Not for public release. Efficient Code Certification for Open Firmware. Matt Stillerman, PhD, Odyssey Research Associates, 33 Thornwood Drive, Suite 500, Ithaca, NY
Slide 1: Efficient Code Certification for Open Firmware
Matt Stillerman, PhD
Odyssey Research Associates, 33 Thornwood Drive, Suite 500, Ithaca, NY
OASIS PI Meeting, Santa Fe NM, July 25, 2001
Not for public release

Slide 2: Collaborators
- Dexter Kozen, Cornell University
- Thomas Merritt, CodeGen, Inc.
(Footer on every slide: Odyssey Research Associates, Not for public release, 7/25/2001, SL)

Slide 3: Problem: Malicious Firmware
- Information systems are vulnerable when booting: security measures are not started yet.
- Boot software runs in a very privileged mode; it can "do anything."
- This vulnerability would be exploited by inserting malicious code into the boot program (firmware).
Odyssey's solution: BootSafe will detect all non-TCB firmware programs with the potential to violate the security policy, at boot time, before they run.

Slide 4: Why worry about boot firmware?
The boot program:
- tells the operating system about the hardware configuration. It could lie (e.g. "Here is an approved cryptographic device.").
- initializes all hardware devices. It could operate those devices maliciously, fail to initialize them, or damage them (e.g. "It's time to erase all keys.").
- loads the operating system. It could hack the OS, and is thus capable of disabling, circumventing, or subverting all trusted host software (e.g. substituting a spoofed version of the login module for the real one).

Slide 5: Practical, Exploitable Weakness
- Within the means of a nation-state or well-funded organization.
- Several routes for insertion of malicious code:
  - Firmware patches and upgrades
  - Device drivers for peripheral devices
  - The console boot prompt gives full access to an interpreter.
- The user/administrator community is generally not aware of this danger; systems are wide open to arbitrary harm.

Slide 6: Expected Benefits of BootSafe
- Directly detects what users care about: potential violations of the security policy.
- Malicious code is identified before it runs.
- Code is rechecked before each boot cycle.
- All trust resides in end-user systems.
- Can accept code updates from untrusted suppliers.
- End-user gains well-founded trust without source code.
- Complements code-signing integrity approaches.
- Based on a rigorous formal analysis, thus can achieve high assurance.

Slide 7: Scope: Open Firmware
BootSafe will detect malicious code in Open Firmware-based systems.
- Open Firmware is a widely used standard "platform" for boot firmware (IEEE-1275).
- Standardizes the execution environment, the device API, the operating system API, and the user interface.
- Popular because it enables reusability and portability of boot code.
- Used by Sun Microsystems, Apple, and many embedded system vendors.
- Used in DoD and US Government information systems.

Slide 8: Forth-based Solution
[Diagram; box labels: Software Developer: Forth source program, certifying tokenizer, Fcode programs, certificate. Open Firmware Boot Host / BootSafe: Verifier, Fcode interpreter, Fcode programs, other software.]

Slide 9: Java-based Solution
[Diagram; box labels: Firmware Developer: Java program, javac, JVM bytecode, J2F certifying compiler, Fcode, certificate. ROM storage.]

Slide 10: Fcode Loading and Verification
[Diagram; box labels: ROM storage, Fcode programs, certificate, Boot program, Fcode "loading", Verifier, Fcode interpreter, other software.]

Slide 11: Advantages of Java
- Java is strongly typed.
  - Java bytecode is strongly typed, so typing can be carried down to Fcode as type annotations that reflect the Java typing.
  - Fcode verification mimics Java bytecode verification.
- Open Firmware is naturally object-oriented.
  - The device tree has a natural object-oriented inheritance structure, so templates with general functionality can be provided for each device type and then subclassed.
  - Static/instance structure is already present in Open Firmware.

Slide 12: Advantages of Java (continued)
Thus our security policy will be expressed very naturally in terms of Java, as:
- Type checking.
- Safety of the Java namespace: non-malleable class definitions.
- Requirement to implement specific standard interfaces.
- Liberal use of final and private attributes.
- Restrictions on lexical references.

Slide 13: First Level Policy: Type Safety
- Memory safety
- Control flow
- Stack safety
Compiling down from a type-safe language ensures this. Enforced in Fcode by the analog of Java bytecode verification.
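The slide says Fcode is checked by "the analog of Java bytecode verification": the checker never runs the program, it abstractly interprets the stack at every instruction and refuses code that could underflow the stack, fetch or store through a non-address, or reach a join point with different stack shapes on different paths. The block below is an added illustration written for this page, not BootSafe's verifier or any Open Firmware tokenizer output. It uses a constructed toy word set (lit, addr, dup, drop, swap, +, @, !, 0branch, branch, exit) and constructed sample programs; the word names are borrowed from Forth but the instruction encoding and the type lattice (int, addr, top) are assumptions made for the example.

```python
"""Toy verifier for a Forth-like stack bytecode (constructed example)."""

# Abstract value types tracked by the verifier.  'top' is the join of
# 'int' and 'addr': a value whose type differs between incoming paths.
INT, ADDR, TOP = "int", "addr", "top"

# Stack effects of the arithmetic/memory words: (types popped, types pushed).
# Popped types are listed bottom-to-top, as in a Forth stack comment.
EFFECTS = {
    "+": ([INT, INT], [INT]),
    "@": ([ADDR], [INT]),        # fetch: only through a value typed as an address
    "!": ([INT, ADDR], []),      # store: ( value addr -- )
}


def apply_word(op, arg, stack, pc, errors):
    """Return the abstract stack after one word, or None on a violation."""
    stack = list(stack)
    if op == "lit":
        return stack + [INT]
    if op == "addr":
        return stack + [ADDR]
    if op == "dup":
        if not stack:
            errors.append(f"pc {pc}: dup on empty stack"); return None
        return stack + [stack[-1]]
    if op == "drop":
        if not stack:
            errors.append(f"pc {pc}: drop on empty stack"); return None
        return stack[:-1]
    if op == "swap":
        if len(stack) < 2:
            errors.append(f"pc {pc}: swap needs two items"); return None
        return stack[:-2] + [stack[-1], stack[-2]]
    if op in EFFECTS:
        pops, pushes = EFFECTS[op]
        if len(stack) < len(pops):
            errors.append(f"pc {pc}: stack underflow in '{op}'"); return None
        for want, got in zip(pops, stack[len(stack) - len(pops):]):
            if got != want:   # a 'top' value is never acceptable as a typed operand
                errors.append(f"pc {pc}: '{op}' expected {want}, found {got}")
                return None
        return stack[:len(stack) - len(pops)] + list(pushes)
    if op == "0branch":          # conditional branch consumes an int flag
        if not stack or stack[-1] != INT:
            errors.append(f"pc {pc}: 0branch needs an int flag"); return None
        return stack[:-1]
    if op in ("branch", "exit"):
        return stack
    errors.append(f"pc {pc}: unknown word '{op}'")
    return None


def verify(program, final_stack=()):
    """Abstractly interpret PROGRAM; return the list of violations (empty = OK).

    PROGRAM is a list of (word, argument) pairs; branch arguments are absolute
    instruction indices.  As in the Java verifier, each instruction is analysed
    with the join of the stacks on all paths reaching it, iterated to a fixed
    point, so every control-flow path is covered without executing anything.
    """
    errors = []
    seen = {0: []}                 # pc -> abstract stack on entry
    work = [0]
    while work:
        pc = work.pop()
        if not 0 <= pc < len(program):
            errors.append(f"pc {pc}: control reaches outside the program")
            continue
        op, arg = program[pc]
        after = apply_word(op, arg, seen[pc], pc, errors)
        if after is None:
            continue
        if op == "exit":
            if after != list(final_stack):
                errors.append(f"pc {pc}: exit with stack {after}, expected {list(final_stack)}")
            continue
        succs = [arg] if op == "branch" else [pc + 1]
        if op == "0branch":
            succs.append(arg)
        for nxt in succs:
            if nxt not in seen:
                seen[nxt] = after
                work.append(nxt)
                continue
            old = seen[nxt]
            if len(old) != len(after):
                errors.append(f"pc {nxt}: stack depth differs between paths ({len(old)} vs {len(after)})")
                continue
            joined = [a if a == b else TOP for a, b in zip(old, after)]
            if joined != old:       # a path brought new information: re-analyse
                seen[nxt] = joined
                work.append(nxt)
    return list(dict.fromkeys(errors))


# Constructed samples.  GOOD is the Forth idiom "reg @ 1 + reg !" with a ( -- ) effect.
GOOD = [("addr", "reg"), ("@", None), ("lit", 1), ("+", None),
        ("addr", "reg"), ("!", None), ("exit", None)]
# Stores through a plain integer used as an address: memory safety violation.
BAD_ADDR = [("lit", 7), ("lit", 0x1000), ("!", None), ("exit", None)]
# One path pushes an extra item before the join at pc 4: stack safety violation.
BAD_JOIN = [("lit", 0), ("0branch", 4), ("lit", 1), ("branch", 4), ("exit", None)]
```

Running `verify(GOOD)` returns an empty list, `verify(BAD_ADDR)` reports the ill-typed store at pc 2, and `verify(BAD_JOIN)` reports the depth mismatch at pc 4; the join-and-iterate loop is what lets a certificate-free verifier reject the second and third programs without guessing which branch the hardware would take.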

Slide 14: Second Level Policy: Device Encapsulation
Each physical device may only be accessed through its device driver using the published driver interface.
- Each device driver interface conforms to the standard.
- No additional public interface is defined.
- No external access to internal methods or data structures of the device driver.
- All calls to driver interface methods are well-formed.

Slide 15: Third Level Policies
Threat categories they address:
- Malicious inter-device access
- Resource exhaustion
- Incorrect device alias or name
- Malformed device tree
- Corruption of the operating system
  - as it is loaded
  - as it runs
- Wrong OS boot device

Slide 16: Preventing Malicious Inter-device Access
- Allow only plausible forms of access, by device type.
- Enforce additional site-specific restrictions on inter-device access.
- Enforcement:
  - Check explicit calls in device driver code against policy.
  - Restrict "dynamic" inter-device calls where the target or method is computed in a non-obvious way.
  - Mediate calls by a run-time check. Verify that the correct enforcement code (boiler-plate) is in place.
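Slides 14 and 16 together describe a static policy check over driver code: every driver exposes exactly the standard interface for its device type, no caller reaches a driver's internals, every call is well-formed, cross-device calls are limited to plausible type pairs plus site-specific restrictions, and calls whose target is computed at run time are not accepted statically. The block below is an added example written for this page, not BootSafe's policy checker; the "standard" interface table, the device types, the allowed type pairs, the site rule and the driver/call records are all constructed stand-ins (Open Firmware's real method set is not reproduced here), chosen only to show how each of the slide's bullets becomes a check.

```python
"""Device-encapsulation and inter-device access policy check (constructed example)."""
from collections import namedtuple

Driver = namedtuple("Driver", "name dtype public internal")
Call = namedtuple("Call", "caller callee method nargs")   # callee None: computed target

# Stand-in for "the standard": published methods per device type, with arity.
STANDARD = {
    "block":   {"open": 0, "close": 0, "read": 3, "write": 3, "seek": 2},
    "network": {"open": 0, "close": 0, "read": 2, "write": 2},
    "bus":     {"dma-alloc": 1, "dma-free": 2, "map-in": 3},
}
# Plausible inter-device access by type (caller type -> callee type).
ALLOWED_BY_TYPE = {("block", "bus"), ("network", "bus")}
# Site-specific restriction layered on top: (caller type, callee type, method).
SITE_DENY = {("network", "bus", "dma-alloc")}


def check_interfaces(drivers):
    """Slide 14: each driver publishes the standard interface and nothing more."""
    problems = []
    for d in drivers:
        std = STANDARD.get(d.dtype)
        if std is None:
            problems.append(f"{d.name}: unknown device type '{d.dtype}'")
            continue
        for m in sorted(set(std) - d.public):
            problems.append(f"{d.name}: missing standard method '{m}'")
        for m in sorted(d.public - set(std)):
            problems.append(f"{d.name}: non-standard public method '{m}'")
        for m in sorted(d.public & d.internal):
            problems.append(f"{d.name}: '{m}' is both public and internal")
    return problems


def check_calls(drivers, calls):
    """Slides 14 and 16: every explicit call is to a published method, well-formed,
    and permitted by the type-pair table and the site policy; dynamic calls are rejected."""
    by_name = {d.name: d for d in drivers}
    problems = []
    for c in calls:
        src = by_name[c.caller]
        if c.callee is None:
            problems.append(f"{c.caller}: dynamic call with computed target rejected")
            continue
        if c.callee == c.caller:
            continue                       # a driver may use its own internals
        dst = by_name.get(c.callee)
        if dst is None:
            problems.append(f"{c.caller}: call to unknown device '{c.callee}'")
            continue
        where = f"{c.caller} -> {c.callee}.{c.method}"
        std = STANDARD.get(dst.dtype, {})
        if c.method in dst.internal:
            problems.append(f"{where}: access to internal method")
        elif c.method not in std:
            problems.append(f"{where}: not a published interface method")
        elif c.nargs != std[c.method]:
            problems.append(f"{where}: malformed call, {c.nargs} args, interface takes {std[c.method]}")
        elif (src.dtype, dst.dtype) not in ALLOWED_BY_TYPE:
            problems.append(f"{where}: {src.dtype} device may not access a {dst.dtype} device")
        elif (src.dtype, dst.dtype, c.method) in SITE_DENY:
            problems.append(f"{where}: denied by site policy")
    return problems


# Constructed drivers and call sites, as a static analysis of the driver code would collect them.
DRIVERS = [
    Driver("disk", "block", {"open", "close", "read", "write", "seek"}, {"spin-up", "flush-cache"}),
    Driver("nic", "network", {"open", "close", "read", "write", "promisc"}, set()),
    Driver("scsi", "bus", {"dma-alloc", "dma-free", "map-in"}, {"reset-bus"}),
]
CALLS = [
    Call("disk", "scsi", "dma-alloc", 1),   # plausible: a child device talking to its bus
    Call("disk", "disk", "spin-up", 0),     # a driver's own internal method: fine
    Call("disk", "scsi", "reset-bus", 0),   # reaches into the bus driver's internals
    Call("disk", "scsi", "map-in", 2),      # published method, wrong number of arguments
    Call("nic", "disk", "read", 3),         # implausible cross-device access by type
    Call("nic", "scsi", "dma-alloc", 1),    # plausible by type, denied at this site
    Call("nic", None, "read", 2),           # target computed at run time
]
```

`check_interfaces(DRIVERS)` flags only the extra `promisc` method on `nic`; `check_calls(DRIVERS, CALLS)` accepts the first two calls and reports the remaining five, one per bullet of the slides. The checks are ordered so that a call is reported once, for the most specific reason.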

Slide 17: Status
Phase I SBIR, nearly completed.
- Accomplishments:
  - Forth-based and Java-based approaches
  - Feasibility
  - Architecture
  - Draft security policy
  - J2F program
- Potential:
  - Addresses a real vulnerability
  - Commercially attractive

Slide 18: Eager Java Class Initialization
Eager class loading and initialization would be preferable to Java's lazy class loading policy.
Problem: in what order to initialize classes with cyclic class initializer dependencies.

class A { static int a = B.b + 1; ... }   // a == 2
class B { static int b = A.a + 1; ... }   // b == 1
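The values on the slide (a == 2, b == 1) come from the JVM's lazy rule: initializing A triggers B, B's initializer reads A.a while A is still in progress and sees the default 0, so b becomes 1 and then a becomes 2; starting from B gives the mirror result. An eager initializer has no "in progress" class to fall back on, so it needs a dependency order, and a cycle means no such order exists. The block below is an added example written for this page, not the J2F compiler's code: it models the JVM's lazy semantics for a constructed class table (A and B as on the slide, plus an acyclic C/D pair), records which classes each initializer touched, and searches that graph for a cycle the way an eager scheduler would have to before committing to an order.

```python
"""Lazy vs. eager static-initializer ordering (constructed example)."""

# Each class maps to its static fields as (name, initializer); an initializer
# receives a lookup callback get(class, field), mirroring "B.b" in Java source.
CLASSES = {
    "A": [("a", lambda get: get("B", "b") + 1)],
    "B": [("b", lambda get: get("A", "a") + 1)],
}
ACYCLIC = {
    "C": [("c", lambda get: get("D", "d") * 2)],
    "D": [("d", lambda get: 21)],
}


def lazy_initialize(classes, first):
    """Simulate JVM-style lazy, on-demand class initialization.

    Returns ({"Class.field": value}, {class: set of classes its initializer read}).
    A class whose initialization is already in progress is not re-entered;
    its fields read as the default 0.  That rule is what turns the slide's
    cycle into a == 2, b == 1 instead of an error.
    """
    values, state = {}, {}
    edges = {c: set() for c in classes}

    def get(cls, field, requester):
        edges[requester].add(cls)          # record the dependency for the eager analysis
        initialize(cls)
        return values.get((cls, field), 0)  # 0 if cls is still being initialized

    def initialize(cls):
        if cls in state:                   # done, or in progress further up the stack
            return
        state[cls] = "in-progress"
        for name, init in classes[cls]:
            values[(cls, name)] = init(lambda c, f: get(c, f, cls))
        state[cls] = "done"

    initialize(first)
    for cls in classes:                    # whatever is left gets initialized on first use
        initialize(cls)
    return {f"{c}.{f}": v for (c, f), v in values.items()}, edges


def find_init_cycle(edges):
    """Return a cyclic dependency as a path like ['A', 'B', 'A'], or None.

    An eager scheduler needs a topological order of this graph; a cycle means
    no order satisfies every initializer, which is the slide's open problem.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    color = {c: WHITE for c in edges}
    path = []

    def visit(c):
        color[c] = GREY
        path.append(c)
        for d in sorted(edges[c]):
            if color[d] == GREY:           # back edge: d is still on the current path
                return path[path.index(d):] + [d]
            if color[d] == WHITE:
                found = visit(d)
                if found:
                    return found
        path.pop()
        color[c] = BLACK
        return None

    for c in sorted(edges):
        if color[c] == WHITE:
            found = visit(c)
            if found:
                return found
    return None


if __name__ == "__main__":
    vals, deps = lazy_initialize(CLASSES, "A")
    print(vals, "cycle:", find_init_cycle(deps))   # {'A.a': 2, 'B.b': 1} cycle: ['A', 'B', 'A']
```

Because the lazy result depends on which class is touched first, the same firmware image could compute different static values depending on boot path; detecting the cycle up front, as `find_init_cycle` does, is what an eager scheme needs before it can promise a single, reproducible initialization order.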