secure programs via game based synthesis
Download
Skip this Video
Download Presentation
Secure Programs via Game-based Synthesis

Loading in 2 Seconds...

play fullscreen
1 / 90

Secure Programs via Game-based Synthesis - PowerPoint PPT Presentation


  • 87 Views
  • Uploaded on

Secure Programs via Game-based Synthesis. Somesh Jha, Tom Reps, and Bill Harris. One-slide summary. Secure programming on a conventional OS is intractable Privilege -aware OS’s take secure programming from intractable to challenging

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Secure Programs via Game-based Synthesis' - jaimin


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
secure programs via game based synthesis
Secure Programs viaGame-based Synthesis
  • Somesh Jha, Tom Reps, and Bill Harris
one slide summary
One-slide summary
  • Secure programming on a conventional OS is intractable
  • Privilege-aware OS’s take secure programmingfrom intractable to challenging
  • Our program rewriter takes secure programming from challenging to simple
outline
Outline
  • Motivation, problem statement
  • Motivation, problem statement
  • Previous work: Capsicum [CAV ’12, Oakland ’13]
  • Ongoing work: HiStar
  • Open challenges
secure programming is intractable
Secure Programmingis Intractable
  • 81 exploits in CVE since Sept. 2013
  • Many exploit a software bugto carry out undesirable system operations
    • 2013-5751: exploit SAP NetWeaverto traverse a directory
    • 2013-5979: exploit bad filename handling inXibo to read arbitrary files
    • 2013-5725: exploit ByWordto overwrite files

4

how to carry out an exploit
How to Carry Outan Exploit

software vulnerability

+

OS privilege

=

security exploit

slide6
Solution

The Conventional-OS

software vulnerability

+

OS privilege

=

security exploit

slide7
Solution

The Program-Verification

software vulnerability

+

OS privilege

=

security exploit

priv aware os
Priv.-aware OS
  • Introduce explicitprivileges over all system objects,primitives that update privileges
  • Programs call primitives to manage privilege
solution
Priv.-aware OS

The

Solution

(

)

software vulnerability

+

OS privilege

=

security exploit

+

primitives

monitor

watson 10
Priv.-aware OS

The

Capsicum

[Watson ’10]
  • Privilege: ambient authority (Amb) to open descriptors to system objects
  • Primitives: program calls cap_enter()to manage Amb
slide11
Rules of

’s Amb

Capsicum

  • When a process is created,it has the Amb value of its parent
  • After a process calls cap_enter(),it does not have Amb
  • If a process does not have Amb,then it can never obtain Amb
slide12
gzip
  • main() {
  • file_nms = parse_cl();
  • for (f in file_nms):
  • L0: (in, out) = open2(f);
  • }

L1: compress(in, out);

L1:compress(in, out);

/usr/local

http://evil.com

slide13
A simple policy

gzip

with AMB

  • When gzip calls open2() at L0,it should
  • When gzip calls compress() at L1,it should not

be able to open descriptors

have AMB

have AMB

able to open descriptors

slide14
with AMB

?

L0:AMB

L1:no AMB

?

gzip

main() {

file_nms = parse_cl();

for (f in file_nms):

L0: (in, out) = open2(f);

L1: compress(in, out);

}

cap_enter()

programming challenges
CapsicumProgramming Challenges
  • Amb policies are not explicit
  • cap_enter primitive has subtle temporal effects
programming challenges1
gzipProgramming Challenges

main() {

file_nms = parse_cl();

for (f in file_nms):

L0: (in, out) = open2(f);

L1: compress(in, out);

}

AMB

no AMB

AMB

no AMB

AMB

cap_enter();

no AMB

L0:AMB

L1:no AMB

rules of capsicum s amb
Rules of Capsicum’s Amb
  • When a process is created,it has the AMB value of its parent
  • After a process calls cap_enter(),it never has AMB
  • If a process does not have Amb,then it can never obtain Amb
instrumenting gzip
Instrumenting gzip

AMB

AMB

AMB

  • main() {
  • file_nms = parse_cl();
  • for (f in file_nms):
  • L0: (in, out) = open2(f);
  • L1: compress(in, out);
  • }

