Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Programming via Visibly Pushdown Safety Games

Published byAugust Peters Modified over 5 years ago

Similar presentations

Presentation on theme: "Secure Programming via Visibly Pushdown Safety Games"— Presentation transcript:

1 Secure Programming via Visibly Pushdown Safety Games
Bill Harris, Somesh Jha, and Thomas Reps Computer Aided Verification 13 July 2012

2 One-slide Summary Motivation: privilege-aware OS’s enable secure applications Problem: privilege-aware OS’s are hard to program for Solution: reduce programming for a privilege-aware OS to solving a safety game

3 Important Programs are Still Insecure
Vulnerabilities in: Security-critical, network-facing programs tcpdump (CVE ) fetchmail (CVE ) wget (CVE ) Core utilities bzip2 (CVE ) gzip (CVE ) tar (CVE ) -core problem: standard operating system has too coarse a notion of privilege. If a program has a vulnerability, then the attacker can exploit it to act with full privilege of the user.

4 Traditional Program Security
Program is analyzed passively to ensure that it behaves securely.

5 Privilege-Aware OS’s OS maintains a privilege for each process
Program actively manages its privilege by invoking security system calls (primitives) -previous methods: passively analyze or monitor program. Each of these techniques has shortcomings that keep them from being applied to a lot of practical programs.

6 Example Privilege-Aware OS’s
Information-flow control Asbestos [SOSP 2005] HiStar [OSDI 2006] Flume [SOSP 2007] Tagged memory: Wedge [NSDI 2008] Capabilities: Capsicum [USENIX Sec. 2010]

7 Running example: gzip public_leak.com compr(in, out) { body; }
gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out); } public_leak.com

8 An Informal Policy for gzip
When gzip executes body, it should only be able to read from in and write to out.

9 Capsicum: A Privilege-Aware OS
Two levels of privilege: High Capability (can open files) Low Capability (cannot open files) Rules describing privilege: Process initially executes with capability of its parent Process can invoke the drop system call to take Low Capability -We can rewrite gzip so that it satisfies our informal policy when it runs on Capsicum. -Describe Capsicum. -caveat: this is not the real Capsicum.

10 Securing gzip on Capsicum
compr(in, out) { drop(); body; } Low Cap. gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out); } public_leak.com High Cap.

11 Securing gzip on Capsicum
compr(in, out) { drop(); body; } Low Cap. gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out); } High Cap. High Cap. -animate evolution of capabilities for wrong instrumentation up to capability of body High Cap. High Cap.

12 Securing gzip on Capsicum
compr(in, out) { drop(); body; } gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out); } Low Cap. -animate break in functionality Low Cap. ≠ High Cap.

13 Securing gzip on Capsicum
compr(in, out) { drop(); body; } Low Cap. gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out); } High Cap. High Cap. fork_compr(in, out); High Cap.

14 Securing gzip on Capsicum
compr(in, out) { drop(); body; } Low Cap. gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out); } -animate evolution of capabilities for wrong instrumentation up to capability of body High Cap. fork_compr(in, out);

15 Progrmr. Pol. Wrtr. Capsicum Dev. Program Policy Capsicum Capsicum Policy Weaver Weaver Generator Us Capsicum Program

16 Progrmr. Pol. Wrtr. Capscium Dev. OS Dev. Program Policy OS Capsicum
Policy Weaver Capsicum Policy Weaver Weaver Generator Us -focus on Program Capsicum Program OS Program

17 Paper Contributions Designed an automata-theoretic weaver generator
Implemented an efficient weaver-generator via a scaffold-based safety-game solver Experimentally evaluated practical feasibility

18 Progrmr. Pol. Wrtr. OS Dev. Program Policy OS Weaver Generator OS
Policy Weaver Weaver Generator Us -focus on policy OS Program

19 Program: Prog Acts Progrmr. Program parse_cl call compr open body loop
ret compr exit

20 Progrmr. Pol. Wrtr. OS Developer Program Policy OS Weaver Generator Us
-focus on Host OS Program

21 Policy: Prog Acts x Privs
Pol. Wrtr. Privs = { High Cap, Low Cap} Policy (open, LowCap) * (body, HighCap)

22 Progrmr. Pol. Wrtr. OS Dev. Program Policy OS Weaver Generator Us
-isolate Host OS Program

23 OS: Prog Acts ∪ Prims → Privs
OS Dev. OS: Prog Acts ∪ Prims → Privs OS Prims = { drop, fork, join } open / AllowHigh AllowHigh HighCap AllowLow

24 OS Dev. OS: Prog Acts ∪ Prims → Privs OS drop AllowHigh AllowLow

25 OS Dev. OS: Prog Acts ∪ Prims → Privs OS open / AllowLow AllowLow LowCap

26 Progrmr. Pol. Wrtr. OS Dev. Program Policy OS Weaver Generator Us
-isolate Host OS Program

27 Instr: Prog Acts → Prims
OS Program parse_cl / noop Instr: Prog Acts → Prims open / fork call compr / drop -An instrumentation is a state machine that reads program actions and outputs OS primitives. -The weaver generator will output an instrumentation machine st we can rewrite our original program so that TODO: pick up from here. to execute an action, feed the program action to the instrumentation, loop / noop body / noop ret compr / join

