Secure programs via game based synthesis
This presentation is the property of its rightful owner.
Sponsored Links
1 / 90

Secure Programs via Game-based Synthesis PowerPoint PPT Presentation


  • 72 Views
  • Uploaded on
  • Presentation posted in: General

Secure Programs via Game-based Synthesis. Somesh Jha, Tom Reps, and Bill Harris. One-slide summary. Secure programming on a conventional OS is intractable Privilege -aware OS’s take secure programming from intractable to challenging

Download Presentation

Secure Programs via Game-based Synthesis

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Secure programs via game based synthesis

Secure Programs viaGame-based Synthesis

  • Somesh Jha, Tom Reps, and Bill Harris


One slide summary

One-slide summary

  • Secure programming on a conventional OS is intractable

  • Privilege-aware OS’s take secure programmingfrom intractable to challenging

  • Our program rewriter takes secure programming from challenging to simple


Outline

Outline

  • Motivation, problem statement

  • Motivation, problem statement

  • Previous work: Capsicum [CAV ’12, Oakland ’13]

  • Ongoing work: HiStar

  • Open challenges


Secure programming is intractable

Secure Programmingis Intractable

  • 81 exploits in CVE since Sept. 2013

  • Many exploit a software bugto carry out undesirable system operations

    • 2013-5751: exploit SAP NetWeaverto traverse a directory

    • 2013-5979: exploit bad filename handling inXibo to read arbitrary files

    • 2013-5725: exploit ByWordto overwrite files

4


How to carry out an exploit

How to Carry Outan Exploit

software vulnerability

+

OS privilege

=

security exploit


Secure programs via game based synthesis

Solution

The Conventional-OS

software vulnerability

+

OS privilege

=

security exploit


Secure programs via game based synthesis

Solution

The Program-Verification

software vulnerability

+

OS privilege

=

security exploit


Priv aware os

Priv.-aware OS

  • Introduce explicitprivileges over all system objects,primitives that update privileges

  • Programs call primitives to manage privilege


Solution

Priv.-aware OS

The

Solution

(

)

software vulnerability

+

OS privilege

=

security exploit

+

primitives

monitor


Watson 10

Priv.-aware OS

The

Capsicum

[Watson ’10]

  • Privilege: ambient authority (Amb) to open descriptors to system objects

  • Primitives: program calls cap_enter()to manage Amb


Secure programs via game based synthesis

Rules of

’s Amb

Capsicum

  • When a process is created,it has the Amb value of its parent

  • After a process calls cap_enter(),it does not have Amb

  • If a process does not have Amb,then it can never obtain Amb


Secure programs via game based synthesis

gzip

  • main() {

  • file_nms = parse_cl();

  • for (f in file_nms):

  • L0: (in, out) = open2(f);

  • }

L1: compress(in, out);

L1:compress(in, out);

/usr/local

http://evil.com


Secure programs via game based synthesis

A simple policy

gzip

with AMB

  • When gzip calls open2() at L0,it should

  • When gzip calls compress() at L1,it should not

be able to open descriptors

have AMB

have AMB

able to open descriptors


Secure programs via game based synthesis

with AMB

?

L0:AMB

L1:no AMB

?

gzip

main() {

file_nms = parse_cl();

for (f in file_nms):

L0: (in, out) = open2(f);

L1: compress(in, out);

}

cap_enter()


Programming challenges

Capsicum

Programming Challenges

  • Amb policies are not explicit

  • cap_enter primitive has subtle temporal effects


Programming challenges1

gzip

Programming Challenges

main() {

file_nms = parse_cl();

for (f in file_nms):

L0: (in, out) = open2(f);

L1: compress(in, out);

}

AMB

no AMB

AMB

no AMB

AMB

cap_enter();

no AMB

L0:AMB

L1:no AMB


Rules of capsicum s amb

Rules of Capsicum’s Amb

  • When a process is created,it has the AMB value of its parent

  • After a process calls cap_enter(),it never has AMB

  • If a process does not have Amb,then it can never obtain Amb


Instrumenting gzip

Instrumenting gzip

AMB

AMB

AMB

  • main() {

  • file_nms = parse_cl();

  • for (f in file_nms):

  • L0: (in, out) = open2(f);

  • L1: compress(in, out);

