retrofitting legacy code with authorization mechanisms n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Retrofitting Legacy Code with Authorization Mechanisms PowerPoint Presentation
Download Presentation
Retrofitting Legacy Code with Authorization Mechanisms

Loading in 2 Seconds...

play fullscreen
1 / 107

Retrofitting Legacy Code with Authorization Mechanisms - PowerPoint PPT Presentation


  • 107 Views
  • Uploaded on

Retrofitting Legacy Code with Authorization Mechanisms. Principle of Design for Security. Historic example: MULTICS [Corbato et al. ‘65] More recent examples: Operating systems Database servers. To create a secure system, design it to be secure from the ground up.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Retrofitting Legacy Code with Authorization Mechanisms' - salim


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
principle of design for security
Principle of Design for Security
  • Historic example:
    • MULTICS [Corbato et al. ‘65]
  • More recent examples:
    • Operating systems
    • Database servers

To create a secure system, design

it to be secure from the ground up

Retrofitting Legacy Code for Authorization Policy Enforcement

relevance of the principle today
Relevance of the Principle today

Most deployed software is

not designed for security

  • Deadline-driven software development
    • Design.Build.(Patch)* is here to stay
    • Few people have expertise with a single large codebase.
    • Tedious to sift through large codebases and reason about security.
    • Diverse/Evolving security requirements
      • MULTICS security study [Karger and Schell, ‘72]

Retrofitting Legacy Code for Authorization Policy Enforcement

retrofitting legacy code
Retrofitting legacy code

Need systematic techniques to

retrofit legacy code for security

Legacy

code

Retrofitted

code

INSECURE

SECURE

Retrofitting Legacy Code for Authorization Policy Enforcement

retrofitting legacy code1
Retrofitting legacy code
  • Enforcing type safety
    • CCured [Necula et al. ’02]
  • Partitioning for privilege separation
    • PrivTrans [Brumley and Song, ’04]
  • Enforcing authorization policies

Need systematic techniques to

retrofit legacy code for security

Retrofitting Legacy Code for Authorization Policy Enforcement

enforcing authorization policies

Operation request

Response

Allowed?

YES/NO

Enforcing authorization policies

Resource user

Resource manager

Reference monitor

‹Alice, /etc/passwd, File_Read›

Authorization policy

Retrofitting Legacy Code for Authorization Policy Enforcement

retrofitting for authorization
Retrofitting for authorization
  • Mandatory access control for Linux
    • Linux Security Modules [Wright et al.,’02]
    • SELinux [Loscocco and Smalley,’01]
  • Secure windowing systems
    • Trusted X,Compartmented-mode workstation, X11/SELinux [Epstein et al.,’90][Berger et al.,’90][Kilpatrick et al.,’03]
  • Java Virtual Machine/SELinux [Fletcher,‘06]
  • IBM Websphere/SELinux [Hocking et al.,‘06]

Painstaking, manual procedure

Retrofitting Legacy Code for Authorization Policy Enforcement

this tutorial
This tutorial

Three program analysis and transformation techniques (in increasing order of sophistication) to retrofit legacy code with reference monitors

Retrofitting Legacy Code for Authorization Policy Enforcement

contents of the tutorial
Contents of the tutorial

Analyses and transformations for

authorization policy enforcement

  • Fingerprints: A new representation for security-sensitive operations
  • Three algorithms to mine fingerprints
  • Results: Reduced effort to retrofit legacy code for authorization policy enforcement
    • Manual effort needed reduces to a few hours
    • Applied to X server, Linux kernel, etc.

Retrofitting Legacy Code for Authorization Policy Enforcement

outline
Outline
  • Motivation
  • Problem
    • Example
    • Retrofitting legacy code: Lifecycle
  • Solutions
    • Dynamic fingerprint mining
    • Static mining with concept analysis
    • Static mining leveraging user choice

Retrofitting Legacy Code for Authorization Policy Enforcement

x server with multiple x clients

REMOTE

LOCAL

X server with multiple X clients

Retrofitting Legacy Code for Authorization Policy Enforcement

malicious remote x client

REMOTE

LOCAL

Malicious remote X client

Retrofitting Legacy Code for Authorization Policy Enforcement

undesirable information flow

REMOTE

LOCAL

Undesirable information flow

Retrofitting Legacy Code for Authorization Policy Enforcement

desirable information flow
Desirable information flow

REMOTE

LOCAL

Retrofitting Legacy Code for Authorization Policy Enforcement

other policies to enforce
Other policies to enforce
  • Prevent unauthorized
    • Copy and paste
    • Modification of inputs meant for other clients
    • Changes to window settings of other clients
    • Retrieval of bitmaps: Screenshots