AMB

AMB

sync_fork();

cap_enter();

no AMB

sync_join();

L0:AMB

L1:no AMB

capsicum challenges not appearing in this talk
Capsicum ChallengesNot Appearing in This Talk
  • Program can construct capability from each UNIX descriptor
  • Capability has a vector of 63 access rights (~1 for every system call on a descriptor)
  • Programs can assume new capabilities via a Remote Procedure Call (RPC)
instrumenting programs
with CapWeaveInstrumenting Programs
  • Programmer writes an explicitAmb policy
  • CapWeave instruments program to invoke primitives so that it satisfies the policy
slide21
with CapWeave

gzip

main() {

file_nms = parse_cl();

for (f in file_nms):

L0: (in, out) = open2(f);

L1: compress(in, out);

}

Policy

Cur(p) => (pc[L0](p) => AMB(p)

& (pc[L1](p) => !AMB(p))

L0:AMB

L1:no AMB

slide22
main() {

file_nms = parse_cl();

for (f in file_nms):

L0: (in, out) = open2(f);

L1: compress(in, out);

}

CapWeave

void main() {

L0: open2(...);

sync_fork();

cap_enter();

L1: compress();

sync_join();

}

Instrumented

Program

Policy

Cur(p) => (pc[L0](p) => AMB(p)

& (pc[L1](p) => !AMB(p))

the next 700 policy weavers
The Next 700Policy Weavers
  • Analogous challenges with Decentralized Information Flow Control (DIFC)
  • Asbestos [Efstathopoulos ‘05]
  • HiStar [Zeldovich ’06]
  • Flume [Krohn ‘07]
slide24
gzip() {

file_nms = parse_cl();

...

}

Policy

Cur(p) =>

(pc[L0](p) => AMB(p))

& (pc[L1](p) => !AMB(p))

CapWeave

gzip() {

file_nms = parse_cl();

sync_fork();

cap_enter();

...

}

Programmer

Capsicum Designer

cap_enter: Amb’(p):= Amb(p) & ...

WeaverGenerator

slide25
Programmer

HiStar Designer

create_cat(&c):Flows’(p, q) := Flows(p, q) || ...

wrapper() {

exec(...);

...

}

Policy

forall w, s.

Flows(w, s) => ...

HiWeave

WeaverGenerator

scanner() {

create_cat(&c);

exec(...);

...

}

outline1
Outline
  • Previous work: Capsicum
  • Motivation, problem statement
  • Previous work: Capsicum
  • Ongoing work: HiStar
  • Open challenges
capweave algorithm
CapWeave Algorithm
  • Inputs: Program P, Amb Policy Q
  • Output: Instrumentation of P that always satisfies Q
  • Build finite IP#⊇instrumented runs that violate Q
1 building ip inputs
1. Building IP#: Inputs

Program

Amb Policy

L0: Amb

L1: no Amb

main() {

file_nms = parse_cl();

for (f in file_nms):

L0: (in, out) = open2(f);

L1: compress(in, out);

}

slide29
1. Building IP#: Output

parse_cl

cap_enter

noop

L0:open2()

L0:open2()

sync_join()

noop

sync_fork()

noop

noop

noop

noop

cap_enter()

cap_enter()

L1:compress()

L1:compress()

L1:compress()

L1:compress()

noop

L1: no Amb

L0:open2()

slide30
1. Building IP#: Output

parse_cl

cap_enter

noop

L0:open2()

L0:open2()

sync_join()

noop

sync_fork()

noop

noop

noop

noop

cap_enter()

cap_enter()

L1:compress()

L1:compress()

L1:compress()

L1:compress()

noop

L0:open2()

L0: Amb

building ip
Building IP#
  • Basic idea: construct IP# as a forward explorationof an abstract state space
slide33
1(b). IP#: Define Abstract Transformers

𝜏[cap_enter]#

𝛼

Q#

Q

𝜏[cap_enter]

1 c explore abstract state space
𝜏[noop]#

...

noop

...

1(c). Explore Abstract State Space

𝜏[cap_enter]#

𝛼

𝜏[parse_cl]#

...

