David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 18: Malcode Countermeasures.

Slides:



Advertisements
Similar presentations
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Advertisements

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-
Java security (in a nutshell)
Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
Lab Information Security Using Java (Review) Lab#0 Omaima Al-Matrafi.
Class 20: Verifying Bytecodes Fall 2010 UVa David Evans cs2220: Engineering Software Image: Joseph Featherston.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Lab#1 (14/3/1431h) Introduction To java programming cs425
George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Introduction to Java Kiyeol Ryu Java Programming Language.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.
Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.
JVM-1 Introduction to Java Virtual Machine. JVM-2 Outline Java Language, Java Virtual Machine and Java Platform Organization of Java Virtual Machine Garbage.
A Type System for Expressive Security Policies David Walker Cornell University.
An Approach to Safe Object Sharing Ciaran Bryce & Chrislain Razafimahefa University of Geneva, Switzerland.
Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.
Lecture 1: Overview of Java. What is java? Developed by Sun Microsystems (James Gosling) A general-purpose object-oriented language Based on C/C++ Designed.
Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 19: Security in Java Real or.
Java Introduction Lecture 1. Java Powerful, object-oriented language Free SDK and many resources at
Introduction to Java CSIS 3701: Advanced Object Oriented Programming.
Announcements Assignment 3 due. Invite friends, co-workers to your presentations. Course evaluations on Friday.
1 Module Objective & Outline Module Objective: After completing this Module, you will be able to, appreciate java as a programming language, write java.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
1 Comp 104: Operating Systems Concepts Java Development and Run-Time Store Organisation.
University of Houston-Clear Lake Proprietary© 1997 Evolution of Programming Languages Basic cycle of improvement –Experience software difficulties –Theory.
CS 11 java track: lecture 1 Administrivia need a CS cluster account cgi-bin/sysadmin/account_request.cgi need to know UNIX
Java Security Nathan Moore CS 665. Overview Survey of Java Inherent Security Properties Java Runtime Environment Java Virtual Machine Java Security Model.
Lecture :2 1.  DEFENTION : Java is a programming language expressly designed for use in the distributed environment of the Internet. It was designed.
Basics of Java IMPORTANT: Read Chap 1-6 of How to think like a… Lecture 3.
Java 2 security model Valentina Casola. Components of Java the development environment –development lifecycle –Java language features –class files and.
Let’s Stop Beating Dead Horses, and Start Beating Trojan Horses! David Evans INFOSEC Malicious Code Workshop San Antonio, 13.
Netprog: Java Intro1 Crash Course in Java. Netprog: Java Intro2 Why Java? Network Programming in Java is very different than in C/C++ –much more language.
1 Introduction to Java. 2 What is Java? A programming language. A platform –A virtual machine (JVM) definition. –Runtime environments in diverse hardware.
1 cs205: engineering software university of virginia fall 2006 Forgiveness and Permissions.
Computer Programming 2 Why do we study Java….. Java is Simple It has none of the following: operator overloading, header files, pre- processor, pointer.
Cs205: engineering software university of virginia fall 2006 Introducing Java David Evans Don’t forget to your registration.
Policy-Directed Code Safety David Evans April 1999 Software Devices and Systems MIT Lab for Computer Science.
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 18: Code Safety and Virtual Machines
How to execute Program structure Variables name, keywords, binding, scope, lifetime Data types – type system – primitives, strings, arrays, hashes – pointers/references.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 9: Designing Exceptionally.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 10: Programming Exceptionally.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 21: Countering Malicious Code.
Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.
RealTimeSystems Lab Jong-Koo, Lim
1 cs205: engineering software university of virginia fall 2006 Running Untrustworthy Code Project team requests: extended until 11pm tonight.
Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.
Object Oriented Programming in
Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.
Introduction to Operating Systems
CS216: Program and Data Representation
Java security (in a nutshell)
Introduction Enosis Learning.
Modularity and Memory Clearly, programs must have access to memory
Introduction Enosis Learning.
CS216: Program and Data Representation
Introduction to Operating Systems
Lecture 18: Java™ Decaffeinated CS551: Security and Privacy
Java Byte Codes (0xCAFEBABE) cs205: engineering software
Security in Java Real or Decaf? cs205: engineering software
Byte Code Verification
Lecture 17: Defeating Malcode (Shameless Self-Promotion) Background
Lecture 19: Proof-Carrying Code Background just got here last week
COSC Assignment 3 - Part 1 Java Security Susan Kovacs 19 April 2019 COSC Assignment 3 - Part 1.
Presentation transcript:

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 18: Malcode Countermeasures

19 Nov 2001University of Virginia CS 5882 Menu Reference Monitors Java Security Proof-Carrying Code (time permitting) Monday: Firewalls, Intrusion Detection Movie – make sure I stop by 3:00!

