Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jay Ligatti and Srikar Reddy University of South Florida.

Published byIvy Ida Modified over 9 years ago

Similar presentations

Presentation on theme: "Jay Ligatti and Srikar Reddy University of South Florida."— Presentation transcript:

1 Jay Ligatti and Srikar Reddy University of South Florida

2  Also known as runtime/security/program monitors  Ubiquitous Operating systems (e.g., file access control) Virtual machines (e.g., stack inspection) Web browsers (e.g., javascript sandboxing) Intrusion-detection systems Firewalls Auditing tools Spam filters Etc. 2

3  How do monitors operate to enforce policies? Which policies can runtime mechanisms enforce? Which policies should we never even try to enforce at runtime? All policies Runtime-enforceable policies 3

4  How do monitors operate to enforce policies? Which policies get enforced when we combine runtime mechanisms? mechanism M enforces policy P mechanism M’ enforces policy P’ M ^ M’ enforces? P ^ P’ ? What if P requires the first action executed to be fopen( f ), but P’ requires the first action executed to be fopen( f’ )? 4

5  How do monitors operate to enforce policies? How efficiently does a mechanism enforce a policy? What are the lower bounds on resources required to enforce policies of interest? What does it mean for a mechanism to be efficient? Low space usage (SHA of Fong, BHA of Talhi, Tawbi, and Debbabi) Low time usage ? 5

6  How do monitors operate to enforce policies? Which policies can runtime mechanisms enforce? Which policies get enforced when we combine runtime mechanisms? How efficiently does a mechanism enforce a policy? What are the lower bounds on resources required to enforce policies of interest? 6

7  How do monitors operate to enforce policies? Which policies can runtime mechanisms enforce? Which policies get enforced when we combine runtime mechanisms? How efficiently does a mechanism enforce a policy? What are the lower bounds on resources required to enforce policies of interest? 7

8  Research questions How do monitors operate to enforce policies?  Which policies can runtime mechanisms enforce?  Related work vs. this work  The model: executions, monitors, policies, and enforcement  Analysis of enforceable properties  Summary and future work 8

9  Most analyses of monitors are based on truncation automata (Schneider, 2000)  Operation: halt software being monitored (target) immediately before any policy violation  Limitation: real monitors normally respond to violations with remedial actions target monitor executing system (OS/VM/CPU) action a Halt target! 9

10  Powerful model of runtime enforcement  Operation: actively transform target actions to ensure they satisfy desired policy target monitor executing system (OS/VM/CPU) action a a a'a' etc. (quietly suppress a) 10

11  Limitation: All actions are assumed totally asynchronous  Monitor can always get next action after suppressing previous actions  Target can’t care about results of executed actions; there are no results in the model E.g., the echo program “x=input(); output(x);” is outside the edit-automata model 11

12  Conservatively assume all actions are synchronous  Operation: actively transform target actions and results of those actions to ensure they satisfy desired policy Untrusted Application valid results Executing System (Trusted) Security Monitor actions valid actions results 12

13  MRAs are stronger than truncation automata Can accept actions and halt targets but can also transform actions and results  MRAs are weaker than edit automata Asynchronicity lets edit automata “see” arbitrarily far into the future  Can postpone deciding how to edit an action until later  Arbitrary postponement is normally unrealistic 13

14 1. MRAs can enforce result-sanitization policies (trusted) mechanism sanitizes results before they get input to (untrusted) target application Many privacy, information-flow, and access- control policies are result-sanitization Untrusted Application Executing System (Trusted) Security Monitor (1) ls (3) {foo.txt,.hidden} (2) ls (4) {foo.txt} 14

15 2. Model provides simpler and more expressive definitions of policies and enforcement than previous work (more on this later) 15

16  Research questions How do monitors operate to enforce policies?  Which policies can runtime mechanisms enforce?  Related work vs. this work  The model: executions, monitors, policies, and enforcement  Analysis of enforceable properties  Summary and future work 16

