Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wishnu Prasetya Security Checking.

Published byPaul Lambert Modified over 9 years ago

Similar presentations

Presentation on theme: "Wishnu Prasetya Security Checking."— Presentation transcript:

1 Wishnu Prasetya wishnu@cs.uu.nl www.cs.uu.nl/docs/vakken/pv Security Checking

2 Plan Extended static checking Credential model Security testing Exception 2

3 Extended Static Checking (ESC) To check some generic correctness properties, e.g. that the program won’t crash due to division by zero, access to an array with an illegal index, null dereference, etc. Rely on auto-annotation. 3 tax(rate, income | tax) { if (income  10000) tax := 0 ; if (income  20000) tax := income / rate.low ; tax := tax + income / rate.high ; } { true } assert rate.high  0 if nothing else known, then true as pre-cond assert rate.low  0

4 Some notes on ESC We still have to deal with loops For automation, you may favor the  while  k approach, but this approach is not sound. There may be some crashes that we won’t be able to detect. Is this bad? 4

5 Security Security: access to certain variables or methods may require certain credentials. Privacy : a piece of data may have a set of “owners”, and should only be accessed by these owners. Unifying concept: a credential specifies a set of users. c  d means that d has at least the same level of access as c. Example: root, {u}, and  More abstractly, assume a security domain (C, ,  ), complete lattice. 5

6 Expressing security policy in GCL Global variables cred 0 and cred cred 0 can only be assigned once. cred  cred 0 should hold, at all time. Variables can declare the required credential var x c  y d  z in... end This requirement is static. Information can only flow towards variables with the same or lower credentials. Note that not all kinds of security policy can be expressed with these constructs. 6

7 Example Suppose var x c  y d  z in... Consider cred:=e ; z:=x+y Annotated to: assert e  cred 0 ; cred:=e ; assert c  cred ; assert d  c ; assert d   z:=x+y 7

8 Dealing with branches Consider: if x=0 then x:=y else z:=0 { Q } After annotation: if x=0 then { assert c  cred ; x := y } else { assert d  cred ; z := 0 } the wlp : (x=0  (c  cred /\ Q[y/x])) /\ (x  0  d  cred /\ Q[0/z]) Doubling the formula size  Can we simplify? 8

9 Case reduction (a  b) /\ (  a  c)  b /\ c Reducing wlp like this is sound, but in most cases this is too strong. There exists an f where f  ((a  b) /\ (  a  c)  b /\ c) A realistic f ? 9

10 Reducing branch, with security goals Recall the wlp : (x=0  (c  cred /\ Q[y/x])) /\ (x  0  d  cred /\ Q[0/z]) Consider d  cred as the post-condition. The wlp would then be: (x=0  c  cred /\ d  cred) /\ (x  0  d  cred) Is it reasonable to apply case-reduction on this? 10

11 Dealing with loops [while] k unfolding is too restrictive An unsound approach in not acceptable. while y>0 do {x := x+y ; y := y−1} {c  cred} Annotated to: 11 assert c  cred ; while y > 0 do { assert c  cred ; x := x+y ; assert c  cred ; y := y−1 ; assert c  cred ; } W 0 = true W 1 = (y>0 /\ wlp body W 0 ) \/ (y  0 /\ c  cred) = (y>0 /\ c  cred) \/ (y  0 /\ c  cred) = c  cred W 2 =... fix point! Nice.

12 d  cred Ok, how about this? A slightly different post-condition 12 while y > 0 do { assert c  cred ; x := x+y ; assert c  cred ; y := y−1 ; assert c  cred ; } W 0 = true W 1 = (y>0 /\ c  cred) \/ (y  0 /\ d  cred) W 2 = (y>1 /\ c  cred) \/ (y=1 /\ c  cred /\ d  cred) \/ (y  0 /\ d  cred).... does not terminate 

13 d  cred You have to fall back... Need a proposal for an invariant : c  cred /\ d  cred Can such a proposal be automated ? 13 while y > 0 do { assert c  cred ; x := x+y ; assert c  cred ; y := y−1 ; assert c  cred ; }

14 A loop that does something to credentials while y > 0 do {cred := cred+1 ; y := y−1} { c  cred } Annotated to: 14 assert c  cred ; while y > 0 do { assert cred+1  cred 0 ; cred := cred+1 ; assert c  cred ; y := y−1 ; assert c  cred ; } W 0 = true W 1 = (y>0 /\ cred+1  cred 0 /\ c  cred+1) \/ (y  0 /\ c  cred) = ((y>0 /\ c  cred+1) \/ (y  0 /\ c  cred)) /\ (y>0  cred+1  cred 0 ) W 2 = ((y>0 /\ c  cred+1) \/ (y  0 /\ c  cred)) /\ (y>1  cred+2  cred 0 ) /\ (y=1  cred+1  cred 0 )... does not terminate 

15 Need a proposal again... We can try : cred+y  cred 0 /\ c  cred Or even: cred+y  cred 0 /\ ((y>0 /\ c  cred+1) \/ (y  0 /\ c  cred)) 15 { c  cred } assert c  cred ; while y > 0 do { assert cred+1  cred 0 ; cred := cred+1 ; assert c  cred ; y := y−1 ; assert c  cred ; }