[Berger et al., ’90]

[Epstein et al., ‘90]

[Kilpatrick et al., ‘03]

Retrofitting Legacy Code for Authorization Policy Enforcement

security is not a blocker
Security is not a ‘blocker’

“It isn't clear this qualifies as a blocker under any circumstances. The importance of security increases only as we are into serious deployment and start becoming a target. First things, first....”

- https://dev.laptop.org/ticket/260Need a way to protect against applications sniffing each other's keystrokes, which X permits by default.

Security by design, in practice

x server with authorization

Operation request

Response

Allowed?

YES/NO

X server with authorization

X client

X server

Reference monitor

Authorization policy

Retrofitting Legacy Code for Authorization Policy Enforcement

outline1
Outline
  • Motivation
  • Problem
    • Example
    • Retrofitting legacy code: Lifecycle
  • Solution

Retrofitting Legacy Code for Authorization Policy Enforcement

retrofitting lifecycle

Security-sensitive

operations

Source Code

Input_Event

Create

Destroy

Copy

Paste

Map

Can the client

receive this

Input_Event?

Retrofitting lifecycle
  • Identify security-sensitive operations
  • Locate where they are performed in code
  • Instrument these locations

Policy checks

Retrofitting Legacy Code for Authorization Policy Enforcement

problems
Problems

Manual

  • X11 ~ proposed 2003, implemented 2007, changing to date. [Kilpatrick et al., ‘03]
  • Linux Security Modules ~ 2 years [Wright et al., ’02]
  • PostgreSQL: Began in 2006, still not mainline.

At this point, SE-PostgreSQL has taken up a *lot* of community resources, not to mention an enormous and doubtless frustrating amount of *the lead developer’s* time and effort, thus far without a single committed patch, or even a consensus as to what it should (or could) do. Rather than continuing to blunder into the future, I think we need to do a reality check

- http://archives.postgresql.org/message-id/20090718160600.GE5172@fetter.org

Retrofitting Legacy Code for Authorization Policy Enforcement

problems1
Problems
  • Violation of complete mediation
  • Time-of-check to Time-of-use bugs [Zhang et al., ‘02][Jaeger et al., ‘04]

Error-prone

Retrofitting Legacy Code for Authorization Policy Enforcement

our approach
Our approach

Principled

  • Fingerprints: A new representation of security-sensitive operations
  • Legacy code retrofitted using fingerprints
    • Use of static and dynamic program analysis
    • Must achieve complete mediation
    • Ideally, must not place redundant hooks

Automated

Retrofitting Legacy Code for Authorization Policy Enforcement

approach overview
Approach overview

Legacy code

Miner

Fingerprints

Matcher

Retrofitted code

Retrofitting Legacy Code for Authorization Policy Enforcement

outline2
Outline
  • Motivation
  • Problem
  • Solution
    • Fingerprints
    • Dynamic fingerprint mining
    • Static fingerprint mining with concept analysis
    • Static fingerprint mining leveraging user choice

Retrofitting Legacy Code for Authorization Policy Enforcement

what are fingerprints
What are fingerprints?
  • Resource accesses that are unique to a security-sensitive operation
  • Denote key steps needed to perform the security-sensitive operation on a resource

Code-level signatures of

security-sensitive operations

Retrofitting Legacy Code for Authorization Policy Enforcement

examples of fingerprints

Security-sensitive

operations

Source Code

Input_Event

Create

Destroy

Copy

Paste

Map

Examples of fingerprints
  • Input_Event :-

Cmp xEvent->type == KeyPress

Retrofitting Legacy Code for Authorization Policy Enforcement

examples of fingerprints1
Examples of fingerprints
  • Input_Event :-

Cmp xEvent->type == KeyPress

  • Input_Event :-

Cmp xEvent->type == MouseMove

  • Map :-

Set Window->mappedtoTrue &

Set xEvent->typetoMapNotify

  • Enumerate :-

Read Window->firstChild &

Read Window->nextSib &

Cmp Window ≠ 0

Retrofitting Legacy Code for Authorization Policy Enforcement

fingerprint matching
Fingerprint matching
  • Enumerate :- ReadWindow->firstChild&
  • ReadWindow->nextSib&
  • CmpWindow ≠ 0
  • X server function MapSubWindows

MapSubWindows(Window *pParent, Client *pClient) {

Window *pWin;

// Run through linked list of child windows

pWin = pParent->firstChild; …

for (;pWin != 0; pWin=pWin->nextSib) {

...

