CS711 Language-Based Security
Introduction
Greg Morrisett, Cornell University

Paper for this lecture: “Attacking Malicious Code: A Report to the INFOSEC Research Council.”
Background:
– series of meetings of people from various US government agencies (DoD, FBI, CIA, NSA), industry, academia, and hacker communities.
– goal was to identify promising research directions.
– also informed by a DARPA ISAT study.
– scary set of meetings...
7/12/2016 Lang. Based Security 2

Computer Security
Goal: prevent “bad” things from happening:
– delete or trash files
– crash a system
– deny access to a service
– steal information
– fail to pay
Similar goals to software engineering. Difference is in assumptions about “failures”:
– must assume the worst possible case: attacks!

What is “Bad”?
Depends upon:
– the task -- what is the code’s purpose?
– the context -- what host, what OS, on whose behalf?
– the policy -- e.g., mandatory access control (MAC)
Tighter constraints are better.
[Figure: spectrum of possible policies; labels: full specification, idealized implementation, MAC, memory safety, type safety, who wrote the code, “true”]

Mainframe Security
Traditional security policies and mechanisms grew out of the shared mainframe world.
– protect service (computing) from failures
– protect users’ data from each other
OS Kernel served as a Reference Monitor:
– multiplex hardware among users’ programs
  • preemptive multi-tasking, indirect device access
– isolate programs from each other
  • virtual memory address spaces, distinct supervisor mode
– maintain integrity (privacy?) of users’ files
  • user & group id’s, access control lists

1st Principle of Security Design
Least Privilege: each principal is given the minimum access needed to accomplish its task. [Saltzer & Schroeder ’75]
Examples:
+ Administrators don’t run day-to-day tasks as root. So “rm -rf /” won’t wipe the disk.
- fingerd runs as root so it can access different users’ .plan files.
But then it can also “rm -rf /”.

Least Privilege Elsewhere
Least Privilege shows up in almost all engineering design patterns.
– SE & Languages: abstract data types, strong interfaces, encapsulation, black-box principle, etc.
But the emphasis there is subtly different.
– Easier to make changes to an implementation when the interface is enforced.

2nd Principle of Security Design
Keep the Trusted Computing Base small.
Trusted Computing Base (TCB):
– the parts of a system that must work correctly to ensure the proper functioning of the system.
– e.g., the OS Kernel & Hardware.
Smaller, simpler systems tend to have fewer bugs and bad interactions.
– so keep the kernel small and simple.
“Small TCB” is a basic principle in all software.

Things have changed...
The principles of least privilege and small TCB are still valid.
But the context that motivated the design of today’s security policies and OS-based enforcement mechanisms has changed radically.
We need new policies and mechanisms.

Changes:
Back in the 1970’s, the hardware and kernel were simple, small and relatively trustworthy.
Today, they’re HUGE.
– Win2K: ~50 Mloc
Why the growth?
– personal vs. shared computers – protecting users from each other wasn’t that important.
– old code never goes away.
– richer set of devices (mice, cd, bluetooth, etc.)
– services (e.g., gui, net, web, suspend, etc.)
– performance – crossing boundaries is expensive.
It’s hard to say these are small TCBs.

Further Changes
In the ’70s, computing systems were isolated.
– software updates done infrequently by an experienced administrator.
– you trusted the programs you ran.
– physical access was required.
– few things were executable.
– crashes and outages didn’t cost billions.
The Internet has changed all of this.
– software is constantly updated – sometimes without your knowledge or consent.
– you have no idea what a program does.
– a hacker in the Philippines is as close as your neighbor.
– everything is executable (i.e., web pages, email).
– we depend upon the infrastructure.

Trends:
                            then          now
Vendors                     few           many
Media                       hard          soft
Delivery mechanism          physical      electronic
Frequency of installation   seldom        always
Size of package             whole thing   small pieces
Permanence                  persistent    ephemeral

Timeline: 1975-2000
– Trojan Horse, 197?
– Virus, 1983
– The Morris Worm, Oct 1988
– Nov 1988: CERT is created.
– 1994: Privatization of the Internet
– 1997: Pres. Commission on Critical Infrastructure Protection
– Melissa, March 1999
– 1999: Morris joins MIT faculty.
– explore.zip, June 1999
– Stacheldraht, Feb 2000
– 911 virus, April 2000
– ILoveYou, May 2000
– Badman Trojan, June 2000
[Slide background: overlaid code fragments (the Morris worm’s VAX execve shellcode, the Melissa Word macro that disables the macro-security menu, the header of the ILoveYou VBScript) plus a SANS Institute note on the 911 virus and a Pittsburgh Post-Gazette item on the FBI discovering home computers staged for a wide-scale attack; not reproduced here.]

1988: Morris Worm
Penetrated an estimated 5 to 10 percent of the 6,000 machines on the internet.
Used a number of clever methods to gain access to a host.
– brute force password guessing
– bug in default sendmail configuration
– X windows vulnerabilities, rlogin, etc.
– buffer overrun in fingerd
Some remarks:
– “bio-diversity” helped to limit the spread.
– “root kits” for cracking modern systems are easily available and largely use the same techniques.

1999: Love Bug & Melissa
Both email-based viruses that exploited:
– a common mail client (MS Outlook)
– trusting (i.e., uneducated) users
– VB scripting extensions within messages to:
  • lookup addresses in the contacts database
  • send a copy of the message to those contacts
Melissa: hit an estimated 1.2 million machines.
Love Bug: caused estimated $10B in damage.
Remarks:
– no passwords or crypto involved

Why Did they Succeed?
• VBscripts invoked transparently upon opening.
• Run with full privileges of the user.
• Kernel doesn’t know about things like mail messages, contacts database, etc.
• Recipients trusted the sender – after all, they know them.
• Interactions of a complex system were unanticipated.

A Solution for Melissa?
Turn off all executable content?
– no problem when email was just text.
– but executable content is genuinely useful.
– ex: automated meeting planner agent, postscript, Mpeg4 codecs, client-side forms, etc.
– US DoD tried to do this and was hit with a revolt.
You can’t function in the modern net-based world without scripting extensions.
So there’s a fundamental tension:
– modern software wants to be open and extensible.
– programmable components are ultimately flexible.
  • Postscript, Emacs, Java[script], VB, Jini, ActiveX, plug-n-play...
– security wants things to be closed: least privilege.
– turning off extensibility is a denial-of-service attack.

Solutions?
Scan for viruses or suspicious code.
– e.g., McAfee, Norton, etc.
– based largely on a lexical signature.
– perhaps the most commercially effective tool.
– but only works for things you’ve seen.
– Melissa spread in a matter of hours.
– virus kits make it easy to disguise a virus.
– not clear that it scales over time.
Not a complete solution.

Solutions?
Code Signing: use crypto techniques to establish that someone you trust has signed the code.
– e.g., Verisign, Authenticode, MS device drivers
– bad assumption: signature implies “good”
  • keys may be stolen
  • “good” for what context?
  • even well-intentioned people make “bad” code
– bad assumption: you can sue the signer
  • signatures have no legal standing (at least in US)
  • signer may not have written or even looked at the code
  • identifying who is responsible is difficult

Turning off, Scanning & Signing
Examine surface-level properties of code.
– easy to build.
– but sensitive to the form of the code.
Oblivious to the semantics of the code.
– hard to detect and stop new forms of attacks.
– we want to stop bad things regardless of who wrote the code.
We’re going to focus on potential solutions that are based more strongly on the semantics or behavior of the code.
– hence, language-based security.

Security Enforcement
Possible times to rule out “bad” things:
– Before execution:
  • analyze code, reject if it’s potentially bad
  • rewrite the code so that it’s good
  • backup data so you can recover later
– During execution:
  • monitor execution & stop bad things
  • detect that bad things happened and roll back
  • detect that bad things happened and log
– After execution:
  • call the police, present audit logs
  • sue somebody

Some Topics for the Course
• Reference Monitors (during execution)
  – operating systems, interpreters
  – software-based fault isolation
  – in-lined reference monitors
• Type-Safe Languages (before execution)
  – SPIN: Modula-3 based kernel
  – Java VM, MS Common Language Runtime
• Minimizing the TCB
  – Typed Assembly and Proof-Carrying Code
  – Certifying Compilers

What You Have to Do
• Read and understand the papers
  – there will be a lot of them
  – there will be pop quizzes
• Option A: survey paper
  – pick a topic, read n papers, write a > 10 page summary, and present in class.
• Option B: project
  – pick a (significant) topic, and 1 or 2 partners, build or measure or break something, present results in class.

Reading for Next Time
• Efficient Software-Based Fault Isolation by Wahbe et al. www.cs.berkeley.edu/~tea/sfi.ps
• MiSFIT: A Tool For Constructing Safe Extensible Systems (draft) by C. Small and M. Seltzer. http://www.dogfish.org/chris/papers/misfit/misfit-ieee.ps
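An added example (not from the slides) of the “monitor execution & stop bad things” option applied to the Melissa/Love Bug behaviour described on the earlier slides: a small execution monitor that is the only interface an untrusted mail script receives (the least privilege point), enforcing the policy “no mail send once the contacts database has been read”. The operation names, the MailScriptMonitor class and the sample contacts are assumptions.

```python
# Added example, not from the slides: a security automaton used as an execution
# monitor for mail scripts. Operation names, the MailScriptMonitor interface and
# the sample contacts are assumptions, not any real mail client's API.

CONTACTS_DB = ["alice@example.org", "bob@example.org", "carol@example.org"]  # constructed

class PolicyViolation(Exception):
    """Raised when the monitor halts a script for attempting a forbidden step."""

class MailScriptMonitor:
    """The only capability an untrusted mail script receives (least privilege).
    Automaton states: "start" (contacts not read) and "read" (contacts read).
    Policy: sends are allowed in "start"; any send in "read" halts the script."""

    def __init__(self, contacts=CONTACTS_DB):
        self._contacts = list(contacts)  # the store itself is never handed out
        self.state = "start"
        self.outbox = []  # messages the monitor actually let out
        self.log = []     # audit trail for the "after execution" option

    def lookup_contacts(self):
        self.state = "read"
        self.log.append("read contacts")
        return list(self._contacts)

    def send(self, to, body):
        if self.state == "read":
            self.log.append(f"BLOCKED send to {to}")
            raise PolicyViolation(f"send to {to} after reading contacts")
        self.outbox.append((to, body))
        self.log.append(f"sent to {to}")

def run_script(script, monitor):
    """Run an untrusted script under the monitor; True if the monitor halted it."""
    try:
        script(monitor)
        return False
    except PolicyViolation:
        return True

def mass_mailer(m):
    """The behaviour the slides describe: read the contacts, mail each of them."""
    for addr in m.lookup_contacts():
        m.send(addr, "Important message, see attachment")

def single_reply(m):
    """Legitimate use that never touches the contacts store."""
    m.send("alice@example.org", "See you at 3pm")
```

The same policy also halts a legitimate meeting-planner script that mails the people it looked up, which is exactly the extensibility-versus-least-privilege tension the slides describe; a finer-grained policy needs the monitor to know more about the mail application than the kernel does.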