Presentation is loading. Please wait.

Presentation is loading. Please wait.

Not for public release Efficient Code Certification for Open Firmware Matt Stillerman, PhD Odyssey Research Associates 33 Thornwood Drive, Suite 500 Ithaca,

Published byCarol Potter Modified over 9 years ago

Similar presentations

Presentation on theme: "Not for public release Efficient Code Certification for Open Firmware Matt Stillerman, PhD Odyssey Research Associates 33 Thornwood Drive, Suite 500 Ithaca,"— Presentation transcript:

1 Not for public release Efficient Code Certification for Open Firmware Matt Stillerman, PhD Odyssey Research Associates 33 Thornwood Drive, Suite 500 Ithaca, NY 14850 matt@oracorp.com OASIS PI Meeting, Santa Fe NM July 25, 2001

2 Odyssey Research Associates 2 Not for public release 7/25/2001 SL01-017 Collaborators Dexter Kozen, Cornell University Thomas Merritt, CodeGen, Inc.

3 Odyssey Research Associates 3 Not for public release 7/25/2001 SL01-017 Problem: Malicious Firmware Information systems are vulnerable when booting. Security measures are not started yet. Boot software runs in a very privileged mode – it can “do anything.” This vulnerability would be exploited by inserting malicious code into the boot program (firmware). Odyssey’s Solution: BootSafe will detect all non-TCB firmware programs with the potential to violate the security policy, at boot-time, before they run.

4 Odyssey Research Associates 4 Not for public release 7/25/2001 SL01-017 Why worry about boot firmware? The boot program: tells the operating system about the hardware configuration. It could lie. (e.g. “Here is an approved cryptographic device.”) initializes all hardware devices. It could operate those devices maliciously, fail to initialize them, or damage them. (e.g. “It’s time to erase all keys.”) loads the operating system. It could hack the OS, and thus is capable of disabling, circumventing, or subverting all trusted host software. (e.g. Substitute a spoof version of the login module for the real one.)

5 Odyssey Research Associates 5 Not for public release 7/25/2001 SL01-017 Practical, Exploitable Weakness Within the means of a nation-state or well-funded organization. Several routes for insertion of malicious code: –Firmware patches and upgrades –Device drivers for peripheral devices –Console boot prompt gives full access to an interpreter. User/Administrator community generally not aware of this danger – systems are wide-open to arbitrary harm.

6 Odyssey Research Associates 6 Not for public release 7/25/2001 SL01-017 Expected Benefits of BootSafe Directly detects what users care about: potential violations of the security policy. Malicious code is identified before it runs. Code is rechecked before each boot cycle. All trust resides in end-user systems. Can accept code updates from untrusted suppliers. End-user gains well-founded trust without source code. Complements code-signing integrity approaches. Based on a rigorous formal analysis, thus can achieve high assurance.

7 Odyssey Research Associates 7 Not for public release 7/25/2001 SL01-017 Scope: Open Firmware BootSafe will detect malicious code in Open Firmware-based systems. –Open Firmware is a widely used standard “platform” for boot firmware (IEEE-1275). –Standardizes the execution environment, the device API, the operating system API, and the user interface. –Popular because it enables reusability and portability of boot code. –Used by Sun Microsystems, Apple, and many embedded system vendors. –Used in DoD and US Government information systems.

8 Odyssey Research Associates 8 Not for public release 7/25/2001 SL01-017 Forth-based Solution Other Software Fcode Interpreter Fcode programs Forth Source program Certifying tokenizer Verifier certificate Software Developer Open Firmware Boot Host BootSafe

9 Odyssey Research Associates 9 Not for public release 7/25/2001 SL01-017 Java-based Solution ROM Storage certificate Fcode Java Program JVM Bytecode javac J2F certifying compiler Firmware Developer

10 Odyssey Research Associates 10 Not for public release 7/25/2001 SL01-017 Fcode Loading and Verification Other Software Fcode Interpreter Fcode programs Boot Program ROM Storage Verifier certificate Fcode “Loading”

