This paper discusses innovative approaches for ensuring safety properties in program verification by utilizing Counterexample-Guided Abstraction Refinement (CEGAR) and Inlined Reference Monitoring (IRM). It highlights the current challenges in safety property verification and introduces hybrid methods, like SafetyWeave, to improve efficiency. We detail the operational steps of implementing CEGAR for invalid model refinement and the design of the IRM for runtime enforcement of security policies. Our findings are supplemented with experimental results that illustrate the effectiveness of these methodologies.
Efficient Runtime Policy Enforcement Using Counterexample-Guided Abstraction Refinement
Matt Fredrikson, Rich Joiner, Somesh Jha, Tom Reps, Phillip Porras, Hassen Saïdi, Vinod Yegneswaran
Funded by:
Outline • Ensuring safety properties: current practice • CEGAR: program verification • IRM: filtering program behavior • SafetyWeave: a hybrid approach • Implementation and experimental results
CEGAR (diagram of the loop)
• Source Code → Model Construction → Model Checking against the Safety Property
• No counterexamples: the program is "Verified"
• Counterexample Trace: decide whether it is valid
  • Invalid counterexample → Model Refinement → back to Model Construction
  • Valid counterexample: the loop ends with a real violation
CEGAR Issues • Computational complexity • Model grows exponentially with each refinement step • May not terminate (in our lifetimes) • Statically indeterminable behavior • Higher-order functions • Dynamic scope • No recourse for valid counterexamples • Requires manual intervention Takeaway: CEGAR can be an expensive analysis
Runtime Enforcement (diagram)
• Source Code + Safety Property → Inlined Reference Monitoring → Dynamically-filtered Source Code
Úlfar Erlingsson, Fred B. Schneider, "The inlined reference monitor approach to security policy enforcement," 2004
IRM Example

Safety property: Don't inspect the document prior to assigning to the cookie.

Original program:

    var d = document;
    var f = d.getElementById;
    var t = f('secret');
    if (t) {
      d.cookie = t.innerHTML;
    }

Naively instrumented program: a monitor state variable is added, and before every statement one check is inserted per policy transition (two that move the monitor from state 0 to state 1, one that halts in state 1):

    var state = 0;
    if (state == 0 && check("var d = document", "call(document.getElementById)")) state = 1;
    if (state == 0 && check("var d = document", "call(document.getElementsByTagName)")) state = 1;
    if (state == 1 && check("var d = document", "set(document.cookie)")) halt();
    var d = document;
    if (state == 0 && check("var f = d.getElementById", "call(document.getElementById)")) state = 1;
    if (state == 0 && check("var f = d.getElementById", "call(document.getElementsByTagName)")) state = 1;
    if (state == 1 && check("var f = d.getElementById", "set(document.cookie)")) halt();
    var f = d.getElementById;
    if (state == 0 && check("var t = f('secret')", "call(document.getElementById)")) state = 1;
    if (state == 0 && check("var t = f('secret')", "call(document.getElementsByTagName)")) state = 1;
    if (state == 1 && check("var t = f('secret')", "set(document.cookie)")) halt();
    var t = f('secret');
    if (state == 0 && check("if (t)", "call(document.getElementById)")) state = 1;
    if (state == 0 && check("if (t)", "call(document.getElementsByTagName)")) state = 1;
    if (state == 1 && check("if (t)", "set(document.cookie)")) halt();
    if (t) {
      if (state == 0 && check("d.cookie = t.innerHTML", "call(document.getElementById)")) state = 1;
      if (state == 0 && check("d.cookie = t.innerHTML", "call(document.getElementsByTagName)")) state = 1;
      if (state == 1 && check("d.cookie = t.innerHTML", "set(document.cookie)")) halt();
      d.cookie = t.innerHTML;
    }
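The monitor that the instrumented program above drives, as an added example that is not the paper's or JaM's code: the same three-state automaton enforced in plain JavaScript. Instead of a `check()` call before every statement, it wraps `document.getElementById`, `document.getElementsByTagName` and the `cookie` setter, so the aliased call `f('secret')` is still observed at runtime. The `document` object, the `PolicyViolation` class and the two driver functions are constructed for this example so that it runs under Node without a browser.

```javascript
// Added example, not code from the paper: a runtime monitor for the policy
// "don't inspect the document prior to assigning to the cookie".
// A --call(getElementById|getElementsByTagName)--> B --set(cookie)--> C (error).
const policy = {
  initial: 'A',
  error: 'C',
  transitions: {
    'A,call(document.getElementById)': 'B',
    'A,call(document.getElementsByTagName)': 'B',
    'B,set(document.cookie)': 'C',
  },
};

class PolicyViolation extends Error {}   // constructed for the example

function makeMonitor(policy) {
  let state = policy.initial;
  return {
    get state() { return state; },
    // Advance the automaton; events with no explicit transition are self-loops.
    event(name) {
      const next = policy.transitions[`${state},${name}`];
      if (next === undefined) return;
      if (next === policy.error) throw new PolicyViolation(`${name} in state ${state}`);
      state = next;
    },
  };
}

// Wrap the document so every path to a monitored operation, including an
// alias such as `var f = d.getElementById`, raises the policy event first.
function instrument(doc, monitor) {
  const origById = doc.getElementById;
  const origByTag = doc.getElementsByTagName;
  doc.getElementById = function (...args) {
    monitor.event('call(document.getElementById)');
    return origById.apply(this, args);
  };
  doc.getElementsByTagName = function (...args) {
    monitor.event('call(document.getElementsByTagName)');
    return origByTag.apply(this, args);
  };
  let cookie = doc.cookie;
  Object.defineProperty(doc, 'cookie', {
    get() { return cookie; },
    set(v) { monitor.event('set(document.cookie)'); cookie = v; },
  });
  return doc;
}

// Constructed stand-in for the browser DOM.
function fakeDocument() {
  return {
    cookie: '',
    getElementById(id) { return id === 'secret' ? { innerHTML: 'hunter2' } : null; },
    getElementsByTagName() { return []; },
  };
}

// The program from the slide, run against an instrumented document.
// Returns 'halted' when the monitor stops it, otherwise the final cookie.
function runSlideProgram() {
  const monitor = makeMonitor(policy);
  const document = instrument(fakeDocument(), monitor);
  try {
    var d = document;
    var f = d.getElementById;
    var t = f('secret');            // alias still reaches the wrapper: A -> B
    if (t) {
      d.cookie = t.innerHTML;       // B --set(document.cookie)--> C: halt
    }
    return d.cookie;
  } catch (e) {
    if (e instanceof PolicyViolation) return 'halted';
    throw e;
  }
}

// A benign program: the cookie is written before the document is inspected,
// so the set(document.cookie) event is a self-loop on A and nothing halts.
function runBenignProgram() {
  const monitor = makeMonitor(policy);
  const document = instrument(fakeDocument(), monitor);
  document.cookie = 'session=abc';
  const t = document.getElementById('secret');
  return { cookie: document.cookie, state: monitor.state, found: t !== null };
}

console.log(runSlideProgram(), runBenignProgram());
```

Wrapping the entry points trades the slides' per-statement checks for one interception per monitored operation; the policy itself (states, events, error state) is the same object a source-rewriting IRM would consult.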
IRM Issues • Runtime overhead • Spurious instrumentation placement • Programs run slower Takeaway: IRM can be expensive at runtime
The Idea • Combine CEGAR and IRM • Statically remove naïve IRM instrumentation • Limit the size of the abstract program model
Rewritten Program

Safety property: Don't inspect the document prior to assigning to the cookie.

Only the two checks that can actually change the monitor state survive: the getElementById check before the call `f('secret')`, and the cookie check before the assignment. The getElementsByTagName checks are gone because no statement can call it, and the checks at the remaining statements are gone because those statements cannot trigger any transition.

    var state = 0;
    var d = document;
    var f = d.getElementById;
    if (state == 0 && check("var t = f('secret')", "call(document.getElementById)")) state = 1;
    var t = f('secret');
    if (t) {
      if (state == 1 && check("d.cookie = t.innerHTML", "set(document.cookie)")) halt();
      d.cookie = t.innerHTML;
    }

Original program, for comparison:

    var d = document;
    var f = d.getElementById;
    var t = f('secret');
    if (t) {
      d.cookie = t.innerHTML;
    }
The SafetyWeave Algorithm • INPUT: Program, safety property • OUTPUT: Rewritten program Characteristics • Sound • Rewritten program proven safe w.r.t. the property • All benign execution is preserved • Language-independent • Tunable tradeoff between static and dynamic overhead • Always terminates
Safety Properties • Temporal state traces that a program should not exhibit • Can be encoded as an automaton with state predicates labeling the edges
Example automaton for the cookie property (states A, B, C):
• A → B on call(document.getElementById) or call(document.getElementsByTagName)
• B → C on set(document.cookie)
• A and B each carry a self-loop (*) on every other event; reaching C is a violation
Key Insight: CEGAR analysis used to minimize IRM instrumentation (diagram)
• Source Code → Model Construction → Model Checking against the Safety Property
• Invalid counterexample → Model Refinement → Model Construction
• Valid counterexample → Source Code Rewriting (insert the IRM check that blocks it) → Model Construction
• No counterexamples → Verified, Instrumented Source Code
Key Insight: Number of predicates learned limited to ensure termination (diagram)
• Source Code → Model Construction → Model Checking against the Safety Property
• Counterexample → Model Refinement, until the Abstraction Limit is Reached
• Abstraction Limit Reached → Source Code Rewriting → Model Construction
• No counterexamples → Verified, Instrumented Source Code
Prototype Implementation • JaM is the JavaScript Model Checker • Why JavaScript? • Pervasive on the Internet • Code often comes from many authors • Libraries, advertisements, mash-ups, web service interfaces • JavaScript is challenging to analyze statically • Higher-order functions, scope-resolution rules, writable native objects
Deployment Scenario • JaM is part of a DARPA clean-slate security effort
(Figure: an ads entrepreneur submits JavaScript to the JaM analysis server; a verified online ad service delivers the result to website owners.)
Prototype tool chain (diagram): the SafetyWeave loop of the previous slides, annotated with the components behind each stage
• Model Construction and Model Checking: OpenNWA, XSB, Kaluza/Yices
• Source Code Rewriting: Closure Compiler
• Output: Verified, Instrumented Source Code
JavaScript Language Model • Implements symbolic pre-image operator over program statements • Based on JavaScript semantics of Maffeis et al. • Sergio Maffeis, John Mitchell, Ankur Taly, "Operational Semantics of JavaScript," APLAS '08 • Operational semantics encoded as a logic program
Example rule [E-This]: to evaluate the "this" keyword, traverse the scope chain and retrieve its reference value.

    Scope(H, l, @this) = l1     H, l1.@Get(@this) = va
    --------------------------------------------------- [E-This]
    H, l, this -> H, l, va

Encoded as a logic-program clause:

    exp(H, L, E, H, L, Va) :- is_this(E), scope(H, L, '@this', L1), aget(H, L1, '@this', Va).
Applications and Policies • Benchmark applications • 12 real programs used on the WWW • Range from 25 to 4000 lines • Exercise a wide range of JavaScript coding patterns and constructs • JaM safety properties • Communication with external hosts • Modification of persistent storage to reflect page contents • Creation of foreign pop-up dialog boxes • DOM access/modification
Experimental Results • Initial abstract model (without refinement) • Program model composed of predicates used in safety property • 89% to 100% of statements deemed safe • Effect of model refinement • 5 of 12: required no refinement • 5 of 12: reduced spurious counterexamples by learning 1 to 4 predicates
The complete SafetyWeave loop (diagram)
• Source Code → Model Construction → Model Checking against the Safety Property
• Invalid counterexample → Model Refinement → Model Construction
• Valid counterexample, or Abstraction Limit Reached → Source Code Rewriting → Model Construction
• No counterexamples → Verified, Instrumented Source Code
A Simple Example: Program & Policy

Program:

    api[0] = readFile;
    api[1] = sendPacket;
    while (true) {
      instr, data = read();
      api[instr](data);
    }

Policy automaton (states A, B, C): A → B on call readFile or call readHistory; B → C on call sendPacket; A and B carry self-loops (*) on every other event.
Control Flow Automaton (diagram): edges labeled with the program's statements
• entry → n1 on api[0] = readFile
• n1 → n2 on api[1] = sendPacket
• n2 → n3 on while(true) {true}; n2 → {exit} on while(true) {false}
• n3 → n4 on instr, data = read()
• n4 → n2 on api[instr](data)
Data Automaton (diagram) • α: call readFile • β: call readHistory • γ: call sendPacket
Edges are labeled with conjunctions of these predicates and their negations; in the diagram A → B is taken on α ∧ ¬β ∧ ¬γ or on ¬α ∧ β ∧ ¬γ, and B → C on ¬α ∧ ¬β ∧ γ. [Self-edges omitted for sanity]
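An added example (not code from the paper or JaM) of the static side of the idea, covering both the cookie program rewritten earlier and the readFile/sendPacket example of the last three slides: explore the product of the control-flow automaton with the policy automaton, record which policy transitions can actually fire at which statement, and emit only those guards. The `may` event sets on CFA edges are a hypothetical, deliberately coarse abstraction standing in for the predicate abstraction JaM builds; the `check`/`halt` guard syntax mirrors the slides. Both inputs are constructed from the slides.

```javascript
// Added example, not the paper's implementation: reachability over the
// product of a control-flow automaton (CFA) and a policy automaton, used to
// decide which statements need an inlined check.

// policy: states in order (index = numeric state in the rewritten program),
// explicit transitions [src, event, dst]; anything else is a self-loop.
function policyStep(policy, state, event) {
  const t = policy.transitions.find(([s, e]) => s === state && e === event);
  return t ? t[2] : state;
}

// cfa: edges {from, to, stmt, may: [events the statement MAY produce]}.
// Returns policy states reachable at each node, the transitions that can fire
// at each statement, and whether the error state is reachable at all.
function analyze(cfa, policy, entry) {
  const reach = new Map([[entry, new Set([policy.states[0]])]]);
  const needed = new Map();
  let changed = true;
  while (changed) {                          // fixpoint over the product
    changed = false;
    for (const edge of cfa) {
      const src = reach.get(edge.from);
      if (!src) continue;
      if (!reach.has(edge.to)) reach.set(edge.to, new Set());
      const dst = reach.get(edge.to);
      for (const s of src) {
        const outs = new Set([s]);           // a "may" event can also not happen
        for (const ev of edge.may) {
          const s2 = policyStep(policy, s, ev);
          if (s2 === s) continue;            // self-loop: nothing to monitor
          outs.add(s2);
          const fired = needed.get(edge.stmt) || [];
          if (!fired.some(([a, b]) => a === s && b === ev)) fired.push([s, ev, s2]);
          needed.set(edge.stmt, fired);
        }
        for (const o of outs) if (!dst.has(o)) { dst.add(o); changed = true; }
      }
    }
  }
  const errorReachable = [...reach.values()].some(set => set.has(policy.error));
  return { reach, needed, errorReachable };
}

// Emit the guards of the rewritten program in the slides' shape: one check per
// transition that can fire at that statement. Entry is assumed to be the
// source node of the first edge. A program proven safe gets no guards.
function emitGuards(cfa, policy) {
  const { needed, errorReachable } = analyze(cfa, policy, cfa[0].from);
  if (!errorReachable) return [];
  const out = [];
  for (const [stmt, fired] of needed) {
    for (const [s, ev, s2] of fired) {
      const i = policy.states.indexOf(s);
      const action = s2 === policy.error ? 'halt();' : `state = ${policy.states.indexOf(s2)};`;
      out.push(`if (state == ${i} && check("${stmt}", "${ev}")) ${action}`);
    }
  }
  return out;
}

// Constructed input 1: the cookie policy and program from the IRM slides.
const cookiePolicy = {
  states: ['A', 'B', 'C'], error: 'C',
  transitions: [
    ['A', 'call(document.getElementById)', 'B'],
    ['A', 'call(document.getElementsByTagName)', 'B'],
    ['B', 'set(document.cookie)', 'C'],
  ],
};
const cookieCfa = [
  { from: 0, to: 1, stmt: 'var d = document', may: [] },
  { from: 1, to: 2, stmt: 'var f = d.getElementById', may: [] },   // only reads the property
  { from: 2, to: 3, stmt: "var t = f('secret')", may: ['call(document.getElementById)'] },
  { from: 3, to: 4, stmt: 'if (t)', may: [] },
  { from: 4, to: 5, stmt: 'd.cookie = t.innerHTML', may: ['set(document.cookie)'] },
  { from: 3, to: 5, stmt: 'if (t) [false]', may: [] },
];

// Constructed input 2: the readFile/sendPacket program and policy.
const fsPolicy = {
  states: ['A', 'B', 'C'], error: 'C',
  transitions: [['A', 'call readFile', 'B'], ['A', 'call readHistory', 'B'], ['B', 'call sendPacket', 'C']],
};
const fsCfa = [
  { from: 0, to: 1, stmt: 'api[0] = readFile', may: [] },
  { from: 1, to: 2, stmt: 'api[1] = sendPacket', may: [] },
  { from: 2, to: 3, stmt: 'while (true) [true]', may: [] },
  { from: 2, to: 5, stmt: 'while (true) [false]', may: [] },
  { from: 3, to: 4, stmt: 'instr, data = read()', may: [] },
  { from: 4, to: 2, stmt: 'api[instr](data)', may: ['call readFile', 'call sendPacket'] },
];

console.log(emitGuards(cookieCfa, cookiePolicy).join('\n'));
console.log(emitGuards(fsCfa, fsPolicy).join('\n'));
```

For the cookie program this reproduces exactly the two guards of the rewritten program: the abstraction never produces call(document.getElementsByTagName), so that check is dropped everywhere, and only `var t = f('secret')` and the cookie assignment can move the monitor. For the loop program the single dispatch statement `api[instr](data)` gets both guards, because the coarse abstraction cannot tell which entry of `api` is called; that is the case where SafetyWeave stops refining and lets the runtime check decide.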