Q#

cap_enter

...

parse_cl

Q

L0’

L0

init

slide35
parse_cl

cap_enter

noop

L0:open2()

L0:open2()

sync_join()

noop

sync_fork()

noop

noop

noop

noop

cap_enter()

cap_enter()

L1:compress()

L1:compress()

L1:compress()

L1:compress()

noop

L0:open2()

𝜏[parse_cl]#

state structure exploration
≡{

}

A

A

D

B

B

C

State-Structure Exploration

If a concrete state is a logical structure, ...

Q

state structure exploration1
State-Structure Exploration

properties are FOL formulas, ...

∀p. A(p) ⇒ ((B(p) ⇒C(p)) ⋀ (D(p) ⇒ ¬C(p)))

state structure exploration2
State-Structure Exploration

...and semantics is given as predicate updates, ...

A’(x) = A(x) ⋁∃ y. C(y) ⋀ B(q, p)

B’(x, y) = B(x, y) ⋁ (C(x) ⋀ D(y))

C’(x) = ...

D’(x) = ...

𝜏[action] ≡

state structure exploration3
State-Structure Exploration

...then abstract space and transformers

can be generated automatically [Sagiv ’99]

𝜏[action]#

Q#

𝛼

𝛼

𝜏[action]

Q

capsicum semantics
Capsicum Semantics

A

A

Q ≡

D

1.

2.

B

B

C

A’(x) = A(x) ⋁∃ y. C(y) ⋀ B(q, p)

B’(x, y) = B(x, y) ⋁ (C(x) ⋀ D(y))

C’(x) = ...

D’(x) = ...

𝜏[action] ≡

capsicum state as structure
Capsicum State as Structure

Cur

Parent

L1

Amb

Amb

∀ p. Cur(p) ⋀L1(p) ⇒ ¬ Amb(p)

capsicum state as structure1
Capsicum State as Structure

Cur

Parent

L1

Amb

Amb

∀ p. Cur(p) ⋀L1(p) ⇒ ¬ Amb(p)

slide43
Capsicum Structure Transformers

Fresh

Cur

Parent

Cur

Amb

Amb

Structure Transformer

Action

Intro Fresh

Amb’(p) := Amb(p)

⋁ ( Fresh(p)

⋀ ∃ q. Cur(q) ⋀Amb(q))

sync_fork()

slide44
Capsicum Structure Transformers

Fresh

Parent

Cur

Amb

Amb

Structure Transformer

Action

Amb’(p) := Amb(p) ⋀ ¬Cur(p)

cap_enter()

building ip summary
Building IP#: Summary
  • If semantics is given astransforms of logical structures,we can generate an approximation of runs that cause a violation
  • Capsicum semantics can be modeled as structure transforms
capweave algorithm1
CapWeave Algorithm
  • Inputs: Program P, Amb Policy Q
  • Output: Instrumentation of P that always satisfies Q
  • Build finite IP#⊇instrumented runs that violate Q
  • From IP#, build safety game Gwon by violations of Q
two player safety games
Two-Player Safety Games
  • In an Attacker state,the Attacker chooses the next input
  • In a Defender state,the Defender chooses the next input
  • Attacker wants to reach an accepting state
slide48
a

x

y

b

b

w

y

z

c

c

y

x

y

x

d

d

d

d

y

b

slide50
gzip

IP#

parse_cl

cap_enter

noop

L0:open2()

L0:open2()

sync_join()

noop

sync_fork()

noop

noop

noop

noop

cap_enter()

cap_enter()

L1:compress()

L1:compress()

L1:compress()

L1:compress()

noop

L0:open2()

slide51
gzip

Safety Game

parse_cl

cap_enter

noop

L0:open2()

L0:open2()

sync_join()

noop

sync_fork()

noop

noop

noop

noop

cap_enter()

cap_enter()

L1:compress()

L1:compress()

L1:compress()

