Poly stop a hacker
David Walker, Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Language-Based Security
• language-based security mechanisms protect a host from untrusted applications by analyzing or modifying application behavior
  – static mechanisms (analysis at link time)
    • type checking, proof checking, abstract interpretation
  – dynamic mechanisms (analysis at run time)
    • access-control lists, stack inspection, capabilities

Program Monitors
• A program monitor is a computation that runs in parallel with an untrusted application
  – monitors detect, prevent, and recover from application errors at run time
  – monitor decisions may be based on execution history
  – we assume monitors have no knowledge of future application actions

Program Monitors: Good Operations
[diagram: the application calls fopen(); the monitor lets the call through]

Program Monitors: Bad Operations
[diagram: the application calls fopen(); the monitor answers "halt!"]
[diagram: the application calls fopen(); the monitor intercepts the call]

Program Monitors: Options
• A program monitor may do any of the following when it recognizes a dangerous operation:
  – halt the application
  – suppress (skip) the operation but allow the application to continue
  – insert (perform) some computation on behalf of the application

Past Research
• Program monitors have a lengthy history in the systems community
  – OS kernels
    • use hardware support
    • secure a fixed system-call interface
  – mobile code architectures and safe languages (Java, CLR)
    • more complex interactions between applications
    • more diverse set of interfaces to secure
    • more diverse set of policies necessary

The Polymer Project
• Theoretical analysis of the range of the policies enforceable at run time
• Definition and implementation of a high-level policy language
  – incorporate types, modularity and high-level programming techniques
• Formal semantics and tools for reasoning about policies

Today: Polymer the Language
• Polymer via Pictures
  – simple policies
  – complex policies
• Polymer semantics
  – monadic structure
  – types
• Polymer discussion
  – implementation, related and future work

What is in a run-time security policy?
• Policy-relevant actions
  – method calls, get/set state, raise exception
• Security-relevant state
  – inaccessible to the application program
• Decision procedure
  – does the current action satisfy the policy in the current state?
  – if not, what supplementary action must be taken?

Example: Access Control
• Access Control Monitor (ACM)
  – actions: fopen, fclose, getc, putc
  – state: acl
  – computation: acl lookup

Example: Deadlock Prevention
• Deadlock Prevention Monitor (Deadlock)
  – actions: acquire, release
  – state: locks held
  – computation: locking protocol

Security in Complex Systems
• Restating the obvious:
  – it's hard to secure complex systems against the determined attacker
• Design goal:
  – prepare for mistakes
  – be ready for change
• Mechanisms:
  – modularity
  – highly structured and parameterized policies

Security in Complex Systems
• Polymer mechanisms
  – high-level policy combinators
    • conjunctive policies
    • disjunctive policies
  – modularity mechanisms from modern languages (e.g. ML)
    • hierarchical policies
    • parameterized policies
    • higher-order policies

Parallel Conjunctive Policies
[diagram: ResourceMgr runs ACM and Deadlock in parallel over the application's actions and combines their answers into a conjunctive decision]

Parallel Conjunctive Policies
• two independent parallel processes decide whether an action is allowed
  – both say okay ==> application goes ahead
  – either says halt ==> application halts
  – one says okay and the other does not care about this action ==> application goes ahead
• example:
  – resourceMgr = ACM AND Deadlock

Policy Combinators
• Conjunctive policies narrow the set of acceptable program action sequences
• Disjunctive policies widen the set of acceptable program action sequences

Parallel Disjunctive Policies
[diagram: ACM++ runs ACM and Authenticated ACM in parallel over the application's actions and combines their answers into a disjunctive decision]

Parallel Disjunctive Policies
• two independent parallel processes decide whether an action is allowed
  – either says okay ==> application goes ahead
  – both say halt ==> application halts
  – one says okay and the other does not care about this action ==> application goes ahead
• example:
  – ACM++ = ACM OR AuthenticatedACM

Chinese Wall Policies
• Chinese Wall policies
  – each application is offered a number of protocol choices
  – once the application selects one choice, all other choices become unavailable

Parallel Disjunctive Policies
[diagram: the Chinese Wall Monitor runs "File not Network" and "Network not File" in parallel and combines their answers into a disjunctive decision]

Complete Mediation
• A crucial security principle
  – in order to protect a resource, one must mediate all accesses to that resource
• Naive composition of policies can lead to violations of complete mediation
  – e.g. kernelSafety AND deadlock: kernelSafety inserts acquire/release actions to protect kernel data, but deadlock must see all acquire/release actions

Sequential Conjunction
[diagram: the Resource Manager passes each application action through kernel safety and then deadlock prevention before reaching a conjunctive decision]

Sequential Conjunction
[diagram: the System Policy passes each application action through the resource manager and then the logging/auditing process before reaching a conjunctive decision]

Sequential Disjunction
[diagram: the Disjunctive Monitor passes each application action through its policies in sequence before reaching a disjunctive decision]

Today: Polymer the Language
• Polymer via Pictures
  – simple policies
  – complex policies
• Polymer semantics
  – monadic structure
  – types
• Polymer discussion
  – implementation, related and future work

Formal Language Structure
• Derived from the computational lambda calculus [Moggi]
  – computations (E)
    • run in parallel with an untrusted application
    • have effects on the application (halt, suppress, change state, perform application actions, etc.)
  – terms (M)
    • an algebra for manipulating suspended computations (i.e. policies)
    • do not have effects

Simple Policies
• actions (method calls)
  – a in A
• terms (policies)
  – M ::= {actions: A; policy: E} | fun f (x:t) = M | M1 M2 | ...
• monitoring computations
  – E ::= M | ok; E | sup; E | call (a) next: E1 done: E2 | do M; E | case * of (A1: E1 | A2: E2) | ...

Memory-Limit Example
  fun mpol (q:int) = {
    actions: malloc;
    policy:
      next: case * of
        malloc(n): let q' = q - n in
                   if (q' > 0) then ok; do (mpol q')
                   else halt
                   end
      done: ()
  }

Memory-Limit Policy
• mpol is a function from integers to policies
• to generate a policy we apply our function to an initial memory quota:
  – memLimit = mpol 10000

File-Access Example
  fun fpol (files: file list) = {
    actions: fopen, fcloses;
    policy:
      next: case * of
        fopen(s,m): if (acl s m) then ok; do (fpol (s::files))
                    else sup; do (fpol files)
      | fcloses(l): ...
      done: call (fcloses files)
  }

File-Access Policy
• Once again, we apply our recursive function to an initial argument to get a policy
  – fileAccess = fpol []

Policy Types
• types
  – t ::= int | () | t1 x t2 | t1 + t2 | t1 -> t2 | M t
• examples:
  – mpol : int -> M ()
  – memLimit : M ()
• a simple type system prevents standard sorts of errors

Parallel Conjunctive Policies
• A parallel conjunctive policy is a suspended computation that returns a pair of values
• Types:
  – if P1 : M t1 and P2 : M t2 then P1 AND P2 : M (t1 x t2)
  – Curry-Howard strikes again!
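An executable model of the policies and combinators on the preceding slides, written in Python as an added example (it is not Polymer itself, whose implementation targets Java, and it does not reproduce Polymer's syntax). A policy is a suspended computation that, given one application action, returns a decision and the policy to use next; mpol and fpol follow the memory-limit and file-access examples, AND and OR are the parallel combinators with the decision rules stated on the slides, and well_formed_and is the effect check described later under Types and Effects, applied to the kernelSafety/deadlock mediation failure from the Complete Mediation slide. The acl table, the action encoding, the application trace, and the ranking used when one policy answers ok and the other sup are assumptions of this example, not part of the talk.

```python
"""Executable model of Polymer-style program monitors (added example, not the
Polymer implementation): a policy inspects one application action at a time
and returns a decision plus the policy to use for the next action."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

Action = Tuple[str, tuple]      # (method name, arguments)
Decision = Optional[str]        # "ok" | "sup" | "halt" | None (action not regulated)

@dataclass
class Policy:
    regulated: Set[str]                                  # the "actions:" clause
    step: Callable[[Action], Tuple[Decision, "Policy"]]  # the "next:" clause
    done: Callable[[], List[Action]] = lambda: []        # the "done:" clause: actions inserted at exit
    effects: Set[str] = field(default_factory=set)       # actions the policy may insert or suppress

def mpol(q: int) -> Policy:
    """Memory-limit policy: allow malloc(n) while the quota q stays positive, else halt."""
    def step(a: Action):
        name, args = a
        if name != "malloc":
            return None, mpol(q)
        q2 = q - args[0]
        return ("ok", mpol(q2)) if q2 > 0 else ("halt", mpol(q))
    return Policy({"malloc"}, step)

def acl(name: str, mode: str) -> bool:
    """Constructed stand-in for the slides' acl lookup (assumption):
    anything may be read, only files under /tmp may be written."""
    return mode == "r" or name.startswith("/tmp/")

def fpol(files: List[str]) -> Policy:
    """File-access policy: fopen is allowed or suppressed per the ACL; files
    still open are tracked so the done clause can insert fcloses at exit.
    Inserting fcloses and suppressing fopen are this policy's effects."""
    def step(a: Action):
        name, args = a
        if name == "fopen":
            s, m = args
            return ("ok", fpol([s] + files)) if acl(s, m) else ("sup", fpol(files))
        if name == "fcloses":
            return "ok", fpol([f for f in files if f not in args[0]])
        return None, fpol(files)
    return Policy({"fopen", "fcloses"}, step,
                  done=lambda: [("fcloses", (list(files),))] if files else [],
                  effects={"fopen", "fcloses"})

def _parallel(p1: Policy, p2: Policy, order: List[str]) -> Policy:
    """Parallel combinator: both policies see every action; one that does not
    regulate it abstains (None); otherwise the answer ranked first in `order`
    wins.  Ranking ok against sup is this example's assumption; the talk
    leaves that conflict open and rules it out statically with effects."""
    def step(a: Action):
        d1, n1 = p1.step(a)
        d2, n2 = p2.step(a)
        answers = [d for d in (d1, d2) if d is not None]
        d = min(answers, key=order.index) if answers else None
        return d, _parallel(n1, n2, order)
    return Policy(p1.regulated | p2.regulated, step,
                  done=lambda: p1.done() + p2.done(),
                  effects=p1.effects | p2.effects)

def AND(p1: Policy, p2: Policy) -> Policy:   # narrows: halt beats sup beats ok
    return _parallel(p1, p2, ["halt", "sup", "ok"])

def OR(p1: Policy, p2: Policy) -> Policy:    # widens: ok beats sup beats halt
    return _parallel(p1, p2, ["ok", "sup", "halt"])

def well_formed_and(p1: Policy, p2: Policy) -> bool:
    """Effect check for P1 AND P2: actions one policy inserts or suppresses must
    not be regulated by the other, otherwise the sibling never sees them and
    complete mediation fails."""
    return not (p1.effects & p2.regulated) and not (p2.effects & p1.regulated)

def run(policy: Policy, trace: List[Action]) -> List[Tuple[str, Action]]:
    """Drive a monitor over an application trace.  Returns what happened to each
    action (ok/sup/halt), then the actions the done clause inserts when the
    application ends (normally or by halt)."""
    log = []
    for a in trace:
        d, policy = policy.step(a)
        log.append((d if d in ("sup", "halt") else "ok", a))
        if d == "halt":
            break
    return log + [("inserted", a) for a in policy.done()]

# Constructed application trace (assumption) and a resourceMgr-style conjunction.
TRACE: List[Action] = [("fopen", ("/tmp/a", "w")), ("fopen", ("/etc/shadow", "w")),
                       ("malloc", (6000,)), ("malloc", (5000,))]
memLimit, fileAccess = mpol(10000), fpol([])

# The slides' mediation failure: kernelSafety inserts acquire/release, which deadlock regulates.
kernelSafety = Policy({"kcall"}, lambda a: (None, kernelSafety), effects={"acquire", "release"})
deadlock = Policy({"acquire", "release"}, lambda a: (None, deadlock))

if __name__ == "__main__":
    print(run(AND(memLimit, fileAccess), TRACE))
    print(run(OR(mpol(100), mpol(1000)), [("malloc", (500,))]))
    print(well_formed_and(memLimit, fileAccess), well_formed_and(kernelSafety, deadlock))
```

Running AND(memLimit, fileAccess) over the trace allows the first fopen, suppresses the second (the ACL rejects it), allows the first malloc, halts on the second (the quota runs out), and then inserts fcloses for the one file left open. The same malloc that AND(mpol(100), mpol(1000)) halts is allowed by OR(mpol(100), mpol(1000)), which is the narrowing/widening distinction from the Policy Combinators slide. well_formed_and accepts memLimit AND fileAccess, whose effects touch only actions the other does not regulate, and rejects kernelSafety AND deadlock, where the inserted acquire/release would bypass the deadlock policy in a parallel composition.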
Parallel Conjunctive Policies
• The trivial policy T is the identity for AND
  – T : M ()

Parallel Disjunctive Policies
• A parallel disjunctive policy is a suspended computation that returns a sum
• Types:
  – if P1 : M t1 and P2 : M t2 then P1 OR P2 : M (t1 + t2)
• The unsatisfiable policy is the identity for OR
  – its type is M void

Complete Mediation Failure
[diagram: the application calls foo(); the monitor's deadlock policy and auditing process run in parallel, so one of them does not see what the other inserts]

Conflicting Policies
[diagram: the application calls foo(); one policy answers sup and the other ok: which wins?]

Types and Effects
• We synthesize the effects of a computation
  – the effects = the actions that may be inserted or suppressed by a computation
• P1 AND P2 is well-formed when
  – the effects of P1 are disjoint from the regulated set of P2 and vice versa
• effect analysis
  – ensures complete mediation for parallel policies
  – provides flexibility in sequential policies

Today: Polymer the Language
• Polymer via Pictures
  – simple policies
  – complex policies
• Polymer semantics
  – monadic structure
  – types
• Polymer discussion
  – implementation, related and future work

Implementation Architecture
[diagram: a Java application, a policy interface and a policy implementation are combined into an instrumented application, yielding a secure application]

Implementation Progress
• work so far:
  – simple policies with basic features (ok, sup, pattern matching, case, Java base)
  – higher-order policies and policy combinators
• future work:
  – networking applications
  – further combinators
  – type and effect system
  – dynamic policy updates

Related Work
• Aspect-oriented programming
  – Polymer is a domain-specific aspect-oriented programming language
  – New features:
    • an aspect algebra with novel combinators
    • a new approach to aspect collision (types and effects)
    • formal semantics as an extension of Moggi's computational lambda calculus
  – see also Wand et al.'s semantics for aspects

Related Work
• Monitoring languages
  – General-purpose languages/systems for monitoring applications
    • Poet and Pslang, Naccio, Ariel, Spin kernel
  – Logical monitoring specifications
    • MAC (temporal logic), Bigwig (second-order monadic logic)

Summary: Polymer
• First steps towards the design of a modern language for programming modular runtime security monitors
• References
  – FCS '02 (expressible and inexpressible policies)
  – Princeton TR 655-02 (Polymer semantics)
  – www.cs.princeton.edu/sip/projects/polymer/

End