Poly stop a hacker

David Walker

Princeton University

(joint work with Lujo Bauer and Jay Ligatti)

Language-Based Security
  • language-based security mechanisms protect a host from untrusted applications by analyzing or modifying application behavior
    • static mechanisms (analysis at link time)
      • type checking, proof checking, abstract interpretation
    • dynamic mechanisms (analysis at run time)
      • access-control lists, stack inspection, capabilities

Program Monitors
  • A program monitor is a computation that runs in parallel with an untrusted application
    • monitors detect, prevent, and recover from application errors at run time
    • monitor decisions may be based on execution history
    • we assume monitors have no knowledge of future application actions

Program Monitors: Good Operations

(diagram: the Application issues fopen(); the Monitor observes the call and, since it is a good operation, lets it proceed)

Program Monitors: Bad Operations

(diagram: the Application issues fopen(); the Monitor judges it a bad operation and responds "halt!")

Program Monitors: Options
  • A program monitor may do any of the following when it recognizes a dangerous operation:
    • halt the application
    • suppress (skip) the operation but allow the application to continue
    • insert (perform) some computation on behalf of the application

Past Research
  • Program monitors have a lengthy history in the systems community
    • OS kernels
      • use hardware support
      • secure fixed system-call interface
    • mobile code architectures and safe languages (Java, CLR)
      • more complex interactions between applications
      • more diverse set of interfaces to secure
      • more diverse set of policies necessary

The Polymer Project
  • Theoretical analysis of the range of the policies enforceable at run time
  • Definition and implementation of a high-level policy language
    • incorporate types, modularity and high-level programming techniques
  • Formal semantics and tools for reasoning about policies

Today: Polymer the Language
  • Polymer via Pictures
    • simple policies
    • complex policies
  • Polymer semantics
    • monadic structure
    • types
  • Polymer discussion
    • implementation, related and future work

What is in a run-time security policy?
  • Policy-relevant actions
    • method calls, get/set state, raise exception
  • Security-relevant state
    • inaccessible to application program
  • Decision procedure
    • does the current action satisfy the policy in the current state?
    • if not, what supplementary action must be taken?

Example: Access Control

(diagram: Access Control Monitor (ACM), receiving each action a from the application)
  • state: acl
  • actions: fopen, fclose, getc, putc
  • computation: acl lookup

Example: Deadlock Prevention

(diagram: Deadlock Prevention Monitor (Deadlock))
  • state: locks held
  • actions: acquire, release
  • computation: locking protocol

Security in Complex Systems
  • Restating the obvious:
    • it’s hard to secure complex systems against the determined attacker
  • Design goal:
    • prepare for mistakes
    • be ready for change
  • Mechanisms:
    • modularity
    • highly structured and parameterized policies

Security in Complex Systems
  • Polymer Mechanisms
    • high-level policy combinators
      • conjunctive policies
      • disjunctive policies
    • modularity mechanisms from modern languages (eg: ML)
      • hierarchical policies
      • parameterized policies
      • higher-order policies

Parallel Conjunctive Policies

(diagram: the ResourceMgr monitor wraps the Application; inside it, Deadlock and ACM run in parallel and their verdicts are combined by a conjunctive decision)

Parallel Conjunctive Policies
  • two independent parallel processes decide whether an action is allowed
    • both say okay ==> application goes ahead
    • either says halt ==> application halts
    • one says okay and the other does not care about this action ==> application goes ahead
  • example:
    • resourceMgr = ACM AND Deadlock

Policy Combinators
  • Conjunctive policies narrow the set of acceptable program action sequences
  • Disjunctive policies widen the set of acceptable program action sequences

Parallel Disjunctive Policies

(diagram: the ACM++ monitor wraps the Application; inside it, Authenticated ACM and ACM run in parallel and their verdicts are combined by a disjunctive decision)

Parallel Disjunctive Policies
  • two independent parallel processes decide whether an action is allowed
    • either says okay ==> app. goes ahead
    • both say halt ==> application halts
    • one says okay and the other does not care about this action ==> app. goes ahead
  • example:
    • ACM++ = ACM OR AuthenticatedACM

Chinese Wall Policies
  • Chinese Wall Policies
    • each application is offered a number of protocol choices
    • when the application selects one choice, all other choices become unavailable
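The combinator semantics of the preceding slides (parallel conjunction, parallel disjunction, and a Chinese Wall built from a disjunction) as an added Python model; this is example code written for this page, not Polymer and not code from the talk. It assumes each policy decides per action with ok, halt or don't-care, that a disjunct which has said halt is discarded from then on (which is what makes the other Chinese Wall choice unavailable), and it uses constructed action names, constructed ACL entries and a constructed lock-ordering rule for Deadlock.

```python
# Added example (Python, not Polymer): parallel conjunction, parallel disjunction
# and a Chinese Wall built from a disjunction. Action names, the ACL contents and
# the lock-ordering rule used by Deadlock are constructed for this example.
from enum import Enum


class Decision(Enum):
    OK = "ok"
    HALT = "halt"
    DONT_CARE = "dont_care"  # the action lies outside this policy's regulated set


class ACM:
    """Access-control monitor: regulates fopen by looking the request up in an ACL."""

    def __init__(self, acl):
        self.acl = acl  # set of permitted (path, mode) pairs (constructed)

    def decide(self, action):
        name, args = action
        if name != "fopen":
            return Decision.DONT_CARE
        return Decision.OK if args in self.acl else Decision.HALT


class Deadlock:
    """Deadlock prevention: locks must be acquired in strictly increasing order."""

    def __init__(self):
        self.held = []

    def decide(self, action):
        name, args = action
        if name == "acquire":
            (lock,) = args
            if self.held and lock <= self.held[-1]:
                return Decision.HALT
            self.held.append(lock)
            return Decision.OK
        if name == "release":
            (lock,) = args
            if lock in self.held:
                self.held.remove(lock)
            return Decision.OK
        return Decision.DONT_CARE


class Only:
    """One Chinese Wall choice: `allowed` actions are fine, `forbidden` ones halt."""

    def __init__(self, allowed, forbidden):
        self.allowed, self.forbidden = set(allowed), set(forbidden)

    def decide(self, action):
        name, _ = action
        if name in self.allowed:
            return Decision.OK
        if name in self.forbidden:
            return Decision.HALT
        return Decision.DONT_CARE


class And:
    """Parallel conjunction: either halt => halt; otherwise any ok => ok."""

    def __init__(self, p1, p2):
        self.parts = [p1, p2]

    def decide(self, action):
        decisions = {p.decide(action) for p in self.parts}
        if Decision.HALT in decisions:
            return Decision.HALT
        return Decision.OK if Decision.OK in decisions else Decision.DONT_CARE


class Or:
    """Parallel disjunction: any ok => ok; halt only when every live branch has halted.
    A branch that says halt is dead from then on, which is what makes the other
    Chinese Wall choice unavailable once the application has picked one."""

    def __init__(self, p1, p2):
        self.alive = [p1, p2]

    def decide(self, action):
        results = [(p, p.decide(action)) for p in self.alive]
        self.alive = [p for p, d in results if d is not Decision.HALT]
        decisions = {d for _, d in results}
        if Decision.OK in decisions:
            return Decision.OK
        return Decision.DONT_CARE if self.alive else Decision.HALT


def run(policy, trace):
    """Feed a trace of (name, args) actions to a policy, stopping at the first halt."""
    decisions = []
    for action in trace:
        decisions.append(policy.decide(action))
        if decisions[-1] is Decision.HALT:
            break
    return decisions


def resource_mgr():
    """resourceMgr = ACM AND Deadlock, as on the slide."""
    return And(ACM({("log.txt", "r")}), Deadlock())


def chinese_wall():
    """Chinese Wall: ("File, not Network") OR ("Network, not File")."""
    return Or(Only({"fopen"}, {"socket"}), Only({"socket"}, {"fopen"}))
```

run feeds a constructed trace to a policy and stops at the first halt; with chinese_wall, a trace that opens a file and later opens a socket is halted at the socket, and the mirror-image trace is halted at the fopen, while an action neither choice regulates passes through as don't-care.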

Parallel Disjunctive Policies

(diagram: the Chinese Wall Monitor wraps the Application; inside it, "File, not Network" and "Network, not File" run in parallel and their verdicts are combined by a disjunctive decision)

Complete Mediation
  • A Crucial Security Principle
    • in order to protect a resource, one must mediate all accesses to that resource
  • Naive composition of policies can lead to violations of complete mediation
    • eg: kernelSafety AND deadlock
      • kernelSafety inserts acquire/release to protect kernel data
      • deadlock must see all acquire/release actions

Sequential Conjunction

(diagram: the Resource Manager wraps the Application; the deadlock prevention and kernel safety policies are composed in sequence and yield a conjunctive decision)

Sequential Conjunction

(diagram: the System Policy wraps the Application; the resource manager and a logging/auditing process are composed in sequence and yield a conjunctive decision)

Sequential Disjunction

(diagram: a Disjunctive Monitor wraps the Application; its sequentially composed policies yield a disjunctive decision)

Today: Polymer the Language
  • Polymer via Pictures
    • simple policies
    • complex policies
  • Polymer semantics
    • monadic structure
    • types
  • Polymer discussion
    • implementation, related and future work

Formal Language Structure
  • Derived from the computational lambda calculus [Moggi]
    • computations (E)
      • run in parallel with an untrusted application
      • have effects on the application (halt, suppress, change state, perform application actions, etc.)
    • terms (M)
      • an algebra for manipulating suspended computations (ie: policies)
      • do not have effects

Simple Policies
  • actions (method calls)
    • a in A
  • terms (policies)
    • M ::= {actions: A; policy: E} | fun f (x:t) = M | M1 M2 | ...
  • monitoring computations
    • E ::= M | ok; E | sup; E | call (a) | next: E1 done: E2 | do M; E | case * of (A1: E1 | A2: E2) | ...

Memory-Limit Example

    fun mpol(q:int) =
    {
      actions: malloc;
      policy:
        next:
          case * of
            malloc(n):
              let q’ = q-n in
              if (q’ > 0) then ok; do (mpol q’)
              else halt end
        done:
          ()
    }

Memory-Limit Policy
  • mpol is a function from integers to policies
  • to generate a policy we apply our function to an initial memory quota:
    • memLimit = mpol 10000

File-Access Example

    fun fpol (files: file list) =
    {
      actions: fopen, fcloses;
      policy:
        next:
          case * of
            fopen(s,m):
              if (acl s m) then
                ok; do (fpol (s::files))
              else
                sup; do (fpol (files))
          | fcloses (l): ...
        done:
          call (fcloses files)
    }

File-Access Policy
  • Once again, we apply our recursive function to an initial argument to get a policy
    • fileAccess = fpol []
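The memory-limit and file-access policies of the preceding slides, together with the halt / suppress / insert options from the Program Monitors slide, as an added Python model; this is example code written for this page, not Polymer and not the authors' implementation. A policy here is an object carrying its regulated action set, a next handler that returns a verdict plus the successor policy (the model of ok; do (mpol q')), and a done handler whose result stands in for call (fcloses files). The ACL contents, the quota and the traces are constructed.

```python
# Added example (Python, not Polymer): the memory-limit and file-access policies
# as an edit automaton that can let an action through (ok), drop it (sup), halt
# the application, or insert actions of its own when the application is done.
# ACL contents, quota and traces are constructed for this example.

OK, SUP, HALT = "ok", "sup", "halt"


class Policy:
    """actions: regulated action names; next: (name, args) -> (verdict, successor policy);
    done: () -> list of actions to perform on the application's behalf at exit."""

    def __init__(self, actions, next_, done):
        self.actions = frozenset(actions)
        self.next = next_
        self.done = done


def mpol(q):
    """Memory-limit policy parameterised by the remaining quota q (mpol : int -> policy)."""

    def next_(name, args):
        (n,) = args                  # malloc(n)
        q_new = q - n                # let q' = q - n
        if q_new > 0:
            return OK, mpol(q_new)   # ok; do (mpol q')
        return HALT, None            # else halt

    return Policy({"malloc"}, next_, lambda: [])  # done: ()


ACL = {("/tmp/data", "r"), ("/tmp/out", "w")}  # constructed access-control list


def acl(s, m):
    return (s, m) in ACL


def fpol(files):
    """File-access policy; `files` lists the files the application currently has open."""

    def next_(name, args):
        if name == "fopen":
            s, m = args
            if acl(s, m):
                return OK, fpol([s] + files)    # ok; do (fpol (s::files))
            return SUP, fpol(files)             # sup; do (fpol files)
        (closed,) = args                        # fcloses(l): forget the closed files
        return OK, fpol([f for f in files if f not in closed])

    # done: call (fcloses files) -- close whatever the application left open
    return Policy({"fopen", "fcloses"}, next_, lambda: [("fcloses", (list(files),))])


def monitor(policy, trace):
    """Run the monitor over a trace. Returns the action sequence actually performed
    (after suppression and insertion) and the final status."""
    performed = []
    for name, args in trace:
        if name not in policy.actions:
            performed.append((name, args))  # unregulated actions pass straight through
            continue
        verdict, policy = policy.next(name, args)
        if verdict == HALT:
            return performed, "halted"
        if verdict == OK:
            performed.append((name, args))
        # SUP: the action is skipped and the application continues
    performed.extend(policy.done())  # the `done:` clause runs when the application exits
    return performed, "done"


memLimit = mpol(10000)  # memLimit = mpol 10000
fileAccess = fpol([])   # fileAccess = fpol []
```

Because each verdict returns a fresh successor policy, memLimit and fileAccess stay reusable across runs, which mirrors the slides' "apply the recursive function to an initial argument" construction; the suppressed fopen of a file outside the ACL never appears in the performed sequence, and the inserted fcloses at the end closes exactly the files the policy saw opened and not yet closed.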

Policy Types
  • types
    • t ::= int | () | t1 x t2 | t1 + t2 | t1 -> t2 | M t

  • examples:
    • mpol : int -> M ()
    • memLimit : M ()
  • a simple type system prevents standard sorts of errors

Parallel Conjunctive Policies
  • A parallel conjunctive policy is a suspended computation that returns a pair of values
  • Types:
    • if P1 : M t1 and P2 : M t2 then P1 AND P2 : M (t1 x t2)
    • Curry-Howard strikes again!
  • Trivial policy T is the identity for AND
    • T : M ()

Parallel Disjunctive Policies
  • A parallel disjunctive policy is a suspended computation that returns a sum
  • Types:
    • if P1 : M t1 and P2 : M t2 then P1 OR P2 : M (t1 + t2)
  • The unsatisfiable policy is the identity for OR
    • its type is M void

Complete Mediation Failure

(diagram: the Application calls foo(); inside the Monitor, the auditing process and the deadlock policy are composed, and the figure shows an action that one of them never sees)

Conflicting Policies

(diagram: the Application calls foo(); inside the Monitor one policy says sup and the other says ok, so the combined decision is "?")

Types and Effects
  • We synthesize the effects of a computation
    • the effects = the actions that may be inserted or suppressed by a computation
  • P1 AND P2 is well-formed when
    • the effects of P1 are disjoint from the regulated set of P2 and vice versa
  • effect analysis
    • ensures complete mediation for parallel pol’s
    • provides flexibility in sequential pol’s
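The well-formedness condition from this slide as an added Python check; this is example code written for this page, not Polymer's actual type-and-effect system. Each policy signature lists the actions it regulates and the actions it may insert or suppress; the kernelSafety and deadlock signatures reproduce the complete-mediation example from earlier in the deck, and the sequential check (what the first policy inserts flows on to the second, so only the second policy's effects can escape the first) is this example's reading of the slide's remark about flexibility in sequential policies. The action name kernel_write is constructed.

```python
# Added example (Python, not Polymer): an effect analysis modelled on the
# "Types and Effects" slide. A policy signature records the actions it regulates
# and the actions it may insert or suppress (its effects). P1 AND P2 in parallel
# is well-formed only when each side's effects are disjoint from the other
# side's regulated set. Signatures and the action name kernel_write are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicySig:
    name: str
    regulated: frozenset                  # actions the policy must see (complete mediation)
    inserted: frozenset = frozenset()     # actions the policy may perform on the app's behalf
    suppressed: frozenset = frozenset()   # actions the policy may drop

    @property
    def effects(self):
        return self.inserted | self.suppressed


def check_parallel_and(p1, p2):
    """Return (well_formed, conflicts). A conflict is
    (policy whose effect escapes, action, policy that needed to see it)."""
    conflicts = [(p1.name, a, p2.name) for a in sorted(p1.effects & p2.regulated)]
    conflicts += [(p2.name, a, p1.name) for a in sorted(p2.effects & p1.regulated)]
    return (not conflicts, conflicts)


def check_sequential_and(first, second):
    """Sequential conjunction (this example's reading of the slide): whatever
    `first` inserts flows on to `second`, so only the effects of `second` that
    `first` regulates escape mediation."""
    conflicts = [(second.name, a, first.name)
                 for a in sorted(second.effects & first.regulated)]
    return (not conflicts, conflicts)


# kernelSafety inserts acquire/release to protect kernel data;
# deadlock must see every acquire/release (both from the Complete Mediation slide)
kernel_safety = PolicySig("kernelSafety", regulated=frozenset({"kernel_write"}),
                          inserted=frozenset({"acquire", "release"}))
deadlock = PolicySig("deadlock", regulated=frozenset({"acquire", "release"}))
# the file-access policy regulates fopen and may suppress it; no other effects
acm = PolicySig("ACM", regulated=frozenset({"fopen"}), suppressed=frozenset({"fopen"}))
```

Running the checks shows why the slide calls the naive composition unsafe: kernelSafety AND deadlock in parallel is rejected because the inserted acquire and release never pass through deadlock, while ACM AND deadlock is accepted because their effect and regulated sets do not overlap. Ordering kernelSafety before deadlock sequentially is accepted, the opposite order is not.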

Today: Polymer the Language
  • Polymer via Pictures
    • simple policies
    • complex policies
  • Polymer semantics
    • monadic structure
    • types
  • Polymer discussion
    • implementation, related and future work

Implementation Architecture

(diagram: a Java application is instrumented against a policy interface; the instrumented application together with the policy implementation forms the secure application)

Implementation Progress
  • work so far:
    • simple policies with basic features (ok, sup, pattern matching, case, Java base)
    • higher-order policies and policy combinators
  • future work:
    • networking applications
    • further combinators
    • type and effect system
    • dynamic policy updates

Related Work
  • Aspect-oriented programming
    • Polymer is a domain-specific aspect-oriented programming language
    • New features:
      • an aspect algebra with novel combinators
      • a new approach to aspect collision (types and effects)
      • formal semantics as an extension of Moggi’s computational lambda calculus
        • see also Wand et al.’s semantics for aspects

Related Work
  • Monitoring languages
    • General-purpose languages/systems for monitoring applications
      • Poet and Pslang, Naccio, Ariel, Spin Kernel
    • Logical monitoring specifications
      • MAC (temporal logic), Bigwig (second-order monadic logic)

Summary: Polymer
  • First steps towards the design of a modern language for programming modular run-time security monitors
  • References
    • FCS ’02 (expressible and inexpressible policies)
    • Princeton TR 655-02 (Polymer semantics)
    • www.cs.princeton.edu/sip/projects/polymer/