  • }

AMB

AMB

sync_fork();

cap_enter();

no AMB

sync_join();

L0:AMB

L1:no AMB


Capsicum challenges not appearing in this talk

Capsicum ChallengesNot Appearing in This Talk

  • Program can construct capability from each UNIX descriptor

  • Capability has a vector of 63 access rights (~1 for every system call on a descriptor)

  • Programs can assume new capabilities via a Remote Procedure Call (RPC)


Instrumenting programs

with CapWeave

Instrumenting Programs

  • Programmer writes an explicitAmb policy

  • CapWeave instruments program to invoke primitives so that it satisfies the policy


Secure programs via game based synthesis

with CapWeave

gzip

main() {

file_nms = parse_cl();

for (f in file_nms):

L0: (in, out) = open2(f);

L1: compress(in, out);

}

Policy

Cur(p) => (pc[L0](p) => AMB(p)

& (pc[L1](p) => !AMB(p))

L0:AMB

L1:no AMB


Secure programs via game based synthesis

main() {

file_nms = parse_cl();

for (f in file_nms):

L0: (in, out) = open2(f);

L1: compress(in, out);

}

CapWeave

void main() {

L0: open2(...);

sync_fork();

cap_enter();

L1: compress();

sync_join();

}

Instrumented

Program

Policy

Cur(p) => (pc[L0](p) => AMB(p)

& (pc[L1](p) => !AMB(p))


The next 700 policy weavers

The Next 700Policy Weavers

  • Analogous challenges with Decentralized Information Flow Control (DIFC)

  • Asbestos [Efstathopoulos ‘05]

  • HiStar [Zeldovich ’06]

  • Flume [Krohn ‘07]


Secure programs via game based synthesis

gzip() {

file_nms = parse_cl();

...

}

Policy

Cur(p) =>

(pc[L0](p) => AMB(p))

& (pc[L1](p) => !AMB(p))

CapWeave

gzip() {

file_nms = parse_cl();

sync_fork();

cap_enter();

...

}

Programmer

Capsicum Designer

cap_enter: Amb’(p):= Amb(p) & ...

WeaverGenerator


Secure programs via game based synthesis

Programmer

HiStar Designer

create_cat(&c):Flows’(p, q) := Flows(p, q) || ...

wrapper() {

exec(...);

...

}

Policy

forall w, s.

Flows(w, s) => ...

HiWeave

WeaverGenerator

scanner() {

create_cat(&c);

exec(...);

...

}


Outline1

Outline

  • Previous work: Capsicum

  • Motivation, problem statement

  • Previous work: Capsicum

  • Ongoing work: HiStar

  • Open challenges


Capweave algorithm

CapWeave Algorithm

  • Inputs: Program P, Amb Policy Q

  • Output: Instrumentation of P that always satisfies Q

  • Build finite IP#⊇instrumented runs that violate Q


1 building ip inputs

1. Building IP#: Inputs

Program

Amb Policy

L0: Amb

L1: no Amb

main() {

file_nms = parse_cl();

for (f in file_nms):

L0: (in, out) = open2(f);

L1: compress(in, out);

}


Secure programs via game based synthesis

1. Building IP#: Output

parse_cl

cap_enter

noop

L0:open2()

L0:open2()

sync_join()

noop

sync_fork()

noop

noop

noop

noop

cap_enter()

cap_enter()

L1:compress()

L1:compress()

L1:compress()

L1:compress()

noop

L1: no Amb

L0:open2()


Secure programs via game based synthesis

1. Building IP#: Output

parse_cl

cap_enter

noop

L0:open2()

L0:open2()

sync_join()

noop

sync_fork()

noop

noop

noop

noop

cap_enter()

cap_enter()

L1:compress()

L1:compress()

L1:compress()

L1:compress()

noop

L0:open2()

L0: Amb


Building ip

Building IP#

  • Basic idea: construct IP# as a forward explorationof an abstract state space


1 a ip define abstract state space

1(a). IP#: Define Abstract State-space

𝛼

Q#

Q


Secure programs via game based synthesis

1(b). IP#: Define Abstract Transformers

𝜏[cap_enter]#

𝛼

Q#

Q

𝜏[cap_enter]


1 c explore abstract state space

𝜏[noop]#

...

noop

...

1(c). Explore Abstract State Space

𝜏[cap_enter]#

𝛼

𝜏[parse_cl]#

...