// Code that maps each child window

...

}

}

Performs Enumerate

Retrofitting Legacy Code for Authorization Policy Enforcement

placing authorization checks
Placing authorization checks
  • X server function MapSubWindows

MapSubWindows(Window *pParent, Client *pClient) {

Window *pWin;

// Run through linked list of child windows

if CHECK(pClient,pParent,Enumerate) == ALLOWED {

pWin = pParent->firstChild; …

for (;pWin != 0; pWin=pWin->nextSib) {

...

// Code that maps each child window

...

}

} else { HANDLE_FAILURE }

}

Retrofitting Legacy Code for Authorization Policy Enforcement

fingerprint matching1
Fingerprint matching
  • Currently employ simple pattern matching
  • More sophisticated matching possible
    • Metacompilation [Engler et al., ‘01]
    • MOPS [Chen and Wagner, ‘02]
  • Inserting authorization checks is akin to static aspect-weaving [Kiczales et al., ’97]
  • Other aspect-weaving techniques possible
    • Runtime aspect-weaving

Retrofitting Legacy Code for Authorization Policy Enforcement

outline3
Outline
  • Motivation
  • Problem
  • Solution
    • Fingerprints
    • Dynamic fingerprint mining
    • Static fingerprint mining with concept analysis
    • Static fingerprint mining leveraging user choice

Retrofitting Legacy Code for Authorization Policy Enforcement

dynamic fingerprint mining

Security-sensitive

operations

Source Code

Input_Event

Create

Destroy

Copy

Paste

Map

Dynamic fingerprint mining

Output: Fingerprints

Input_Event :-

Cmp xEvent->type == KeyPress

Retrofitting Legacy Code for Authorization Policy Enforcement

dynamic fingerprint mining1
Dynamic fingerprint mining
  • Security-sensitive operations [NSA’03]
  • Use this information to induce the program to perform security-sensitive operations

Retrofitting Legacy Code for Authorization Policy Enforcement

problem definition
Problem definition
  • S: Set of security-sensitive operations
  • D: Descriptions of operations in S
  • R: Set of resource accesses
    • Read/Set/Cmp of Window/xEvent
  • Each sєS has a fingerprint
    • A fingerprint is a subset of R
    • Contains a resource access unique to s
  • Problem: Find fingerprints for each security-sensitive operation in S using D

Retrofitting Legacy Code for Authorization Policy Enforcement

traces contain fingerprints

Runtime trace

Security-sensitive

operations

Source Code

Input_Event

Create

Destroy

Copy

Paste

Map

Traces contain fingerprints
  • Induce security-sensitive operation
    • Typing to window will induce Input_Event
  • Fingerprint must be in runtime trace
    • Cmp xEvent->type == KeyPress

Retrofitting Legacy Code for Authorization Policy Enforcement

compare traces to localize

Security-sensitive

operations

Source Code

Input_Event

Create

Destroy

Copy

Paste

Map

Compare traces to localize

Runtime trace

  • Localize fingerprint in trace
    • Trace difference and intersection

Retrofitting Legacy Code for Authorization Policy Enforcement

runtime traces
Runtime traces
  • Trace the program and record reads/writes to resource data structures
    • Window and xEvent in our experiments
  • Example: from X server startup

(In function SetWindowtoDefaults)

Set Window->prevSibto0

Set Window->firstChildto0

Set Window->lastChildto0

about 1400 such resource accesses

Retrofitting Legacy Code for Authorization Policy Enforcement

using traces for fingerprinting
Using traces for fingerprinting
  • Obtain traces for each security-sensitive operation
    • Series of controlled tracing experiments
  • Examples
    • Typing to keyboard generates Input_Event
    • Creating new window generates Create
    • Creating window also generates Map
    • Closing existing window generates Destroy

