Presentation is loading. Please wait.

Presentation is loading. Please wait.

Poly stop a hacker David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Poly stop a hacker David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)"— Presentation transcript:

1 Poly stop a hacker David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

2 Poly stop a hackerDavid Walker Language-Based Security language-based security mechanisms protect a host from untrusted applications analyzing or modifying application behavior –static mechanisms (analysis at link time) type checking, proof checking, abstract interpretation –dynamic mechanisms (analysis at run time) access-control lists, stack inspection, capabilities

3 Poly stop a hackerDavid Walker Language-Based Security language-based security mechanisms protect a host from untrusted applications by analyzing or modifying application behavior –static mechanisms (analysis at link time) type checking, proof checking, abstract interpretation –dynamic mechanisms (analysis at run time) access-control lists, stack inspection, capabilities

4 Poly stop a hackerDavid Walker Program Monitors A program monitor is a computation that runs in parallel with an untrusted application –monitors detect, prevent, and recover from application errors at run time –monitor decisions may be based on execution history –we assume monitors have no knowledge of future application actions

5 Poly stop a hackerDavid Walker Program Monitors: Good Operations Application Monitor fopen ()

6 Poly stop a hackerDavid Walker Program Monitors: Bad Operations Application Monitor fopen () halt!

7 Poly stop a hackerDavid Walker Program Monitors: Bad Operations Application Monitor fopen ()

8 Poly stop a hackerDavid Walker Program Monitors: Options A program monitor may do any of the following when it recognizes a dangerous operation: –halt the application –suppress (skip) the operation but allow the application to continue –insert (perform) some computation on behalf of the application

9 Poly stop a hackerDavid Walker Past Research Program monitors have a lengthy history in the systems community –OS kernels use hardware support secure fixed system-call interface –mobile code architectures and safe languages (Java, CLR) more complex interactions between applications more diverse set of interfaces to secure more diverse set of policies necessary

10 Poly stop a hackerDavid Walker The Polymer Project Theoretical analysis of the range of the policies enforceable at run time Definition and implementation of a high-level policy language –incorporate types, modularity and high- level programming techniques Formal semantics and tools for reasoning about policies

11 Poly stop a hackerDavid Walker The Polymer Project Theoretical analysis of the range of the policies enforceable at run time Definition and implementation of a high-level policy language –incorporate types, modularity and high- level programming techniques Formal semantics and tools for reasoning about policies

12 Poly stop a hackerDavid Walker Today: Polymer the Language Polymer via Pictures –simple policies –complex policies Polymer semantics –monadic structure –types Polymer discussion –implementation, related and future work

13 Poly stop a hackerDavid Walker Today: Polymer the Language Polymer via Pictures –simple policies –complex policies Polymer semantics –monadic structure –types Polymer discussion –implementation, related and future work

14 Poly stop a hackerDavid Walker What is in a run-time security policy? Policy-relevant actions –method calls, get/set state, raise exception Security-relevant state –inaccessible to application program Decision procedure –does the current action satisfy the policy in the current state? –if not, what supplementary action must be taken?

15 Poly stop a hackerDavid Walker Example: Access Control a Access Control Monitor (ACM) fopen fclose getc putc actions acl state computation acl lookup

16 Poly stop a hackerDavid Walker Example: Deadlock Prevention Deadlock Prevention Monitor (Deadlock) acquire release actions locks held state computation locking protocol

17 Poly stop a hackerDavid Walker Security in Complex Systems Restating the obvious: –it’s hard to secure complex systems against the determined attacker Design goal: –prepare for mistakes –be ready for change Mechanisms: –modularity –highly structured and parameterized policies

18 Poly stop a hackerDavid Walker Security in Complex Systems Polymer Mechanisms –high-level policy combinators conjunctive policies disjunctive policies –modularity mechanisms from modern languages (eg: ML) hierarchical policies parameterized policies higher-order policies

19 Poly stop a hackerDavid Walker Parallel Conjunctive Policies Application ResourceMgr conjunctive decision Deadlock ACM

