Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Evans CS588: Cryptography University of Virginia Computer Science Lecture 21: Countering Malicious Code.

Published byAdele Boone Modified over 8 years ago

Similar presentations

Presentation on theme: "David Evans CS588: Cryptography University of Virginia Computer Science Lecture 21: Countering Malicious Code."— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/evans CS588: Cryptography University of Virginia Computer Science Lecture 21: Countering Malicious Code

2 23 April 2005University of Virginia CS 5882 Menu Reference Monitors Java/.NET Security

3 23 April 2005University of Virginia CS 5883 Malcode Defenses Constrain program behavior –Reference Monitors In-line Reference Monitors Prevent possibly harmful code from running –Safe Languages –Proof-Carrying Code

4 23 April 2005University of Virginia CS 5884 Program Execution Program Monitor Speakers SuperSoaker 2000 Disk Memory Network

5 23 April 2005University of Virginia CS 5885 Program Execution Program Monitor Speakers SuperSoaker 2000 Disk Memory Network Reference Monitor

6 23 April 2005University of Virginia CS 5886 Ideal Reference Monitor 1.Sees everything a program is about to do before it does it 2.Can instantly and completely stop program execution (or prevent action) 3.Has no other effect on the program or system Can we build this? Probably not unless we can build a time machine...

7 23 April 2005University of Virginia CS 5887 Ideal Reference Monitor 1.Sees everything a program is about to do before it does it 2.Can instantly and completely stop program execution (or prevent action) 3.Has no other effect on the program or system Real most things limited

8 23 April 2005University of Virginia CS 5888 Operating Systems Provide reference monitors for most security-critical resources –When a program opens a file in Unix or Windows, the OS checks that the principal running the program can open that file Doesn’t allow different policies for different programs No flexibility over what is monitored –OS decides for everyone –Hence, can’t monitor inexpensive operations

9 23 April 2005University of Virginia CS 5889 Reference Monitor as Finite State Automaton [Schneider99] 0 1 All other instructions Aim Fire STOP Policy Violation 2 All other instructions Aim All other instructions Aim

10 23 April 2005University of Virginia CS 58810 What policies can be enforced? Assume: –Security Automaton can see entire state of world, everything about instruction about to execute –Security Automaton has unlimited memory, can do unlimited computation Are there interesting policies that still can’t be enforced?

11 23 April 2005University of Virginia CS 58811 What’s a Security Policy? What’s a program? –A set of possible executions What’s an execution? –A sequence of states What’s a security policy? –A predicate on a set of executions

12 23 April 2005University of Virginia CS 58812 More Formally...  : set of all possible executions (can be infinite)  S : set of executions possible by target program S P : security policy set of executions  Boolean S is safe iff P (  S ) is true.

13 23 April 2005University of Virginia CS 58813 Reference Monitors cannot enforce all Security Policies Some policies depend on: –Knowing about the future If the program charges the credit card, it must eventually ship the goods –Knowing about all possible executions Information flow – can’t tell if a program reveals secret information without knowing about other possible executions Reference Monitors can only know about past of this particular execution

14 23 April 2005University of Virginia CS 58814 Safety Policies Reference monitors can only enforce safety policies Safety policy is a predicate on a prefix of states (see Schneider98 for more formal definition) –Cannot depend on future: prefix means once it is false, it is always false –Cannot depend on other possible executions

15 23 April 2005University of Virginia CS 58815 Java Security Real or Decaf?