Retrofitting Legacy Code for Authorization Policy Enforcement

comparison with diff and
Comparison with “diff” and “∩”

Annotation is a manual step

Retrofitting Legacy Code for Authorization Policy Enforcement

comparison with diff and1

Create = Open xterm ∩ Open browser

- Move xterm

Comparison with “diff” and “∩”

Perform same set operations on resource accesses

Retrofitting Legacy Code for Authorization Policy Enforcement

set equations
Set equations
  • Each trace has a set of labels
    • Open xterm: {Create, Map}
    • Browser: {Create, Destroy, Map, Unmap}
    • Move xterm: {Map, Input_Event}
  • Need set equation for {Create}
    • Compute an exact cover for this set
    • Open xterm ∩ Open browser – Move xterm
  • Perform the same set operations on the set of resource accesses in each trace

Retrofitting Legacy Code for Authorization Policy Enforcement

experimental methodology
Experimental methodology

Source code

gcc –-enable-logging

Server with logging enabled

Run experiments and collect traces

Raw traces

Localize security-sensitive operation

Relevant portions of traces

Compare traces with “diff” and “∩”

Pruned traces

Retrofitting Legacy Code for Authorization Policy Enforcement

dynamic mining results
Dynamic mining: Results

Each fingerprint localized to

within 126 resource accesses

Size

Retrofitting Legacy Code for Authorization Policy Enforcement

limitations of dynamic mining

Runtime trace

Security-sensitive

operations

Source Code

Input_Event

Create

Destroy

Copy

Paste

Map

Limitations of dynamic mining
  • Incomplete: False negatives
  • High-level description needed
  • Operations are manually induced

Retrofitting Legacy Code for Authorization Policy Enforcement

outline4
Outline
  • Motivation
  • Problem
  • Solution
    • Fingerprints
    • Dynamic fingerprint mining
    • Static fingerprint mining with concept analysis
    • Static fingerprint mining leveraging user choice

Retrofitting Legacy Code for Authorization Policy Enforcement

static fingerprint mining

Security-sensitive

operations

Source Code

Input_Event

Create

Destroy

Copy

Paste

Map

Static fingerprint mining
  • Resources
  • Window
  • xEvent

Output:Candidate Fingerprints

Cmp xEvent->type == KeyPress

Retrofitting Legacy Code for Authorization Policy Enforcement

problem definition1
Problem definition
  • R: Set of resource accesses
    • Read/Set/Cmp of Window/xEvent
  • E: Set of entry points into the server
  • Goal: Find fingerprints using R and E

Not given an a priori description

of security-sensitive operations

Retrofitting Legacy Code for Authorization Policy Enforcement

straw man proposal i
Straw-man proposal I
  • Finest level of granularity
  • Cmp xEvent->type == KeyPress
  • ReadWindow->firstChild
  • ReadWindow->nextSib
  • CmpWindow ≠ 0

Each resource access

in R is a fingerprint

Retrofitting Legacy Code for Authorization Policy Enforcement

problem with this proposal
Problem with this proposal
  • Cmp xEvent->type == KeyPress
  • ReadWindow->firstChild
  • ReadWindow->nextSib
  • CmpWindow ≠ 0

Difficult to write and maintain

policies at this level of granularity

Retrofitting Legacy Code for Authorization Policy Enforcement

straw man proposal ii
Straw-man proposal II
  • Coarsest level of granularity
  • CallMapSubWindows
  • CallMapWindow
  • Write policies allowing/disallowing the use of an API call

Each API in E is a fingerprint

Retrofitting Legacy Code for Authorization Policy Enforcement

problem with this proposal1
Problem with this proposal
  • Call MapSubWindows
    • Enumerates child windows and maps them to the screen
  • Call MapWindows
    • Maps a window onto the screen

Does not reflect actual resource

accesses performed by API call

Retrofitting Legacy Code for Authorization Policy Enforcement

our approach1
Our approach
  • Each API entry point implicitly defines a set of resource accesses
  • Cluster resource accesses based upon the API entry points that perform them

Cluster resource accesses

that always happen together

Retrofitting Legacy Code for Authorization Policy Enforcement

static analysis
Static analysis
  • Extract resource accesses potentially possible via each entry point
  • Example from the X server
    • Entry point: MapSubWindows(…)
    • Resource accesses:
    • SetxEvent->typeToMapNotify
    • SetWindow->mappedToTrue
  • ReadWindow->firstChild
    • ReadWindow->nextSib
    • CmpWindow ≠ 0

