order to connect a Java application to a database, you need to use a JDBC driver. –
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Previous Next 06/18/2000Shanghai Jiaotong Univ. Computer Science & Engineering Dept. C+J Software Architecture Shanghai Jiaotong University Author: Lu,
REFACTORING Lecture 4. Definition Refactoring is a process of changing the internal structure of the program, not affecting its external behavior and.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 19: Security in Java Real or.
Introduction and Overview Questions answered in this lecture: What is an operating system? How have operating systems evolved? Why study operating systems?
Chapter 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System.
Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.
CS533 Concepts of Operating Systems Jonathan Walpole.
CS266 Software Reverse Engineering (SRE) Reversing and Patching Java Bytecode Teodoro (Ted) Cipresso,
Java 2 security model Valentina Casola. Components of Java the development environment –development lifecycle –Java language features –class files and.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.
Processes Introduction to Operating Systems: Module 3.
David Evans The Bugs and the Bees Research in Programming Languages and Security University of.
Systems for Safety and Dependability David Evans University of Virginia Department of Computer Science.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM
DATABASE MANAGEMENT SYSTEM ARCHITECTURE
Core Java Introduction Byju Veedu Ness Technologies httpdownload.oracle.com/javase/tutorial/getStarted/intro/definition.html.
PRIOR TO WEB SERVICES THE OTHER TECHNOLOGIES ARE:.
Design Patterns Software Engineering CS 561. Last Time Introduced design patterns Abstraction-Occurrence General Hierarchy Player-Role.
SASI Enforcement of Security Policies : A Retrospective* PSLab 오민경.
CSCE 314 Programming Languages Reflection Dr. Hyunyoung Lee 1.
SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.
Classes, Interfaces and Packages
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 18: Malcode Countermeasures.
Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
System Components Operating System Services System Calls.
1 cs205: engineering software university of virginia fall 2006 Running Untrustworthy Code Project team requests: extended until 11pm tonight.
Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.
Types for Programs and Proofs
Protection and OS Structure
An Overview of Java.
Chapter 3: Windows7 Part 1.
CS216: Program and Data Representation
Chap 10 Malicious Software.
Security in Java Real or Decaf? cs205: engineering software
Chapter 3: Operating-System Structures
Chapter 2: Operating-System Structures
Introduction to Operating Systems
Outline Chapter 2 (cont) OS Design OS structure
Chap 10 Malicious Software.
Lecture 17: Defeating Malcode (Shameless Self-Promotion) Background
Chapter 2: Operating-System Structures
Presentation transcript:

Policy-Directed Code Safety David Evans April 1999 Software Devices and Systems MIT Lab for Computer Science

2David EvansPolicy-Directed Code Safety What Are You Afraid Of? Malicious attackers –Melissa Word macro virus Questionable “trusted” programs –Win95 Registration Wizard Buggy programs –Therac-25 User mistakes/bad interfaces – tar –cf *

3David EvansPolicy-Directed Code Safety LCLint [Evans, PLDI ‘96] Programmers add annotations to code Lightweight static checking detects inconsistencies (often bugs) Useful, but can’t provide code safety –Requires source code, expertise and effort –Too hard to prove most properties statically

4David EvansPolicy-Directed Code Safety Solution Space Detect bad programs –Malicious code detector (virus scanners) –Digital signatures Platform limits on what programs can do –Operating system, firewalls, Java sandbox Naccio: alter programs before running

5David EvansPolicy-Directed Code Safety General method for defining policies –Abstract resources –Platform independent System architecture for enforcing policies Program Safe Program Safety Policy My Work

6David EvansPolicy-Directed Code Safety Policy description file Application transformer transformer Program Version of program that: Uses policy-enforcing system library Satisfies low-level code safety Naccio Architecture Platforms in development: JavaVM - program is collection of Java classes Win32 [Andrew Twyman] - Win32 executable Run by sysadmin or user Policycompiler Safety policy definition Policy-enforcing system library Run by policy-author

7David EvansPolicy-Directed Code Safety Related Work Software fault isolation [Wahbe et al, 93] Similar enforcement mechanisms –Execution monitoring [Schneider] –Ariel Project [Pandey, Hashii] Alternative: verify properties –Proof-carrying code [Necula, Lee] –Typed Assembly Language [Morrisett]