L1:compress()

noop

L0:open2()

capweave algorithm2
CapWeave Algorithm
  • Inputs: Program P, Amb Policy Q
  • Output: Instrumentation of P that always satisfies Q
  • Build finite IP# ⊇ instrumented runs that violate Q
  • From IP#, build safety game Gwon by violations of Q
  • From winning strategy for G,generate primitive controller for P
outline2
Outline
  • Ongoing work: HiStar
  • Motivation, problem statement
  • Previous work: Capsicum
  • Ongoing work: HiStar
  • Open challenges
the histar priv aware os zeldovich 06
The HiStar Priv-aware OS [Zeldovich ’06]
  • Privilege: OS allows flow between processes
  • Primitives: system calls update labels,which define allowed flows
  • Very powerful: mutually untrusting login (?!)
sandboxing a virus scanner
Sandboxing a Virus Scanner

launcher() {

exec(“/bin/scanner”);

}

wrapper() {

child = sync_fork(&launcher);

while (true) {

read(child, buf);

sanitize(buf);

write(netd, buf); }

}

a flow policy for a virus scanner
A Flow Policyfor a Virus Scanner
  • Information should never transitively flow from the scanner to the network,unless it goes through the wrapper
  • Information should always flow from the scanner to the wrapper
  • Information should always flow from the wrapper to the network
rules for histar s flow
Rules for HiStar’s Flow
  • A process’s label maps each categoryto low or high
  • If process p calls create_cat, then each process is low in c, and p can declassify c
  • Each process may raise its level at each category
  • Each process may relinquish declassification of any category
rules for histar s flow1
Rules for HiStar’s Flow
  • Information can flow from p to q if for each category:
  • The level of p is lower than the level of q at c, or
  • p can declassify c
sandboxing a virus scanner1
Sandboxing a Virus Scanner

launcher() {

exec(“/bin/scanner”); }

wrapper() {

child = sync_fork(&launcher);

while (true) {

read(child, buf);

sanitize(buf);

write(netd, buf); } }

drop_declass(x);

create_cat(&x);

raise(x);

histar challenges not appearing in this talk
HiStar Challenges Not Appearing in This Talk
  • There are actually four levels
  • Each process has to manage its clearance
  • Processes can create labeled closures(calling a closure implicitly performs two label operations and three ordering checks)
weave algorithm
Weave Algorithm

Cap

Hi

Amb

Flow

  • Inputs: Program P, Policy Q
  • Output: Instrumentation of P that satisfies Q
  • Build IP# ⊇ instrumented runs that violate Q(using semantics)
  • From IP#, build safety game Gwon by violations of Q
  • From winning strategy for G,generate primitive controller for P

Capsicum

HiStar

semantics
Semantics

Capsicum

HiStar

A

A

Q ≡

D

1.

2.

B

B

C

𝜏[action] ≡

A’(x) = A(x) ⋁ ∃ y. C(y) ⋀ B(q, p)

B’(x, y) = B(x, y) ⋁ (C(x) ⋀ D(y))

C’(x) = ...

D’(x) = ...

slide65
HiStar State as Structure

Netd

Label

Flows

Flows

Low

x

Low

High

Label

Label

Wrap

Scan

Flows

Cur

∀ w, s, n. Wrap(w) ⋀Scan(s) ⋀Netd(n) ⇒

Flows(s, w) ⋀ Flows(w, n)

slide66
HiStar State as Structure

Netd

Label

Flows

Flows

Low

x

Low

High

Label

Label

Wrap

Scan

Flows

Decl

Cur

∀ w, s, n. Wrap(w) ⋀Scan(s) ⋀Netd(n) ⇒

Flows(s, w) ⋀ Flows(w, n)

slide67
HiStar State Transformers

Flows

Low

Label

Fresh

Cur

x

Decl

Action

Structure Transform

Intro Fresh

Decl’(p, c) := Decl(p, c)

⋁ (Cur(p) ⋀ Fresh(c))

create_cat(&x)

slide68
HiStar State Transformers

Flows

High

Low

Label

Fresh

Cur

x

Decl

Action

Structure Transform

Intro Fresh

High’(l, c) := High(l, c)

