Slide 1: Policy-Directed Code Safety
David Evans, http://naccio.lcs.mit.edu, evs@sds.lcs.mit.edu
April 1999, Software Devices and Systems, MIT Lab for Computer Science
Slide 2: What Are You Afraid Of?
- Malicious attackers
  – Melissa Word macro virus
- Questionable "trusted" programs
  – Win95 Registration Wizard
- Buggy programs
  – Therac-25
- User mistakes/bad interfaces
  – tar -cf *
Slide 3: LCLint [Evans, PLDI '96]
- Programmers add annotations to code
- Lightweight static checking detects inconsistencies (often bugs)
- Useful, but can't provide code safety
  – Requires source code, expertise and effort
  – Too hard to prove most properties statically
Slide 4: Solution Space
- Detect bad programs
  – Malicious code detectors (virus scanners)
  – Digital signatures
- Platform limits on what programs can do
  – Operating system, firewalls, Java sandbox
- Naccio: alter programs before running
Slide 5: My Work
- General method for defining policies
  – Abstract resources
  – Platform independent
- System architecture for enforcing policies
(Figure: Program + Safety Policy -> Safe Program)
Slide 6: Naccio Architecture
(Figure) The policy author runs the policy compiler on a safety policy definition, producing a policy description file and a policy-enforcing system library. The sysadmin or user runs the application transformer on the program, producing a version of the program that:
- Uses the policy-enforcing system library
- Satisfies low-level code safety
Platforms in development:
- JavaVM: program is a collection of Java classes
- Win32 [Andrew Twyman]: program is a Win32 executable
Slide 7: Related Work
- Software fault isolation [Wahbe et al, 93]
- Similar enforcement mechanisms
  – Execution monitoring [Schneider]
  – Ariel Project [Pandey, Hashii]
- Alternative: verify properties
  – Proof-carrying code [Necula, Lee]
  – Typed Assembly Language [Morrisett]
Slide 8: Outline
- System architecture
- Defining policies
- Enforcing policies
- Results
(Figure: Program + Safety Policy -> Safe Program)
Slide 9: Example Safety Policies
- Access constraints
  – JDK policies
- Resource use limits
  – Limit number of bytes that can be written
- Application-specific policies
  – TarCustom policy
- Behavior-modifying policies
  – Soft bandwidth limit
Slide 10: Describing Policies
Two ways policies are described today: Internet Explorer 5.0 (figure) and the HotJava SecurityManager (code excerpt):

    public class AppletSecurity extends SecurityManager {
        ...
        public synchronized void checkRead(String file, URL base) {
            if (base != null) {
                if (!initACL) {
                    initializeACLs();
                }
                if (readACL == null) {
                    return;
                }
                String realPath = null;
                try {
                    realPath = (new File(file)).getCanonicalPath();
                } catch (IOException e) {
                    throw new AppletSecurityException("checkread.exception1",
                                                      e.getMessage(), file);
                }
                ...
            }
        }
    }

Want something:
- More expressive
- Easier to produce, understand and reason about
Slide 11: Problem
(Figure) Policy author's view: the policy is stated in terms of resources such as files. System view: the program calls the system library (e.g., java.io.FileOutputStream.write (a)), which writes to the disk. The platform interface must bridge the two views.
Slide 12: Safety Policy Definition
- Resource descriptions: abstract operational descriptions of resources (files, network, ...)
- Platform interface: mapping between system API and abstract resources
- Resource use policy: constraints on manipulating those resources
Slide 13: Resource Description

    global resource RFileSystem
        openRead (file: RFile)
            Called before file is opened for reading
        openCreate (file: RFile)
            Called before new file is created and opened for writing
        openWrite (file: RFile)
            Called before existing file is opened for writing
        write (file: RFile, nbytes: int)
            Called before nbytes are written to file
        preRead (file: RFile, nbytes: int)
            Called before up to nbytes are read from file
        postRead (file: RFile, nbytes: int)
            Called after nbytes were read from file
        ...  // other operations for observing properties of files, deleting, etc.

    resource RFile
        RFile (pathname: String)
            Constructs object corresponding to pathname
Slide 14: Platform Interface
- The ugly part: mapping from platform system calls to resource operations
- For every system procedure, either:
  – Describe its effects on resources, or
  – Pass through checking to the procedures it calls.
- The platform determines which procedures the PFI must describe
- May describe additional methods to:
  – Improve performance and clarity
  – Treat system code differently (risky)
Slide 15: Java PFI Excerpt

    wrapper java.io.FileOutputStream
        requires RFileMap;
        state RFile rfile;

        wrapper void write (byte b[])
            if (rfile != null) RFileSystem.write (rfile, b.length);
            %%  // original method call

        ...  // wrappers needed for constructors, other write
             // methods, close and getFD
Slide 16: Resource Use Policy

    policy LimitWrite
        NoOverwrite, LimitBytesWritten (1000000)

    property NoOverwrite
        check RFileSystem.openWrite (file: RFile)
            violation ("Attempt to overwrite file.");

- A policy is a collection of properties
- Properties attach checking code to resource operations
Slide 17: LimitBytesWritten Property

    stateblock TrackBytesWritten
        addfield RFileSystem.bytes_written: int = 0;
        precode RFileSystem.write (file: RFile, nbytes: int)
            bytes_written += nbytes;

    property LimitBytesWritten (n: int)
        requires TrackBytesWritten;
        check RFileSystem.write (file: RFile, nbytes: int)
            if (bytes_written > n)
                violation ("Attempt to write more than " + n + " bytes ...");
Slide 18: Enforceable Policies
- Can enforce any policy that can be defined
- What can be defined depends on the resource operations
- Resource operations depend on the platform interface
  – Any manipulation done through API calls
- Cannot write policies that constrain memory and CPU usage
  – Solutions possible: insert calls
Slide 19: Outline
- System architecture
- Defining policies
- Enforcing policies
- Results
(Figure: Program + Safety Policy -> Safe Program)
Slide 20: Policy Compiler
(Figure) Inputs:
- Safety policy definition (policy description file): resource descriptions, platform interface (describes the Java API), resource use policy
- System library: Java API classes (e.g., java.io.FileOutputStream)
Stages: platform independent analyses, then platform dependent analyses and code generation.
Output: policy-enforcing system library
- Implementations of resource operations
  – Perform checking described by the resource use policy
- Rewritten Java API classes
  – Call abstract resource operations as directed by the platform interface wrappers
Slide 21: Implementing Resources
Inputs to the policy compiler: the resource descriptions (RFileSystem, RFile) and the resource use policy:

    policy LimitWrite
        NoOverwrite, LimitBytesWritten (1000000)

    stateblock TrackBytesWritten
        addfield RFileSystem.bytes_written: int;
        precode RFileSystem.write (file: RFile, nbytes: int)
            bytes_written += nbytes;

    property LimitBytesWritten (n: int)
        check RFileSystem.write (file: RFile, nbytes: int)
            if (bytes_written > n) violation ("Attempt ...");

Output of the policy compiler, the resource implementations:

    package naccio.p253.resource;

    class RFileSystem {
        static int bytes_written = 0;

        static void write (RFile file, int nbytes) {
            bytes_written += nbytes;
            if (bytes_written > 1000000)
                Check.violation ("LimitWrite", "Attempt to write ...");
        }
        ...
    }
Slide 22: Rewriting Classes
System library class:

    class FileOutputStream {
        ...
        public void write (byte b[]) {
            writeBytes (b, 0, b.length);
        }
    }

Platform interface wrapper:

    wrapper java.io.FileOutputStream
        state RFile rfile;
        wrapper void write (byte b[])
            if (rfile != null) RFileSystem.write (rfile, b.length);
            %%  // original method call

Output of the policy compiler, the wrapped library class:

    class FileOutputStream {
        naccio.p253.resource.RFile rfile;
        ...
        // orig_write – same implementation as the old write method
        void write (byte b[]) {
            if (rfile != null)
                naccio.p253.resource.RFileSystem.write (rfile, b.length);
            orig_write (b);
        }
    }
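As an added illustration (not Naccio's own code), the following Python models what the generated library of slides 16, 17, 21 and 22 does at run time: RFileSystem carries the state and checks of the LimitWrite policy, and the wrapped FileOutputStream calls the resource operation before its original write. The in-memory DISK, the Violation class, run_demo and the 1000-byte limit are constructed for the example; the real compiler emits Java structured as on slide 21.

```python
class Violation(Exception):
    pass  # stands in for Check.violation in the generated library

class RFile:
    def __init__(self, pathname):    # resource RFile (pathname: String)
        self.pathname = pathname

class RFileSystem:
    bytes_written = 0   # addfield from stateblock TrackBytesWritten
    limit = 1000        # LimitBytesWritten(n); constructed small value

    @classmethod
    def open_write(cls, rfile):
        # property NoOverwrite: opening an existing file for writing
        raise Violation("Attempt to overwrite file.")

    @classmethod
    def write(cls, rfile, nbytes):
        cls.bytes_written += nbytes          # precode from TrackBytesWritten
        if cls.bytes_written > cls.limit:    # check from LimitBytesWritten
            raise Violation("Attempt to write more than %d bytes" % cls.limit)

DISK = {}  # constructed in-memory disk standing in for the real file system

class FileOutputStream:
    # Wrapped library class: resource operations run before the original code.
    def __init__(self, pathname):
        self.rfile = RFile(pathname)          # state RFile rfile
        if pathname in DISK:                  # existing file -> openWrite
            RFileSystem.open_write(self.rfile)
        DISK.setdefault(pathname, b"")

    def write(self, b):
        if self.rfile is not None:
            RFileSystem.write(self.rfile, len(b))   # wrapper precode
        self.orig_write(b)                           # %% original method call

    def orig_write(self, b):                         # the library's old write
        DISK[self.rfile.pathname] += bytes(b)

def run_demo():
    # Write 600+400+1 bytes, then reopen the file; returns (bytes on disk, violations)
    RFileSystem.bytes_written, messages = 0, []
    DISK.clear()
    for path, chunks in [("a.txt", [b"x" * 600, b"y" * 400, b"z"]), ("a.txt", [])]:
        try:
            out = FileOutputStream(path)
            for c in chunks:
                out.write(c)
        except Violation as v:
            messages.append(str(v))
    return len(DISK["a.txt"]), messages
```

The third write is refused before orig_write runs, so only 1000 bytes reach the disk, and reopening the existing file trips NoOverwrite.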
Slide 23: Optimizations
- Only implement a resource operation if it:
  – May produce a violation
  – Modifies state used elsewhere
- Only wrap a library method if it:
  – Calls an implemented resource operation
  – Modifies state used meaningfully
  – Alters behavior
- Simple dataflow dependency analysis
- Not done yet: inline methods and state to remove resource overhead
Slide 24: Application Transformer
(Figure) Inputs: policy description file and program (collection of Java classes). Platform independent and platform dependent transformations produce a version of the program that:
1. Uses the policy-enforcing library
   – Set CLASSPATH (or rename classes)
2. Satisfies low-level code safety
   – Run byte code verifier
   – Protect dynamic class loading, reflection
Slide 25: What's different for Win32?
- Program is a Win32 executable and DLLs
- Platform interface describes the Win32 API
- Policy compiler
  – Generate DLLs instead of Java classes
- Application transformer
  – Replace DLL names in import table
  – Low-level code safety is platform-specific: SFI for jumps, PFI wrappers to protect memory, scan for kernel traps
- Policies can be reused
Slide 26: Outline
- System architecture
- Defining policies
- Enforcing policies
- Results - JavaVM
  – Preparation costs
  – Execution performance
(Figure: Program + Safety Policy -> Safe Program)
Slide 27: Preparation Costs
- Policy generation
  – Time to generate policy: 1-10 minutes
  – Cost of storing policy: average case ~250 KB
- Application transformation
  – Basically free
  – Integrate into byte code verifier
  – Simple string replacements in constant pool
Slide 28: Performance
(Chart; data not recoverable from the slide text)
Slide 29: Policy Performance
(Chart; data not recoverable from the slide text)
Slide 30: Contributions
- Method for defining safety policies
  – In terms of abstract resources
  – Policies may be reused on different platforms
- General architecture for code safety
  – Prototypes for Win32 and JavaVM
- Encouraging results for JavaVM
  – Minimal preparation costs
  – Enforces policies more efficiently than JDK
Slide 31: Future Work
- What's left to do
  – Implementing inlining optimizations
  – Validating/synthesizing platform interface
  – Multiple threads
  – Deployment, user interface, policy authoring tools
- Applications of Naccio's mechanisms
  – Performance, debugging, behavior modification
- Can we protect vendors as well?
  – Restrict what modifications can be done
  – Trust external components
  – Use a policy to protect copyright, distribution, etc.
Slide 32: Conclusion
- Supporting a large class of precise safety policies is important
- Naccio provides a good way to define and enforce policies
- Close to being practical
- http://naccio.lcs.mit.edu
- Paper to appear in IEEE Security and Privacy, Oakland, May 1999.
Slide 33: END