16 23 April 2005University of Virginia CS 58816 What is Java? A.Island in Indonesia B.A Programming Language (Java  ) C.A Portable Low-Level Language (JVML) D.A Platform (JavaVM) E.A (semi-)successful marketing strategy –JavaScript is not related to Java or Java  F.Work on your projects G.All of the above

17 23 April 2005University of Virginia CS 58817 Java  : Programming Language “A simple, object-oriented, distributed, interpreted, robust, secure, architecture neutral, portable, high-performance, multithreaded, and dynamic language.” [Sun95]

18 23 April 2005University of Virginia CS 58818 What is a secure language? 1.Language is designed so it cannot express certain computations considered insecure. 2.Language is designed so that (accidental) program bugs are likely to be caught by the compiler or run- time environment instead of leading to security vulnerabilities. A few attempt to do this: PLAN, packet filters

19 23 April 2005University of Virginia CS 58819 Safe Programming Languages Type Safety –Compiler and run-time environment ensure that bits are treated as the type they represent Memory Safety –Compiler and run-time environment ensure that program cannot access memory outside defined storage Control Flow Safety –Can’t jump to arbitrary addresses Which of these does C++ have? Not a new idea: LISP had these in 1960!

20 23 April 2005University of Virginia CS 58820 Java  Safety Type Safety –Most types checked statically –Coercions, array assignments type checked at run time Memory Safety –No direct memory access (e.g., pointers) –Primitive array type with mandatory run-time bounds checking Control Flow Safety –Structured control flow, no arbitrary jumps

21 23 April 2005University of Virginia CS 58821 Malicious Code Can a safe programming language protect you from malcode? 1.Code your servers in it to protect from buffer overflow bugs 2.Only allow programs from untrustworthy origins to run if the are programmed in the safe language

22 23 April 2005University of Virginia CS 58822 Safe Languages? But how can you tell program was written in the safe language? –Get the source code and compile it (most vendors, and all malicious attackers refuse to provide source code) –Special compilation service signs object files generated from the safe language (SPIN, [Bershad96]) –Verify object files preserve safety properties of source language (Java)

23 23 April 2005University of Virginia CS 58823 JVML javac Compiler malcode.java Java  Source Code malcode.class JVML Object Code JavaVM Joe User Joe wants to know JVML code satisfies Java  ’s safety properties.

24 23 April 2005University of Virginia CS 58824 Does JVML satisfy Java  ’s safety properties? iconst_2 push integer constant 2 on stack istore_0 store top of stack in variable 0 as int aload_0 load object reference from variable 0 arraylength replace array on top of stack with its length No! This code violates Java  ’s type rules.

25 23 April 2005University of Virginia CS 58825 Bytecode Verifier malcode.class JVML Object Code Java Bytecode Verifier Joe User JavaVM “Okay” Invalid STOP Trusted Computing Base

26 23 April 2005University of Virginia CS 58826 Bytecode Verifier Checks JVML code satisfies Java  ’s safety properties Type safe – stack and variable slots must store and load as same type Memory safe (guaranteed by instruction set) Control flow safe: jumps must be within function, or call/return

27 23 April 2005University of Virginia CS 58827 Are Java Bytecode Verifiers Complicated? ~700 rules to enforce, JVML specification is (not all clearly specified) Emin Gün Sirer found > 100 bugs in commercial bytecode verifiers (using automatic test generation) –At least 15 of them were security vulnerabilities JVML includes jsr instruction (jump to subroutine), can be called with different types in variables and on stack

28 23 April 2005University of Virginia CS 58828 Java javac Compiler malcode.java malcode.class JVML Joe User Java Bytecode Verifier JavaVM “Okay” Invalid STOP Trusted Computing Base

29 23 April 2005University of Virginia CS 58829 JavaVM Virtual machine – interpreter for JVML programs Has complete access to host machine Bytecode verifier ensures some safety properties, JavaVM must ensure rest: –Type safety of run-time casts, array assignments –Memory safety: array bounds checking –Resource use policy

30 23 April 2005University of Virginia CS 58830 JavaVM Policy Enforcment From java.io.File: public boolean delete() { SecurityManager security = System.getSecurityManager(); if (security != null) { security.checkDelete(path); } if (isDirectory()) return rmdir0(); else return delete0(); } [JDK 1.0 – JDK 1.1]

31 23 April 2005University of Virginia CS 58831 java.lang.SecurityManager /** Throws a SecurityException if the calling thread is not allowed to delete the specified file. This method is invoked for the current security manager by the delete method of class File. */ (Some other comments deleted.) public void checkDelete(String file) { throw new SecurityException(); }

