Poly stop a hacker David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Language-Based Security
language-based security mechanisms protect a host from untrusted applications by analyzing or modifying application behavior
–static mechanisms (analysis at link time): type checking, proof checking, abstract interpretation
–dynamic mechanisms (analysis at run time): access-control lists, stack inspection, capabilities

Program Monitors
A program monitor is a computation that runs in parallel with an untrusted application
–monitors detect, prevent, and recover from application errors at run time
–monitor decisions may be based on execution history
–we assume monitors have no knowledge of future application actions

Program Monitors: Good Operations
[Diagram: the application issues fopen(); the monitor lets it through]

Program Monitors: Bad Operations
[Diagram: the application issues fopen(); the monitor answers halt!]

Program Monitors: Options
A program monitor may do any of the following when it recognizes a dangerous operation:
–halt the application
–suppress (skip) the operation but allow the application to continue
–insert (perform) some computation on behalf of the application

Past Research
Program monitors have a lengthy history in the systems community
–OS kernels: use hardware support; secure a fixed system-call interface
–mobile code architectures and safe languages (Java, CLR): more complex interactions between applications; a more diverse set of interfaces to secure; a more diverse set of policies necessary

The Polymer Project
Theoretical analysis of the range of policies enforceable at run time
Definition and implementation of a high-level policy language
–incorporate types, modularity and high-level programming techniques
Formal semantics and tools for reasoning about policies

Today: Polymer the Language
Polymer via Pictures
–simple policies
–complex policies
Polymer semantics
–monadic structure
–types
Polymer discussion
–implementation, related and future work

What is in a run-time security policy?
Policy-relevant actions
–method calls, get/set state, raise exception
Security-relevant state
–inaccessible to the application program
Decision procedure
–does the current action satisfy the policy in the current state?
–if not, what supplementary action must be taken?

Example: Access Control
[Diagram: Access Control Monitor (ACM); actions: fopen, fclose, getc, putc; state: acl; computation: acl lookup]

Example: Deadlock Prevention
[Diagram: Deadlock Prevention Monitor (Deadlock); actions: acquire, release; state: locks held; computation: locking protocol]

Security in Complex Systems
Restating the obvious:
–it's hard to secure complex systems against the determined attacker
Design goal:
–prepare for mistakes
–be ready for change
Mechanisms:
–modularity
–highly structured and parameterized policies

Security in Complex Systems
Polymer Mechanisms
–high-level policy combinators: conjunctive policies, disjunctive policies
–modularity mechanisms from modern languages (eg: ML): hierarchical policies, parameterized policies, higher-order policies

Parallel Conjunctive Policies
[Diagram: Application → ResourceMgr, which combines Deadlock and ACM by a conjunctive decision]

Parallel Conjunctive Policies
two independent parallel processes decide whether an action is allowed
–both say okay ==> application goes ahead
–either says halt ==> application halts
–one says okay and the other does not care about this action ==> application goes ahead
example:
–resourceMgr = ACM AND Deadlock

Policy Combinators
Conjunctive policies narrow the set of acceptable program action sequences
Disjunctive policies widen the set of acceptable program action sequences

Parallel Disjunctive Policies
[Diagram: Application → ACM++, which combines ACM and Authenticated ACM by a disjunctive decision]

Parallel Disjunctive Policies
two independent parallel processes decide whether an action is allowed
–either says okay ==> application goes ahead
–both say halt ==> application halts
–one says okay and the other does not care about this action ==> application goes ahead
example:
–ACM++ = ACM OR AuthenticatedACM
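The AND and OR voting rules of the two previous slides, as an added example that is not Polymer's own code: the monitors `acm`, `authenticated_acm` and `deadlock`, their ACL, lock order and held-lock state are constructed stand-ins for the slides' ACM, AuthenticatedACM and Deadlock, and the case "one halts, the other does not care" under OR is treated as halt, which the slides leave implicit.

```python
# Added example (not the Polymer project's own code): the parallel AND / OR
# combinators described on the slides, over three-valued monitor decisions.
# The ACM, Deadlock and AuthenticatedACM monitors and their state are
# constructed for illustration; an action is a (name, args) tuple.
OK, HALT, DONT_CARE = "ok", "halt", "dont_care"


def acm(action, acl):
    """Access-control monitor: decides fopen by an ACL, ignores other actions."""
    name, args = action
    if name != "fopen":
        return DONT_CARE
    path, mode = args
    return OK if mode in acl.get(path, set()) else HALT


def authenticated_acm(action, authenticated):
    """Allows any fopen once the caller has authenticated (constructed policy)."""
    if action[0] != "fopen":
        return DONT_CARE
    return OK if authenticated else HALT


def deadlock(action, held, order):
    """Deadlock prevention: locks must be acquired in one fixed global order."""
    name, args = action
    if name != "acquire":
        return DONT_CARE
    rank = order.index(args[0])
    # re-acquiring a lock that is already held is refused as well
    return OK if all(order.index(h) < rank for h in held) else HALT


def parallel_and(*policies):
    """Both must accept: any halt halts; otherwise ok wins over dont_care."""
    def combined(action):
        votes = [p(action) for p in policies]
        if HALT in votes:
            return HALT
        return OK if OK in votes else DONT_CARE
    return combined


def parallel_or(*policies):
    """Either may accept: any ok proceeds. A halt beside a dont_care is treated
    as halt (assumption; the slides only state the both-halt case)."""
    def combined(action):
        votes = [p(action) for p in policies]
        if OK in votes:
            return OK
        return HALT if HALT in votes else DONT_CARE
    return combined


# resourceMgr = ACM AND Deadlock (constructed ACL, lock order and held set)
ACL = {"/tmp/log": {"r", "w"}, "/etc/passwd": {"r"}}
LOCK_ORDER = ["a", "b", "c"]
resource_mgr = parallel_and(lambda a: acm(a, ACL),
                            lambda a: deadlock(a, held={"a"}, order=LOCK_ORDER))
# ACM++ = ACM OR AuthenticatedACM: an authenticated caller may exceed the ACL
acm_plus_plus = parallel_or(lambda a: acm(a, ACL),
                            lambda a: authenticated_acm(a, authenticated=True))
```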

Chinese Wall Policies
–each application is offered a number of protocol choices
–when the application selects one choice, all other choices become unavailable

Parallel Disjunctive Policies
[Diagram: Application → Chinese Wall Monitor, a disjunctive decision between two sub-policies, "Network, not File" and "File, not Network"]

Complete Mediation
A Crucial Security Principle
–in order to protect a resource, one must mediate all accesses to that resource
Naive composition of policies can lead to violations of complete mediation
–eg: kernelSafety AND deadlock: kernelSafety inserts acquire/release to protect kernel data, while deadlock must see all acquire/release actions

Sequential Conjunction
[Diagram: Application → Resource Manager: kernel safety, then deadlock prevention, combined by a conjunctive decision]

Sequential Conjunction
[Diagram: Application → System Policy: resource manager, then logging/auditing process, combined by a conjunctive decision]

Sequential Disjunction
[Diagram: Application → Disjunctive Monitor making a disjunctive decision]

Today: Polymer the Language
Polymer via Pictures
–simple policies
–complex policies
Polymer semantics
–monadic structure
–types
Polymer discussion
–implementation, related and future work

Formal Language Structure
Derived from the computational lambda calculus [Moggi]
–computations (E): run in parallel with an untrusted application; have effects on the application (halt, suppress, change state, perform application actions, etc.)
–terms (M): an algebra for manipulating suspended computations (ie: policies); do not have effects

Simple Policies
actions (method calls)
–a in A
terms (policies)
–M ::= {actions: A; policy: E} | fun f (x:t) = M | M1 M2 | ...
monitoring computations
–E ::= M | ok; E | sup; E | call (a) | next: E1 done: E2 | do M; E | case * of (A1: E1 | A2: E2) | ...

Memory-Limit Example
    fun mpol(q:int) =
      { actions: malloc;
        policy:
          next: case * of
                  malloc(n): let q' = q - n in
                               if (q' > 0) then ok; do (mpol q')
                               else halt
                             end
          done: () }

Memory-Limit Policy
mpol is a function from integers to policies
to generate a policy we apply our function to an initial memory quota:
–memLimit = mpol 10000

File-Access Example
    fun fpol (files: file list) =
      { actions: fopen, fcloses;
        policy:
          next: case * of
                  fopen(s,m): if (acl s m) then ok; do (fpol (s::files))
                              else sup; do (fpol files)
                | fcloses(l): ...
          done: call (fcloses files) }

File-Access Policy
Once again, we apply our recursive function to an initial argument to get a policy
–fileAccess = fpol []
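The two recursive policies above (mpol and fpol) as an added example in Python, not the Polymer language or the project's own code: a policy is a (next, done) pair instead of a Polymer term, `run` is an assumed driver that feeds it a constructed action trace, and the `acl` predicate passed to `fpol` (only paths under /tmp/ are allowed) is a constructed stand-in for the slide's `acl`.

```python
# Added example (not Polymer's own code): the slides' mpol and fpol written
# as Python closures. A policy is a (next, done) pair: next maps an action to
# (decision, next_policy); done runs when the application finishes and returns
# the actions the monitor performs itself. Actions are (name, args) tuples.
OK, HALT, SUP = "ok", "halt", "sup"


def mpol(q):
    """Memory-limit policy with q bytes left; every malloc(n) spends n of them."""
    def next_(action):
        name, args = action
        if name != "malloc":          # only malloc is regulated here
            return OK, mpol(q)
        q2 = q - args[0]
        if q2 > 0:
            return OK, mpol(q2)       # ok; do (mpol q')
        return HALT, None             # else halt
    return next_, lambda: []          # done: ()


def fpol(files, acl):
    """File-access policy: fopen allowed by acl, else suppressed; open files are
    tracked so that done can close whatever the application left open."""
    def next_(action):
        name, args = action
        if name == "fopen":
            s, m = args
            if acl(s, m):
                return OK, fpol([s] + files, acl)     # ok; do (fpol (s::files))
            return SUP, fpol(files, acl)              # sup; do (fpol files)
        if name == "fcloses":
            return OK, fpol([f for f in files if f not in args[0]], acl)
        return OK, fpol(files, acl)
    return next_, lambda: [("fcloses", (list(files),))]  # done: call (fcloses files)


def run(policy, trace):
    """Drive a policy over an action trace; returns the per-action decisions
    and the actions inserted at exit (none if the application was halted)."""
    decisions = []
    next_, done = policy
    for action in trace:
        decision, policy = next_(action)
        decisions.append(decision)
        if decision == HALT:
            return decisions, []
        next_, done = policy
    return decisions, done()


# memLimit = mpol 10000 and fileAccess = fpol [] as on the slides; the acl
# below (only /tmp is readable or writable) is a constructed stand-in.
mem_limit = mpol(10000)
file_access = fpol([], lambda s, m: s.startswith("/tmp/"))
```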

Policy Types
types
–t ::= int | () | t1 x t2 | t1 + t2 | t1 -> t2 | M t
examples:
–mpol : int -> M ()
–memLimit : M ()
a simple type system prevents standard sorts of errors

Parallel Conjunctive Policies
A parallel conjunctive policy is a suspended computation that returns a pair of values
Types:
–if P1 : M t1 and P2 : M t2 then P1 AND P2 : M (t1 x t2)
–Curry-Howard strikes again!
Trivial policy T is the identity for AND
–T : M ()

Parallel Disjunctive Policies
A parallel disjunctive policy is a suspended computation that returns a sum
Types:
–if P1 : M t1 and P2 : M t2 then P1 OR P2 : M (t1 + t2)
The unsatisfiable policy is the identity for OR
–it has type M void

Complete Mediation Failure
[Diagram: the application issues foo() to a monitor composed of an auditing process and deadlock]

Conflicting Policies
[Diagram: the application issues foo(); one sub-policy answers ok, the other sup, and the monitor's combined decision is "?"]

Types and Effects
We synthesize the effects of a computation
–the effects = the actions that may be inserted or suppressed by a computation
P1 AND P2 is well-formed when
–the effects of P1 are disjoint from the regulated set of P2 and vice versa
effect analysis
–ensures complete mediation for parallel policies
–provides flexibility in sequential policies
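The well-formedness condition above, as an added example that is not Polymer's type-and-effect system: policy signatures are represented as plain sets, the kernelSafety/deadlock clash from the Complete Mediation slide is rebuilt from constructed action names (`kread`, `kwrite` are invented), and `sequential_and_ok` encodes one reading of the "flexibility in sequential policies" point (the second policy sees what the first inserts, so only the first policy's regulated set can be bypassed), which is an assumption, not something the slides state.

```python
# Added example (not Polymer's own code): the well-formedness check for
# parallel conjunction stated on the slide, run over constructed policy
# signatures. A signature records the actions a policy regulates and its
# effects: the actions it may insert or suppress. Action names are invented.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sig:
    name: str
    regulated: frozenset
    inserts: frozenset = frozenset()
    suppresses: frozenset = frozenset()

    @property
    def effects(self):
        return self.inserts | self.suppresses


def parallel_and_ok(p1, p2):
    """P1 AND P2 is well-formed iff effects(P1) and regulated(P2) are disjoint
    and vice versa. Returns (well_formed, actions that would escape mediation)."""
    clash = (p1.effects & p2.regulated) | (p2.effects & p1.regulated)
    return not clash, set(clash)


def sequential_and_ok(first, second):
    """Assumed reading of the sequential case: the second policy sees every
    action the first inserts, so only the first policy's regulated set can be
    bypassed, by the second policy's effects."""
    clash = second.effects & first.regulated
    return not clash, set(clash)


# kernelSafety inserts acquire/release around kernel data (kread/kwrite are
# constructed names); deadlock regulates exactly those lock actions.
KERNEL_SAFETY = Sig("kernelSafety", regulated=frozenset({"kread", "kwrite"}),
                    inserts=frozenset({"acquire", "release"}))
DEADLOCK = Sig("deadlock", regulated=frozenset({"acquire", "release"}))
# the ACM regulates file actions and may suppress a denied fopen
ACM = Sig("acm", regulated=frozenset({"fopen", "fclose", "getc", "putc"}),
          suppresses=frozenset({"fopen"}))
```

Running the check on the slide's own pair reproduces the complete-mediation failure: kernelSafety AND deadlock is rejected in parallel because the inserted acquire/release never reach deadlock, while ACM AND deadlock is accepted.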

Today: Polymer the Language
Polymer via Pictures
–simple policies
–complex policies
Polymer semantics
–monadic structure
–types
Polymer discussion
–implementation, related and future work

Implementation Architecture
[Diagram: Java application + policy (policy interface, policy implementation) → instrumented application → secure application]

Implementation Progress
work so far:
–simple policies with basic features (ok, sup, pattern matching, case, Java base)
–higher-order policies and policy combinators
future work:
–networking applications
–further combinators
–type and effect system
–dynamic policy updates

Related Work
Aspect-oriented programming
–Polymer is a domain-specific aspect-oriented programming language
–New features: an aspect algebra with novel combinators; a new approach to aspect collision (types and effects); formal semantics as an extension of Moggi's computational lambda calculus
–see also Wand et al.'s semantics for aspects

Related Work
Monitoring languages
–General-purpose languages/systems for monitoring applications: Poet and Pslang, Naccio, Ariel, Spin Kernel
–Logical monitoring specifications: MAC (temporal logic), Bigwig (second-order monadic logic)

Summary: Polymer
First steps towards the design of a modern language for programming modular run-time security monitors
References
–FCS '02 (expressible and inexpressible policies)
–Princeton TR (Polymer semantics)

End