Retrofitting Legacy Code for Authorization Policy Enforcement

resource accesses

Identify candidate fingerprints by

clustering resource accesses

Resource accesses

270 API functions

430 distinct resource accesses

Retrofitting Legacy Code for Authorization Policy Enforcement

concept analysis

Instances

Features

Comparison via

hierarchical clustering

Concept analysis

Retrofitting Legacy Code for Authorization Policy Enforcement

hierarchical clustering

A

B

C

Hierarchical clustering

MapSub

Windows

Map

Window

Keyboard

Input

1

2

3

4

5

6

SetxEvent->typeToMapNotify

SetWindow->mappedToTrue

ReadWindow->firstChild

ReadWindow->nextSib

CmpWindow ≠ 0

Cmp xEvent->type==KeyPress

{A,B,C}, Ф

{A,B}, {1,2}

{C}, {6}

{A}, {1,2,3,4,5}

Ф, {1,2,3,4,5,6}

Retrofitting Legacy Code for Authorization Policy Enforcement

mining candidate fingerprints

A

B

C

Cand. Fing. 1

Cand. Fing. 2

Cand. Fing. 3

Mining candidate fingerprints

MapSub

Windows

Map

Window

Keyboard

Input

1

2

3

4

5

6

SetxEvent->typeToMapNotify

SetWindow->mappedToTrue

ReadWindow->firstChild

ReadWindow->nextSib

CmpWindow ≠ 0

Cmp xEvent->type==KeyPress

{A,B,C}, Ф

{A,B}, {1,2}

{C}, {6}

{A}, {1,2,3,4,5}

Ф, {1,2,3,4,5,6}

Retrofitting Legacy Code for Authorization Policy Enforcement

static mining results

Benchmark

LOC

Cand. Fing.

Avg. Size

ext2

4,476

18

3.7

X Server/dix

30,096

115

3.7

PennMUSH

94,014

38

1.4

Static mining: Results

Retrofitting Legacy Code for Authorization Policy Enforcement

static mining results1

Manually identified

Security-sensitive ops

Candidate

fingerprints

Benchmark

ext2

11

X Server/dix

22

Static mining: Results

18

115

Able to find at least one fingerprint

for each security-sensitive operation

Retrofitting Legacy Code for Authorization Policy Enforcement

static mining results2

Manually identified

Security-sensitive ops

Candidate

fingerprints

Benchmark

ext2

11

X Server/dix

22

Identified automatically in a few minutes

Interpretation takes just a few hours

Identified as part of

multi-year efforts

Static mining: Results

18

115

Retrofitting Legacy Code for Authorization Policy Enforcement

static mining results3

Manually identified

Security-sensitive ops

Candidate

fingerprints

Benchmark

ext2

11

18

X Server/dix

22

115

Static mining: Results
  • Associated 59 candidate fingerprints with security-sensitive operations
  • Remaining are likely security-sensitive too
  • Read Window->DrawableRec->width& ReadWindow->DrawableRec->height

Retrofitting Legacy Code for Authorization Policy Enforcement

outline5
Outline
  • Motivation
  • Problem
  • Solution
    • Fingerprints
    • Dynamic fingerprint mining
    • Static fingerprint mining with concept analysis
    • Static fingerprint mining leveraging user choice
      • DivyaMuthukumaran and Trent Jaeger

Retrofitting Legacy Code for Authorization Policy Enforcement

shortcomings that remain
Shortcomings that remain
  • Identifying security-sensitive objects is still manual
  • Hook placement suggested by fingerprints:
    • Are they “minimal”?
    • How do they compare to manually-placed hooks?