28 Progrmr. Pol. Wrtr. OS Dev. Program Policy OS Weaver Generator Us
-isolate Host OS Program

29 Safety Games: A Quick Refresher

30 a c y y x x d b b d z y -with a two-player, turn-based safety game… y e f

31 Correct instrumentation
Weaving as a Game Policy Weaving Safety Game Policy Weaving Safety Game Program actions Attacker actions Policy Weaving Safety Game Program actions Attacker actions OS primitives Defender actions Correct instrumentation Winning Defender strategy Policy Weaving Safety Game Program actions Attacker actions OS primitives Defender actions

32 parse_cl a call compr c noop y y drop x noop drop x body d open b b
fork z y noop -transition slide: fade out abstract game symbols, fade in gzip symbols join y ret compr e loop f

33 parse_cl call compr noop drop noop drop body open open body fork noop
-transition slide: show example paths that correspond to policy violations join ret compr loop

34 parse_cl call compr noop drop noop drop body open open body fork noop
-transition slide: show the sub-strategy join ret compr loop

35 parse_cl parse_cl / call compr call compr / drop noop noop open open /
body body / fork noop -go from strategy to instrumentation join ret compr ret compr / loop loop /

36 The Importance of VPA’s
Accurately approximate the set of program paths Accurately model relationship between OS primitives and privileges Modular strategies for modular instrumentations

37 Paper Contributions Designed an automata-theoretic weaver generator
Implemented an efficient weaver-generator via a scaffold-based game solver Experimentally evaluated practical feasibility

38 Experiment Highlights
Instantiated weaver-generator to a policy weaver for Capsicum Applied Capsicum policy weaver to six UNIX utilities from 8 to 108 kLoC Found strategies in 0:05 to 2:00

39 Summary Motivation: privilege-aware OS’s enable secure applications
Problem: privilege-aware OS’s are hard to program for Solution: reduce programming for a privilege-aware OS to solving a safety game

40 Questions?

41 Progrmr. Pol. Wrtr. OS Developer Program Policy OS Weaver Generator Us
-focus on instrumented program OS Program

42 Extra Slides

43 Secure Programming via Visibly Pushdown Safety Games
Bill Harris, Somesh Jha, and Thomas Reps Somesh Jha Computer Aided Verification 2012 13 July

44 fork compr parse_cl init noop drop open body loop ret compr

Download ppt "Secure Programming via Visibly Pushdown Safety Games"

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Operating System Security

Operating System Security
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Fundamentals of Computer Security Geetika Sharma Fall 2008.

Fundamentals of Computer Security Geetika Sharma Fall 2008.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Paper Title Your Name CMSC 838 Presentation. CMSC 838T – Presentation Motivation u Problem paper is trying to solve  Characteristics of problem  … u.

Paper Title Your Name CMSC 838 Presentation. CMSC 838T – Presentation Motivation u Problem paper is trying to solve  Characteristics of problem  … u.
Implementing Mapping Composition Todd J. Green * University of Pennsylania with Philip A. Bernstein (Microsoft Research), Sergey Melnik (Microsoft Research),

Implementing Mapping Composition Todd J. Green * University of Pennsylania with Philip A. Bernstein (Microsoft Research), Sergey Melnik (Microsoft Research),
Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.

Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.
MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.

MOPS MOdelchecking Security Properties David Wagner U.C. Berkeley.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Software Development Unit 6.

Software Development Unit 6.
Introduction to Computer Technology

Introduction to Computer Technology
Justice Information Network Strategic Plan Development Justice Information Network Board March 18, 2008 Mo West, JIN Program Manager.

Justice Information Network Strategic Plan Development Justice Information Network Board March 18, 2008 Mo West, JIN Program Manager.
NICE :Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems.

NICE :Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems.
Chapter 6 Operating System Support. This chapter describes how middleware is supported by the operating system facilities at the nodes of a distributed.

Chapter 6 Operating System Support. This chapter describes how middleware is supported by the operating system facilities at the nodes of a distributed.
Cosc 4010 Sandboxing. Last lecture Last time, we covered chroot, which is a method to sandbox a problem. –Not full proof by any means. Many simple mistakes.

Cosc 4010 Sandboxing. Last lecture Last time, we covered chroot, which is a method to "sandbox" a problem. –Not full proof by any means. Many simple mistakes.
Policy Weaving for System Security Thomas Reps and Somesh Jha University of Wisconsin Thomas RepsSomesh Jha Bill Harris Junghee Lim Matt Fredrikson Min.

Policy Weaving for System Security Thomas Reps and Somesh Jha University of Wisconsin Thomas RepsSomesh Jha Bill Harris Junghee Lim Matt Fredrikson Min.

Similar presentations

Ads by Google