ActionScript In-lined Reference Monitoring in Prolog
Meera Sridhar and Kevin W. Hamlen, The University of Texas at Dallas, January 18, 2010


Slide 1: ActionScript In-lined Reference Monitoring in Prolog
Meera Sridhar and Kevin W. Hamlen, The University of Texas at Dallas
January 18, 2010. Supported by a grant from AFOSR.
PADL 2010, Madrid, Spain

Slide 2: Reference Monitors
[Diagram: untrusted code issues an event to the reference monitor inside the OS/VM, which grants or denies it]
Examples:
- file system permissions
- memory safety
Disadvantages:
- changing the policy requires changing the OS/VM
- difficult to enforce finer-grained policies such as "No modifications to files ending in .exe"
(1/18/2010, Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog)

Slide 3: In-lined Reference Monitors [Schneider]
[Diagram: the reference monitor now sits inside the untrusted code itself rather than in the OS/VM; the OS/VM still sees only the events that the in-lined monitor lets through]
- enforce safety policies by injecting runtime security guards directly into untrusted binaries
  - guards test whether the impending operation constitutes a policy violation, and if so take some corrective action
- maintain a history of security-relevant events
- Advantages:
  - no need to modify the OS/VM
  - enforce richer policies, e.g., no network sends after file reads
  - more flexible: the code recipient can specify the security policy
- Examples: SASI [Erlingsson, Schneider], Java-MAC [Kim et al.], Java-MOP [Chen, Rosu], Polymer [Bauer, Ligatti, Walker], ConSpec [Aktug, Naliuka], MoBILe [Hamlen, Morrisett, Schneider]

Slide 4: IRM Implementation Challenges
- must be fairly lightweight, because it runs on the code-consumer side
- binary code parsing and binary code generation are tedious and error-prone
- the IRM must elegantly implement many AST analyses and code-motion optimizations during rewriting; these are needed to preserve policy-compliant programs and to generate efficient code
- generated code should be amenable to formal verification (PCC [Necula & Lee], MoBILe [Hamlen, Morrisett, Schneider], and our recent work on model-checking IRMs [Sridhar & Hamlen, VMCAI 2010])

Slide 5: An ActionScript Bytecode IRM System in Prolog
Approximate size:
- 400 lines of rewriter code per security policy family
- 900 lines of shared parser/generator code
- 2000 lines of verifier code

Slide 6: The Prolog Advantage
Prolog turns out to be a surprisingly elegant language in which to implement IRMs!
- DCGs facilitate binary parser implementation.
- Reversible predicates combine the parser and the code generator into one piece of code!
- ASTs are very elegantly represented and manipulated as Prolog structures.
- A Prolog implementation of binary rewriting is isomorphic to a search for a correctness proof. This is excellent for integration with a certifying IRM system (model-checking IRMs [Sridhar & Hamlen]) or a PCC system [Necula & Lee].

Slide 7: Application: Preventing Malicious URL Redirections
Adobe's very real problem:
- anyone can write a malicious ABC ad applet and float it around
- the ad distributor doesn't have a good way of pre-checking these, since they might change dynamically

Slide 8: Application: Preventing Malicious URL Redirections
Solution: use an IRM framework!
- URL redirections are implemented in ActionScript Bytecode by the navigateToURL system call
- let's say we have a method checkURL, with a trusted implementation provided by the ad distributor
- checkURL validates the input to navigateToURL, and may depend on dynamic information

Slide 9: Application: Preventing Malicious URL Redirections
Solution (contd.):
- insert a call to checkURL(s) before each call to navigateToURL(s), directly in the bytecode
- naive approach: insert checkURL before every navigateToURL; for efficiency reasons one might instead want to pre-validate the string
- fits the Flash/AIR model perfectly, because security enforcement is done at the code-consumer end, and the code producer (ad creator) need not be trusted at all!
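Added example, not the paper's own code, sketching the pipeline of slides 6, 8 and 9 in Prolog: one DCG serves as both parser and code generator for a toy stack bytecode, and an AST-level rewriter in-lines a checkURL guard before each navigateToURL. The opcode numbers, one-byte operands and constant-pool indices are constructed for illustration and are not the real ABC encoding; checkURL is assumed to abort on a policy violation.

```prolog
% Toy stack-machine bytecode. Opcode numbers and one-byte operands are
% constructed for this example; they are NOT the real ABC encoding.
% Because the DCG only unifies, phrase/2 runs it in both directions:
% bound Bytes -> parse to an AST, bound AST -> generate Bytes.
instr(pushstring(I))      --> [1, I].     % push constant-pool string I
instr(dup)                --> [2].        % duplicate top of stack
instr(callpropvoid(N, A)) --> [3, N, A].  % call method N, popping A args
instr(returnvoid)         --> [4].

instrs([])     --> [].
instrs([I|Is]) --> instr(I), instrs(Is).

% Constant-pool indices of the two method names (constructed values).
name_index(navigateToURL, 10).
name_index(checkURL,      11).

% guard(+Ast, -Ast1): in-line the reference monitor at the AST level.
% Clause 2 leaves an already guarded call alone, so rewriting is idempotent.
% Clause 3 duplicates the URL string and hands the copy to the trusted
% checkURL (assumed to abort on violation), so navigateToURL only runs
% after the check has returned. Everything else is copied through.
guard([], []).
guard([dup, callpropvoid(Chk, 1), callpropvoid(Nav, 1)|Ins],
      [dup, callpropvoid(Chk, 1), callpropvoid(Nav, 1)|Out]) :-
    name_index(checkURL, Chk), name_index(navigateToURL, Nav), !,
    guard(Ins, Out).
guard([callpropvoid(Nav, 1)|Ins],
      [dup, callpropvoid(Chk, 1), callpropvoid(Nav, 1)|Out]) :-
    name_index(navigateToURL, Nav), name_index(checkURL, Chk), !,
    guard(Ins, Out).
guard([I|Ins], [I|Out]) :- guard(Ins, Out).

% rewrite(+Bytes, -Bytes1): parse, guard, regenerate with the same DCG.
rewrite(Bytes, Bytes1) :-
    phrase(instrs(Ast), Bytes),
    guard(Ast, Ast1),
    phrase(instrs(Ast1), Bytes1).

% Constructed sample applet body: pushstring(5); navigateToURL(s); returnvoid.
% Query: ?- sample(B0), rewrite(B0, B1), rewrite(B1, B2), B1 == B2.
sample([1, 5, 3, 10, 1, 4]).
```

Running the rewriter twice on the sample and comparing the results checks that an already guarded call is not guarded again.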

Slide 10: A Couple of Other Real-World Policies
postok policy: sanitizes strings entered into message box widgets. This can be helpful in preventing cross-site scripting attacks, privacy violations, and buffer-overflow exploits that affect older versions of the ActionScript VM. We enforced the policy on the Posty AIR application, which allows users to post messages to social networking sites such as Twitter, Jaiku, Tumblr, and Friendfeed.

Slide 11: A Couple of Other Real-World Policies
flimit policy: enforces a resource bound that disallows the creation of more than n files on the user's machine. We enforced this policy on the FedEx Desktop AIR application, which continuously monitors a user's shipment status and sends tracking information directly to his or her desktop. The IRM implements the policy by injecting a counter into the untrusted code that tracks file creations.

Slide 12: Implementation and Results Details
For more details, please visit my website: www.utdallas.edu/~meera.sridhar

Slide 13: Conclusion
- IRMs provide a more sophisticated security enforcement mechanism than traditional means.
- Prolog provides a very elegant solution to typical IRM implementation challenges.
- We implemented a prototype IRM system for ActionScript bytecode.
- We demonstrated the feasibility of our solution by enforcing several real-world policies.

Slide 14: Selected Citations
1. B. W. DeVries, G. Gupta, K. W. Hamlen, S. Moore, and M. Sridhar. ActionScript Bytecode Verification with Co-logic Programming. In Proc. of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), 2009.
2. K. W. Hamlen, G. Morrisett, and F. B. Schneider. Computability Classes for Enforcement Mechanisms. ACM Trans. on Programming Languages and Systems, 2006.
3. F. B. Schneider. Enforceable Security Policies. ACM Trans. on Information and System Security, 3:30–50, 2000.
4. M. Sridhar and K. W. Hamlen. Model-checking In-lined Reference Monitors. In Proc. of the Intl. Conf. on Verification, Model-Checking and Abstract Interpretation (VMCAI), 2010.