16 What do we do with loops like the previous one? Maybe we only have a few Heuristics to statically analyze the program, and propose invariants Dynamically infer proposals from logs 16

17 Dealing with containers E.g. arrays, or objects In a real language, you may have two variables y and z pointing to the same object. What do we do if y and z are declared with different credential requirements? Extend composite structures to have their own credential requirements What is a container contains an object o with a different credential requirement? Note that o can also be a member of another container! Impose that adding an object to a container, respect the requirement of the container. 17

18 Unauthorized use of resource Represent secured resources as objects, that can only be accessed through their methods. Programs/Methods can now declare required credential: e  Pr(x | r ) body Annotate calls to Pr accordingly. Method’s credential is static; so this is just a simple extension of the scheme we have so far. How about dynamic binding ? 18

19 Input injection attack Use of external components is security risk. Imagine Pr(x), where x is a user input and inside it sends a query to a backend DB engine. A program cannot naively trust its user’s input. Typical approach is to sanitize inputs. 19 query := "SELECT * FROM users” + “WHERE name =’" + userName + "’;" "’ or ’1’=’1"

20 Modeling sanitation Introduce function sanitize(expr) We prefer to treat this function abstractly  uninterpreted function. But the programmer has to specify, to what credential the result would be appropriate. syntax: sanitize(expr,c) It will be the programmer’s responsibility to make sure that the credential claim is met. our logic will check over the consequences of that. 20

21 Examples y := x+1 { true } The resulting wlp will be unsatisfiable  the program is definitely not safe  the logic detected it, yay! y := sanitize(x,c)+1 { true } But what if we want to prove this post-cond: y=0 Losing information due to the taken abstraction... 21

22 Exception Exception introduces non-standard flow of execution, which are often error prone; thus also security prone. The problem is, exception can be thrown from many points in the program, basically exploding the goals to solve for verification. But first... how to deal with exception in Hoare logic / wlp ? 22

23 Exception Introduce a global variable exc : bool, initially false raise sets this variable to true entering a handler reset it to false A state where exc is true, is an ‘exceptional’ state, else it is a normal state. Note that multiple exception types can be encoded. The obvious: wlp raise Q = Q[true/exc] 23

24 Assignments and guards In GCL evaluating an expression does not crash; so you have to properly ‘annotate’ the expression to model crashes. E.g. : x := a[k]/y should be transformed to e.g. : if k<0 \/ k  #a then raise ; // alternatively use assert if y=0 then raise ; // alternatively use assert x := a[k]/y ; Similar situation with ite and loop guard.s 24

25 Sequential composition is now ugly S 1 ; S 2  S 1 ; if exc then skip else S 2 wlp (S 1 ; S 2 ) Q = wlp S 1 (exc /\ Q) \/ wlp S 1 (  exc /\ wlp S 2 Q) Now “;” also doubles the formula  However, you can statically check if S 1 contains raise, if it does not, we don’t do the expansion. while g do S  while... /\  exc do S 25

26 exception handler S ! H  S ; if exc then { exc:=false ; H } else skip wlp (S ! H) Q = wlp S (  exc /\ Q) \/ wlp S (exc /\ ((wlp H Q)[false/exc])) Two scenarios S manages to terminate normally  H is not executed S throws an exception  control goes to H 26

27 Summary Static Security Checking can be done, almost automatically. Require critical variables or classes to declare needed credential Rely on annotating transformation Calculating wlp of loops can be challenging, but it looks like it can be mitigated Branches explode the formula, exception make its even worse; some heuristic to reduce the formula on the fly would be nice; but do watch for the overhead. 27

Download ppt "Wishnu Prasetya Security Checking."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
CSE341: Programming Languages Lecture 2 Functions, Pairs, Lists Dan Grossman Winter 2013.

CSE341: Programming Languages Lecture 2 Functions, Pairs, Lists Dan Grossman Winter 2013.
- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.

- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
An Introduction to Java Programming and Object- Oriented Application Development Chapter 8 Exceptions and Assertions.

An Introduction to Java Programming and Object- Oriented Application Development Chapter 8 Exceptions and Assertions.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
Wishnu Prasetya Hoare Logic and Predicate Transformers.

Wishnu Prasetya Hoare Logic and Predicate Transformers.
Computer Science 1620 Loops.

Computer Science 1620 Loops.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Copyright W. Howden1 Lecture 13: Programming by Contract.

Copyright W. Howden1 Lecture 13: Programming by Contract.
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.
Loops – While, Do, For Repetition Statements Introduction to Arrays

Loops – While, Do, For Repetition Statements Introduction to Arrays
Some administrative stuff Class mailing list: –send to with the command “subscribe”

Some administrative stuff Class mailing list: –send to with the command “subscribe”
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.
Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA.

Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA.
CSC 395 – Software Engineering Lecture 21: Overview of the Term & What Goes in a Data Dictionary.

CSC 395 – Software Engineering Lecture 21: Overview of the Term & What Goes in a Data Dictionary.

Similar presentations

Ads by Google