17  Execution: finite or countably infinite sequence of MRA-relevant events (i.e., actions and results)  4 possibilities: (1) MRA inputs action a from the target Untrusted Application Executing System (Trusted) Security Monitor a => add a i to the current trace 17

18  Execution: finite or countably infinite sequence of MRA-relevant events (i.e., actions and results)  4 possibilities: (2) MRA outputs action a to be executed Untrusted Application Executing System (Trusted) Security Monitor a => add a o to the current trace 18

19  Execution: finite or countably infinite sequence of MRA-relevant events (i.e., actions and results)  4 possibilities: (3) MRA inputs result r from the system Untrusted Application Executing System (Trusted) Security Monitor r => add r i to the current trace 19

20  Execution: finite or countably infinite sequence of MRA-relevant events (i.e., actions and results)  4 possibilities: (4) MRA outputs result r to the target Untrusted Application Executing System (Trusted) Security Monitor => add r o to the current trace r 20

21  ls i ; ls o ; {foo.txt,.hidden} i ; {foo.txt} o Untrusted Application Executing System (Trusted) Security Monitor ls 21

22  ls i ; ls o ; {foo.txt,.hidden} i ; {foo.txt} o Untrusted Application Executing System (Trusted) Security Monitor ls 22

23  ls i ; ls o ; {foo.txt,.hidden} i ; {foo.txt} o Untrusted Application Executing System (Trusted) Security Monitor {foo.txt,.hidden} 23

24  ls i ; ls o ; {foo.txt,.hidden} i ; {foo.txt} o Untrusted Application Executing System (Trusted) Security Monitor {foo.txt} 24

25  shutdown i ; popupConfirm o ; OK i ; shutdown o Untrusted Application Executing System (Trusted) Security Monitor shutdown 25

26  shutdown i ; popupConfirm o ; OK i ; shutdown o Untrusted Application Executing System (Trusted) Security Monitor popupConfirm 26

27  shutdown i ; popupConfirm o ; OK i ; shutdown o Untrusted Application Executing System (Trusted) Security Monitor OK 27

28  shutdown i ; popupConfirm o ; OK i ; shutdown o Untrusted Application Executing System (Trusted) Security Monitor shutdown 28

29  An MRA M is a tuple (E, Q, q 0, ∂) E = event set over which M operates Q = M’s finite or countably infinite state set q 0 = M’s initial state ∂ = M’s transition function ∂ : Q x E Q x E given a current MRA state and an event just input, ∂ returns the next MRA state and an event to output 29

30  Hidden-file filtering MRA M = (E, Q, q 0, ∂) E = { ls, …} Q = { T, F } (are we executing an ls?) q 0 = { F } ( F, e ) if q=F and e<>ls ∂(q,e) = ( T, e ) if q=F and e=ls ( F, filter(e)) if q=T 30

31  Shutdown-confirming MRA M=(E, Q, q 0, ∂) E = { shutdown, popupConfirm, OK, cancel, null, …} Q = { T, F } (are we confirming a shutdown?) q 0 = { F } ( F, e ) if q=F and e<>shutdown ∂(q,e) = ( T, popupConfirm ) if q=F and e=shutdown ( F, null ) if q=T and e=cancel ( F, shutdown ) if q=T and e=OK 31

32  MRA operations match the possible behaviors we’ve observed in many implemented monitoring systems Polymer (with Bauer and Walker) PSLang (Erlingsson and Schneider) AspectJ (Kiczales et al.) Etc.  For every input action and input result, monitor may output an action or a result  Previous models couldn’t transform results => couldn’t model the last 2 realistic examples 32

33  MRA operations can be formalized with six small rules dictating how traces get built  Please see conference proceedings for details 33

34  (Technical note: here we’re really only considering special kinds of policies called properties)  Policies are predicates on executions  P(x) iff execution x satisfies policy P 34

35 P( ) ¬P(ls i ) P(ls i ; e o ) iff e=ls ∀ directory listings L: ¬ P(ls i ; ls o ; L i ) P(ls i ; ls o ; L i ; e o ) iff e=filter(L) [it’s OK for the target to do nothing] [monitor may not just stop upon inputting ls; must then output ls] [monitor must output only ls after inputting ls; it’s then OK for the system to never return a listing] [monitor may not stop upon inputting L; must return the filtered list to the target] [monitor must filter listings] 35