19 Nov 2001University of Virginia CS 5883 Malcode Defenses Constrain program behavior –Reference Monitors In-line Reference Monitors Prevent possibly harmful code from running –Safe Languages –Proof-Carrying Code

19 Nov 2001University of Virginia CS 5884 Program Execution Program Monitor Speakers SuperSoaker 2000 Disk Memory Network

19 Nov 2001University of Virginia CS 5885 Program Execution Program Monitor Speakers SuperSoaker 2000 Disk Memory Network Reference Monitor

19 Nov 2001University of Virginia CS 5886 Ideal Reference Monitor 1.Sees everything a program is about to do before it does it 2.Can instantly and completely stop program execution (or prevent action) 3.Has no other effect on the program or system Can we build this? Probably not unless we can build a time machine...

19 Nov 2001University of Virginia CS 5887 Ideal Reference Monitor 1.Sees everything a program is about to do before it does it 2.Can instantly and completely stop program execution (or prevent action) 3.Has no other effect on the program or system Real most things limited

19 Nov 2001University of Virginia CS 5888 Operating Systems Provide reference monitors for most security-critical resources –When a program opens a file in Unix or Windows, the OS checks that the principal running the program can open that file Doesn’t allow different policies for different programs No flexibility over what is monitored –OS decides for everyone –Hence, can’t monitor inexpensive operations

19 Nov 2001University of Virginia CS 5889 Reference Monitor as Finite State Automaton [Schneider99] 0 1 All other instructions Aim Fire STOP Policy Violation 2 All other instructions Aim All other instructions Aim

19 Nov 2001University of Virginia CS What policies can be enforced? Assume: –Security Automaton can see entire state of world, everything about instruction about to execute –Security Automaton has unlimited memory, can do unlimited computation Are there interesting policies that still can’t be enforced?

19 Nov 2001University of Virginia CS What’s a Security Policy? What’s a program? –A set of possible executions What’s an execution? –A sequence of states What’s a security policy? –A predicate on a set of executions

19 Nov 2001University of Virginia CS More Formally...  : set of all possible executions (can be infinite)  S : set of executions possible by target program S P : security policy set of executions  Boolean S is safe iff P (  S ) is true.

19 Nov 2001University of Virginia CS Reference Monitors cannot enforce all Security Policies Some policies depend on: –Knowing about the future If the program charges the credit card, it must eventually ship the goods –Knowing about all possible executions Information flow – can’t tell if a program reveals secret information without knowing about other possible executions Reference Monitors can only know about past of this particular execution

19 Nov 2001University of Virginia CS Safety Policies Reference monitors can only enforce safety policies Safety policy is a predicate on a prefix of states (see Schneider98 for more formal definition) –Cannot depend on future: prefix means once it is false, it is always false –Cannot depend on other possible executions

19 Nov 2001University of Virginia CS Java Security Real or Decaf?

19 Nov 2001University of Virginia CS What is Java? A.Island in Indonesia B.A Programming Language (Java  ) C.A Portable Low-Level Language (JVML) D.A Platform (JavaVM) E.A (semi-)successful marketing strategy –JavaScript is not related to Java or Java  F.Work on your projects G.All of the above

19 Nov 2001University of Virginia CS Java  : Programming Language “A simple, object-oriented, distributed, interpreted, robust, secure, architecture neutral, portable, high-performance, multithreaded, and dynamic language.” [Sun95]

19 Nov 2001University of Virginia CS What is a secure language? 1.Language is designed so it cannot express certain computations considered insecure. 2.Language is designed so that (accidental) program bugs are likely to be caught by the compiler or run- time environment instead of leading to security vulnerabilities. A few attempt to do this: PLAN, packet filters

19 Nov 2001University of Virginia CS Safe Programming Languages Type Safety –Compiler and run-time environment ensure that bits are treated as the type they represent Memory Safety –Compiler and run-time environment ensure that program cannot access memory outside defined storage Control Flow Safety –Can’t jump to arbitrary addresses Which of these does C++ have? Not a new idea: LISP had these in 1960!

