Slide 1
Secure Programming via Visibly Pushdown Safety Games
Bill Harris, Somesh Jha, and Thomas Reps
Computer Aided Verification (CAV)
13 July 2012
Slide 2
One-slide Summary
Motivation: privilege-aware OSs enable secure applications.
Problem: privilege-aware OSs are hard to program for.
Solution: reduce programming for a privilege-aware OS to solving a safety game.

Slide 3
Important Programs are Still Insecure
Vulnerabilities in:
- Security-critical, network-facing programs: tcpdump (CVE-2007-3798), fetchmail (CVE-2010-0562), wget (CVE-2005-3185)
- Core utilities: bzip2 (CVE-2010-0405), gzip (CVE-2010-0001), tar (CVE-2007-4476)

Slide 4
Traditional Program Security
The program is analyzed passively to ensure that it behaves securely; the program itself does nothing to limit its own privilege.

Slide 5
Privilege-Aware OSs
The OS maintains a privilege for each process. The program actively manages its privilege by invoking security system calls (primitives).

Slide 6
Example Privilege-Aware OSs
- Information-flow control: Asbestos [SOSP 2005], HiStar [OSDI 2006], Flume [SOSP 2007]
- Tagged memory: Wedge [NSDI 2008]
- Capabilities: Capsicum [USENIX Sec. 2010]
Slide 7
Running example: gzip

gzip() {
  files = parse_cl;
  for (f in files) {
    (in, out) = open;
    compr(in, out);
  }
}

compr(in, out) {
  body;
}

(Figure: body with an outbound connection to public_leak.com, the leak the policy has to rule out.)

Slide 8
An Informal Policy for gzip
When gzip executes body, it should only be able to read from in and write to out.
Slide 9
Capsicum: A Privilege-Aware OS
Two levels of privilege:
- High Capability (can open files)
- Low Capability (cannot open files)
Rules describing privilege:
- A process initially executes with the capability of its parent.
- A process can invoke the drop system call to take Low Capability. The drop is one-way: there is no primitive that gives a process High Capability back.
Slides 10-14
Securing gzip on Capsicum

First attempt: drop inside compr (slides 10-12).

gzip() {                      // High Cap.
  files = parse_cl;           // High Cap.
  for (f in files) {
    (in, out) = open;         // must run at High Cap.
    compr(in, out);
  }
}

compr(in, out) {
  drop();                     // High Cap. -> Low Cap., permanently for this process
  body;                       // Low Cap., as the policy requires
}

The first iteration is fine: gzip opens at High Cap., compr drops, and body runs at Low Cap. But drop is one-way for the calling process, so when control returns to the loop the process is still at Low Cap., and the open on the next iteration executes without the capability it needs. A single process cannot alternate between the two privilege levels.

Second attempt: fork, then drop in the child (slides 13-14).

gzip() {                      // High Cap.
  files = parse_cl;           // High Cap.
  for (f in files) {
    (in, out) = open;         // High Cap., on every iteration
    fork_compr(in, out);      // fork; the child runs compr(in, out); the parent waits for it
  }
}

compr(in, out) {              // runs in the child
  drop();                     // child: High Cap. -> Low Cap.
  body;                       // Low Cap.
}

The parent never drops, so it still holds High Cap. for the next open; only the short-lived child that executes body runs at Low Cap.
Slide 15
Capsicum Policy Weaver
(Diagram.) Three parties supply the inputs: the programmer writes the Program, the policy writer writes the Policy, and the Capsicum developer supplies the model of Capsicum. Our Weaver Generator takes the Capsicum model and produces the Capsicum Policy Weaver; the weaver takes the Program and the Policy and outputs a Capsicum Program, i.e. the program instrumented with Capsicum primitives.

Slide 16
OS Policy Weaver
(Diagram, slide 15 generalized to any privilege-aware OS.) The Program (programmer) and the Policy (policy writer) go into an OS Policy Weaver, which outputs an OS Program. The OS Policy Weaver is itself produced by the Weaver Generator (us) from the OS model supplied by the OS developer.
Slide 17
Paper Contributions
- Designed an automata-theoretic weaver generator
- Implemented an efficient weaver generator via a scaffold-based safety-game solver
- Experimentally evaluated practical feasibility
Slide 18
Weaver Generator
(Diagram of slide 16 again. Slides 19-27 define its inputs and its output in turn: the Program, the Policy, the OS model, and the instrumentation.)

Slide 19
Program (from the programmer): an automaton over the program actions Prog Acts
Prog Acts = { parse_cl, loop, open, call compr, body, ret compr, exit }
(Figure: the control-flow automaton of gzip: parse_cl, then the loop; each iteration performs open, call compr, body, ret compr and returns to the loop head, which may also exit.)

Slide 20
(Diagram of slide 16 repeated.)

Slide 21
Policy (from the policy writer): a set of forbidden pairs in Prog Acts x Privs*, where Privs = { High Cap, Low Cap }
For gzip the policy forbids:
- (open, LowCap): open must never execute at Low Capability
- (body, HighCap): body must never execute at High Capability
This is the informal policy of slide 8 made precise: body may touch only in and out, so it must run with the capability that cannot open files, while open must still run with the capability that can.

Slide 22
(Diagram of slide 16 repeated.)

Slides 23-25
OS model (from the OS developer)
Prims = { drop, fork, join }
The OS is an automaton over Prog Acts and Prims whose transitions record the privilege (in Privs) that each program action executes with:
- State AllowHigh: open / HighCap (self-loop)
- AllowHigh --drop--> AllowLow
- State AllowLow: open / LowCap (self-loop)
There is no transition from AllowLow back to AllowHigh: within one process, drop is irreversible.

Slide 26
(Diagram of slide 16 repeated.)

Slide 27
Instrumentation (the weaver's output): Instr : Prog Acts -> Prims
For gzip the weaver produces:
- parse_cl / noop
- loop / noop
- open / fork
- call compr / drop
- body / noop
- ret compr / join
Read as: after each open, fork; the child drops on entering compr and executes body at Low Cap.; the parent joins the child when compr returns and still holds High Cap. for the next open. This is exactly the fork-based version of gzip from slides 13-14.

Slide 28
(Diagram of slide 16 repeated.)
Slide 29
Safety Games: A Quick Refresher

Slide 30
(Figure: a small game graph with states z, a, y, x and edges labeled b, c, d, e, f.) Two players alternate moves on a finite graph. The attacker tries to drive the play into a set of unsafe states; the defender wins if the play avoids them forever. Such a game is solved by computing the attacker's attractor of the unsafe states: every state outside the attractor is winning for the defender, and the defender has a positional winning strategy there.

Slide 31
Weaving as a Game
Policy weaving corresponds to a safety game:
- Program actions = attacker actions
- OS primitives = defender actions
- Correct instrumentation = winning defender strategy
The attacker chooses the next program action; the defender responds with the primitive (possibly noop) to weave in at that point. The policy's forbidden (action, privilege) pairs are the unsafe states, so a winning defender strategy is an instrumentation under which the program can never violate the policy, whatever path it takes.
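The reduction of slides 19-31 carried out in code, as an added example written for this page; it is neither the paper's weaver generator nor its Capsicum weaver. The program automaton, the policy pairs, and the primitives are the deck's; everything else is an assumption: fork and join are modelled as a bounded stack of capabilities (a finite cut-down of the visibly pushdown game in the paper, with MAX_DEPTH picked arbitrarily), a primitive is applied right after the program action it annotates, and the location names L, O, C, B, R, X are invented. winning_region() solves the safety game by the attractor computation of slide 30; weave() then extracts a modular instrumentation, one primitive per program action, in the form shown on slide 27.

```python
"""gzip/Capsicum policy weaving as a finite safety game (added example)."""
from itertools import product

HIGH, LOW = "HighCap", "LowCap"
MAX_DEPTH = 3  # assumption: bound on nested forks so the game is finite

# Program automaton for gzip (slide 19); edge labels are the deck's Prog Acts,
# location names are invented.
ACTIONS = ("parse_cl", "loop", "open", "call compr", "body", "ret compr", "exit")
PROGRAM = {
    "init": {"parse_cl": "L"},
    "L": {"loop": "O", "exit": "X"},
    "O": {"open": "C"},
    "C": {"call compr": "B"},
    "B": {"body": "R"},
    "R": {"ret compr": "L"},
    "X": {},
}
# Primitives the defender may weave in after an action; noop is listed first so
# the enumeration in weave() prefers leaving the program alone.
PRIMS = ("noop", "drop", "fork", "join")

def os_step(stack, prim):
    """OS model (slides 23-25) with fork/join as a stack of capabilities;
    stack[-1] belongs to the running process. None = primitive illegal here."""
    if prim == "noop":
        return stack
    if prim == "drop":  # one-way: the running process is at LowCap from now on
        return stack[:-1] + (LOW,)
    if prim == "fork":  # the child starts with its parent's capability
        return stack + (stack[-1],) if len(stack) < MAX_DEPTH else None
    if prim == "join":  # child finished; the parent resumes with its own capability
        return stack[:-1] if len(stack) > 1 else None
    raise ValueError(prim)

def violates(action, stack):
    """Policy of slide 21: (open, LowCap) and (body, HighCap) are forbidden."""
    cap = stack[-1]
    return (action == "open" and cap != HIGH) or (action == "body" and cap != LOW)

def stacks():
    return [tuple(s) for n in range(1, MAX_DEPTH + 1) for s in product((HIGH, LOW), repeat=n)]

def winning_region():
    """Attractor computation (slide 30). Attacker states (loc, stack): the program
    picks an action. Defender states (loc', stack, action): the weaver picks the
    primitive to run after it. Lost: a defender state whose action violates the
    policy; an attacker state if SOME action leads to a lost defender state; a
    defender state if EVERY legal primitive leads to a lost attacker state."""
    att = {(q, s) for q in PROGRAM for s in stacks()}
    dfd = {(q2, s, a) for q in PROGRAM for a, q2 in PROGRAM[q].items() for s in stacks()}
    lost_d = {d for d in dfd if violates(d[2], d[1])}
    lost_a = set()
    changed = True
    while changed:
        changed = False
        for q, s in att - lost_a:
            if any((q2, s, a) in lost_d for a, q2 in PROGRAM[q].items()):
                lost_a.add((q, s))
                changed = True
        for q2, s, a in dfd - lost_d:
            nxt = [(q2, os_step(s, p)) for p in PRIMS if os_step(s, p) is not None]
            if all(n in lost_a for n in nxt):
                lost_d.add((q2, s, a))
                changed = True
    return att - lost_a  # attacker states the defender wins from

def safe_under(instr, win):
    """Explore every program path under a modular instrumentation (one primitive
    per action, used at each of its occurrences). Safe iff no step violates the
    policy, applies an illegal primitive, or leaves the defender's winning region."""
    start = ("init", (HIGH,))
    seen, todo = {start}, [start]
    while todo:
        q, s = todo.pop()
        for a, q2 in PROGRAM[q].items():
            s2 = os_step(s, instr[a])
            if violates(a, s) or s2 is None or (q2, s2) not in win:
                return False
            if (q2, s2) not in seen:
                seen.add((q2, s2))
                todo.append((q2, s2))
    return True

def weave():
    """Weaver for this toy: the first safe modular instrumentation
    (Prog Acts -> Prims) in an enumeration that tries noop first."""
    win = winning_region()
    for choice in product(PRIMS, repeat=len(ACTIONS)):
        instr = dict(zip(ACTIONS, choice))
        if safe_under(instr, win):
            return instr
    return None

if __name__ == "__main__":
    win = winning_region()
    drop_only = {a: "drop" if a == "call compr" else "noop" for a in ACTIONS}
    print("initial state winning:", ("init", (HIGH,)) in win)
    print("slide 10 (drop only) safe:", safe_under(drop_only, win))
    for action, prim in weave().items():
        print(action, "/", prim)
```

Running the block reports that the initial state is winning, that the drop-only instrumentation of slide 10 is not safe (the state reached after open without a preceding fork is losing: once the process drops it can never open again), and prints the instrumentation of slide 27: open / fork, call compr / drop, ret compr / join, noop elsewhere. Because fork pushes and join pops, the unbounded version of this game is exactly the visibly pushdown game the paper solves; the bound here is what keeps the brute-force attractor finite.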
Slides 32-35
(Figure: the weaving game for gzip, built from the program automaton of slide 19 and the OS model of slides 23-25. Attacker edges carry program actions: parse_cl, loop, open, call compr, body, ret compr; defender edges carry primitives: noop, drop, fork, join. Slides 33-35 step through solving it; slide 35's edge labels of the form action / primitive give the winning defender strategy, the instrumentation listed on slide 27.)
Slide 36
The Importance of VPAs
- Accurately approximate the set of program paths (calls and returns are matched, so paths that return to the wrong call site are excluded)
- Accurately model the relationship between OS primitives and privileges
- Modular strategies for modular instrumentations

Slide 37
Paper Contributions (recap)
- Designed an automata-theoretic weaver generator
- Implemented an efficient weaver generator via a scaffold-based game solver
- Experimentally evaluated practical feasibility

Slide 38
Experiment Highlights
- Instantiated the weaver generator to a policy weaver for Capsicum
- Applied the Capsicum policy weaver to six UNIX utilities from 8 to 108 kLoC
- Found strategies in 0:05 to 2:00

Slide 39
Summary
Motivation: privilege-aware OSs enable secure applications.
Problem: privilege-aware OSs are hard to program for.
Solution: reduce programming for a privilege-aware OS to solving a safety game.

Slide 40
Questions?
Slide 41
(Diagram of slide 16 repeated.)

Slide 42
Extra Slides

Slide 43
(Title slide repeated: Secure Programming via Visibly Pushdown Safety Games; Bill Harris, Somesh Jha, and Thomas Reps; Computer Aided Verification 2012, 13 July.)

Slide 44
(Figure: the gzip automaton of slide 19 with woven primitives; labels visible: init, parse_cl, loop, open, call compr, body, ret compr, and the primitives fork, drop, noop from the instrumentation of slide 27.)