8David EvansPolicy-Directed Code Safety System architecture Defining policies Enforcing policies Results Outline Program Safe Program Safety Policy

9David EvansPolicy-Directed Code Safety Example Safety Policies Access constraints –JDK policies Resource use limits –Limit number of bytes that can be written Application-specific policies –TarCustom policy Behavior-modifying policies –Soft bandwidth limit

10David EvansPolicy-Directed Code Safety Describing Policies Internet Explorer 5.0 public class AppletSecurity extends SecurityManager { … public synchronized void checkRead(String file, URL base) { if (base != null) { if (!initACL) { initializeACLs(); } if (readACL == null) { return; } String realPath = null; try { realPath = (new File(file)).getCanonicalPath(); } catch (IOException e) { throw new AppletSecurityException ("checkread.exception1", e.getMessage(), file); … } HotJava SecurityManager Want something: More expressive Easier to produce, understand and reason about

11David EvansPolicy-Directed Code Safety Problem System Library Policy Author’s View Files Resources Policy System View java.io.FileOutputStream.write (a) Disk Platform Interface Program System Library

12David EvansPolicy-Directed Code Safety Safety Policy Definition Resource descriptions: abstract operational descriptions of resources (files, network, …) Platform interface: mapping between system API and abstract resources Resource use policy: constraints on manipulating those resources

13David EvansPolicy-Directed Code Safety Resource Description global resource RFileSystem openRead (file: RFile) Called before file is opened for reading openCreate (file: RFile) Called before new file is created and opened for writing openWrite (file: RFile) Called before existing file is opened for writing write (file: RFile, nbytes: int) Called before nbytes are written to file preRead (file: RFile, nbytes: int) Called before up to nbytes are read from file postRead (file: RFile, nbytes: int) Called after nbytes were read from file … // other operations for observing properties of files, deleting, etc. resource RFile RFile (pathname: String) Constructs object corresponding to pathname

14David EvansPolicy-Directed Code Safety Platform Interface The ugly part - mapping from platform system calls to resource operations For every system procedure either: –Describe its effects on resources, or –Pass through checking to procedures it calls. Platform determines procedures PFI must describe May describe additional methods to: –Improve performance and clarity –Treat system code differently (risky)

15David EvansPolicy-Directed Code Safety Java PFI Excerpt wrapper java.io.FileOutputStream requires RFileMap; state RFile rfile; wrapper void write (byte b[]) if (rfile != null) RFileSystem.write (rfile, b.length); %% // original method call …// wrappers needed for constructors, other write // methods, close and getFD

16David EvansPolicy-Directed Code Safety Resource Use Policy policy LimitWrite NoOverwrite, LimitBytesWritten ( ) property NoOverwrite check RFileSystem.openWrite (file: RFile) violation (“Attempt to overwrite file.”); Policy is collection of properties Properties attach checking code to resource operations

17David EvansPolicy-Directed Code Safety LimitBytesWritten Property stateblock TrackBytesWritten addfield RFileSystem.bytes_written: int = 0; precode RFileSystem.write (file: RFile, nbytes: int) bytes_written += nbytes; property LimitBytesWritten (n: int) requires TrackBytesWritten; check RFileSystem.write (file: RFile, nbytes: int) if (bytes_written > n) violation (“Attempt to write more than ” + n + “ bytes …”);

18David EvansPolicy-Directed Code Safety Enforceable Policies Can enforce any policy that can be defined What can be defined depends on resource operations Resource operations depend on platform interface –Any manipulation done through API calls Cannot write policies that constrain memory and CPU usage –Solutions possible: insert calls

19David EvansPolicy-Directed Code Safety System architecture Defining policies Enforcing policies Results Outline Program Safe Program Safety Policy