Q#

cap_enter

...

parse_cl

Q

L0’

L0

init


Secure programs via game based synthesis

parse_cl

cap_enter

noop

L0:open2()

L0:open2()

sync_join()

noop

sync_fork()

noop

noop

noop

noop

cap_enter()

cap_enter()

L1:compress()

L1:compress()

L1:compress()

L1:compress()

noop

L0:open2()

𝜏[parse_cl]#


State structure exploration

≡{

}

A

A

D

B

B

C

State-Structure Exploration

If a concrete state is a logical structure, ...

Q


State structure exploration1

State-Structure Exploration

properties are FOL formulas, ...

∀p. A(p) ⇒ ((B(p) ⇒C(p)) ⋀ (D(p) ⇒ ¬C(p)))


State structure exploration2

State-Structure Exploration

...and semantics is given as predicate updates, ...

A’(x) = A(x) ⋁∃ y. C(y) ⋀ B(q, p)

B’(x, y) = B(x, y) ⋁ (C(x) ⋀ D(y))

C’(x) = ...

D’(x) = ...

𝜏[action] ≡


State structure exploration3

State-Structure Exploration

...then abstract space and transformers

can be generated automatically [Sagiv ’99]

𝜏[action]#

Q#

𝛼

𝛼

𝜏[action]

Q


Capsicum semantics

Capsicum Semantics

A

A

Q ≡

D

1.

2.

B

B

C

A’(x) = A(x) ⋁∃ y. C(y) ⋀ B(q, p)

B’(x, y) = B(x, y) ⋁ (C(x) ⋀ D(y))

C’(x) = ...

D’(x) = ...

𝜏[action] ≡


Capsicum state as structure

Capsicum State as Structure

Cur

Parent

L1

Amb

Amb

∀ p. Cur(p) ⋀L1(p) ⇒ ¬ Amb(p)


Capsicum state as structure1

Capsicum State as Structure

Cur

Parent

L1

Amb

Amb

∀ p. Cur(p) ⋀L1(p) ⇒ ¬ Amb(p)


Secure programs via game based synthesis

Capsicum Structure Transformers

Fresh

Cur

Parent

Cur

Amb

Amb

Structure Transformer

Action

Intro Fresh

Amb’(p) := Amb(p)

⋁ ( Fresh(p)

⋀ ∃ q. Cur(q) ⋀Amb(q))

sync_fork()


Secure programs via game based synthesis

Capsicum Structure Transformers

Fresh

Parent

Cur

Amb

Amb

Structure Transformer

Action

Amb’(p) := Amb(p) ⋀ ¬Cur(p)

cap_enter()


Building ip summary

Building IP#: Summary

  • If semantics is given astransforms of logical structures,we can generate an approximation of runs that cause a violation

  • Capsicum semantics can be modeled as structure transforms


Capweave algorithm1

CapWeave Algorithm

  • Inputs: Program P, Amb Policy Q

  • Output: Instrumentation of P that always satisfies Q

  • Build finite IP#⊇instrumented runs that violate Q

  • From IP#, build safety game Gwon by violations of Q


Two player safety games

Two-Player Safety Games

  • In an Attacker state,the Attacker chooses the next input

  • In a Defender state,the Defender chooses the next input

  • Attacker wants to reach an accepting state


Secure programs via game based synthesis

a

x

y

b

b

w

y

z

c

c

y

x

y

x

d

d

d

d

y

b


Instrumentation as a game

Instrumentation as a Game


Secure programs via game based synthesis

gzip

IP#

parse_cl

cap_enter

noop

L0:open2()

L0:open2()

sync_join()

noop

sync_fork()

noop

noop

noop

noop

cap_enter()

cap_enter()

L1:compress()

L1:compress()

L1:compress()

L1:compress()

noop

L0:open2()


Secure programs via game based synthesis

gzip

Safety Game

parse_cl

cap_enter

noop

L0:open2()

L0:open2()

sync_join()

noop

sync_fork()

noop

noop

noop

noop

cap_enter()

cap_enter()

L1:compress()

L1:compress()

L1:compress()

L1:compress()

noop

L0:open2()


