Policy-Directed
Code Safety
David Evans
http://naccio.lcs.mit.edu
evs@sds.lcs.mit.edu
April 1999
Software Devices and Systems
MIT Lab for Computer Science
What Are You Afraid Of?
• Malicious attackers
– Melissa Word macro virus
• Questionable “trusted” programs
– Win95 Registration Wizard
• Buggy programs
– Therac-25
• User mistakes/bad interfaces
– tar –cf *
David Evans
Policy-Directed Code Safety
2
LCLint [Evans, PLDI ‘96]
• Programmers add annotations to code
• Lightweight static checking detects
inconsistencies (often bugs)
• Useful, but can’t provide code safety
– Requires source code, expertise and effort
– Too hard to prove most properties statically
David Evans
Policy-Directed Code Safety
3
Solution Space
• Detect bad programs
– Malicious code detector (virus scanners)
– Digital signatures
• Platform limits on what programs can do
– Operating system, firewalls, Java sandbox
• Naccio: alter programs before running
David Evans
Policy-Directed Code Safety
4
My Work
Program
• General method for
defining policies
– Abstract resources
– Platform independent
Safety
Policy
• System architecture
for enforcing policies
Safe Program
David Evans
Policy-Directed Code Safety
5
Naccio Architecture
Run by policy-author
Run by sysadmin or user
Safety policy definition
Policy
compiler
Policy-enforcing
system library
Program
Policy description file
Application
transformer
Version of program that:
• Uses policy-enforcing system library
• Satisfies low-level code safety
Platforms in development:
JavaVM - program is collection of Java classes
Win32 [Andrew Twyman] - Win32 executable
David Evans
Policy-Directed Code Safety
6
Related Work
• Software fault isolation [Wahbe et al, 93]
• Similar enforcement mechanisms
– Execution monitoring [Schneider]
– Ariel Project [Pandey, Hashii]
• Alternative: verify properties
– Proof-carrying code [Necula, Lee]
– Typed Assembly Language [Morrisett]
David Evans
Policy-Directed Code Safety
7
Program
Outline
 System architecture
• Defining policies
• Enforcing policies
• Results
Safety
Policy
Safe Program
David Evans
Policy-Directed Code Safety
8
Example Safety Policies
• Access constraints
– JDK policies
• Resource use limits
– Limit number of bytes that can be written
• Application-specific policies
– TarCustom policy
• Behavior-modifying policies
– Soft bandwidth limit
David Evans
Policy-Directed Code Safety
9
Describing Policies
public class AppletSecurity extends SecurityManager {
…
public synchronized void checkRead(String file, URL base)
if (base != null) {
if (!initACL) { initializeACLs(); }
if (readACL == null) { return; }
{
String realPath = null;
try {
realPath = (new File(file)).getCanonicalPath();
} catch (IOException e) {
throw new AppletSecurityException
("checkread.exception1", e.getMessage(), file);
…
}
Internet Explorer 5.0
HotJava SecurityManager
Want something:
• More expressive
• Easier to produce, understand and reason about
David Evans
Policy-Directed Code Safety
10
Problem
Policy Author’s View
System View
Program
java.io.FileOutputStream.write (a)
Policy
Resources
System Library
Files
David Evans
Disk
Policy-Directed Code Safety
11
Safety Policy Definition
• Resource descriptions: abstract
operational descriptions of resources
(files, network, …)
• Platform interface: mapping between
system API and abstract resources
• Resource use policy: constraints on
manipulating those resources
David Evans
Policy-Directed Code Safety
12
Resource Description
global resource RFileSystem
openRead (file: RFile) Called before file is opened for reading
openCreate (file: RFile) Called before new file is created and opened for writing
openWrite (file: RFile) Called before existing file is opened for writing
write (file: RFile, nbytes: int)
Called before nbytes are written to file
preRead (file: RFile, nbytes: int) Called before up to nbytes are read from file
postRead (file: RFile, nbytes: int) Called after nbytes were read from file
… // other operations for observing properties of files, deleting, etc.
resource RFile
RFile (pathname: String)
David Evans
Constructs object corresponding to pathname
Policy-Directed Code Safety
13
Platform Interface
• The ugly part - mapping from platform system
calls to resource operations
• For every system procedure either:
– Describe its effects on resources, or
– Pass through checking to procedures it calls.
