Modular Program Monitors
David Walker, Princeton University (joint work with Lujo Bauer and Jay Ligatti)
Modular Run-time Program Monitors – David Walker

Program Monitors
A program monitor is a coroutine that runs in parallel with an untrusted application
– monitors process security-relevant actions
  – decide to allow/disallow application actions
  – may terminate or suspend application execution
– monitors detect, prevent, and recover from erroneous or malicious applications at run time
Simple Monitor Structure
Monitors have 3 components
– set of security-relevant application actions
– security state
– computation
[Figure: an Access Control Monitor – actions: fopen, fclose; state: acl; computation: acl lookup]
Polymer Project
Polymer
– An extension of Java designed to simplify construction of run-time program monitors
Design methodology
– A formula for producing well-structured, easy-to-understand, easy-to-modify monitors
Policy Architecture: The Problem
[Figure: layers – Java core; Polymer language extensions; Host System (Java); Program Monitor Definition; Untrusted application]
Policy Architecture: Simple Policies
[Figure: layers – Java core; Polymer language extensions; Host System (Java); Simple Policy Def., written against the system interface]
A Simple Polymer Policy

    class limitFiles extends Policy {
      private int openFiles = 0;              // private policy state, protected from malicious applications
      private int maxOpen = 0;
      limitFiles(int max) { maxOpen = max; }  // policy constructor
      ....
    }
A Simple Polymer Policy Continued

    class limitFiles extends Policy {
      private int openFiles = ...
      private int maxOpen = ...
      private ActionSet actions = new ActionSet(   // set of policy-relevant methods
          new String[] {"fileOpen(String)", "fileClose()"} );
      ....
    }
A Simple Polymer Policy Continued

    class limitFiles extends Policy {
      private ActionSet actions = ...
      private int openFiles = ...
      private int maxOpen = ...
      Suggestion step(Action a) {                  // policy behaviour
        aswitch (a) {
          case fileOpen(String s) :
            if (++openFiles <= maxOpen) return Suggestion.OK();
            else return Suggestion.Halt();
          case fileClose() : ...
Realistic Monitors
Protect complex system interfaces
– interfaces replicate functionality in many different places
– method parameters communicate information in different forms
– eg: Java file system interface
  – 9 different methods to open files
  – 4 different methods to close files
  – filename strings, file objects, self used to identify files
Policy Architecture: Abstract Actions
[Figure: layers – Java core; Polymer language extensions; Host System (Java); Abstract Action Def., which turns the concrete system interface into an abstract system interface; Simple Policy Def. written against the abstract interface]
Abstract Action Definitions
Concrete methods (java.lang.io) mapped to abstract actions:
– FileReader(String fileName); FileReader(File file); RandomAccessFile(...); ... → fileOpen(String n);
– FileReader.close(); RandomAccessFile.close(); ... → fileClose();
Realistic Monitors
Combine simple policies defined over a variety of different resources
– eg: sample applet policy
  – file system access control
  – bounds on bytes written and number of files opened
  – restricted network access
    – no access after file system read
    – communication with applet source only
Policy Architecture: Complex Policies
[Figure: layers – Java core; Polymer language extensions; Host System (Java); Abstract Action Def. (concrete system interface → abstract system interface); Simple Policy Def.; Policy Comb. Def.; together forming a Complex, System-specific Policy]
Policy Combinators
Conjunction, Disjunction, Chinese wall, ...
[Figure: Conjunctive Policy – sub-policies P1 (state s1) and P2 (state s2) combined into one policy with state s]
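As an added example (not the Polymer project's own code, which is a Java extension with aswitch and Suggestion), the architecture of the preceding slides modelled in plain Python: an abstract-action layer that collapses concrete Java entry points onto fileOpen/fileClose, the limitFiles policy, the applet rule "no network access after file system read", and a conjunctive combinator feeding a monitor loop. The concrete method names, the netConnect action and the decrement on fileClose are assumptions.

```python
from collections import namedtuple
OK, HALT = "OK", "Halt"   # the monitor's suggestions: allow, or terminate the application
Action = namedtuple("Action", "name args")  # abstract action, e.g. Action("fileOpen", ("a.txt",))

# Abstract action definitions: several concrete Java entry points collapse onto one
# abstract action, so the simple policies below never see the concrete interface.
ABSTRACT_ACTIONS = {
    "java.io.FileReader.<init>(String)": "fileOpen",
    "java.io.RandomAccessFile.<init>(String,String)": "fileOpen",
    "java.io.FileReader.close()": "fileClose",
    "java.io.RandomAccessFile.close()": "fileClose",
    "java.net.Socket.<init>(String,int)": "netConnect",  # assumed, not from the slides
}

def abstract(method, *args):
    """Map a concrete call to an abstract Action, or None if it is not policy-relevant."""
    name = ABSTRACT_ACTIONS.get(method)
    return Action(name, args) if name else None

class LimitFiles:  # the slides' limitFiles; decrementing on fileClose is an assumption
    actions = frozenset({"fileOpen", "fileClose"})
    def __init__(self, max_open):
        self.max_open, self.open_files = max_open, 0  # private policy state
    def step(self, a):
        if a.name == "fileOpen":
            self.open_files += 1
            return OK if self.open_files <= self.max_open else HALT
        self.open_files = max(0, self.open_files - 1)
        return OK

class NoNetAfterRead:  # sample applet rule: no network access after a file system read
    actions = frozenset({"fileOpen", "netConnect"})
    read_files = False
    def step(self, a):
        if a.name == "fileOpen":
            self.read_files = True
            return OK
        return HALT if self.read_files else OK

class Conjunction:  # policy combinator: allow only if every interested sub-policy allows
    def __init__(self, *policies):
        self.policies, self.actions = policies, frozenset().union(*(p.actions for p in policies))
    def step(self, a):
        return HALT if HALT in [p.step(a) for p in self.policies if a.name in p.actions] else OK

def run_monitor(policy, trace):
    """Return the index of the call on which the monitor halts, or None if all are allowed."""
    for i, (method, args) in enumerate(trace):
        a = abstract(method, *args)
        if a is not None and a.name in policy.actions and policy.step(a) == HALT:
            return i
    return None
```

A trace is a list of (concrete method, argument tuple) pairs; calls that no abstract action definition covers are ignored by the monitor.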
Related Work
Aspect-oriented programming
– New Polymer features: first-class suggestions, abstract actions, action patterns, policy combinators, policy architecture, formal semantics
Monitoring languages
– Poet and Pslang, Naccio, Ariel, Spin Kernel
Logical monitoring specifications
– MAC (temporal logic), Bigwig (second-order monadic logic)
Summary: Polymer
First steps towards the design of a modern language for programming modular run-time security monitors
For future software releases & papers see –
End