32 23 April 2005University of Virginia CS 58832 Security Manager Reference monitor –How well does it satisfy the requirements? Complete mediation Can stop execution/prevent action Limited effect on execution until policy violation User/host application creates a subclass of SecurityManager to define a policy

33 23 April 2005University of Virginia CS 58833 HotJava’s Policy (JDK 1.1.7) public class AppletSecurity extends SecurityManager {... public synchronized void checkDelete(String file) { checkWrite(file); }... }

34 23 April 2005University of Virginia CS 58834 AppletSecurity.checkWrite (some exception handling code removed) public synchronized void checkWrite(String file) { if (inApplet()) { if (!initACL) initializeACLs(); String realPath = (new File(file)).getCanonicalPath(); for (int i = writeACL.length ; i-- > 0 ;) { if (realPath.startsWith(writeACL[i])) return; } throw new AppletSecurityException ("checkwrite", file, realPath); } Note: no checking if not inApplet! Very important this does the right thing.

35 23 April 2005University of Virginia CS 58835 JDK 1.0 Trust Model When JavaVM loads a class from the CLASSPATH, it has no associated ClassLoader (can do anything) When JavaVM loads a class from elsewhere (e.g., the web), it has an associated ClassLoader

36 23 April 2005University of Virginia CS 58836 JDK Evolution JDK 1.1: Signed classes from elsewhere and have no associated ClassLoader JDK 1.2: –Different classes can have different policies based on ClassLoader –Explict enable/disable/check privileges –SecurityManager is now AccessController

37 23 April 2005University of Virginia CS 58837 What can go wrong? Java API doesn’t call right SecurityManager checks (63 calls in java.*) –Font loading bug, synchronization ClassLoader is tricked into loading external class as internal Bug in Bytecode Verifier can be exploited to circumvent SecurityManager Policy is too weak and allows damaging behavior

38 23 April 2005University of Virginia CS 58838 Java javac Compiler malcode.java malcode.class JVML Joe User Java Bytecode Verifier JavaVM “Okay” Invalid STOP Trusted Computing Base

39 23 April 2005University of Virginia CS 58839 Bytecode Verifier Checks JVML code satisfies safety properties –Simulates program execution to know types are correct, but doesn’t need to examine any instruction more than once –After code is verified, it is trusted: is not checked for type safety at run time (except for casts, array stores) Key assumption: when a value is written to a memory location, the value in that memory location is the same value when it is read.

40 23 April 2005University of Virginia CS 58840 Violating the Assumption … // The object on top of the stack is a SimObject astore_0 // There is a SimObject in location 0 aload_0 // The value on top of the stack is a SimObject If a cosmic ray hits the right bit of memory, between the store and load, the assumption might be wrong.

41 23 April 2005University of Virginia CS 58841 Improving the Odds Set up memory so that a single bit error is likely to be exploitable Mistreat the hardware memory to increase the odds that bits will flip One bit flip allows you to violate type safety, compromise all security Sudhakar Govindavajhala and Andrew W. Appel, Using Memory Errors to Attack a Virtual Machine, July 2003.

42 23 April 2005University of Virginia CS 58842 Getting a Bit Flip Wait for a Cosmic Ray –You have to be really, really patient… (or move machine out of Earth’s atmosphere) X-Rays –Expensive, not enough power to generate bit-flip High energy protons and neutrons –Work great - but, you need a particle accelerator Hmm….

