Presentation is loading. Please wait.

Presentation is loading. Please wait.

Systems for Safety and Dependability David Evans University of Virginia Department of Computer Science.

Published byCharlotte Cannon Modified over 9 years ago

Similar presentations

Presentation on theme: "Systems for Safety and Dependability David Evans University of Virginia Department of Computer Science."— Presentation transcript:

1

2 Systems for Safety and Dependability David Evans http://www.cs.virginia.edu/~evans/ University of Virginia Department of Computer Science

3 214 December 1999Safety and Dependability What Are You Afraid Of? Malicious attacks –Russian New Year, Melissa, Chernobyl, Java thread attack, etc. Buggy programs –Can cause harm accidentally –Can be exploited by attackers User mistakes/bad interfaces –tar –cf *

4 314 December 1999Safety and Dependability Menu Naccio: Policy-Directed Code Safety How do you prevent bad programs from doing bad things? naccio.cs.virginia.edu LCLint: Annotation-Assisted Static Checking How do you help good people not write bad programs? lclint.cs.virginia.edu

5 414 December 1999Safety and Dependability Naccio Motivation Weaknesses in existing code safety systems: –Limited range of policies –Policy definition is ad hoc and platform dependent Enforcement is tied to a particular architecture Can we solve them without sacrificing efficiency or convenience? Yes!

6 514 December 1999Safety and Dependability General method for defining policies –Abstract resources –Platform independent System architecture for enforcing policies –Prototypes for JavaVM classes, Win32 executables Program Safe Program Safety Policy Naccio Overview

7 614 December 1999Safety and Dependability Problem User’s View Files Resources Policy System View WriteFile (fHandle, …) Disk Program System Library OS Kernel tar cf * Platform Interface

8 714 December 1999Safety and Dependability Safety Policy Definition Resource descriptions: abstract operational descriptions of resources (files, network, …) Platform interface: mapping between system events (Java API calls) and abstract resources Resource use policy: constraints on manipulating those resources

9 814 December 1999Safety and Dependability global resource RFileSystem openRead (file: RFile) Called before file is opened for reading openWrite (file: RFile) Called before existing file is opened for writing write (file: RFile, nbytes: int) Called before nbytes are written to file … // other operations for observing properties of files, deleting, etc. resource RFile RFile (pathname: String) Constructs object corresponding to pathname Resource Description

10 914 December 1999Safety and Dependability Java PFI Excerpt wrapper java.io.FileOutputStream requires RFileMap; state RFile rfile; wrapper void write (byte b[]) if (rfile != null) RFileSystem.write (rfile, b.length); %% // original method call …// wrappers needed for constructors, other write // methods, close and getFD

11 1014 December 1999Safety and Dependability Resource Use Policy policy LimitWrite LimitBytesWritten (1000000), NoOverwrite property LimitBytesWritten (n: int) requires TrackBytesWritten; check RFileSystem.write (file: RFile, nbytes: int) if (bytes_written > n) violation (“Writing more than …”); stateblock TrackBytesWritten addfield RFileSystem.bytes_written: int = 0; precode RFileSystem.write (file: RFile, nbytes: int) bytes_written += nbytes;

12 1114 December 1999Safety and Dependability Enforceable Policies Can enforce any policy that can be defined What can be defined depends on resource operations Resource operations depend on platform interface –Any manipulation done through API calls –Cannot constrain CPU usage Solutions possible: insert calls Portable policies use standard resources

13 1214 December 1999Safety and Dependability System architecture Defining policies Enforcing policies Architecture Results – JavaVM, Win32 Outline Program Safe Program Safety Policy

14 1314 December 1999Safety and Dependability Policy description file Application transformer transformer Program Version of program that: Uses policy-enforcing system library Satisfies low-level code safety Naccio Architecture Platforms in development: JavaVM – program is collection of Java classes Win32 – program is Win32 executable and DLLs Per application Policycompiler Safety policy definition Policy-enforcing system library Per policy