Capweave algorithm2

CapWeave Algorithm

  • Inputs: Program P, Amb Policy Q

  • Output: Instrumentation of P that always satisfies Q

  • Build finite IP# ⊇ instrumented runs that violate Q

  • From IP#, build safety game Gwon by violations of Q

  • From winning strategy for G,generate primitive controller for P


Capweave performance

CapWeave Performance


Performance on included tests

Performance onIncluded Tests


Outline2

Outline

  • Ongoing work: HiStar

  • Motivation, problem statement

  • Previous work: Capsicum

  • Ongoing work: HiStar

  • Open challenges


The histar priv aware os zeldovich 06

The HiStar Priv-aware OS [Zeldovich ’06]

  • Privilege: OS allows flow between processes

  • Primitives: system calls update labels,which define allowed flows

  • Very powerful: mutually untrusting login (?!)


Sandboxing a virus scanner

Sandboxing a Virus Scanner

launcher() {

exec(“/bin/scanner”);

}

wrapper() {

child = sync_fork(&launcher);

while (true) {

read(child, buf);

sanitize(buf);

write(netd, buf); }

}


A flow policy for a virus scanner

A Flow Policyfor a Virus Scanner

  • Information should never transitively flow from the scanner to the network,unless it goes through the wrapper

  • Information should always flow from the scanner to the wrapper

  • Information should always flow from the wrapper to the network


Rules for histar s flow

Rules for HiStar’s Flow

  • A process’s label maps each categoryto low or high

  • If process p calls create_cat, then each process is low in c, and p can declassify c

  • Each process may raise its level at each category

  • Each process may relinquish declassification of any category


Rules for histar s flow1

Rules for HiStar’s Flow

  • Information can flow from p to q if for each category:

  • The level of p is lower than the level of q at c, or

  • p can declassify c


Sandboxing a virus scanner1

Sandboxing a Virus Scanner

launcher() {

exec(“/bin/scanner”); }

wrapper() {

child = sync_fork(&launcher);

while (true) {

read(child, buf);

sanitize(buf);

write(netd, buf); } }

drop_declass(x);

create_cat(&x);

raise(x);


Histar challenges not appearing in this talk

HiStar Challenges Not Appearing in This Talk

  • There are actually four levels

  • Each process has to manage its clearance

  • Processes can create labeled closures(calling a closure implicitly performs two label operations and three ordering checks)


Weave algorithm

Weave Algorithm

Cap

Hi

Amb

Flow

  • Inputs: Program P, Policy Q

  • Output: Instrumentation of P that satisfies Q

  • Build IP# ⊇ instrumented runs that violate Q(using semantics)

  • From IP#, build safety game Gwon by violations of Q

  • From winning strategy for G,generate primitive controller for P

Capsicum

HiStar


Semantics

Semantics

Capsicum

HiStar

A

A

Q ≡

D

1.

2.

B

B

C

𝜏[action] ≡

A’(x) = A(x) ⋁ ∃ y. C(y) ⋀ B(q, p)

B’(x, y) = B(x, y) ⋁ (C(x) ⋀ D(y))

C’(x) = ...

D’(x) = ...


Secure programs via game based synthesis

HiStar State as Structure

Netd

Label

Flows

Flows

Low

x

Low

High

Label

Label

Wrap

Scan

Flows

Cur

∀ w, s, n. Wrap(w) ⋀Scan(s) ⋀Netd(n) ⇒

Flows(s, w) ⋀ Flows(w, n)


Secure programs via game based synthesis

HiStar State as Structure

Netd

Label

Flows

Flows

Low

x

Low

High

Label

Label

Wrap

Scan

Flows

Decl

Cur

∀ w, s, n. Wrap(w) ⋀Scan(s) ⋀Netd(n) ⇒

Flows(s, w) ⋀ Flows(w, n)


Secure programs via game based synthesis

HiStar State Transformers

Flows

Low

Label

Fresh

Cur

x

Decl

Action

Structure Transform

Intro Fresh

Decl’(p, c) := Decl(p, c)

⋁ (Cur(p) ⋀ Fresh(c))

create_cat(&x)


Secure programs via game based synthesis

HiStar State Transformers

Flows

High

Low

Label

Fresh

Cur

x

Decl

Action

Structure Transform

Intro Fresh

High’(l, c) := High(l, c)

⋁ ∃ p. Cur(p) & Label(p, l) & x(c)

raise(&x)


Summary histar semantics

Summary: HiStar Semantics

  • We can define the HiStar semantics as FOL predicate transforms and automatically generate a weaver for HiStar

  • FOL predicate transforms can describecapability and DIFCsemantics


Scanner game

Scanner Game

noop

create_cat(&c)

raise(c)

noop

noop

sync_fork

sync_fork

sync_fork

exec

noop

drop_decl(c)

exec

...


