Slide1
Efficient Runtime Policy Enforcement Using Counterexample-Guided Abstraction Refinement
Matt Fredrikson, Rich Joiner, Somesh Jha, Tom Reps, Phillip Porras, Hassen Saïdi, Vinod Yegneswaran
Funded by
Slide2
Outline
Ensuring safety properties: current practice
CEGAR: program verification
IRM: filtering program behavior
SafetyWeave: a hybrid approach
Implementation and experimental results
Slide3
CEGAR
Model Construction
Model Checking
Model
Refinement
Safety Property
Source Code
“Verified”
Counterexample
Trace
Invalid counter-example
Valid counter-example
No counter-examples
Slide4
CEGAR Issues
Computational complexity
Model grows exponentially with each refinement step
May not terminate (in our lifetimes)
Statically indeterminable behavior
Higher-order functions
Dynamic scope
No recourse for valid counterexamples
Requires manual intervention
Takeaway: CEGAR can be an expensive analysis
Slide5
Runtime Enforcement
Safety Property
Inlined Reference Monitoring
Source Code
Dynamically-filtered
Source Code
Úlfar Erlingsson, Fred B. Schneider, “The inlined reference monitor approach to security policy enforcement,” 2004
Slide6
IRM Example
Original program:

var d = document;
var f = d.getElementById;
var t = f('secret');
if (t) {
  d.cookie = t.innerHTML;
}

Naively instrumented program (every statement is checked against every policy predicate):

var state = 0;
if (state == 0 && check("var d = document", "call(document.getElementById)")) state = 1;
if (state == 0 && check("var d = document", "call(document.getElementsByTagName)")) state = 1;
if (state == 1 && check("var d = document", "set(document.cookie)")) halt();
var d = document;
if (state == 0 && check("var f = d.getElementById", "call(document.getElementById)")) state = 1;
if (state == 0 && check("var f = d.getElementById", "call(document.getElementsByTagName)")) state = 1;
if (state == 1 && check("var f = d.getElementById", "set(document.cookie)")) halt();
var f = d.getElementById;
if (state == 0 && check("var t = f('secret')", "call(document.getElementById)")) state = 1;
if (state == 0 && check("var t = f('secret')", "call(document.getElementsByTagName)")) state = 1;
if (state == 1 && check("var t = f('secret')", "set(document.cookie)")) halt();
var t = f('secret');
if (state == 0 && check("if (t)", "call(document.getElementById)")) state = 1;
if (state == 0 && check("if (t)", "call(document.getElementsByTagName)")) state = 1;
if (state == 1 && check("if (t)", "set(document.cookie)")) halt();
if (t) {
  if (state == 0 && check("d.cookie = t.innerHTML", "call(document.getElementById)")) state = 1;
  if (state == 0 && check("d.cookie = t.innerHTML", "call(document.getElementsByTagName)")) state = 1;
  if (state == 1 && check("d.cookie = t.innerHTML", "set(document.cookie)")) halt();
  d.cookie = t.innerHTML;
}
Safety property: Don’t inspect the document prior to assigning to the cookie.
Slide7
IRM Issues
Runtime overhead
Spurious instrumentation placement
Programs run slower
Takeaway: IRM can be expensive at runtime
Slide8
The Idea
Combine CEGAR and IRM
Statically remove naïve IRM instrumentation
Limit the size of the abstract program model
Slide9
Rewritten Program
Original program:

var d = document;
var f = d.getElementById;
var t = f('secret');
if (t) {
  d.cookie = t.innerHTML;
}

Rewritten program:

var state = 0;
var d = document;
var f = d.getElementById;
if (state == 0 && check("var t = f('secret')", "call(document.getElementById)")) state = 1;
var t = f('secret');
if (t) {
  if (state == 1 && check("d.cookie = t.innerHTML", "set(document.cookie)")) halt();
  d.cookie = t.innerHTML;
}

Safety property: Don’t inspect the document prior to assigning to the cookie.
Slide10
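As an added example (not code from the slides or from JaM), the rewritten program above run in Node against a constructed stand-in for the browser document. makeDocument, the body of check and runRewritten are assumptions of this example; check decides a call predicate by callee identity (so the alias f = d.getElementById is caught) and a set predicate by target identity, and halt() is modelled as a thrown Error.

```javascript
// Added example, not code from the slides: the rewritten (minimally
// instrumented) program run against a constructed DOM stand-in.
// Policy states: 0 = A (nothing inspected yet), 1 = B (document inspected).

// Constructed document stub; `elements` maps ids to fake DOM nodes.
function makeDocument(elements) {
  return {
    cookie: "",
    getElementById(id) { return elements[id] || null; },
    getElementsByTagName() { return []; },
  };
}

// check(pred, env, document): does the statement about to execute satisfy the
// policy predicate? A call predicate holds when the callee is the named native
// function (this is what catches aliases such as f = d.getElementById); a set
// predicate holds when the assignment target is the named object property.
function check(pred, env, document) {
  switch (pred) {
    case "call(document.getElementById)":
      return env.callee === document.getElementById;
    case "call(document.getElementsByTagName)":
      return env.callee === document.getElementsByTagName;
    case "set(document.cookie)":
      return env.target === document && env.prop === "cookie";
    default:
      return false;
  }
}

// The rewritten program: only statement 3 can move A -> B and only statement 5
// can move B -> C, so those are the only two woven-in checks. halt() is a throw.
function runRewritten(document) {
  let state = 0;
  const halt = () => { throw new Error("halt: document inspected before cookie write"); };
  var d = document;
  var f = d.getElementById;
  if (state == 0 && check("call(document.getElementById)", { callee: f }, document)) state = 1;
  var t = f('secret');
  if (t) {
    if (state == 1 && check("set(document.cookie)", { target: d, prop: "cookie" }, document)) halt();
    d.cookie = t.innerHTML;
  }
  return { state, cookie: d.cookie };
}
```

With a "secret" element present the monitor halts at the cookie write; without one the program reaches state B but never writes the cookie, so the benign run is preserved.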
The SafetyWeave Algorithm
INPUT: Program, safety property
OUTPUT: Rewritten program
Characteristics
Sound: rewritten program proven safe w.r.t. the property; all benign execution is preserved
Language-independent
Tunable tradeoff between static and dynamic overhead
Always terminates
Slide11
Safety Properties
Temporal state traces that a program should not exhibit
Can be encoded as an automaton with state predicates labeling the edges
Automaton (figure): states A, B, C; A → B on call(document.getElementById) or call(document.getElementsByTagName); B → C on set(document.cookie); * marks self-loops on the remaining events
Slide12
Source Code
Rewriting
Invalid counter-example
Valid counter-example
No counter-examples
Verified, Instrumented
Source Code
Model Construction
Model Checking
Model Refinement
Safety Property
Source Code
Key Insight: CEGAR analysis used to minimize IRM instrumentation
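As an added example (not the SafetyWeave/JaM implementation), the minimization on the cookie program without any refinement: each statement is labelled with the policy predicates it may satisfy, the product of the control-flow automaton and the policy automaton is explored, and a check is woven in only where a reachable policy state can actually move. POLICY, PROGRAM (including its hand-constructed `may` abstraction: f aliases document.getElementById, d aliases document), weave and render are assumptions of this example.

```javascript
// Added example, not code from the slides: initial-abstract-model weaving
// for the cookie program. The `may` labels are a constructed abstraction.
// Policy automaton: 0 = A, 1 = B, "halt" = C. Missing entries are self-loops (*).
const POLICY = {
  0: { "call(document.getElementById)": 1, "call(document.getElementsByTagName)": 1 },
  1: { "set(document.cookie)": "halt" },
};

// Statements: `text` is the check label, `src` the emitted line, `next` the
// control-flow successors, `may` the predicates the statement may satisfy.
const PROGRAM = [
  { text: "var d = document",         src: "var d = document;",         may: [],                                next: [1] },
  { text: "var f = d.getElementById", src: "var f = d.getElementById;", may: [],                                next: [2] },
  { text: "var t = f('secret')",      src: "var t = f('secret');",      may: ["call(document.getElementById)"], next: [3] },
  { text: "if (t)",                   src: "if (t) {",                  may: [],                                next: [4, 5] },
  { text: "d.cookie = t.innerHTML",   src: "  d.cookie = t.innerHTML;", may: ["set(document.cookie)"],          next: [5] },
  { text: "}",                        src: "}",                         may: [],                                next: [] },
];

// Worklist reachability over (statement, policy-state) pairs; returns the
// guarded checks to insert before each statement index.
function weave(program, policy) {
  const reach = program.map(() => new Set());
  const checks = {};
  const work = [[0, 0]];
  reach[0].add(0);
  while (work.length) {
    const [pc, q] = work.pop();
    const out = new Set([q]);                       // predicate not satisfied: stay in q
    for (const pred of program[pc].may) {
      const q2 = policy[q][pred];
      if (q2 === undefined) continue;               // self-loop: nothing to monitor
      (checks[pc] = checks[pc] || []).push({ state: q, pred, action: q2 === "halt" ? "halt()" : `state = ${q2}` });
      if (q2 !== "halt") out.add(q2);
    }
    for (const s of program[pc].next) for (const q2 of out)
      if (!reach[s].has(q2)) { reach[s].add(q2); work.push([s, q2]); }
  }
  return checks;
}

// Emit the rewritten program in the slides' check(stmt, pred) style.
function render(program, checks) {
  const lines = ["var state = 0;"];
  program.forEach((stmt, pc) => {
    for (const c of checks[pc] || []) lines.push(`if (state == ${c.state} && check("${stmt.text}", "${c.pred}")) ${c.action};`);
    lines.push(stmt.src);
  });
  return lines;
}
```

The output is exactly the "Rewritten Program" slide: one check before `var t = f('secret')` (state 0, getElementById) and one before the cookie write (state 1, halt); the getElementsByTagName checks and all checks on statements 1, 2 and 4 are gone.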
Slide13
Source Code
Rewriting
No counter-examples
Abstraction Limit Reached
Verified, Instrumented
Source Code
Model Construction
Model Checking
Model Refinement
Safety Property
Source Code
Key Insight: Number of predicates learned limited to ensure termination
Slide14
Why JavaScript?
Pervasive on the Internet
Code often comes from many authors
Libraries, advertisements, mash-ups, web service interfaces
JavaScript is challenging to analyze statically
Higher-order functions, scope-resolution rules, writable native objects
Prototype Implementation
JaM is the JavaScript Model Checker
Slide15
Deployment Scenario
Website owners: JaM
Ads entrepreneur: JaM analysis server
Verified online ad service
JaM is part of a DARPA clean-slate security effort
Slide16
Source Code
Rewriting
Verified, Instrumented
Source Code
Model Construction
Model Checking
Model Refinement
Safety Property
Source Code
OpenNWA
XSB, Kaluza / Yices
Closure Compiler
Slide17
JavaScript Language Model
Implements symbolic pre-image operator over program statements
Based on JavaScript semantics of Maffeis et al.
Sergio Maffeis, John Mitchell, Ankur Taly, “Operational Semantics of JavaScript,” APLAS ‘08
Operational semantics encoded as a logic program

exp(H,L,E,H,L,Va) :- is_this(E), scope(H,L,'@this',L1), aget(H,L1,'@this',Va).

Scope(H,l,@this) = l1    H,l1.@Get(@this) = va
------------------------------------------------ [E-This]
H,l,this -> H,l,va

To evaluate the “this” keyword, traverse the scope chain and retrieve its reference value.
Slide18
Applications and Policies
Benchmark applications
12 real programs used on the WWW
Range from 25 to 4000 lines
Exercise a wide range of JavaScript coding patterns and constructs
JaM safety properties
Communication with external hosts
Modification of persistent storage to reflect page contents
Creation of foreign pop-up dialog boxes
DOM access/modification
Slide19
Experimental Results
Initial abstract model (without refinement)
Program model composed of predicates used in safety property
89% to 100% of statements deemed safe
Effect of model refinement
5 of 12: required no refinement
5 of 12: reduced spurious counterexamples by learning 1 to 4 predicates
Slide20
Source Code
Rewriting
Invalid counter-example
Valid counter-example
No counter-examples
Verified, Instrumented
Source Code
Model Construction
Model Checking
Model Refinement
Safety Property
Source Code
Abstraction Limit Reached
Slide21
Complete Results
Slide22
A Simple Example: Program & Policy
Policy automaton (figure): states A, B, C with edges labeled call readHistory, call readFile, call sendPacket; * marks self-loops

api[0] = readFile;
api[1] = sendPacket;
while (true) {
  instr, data = read();
  api[instr](data);
}
Slide23
Control Flow Automaton
Control flow automaton (figure): api[0] = readFile → api[1] = sendPacket → while(true); the {true} branch leads to instr, data = read() and api[instr](data), which loop back; the {false} branch leads to {exit}
Slide24
Data Automaton
α: call readFile
β: call readHistory
γ: call sendPacket
Data automaton (figure): edges labeled with the predicates α, β, γ and their negations !α, !β, !γ
[Self-edges omitted for sanity]
Slide25