20 Poly stop a hackerDavid Walker Parallel Conjunctive Policies two independent parallel processes decide whether an action is allowed –both say okay ==> application goes ahead –either says halt ==> application halts –one says okay and the other does not care about this action ==> application goes ahead example: –resourceMgr = ACM AND Deadlock

21 Poly stop a hackerDavid Walker Policy Combinators Conjunctive policies narrow the set of acceptable program action sequences Disjunctive policies widen the set of acceptable program action sequences

22 Poly stop a hackerDavid Walker Parallel Disjunctive Policies Application ACM++ disjunctive decision Authenticated ACM

23 Poly stop a hackerDavid Walker Parallel Disjunctive Policies two independent parallel processes decide whether an action is allowed –either says okay ==> app. goes ahead –both say halt ==> application halts –one says okay and the other does not care about this action ==> app. goes ahead example: –ACM++= ACM OR AuthenticatedACM

24 Poly stop a hackerDavid Walker Chinese Wall Policies –each application is offered a number of protocol choices –when the application selects one choice, all other choices become unavailable

25 Poly stop a hackerDavid Walker Parallel Disjunctive Policies Application Chinese Wall Monitor disjunctive decision Network not File not Network

26 Poly stop a hackerDavid Walker Complete Mediation A Crucial Security Principle –in order to protect a resource, one must mediate all accesses to that resource Naive composition of policies can lead to violations of complete mediation –eg: kernelSafety AND deadlock inserts acquire/release to protect kernel data must see all acquire/ release actions

27 Poly stop a hackerDavid Walker Sequential Conjunction Resource Manager kernel safety deadlock prevention Application conjunctive decision

28 Poly stop a hackerDavid Walker Sequential Conjunction System Policy resource manager logging/ auditing process Application conjunctive decision

29 Poly stop a hackerDavid Walker Sequential Disjunction Disjunctive Monitor Application disjunctive decision

30 Poly stop a hackerDavid Walker Today: Polymer the Language Polymer via Pictures –simple policies –complex policies Polymer semantics –monadic structure –types Polymer discussion –implementation, related and future work

31 Poly stop a hackerDavid Walker Formal Language Structure Derived from the computational lambda calculus [Moggi] –computations (E) run in parallel with an untrusted application have effects on the application (halt, suppress, change state, perform application actions, etc.) –terms (M) an algebra for manipulating suspended computations (ie: policies) do not have effects

32 Poly stop a hackerDavid Walker Simple Policies actions (method calls) –a in A terms (policies) –M ::= {actions: A; policy: E} | fun f (x:t) = M | M1 M2 |... monitoring computations –E ::= M | ok; E | sup; E | call (a) next: E1 done: E2 | do M; E | case * of (A1: E1 | A2: E2) |...

33 Poly stop a hackerDavid Walker Memory-Limit Example { actions: malloc; policy: next: case * of malloc(n): let q’ = q-n in if (q’ > 0) then ok; do (mpol q’) else halt end done: () } fun mpol(q:int) =

34 Poly stop a hackerDavid Walker Memory-Limit Policy mpol is a function from integers to policies to generate a policy we apply our function to an initial memory quota: –memLimit = mpol 10000

35 Poly stop a hackerDavid Walker File-Access Example { actions: fopen, fcloses; policy: next: case * of fopen(s,m): if (acl s m) then ok; do (fpol (s::files)) else sup; do (fpol (files)) | fcloses (l):... done: call (fcloses files) } fun fpol (files: file list) =

36 Poly stop a hackerDavid Walker File-Access Policy Once again, we apply our recursive function to an initial argument to get a policy –fileAccess = fpol []

37 Poly stop a hackerDavid Walker Policy Types types –t ::= int | () | t1 x t2 | t1 + t2 | t1 -> t2 | M t examples: –mpol : int -> M () –memLimit : M () a simple type system prevents standard sorts of errors