36  Policies here can reason about results Enables result-sanitization policies E.g., filter-hidden-file policy  Policies here can reason about input events Enables policies to dictate exactly how mechanisms can/must transform events E.g., confirm-shutdown policy => Powerful, but practical, expressiveness 36

37  Sound enforcement (no false -s)  Complete enforcement (no false +s)  Precise enforcement (no false +s or -s) M soundly enforces P iff ∀ executions x: (M produces x ⇒ P(x)) M completely enforces P iff ∀ executions x: (P(x) ⇒ M produces x) M precisely enforces policy P iff M soundly and completely enforces P 37

38  Simpler: no need for extra “transparency” constraints that can be rolled into policy definitions (now that policies can reason about input events)  More expressive: can reason about complete and precise enforcement too 38

39  Research questions How do monitors operate to enforce policies?  Which policies can runtime mechanisms enforce?  Related work vs. this work  The model: executions, monitors, policies, and enforcement  Analysis of enforceable properties  Summary and future work 39

40 40

41 41

42 42

43  Research questions How do monitors operate to enforce policies?  Which policies can runtime mechanisms enforce?  Related work vs. this work  The model: executions, monitors, policies, and enforcement  Analysis of enforceable properties  Summary and future work 43

44  Started building a theory of runtime enforcement based on MRAs, which: model the realistic ability of runtime mechanisms to transform synchronous actions and their results. can enforce result-sanitization policies and policies based on input events. provide simpler and more expressive definitions of policies and enforcement than previous models. 44

45  Something between edit automata (which assume asynchronous actions) and MRAs (which assume synchronous actions)? How would the monitor know when the target is waiting for a result, and for which action?  Static analysis of target application?  Could get complicated 45

46  Which policies get enforced when we combine runtime mechanisms?  How efficiently does a mechanism enforce a policy?  What are the lower bounds on resources required to enforce policies of interest?  Having a realistic operational model of runtime enforcement seems like a good first step to address these research questions 46

47 47

Download ppt "Jay Ligatti and Srikar Reddy University of South Florida."

Similar presentations

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Lecture 8: Three-Level Architectures CS 344R: Robotics Benjamin Kuipers.

Lecture 8: Three-Level Architectures CS 344R: Robotics Benjamin Kuipers.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Testing Concurrent/Distributed Systems Review of Final CEN 5076 Class 14 – 12/05.

Testing Concurrent/Distributed Systems Review of Final CEN 5076 Class 14 – 12/05.
Jay Ligatti University of South Florida.  Interpose on the actions of some untrusted software  Have authority to decide whether and how to allow those.

Jay Ligatti University of South Florida.  Interpose on the actions of some untrusted software  Have authority to decide whether and how to allow those.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
The Big Picture Chapter 3. We want to examine a given computational problem and see how difficult it is. Then we need to compare problems Problems appear.

The Big Picture Chapter 3. We want to examine a given computational problem and see how difficult it is. Then we need to compare problems Problems appear.
Learning Objectives Explain similarities and differences among algorithms, programs, and heuristic solutions List the five essential properties of an algorithm.

Learning Objectives Explain similarities and differences among algorithms, programs, and heuristic solutions List the five essential properties of an algorithm.
CS21 Decidability and Tractability

CS21 Decidability and Tractability
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Introduction to Computability Theory

Introduction to Computability Theory
1 Introduction to Computability Theory Lecture7: PushDown Automata (Part 1) Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture7: PushDown Automata (Part 1) Prof. Amos Israeli.
CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.

CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.
Software Security Monitors: Theory & Practice David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Software Security Monitors: Theory & Practice David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)
CS 536 Spring 20011 Global Optimizations Lecture 23.

CS 536 Spring Global Optimizations Lecture 23.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.

Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.
4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)

4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)

Similar presentations

Ads by Google