SASI Enforcement of Security Policies: A Retrospective* (PSLab, 오민경)


Contents
- Introduction
- Security Automata
- Merging-in a Security Automaton
- Two Prototype SASI Implementations
  - x86 Prototype
  - JVML Prototype

Abstract
SASI (Security Automata SFI Implementation) enforces security policies by modifying the object code of a target system before that system is executed.
Two prototypes: one for Intel x86 object code and one for Java JVML.

Introduction
A reference monitor observes the execution of a target system and halts that system whenever it is about to violate some security policy of concern.
Typical security mechanisms either directly implement reference monitors or are intended to facilitate the implementation of reference monitors.

Introduction
A reference monitor must be protected from subversion by the target systems it monitors. The usual means is memory protection hardware: the reference monitor and the target system are placed in separate address spaces. This has two costs.
- Performance cost: overhead due to the context switches associated with transferring control to the reference monitor from within the target system.
- Expressiveness cost: the policy is limited by the means by which target-system events cause the reference monitor to be invoked, so only events that cross the address-space boundary can be checked.

Introduction
The alternative is to modify the target system's code, effectively merging the reference monitor in-line. This is the basis for software-fault isolation (SFI).
SFI prevents reads, writes, or branches to memory locations outside certain predefined memory regions.
Our prototypes merge security-policy enforcement code into the object code of a target system:
- one transforms x86 assembly language,
- one transforms JVML (Java Virtual Machine Language).
With each, security policies are specified using security automata.

Security Automata
A security automaton consists of
- a set of states,
- an input alphabet, and
- a transition relation, which defines the next state from the current state and the input symbol using first-order predicates.
If no transition applies to the current input symbol, the automaton rejects the input.
Security automata can be regarded as defining reference monitors: the input alphabet corresponds to the events that the reference monitor would see, and the transition relation encodes a security policy.


Merging-in a Security Automaton
SASI generalizes SFI to any security policy that is specified as a security automaton.
With SFI, new code is added to the target system preceding each memory-access instruction. The new code ensures that
- all reads and writes to memory access addresses within the target's data region,
- all branches, calls, and returns transfer control to an instruction within the target program, and
- the functionality of these additions cannot be circumvented by the target system.

Merging-in a Security Automaton
With SASI, new code is added to the target system preceding every instruction. The added code simulates a security automaton:
- a new variable represents the current state of the security automaton,
- the new code simulates an automaton state transition, and
- it causes the target system to halt whenever the automaton rejects its input.
Thus, the automaton simulation is equivalent to inserting a reference monitor in-line into the target system.

Merging-in a Security Automaton
Simplification of the code that simulates the security automaton: irrelevant tests and updates to the automaton state can be removed
- by partial evaluation of the transition predicates, and
- by using the automaton structure.
Merging a security automaton specification into a target proceeds in four steps:
1. Insert the security automaton before every instruction.
2. Evaluate the transition predicates.
3. Simplify the automaton.
4. Compile the automaton into the target's object code.
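The following is an added example, not code from the paper or these slides. It models the security automaton definition above and the merge/evaluate/simplify steps on a constructed instruction stream: instructions are (opcode, operand) tuples, the policy "no network send after a file read" is an assumed example policy, and `sa_check` entries stand in for the in-lined transition code. The `execute` function plays the role of the compiled target so the effect of simplification and of a rejection can be observed.

```python
# Added example (not the paper's or the slides' code): a toy security automaton
# and SASI-style in-lining on a constructed instruction stream.  Instructions are
# (opcode, operand) tuples; the policy "no send after read" is an assumed example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Instr = Tuple[str, object]
Predicate = Callable[[Instr], bool]   # first-order predicate over an input symbol


@dataclass
class SecurityAutomaton:
    """States, input alphabet (instructions) and a transition relation whose
    edges are guarded by predicates.  No applicable edge means reject."""
    start: str
    transitions: Dict[str, List[Tuple[Predicate, str]]]

    def step(self, state: str, instr: Instr) -> Optional[str]:
        for pred, nxt in self.transitions.get(state, []):
            if pred(instr):
                return nxt
        return None                      # reject: no transition applies


# Assumed policy: once a file has been read, the program may not send on the network.
NO_SEND_AFTER_READ = SecurityAutomaton(
    start="clean",
    transitions={
        "clean":   [(lambda i: i[0] != "read", "clean"),
                    (lambda i: i[0] == "read", "tainted")],
        "tainted": [(lambda i: i[0] != "send", "tainted")],   # "send" has no edge
    },
)


class PolicyViolation(Exception):
    """Raised where the in-lined monitor would halt the target."""


def merge_in(program: List[Instr], sa: SecurityAutomaton) -> List[Instr]:
    """Step 1: insert a simulated automaton transition before every instruction."""
    merged: List[Instr] = []
    for instr in program:
        merged.append(("sa_check", instr))
        merged.append(instr)
    return merged


def relevant(sa: SecurityAutomaton, instr: Instr) -> bool:
    """Steps 2-3: partially evaluate the predicates on this concrete instruction.
    If every state maps to itself, the check can neither change state nor
    reject, so it is dead code and can be dropped."""
    return any(sa.step(state, instr) != state for state in sa.transitions)


def simplify(merged: List[Instr], sa: SecurityAutomaton) -> List[Instr]:
    return [i for i in merged if i[0] != "sa_check" or relevant(sa, i[1])]


def instrument(program: List[Instr], sa: SecurityAutomaton) -> List[Instr]:
    """merge_in followed by simplify: the in-lined reference monitor."""
    return simplify(merge_in(program, sa), sa)


def execute(code: List[Instr], sa: SecurityAutomaton) -> List[Instr]:
    """Step 4 stand-in: run the instrumented code, tracking the automaton state
    in a variable the target cannot see; halt on rejection."""
    state = sa.start
    trace: List[Instr] = []
    for instr in code:
        if instr[0] == "sa_check":
            nxt = sa.step(state, instr[1])
            if nxt is None:
                raise PolicyViolation(f"halted in state {state!r} before {instr[1]!r}")
            state = nxt
        else:
            trace.append(instr)          # the original instruction "runs"
    return trace


if __name__ == "__main__":
    prog = [("open", "f"), ("read", "f"), ("compute", None), ("send", "net")]
    code = instrument(prog, NO_SEND_AFTER_READ)
    print([i[1] for i in code if i[0] == "sa_check"])   # checks survive only before read and send
    try:
        execute(code, NO_SEND_AFTER_READ)
    except PolicyViolation as e:
        print("halted:", e)
```

For the four-instruction program, `merge_in` produces eight entries; `simplify` drops the checks before `open` and `compute` because, from every state, those instructions are self-loops that can never reject, which is exactly the partial-evaluation argument the slide makes. The check before `send` stays because in state `tainted` it rejects.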


Two Prototype SASI Implementations
Security policies for our SASI prototypes are represented in SAL (Security Automaton Language).
- A SAL specification consists of a list of states, with each state having a list of transitions to other states.
- Macros are defined at the start of the SAL specification and are expanded fully, bottom-up, before use.
- SAL supports only deterministic automata.
- SAL transition predicates are expressions constructed from constants, variables, C-style arithmetic and logical operators, and calls to platform-independent and platform-specific functions.

Two Prototype SASI Implementations

The integrity of an in-lined reference monitor depends on preventing the target system from corrupting it:
- preventing the target system from modifying the variables that hold the automaton state,
- preventing the target system from circumventing the code that implements transitions, and
- preventing the target system from modifying its own code or causing other code to be executed.
The discharge of these obligations is platform dependent, but there are two general approaches:
- verification of the object code to establish that the unwelcome behavior is impossible, and
- modification of the object code to rule out the unwelcome behavior.
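As an added example (not from the paper or the slides), the two approaches to these obligations on a toy instruction format: `verify_integrity` is the verification approach, scanning merged code and reporting every place where the target could corrupt the monitor; `rewrite_jumps` is the modification approach for one obligation, redirecting a jump that would land between a check and the instruction it guards onto the check. Instructions are (opcode, arg) tuples, `("sa_check", instr)` marks in-lined monitor code, `store` writes a named variable, and `jmp`/`call` take an index into the code list; the reserved variable name `__sa_state` and the `code:` prefix for self-modification are assumptions.

```python
# Added example (not from the paper or slides): discharging the integrity
# obligations on a toy instruction format.  Instructions are (opcode, arg) tuples;
# ("sa_check", instr) marks in-lined monitor code, "store" writes a named variable,
# "jmp"/"call" take an index into the code list.  The reserved variable name and
# the "code:" prefix for self-modification are assumptions.
from typing import List, Tuple

Instr = Tuple[str, object]
RESERVED_STATE = "__sa_state"    # assumed name of the in-lined automaton state variable


def verify_integrity(code: List[Instr]) -> List[Tuple[int, str]]:
    """Verification approach: scan merged code and report every place where the
    target could corrupt the monitor.  Empty result means the obligations hold."""
    problems: List[Tuple[int, str]] = []
    for idx, (op, arg) in enumerate(code):
        if op == "store" and arg == RESERVED_STATE:
            problems.append((idx, "target writes the automaton state variable"))
        elif op == "store" and isinstance(arg, str) and arg.startswith("code:"):
            problems.append((idx, "target modifies its own code"))
        elif op in ("jmp", "call"):
            if not isinstance(arg, int) or not 0 <= arg < len(code):
                problems.append((idx, "control transfer leaves the program"))
            elif arg > 0 and code[arg - 1][0] == "sa_check":
                problems.append((idx, "jump lands past an in-lined check"))
    return problems


def rewrite_jumps(code: List[Instr]) -> List[Instr]:
    """Modification approach for one obligation: a jump that would land between
    a check and the instruction it guards is redirected onto the check itself,
    so the check cannot be circumvented."""
    fixed: List[Instr] = []
    for op, arg in code:
        if (op in ("jmp", "call") and isinstance(arg, int)
                and 0 < arg < len(code) and code[arg - 1][0] == "sa_check"):
            fixed.append((op, arg - 1))
        else:
            fixed.append((op, arg))
    return fixed


if __name__ == "__main__":
    bad = [("sa_check", ("read", "f")), ("read", "f"), ("jmp", 1),
           ("store", "__sa_state"), ("store", "code:0"), ("call", 99)]
    for idx, why in verify_integrity(bad):
        print(idx, why)
    print(verify_integrity(rewrite_jumps(bad)))   # the jump problem is gone, the rest remain
```

Only the circumvention obligation is discharged by rewriting here; writes to the state variable, self-modification and out-of-program transfers are reported but left to the platform-specific mechanism (on the real prototypes these correspond to reserving a register or verified storage for the state, and to the SFI-style address checks described earlier).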


x86 Prototype

MiSFIT performs considerably better, but x86 SASI has the flexibility of enforcing any policy that can be specified as a security automaton, not only SFI.

JVML Prototype