15 1414 December 1999Safety and Dependability Policy description file Resource descriptions System library Java library classes Platform interface Describes Java API Platformindependentanalyses Platform dependent analyses and code generation Resource use policy Policy Compiler Policy-enforcing system library Implementations of resource operations –Perform checking described by resource use policy Modifies Java byte codes –Call abstract resource operations as directed by platform interface

16 package naccio.p253.resource; class RFileSystem { static int bytes_written = 0; static void write (RFile file, int nbytes) { bytes_written += nbytes; if (bytes_written > 1000000) Check.violation (“LimitWrite”, “Attempt to write …); } … Policy compiler Resource implementations Resource use policy stateblock TrackBytesWritten addfield RFileSystem.bytes_written: int; precode RFileSystem.write (file: RFile, nbytes: int) bytes_written += nbytes; property LimitBytesWritten (n: int) check RFileSystem.write (file: RFile, nbytes: int) if (bytes_written > n) violation (“Attempt …); Implementing Resources RFileSystem RFile Resource descriptions policy LimitWrite NoOverwrite, LimitBytesWritten (1000000)

17 1614 December 1999Safety and Dependability class FileOutputStream { … public void write (byte b[]) { writeBytes (b, 0, b.length); } class FileOutputStream { naccio.p253.resource.RFile rfile; … // orig_write – same implementation as old write method void write (byte b[]) { if (rfile != null) naccio.p253.resource.RFileSystem.write (rfile, b.length); orig_write (b); } Policy compiler Wrapped library classes System library classes Platform interface wrapper java.io.FileOutputStream state RFile rfile; wrapper void write (byte b[]) if (rfile != null) RFileSystem.write (rfile, b.length); %% // original method call Rewriting Classes

18 1714 December 1999Safety and Dependability Optimizations Only implement resource operation if it: –May produce a violation –Modifies state used elsewhere Only wrap library method if it: –Calls implemented resource operation –Modifies state used meaningfully –Alters behavior Simple dataflow dependency analysis Not done yet: inline methods and state to remove resource overhead

19 1814 December 1999Safety and Dependability Program Transformer Policy description file Program Collection of Java classes Version of program that: 1.Uses policy-enforcing library Replace class names in constant pool Wrappers for dynamic class loading methods 2.Satisfies low-level code safety Use Java byte code verifier Wrappers on reflection methods

20 1914 December 1999Safety and Dependability What’s different for Win32? Program is Win32 executable and DLLs Platform interface describes Win32 API Policy compiler –Generate DLLs instead of Java classes Application transformer –Replace DLL names in import table –Low-level code safety is platform-specific SFI for jumps, PFI wrappers to protect memory Scan for kernel traps Policies can be reused

21 2014 December 1999Safety and Dependability Results - JavaVM Preparation time minimal Overhead depends on policy and application Substantially faster than JDK –Policy decisions made at transform time –Can optimize out unnecessary checking Details in [Evans99] Naccio tar from www.ice.com

22 2114 December 1999Safety and Dependability Results – Win32 Can enforce policies on Microsoft Word Caveats: –Subset of Win32 API –Doesn’t deal with low- level code safety yet (need to implement SFI) Details in [Twyman99] pkzip

23 2214 December 1999Safety and Dependability Related Work Software fault isolation [Wahbe et al, 93] Similar enforcement mechanisms –Execution monitoring [Schneider] –Ariel Project [Pandey, Hashii] Alternative: verify properties –Proof-carrying code [Necula, Lee] –Typed Assembly Language [Morrisett]

24 2314 December 1999Safety and Dependability Naccio Summary Method for defining large class of policies –Using abstract resources General architecture for code safety Encouraging results so far –Win32: need to implement low-level safety –JavaVM: needs to be attacked For more information: IEEE Security & Privacy 99 (Oakland) http://naccio.cs.virginia.edu