Retrofitting Legacy Code for Authorization Policy Enforcement

inferring security sensitive objects and operations
Inferring security-sensitive objects and operations
  • Idea:Follow the client-request
    • In servers, client-request determines choice.
  • “Choice”:
    • Determines which objects are selected to be operated upon.
    • Determines which operation is selected to be performed on objects.
slide66

Pr

o

g

r

a

m

A

U

se

r

A

C

o

n

ta

i

n

e

r

R

e

q

u

e

st

O

I

n

t

e

rf

a

ce

B

i

U

se

r

B

o1

o2

C

v

=

L

o

o

ku

p

(O

,

i

)

o3

D

o4

E

F

K

I

re

a

d

v

w

ri

t

e

v

H

L

J

Op1.2

Op1.1

Op1.3

Tainted variable

Security-sensitive variable

Control statement

Predicated on tainted variable

Security-sensitive operation

slide67

User

request

Lookup Function

Global

Reads

B) Identify Security-sensitive Objects(VS)

D) Security-sensitive operations

A) Identify Tainted Variables (VT)

Program

C) User-choice

Operations

slide68

clientRequeststuff =ReadRequestFromClient();

int ChangeWindowProperty(ClientPtr *c,WindowPtr * w){WindowPtr * win;PropertyPtr * pProp;err = LookupWindow(&win,stuff->window, c);  rc =  LookupProperty(&pProp, win, stuff->property, c);if (rc == BadMatch)    {/* Op 1*/pProp->name = property;pProp->format = format;pProp->data = data;pProp->size = len;    }else    { /* Op 2 */if(stuff->mode == REPLACE)       { /* Op 2.1 */pProp->data = data;pProp->size = len;pProp->format = format;       }elseif(stuff->mode == APPEND)       {/* Op 2.2 */pProp->data = data;pProp->size += len;       }    }}

slide69

Static Taint analysis

clientRequeststuff =ReadRequestFromClient();

int ChangeWindowProperty(ClientPtr* c,WindowPtr * w){WindowPtr * win;PropertyPtr * pProp;err = LookupWindow(&win,stuff->window, c);rc = LookupProperty(&pProp, win, stuff->property, c);if (rc == BadMatch)    {/* Op 1*/pProp->name = property;pProp->format = format;pProp->data = data;pProp->size = len;    }else    { /* Op 2 */if (mode == REPLACE)       { /* Op 2.1 */pProp->data = data;pProp->size = len;pProp->format = format;       }elseif(mode == APPEND)       {/* Op 2.2 */pProp->data = data;pProp->size += len;       }    }}

slide70

User

request

Lookup Function

Global

Reads

B) Identify Security-sensitive Objects(VS)

  • Retrieval of objects from containers:
  • List access (*->next pointer)
  • Array access (pointer arithmetic)

D) Security-sensitive operations

A) Identify Tainted Variables (VT)

Program

C) User-choice

Operations

slide71

List Access: LookupProperty

for (prop=win->userProps; prop; prop=prop->next {

if (prop->name == pName)

break;

*p = prop;

}

return p;

Array Access: LookupWindow

Resource res = clientTable[i]

return res;

slide72

User

request

Lookup Function

Global

Reads

B) Identify Security-sensitive Objects(VS)

D) Security-sensitive operations

A) Identify Tainted Variables (VT)

Program

C) User-choice

Operations

Def 2: A variable v∈ VS(P) if any following are true:

If it is assigned a value from a container via a lookup function using a variable v∈VT(P),

If D is true for some v’ ∈ VS(P).

c) If it is a global variable and in the set VT(P).

slide73

Technology

Detecting code patterns

Static Taint analysis

int ChangeWindowProperty(ClientPtr* c,WindowPtr * w, int mode){WindowPtr * win;PropertyPtr * pProp;err = LookupWindow(&win,stuff->window, c);rc =  LookupProperty(&pProp, win, stuff->property, c);if (rc == BadMatch)    {/* Op 1*/pProp->name = property;pProp->format = format;pProp->data = data;pProp->size = len;    }else    { /* Op 2 */if (mode == REPLACE)       { /* Op 2.1 */pProp->data = data;pProp->size = len;pProp->format = format;       }elseif(mode == APPEND)       {/* Op 2.2 */pProp->data = data;pProp->size += len;       }    }}

slide74

User

request

Lookup Function

Global

Reads

B) Identify Security-sensitive Objects(VS)

D) Security-sensitive operations

A) Identify Tainted Variables (VT)

Program

C) User-choice

Operations

slide75

int ChangeWindowProperty(ClientPtr* c,WindowPtr * w, int mode){WindowPtr * win;PropertyPtr * pProp;err = LookupWindow(&win,stuff->window, c);rc =  LookupProperty(&pProp, win, stuff->property, c);if (rc == BadMatch)    {/* Op 1*/pProp->name = property;pProp->format = format;pProp->data = data;pProp->size = len;    }else    { /* Op 2 */if(stuff->mode == REPLACE)       { /* Op 2.1 */pProp->data = data;pProp->size = len;pProp->format = format;       }elseif(stuff->mode == APPEND)       {/* Op 2.2 */pProp->data = data;pProp->size += len;       }    }}

slide76

Not- taken

Taken

Taken

Not-taken

A

C

A

B

C

D

B

D

Control Dependence Graph (CDG)

