1 / 35

Mining Security-Sensitive Operations in Legacy Code

This paper discusses the challenges and solutions of mining security-sensitive operations in legacy code through concept analysis. It explores the retrofitting process for authorization policy enforcement and provides case studies in real-world servers.

waynew
Download Presentation

Mining Security-Sensitive Operations in Legacy Code

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Mining Security-SensitiveOperations in Legacy Code 29th ICSE, Minneapolis, Minnesota May 25th, 2007

  2. The X Window system REMOTE LOCAL Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  3. REMOTE LOCAL Malicious remote X client Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  4. REMOTE LOCAL Undesirable information flow Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  5. Desirable information flow REMOTE LOCAL Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  6. Operation request Response Allowed? YES/NO Retrofitting the X server X client X server Reference monitor • Subject: Alice • Object: Bob_Window • Security-sensitive operation: Input_Event Authorization policy Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  7. Retrofitting for authorization • Mandatory access control for Linux • Linux Security Modules [Wright et al.,’02] • SELinux [Loscocco and Smalley,’01] • Secure windowing systems • Trusted X,Compartmented-mode workstation, X11/SELinux [Epstein et al.,’90][Berger et al.,’90][Kilpatrick et al.,’03] • Java Virtual Machine/SELinux [Fletcher,‘06] • IBM Websphere/SELinux [Hocking et al.,‘06] Painstaking, manual procedure Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  8. Contributions • Mining security-sensitive operations via concept analysis • Application to real-world servers • ext2 file system • X11 server • PennMUSH Static analyses to retrofit legacy code for authorization policy enforcement Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  9. Outline • Motivation • Challenges • Solution • Case studies • Conclusion Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  10. Security-sensitive operations Source Code Input_Event Create Destroy Copy Paste Map Can the client receive this Input_Event? Retrofitting lifecycle • Identify security-sensitive operations • Locate where they are performed in code • Instrument these locations Policy checks Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  11. Problems Time-consuming • X11/SELinux ~ 2 years [Kilpatrick et al., ‘03] • Linux Security Modules ~ 2 years [Wright et al., ‘02] • Violation of complete mediation • Time-of-check to Time-of-use bugs [Zhang et al., ‘02][Jaeger et al., ‘04] Error-prone Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  12. Security-sensitive operations Source Code Input_Event Create Destroy Copy Paste Map Can the client receive this Input_Event? Our contributions Fingerprints Mining Matching Focus of this work [IEEE S&P 2006] Policy checks Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  13. Outline • Motivation • Challenges • Solution • Fingerprints • Matching fingerprints • Mining fingerprints • Case studies • Conclusion Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  14. What are fingerprints? • Resource accesses that are unique to a security-sensitive operation • Denote key steps needed to perform the security-sensitive operation on a resource Code-level signatures of security-sensitive operations Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  15. Security-sensitive operations Source Code Input_Event Create Destroy Copy Paste Map Examples of fingerprints • Input_Event :- Cmp xEvent->type == KeyPress Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  16. Examples of fingerprints • Input_Event :- Cmp xEvent->type == KeyPress • Input_Event :- Cmp xEvent->type == MouseMove • Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0 Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  17. Fingerprint matching • Enumerate :- ReadWindow->firstChild& • ReadWindow->nextSib& • CmpWindow ≠ 0 • X server function MapSubWindows MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) { ... // Code that maps each child window ... } } Performs Enumerate Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  18. Placing authorization checks • X server function MapSubWindows MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows if CHECK(pClient,pParent,Enumerate) == ALLOWED { pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) { ... // Code that maps each child window ... } } else { HANDLE_FAILURE } } Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  19. Security-sensitive operations Source Code Input_Event Create Destroy Copy Paste Map Fingerprint mining • Resources • Window • xEvent • Cmp xEvent->type == KeyPress • ReadWindow->firstChild & • ReadWindow->nextSib & • CmpWindow ≠ 0 Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  20. Straw-man solution I • Finest level of granularity • Cmp xEvent->type == KeyPress • ReadWindow->firstChild • ReadWindow->nextSib • CmpWindow ≠ 0 Each resource access is a fingerprint Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  21. Problem with this solution • Cmp xEvent->type == KeyPress • ReadWindow->firstChild • ReadWindow->nextSib • CmpWindow ≠ 0 Difficult to write and maintain policies at this level of granularity Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  22. Straw-man solution II • Coarsest level of granularity • CallMapSubWindows • CallMapWindow • Write policies allowing/disallowing the use of an API call Each API call is a fingerprint Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  23. Problem with this solution • Call MapSubWindows • Enumerates child windows and maps them to the screen • Call MapWindows • Maps a window onto the screen Does not reflect actual resource accesses performed by API call Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  24. Our solution • Each API entry point implicitly defines a set of resource accesses • Cluster resource accesses based upon the API entry points that perform them Cluster resource accesses that always happen together Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  25. Clustering resource accesses Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  26. Instances Features Clustering using concept analysis Concept analysis Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  27. A B C Concept analysis MapSub Windows Map Window Keyboard Input 1 2 3 4 5 6 SetxEvent->typeToMapNotify SetWindow->mappedToTrue ReadWindow->firstChild ReadWindow->nextSib CmpWindow ≠ 0 Cmp xEvent->type==KeyPress {A,B,C}, Ф {A,B}, {1,2} {C}, {6} {A}, {1,2,3,4,5} Ф, {1,2,3,4,5,6} Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  28. A B C Fingerprint 1 Fingerprint 2 Fingerprint 3 Mining fingerprints MapSub Windows Map Window Keyboard Input 1 2 3 4 5 6 SetxEvent->typeToMapNotify SetWindow->mappedToTrue ReadWindow->firstChild ReadWindow->nextSib CmpWindow ≠ 0 Cmp xEvent->type==KeyPress {A,B,C}, Ф {A,B}, {1,2} {C}, {6} {A}, {1,2,3,4,5} Ф, {1,2,3,4,5,6} Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  29. Outline • Motivation • Challenges • Solution • Case studies • Conclusion Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  30. Software LOC Fingerprints Avg. Size ext2 4,476 18 3.7 X Server/dix 30,096 115 3.7 PennMUSH 94,014 38 1.4 Results on case studies Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  31. Results on case studies Manually identified Security-sensitive ops Benchmark Fingerprints ext2 11 18 X Server/dix 22 115 Able to find at least one fingerprint for each security-sensitive operation Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  32. Identified automatically in a few minutes Identified as part of multi-year efforts Results on case studies Manually identified Security-sensitive ops Benchmark Fingerprints ext2 11 18 X Server/dix 22 115 Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  33. 18 115 Results on case studies • Associated 59 candidate fingerprints with security-sensitive operations • Remaining are likely security-sensitive too Manually identified Security-sensitive ops Benchmark Fingerprints ext2 11 X Server/dix 22 • Read Window->DrawableRec->width& ReadWindow->DrawableRec->height Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  34. Summary • Fingerprints • Fingerprint mining with concept analysis • Results: • Mined fingerprints for security-sensitive operations in ext2, X server and PennMUSH Static approach to retrofit legacy code for authorization policy enforcement Mining Security-Sensitive Operations in Legacy Code using Concept Analysis

  35. Mining Security-Sensitive Operations in Legacy Code

More Related