38 Poly stop a hackerDavid Walker Parallel Conjunctive Policies A parallel conjunctive policy is a suspended computation that returns a pair of values Types: –if P1 : M t1 and P : M t2 then P1 AND P2 : M (t1 x t2) –Curry-Howard strikes again! Trivial policy T is the identity for AND –T : M ()

39 Poly stop a hackerDavid Walker Parallel Disjunctive Policies A parallel disjunctive policy is a suspended computation that returns a sum Types: –if P1 : M t1 and P : M t2 then P1 OR P2 : M (t1 + t2) Unsatisfiable policy  is identity for OR –  : M void

40 Poly stop a hackerDavid Walker Complete Mediation Failure Application Monitor foo () auditing process deadlock

41 Poly stop a hackerDavid Walker Conflicting Policies Application Monitor foo () ? ok sup

42 Poly stop a hackerDavid Walker Types and Effects We synthesize the effects of a computation –the effects = the actions that may be inserted or suppressed by a computation P1 AND P2 is well-formed when –the effects of P1 are disjoint from the regulated set of P2 and vice versa effect analysis –ensures complete mediation for parallel pol’s –provides flexibility in sequential pol’s

43 Poly stop a hackerDavid Walker Today: Polymer the Language Polymer via Pictures –simple policies –complex policies Polymer semantics –monadic structure –types Polymer discussion –implementation, related and future work

44 Poly stop a hackerDavid Walker Implementation Architecture Java application policy interface policy implementation instrumented application secure application

45 Poly stop a hackerDavid Walker Implementation Progress work so far: –simple policies with basic features (ok, sup, pattern matching, case, Java base) – higher-order policies and policy combinators future work: –networking applications –further combinators –type and effect system –dynamic policy updates

46 Poly stop a hackerDavid Walker Related Work Aspect-oriented programming –Polymer is a domain-specific aspect- oriented programming language –New features: an aspect algebra with novel combinators a new approach to aspect collision (types and effects) formal semantics as an extension of Moggi’s computational lambda calculus –see also Wand et al.’s semantics for aspects

47 Poly stop a hackerDavid Walker Related Work Monitoring languages –General-purpose languages/systems for monitoring applications Poet and Pslang, Naccio, Ariel, Spin Kernel –Logical monitoring specifications MAC (temporal logic), Bigwig (second-order monadic logic)

48 Poly stop a hackerDavid Walker Summary: Polymer First steps towards the design of a modern language for programming modular run- time security monitors References –FCS ‘02 (expressible and inexpressible policies) –Princeton TR 655-02 (Polymer semantics) –www.cs.princeton.edu/sip/projects/polymer/

49 Poly stop a hackerDavid Walker End

Download ppt "Poly stop a hacker David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)"

Similar presentations

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.

Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.
Jay Ligatti and Srikar Reddy University of South Florida.

Jay Ligatti and Srikar Reddy University of South Florida.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
CTO Office Reliability & Security Distinctions and Interactions Hal Lockhart BEA Systems.

CTO Office Reliability & Security Distinctions and Interactions Hal Lockhart BEA Systems.
Concolic Modularity Testing Derrick Coetzee University of California, Berkeley CS 265 Final Project Presentation.

Concolic Modularity Testing Derrick Coetzee University of California, Berkeley CS 265 Final Project Presentation.
Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)

CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)
Expert System Human expert level performance Limited application area Large component of task specific knowledge Knowledge based system Task specific knowledge.

Expert System Human expert level performance Limited application area Large component of task specific knowledge Knowledge based system Task specific knowledge.
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-

1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-
Bilkent University Department of Computer Engineering

Bilkent University Department of Computer Engineering
Functional Design and Programming Lecture 1: Functional modeling, design and programming.

Functional Design and Programming Lecture 1: Functional modeling, design and programming.
Software Security Monitors: Theory & Practice David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Software Security Monitors: Theory & Practice David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)
Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.

Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.
Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)

Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)
Concurrency CS 510: Programming Languages David Walker.

Concurrency CS 510: Programming Languages David Walker.

Similar presentations

Ads by Google