1 Composing Security Policies with Polymer Jay Ligatti (Princeton); joint work with: Lujo Bauer (CMU), David Walker (Princeton)

Presentation transcript:

2 Security Policy Enforcement
News flash: software sometimes does bad stuff
– Bugs
– Malicious design
One mitigation is run-time monitoring
– Ensure that software adheres to run-time constraints specified by a security policy
– Stack inspection, access control lists, applet sandboxing, firewalls, resource monitors, …

3 Policies Become More Complex
As software becomes more sophisticated
– Multi-user and networked systems
– Electronic commerce
– Medical databases (HIPAA)
As we tighten overly relaxed policies
– Insecure default configurations disallowed
– Downloading .doc files requires a warning
As we relax overly tight policies
– All applets sandboxed (JDK 1.0) vs. only unsigned applets sandboxed (JDK 1.1)

4 Managing Complexity via Centralization
Application with policy scattered throughout: scattered policy is hard to find and reason about
Application with centralized policy: centralized policy is easier to find and reason about
Policy contains:
– Security code
– When to run the security code

5 Beyond Centralization: Composition
Policy centralization is not enough
– Need a methodology for organizing a complex centralized policy
Polymer provides a flexible methodology for decomposing complex policies into simpler modules
– Policies are first-class and organized for composition
– Higher-order policies (superpolicies) can compose simpler policies (subpolicies)

6 Related Work
General monitoring systems (with centralized policies)
– Java-MaC [Lee, Kannan, Kim, Sokolsky, Viswanathan 99]
– Naccio [Evans, Twyman 99]
– Policy Enforcement Toolkit [Erlingsson, Schneider 00]
– Aspect-oriented software systems [Kiczales, Hilsdale, Hugunin, Kersten, Palm, Griswold 01; …]
– …
Language theory
– Semantics for AOPLs [Tucker, Krishnamurthi 03; Walker, Zdancewic, Ligatti 03; Wand, Kiczales, Dutchyn 04; …]
Automata theory
– Security automata [Schneider 00; Ligatti, Bauer, Walker 05]

7 Outline
Motivation and goal
– Ease specification of run-time policies
Polymer system
Polymer language
– First-class actions, suggestions, policies
– Policy examples
Case study
Summary

8 Polymer Tools
Policy compiler
– Converts monitor policies written in the Polymer language into Java source code
– Then runs javac to compile the Java source
Bytecode instrumenter
– Adds calls to the monitor to the core Java libraries and to the untrusted (target) application
Total size = 30 core classes (approx. lines of Java) + JavaCC + Apache BCEL

9 Securing Targets in Polymer
1. Create a listing of all security-relevant methods (trigger actions)
2. Instrument trigger actions in core Java libraries
3. Write and compile the security policy
4. Run the target using the instrumented libraries, instrumenting target classes as they load

10 Securing Targets in Polymer
[Figure: original application (target + libraries) → instrumented target + instrumented libraries + compiled policy → secured application]

11 Outline
Motivation and goal
– Ease specification of run-time policies
Polymer system
Polymer language
– First-class actions, suggestions, policies
– Policy examples
Case study
Summary

12 First-class Actions
Action objects contain information about a method invocation
– Static method signature
– Dynamic calling object
– Dynamic parameters
Policies can analyze actions about to be executed by the target
Policies can synthesize actions to invoke on behalf of the target

13 Action Patterns
Action objects can be matched to patterns in aswitch statements
Wildcards can appear in action patterns

aswitch(a) {
  case <… (int i, …)>: E;
  …
}

14 First-class Suggestions
Policies return Suggestion objects to indicate how to handle trigger actions
– IrrSug: action is irrelevant
– OKSug: action is relevant but safe
– InsSug: defer judgment until after running and evaluating some auxiliary code
– ReplSug: replace the action (which computes a return value) with another return value
– ExnSug: raise an exception to notify the target that it is not allowed to execute this action
– HaltSug: disallow the action and halt execution

15 First-class Policies
Policies include state and several methods:
– query() suggests how to deal with trigger actions
– accept() performs bookkeeping before a suggestion is followed
– result() performs bookkeeping after an OKd or inserted action returns a result

public abstract class Policy {
  public abstract Sug query(Action a);
  public void accept(Sug s) { }
  public void result(Sug s, Object result, boolean wasExnThn) { }
}

16 Compositional Policy Design
query() methods should be effect-free
– Superpolicies test reactions of subpolicies by calling their query() methods
– Superpolicies combine reactions in meaningful ways
– Policies cannot assume suggestions will be followed
Effects are postponed to accept() and result()

17 A Simple Policy That Forbids Runtime.exec(..) methods

public class DisSysCalls extends Policy {
  public Sug query(Action a) {
    aswitch(a) {
      case <* java.lang.Runtime.exec(..)>: return new HaltSug(this, a);
    }
    return new IrrSug(this);
  }
  public void accept(Sug s) {
    if (s.isHalt()) {
      System.err.println("Illegal exec method called");
      System.err.println("About to halt target.");
    }
  }
}

18 Policy Combinators
Polymer provides a library of generic superpolicies (combinators)
Policy writers are free to create new combinators
Standard form:

public class Conjunction extends Policy {
  private Policy p1, p2;
  public Conjunction(Policy p1, Policy p2) {
    this.p1 = p1;
    this.p2 = p2;
  }
  public Sug query(Action a) {
    Sug s1 = p1.query(a), s2 = p2.query(a);
    // return the conjunction of s1 and s2
    …
  }
}

19 Policy Combinator I: Conjunction
Apply several policies at once, first making any insertions suggested by subpolicies
When no subpolicy suggests an insertion, obey the most restrictive subpolicy suggestion
Suggestion ordering, least restrictive to most restrictive: Irrelevant, OK, Replace(v1) / Replace(v2) / … / Replace(v3), Exception, Halt

20 Policy Combinator II: Selector
Make some initial choice about which subpolicy to enforce and forget about the other subpolicies
IsClientSigned: enforce the first subpolicy if and only if the target is cryptographically signed

Policy sandboxUnsigned = new IsClientSigned(new TrivialPolicy(), new SandboxPolicy());

21 Policy Combinator III: Precedence
Give one subpolicy precedence over another
Dominates: obey the first subpolicy if it considers the action relevant; otherwise obey whatever the second subpolicy suggests
TryWith: obey the first subpolicy if and only if it returns an Irrelevant, OK, or Insertion suggestion
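The combinator semantics of slides 18, 19 and 21 in working form. This is an added example, not Polymer's own library code: it models a suggestion as its kind plus an optional replacement value, reduces an Action to the called method's signature string, and implements Conjunction, Dominates and TryWith exactly as the slides describe them; the two sample subpolicies (disExec, fakeTime) are constructed for the demo.

```java
// Added model of Polymer suggestions and combinators (assumption: an action is
// just the called method's signature string, not a full Polymer Action object).
enum Kind { IRR, OK, INS, REPL, EXN, HALT }          // ordered least to most restrictive

record Sug(Kind kind, Object value) {
    static Sug of(Kind k) { return new Sug(k, null); }
    static Sug repl(Object v) { return new Sug(Kind.REPL, v); }
}
interface Policy { Sug query(String action); }       // effect-free, as slide 16 requires

// Conjunction: make any suggested insertion first; otherwise obey the most
// restrictive suggestion. The slides rank every Replace(v) between OK and
// Exception; when both subpolicies replace, this model keeps the first (a modelling choice).
class Conjunction implements Policy {
    private final Policy p1, p2;
    Conjunction(Policy p1, Policy p2) { this.p1 = p1; this.p2 = p2; }
    public Sug query(String a) {
        Sug s1 = p1.query(a), s2 = p2.query(a);
        if (s1.kind() == Kind.INS) return s1;
        if (s2.kind() == Kind.INS) return s2;
        return s1.kind().compareTo(s2.kind()) >= 0 ? s1 : s2;
    }
}
// Dominates: obey the first subpolicy unless it finds the action irrelevant.
class Dominates implements Policy {
    private final Policy p1, p2;
    Dominates(Policy p1, Policy p2) { this.p1 = p1; this.p2 = p2; }
    public Sug query(String a) {
        Sug s1 = p1.query(a);
        return s1.kind() == Kind.IRR ? p2.query(a) : s1;
    }
}
// TryWith: obey the first subpolicy only for Irrelevant, OK or Insertion.
class TryWith implements Policy {
    private final Policy p1, p2;
    TryWith(Policy p1, Policy p2) { this.p1 = p1; this.p2 = p2; }
    public Sug query(String a) {
        Sug s1 = p1.query(a);
        return s1.kind().compareTo(Kind.INS) <= 0 ? s1 : p2.query(a);
    }
}
public class CombinatorDemo {
    public static void main(String[] args) {
        // Constructed subpolicies: one halts on exec, one fakes the clock and OKs everything else.
        Policy disExec = a -> a.startsWith("java.lang.Runtime.exec") ? Sug.of(Kind.HALT) : Sug.of(Kind.IRR);
        Policy fakeTime = a -> a.equals("java.lang.System.currentTimeMillis") ? Sug.repl(0L) : Sug.of(Kind.OK);
        String exec = "java.lang.Runtime.exec", time = "java.lang.System.currentTimeMillis";
        System.out.println("conj/exec: " + new Conjunction(disExec, fakeTime).query(exec).kind());
        System.out.println("conj/time: " + new Conjunction(disExec, fakeTime).query(time));
        System.out.println("dom/exec:  " + new Dominates(fakeTime, disExec).query(exec).kind());
        System.out.println("try/exec:  " + new TryWith(disExec, fakeTime).query(exec).kind());
    }
}
```

Note that the same two subpolicies yield Halt under Conjunction but not under Dominates(fakeTime, disExec) or TryWith(disExec, fakeTime), which is why the choice of combinator, not only the subpolicies, determines what the monitor enforces.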

22 Policy Combinator IV: Single-policy Modifier
Perform some extra operations while enforcing a single subpolicy
Audit: obey the sole subpolicy but also log all actions seen and suggestions made
AutoUpdate: obey the sole subpolicy but also intermittently check for subpolicy updates

23 Outline
Motivation and goal
– Ease specification of run-time policies
Polymer system
Polymer language
– First-class actions, suggestions, policies
– Policy examples
Case study
Summary

24 Case Study
Polymer policy for clients that use the JavaMail API
– Approx. lines of Polymer code
Tested on Pooka [
– Approx. 50K lines of Java code + libraries (Java standard libraries, JavaMail, JavaBeans Activation Framework, JavaHelp, The Knife mbox provider, Kunststoff Look and Feel, and ICE JNI library)

25 Policy Hierarchy
Related policy concerns are modularized
– Easier to create the policy
Modules are reusable
Modules can be written in isolation
– Easier to understand the policy

26 Outline
Motivation and goal
– Ease specification of run-time policies
Polymer system
Polymer language
– First-class actions, suggestions, policies
– Policy examples
Case study
Summary

27 Summary
A new approach to managing policy complexity:
– Design policies for composition
– Complex policies can be decomposed into simpler subpolicies
Enabling the approach
– First-class actions, suggestions, and policies
– Policy organization (effect-free query methods and effectful bookkeeping methods)
Implemented end-to-end system
– Library of useful combinators
– Case study policy hierarchy

28 More Information
Language and system details, including a sound formal semantics for the language: PLDI 05 proceedings
Full source code and example policies:

29 End Thanks / Questions

30 (Unoptimized) Performance
Instrumenting all Java core libraries = 107 s = 3.7 ms per method
Typical class loading time = 12 ms (vs. 6 ms with the default class loader)
Monitored method call = 0.6 ms overhead
The policy code's own performance typically dominates the cost

31 Another Example (logs incoming messages and prepends "SPAM:" to the subject lines of messages flagged by a spam filter)