
Secure Programs via Game-based Synthesis

Secure Programs via Game-based Synthesis. Somesh Jha, Tom Reps, and Bill Harris. One-slide summary: secure programming on a conventional OS is intractable; privilege-aware OS’s take secure programming from intractable to challenging.


Presentation Transcript


  1. Secure Programs via Game-based Synthesis • Somesh Jha, Tom Reps, and Bill Harris

  2. One-slide summary • Secure programming on a conventional OS is intractable • Privilege-aware OS’s take secure programming from intractable to challenging • Our program rewriter takes secure programming from challenging to simple

  3. Outline • Motivation, problem statement • Previous work: Capsicum [CAV ’12, Oakland ’13] • Ongoing work: HiStar • Open challenges

  4. Secure Programming is Intractable • 81 exploits in CVE since Sept. 2013 • Many exploit a software bug to carry out undesirable system operations • 2013-5751: exploit SAP NetWeaver to traverse a directory • 2013-5979: exploit bad filename handling in Xibo to read arbitrary files • 2013-5725: exploit ByWord to overwrite files

  5. How to Carry Out an Exploit • software vulnerability + OS privilege = security exploit

  6. The Conventional-OS Solution • software vulnerability + OS privilege = security exploit

  7. The Program-Verification Solution • software vulnerability + OS privilege = security exploit

  8. Priv.-aware OS • Introduce explicit privileges over all system objects, and primitives that update privileges • Programs call primitives to manage privilege

  9. The Priv.-aware OS Solution • software vulnerability + OS privilege = security exploit • (diagram labels: primitives, monitor)

  10. The Capsicum Priv.-aware OS [Watson ’10] • Privilege: ambient authority (Amb) to open descriptors to system objects • Primitives: program calls cap_enter() to manage Amb

  11. Rules of Capsicum’s Amb • When a process is created, it has the Amb value of its parent • After a process calls cap_enter(), it does not have Amb • If a process does not have Amb, then it can never obtain Amb

  12. gzip • main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } • (diagram: L1: compress(in, out) shown reaching /usr/local and http://evil.com)

  13. A simple policy: gzip with AMB • When gzip calls open2() at L0, it should have AMB (be able to open descriptors) • When gzip calls compress() at L1, it should not have AMB (not be able to open descriptors)

  14. gzip with AMB? • L0: AMB • L1: no AMB • main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } • Where does cap_enter() go?

  15. Capsicum Programming Challenges • Amb policies are not explicit • cap_enter primitive has subtle temporal effects

  16. Programming Challenges: gzip • main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } • (diagram: cap_enter(); added to the loop; the annotations along the run read AMB, no AMB, AMB, no AMB, AMB, no AMB) • Requirement: L0: AMB, L1: no AMB

  17. Rules of Capsicum’s Amb • When a process is created, it has the AMB value of its parent • After a process calls cap_enter(), it never has AMB • If a process does not have Amb, then it can never obtain Amb

  18. Instrumenting gzip • main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } • (diagram: sync_fork(); cap_enter(); ... sync_join(); added around L1, with AMB / no AMB annotations) • L0: AMB, L1: no AMB

  19. Capsicum Challenges Not Appearing in This Talk • Program can construct a capability from each UNIX descriptor • Capability has a vector of 63 access rights (~1 for every system call on a descriptor) • Programs can assume new capabilities via a Remote Procedure Call (RPC)

  20. Instrumenting Programs with CapWeave • Programmer writes an explicit Amb policy • CapWeave instruments the program to invoke primitives so that it satisfies the policy

  21. gzip with CapWeave • main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } • Policy: Cur(p) => (pc[L0](p) => AMB(p)) & (pc[L1](p) => !AMB(p)) • L0: AMB, L1: no AMB

  22. CapWeave • Input program: main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } • Policy: Cur(p) => (pc[L0](p) => AMB(p)) & (pc[L1](p) => !AMB(p)) • Instrumented program: void main() { L0: open2(...); sync_fork(); cap_enter(); L1: compress(); sync_join(); }

  23. The Next 700 Policy Weavers • Analogous challenges with Decentralized Information Flow Control (DIFC) • Asbestos [Efstathopoulos ’05] • HiStar [Zeldovich ’06] • Flume [Krohn ’07]

  24. (diagram: WeaverGenerator for Capsicum) • Programmer: gzip() { file_nms = parse_cl(); ... } and Policy Cur(p) => (pc[L0](p) => AMB(p)) & (pc[L1](p) => !AMB(p)) • Capsicum Designer: cap_enter: Amb’(p) := Amb(p) & ... • WeaverGenerator produces CapWeave, whose output is gzip() { file_nms = parse_cl(); sync_fork(); cap_enter(); ... }

  25. (diagram: WeaverGenerator for HiStar) • Programmer: Policy forall w, s. Flows(w, s) => ... • Programs shown: wrapper() { exec(...); ... } and scanner() { create_cat(&c); exec(...); ... } • HiStar Designer: create_cat(&c): Flows’(p, q) := Flows(p, q) || ... • WeaverGenerator produces HiWeave

  26. Outline • Motivation, problem statement • Previous work: Capsicum • Ongoing work: HiStar • Open challenges

  27. CapWeave Algorithm • Inputs: Program P, Amb Policy Q • Output: Instrumentation of P that always satisfies Q • Build finite IP# ⊇ instrumented runs that violate Q

  28. 1. Building IP#: Inputs • Program: main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } • Amb Policy: L0: Amb, L1: no Amb

  29. 1. Building IP#: Output • (diagram: the IP# graph, with nodes labelled parse_cl, L0:open2(), L1:compress(), cap_enter(), sync_fork(), sync_join() and noop; the policy requirement L1: no Amb is highlighted)

  30. 1. Building IP#: Output • (diagram: the same IP# graph; the policy requirement L0: Amb is highlighted)

  31. Building IP# • Basic idea: construct IP# as a forward exploration of an abstract state space

  32. 1(a). IP#: Define Abstract State-space • (diagram: concrete state space Q, abstraction function 𝛼, abstract state space Q#)

  33. 1(b). IP#: Define Abstract Transformers • (diagram: concrete transformer 𝜏[cap_enter] over Q and abstract transformer 𝜏[cap_enter]# over Q#, related by 𝛼)

  34. 1(c). Explore Abstract State Space • (diagram: starting from init, apply 𝜏[parse_cl]#, 𝜏[cap_enter]#, 𝜏[noop]#, ... over Q#, mirroring parse_cl, cap_enter, noop, ... over Q; states labelled L0, L0’)

  35. (diagram: the IP# graph of slide 29, with the 𝜏[parse_cl]# edge highlighted)

  36. State-Structure Exploration • If a concrete state is a logical structure, ... (diagram: a structure over predicates A, B, C, D ≡ a state in Q)

  37. State-Structure Exploration • ...properties are FOL formulas, ... ∀p. A(p) ⇒ ((B(p) ⇒ C(p)) ⋀ (D(p) ⇒ ¬C(p)))

  38. State-Structure Exploration • ...and semantics is given as predicate updates, ... 𝜏[action] ≡ A’(x) = A(x) ⋁ ∃y. C(y) ⋀ B(q, p); B’(x, y) = B(x, y) ⋁ (C(x) ⋀ D(y)); C’(x) = ...; D’(x) = ...

  39. State-Structure Exploration • ...then abstract space and transformers can be generated automatically [Sagiv ’99] • (diagram: 𝜏[action] over Q and 𝜏[action]# over Q#, related by 𝛼)

  40. Capsicum Semantics • (diagram: 1. states Q ≡ structures over A, B, C, D; 2. 𝜏[action] ≡ A’(x) = A(x) ⋁ ∃y. C(y) ⋀ B(q, p); B’(x, y) = B(x, y) ⋁ (C(x) ⋀ D(y)); C’(x) = ...; D’(x) = ...)

  41. Capsicum State as Structure • (diagram: a structure over Cur, Parent, L1, Amb) ⊭ ∀p. Cur(p) ⋀ L1(p) ⇒ ¬Amb(p)

  42. Capsicum State as Structure • (diagram: a structure over Cur, Parent, L1, Amb) ⊨ ∀p. Cur(p) ⋀ L1(p) ⇒ ¬Amb(p)

  43. Capsicum Structure Transformers • Action: sync_fork() • Structure Transformer: Intro Fresh; Amb’(p) := Amb(p) ⋁ (Fresh(p) ⋀ ∃q. Cur(q) ⋀ Amb(q)) • (diagram: structures over Fresh, Cur, Parent, Amb before and after)

  44. Capsicum Structure Transformers • Action: cap_enter() • Structure Transformer: Amb’(p) := Amb(p) ⋀ ¬Cur(p) • (diagram: structures over Fresh, Cur, Parent, Amb before and after)
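The Amb rules of slides 11 and 17 and the structure transformers of slides 43 and 44, run over the three gzip variants of slides 12, 16 and 18, as an added Python model written for this transcript (not code from the talk or from CapWeave); the process model (one current process, a forked child running while its parent waits in sync_join) and the names Structure, BODIES and run_gzip are my assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Structure:
    """Capsicum state as a logical structure: Cur, Parent, Amb and pc[label] over processes."""
    cur: int = 0                                    # Cur(p) holds for exactly one process
    parent: dict = field(default_factory=dict)      # Parent(child) = parent
    amb: set = field(default_factory=lambda: {0})   # the root process starts with Amb
    pc: dict = field(default_factory=dict)          # pc[label](p): process -> "L0" / "L1"

def sync_fork(s):
    """Intro Fresh; Amb'(p) := Amb(p) | (Fresh(p) & exists q. Cur(q) & Amb(q))."""
    q = len(s.parent) + 1         # a fresh process id
    s.parent[q] = s.cur
    if s.cur in s.amb:            # rule 1: a new process gets its parent's Amb value
        s.amb.add(q)
    s.pc[q] = s.pc.get(s.cur)
    s.cur = q                     # the child runs while the parent waits in sync_join

def cap_enter(s):
    """Amb'(p) := Amb(p) & !Cur(p): rules 2 and 3, Amb is dropped and never regained."""
    s.amb.discard(s.cur)

def sync_join(s):
    """The child finishes; its parent, whose Amb was never touched, is Cur again."""
    s.cur = s.parent[s.cur]

def violates(s):
    """Policy of slide 21: Cur(p) => (pc[L0](p) => Amb(p)) & (pc[L1](p) => !Amb(p))."""
    has_amb, label = s.cur in s.amb, s.pc.get(s.cur)
    return (label == "L0" and not has_amb) or (label == "L1" and has_amb)

PRIMS = {"sync_fork": sync_fork, "cap_enter": cap_enter, "sync_join": sync_join}
BODIES = {   # gzip loop body per input file; "L0" / "L1" are the program points reached
    "plain":    ["L0", "L1"],                                        # slide 12
    "naive":    ["L0", "cap_enter", "L1"],                           # slide 16
    "capweave": ["L0", "sync_fork", "cap_enter", "L1", "sync_join"], # slides 18, 22
}

def run_gzip(version, nfiles=2):
    """Run one gzip version over nfiles inputs; return the (file, label) policy violations."""
    s, bad = Structure(), []
    for i in range(nfiles):
        for step in BODIES[version]:
            if step in PRIMS:
                PRIMS[step](s)
            else:
                s.pc[s.cur] = step
                if violates(s):
                    bad.append((i, step))
    return bad
```

The "naive" variant is the subtle temporal effect of slide 15: cap_enter() inside the loop leaves the second file's open2() without Amb, which only the fork/join pattern avoids.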

  45. Building IP#: Summary • If semantics is given as transforms of logical structures, we can generate an approximation of runs that cause a violation • Capsicum semantics can be modeled as structure transforms

  46. CapWeave Algorithm • Inputs: Program P, Amb Policy Q • Output: Instrumentation of P that always satisfies Q • Build finite IP# ⊇ instrumented runs that violate Q • From IP#, build safety game G won by violations of Q

  47. Two-Player Safety Games • In an Attacker state, the Attacker chooses the next input • In a Defender state, the Defender chooses the next input • Attacker wants to reach an accepting state

  48. (diagram: a small two-player game with states a, b, c, d and edges labelled w, x, y, z)

  49. Instrumentation as a Game

  50. gzip IP# • (diagram: the IP# graph of slide 29)
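The safety game of slides 27 and 46 to 49 for gzip's Amb policy, as an added Python example that is not from the talk or from CapWeave: the Attacker is read as choosing the program's next action, the Defender as choosing which primitives to run before it, and a violation of the policy is an accepting state; the abstract state (pc, amb, saved), the fixed move menu MENU and the names attacker_wins and instrumentation are my assumptions.

```python
PC_NEXT = {"init": ["L0"], "L0": ["L1"], "L1": ["L0", "end"], "end": []}  # Attacker: next action
MENU = [(), ("cap_enter",), ("sync_fork", "cap_enter"), ("sync_join",)]   # Defender: primitives
STATES = [(pc, a, sv) for pc in PC_NEXT for a in (True, False) for sv in (None, True, False)]

def apply(state, prims):
    """Abstract state (pc, amb, saved); saved is the parent's Amb while a forked
    child runs. Returns None when the primitive sequence is not legal here."""
    pc, amb, saved = state
    for p in prims:
        if p == "cap_enter":
            amb = False                        # Amb'(p) := Amb(p) & !Cur(p)
        elif p == "sync_fork":
            if saved is not None: return None  # the model allows one live child
            saved = amb                        # the child inherits the parent's Amb
        elif p == "sync_join":
            if saved is None: return None
            amb, saved = saved, None           # back in the parent, its Amb intact
    return (pc, amb, saved)

def successors(node):
    owner, (pc, amb, saved) = node
    if owner == "D":   # the Defender's instrumentation runs before the next program action
        return [("A", s) for s in (apply((pc, amb, saved), m) for m in MENU) if s is not None]
    return [("D", (nxt, amb, saved)) for nxt in PC_NEXT[pc]]   # the Attacker picks the action

def attacker_wins():
    """Least fixpoint of the nodes from which the Attacker can force a violation."""
    nodes = {(o, s) for o in "DA" for s in STATES}
    # Accepting nodes: Amb held at L1 or missing at L0 (the policy of slide 21 is violated).
    win = {("D", s) for s in STATES if s[0] in ("L0", "L1") and (s[0] == "L0") != s[1]}
    while True:
        new = {n for n in nodes - win
               if (any if n[0] == "A" else all)(s in win for s in successors(n))}
        if not new: return win
        win |= new

def instrumentation(init=("D", ("init", True, None))):
    """Play the Defender's winning moves from init against every Attacker choice;
    the move recorded at each Defender state is what the weaver inserts there."""
    win, plan, todo = attacker_wins(), {}, [init]
    if init in win: raise ValueError("no instrumentation satisfies the policy")
    while todo:
        owner, st = todo.pop()
        if owner == "A":
            todo += [s for s in successors((owner, st)) if s[1] not in plan]
        elif st not in plan:
            plan[st] = next(m for m in MENU if apply(st, m) and ("A", apply(st, m)) not in win)
            todo.append(("A", apply(st, plan[st])))
    return plan
```

The Defender's plan reproduces the instrumented program of slide 22 (sync_fork(); cap_enter(); after L0 and sync_join(); after L1), and the state reached by a lone cap_enter() lies in the Attacker's winning region because the Attacker can supply a second input file.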