19 Nov 2001University of Virginia CS Java  Safety Type Safety –Most types checked statically –Coercions, array assignments type checked at run time Memory Safety –No direct memory access (e.g., pointers) –Primitive array type with mandatory run-time bounds checking Control Flow Safety –Structured control flow, no arbitrary jumps

19 Nov 2001University of Virginia CS Malicious Code Can a safe programming language protect you from malcode? 1.Code your servers in it to protect from buffer overflow bugs 2.Only allow programs from untrustworthy origins to run if the are programmed in the safe language

19 Nov 2001University of Virginia CS Safe Languages? But how can you tell program was written in the safe language? –Get the source code and compile it (most vendors, and all malicious attackers refuse to provide source code) –Special compilation service signs object files generated from the safe language (SPIN, [Bershad96]) –Verify object files preserve safety properties of source language (Java)

19 Nov 2001University of Virginia CS JVML javac Compiler malcode.java Java  Source Code malcode.class JVML Object Code JavaVM Joe User Joe wants to know JVML code satisfies Java  ’s safety properties.

19 Nov 2001University of Virginia CS Does JVML satisfy Java  ’s safety properties? iconst_2 push integer constant 2 on stack istore_0 store top of stack in variable 0 as int aload_0 load object reference from variable 0 arraylength replace array on top of stack with its length No! This code violates Java  ’s type rules.

19 Nov 2001University of Virginia CS Bytecode Verifier malcode.class JVML Object Code Java Bytecode Verifier Joe User JavaVM “Okay” Invalid STOP Trusted Computing Base

19 Nov 2001University of Virginia CS Bytecode Verifier Checks JVML code satisfies Java  ’s safety properties Type safe – stack and variable slots must store and load as same type Memory safe (guaranteed by instruction set) Control flow safe: jumps must be within function, or call/return

19 Nov 2001University of Virginia CS Are Java Bytecode Verifiers Complicated? ~700 rules to enforce, JVML specification is (not all clearly specified) Emin Gün Sirer found > 100 bugs in commercial bytecode verifiers (using automatic test generation) –At least 15 of them were security vulnerabilities JVML includes jsr instruction (jump to subroutine), can be called with different types in variables and on stack

19 Nov 2001University of Virginia CS Java javac Compiler malcode.java malcode.class JVML Joe User Java Bytecode Verifier JavaVM “Okay” Invalid STOP Trusted Computing Base

19 Nov 2001University of Virginia CS JavaVM Virtual machine – interpreter for JVML programs Has complete access to host machine Bytecode verifier ensures some safety properties, JavaVM must ensure rest: –Type safety of run-time casts, array assignments –Memory safety: array bounds checking –Resource use policy

19 Nov 2001University of Virginia CS JavaVM Policy Enforcment From java.io.File: public boolean delete() { SecurityManager security = System.getSecurityManager(); if (security != null) { security.checkDelete(path); } if (isDirectory()) return rmdir0(); else return delete0(); } [JDK 1.0 – JDK 1.1]

19 Nov 2001University of Virginia CS java.lang.SecurityManager /** Throws a SecurityException if the calling thread is not allowed to delete the specified file. This method is invoked for the current security manager by the delete method of class File. */ (Some other comments deleted.) public void checkDelete(String file) { throw new SecurityException(); }

19 Nov 2001University of Virginia CS Security Manager Reference monitor –How well does it satisfy the requirements? Complete mediation Can stop execution/prevent action Limited effect on execution until policy violation User/host application creates a subclass of SecurityManager to define a policy

19 Nov 2001University of Virginia CS HotJava’s Policy (JDK 1.1.7) public class AppletSecurity extends SecurityManager {... public synchronized void checkDelete(String file) { checkWrite(file); }... }

19 Nov 2001University of Virginia CS AppletSecurity.checkWrite (some exception handling code removed) public synchronized void checkWrite(String file) { if (inApplet()) { if (!initACL) initializeACLs(); String realPath = (new File(file)).getCanonicalPath(); for (int i = writeACL.length ; i-- > 0 ;) { if (realPath.startsWith(writeACL[i])) return; } throw new AppletSecurityException ("checkwrite", file, realPath); } Note: no checking if not inApplet! Very important this does the right thing.