• Platform determines procedures PFI must
describe
• May describe additional methods to:
– Improve performance and clarity
– Treat system code differently (risky)
David Evans
Policy-Directed Code Safety
14
Java PFI Excerpt
wrapper java.io.FileOutputStream
requires RFileMap;
state RFile rfile;
wrapper void write (byte b[])
if (rfile != null) RFileSystem.write (rfile, b.length);
%%% // original method call
…
// wrappers needed for constructors, other write
// methods, close and getFD
David Evans
Policy-Directed Code Safety
15
Resource Use Policy
• Policy is collection of properties
• Properties attach checking code to
resource operations
policy LimitWrite
NoOverwrite, LimitBytesWritten (1000000)
property NoOverwrite
check RFileSystem.openWrite (file: RFile)
violation (“Attempt to overwrite file.”);
David Evans
Policy-Directed Code Safety
16
LimitBytesWritten Property
stateblock TrackBytesWritten
addfield RFileSystem.bytes_written: int = 0;
precode RFileSystem.write (file: RFile, nbytes: int)
bytes_written += nbytes;
property LimitBytesWritten (n: int)
requires TrackBytesWritten;
check RFileSystem.write (file: RFile, nbytes: int)
if (bytes_written > n)
violation (“Attempt to write more than ” + n + “ bytes …”);
David Evans
Policy-Directed Code Safety
17
Enforceable Policies
• Can enforce any policy that can be defined
• What can be defined depends on resource
operations
• Resource operations depend on platform
interface
– Any manipulation done through API calls
• Cannot write policies that constrain
memory and CPU usage
– Solutions possible: insert calls
David Evans
Policy-Directed Code Safety
18
Program
Outline
 System architecture
 Defining policies
• Enforcing policies
• Results
Safety
Policy
Safe Program
David Evans
Policy-Directed Code Safety
19
Policy Compiler
Safety policy definition
Platform
independent
analyses
Resource descriptions
Resource use policy
Platform interface
Describes Java API
Platform dependent
analyses and code
generation
System library
Java API classes
(e.g., java.io.FileOutputStream)
Policy
description
file
Policy-enforcing system library
• Implementations of resource operations
– Perform checking described by resource use policy
• Rewritten Java API classes
– Call abstract resource operations as directed by platform interface wrappers
David Evans
Policy-Directed Code Safety
20
Implementing Resources
policy LimitWrite
NoOverwrite,
LimitBytesWritten (1000000)
RFileSystem
RFile
Resource descriptions
stateblock TrackBytesWritten
addfield RFileSystem.bytes_written: int;
precode RFileSystem.write (file: RFile, nbytes: int)
bytes_written += nbytes;
property LimitBytesWritten (n: int)
check RFileSystem.write (file: RFile, nbytes: int)
if (bytes_written > n) violation (“Attempt …);
Resource use policy
Policy compiler
Resource implementations
package naccio.p253.resource;
class RFileSystem {
static int bytes_written = 0;
static void write (RFile file, int nbytes) {
bytes_written += nbytes;
if (bytes_written > 1000000) Check.violation (“LimitWrite”, “Attempt to write …);
}
…
Rewriting Classes
class FileOutputStream {
…
public void write (byte b[]) {
writeBytes (b, 0, b.length);
}
}
wrapper java.io.FileOutputStream
state RFile rfile;
wrapper void write (byte b[])
if (rfile != null) RFileSystem.write (rfile, b.length);
%%% // original method call
System library classes
Platform interface
Policy compiler
Wrapped library classes
class FileOutputStream {
naccio.p253.resource.RFile rfile;
… // orig_write – same implementation as old write method
void write (byte b[]) {
if (rfile != null) naccio.p253.resource.RFileSystem.write (rfile, b.length);
orig_write (b);
}
David Evans
Policy-Directed Code Safety
22
Optimizations
• Only implement resource operation if it:
– May produce a violation
– Modifies state used elsewhere
• Only wrap library method if it:
– Calls implemented resource operation
– Modifies state used meaningfully
– Alters behavior
• Simple dataflow dependency analysis
• Not done yet: inline methods and state to
remove resource overhead
David Evans
Policy-Directed Code Safety
23
Application Transformer
Program
Collection of Java classes
Policy description file
Platform
independent
Platform
dependent
transformations
Version of program that:
1. Uses policy-enforcing library
• Set CLASSPATH (or rename classes)
2. Satisfies low-level code safety
• Run byte code verifier
• Protect dynamic class loading, reflection
David Evans
Policy-Directed Code Safety
24
What’s different for Win32?