Hiweave performance

HiWeave 𝛼 Performance

  • Generates code for clamwrap in < 3 mins


Secure programs via game based synthesis

Programmer

HiStar Designer

create_cat(&c):Decl’(p, c) := Decl(p, c) || ...

scanner() {

sync_fork();

...

}

Policy

forall w, s, n.

Wrap(w) && ...

HiWeave

WeaverGenerator

scanner() {

create_cat(&c);

sync_fork();

...

}


Outline3

Outline

  • Motivation, problem statement

  • Previous work: Capsicum

  • Ongoing work: HiStar

  • Open challenges


Open challenges

Open Challenges

  • Automating abstraction refinement

  • Automating error diagnosis

  • Compositional synthesis

  • Optimizing generated code

  • Designing a policy logic


Automating abstraction refinement

AutomatingAbstraction Refinement

  • Picking the right abstraction predicates requires a lot of design effort

  • Can we refine the abstraction predicates via counter-strategies?


Automating error diagnosis

AutomatingError Diagnosis

  • When weaver fails, it has a counter-strategy

  • How can we simplify these when presenting them to the user?


Compositional synthesis

Compositional Synthesis

  • Real programs are structuredas a composition of processes

  • Policies are expressed naturally asconjunction of local, global policies

  • Can we adapt compositional verification?[Long, ’89]


Histar logger

HiStar Logger

Local (security) policy: only Logger

should be able to modify log

Logger

log.txt


Histar logger1

HiStar Logger

Global (functionality) policy: under certain conditions,Logger will append log on behalf of Environment

Logger

Environment

log.txt


Optimizing generated code

OptimizingGenerated Code

  • Mean-payoff games present an appealing cost model, but have high complexity in general

  • Can we apply any domain specific optimizations?


Designing a policy logic

Designing a Policy Logic

  • The weaver generator allows a policy writer to declare policies purely over privileges

  • What logic over privileges is easiest for a policy writer to understand?

  • How do we evaluate value added?


Our collaborators

Our Collaborators

Capsicum-dev

Pawel Jakub Dawidek

Khilan Gudka

Ben Laurie

Peter Neumann

MIT-LL

HiStar

TVLA

Michael Zhivich

Nickolai Zeldovich

Mooly Sagiv

Jeffrey Seibert


Secure programs via game based synthesis

Questions?

create_cat(&c):Decl’(p, c) := Decl(p, c) || ...

scanner() {

sync_fork();

...

}

Policy

forall w, s, n.

Wrap(w) && ...

HiWeave

WeaverGenerator

scanner() {

create_cat(&c);

sync_fork();

...

}


Extra slides

Extra Slides


Three valued logic

Three-valued logic

  • Values: true, false, and unknown

  • true & unknown = unknown

  • false & unknown = false


Three valued structures

Three-valued Structures

Parent

Amb

Cur

Parent

Amb

Cur

Amb

Cur

Parent

Amb

Amb

Cur

...

Parent

Parent


Abstraction function

Abstraction Function

alpha_{Cur}

Amb

Cur

Parent

Amb

Amb

Cur

Parent

Parent


Abstraction function1

Abstraction Function

alpha_{Cur}

Amb?

Cur

Parent

Amb

Cur

Parent

Parent


Abstract fork def

Abstract Fork (def)

Amb

Fresh

Cur

Amb

Amb

Amb

Cur

Parent

Parent

Action

Semantics

Intro Fresh

Amb(p) := Amb(p)

|| (Fresh(p) & E q. Cur(q) & Amb(q))

fork()


Abstract fork definite

Abstract Fork (definite)

Amb

Cur

Amb

Fresh

Cur

Fresh

Amb

Amb

Parent

Parent

Parent

Action

Semantics

Intro Fresh

Amb(p) := Amb(p)

|| (Fresh(p) & E q. Cur(q) & Amb(q))

fork()


  • Login