⋁ ∃ p. Cur(p) & Label(p, l) & x(c)

raise(&x)

summary histar semantics
Summary: HiStar Semantics
  • We can define the HiStar semantics as FOL predicate transforms and automatically generate a weaver for HiStar
  • FOL predicate transforms can describecapability and DIFCsemantics
scanner game
Scanner Game

noop

create_cat(&c)

raise(c)

noop

noop

sync_fork

sync_fork

sync_fork

exec

noop

drop_decl(c)

exec

...

hiweave performance
HiWeave 𝛼 Performance
  • Generates code for clamwrap in < 3 mins
slide72
Programmer

HiStar Designer

create_cat(&c):Decl’(p, c) := Decl(p, c) || ...

scanner() {

sync_fork();

...

}

Policy

forall w, s, n.

Wrap(w) && ...

HiWeave

WeaverGenerator

scanner() {

create_cat(&c);

sync_fork();

...

}

outline3
Outline
  • Motivation, problem statement
  • Previous work: Capsicum
  • Ongoing work: HiStar
  • Open challenges
open challenges
Open Challenges
  • Automating abstraction refinement
  • Automating error diagnosis
  • Compositional synthesis
  • Optimizing generated code
  • Designing a policy logic
automating abstraction refinement
AutomatingAbstraction Refinement
  • Picking the right abstraction predicates requires a lot of design effort
  • Can we refine the abstraction predicates via counter-strategies?
automating error diagnosis
AutomatingError Diagnosis
  • When weaver fails, it has a counter-strategy
  • How can we simplify these when presenting them to the user?
compositional synthesis
Compositional Synthesis
  • Real programs are structuredas a composition of processes
  • Policies are expressed naturally asconjunction of local, global policies
  • Can we adapt compositional verification?[Long, ’89]
histar logger
HiStar Logger

Local (security) policy: only Logger

should be able to modify log

Logger

log.txt

histar logger1
HiStar Logger

Global (functionality) policy: under certain conditions,Logger will append log on behalf of Environment

Logger

Environment

log.txt

optimizing generated code
OptimizingGenerated Code
  • Mean-payoff games present an appealing cost model, but have high complexity in general
  • Can we apply any domain specific optimizations?
designing a policy logic
Designing a Policy Logic
  • The weaver generator allows a policy writer to declare policies purely over privileges
  • What logic over privileges is easiest for a policy writer to understand?
  • How do we evaluate value added?
our collaborators
Our Collaborators

Capsicum-dev

Pawel Jakub Dawidek

Khilan Gudka

Ben Laurie

Peter Neumann

MIT-LL

HiStar

TVLA

Michael Zhivich

Nickolai Zeldovich

Mooly Sagiv

Jeffrey Seibert

slide83
Questions?

create_cat(&c):Decl’(p, c) := Decl(p, c) || ...

scanner() {

sync_fork();

...

}

Policy

forall w, s, n.

Wrap(w) && ...

HiWeave

WeaverGenerator

scanner() {

create_cat(&c);

sync_fork();

...

}

three valued logic
Three-valued logic
  • Values: true, false, and unknown
  • true & unknown = unknown
  • false & unknown = false
three valued structures
Three-valued Structures

Parent

Amb

Cur

Parent

Amb

Cur

Amb

Cur

Parent

Amb

Amb

Cur

...

Parent

Parent

abstraction function
Abstraction Function

alpha_{Cur}

Amb

Cur

Parent

Amb

Amb

Cur

Parent

Parent

abstraction function1
Abstraction Function

alpha_{Cur}

Amb?

Cur

Parent

Amb

Cur

Parent

Parent

abstract fork def
Abstract Fork (def)

Amb

Fresh

Cur

Amb

Amb

Amb

Cur

Parent

Parent

Action

Semantics

Intro Fresh

Amb(p) := Amb(p)

|| (Fresh(p) & E q. Cur(q) & Amb(q))

fork()

abstract fork definite
Abstract Fork (definite)

Amb

Cur

Amb

Fresh

Cur

Fresh

Amb

Amb

Parent

Parent

Parent

Action

Semantics

Intro Fresh

Amb(p) := Amb(p)

|| (Fresh(p) & E q. Cur(q) & Amb(q))

fork()

ad