• Program is Win32 executable and DLLs
• Platform interface describes Win32 API
• Policy compiler
– Generate DLLs instead of Java classes
• Application transformer
– Replace DLL names in import table
– Low-level code safety is platform-specific
• SFI for jumps, PFI wrappers to protect memory
• Scan for kernel traps
• Policies can be reused
David Evans
Policy-Directed Code Safety
25
Program
Outline
 System architecture
 Defining policies
 Enforcing policies
• Results - JavaVM
– Preparation costs
– Execution performance
Safety
Policy
Safe Program
David Evans
Policy-Directed Code Safety
26
Preparation Costs
• Policy generation
– Time to generate policy: 1-10 minutes
– Cost of storing policy
• Average case: ~250 KB
• Application transformation
– Basically free
• Integrate into byte code verifier
• Simple string replacements in constant pool
David Evans
Policy-Directed Code Safety
27
Performance
10.5
JDK-Null
Naccio-Null
Normalized Run Time
7
JDK-JavaApplet
Naccio-JavaApplet
Naccio-JavaApplet Optimized
6
5
4
3
2
1
0
FileExists
David Evans
Tar
Policy-Directed Code Safety
Socket
28
Policy Performance
Null
LimitWrite
TarCustom
LimitWrite-Optimized
TarCustom-Optimized
1.5
Normalized Run Time
1.4
1.3
1.2
1.1
1
0.9
David Evans
FileExists
Tar
Policy-Directed Code Safety
Socket
29
Contributions
• Method for defining safety policies
– In terms of abstract resources
– Policies may be reused on different platforms
• General architecture for code safety
– Prototypes for Win32 and JavaVM
• Encouraging results for JavaVM
– Minimal preparation costs
– Enforces policies more efficiently than JDK
David Evans
Policy-Directed Code Safety
30
Future Work
• What’s left to do
–
–
–
–
Implementing inlining optimizations
Validating/synthesizing platform interface
Multiple threads
Deployment, user interface, policy authoring tools
• Applications of Naccio’s mechanisms
– Performance, debugging, behavior modification
• Can we protect vendors as well?
– Restrict what modifications can be done
– Trust external components
– Use a policy to protect copyright, distribution, etc.
David Evans
Policy-Directed Code Safety
31
Conclusion
• Supporting large class of precise safety
policies important
• Naccio provides good way to define and
enforce policies
• Close to being practical
http://naccio.lcs.mit.edu
Paper to appear in IEEE Security and Privacy,
Oakland, May 1999.
David Evans
Policy-Directed Code Safety
32
END
David Evans
Policy-Directed Code Safety
33
Problem
Policy Author’s View
System View
Program
java.io.FileOutputStream.write (a)
Policy
Resources
System Library
Files
David Evans
Disk
Policy-Directed Code Safety
11
Performance
10.6
Normalized Run Time
7
Naccio-Null
JDK-Null
Naccio-JavaApplet
JDK-JavaApplet
Naccio-JavaApplet Optimized
6
5
4
3
2
1
0
FileExists
David Evans
Tar
Policy-Directed Code Safety
Socket
35