11 Odyssey Research Associates 11 Not for public release 7/25/2001 SL01-017 Advantages of Java Java is strongly typed. –JAVA bytecode is strongly typed -- can carry typing down to Fcode type annotations that reflect JAVA typing –Fcode verification mimics JAVA bytecode verification Open Firmware is naturally object-oriented –The device tree has a natural object-oriented inheritance structure -- can provide templates with general functionality for each device type that can be subclassed –Static/instance structure already present in Open Firmware

12 Odyssey Research Associates 12 Not for public release 7/25/2001 SL01-017 Advantages of Java Thus our security policy will be very naturally expressed in terms of Java, as: –Type checking. –Safety of Java namespace. Non-malleable class definitions. –Requirement to implement specific standard interfaces. –Liberal use of final and private attributes. –Restrictions on lexical references

13 Odyssey Research Associates 13 Not for public release 7/25/2001 SL01-017 First Level Policy: Type Safety Memory safety Control flow Stack safety Compiling down from a type safe language ensures this. Enforced in Fcode by the analog of Java bytecode verification.

14 Odyssey Research Associates 14 Not for public release 7/25/2001 SL01-017 Second Level Policy: Device Encapsulation Each physical device may only be accessed through its device driver using the published driver interface. –Each device driver interface conforms to the standard. –No additional public interface is defined. –No external access to internal methods or data structures of the device driver. –All calls to driver interface methods are well- formed.

15 Odyssey Research Associates 15 Not for public release 7/25/2001 SL01-017 Third Level Policies Threat categories they address: Malicious inter-device access Resource exhaustion Incorrect device alias or name Malformed device tree Corruption of the operating system –As it is loaded –As it runs Wrong OS boot device.

16 Odyssey Research Associates 16 Not for public release 7/25/2001 SL01-017 Preventing Malicious Inter-device Access Allow only plausible forms of access, by device type. Enforce additional site-specific restrictions on inter-device access. Enforcement: –Check explicit calls in device driver code against policy. –Restrict “dynamic” inter-device calls where the target or method is computed in a non-obvious way. –Mediate calls by a run-time check. Verify that the correct enforcement code (boiler-plate) is in place.

17 Odyssey Research Associates 17 Not for public release 7/25/2001 SL01-017 Status Phase I SBIR, nearly completed Accomplishments –Forth-based and Java-based approaches. Feasibility Architecture –Draft security policy –J2F program Potential –Addresses a real vulnerability –Commercially attractive

18 Odyssey Research Associates 18 Not for public release 7/25/2001 SL01-017 Eager Java Class Initialization Eager class loading and initialization would be preferable to Java’s lazy class loading policy. Problem: What order to initialize classes with cyclic class initializer dependencies. class A { static int a = B.b + 1;... 2 } class B { static int b = A.a + 1;... 1 }

Download ppt "Not for public release Efficient Code Certification for Open Firmware Matt Stillerman, PhD Odyssey Research Associates 33 Thornwood Drive, Suite 500 Ithaca,"

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu www.list.gmu.edu.

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
Lab Information Security Using Java (Review) Lab#0 Omaima Al-Matrafi.

Lab Information Security Using Java (Review) Lab#0 Omaima Al-Matrafi.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Lab#1 (14/3/1431h) Introduction To java programming cs425

Lab#1 (14/3/1431h) Introduction To java programming cs425
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
Object Orientated Programming

Object Orientated Programming
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.
For more Lectures and Notes Visit www.basicsofprogramming.wordpress.com.

For more Lectures and Notes Visit
1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.

1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.
Static Code Analysis and Governance Effectively Using Source Code Scanners.

Static Code Analysis and Governance Effectively Using Source Code Scanners.
Java How to Program, 9/e Instructor: José M. Reyes Álamo ©1992-2012 by Pearson Education, Inc. All Rights Reserved.

Java How to Program, 9/e Instructor: José M. Reyes Álamo © by Pearson Education, Inc. All Rights Reserved.
Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.

Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.
01 Introduction to Java Technology. 2 Contents History of Java What is Java? Java Platforms Java Virtual Machine (JVM) Java Development Kit (JDK) Benefits.

01 Introduction to Java Technology. 2 Contents History of Java What is Java? Java Platforms Java Virtual Machine (JVM) Java Development Kit (JDK) Benefits.
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Java Security Updated May 2007. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.

Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep

Similar presentations

Ads by Google