Control Flow Graph (CFG)

slide78

User

request

Lookup Function

Global

Reads

B) Identify Security-sensitive Objects(VS)

D) Security-sensitive operations

A) Identify Tainted Variables (VT)

Program

C) User-choice

Operations

results
Results

Two sets of programs:

a) With manually placed hooks: X server, postgres.

B) No manual hooks: pennmush, memcached.

comparing with manual hooks
Comparing with manual hooks
  • X Server:
    • Manual: ~200 hooks
    • Automated: ~530 hooks
  • Postgres:
    • Manual: ~370
    • Automated: ~570

What does this mean?

criteria for comparing hooks
Criteria for comparing hooks

Control dominance

Data dominance

Hooks

Criteria

summary
Summary

Fingerprints

Mining

Matching

Input_Event

Create

Destroy

Copy

Paste

Map

Can the client

receive this

Input_Event?

Retrofitting Legacy Code for Authorization Policy Enforcement

lessons for the future
Lessons for the future
  • Modifications may break software
  • Modifying executables is challenging

Modifying legacy code is non-trivial

Low-overhead runtime system for policy

enforcement on unmodified code

Retrofitting Legacy Code for Authorization Policy Enforcement

lessons for the future1
Lessons for the future
  • Type-safety violations the main problem

Soundness/completeness

hard to achieve for C

Provable guarantees with

additional runtime checks?

Retrofitting Legacy Code for Authorization Policy Enforcement

lessons for the future2
Lessons for the future

Difficult to automate failure handling

  • Failure handling is a crosscutting-concern
  • Handling failure gracefully is the main challenge

Aspect-oriented solution?

Checkpoint and rollback?

Retrofitting Legacy Code for Authorization Policy Enforcement

example x server
Example: X Server

Remote Client A

Remote Client A

Remote Client B

Remote Client B

example x server1
Example: X Server
  • Confidentiality violation

Remote Client A

GetScreen,WinA

Getscreen,WinB

WinA

GetScreen

GetScreen

WinB

Remote Client B

example x server2
Example: X Server
  • Confidentiality violation
  • Integrity violation

Remote Client A

ChangeProp, WinA

ChangeProp, WinA

ChangeProp

Remote Client A

ChangeProp

Remote Client B

Remote Client B

example x server3

Policy:

(clientA, WinA, ChangeProp)

(clientB, WinB, ChangeProp)

Example: X Server
  • Confidentiality violation
  • Integrity violation

Remote Client A

ChangeProp, WinA

ChangeProp, WinA

ChangeProp

Remote Client A

ChangeProp

Remote Client B

Remote Client B

errors in labeling traces i
Errors in labeling traces (I)

Retrofitting Legacy Code for Authorization Policy Enforcement

errors in labeling traces i1
Errors in labeling traces (I)

CREATE = Trace1 – Trace3

Retrofitting Legacy Code for Authorization Policy Enforcement

errors in labeling traces ii
Errors in labeling traces (II)

Retrofitting Legacy Code for Authorization Policy Enforcement

dealing with errors in labeling
Dealing with errors in labeling
  • Missing labels from traces:
    • “∩” operation will not discard fingerprint
    • “diff” operation may erroneously eliminate a fingerprint
  • Extra labels on traces:
    • May erroneously eliminate a fingerprint
  • Trial-and-error
    • Relabel and recompute set-equations
  • Empirically: tolerance of about 15% errors

Retrofitting Legacy Code for Authorization Policy Enforcement

comparing with manual hooks1
Comparing with manual hooks
  • Observation 1: Automated hooks tend to be finer grained
    • Finer-grained operations
    • Finer-grained objects
comparing with manual hooks2
Comparing with manual hooks
  • Observation 1: Automated hooks tend to be finer grained
    • Finer-grained operations
    • Finer-grained objects
finer grained objects
Finer-grained objects

read(pWin->firstChild->nextSib)

write(pChild->mapped)