19 Nov 2001University of Virginia CS inApplet boolean inApplet() { return inClassLoader(); } Inherited from java.lang.SecurityManager: protected boolean inClassLoader() { return currentClassLoader() != null; }

19 Nov 2001University of Virginia CS currentClassLoader /** Returns an object describing the most recent class loader executing on the stack. Returns the class loader of the most recent occurrence on the stack of a method from a class defined using a class loader; returns null if there is no occurrence on the stack of a method from a class defined using a class loader. */ protected native ClassLoader currentClassLoader();

19 Nov 2001University of Virginia CS Recap java.io.File.delete calls SecurityManager.checkDelete before deleting HotJava overrides SecurityManager with AppletSecurity to set policy AppletSecurity.checkDelete calls AppletSecurity.checkWrite AppletSecurity.checkWrite checks if any method on stack has a ClassLoader If not no checks; if it does, checks ACL list

19 Nov 2001University of Virginia CS JDK 1.0 Trust Model When JavaVM loads a class from the CLASSPATH, it has no associated ClassLoader (can do anything) When JavaVM loads a class from elsewhere (e.g., the web), it has an associated ClassLoader

19 Nov 2001University of Virginia CS JDK Evolution JDK 1.1: Signed classes from elsewhere and have no associated ClassLoader JDK 1.2: –Different classes can have different policies based on ClassLoader –Explict enable/disable/check privileges –SecurityManager is now AccessController

19 Nov 2001University of Virginia CS What can go wrong? Java API doesn’t call right SecurityManager checks (63 calls in java.*) –Font loading bug, synchronization ClassLoader is tricked into loading external class as internal Bug in Bytecode Verifier can be exploited to circumvent SecurityManager Policy is too weak and allows damaging behavior

19 Nov 2001University of Virginia CS Hostile Applets See (about 1 new vulnerability/month) Easy to write “annoying” applets (policy is too imprecise; no way to constrain many resource operations) applets/index.html

19 Nov 2001University of Virginia CS Proof-Carrying Code

19 Nov 2001University of Virginia CS (From Maze

19 Nov 2001University of Virginia CS (From Proof-Carrying Maze

19 Nov 2001University of Virginia CS Proof-Carrying Code Guarantee properties of untrustworthy code by checking a proof provided by code producer Creating a proof is hard –Have to make up invariants, choose cases, pick strategies, etc. Checking a proof is easy –Simple mechanical application of rules

19 Nov 2001University of Virginia CS Have we seen anything like this? Java Bytecode Verifier is a simple instance of PCC: –Bytecodes include extra information on typing, stack use, etc. –Bytecode verifier checks it to enforce low- level code safety properties

19 Nov 2001University of Virginia CS Fortune Cookie “That which be proved cannot be worth much.” Fortune cookie quoted on Peter’s web page must can True for all users True for all executions Exception: Low-level code safety

19 Nov 2001University of Virginia CS Reasons you might prefer PCC Run-time performance? –Amortizes additional download and verification time only rarely –SFI Performance penalty: ~5% If you care, pay $20 more for a better processor or wait 5 weeks Smaller Trusted Computing Base? –Not really smaller: twice as big as SFI (Touchstone VCGen+checker – 8300 lines / MisFiT x86 SFI implementation – 4500 lines) You are a vendor who cares more about quality than time to market –Not really PCC (not across a trust boundary)

19 Nov 2001University of Virginia CS Feedback Slips

19 Nov 2001University of Virginia CS You are getting a strip of paper with your recorded grades so far (check they are correct), and my recommendation for PS5/project: You’re doing fine (but keep working on your project). Enjoy your Thanksgiving. You’re doing okay, but go easy on the Cranberry Sauce. You should either do PS5 or work a lot on your project. You need to get cracking to avoid a mediocre grade (or worse) in this course. You should do PS5 and work on your project. No one got this. Still plenty of time to do well in the course.

19 Nov 2001University of Virginia CS Movie