
A Type System for Data-Flow Integrity in Windows Vista. Joint work with Avik Chaudhuri and Sriram Rajamani. Selected as one of the top two papers at PLAS 2008.


Presentation Transcript


    1. A Type System for Data-Flow Integrity in Windows Vista. Joint work with Avik Chaudhuri and Sriram Rajamani. Selected as one of the top two papers at PLAS 2008.

    2. Context
       - Operating systems rely on access controls to enforce information flow properties.
       - In recent years label-based access control mechanisms have taken off: Vista, Asbestos, HiStar.
       - Are they secure? Provable?

    3. What are labels?
       - Processes and objects are tagged with dynamic integrity labels.
       - Labels are related by a total order < ("at most as trusted as").
       - What can a process with label P do?
         - fork a new process with label P
         - create a new object with label P
         - lower its own label
         - change the label of an object from O to O' iff O ⊔ O' < P
         - read an object
         - write an object with label O iff O < P (write down)
         - execute an object with label O, lowering its own label to P ⊓ O

    4. Attacks
       - Can a process with a High label run a Low exe? No . . . well, actually yes!
       - Copy, upgrade, and execute:
         - A Low process copies the object's code to a trojan Low object.
         - A High process upgrades this object from Low to High and executes it . . .
       - The High process needs to upgrade for this attack! In Vista, the user needs to decide.

    5. Empowering the user - typing
       - Define a (process) calculus that "simulates" the OS security environment: fork, create, change, read, write, execute.
       - Specify the target property: prevent data flow from untrusted code to trusted objects.
       - Enforce the property by typing, a standard static analysis trick, typically used to guarantee memory safety.
       - Based on natural deduction, but operational: proposition - type, proof - program.
       - Type inference: automated verification of the property.

    6. Data-Flow Integrity
       - Definition: suppose that the contents of O are trusted at some label S. Then O never contains data that flows from labels < S.
       - Trust is static, declared as an annotation:
           let home = new(. . . # Medium) in . . .
       - Flow?
           [High] home := empty          (empty flows from High)
           [Low] O := empty fork [High] let x = !O in home := x

    7. Static Typing - main idea
       - Maintain a lower bound label S for each object.
       - If the program typechecks, the object's dynamic label is never lower than S, and the object does not contain data that flows from a label lower than S.
       - The programmer annotates objects with S.
       - The typechecking algorithm is efficient: linear in code size and in the number of labels.

    8. Explicit Substitutions & Stuck Typing
       - DFI is a safety property of explicit flows. Explicit: it depends on the existence of a flow, not on the value. However, the history or source of a value is important.
       - Explicit substitutions for tracking flows (types and effects): x flows from a label P or lower if x is an instance of a value substituted at P or lower.
           [Low] o := empty fork [High] let x = !o in home := x
         Here x is an instance of a value (y) whose source is Low.
       - Stuck typing: identify processes that provably block by access control at runtime. They do not return values but have side effects.

    9. Example I
       A Medium process opens ie.exe with label Low and clicks on a URL that contains virus.exe. The virus contains code to write cmd.exe, which has label T.

           let cmd.exe = new(. . . # T) in
           let url = [Low] new(. . . # Low) in
           let binIE = pack(let x = !url in exec x) in
           let ie.exe = new(binIE # T) in
           [Medium] (. . . fork [Low] exec ie.exe)
           fork
           [Low] (let binVirus = pack(cmd.exe := . . . ) in
                  let virus.exe = new(binVirus # Low) in
                  url := virus.exe fork . . )

       Access control blocks the write to cmd.exe (a Low process cannot write to a T object).

    10. Example II
        A Medium process downloads a virus that can erase home and saves it by default in setup.exe. A High process upgrades and executes setup.exe.

            let url = [Low] new(. . . # Low) in
            let setup.exe = [Low] new(. . . # Low) in
            let binIE = pack(let z = !url in let x = !z in setup.exe := x) in
            let ie.exe = new(binIE # T) in
            let home = [Medium] new(. . . # Medium) in
            [High] (· · fork let _ = <High> setup.exe in exec setup.exe)
            fork
            [Medium] (. . . [Low] exec ie.exe)
            [Low] (let binVirus = pack(home := empty) in
                   let virus.exe = new(binVirus # Low) in
                   url := virus.exe . . . )

        A High process can write to a Medium object. Does not typecheck!
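The traces of Examples I and II, replayed by a small Python monitor added here (not the paper's calculus or its type checker): it enforces the slide 3 access rules dynamically and records the label at which each value was substituted, so a write into an object trusted at S of a value flowing from below S is reported as a DFI violation. The label order, the Value/Obj classes and the encoding of packed code as a callable taking the running label are my own modelling assumptions.

```python
from dataclasses import dataclass, field

ORDER = {"Low": 0, "Medium": 1, "High": 2, "T": 3}     # total order Low < Medium < High < T
def leq(a, b): return ORDER[a] <= ORDER[b]
def meet(a, b): return a if leq(a, b) else b           # P ⊓ O
def join(a, b): return b if leq(a, b) else a           # O ⊔ O'

@dataclass
class Value:                 # every value remembers where it was substituted (slide 8)
    payload: object          # data, an object reference, or packed code: a callable taking the running label
    source: str              # label the value flows from
@dataclass
class Obj:
    name: str
    label: str               # dynamic label
    trust: str               # static annotation S: "contents trusted at S" (slide 6)
    content: Value = field(default_factory=lambda: Value("empty", "T"))

class AccessDenied(Exception): pass
class DFIViolation(Exception): pass

def write(p, obj, value):    # [P] obj := value
    if not leq(obj.label, p):                          # access control: O <= P (write down)
        raise AccessDenied(f"[{p}] cannot write {obj.name}#{obj.label}")
    if not leq(obj.trust, value.source):               # DFI: no data flowing from below S
        raise DFIViolation(f"{obj.name} trusted at {obj.trust} gets data from {value.source}")
    obj.content = value
def change_label(p, obj, new):                         # <new> obj, allowed iff O ⊔ O' <= P
    if not leq(join(obj.label, new), p):
        raise AccessDenied(f"[{p}] cannot relabel {obj.name}")
    obj.label = new
def execute(p, obj):                                   # [P] exec obj runs the packed code at P ⊓ O
    obj.content.payload(meet(p, obj.label))
def run(trace):                                        # "ok", or the name of the failure that stops the trace
    try: trace(); return "ok"
    except (AccessDenied, DFIViolation) as e: return type(e).__name__

def example_one():           # slide 9: the Low virus tries to write cmd.exe, which has label T
    cmd, url, ie = Obj("cmd.exe", "T", "T"), Obj("url", "Low", "Low"), Obj("ie.exe", "T", "T")
    ie.content = Value(lambda l: execute(l, url.content.payload), "T")          # let x = !url in exec x
    virus = Obj("virus.exe", "Low", "Low", Value(lambda l: write(l, cmd, Value("payload", "Low")), "Low"))
    return run(lambda: (write("Low", url, Value(virus, "Low")), execute("Low", ie)))

def example_two():           # slide 10: High upgrades setup.exe (now holding the virus) and executes it
    url, setup = Obj("url", "Low", "Low"), Obj("setup.exe", "Low", "Low")
    home, ie = Obj("home", "Medium", "Medium"), Obj("ie.exe", "T", "T")
    ie.content = Value(lambda l: write(l, setup, url.content.payload.content), "T")  # setup.exe := !(!url)
    virus = Obj("virus.exe", "Low", "Low", Value(lambda l: write(l, home, Value("empty", "Low")), "Low"))
    def trace():
        write("Low", url, Value(virus, "Low")); execute("Low", ie)   # Medium forks [Low] exec ie.exe
        change_label("High", setup, "High"); execute("High", setup)  # <High> setup.exe; exec setup.exe
    return run(trace)
```

Example I stops with AccessDenied at the write to cmd.exe, exactly where the slide says access control blocks it; Example II passes every access check (High may write a Medium object) and is caught only by the flows-from bookkeeping, which is the gap the static type system closes.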

    11. Type Invariants
        - Results of code running with effect label P cannot have effects > P.
        - Contents of an object of effect S cannot have effects < S.
        - The label of an object of effect S cannot be < S.
        - Packed code of type P must remain well-typed if unpacked at any label < P.

    12. Contributions
        - A new property relevant to data and code integrity: a trace-based safety property, unlike noninterference.
        - A new type system based on explicit substitutions and subtyping, defined over a process calculus.
        - New insights on the Vista security model: it is fragile and requires dynamic checking to enforce DFI soundly (stuck typing); with type-checking, execution controls can be optimized away.