25 2414 December 1999Safety and Dependability Annotation-Assisted Static Checking Effort Required Low Unfathomable Formal Verifiers Bugs Detected none all Compilers LCLint

26 2514 December 1999Safety and Dependability Approach Programmers add annotations (formal specifications) –Simple and precise –Describe programmers intent: Types, memory management, data hiding, aliasing, modification, nullness, etc. LCLint detects inconsistencies between annotations and code –Simple (fast!) dataflow analyses

27 2614 December 1999Safety and Dependability Sample Annotation: only Reference (return value) owns storage No other persistent (non-local) references to it Implies obligation to transfer ownership Transfer ownership by: –Assigning it to an external only reference –Return it as an only result –Pass it as an only parameter: e.g., extern void free (only void *); extern only char *gptr; extern only out null void *malloc (int);

28 2714 December 1999Safety and Dependability Example 1int dummy (void) { 2 int *ip= (int *) malloc (sizeof (int)); 3 *ip = 3; 4 return *ip; 5 } extern only null void *malloc (int); in library LCLint output: dummy.c:3:4: Dereference of possibly null pointer ip: *ip dummy.c:2:13: Storage ip may become null dummy.c:4:14: Fresh storage ip not released before return dummy.c:2:43: Fresh storage ip allocated

29 2814 December 1999Safety and Dependability Checking Examples Encapsulation – abstract types (rep exposure), global variables, documented modifications Memory management – leaks, dead references De-referencing null pointers, dangerous aliasing, undefined behavior

30 2914 December 1999Safety and Dependability Unsoundness & Incompleteness are Good! Okay to miss errors –Report as many as possible Okay to issue false warnings –But don’t annoy the user to too many –Make it easy to configure checking and override warnings Design tradeoff – do more ambitious checking the best you can

31 3014 December 1999Safety and Dependability LCLint Status Public distribution since 1993 Effective checking >100K line programs (checks about 1K lines per second) –Detects lots of real bugs in real programs (including itself, of course) More information: lclint.cs.virginia.edu PLDI ’96, FSE’94

32 3114 December 1999Safety and Dependability Where do we go from here? Motivating Example: Take an e-commerce site and prove that credit card information is never stored or transmitted unencrypted Meta-annotations [David LaRochelle] –Allow users to define new annotations and associated checking Generalize framework –Support static checking for multiple source languages in a principled way –Integrate static and run-time checking to enable completeness guarantees

33 3214 December 1999Safety and Dependability Summary A little redundancy goes a long way Naccio: –Describe high-level behavioral constraints in an abstract way –Check them automatically at run-time LCLint: –Describe programmer intent in a precise way –Check them statically at compile-time

34 3314 December 1999Safety and Dependability Credits Naccio Win32 Implementation: Andrew Twyman LCLint LCL: Yang Meng Tan, John Guttag, Jim Horning Funding DARPA, NSF, ONR

Download ppt "Systems for Safety and Dependability David Evans University of Virginia Department of Computer Science."

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
Automatic Memory Management Noam Rinetzky Schreiber 123A 2015/seminar/seminar1415a.html.

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Lab#1 (14/3/1431h) Introduction To java programming cs425

Lab#1 (14/3/1431h) Introduction To java programming cs425
Joel Winstead CS201j: Engineering Software University of Virginia Computer Science Lecture 16: Pointers and Memory Management.

Joel Winstead CS201j: Engineering Software University of Virginia Computer Science Lecture 16: Pointers and Memory Management.
RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.

RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.
CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.

CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
OOP in Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

OOP in Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.
Common System Components

Common System Components
OOP in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

OOP in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Shallow Versus Deep Copy and Pointers Shallow copy: when two or more pointers of the same types point to the same memory – They point to the same data.

Shallow Versus Deep Copy and Pointers Shallow copy: when two or more pointers of the same types point to the same memory – They point to the same data.
Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.

Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.

Similar presentations

Ads by Google