ActionScript In-lined Reference Monitoring in Prolog Meera Sridhar and Kevin W. Hamlen The University of Texas at Dallas January 18, 2010 Supported by.

Slides:

Advertisements

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu

Advertisements

Security of JavaCard smart card applets Erik Poll University of Nijmegen

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Operating System Security

A Survey of Runtime Verification Jonathan Amir 2004.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Jay Ligatti and Srikar Reddy University of South Florida.

Java Applet Security Diana Dong CS 265 Spring 2004.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee

H Apr-01 Clark Thomborson Software Security CompSci 725 Handout 28: Report Writing #2 (Sample Titles & Abstracts) Clark Thomborson University of.

Flexible In-lined Reference Monitor Certification: Challenges and Future Directions Meera Sridhar and Kevin W. Hamlen University of Texas at Dallas January.

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI

AndroidCompiler. Layout Motivation Literature Review AndroidCompiler Future Works.

Model-Checking In-lined Reference Monitors Meera Sridhar and Kevin W. Hamlen The University of Texas at Dallas January 17, 2010 Supported in part by grants.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.

Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.

Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.

Policy-Carrying, Policy-Enforcing Digital Objects Sandra Payette and Carl Lagoze Cornell Digital Library Research Group ECDL2000 Lisbon, Portugal September.

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

More Enforceable Security Policies Lujo Bauer, Jay Ligatti and David Walker Princeton University (graciously presented by Iliano Cervesato)

CS CS 5150 Software Engineering Lecture 13 System Architecture and Design 1.

A Type System for Expressive Security Policies David Walker Cornell University.

Bending Binary Programs to your Will Rajeev Barua.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

Tcl Agent : A flexible and secure mobile-agent system Paper by Robert S. Gray Dartmouth College Presented by Vipul Sawhney University of Pennsylvania.

Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.

Policy-Carrying, Policy-Enforcing Digital Objects Sandra Payette Project Prism - Cornell University DLI2 All-Projects Meeting June 14, 2000.

1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.

Database Management Systems (DBMS)

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Prevent Cross-Site Scripting (XSS) attack

Zhonghua Qu and Ovidiu Daescu December 24, 2009 University of Texas at Dallas.

Computer Security and Penetration Testing

Richard Gay – ICISS, December 20, 2014 CliSeAu:Securing Distributed Java Programs by Cooperative Dynamic Enforcement Richard Gay, Jinwei Hu, Heiko Mantel.

Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.

Reasoning about Information Leakage and Adversarial Inference Matt Fredrikson 1.

KATHOLIEKE UNIVERSITEIT LEUVEN 1 Run time enforcement of security policies on the.NET framework Frank Piessens Joint work with many people including Lieven.

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 RubyJax Brent Morris/

Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.

Containment and Integrity for Mobile Code End-to-end security, untrusted hosts Andrew Myers Fred Schneider Department of Computer Science Cornell University.

CE Operating Systems Lecture 3 Overview of OS functions and structure.

Presented by: Reem Alshahrani. Outlines What is Virtualization Virtual environment components Advantages Security Challenges in virtualized environments.

240-Current Research Easily Extensible Systems, Octave, Input Formats, SOA.

Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.

Compressed Abstract Syntax Trees as Mobile Code Christian H. Stork Vivek Haldar University of California, Irvine.

Virtual Machines, Interpretation Techniques, and Just-In-Time Compilers Kostis Sagonas

PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.

Create your futurewww.utdallas.edu Erik Jonsson School of Engineering and Computer Science FEARLESS Engineeringwww.utdallas.edu A M ODEL -C HECKING I N.

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

Preserving User Privacy from Third-party Applications in Online Social Networks Yuan Cheng, Jaehong Park and Ravi Sandhu Institute for Cyber Security University.

A Lattice Model of Secure Information Flow By Dorothy E. Denning Presented by Drayton Benner March 22, 2000.

SASI Enforcement of Security Policies : A Retrospective* PSLab 오민경.

SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.

PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.

Introduction to Computer Programming Concepts M. Uyguroğlu R. Uyguroğlu.

1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.

1 Jay Ligatti (Princeton University); joint work with: Lujo Bauer (Carnegie Mellon University), David Walker (Princeton University) Enforcing Non-safety.

Security of Digital Signatures

Building Systems That Flexibly Control Downloaded Executable Content

New Research in Software Security

Software Security.