43 23 April 2005University of Virginia CS 58843 Using Heat n 50-watt spotlight bulb n Between 80° - 100°C, memory starts to have a few failures n Attack applet is successful (at least half the time)! n Hairdryer works too, but it frys too many bits at once Picture from Sudhakar Govindavajhala

44 23 April 2005University of Virginia CS 58844 Should Anyone be Worried? Java virtual machine

45 23 April 2005University of Virginia CS 58845 Recap Verifier assumes the value you write is the same value when you read it By flipping bits, we can violate this assumption By violating this assumption, we can violate type safety: get two references to the same storage that have inconsistent types By violating type safety, we can get around all other security measures

46 23 April 2005University of Virginia CS 58846.NET

47 0 5 10 15 20 25 30 35 40 45 50 1996 1997 1998 1999 2000 2001 2002 2003 2004 Java VM.NET VM Major Security Vulnerabilities (Cumulative) http://www.cs.virginia.edu/evans/pubs/acsac2004.html

48 23 April 2005University of Virginia CS 58848 Course Evaluations

49 23 April 2005University of Virginia CS 58849 CS588 Pledge I will provide useful feedback. I realize this is an evolving course and it is important that I let the course staff know what they need to improve the course. I will not wait until the end of the course to make the course staff aware of any problems. I will provide feedback either anonymously … or by contacting the course staff directly. I will fill out all course evaluation surveys honestly and thoroughly.

50 23 April 2005University of Virginia CS 58850 Course Evaluations Fill out the SEAS Evaluation on-line –It may not be anonymous, but I promise not to peek –Respond based on whether you want me to get fired or promoted (optional) Fill out a RateMyProfessors.com survey –Provide useful information to future students Fill out my course-specific survey (handed out last day) –Help improve future versions of the course for later students

51 23 April 2005University of Virginia CS 58851 Charge Links to papers on the web site: –Hair dryer attacks –Comparing Java and.NET Thursday: –Quantum cryptography –Cryptographic hashing attacks (Boyd and Isabelle) Tuesday: –Project presentations, final out, Sneakers

Download ppt "David Evans CS588: Cryptography University of Virginia Computer Science Lecture 21: Countering Malicious Code."

Similar presentations

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-
1 Lecture 18 Subverting a Type System turning a bit flip into an exploit Ras Bodik Ali and Mangpo Hack Your Language! CS164: Introduction to Programming.

1 Lecture 18 Subverting a Type System turning a bit flip into an exploit Ras Bodik Ali and Mangpo Hack Your Language! CS164: Introduction to Programming.
Java security (in a nutshell)

Java security (in a nutshell)
Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.

Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
Lab Information Security Using Java (Review) Lab#0 Omaima Al-Matrafi.

Lab Information Security Using Java (Review) Lab#0 Omaima Al-Matrafi.
Class 20: Verifying Bytecodes Fall 2010 UVa David Evans cs2220: Engineering Software Image: Joseph Featherston.

Class 20: Verifying Bytecodes Fall 2010 UVa David Evans cs2220: Engineering Software Image: Joseph Featherston.
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 20: Hair-Dryer Attacks and Introducing x86.

CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 20: Hair-Dryer Attacks and Introducing x86.
Lab#1 (14/3/1431h) Introduction To java programming cs425

Lab#1 (14/3/1431h) Introduction To java programming cs425
Security: Lessons Learned and Missed from Java Nathanael Paul David Evans University of Virginia ACSAC 2004.

Security: Lessons Learned and Missed from Java Nathanael Paul David Evans University of Virginia ACSAC 2004.
Introduction to Java Kiyeol Ryu Java Programming Language.

Introduction to Java Kiyeol Ryu Java Programming Language.
JVM-1 Introduction to Java Virtual Machine. JVM-2 Outline Java Language, Java Virtual Machine and Java Platform Organization of Java Virtual Machine Garbage.

JVM-1 Introduction to Java Virtual Machine. JVM-2 Outline Java Language, Java Virtual Machine and Java Platform Organization of Java Virtual Machine Garbage.
Building Secure Software Chapter 9 Race Conditions.

Building Secure Software Chapter 9 Race Conditions.
Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.

Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.
Lecture 1: Overview of Java. What is java? Developed by Sun Microsystems (James Gosling) A general-purpose object-oriented language Based on C/C++ Designed.

Lecture 1: Overview of Java. What is java? Developed by Sun Microsystems (James Gosling) A general-purpose object-oriented language Based on C/C++ Designed.
Java Security Updated May 2007. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.

Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.

JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Similar presentations

Ads by Google