Poly stop a hacker
David Walker
Princeton University
(joint work with Lujo Bauer and Jay Ligatti)
Language-Based Security
• language-based security mechanisms
protect a host from untrusted
applications by analyzing or modifying
application behavior
– static mechanisms (analysis at link time)
• type checking, proof checking, abstract
interpretation
– dynamic mechanisms (analysis at run time)
• access-control lists, stack inspection,
capabilities
Program Monitors
• A program monitor is a computation
that runs in parallel with an untrusted
application
– monitors detect, prevent, and recover from
application errors at run time
– monitor decisions may be based on
execution history
– we assume monitors have no knowledge of
future application actions
Program Monitors: Good Operations
[Figure: the Application calls fopen(); the Monitor lets the good operation through]
Program Monitors: Bad Operations
[Figure: the Application calls fopen(); the Monitor answers halt!]
Program Monitors: Bad Operations
[Figure: the Application calls fopen(); the Monitor intercepts the bad operation]
Program Monitors: Options
• A program monitor may do any of the
following when it recognizes a
dangerous operation:
– halt the application
– suppress (skip) the operation but allow the
application to continue
– insert (perform) some computation on
behalf of the application
Past Research
• Program monitors have a lengthy history
in the systems community
– OS kernels
• use hardware support
• secure fixed system-call interface
– mobile code architectures and safe
languages (Java, CLR)
• more complex interactions between applications
• more diverse set of interfaces to secure
• more diverse set of policies necessary
The Polymer Project
• Theoretical analysis of the range of the
policies enforceable at run time
• Definition and implementation of a
high-level policy language
– incorporate types, modularity and high-level programming techniques
• Formal semantics and tools for
reasoning about policies
Today: Polymer the Language
• Polymer via Pictures
– simple policies
– complex policies
• Polymer semantics
– monadic structure
– types
• Polymer discussion
– implementation, related and future work
What is in a run-time security policy?
• Policy-relevant actions
– method calls, get/set state, raise exception
• Security-relevant state
– inaccessible to application program
• Decision procedure
– does the current action satisfy the policy in
the current state?
– if not, what supplementary action must be
taken?
Example: Access Control
Access Control Monitor (ACM):
– actions: fopen, fclose, getc, putc
– state: acl
– computation: acl lookup
Example: Deadlock Prevention
Deadlock Prevention Monitor (Deadlock):
– actions: acquire, release
– state: locks held
– computation: locking protocol
Security in Complex Systems
• Restating the obvious:
– it’s hard to secure complex systems against
the determined attacker
• Design goal:
– prepare for mistakes
– be ready for change
• Mechanisms:
– modularity
– highly structured and parameterized policies
Security in Complex Systems
• Polymer Mechanisms
– high-level policy combinators
• conjunctive policies
• disjunctive policies
– modularity mechanisms from modern
languages (eg: ML)
• hierarchical policies
• parameterized policies
• higher-order policies
Parallel Conjunctive Policies
[Figure: ResourceMgr runs ACM and Deadlock in parallel beside the Application and makes a conjunctive decision]
Parallel Conjunctive Policies
• two independent parallel processes
decide whether an action is allowed
– both say okay ==> application goes ahead
– either says halt ==> application halts
– one says okay and the other does not care
about this action ==> application goes
ahead
• example:
– resourceMgr = ACM AND Deadlock
Policy Combinators
• Conjunctive policies narrow the set of
acceptable program action sequences
• Disjunctive policies widen the set of
acceptable program action sequences
Parallel Disjunctive Policies
[Figure: ACM++ runs ACM and Authenticated ACM in parallel beside the Application and makes a disjunctive decision]
Parallel Disjunctive Policies
• two independent parallel processes
decide whether an action is allowed
– either says okay ==> app. goes ahead
– both say halt ==> application halts
– one says okay and the other does not care
about this action ==> app. goes ahead
• example:
– ACM++ = ACM OR AuthenticatedACM
Chinese Wall Policies
• Chinese Wall Policies
– each application is offered a number of
protocol choices
– when the application selects one choice, all
other choices become unavailable
Parallel Disjunctive Policies
[Figure: the Chinese Wall Monitor runs the branches "File, not Network" and "Network, not File" in parallel beside the Application and makes a disjunctive decision]
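The parallel AND and OR decisions described above, and the Chinese Wall built from a disjunction, as an added Python model that is not Polymer's own implementation; the ACM, Deadlock and Chinese Wall branch policies, the action names and the traces are constructed here. One modelling assumption goes beyond the slides: a branch of an OR that has halted is dropped from then on, which is what makes "File not Network" OR "Network not File" close off the choice the application did not take.

```python
# Added example (not Polymer's implementation): parallel AND / OR decisions.
# A policy is step(action, args) -> ok / halt / None, where None means the
# policy does not regulate that action ("does not care"). Assumption beyond
# the slides: an OR branch that has halted is discarded from then on.
OK, HALT = "ok", "halt"

def acm(action, args):
    """Constructed ACM: fopen(s, m) is allowed only for files under /tmp."""
    return None if action != "fopen" else (OK if args[0].startswith("/tmp/") else HALT)

def deadlock():
    """Constructed Deadlock: locks must be acquired in alphabetical order."""
    held = []
    def step(action, args):
        if action != "acquire":
            return None
        in_order = not held or args[0] > held[-1]
        held.append(args[0])
        return OK if in_order else HALT
    return step

def only(allowed, forbidden):
    """Chinese Wall branch: ok on `allowed`, halt on `forbidden`, else don't care."""
    def step(action, args):
        return OK if action in allowed else (HALT if action in forbidden else None)
    return step

def AND(p1, p2):
    """resourceMgr = ACM AND Deadlock: either halt -> halt; any ok -> ok; else don't care."""
    def step(action, args):
        ds = {p1(action, args), p2(action, args)}
        return HALT if HALT in ds else (OK if OK in ds else None)
    return step

def OR(p1, p2):
    """Any ok -> ok; halt once every branch has halted (halted branches are dropped)."""
    live = [p1, p2]
    def step(action, args):
        ds = [p(action, args) for p in live]
        live[:] = [p for p, d in zip(live, ds) if d != HALT]
        if OK in ds:
            return OK
        return HALT if not live else None
    return step

def run(policy, actions):
    """Verdict after feeding a constructed action list: "halt" or "done"."""
    for action, args in actions:
        if policy(action, args) == HALT:
            return HALT
    return "done"
```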
Complete Mediation
• A Crucial Security Principle
– in order to protect a resource, one must
mediate all accesses to that resource
• Naive composition of policies can lead
to violations of complete mediation
– eg: kernelSafety AND deadlock
• kernelSafety inserts acquire/release
to protect kernel data
• deadlock must see all acquire/
release actions
Sequential Conjunction
[Figure: the Resource Manager runs kernel safety and then deadlock prevention in sequence beside the Application and makes a conjunctive decision]
Sequential Conjunction
[Figure: the System Policy runs the resource manager and then the logging/auditing process in sequence beside the Application and makes a conjunctive decision]
Sequential Disjunction
[Figure: a Disjunctive Monitor beside the Application makes a disjunctive decision]
Today: Polymer the Language
• Polymer via Pictures
– simple policies
– complex policies
• Polymer semantics
– monadic structure
– types
• Polymer discussion
– implementation, related and future work
Formal Language Structure
• Derived from the computational lambda
calculus [Moggi]
– computations (E)
• run in parallel with an untrusted application
• have effects on the application (halt, suppress,
change state, perform application actions, etc.)
– terms (M)
• an algebra for manipulating suspended
computations (ie: policies)
• do not have effects
Simple Policies
• actions (method calls)
– a in A
• terms (policies)
– M ::= {actions: A; policy: E} |
fun f (x:t) = M | M1 M2 | ...
• monitoring computations
– E ::= M | ok; E | sup; E | call (a) |
next: E1 done: E2 | do M; E |
case * of (A1: E1 | A2: E2) | ...
Memory-Limit Example
fun mpol(q:int) = {
  actions: malloc;
  policy:
    next:
      case * of
        malloc(n):
          let q’ = q-n in
          if (q’ > 0) then ok; do (mpol q’)
          else halt end
    done:
      ()
}
Memory-Limit Policy
• mpol is a function from integers to
policies
• to generate a policy we apply our
function to an initial memory quota:
– memLimit = mpol 10000
File-Access Example
fun fpol (files: file list) = {
  actions: fopen, fcloses;
  policy:
    next:
      case * of
        fopen(s,m):
          if (acl s m) then
            ok; do (fpol (s::files))
          else
            sup; do (fpol (files))
      | fcloses (l): ...
    done:
      call (fcloses files)
}
File-Access Policy
• Once again, we apply our recursive
function to an initial argument to get a
policy
– fileAccess = fpol []
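The memLimit and fileAccess policies above, as an added Python model that is not Polymer code: a policy is a dict of a next handler, which decides ok / sup / halt for one action (None when the policy does not regulate it), and a done handler, which returns the actions the monitor performs itself when the application finishes (fpol's call (fcloses files)). The acl predicate, the argument shapes and the sample traces are constructed here.

```python
# Added example, not Polymer code: the memLimit and fileAccess policies as
# closures. next(action, args) -> ok / sup / halt / None (unregulated action);
# done() -> actions the monitor performs itself once the application is done.
OK, SUP, HALT = "ok", "sup", "halt"

def mpol(quota):
    """mpol q: malloc(n) is ok while the remaining quota stays positive, else halt."""
    state = {"q": quota}                      # q' = q - n is carried in the closure
    def next_(action, args):
        if action != "malloc":
            return None
        q2 = state["q"] - args[0]
        if q2 > 0:
            state["q"] = q2
            return OK
        return HALT
    return {"next": next_, "done": lambda: []}

def fpol(acl):
    """fpol []: ok and record fopen(s, m) when acl(s, m) holds, suppress it
    otherwise; when the application is done, close every file still open."""
    files = []
    def next_(action, args):
        if action != "fopen":
            return None
        s, m = args
        if acl(s, m):
            files.append(s)
            return OK
        return SUP
    return {"next": next_, "done": lambda: [("fcloses", (list(files),))]}

def run(policy, actions):
    """Feed a constructed action sequence through a policy. Returns the actions
    actually performed (the application's ok'd or unregulated ones plus the
    monitor's own) and the verdict: "halt" if the monitor stopped the
    application, "done" otherwise."""
    performed = []
    for action, args in actions:
        d = policy["next"](action, args)
        if d == HALT:
            return performed, HALT
        if d != SUP:                          # ok or unregulated: action proceeds
            performed.append((action, args))
    performed.extend(policy["done"]())
    return performed, "done"
```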
Policy Types
• types
– t ::= int | () | t1 x t2 | t1 + t2 | t1 -> t2 | M t
• examples:
– mpol : int -> M ()
– memLimit : M ()
• a simple type system prevents standard
sorts of errors
Parallel Conjunctive Policies
• A parallel conjunctive policy is a
suspended computation that returns a
pair of values
• Types:
– if P1 : M t1 and P2 : M t2 then
P1 AND P2 : M (t1 x t2)
– Curry-Howard strikes again!
• Trivial policy T is the identity for AND
– T : M ()
Parallel Disjunctive Policies
• A parallel disjunctive policy is a
suspended computation that returns a
sum
• Types:
– if P1 : M t1 and P2 : M t2 then
P1 OR P2 : M (t1 + t2)
• Unsatisfiable policy  is identity for OR
–  : M void
Complete Mediation Failure
[Figure: the Application calls foo(); the Monitor's deadlock policy and auditing process are shown beside it]
Conflicting Policies
[Figure: the Application calls foo(); one policy in the Monitor answers sup, the other ok, and the combined decision is left as "?"]
Types and Effects
• We synthesize the effects of a computation
– the effects = the actions that may be inserted or
suppressed by a computation
• P1 AND P2 is well-formed when
– the effects of P1 are disjoint from the regulated
set of P2 and vice versa
• effect analysis
– ensures complete mediation for parallel pol’s
– provides flexibility in sequential pol’s
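The effect check above, as an added Python example that is not the Polymer type checker: each constructed descriptor records the actions a policy regulates and its effects (the actions it may insert or suppress), and a parallel P1 AND P2 is well-formed only when neither policy's effects fall in the other's regulated set. For a sequential conjunction the code assumes, as the Sequential Conjunction pictures suggest, that the second policy sees the first one's inserted actions, so only the second policy's effects on the first one's regulated set can break complete mediation; the kernelSafety, deadlock and ACM descriptors are constructed here.

```python
# Added example (not the Polymer type checker): effect analysis for policy
# combinators over constructed descriptors. Assumption for "first; second":
# second mediates first's inserted actions, so only second's effects on
# first's regulated set remain unmediated.
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyDesc:
    name: str
    regulated: frozenset                   # actions the policy must see
    inserts: frozenset = frozenset()       # actions it may perform itself
    suppresses: frozenset = frozenset()    # application actions it may skip

    @property
    def effects(self):
        return self.inserts | self.suppresses

def parallel_violations(p1, p2):
    """Actions one policy could insert or suppress behind the other's back."""
    return sorted((p1.effects & p2.regulated) | (p2.effects & p1.regulated))

def parallel_and_ok(p1, p2):
    """Is the parallel P1 AND P2 well-formed under the effect check?"""
    return not parallel_violations(p1, p2)

def sequential_and_ok(first, second):
    """Is 'first; second' well-formed? first's insertions flow into second,
    so only second's effects on actions first regulates stay unmediated."""
    return not (second.effects & first.regulated)

# Constructed descriptors for the policies named on the slides; "foo" is the
# action from the Complete Mediation Failure picture.
ACM = PolicyDesc("ACM", frozenset({"fopen", "fclose", "getc", "putc"}),
                 suppresses=frozenset({"fopen"}))
DEADLOCK = PolicyDesc("deadlock", frozenset({"acquire", "release"}))
KERNEL_SAFETY = PolicyDesc("kernelSafety", frozenset({"foo"}),
                           inserts=frozenset({"acquire", "release"}))
```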
Today: Polymer the Language
• Polymer via Pictures
– simple policies
– complex policies
• Polymer semantics
– monadic structure
– types
• Polymer discussion
– implementation, related and future work
Implementation Architecture
[Figure: a Java application and a policy interface are combined into an instrumented application, which together with the policy implementation forms the secure application]
Implementation Progress
• work so far:
– simple policies with basic features (ok, sup,
pattern matching, case, Java base)
– higher-order policies and policy combinators
• future work:
– networking applications
– further combinators
– type and effect system
– dynamic policy updates
Related Work
• Aspect-oriented programming
– Polymer is a domain-specific aspect-oriented programming language
– New features:
• an aspect algebra with novel combinators
• a new approach to aspect collision (types and
effects)
• formal semantics as an extension of Moggi’s
computational lambda calculus
– see also Wand et al.’s semantics for aspects
Related Work
• Monitoring languages
– General-purpose languages/systems for
monitoring applications
• Poet and Pslang, Naccio, Ariel, Spin Kernel
– Logical monitoring specifications
• MAC (temporal logic), Bigwig (second-order
monadic logic)
Summary: Polymer
• First steps towards the design of a modern
language for programming modular runtime security monitors
• References
– FCS ‘02 (expressible and inexpressible policies)
– Princeton TR 655-02 (Polymer semantics)
– www.cs.princeton.edu/sip/projects/polymer/