CSC-682 Advanced Computer Security

Presentation transcript:

ActionScript In-lined Reference Monitoring in Prolog Meera Sridhar and Kevin W. Hamlen The University of Texas at Dallas January 18, 2010 Supported by a grant from AFOSR PADL 2010 Madrid, Spain

Reference Monitors 1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog 2 OS/VM R EFERENCE M ONITOR grant/denyevent Examples: file system permissions memory safety Disadvantages: —changing the policy requires changing the OS/VM —difficult to enforce finer-grained policies such as “No modifications to files ending in.exe” UNTRUSTED CODE

In-lined Reference Monitors [Schneider] 1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog 3 OS/VM R EFERENCE M ONITOR grant/denyevent UNTRUSTED CODE  enforce safety policies by injecting runtime security guards directly into untrusted binaries o guards test whether the impending operation constitutes a policy violation, and if so some corrective action is taken  maintain history of security-relevant events  Advantages: o No need to modify the OS/VM o enforce richer policies: e.g., no network sends after file reads o more flexible: code recipient can specify security policy  Examples: SASI [Erlingsson, Schneider], Java-MAC [Kim et al], Java-MOP [Chen, Rosu], Polymer [Bauer, Ligatti, Walker], ConSpec [Aktug, Naliuka], MoBILe [Hamlen, Morrisett, Schneider]

IRM Implementation Challenges —must be fairly light-weight because it runs on the code- consumer side —binary code parsing and binary code generation are tedious and error-prone —IRM must elegantly implement many AST analyses and code-motion optimizations during rewriting — needed to preserve policy-compliant programs and generate efficient code —generated code should be amenable to formal verification (PCC[Necula & Lee], MoBILe[Hamlen, Morrisett, Schneider], and our recent work on Model-Checking IRMs [Sridhar & Hamlen, VMCAI 2010]) 1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog 4

An ActionScript Bytecode IRM system in Prolog 1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog 5 approximately: —400 lines of rewriter code per security policy family —900 lines of shared parser/generator code —2000 of verifier code

The Prolog Advantage Prolog turns out to be a surprisingly elegant language in which to implement IRM's! —DCG's facilitate binary parser implementation. —Reversible predicates combine the parser and code-generator into one piece of code! —AST's are very elegantly represented and manipulated as Prolog structures. —A Prolog implementation of binary rewriting is isomorphic to a search for a correctness proof. This is excellent for integration with a certifying IRM system (Model-Checking IRMs [Sridhar & Hamlen]) or a PCC system [Necula & Lee]. 1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog 6

Application: Preventing malicious URL-redirections Adobe’s very real problem: -anyone can write a malicious ABC ad applet and float them around -ad-distributor doesn’t have a good way of pre-checking these since they might change dynamically 1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog 7

Application: Preventing malicious URL-redirections Solution: Use an IRM framework! – URL-redirections are implemented in ActionScript Bytecode by the navigateToURL system call – let’s say we have a method checkURL, with a trusted implementation provided by the ad- distributor checkURL validates the input to navigateToURL, and may depend on dynamic information 1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog 8

Application: Preventing malicious URL-redirections Solution (contd.): – insert a call to checkURL(s) before a call to navigateToURL(s) directly into bytecode – naïve approach – insert checkURL before every navigateToURL, but for efficiency reasons might want to pre- validate string – fits the Flash/AIR model perfectly, because security- enforcement done at code-consumer end, and code-producer (ad-creator) need not be trusted at all! 1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog 9

A couple other real-world policies postok policy: sanitizes strings entered into message box widgets This can be helpful in preventing cross-site scripting attacks, privacy violations, and buffer-overflow exploits that affect older versions of the ActionScript VM. We enforced the policy on the Posty AIR application, which allows users to post messages to social networking sites such as Twitter, Jaiku, Tumblr, and Friendfeed. 1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog 10

A couple other real-world policies flimit policy enforces a resource bound that disallows the creation of more than n files on the user's machine enforced this policy on the FedEx Desktop AIR application, which continuously monitors a user's shipment status and sends tracking information directly to his or her desktop IRM implements the policy by injecting a counter into the untrusted code that tracks file creations 1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog 11

Implementation and Results Details for more details, please visit my website: 1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog 12

Conclusion slide —IRM’s provide a more sophisticated security enforcement mechanism than traditional means. — Prolog provides a very elegant solution to typical IRM implementation challenges. —We implemented a prototype IRM system for ActionScript bytecode. —We demonstrated the feasibility of our solution by enforcing several real-world policies. 1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog 13

Selected Citations 1.B. W. DeVries, G. Gupta, K. W. Hamlen, S. Moore, and M. Sridhar. ActionScript Bytecode Verification with Co-logic Programming. In Proc. of the ACM SIGPLAN Workshop on Prog. Languages and Analysis for Security (PLAS), K. W. Hamlen, G. Morrisett, and F. B. Schneider. Computability Classes for Enforcement Mechanisms. In ACM Trans. Prog. Languages and Systems, F. B. Schneider. Enforceable Security Policies. ACM Trans. Information and System Security, 3:30–50, M. Sridhar and K. W. Hamlen. Model-checking In-lined Reference Monitors. In Proc. Intl. Conf. on Verification, Model-Checking and Abstract Interpretation, /18/ Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog