More Enforceable Security Policies Lujo Bauer, Jay Ligatti and David Walker Princeton University (graciously presented by Iliano Cervesato)

Presentation transcript:


FCS 02, Bauer, Ligatti, Walker

Language-Based Security
Language-based security mechanisms operate by analyzing and modifying program behavior
– static mechanisms (analysis at link time): type checking, proof checking, abstract interpretation
– dynamic mechanisms (analysis at run time): access control lists, stack inspection, capabilities

Program Monitors
A program monitor is a computation that runs in parallel with an untrusted application
– monitors detect, prevent, and recover from application errors at run time
– monitor decisions may be based on the history of all actions an application has executed
– we assume monitors have no knowledge of future application actions

Program Monitors: Good operations
(diagram: Application, Monitor, the action foo)

Program Monitors: Bad operations
(diagram: Application, Monitor, the action foo, the monitor's response: halt!)

Program Monitors: Options
A program monitor may do any of the following when it recognizes a dangerous operation:
– abort the application
– suppress (skip) the operation but allow the application to continue
– perform some computation on behalf of (against the wishes of) the application

This paper
Formalizes the notion of a program monitor by providing operational semantics for
– security automata [Schneider 00]
– insertion automata
– suppression automata
– edit automata

This paper
Begins to address the fundamental question of what run-time security policies can be enforced by program monitors
– security automata are the least powerful
– suppression and insertion automata are more powerful than security automata but incomparable
– edit automata are the most powerful
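The four monitor kinds on the two slides above differ only in which responses they may give to an action. The following is an added illustration, not code from the paper or from Polymer: a small history-based monitor whose policy function returns one of the four decisions, plus two constructed example policies (a security automaton that halts, and an edit automaton over the same actions that suppresses and inserts instead). The action names and the "no send after reading a secret" rule are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Decisions available to each automaton kind on the slides:
#   security automaton   : ACCEPT or HALT
#   suppression automaton: ACCEPT, HALT or SUPPRESS (skip the action)
#   insertion automaton  : ACCEPT, HALT or INSERT (run actions on the app's behalf)
#   edit automaton       : all of the above
ACCEPT, HALT, SUPPRESS, INSERT = "accept", "halt", "suppress", "insert"

Decision = Tuple[str, List[str]]  # (decision, actions to insert before `action`)


@dataclass
class Monitor:
    # The policy sees only the history so far and the current action:
    # no knowledge of future application actions, as the slides assume.
    policy: Callable[[List[str], str], Decision]
    history: List[str] = field(default_factory=list)

    def run(self, actions: List[str]) -> List[str]:
        """Mediate the application's action stream; return what actually ran."""
        executed: List[str] = []
        for action in actions:
            decision, inserted = self.policy(self.history, action)
            if decision == HALT:
                break                      # abort the application
            if decision == INSERT:
                executed.extend(inserted)  # computation on the app's behalf
                self.history.extend(inserted)
            if decision != SUPPRESS:
                executed.append(action)    # ACCEPT or INSERT: action goes through
            self.history.append(action)    # history records every attempted action
        return executed


def halting_policy(history: List[str], action: str) -> Decision:
    # Security automaton (constructed): a send after reading a secret aborts the app.
    if action == "send" and "read_secret" in history:
        return HALT, []
    return ACCEPT, []


def editing_policy(history: List[str], action: str) -> Decision:
    # Edit automaton (constructed): suppress the leaking send but keep the app
    # running, and insert a "close" before "exit" if a file is still open.
    if action == "send" and "read_secret" in history:
        return SUPPRESS, []
    if action == "exit" and history.count("open") > history.count("close"):
        return INSERT, ["close"]
    return ACCEPT, []
```

Running both monitors over the constructed trace `["open", "read_secret", "send", "exit"]` shows the difference in enforcement power: the security automaton truncates the run, while the edit automaton yields `["open", "read_secret", "close", "exit"]`.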

Current Work
We are currently developing a programming language called Polymer
– Polymer allows programmers to define higher-order, first-class and modular program monitors
– Polymer has logical combinators ( ⊤ ⋀ ⊥ ⋁ ) that allow programmers to build complex policies from simple ones
– Polymer provides security against untrusted Java applications

Conclusions
There are two equally important aspects of language-based security
– static program analysis
– dynamic program analysis
Most of the research in the programming languages community has focused on the first at the expense of the second
– we plan to fix this!