20David EvansPolicy-Directed Code Safety Policy description file Resource descriptions System library Java API classes (e.g., java.io.FileOutputStream) Platform interface Describes Java API Platformindependentanalyses Platform dependent analyses and code generation Resource use policy Policy Compiler Policy-enforcing system library Implementations of resource operations –Perform checking described by resource use policy Rewritten Java API classes –Call abstract resource operations as directed by platform interface wrappers Safety policy definition

package naccio.p253.resource; class RFileSystem { static int bytes_written = 0; static void write (RFile file, int nbytes) { bytes_written += nbytes; if (bytes_written > ) Check.violation (“LimitWrite”, “Attempt to write …); } … Policy compiler Resource implementations Resource use policy stateblock TrackBytesWritten addfield RFileSystem.bytes_written: int; precode RFileSystem.write (file: RFile, nbytes: int) bytes_written += nbytes; property LimitBytesWritten (n: int) check RFileSystem.write (file: RFile, nbytes: int) if (bytes_written > n) violation (“Attempt …); Implementing Resources RFileSystem RFile Resource descriptions policy LimitWrite NoOverwrite, LimitBytesWritten ( )

22David EvansPolicy-Directed Code Safety class FileOutputStream { … public void write (byte b[]) { writeBytes (b, 0, b.length); } class FileOutputStream { naccio.p253.resource.RFile rfile; … // orig_write – same implementation as old write method void write (byte b[]) { if (rfile != null) naccio.p253.resource.RFileSystem.write (rfile, b.length); orig_write (b); } Policy compiler Wrapped library classes System library classes Platform interface wrapper java.io.FileOutputStream state RFile rfile; wrapper void write (byte b[]) if (rfile != null) RFileSystem.write (rfile, b.length); %% // original method call Rewriting Classes

23David EvansPolicy-Directed Code Safety Optimizations Only implement resource operation if it: –May produce a violation –Modifies state used elsewhere Only wrap library method if it: –Calls implemented resource operation –Modifies state used meaningfully –Alters behavior Simple dataflow dependency analysis Not done yet: inline methods and state to remove resource overhead

24David EvansPolicy-Directed Code Safety Application Transformer Policy description file Program Collection of Java classes Platformindependent Platformdependenttransformations Version of program that: 1.Uses policy-enforcing library Set CLASSPATH (or rename classes) 2.Satisfies low-level code safety Run byte code verifier Protect dynamic class loading, reflection

25David EvansPolicy-Directed Code Safety What’s different for Win32? Program is Win32 executable and DLLs Platform interface describes Win32 API Policy compiler –Generate DLLs instead of Java classes Application transformer –Replace DLL names in import table –Low-level code safety is platform-specific SFI for jumps, PFI wrappers to protect memory Scan for kernel traps Policies can be reused

26David EvansPolicy-Directed Code Safety Outline System architecture Defining policies Enforcing policies Results - JavaVM – Preparation costs – Execution performance Program Safe Program Safety Policy

27David EvansPolicy-Directed Code Safety Preparation Costs Policy generation –Time to generate policy: 1-10 minutes –Cost of storing policy Average case: ~250 KB Application transformation –Basically free Integrate into byte code verifier Simple string replacements in constant pool

28David EvansPolicy-Directed Code Safety Performance

29David EvansPolicy-Directed Code Safety Policy Performance

30David EvansPolicy-Directed Code Safety Contributions Method for defining safety policies –In terms of abstract resources –Policies may be reused on different platforms General architecture for code safety –Prototypes for Win32 and JavaVM Encouraging results for JavaVM –Minimal preparation costs –Enforces policies more efficiently than JDK

31David EvansPolicy-Directed Code Safety Future Work What’s left to do –Implementing inlining optimizations –Validating/synthesizing platform interface –Multiple threads –Deployment, user interface, policy authoring tools Applications of Naccio’s mechanisms –Performance, debugging, behavior modification Can we protect vendors as well? –Restrict what modifications can be done –Trust external components –Use a policy to protect copyright, distribution, etc.

32David EvansPolicy-Directed Code Safety Conclusion Supporting large class of precise safety policies important Naccio provides good way to define and enforce policies Close to being practical Paper to appear in IEEE Security and Privacy, Oakland, May 1999.

33David EvansPolicy-Directed Code Safety END

David EvansPolicy-Directed Code Safety Problem System Library Policy Author’s View Files Resources Policy System View java.io.FileOutputStream.write (a) Disk Program System Library 11

35David EvansPolicy-Directed Code Safety Performance

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.