Efficient, Context-Sensitive Detection of Real-World Semantic Attacks

Presentation Transcript

  1. Michael Bond, Varun Srivastava, Kathryn McKinley, Vitaly Shmatikov (University of Texas at Austin): Efficient, Context-Sensitive Detection of Real-World Semantic Attacks

  2. Real Semantic Exploits & Efficient, Context-Sensitive Detection

  3. How an applet loads a class: classLoader.loadClass("java.util.HashSet");

  4. classLoader.loadClass("java.util.HashSet"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); }

  5. Access-control security classLoader.loadClass("java.util.HashSet"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess()

  6. classLoader.loadClass("java.util.HashSet"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... }

  7. classLoader.loadClass("java.util.HashSet"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  8. classLoader.loadClass("sun/applet/AppletClassLoader"); Sun Java Virtual Machine 1.3

  9. classLoader.loadClass("sun/applet/AppletClassLoader"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); }

  10. classLoader.loadClass("sun/applet/AppletClassLoader"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess()

  11. classLoader.loadClass("sun/applet/AppletClassLoader"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  12. classLoader.loadClass("sun/applet/AppletClassLoader"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() • Semantic exploit • Examples: • Omitted security check • Untrusted code executes in wrong context • Misconfigured security policy ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  13. classLoader.loadClass("sun/applet/AppletClassLoader"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() How to detect this exploit? Infeasible path detection? Does not violate semantics (e.g., type & memory safety, control-flow integrity) ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  14. classLoader.loadClass("sun/applet/AppletClassLoader"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() How to detect this exploit? Check against specification? No specification available ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  15. classLoader.loadClass("sun/applet/AppletClassLoader"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() How to detect this exploit? Infer specification from dynamic behavior? ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  16. classLoader.loadClass("sun/applet/AppletClassLoader"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 Which dynamic behavior? FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  17. loadClass("java.util.HashMap"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass("sun/applet/AppletClassLoader"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass("MyClass"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :139 File.exists()

  18. loadClass("java.util.HashMap"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass("sun/applet/AppletClassLoader"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass("MyClass"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :139 File.exists() Train Deploy

  19. classLoader.loadClass("MyClass");

  20. classLoader.loadClass("MyClass"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); }

  21. classLoader.loadClass("MyClass"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess()

  22. classLoader.loadClass("MyClass"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  23. loadClass("java.util.HashMap"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass("sun/applet/AppletClassLoader"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121 File.exists() loadClass("MyClass"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :139 File.exists()

  24. loadClass("java.util.HashMap"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass("sun/applet/AppletClassLoader"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121 File.exists() loadClass("MyClass"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :139 File.exists()

  25. loadClass("java.util.HashMap"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass("sun/applet/AppletClassLoader"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121 File.exists() loadClass("MyClass"); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :139 File.exists() Train Deploy Train

  26. ClassLoader.loadClass():312 ClassLoader.loadClass():341 More context sensitivity FileURLLoader.getResource():73 FileURLLoader.walkPathComponents():121 File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  27. ClassLoader.loadClass():312 ClassLoader.loadClass():341 False negatives More context sensitivity False positives FileURLLoader.getResource():73 FileURLLoader.walkPathComponents():121 File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  28. ClassLoader.loadClass():312 ClassLoader.loadClass():341 False negatives Overhead More context sensitivity False positives FileURLLoader.getResource():73 FileURLLoader.walkPathComponents():121 File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  29. classLoader.loadClass("java.util.HashSet"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  30. classLoader.loadClass("java.util.HashSet"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } S ← walkStack() check(S) SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 S ← walkStack() check(S) SecurityManager.checkRead()

  31. Costs of Context Sensitivity

  32. Costs of Context Sensitivity Proportional to depth & security calls High overhead at security calls

  33. Efficient, Depth-Limited Context Sensitivity

  34. Probabilistic Calling Context [Bond & McKinley '07] Represent calling context as probabilistically unique integer

  35. Probabilistic Calling Context [Bond & McKinley '07] Compute value at every call Use value at security calls

  36. Probabilistic Calling Context [Bond & McKinley '07] Compute value at every call Use value at security calls Always-available context Low overhead at security calls

  37. classLoader.loadClass("java.util.HashSet"); loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  38. classLoader.loadClass("java.util.HashSet"); V0 ← 0 loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } V1 ← f(V0, cs1) SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  39. classLoader.loadClass("java.util.HashSet"); V0 ← 0 loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } V1 ← f(V0, cs1) SecurityManager.checkPackageAccess() V2 ← f(V0, cs2) ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  40. classLoader.loadClass("java.util.HashSet"); V0 ← 0 loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } V1 ← f(V0, cs1) SecurityManager.checkPackageAccess() V2 ← f(V0, cs2) V3 ← f(V2, cs3) ClassLoader.loadClass():341 V4 ← f(V3, cs4) FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } V5 ← f(V4, cs5) File.exists():268 V6 ← f(V5, cs6) File.checkRead():1485 V7 ← f(V6, cs7) SecurityManager.checkRead()

  41. classLoader.loadClass("java.util.HashSet"); V0 ← 0 loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } V1 ← f(V0, cs1) check(V1) SecurityManager.checkPackageAccess() V2 ← f(V0, cs2) V3 ← f(V2, cs3) ClassLoader.loadClass():341 V4 ← f(V3, cs4) FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } V5 ← f(V4, cs5) File.exists():268 V6 ← f(V5, cs6) File.checkRead():1485 V7 ← f(V6, cs7) check(V7) SecurityManager.checkRead()

  42. classLoader.loadClass("java.util.HashSet"); V0 ← 0 loadClass(name) { ... if (name.lastIndexOf('.') != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } V1 ← f(V0, cs1) check(V1) SecurityManager.checkPackageAccess() V2 ← f(V0, cs2) History sensitivity V3 ← f(V2, cs3) ClassLoader.loadClass():341 V4 ← f(V3, cs4) FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } V5 ← f(V4, cs5) File.exists():268 V6 ← f(V5, cs6) File.checkRead():1485 V7 ← f(V6, cs7) check(V7) SecurityManager.checkRead()

  43. PCC Function: $f(V, cs) \equiv 3V + cs \pmod{2^{32}}$

  44. PCC Function: $f(V, cs) \equiv 3V + cs \pmod{2^{32}}$ Motivated by MPI data-type hashing [Langou et al. '05] [Gropp '00]

  45. PCC Function: $f(V, cs) \equiv 3V + cs \pmod{2^{32}}$ Encodes entire calling context

  46. PCC Function: $f(V, cs) \equiv 2^{32/k} V + cs \pmod{2^{32}}$ Encodes last k call sites

  47. PCC Function: $f(V, cs) \equiv 2^{32/k} V + cs \pmod{2^{32}}$ • Cheap to compute

  48. PCC Function: $f(V, cs) \equiv 2^{32/k} V + cs \pmod{2^{32}}$ • Cheap to compute • Composition cheap to compute

  49. PCC Function: $f(V, cs) \equiv 2^{32/k} V + cs \pmod{2^{32}}$ • Cheap to compute • Composition cheap to compute • Non-commutative
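
An added Java illustration (not code from the slides or the authors' implementation) of the PCC functions on slides 43 to 49 and the train/deploy check of slides 17 to 25, run over the call chain shown on the slides. The call-site ids (string hashes), the `loadClass():checkPackageAccess` label and the way history is folded into the value are assumptions made for the example; the slides do not spell them out.

```java
import java.util.*;

public class PccDemo {
    // Slide 43: f(V, cs) = 3V + cs (mod 2^32). Java int arithmetic wraps mod 2^32.
    static int f(int v, int cs) { return 3 * v + cs; }

    // Slide 46: f(V, cs) = 2^(32/k) * V + cs (mod 2^32), for k dividing 32.
    // Shift in long: Java masks int shift counts to 5 bits, so v << 32 would be v.
    static int fk(int v, int cs, int k) { return (int) (((long) v << (32 / k)) + cs); }

    // Fold a chain of call sites into one value, starting from V0 = 0.
    // k == 0 selects the full-context function f; otherwise the last-k function fk.
    // Call-site ids are a constructed stand-in: the hash of the "method():line" label.
    static int pcc(List<String> sites, int k) {
        int v = 0;
        for (String s : sites) v = (k == 0) ? f(v, s.hashCode()) : fk(v, s.hashCode(), k);
        return v;
    }

    public static void main(String[] args) {
        List<String> via121 = Arrays.asList("ClassLoader.loadClass():341",
            "FileURLLoader.getResource():73", "walkPathComponents():121",
            "File.exists():268", "File.checkRead():1485");
        List<String> via139 = new ArrayList<>(via121);
        via139.set(2, "walkPathComponents():139");
        // Assumed history rule: the earlier checkPackageAccess call site stays folded in.
        List<String> checked121 = new ArrayList<>(via121);
        checked121.add(0, "loadClass():checkPackageAccess");   // constructed label

        // Training runs: java.util.HashMap (check ran, :121) and MyClass (no check, :139).
        Set<Integer> pureModel = new HashSet<>(Arrays.asList(pcc(via121, 0), pcc(via139, 0)));
        Set<Integer> histModel = new HashSet<>(Arrays.asList(pcc(checked121, 0), pcc(via139, 0)));

        // Deployment: sun/applet/AppletClassLoader reaches :121 with no package check.
        int attack = pcc(via121, 0);
        System.out.println("pure context flags it:      " + !pureModel.contains(attack));
        System.out.println("history-sensitive flags it: " + !histModel.contains(attack));

        // With k = 4 only the last four sites survive, so the history is shifted out.
        System.out.println("k=4 contexts collide:       "
            + (pcc(checked121, 4) == pcc(via121, 4)));
    }
}
```

The pure calling context at `SecurityManager.checkRead()` is identical for the trained `java.util.HashMap` load and the `sun/applet/AppletClassLoader` load, so only a value that also reflects the earlier security call separates them; a depth limit that is too small discards that distinction again.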