Policy-Directed Code Safety
David Evans
http://naccio.lcs.mit.edu
evs@sds.lcs.mit.edu
April 1999
Software Devices and Systems, MIT Lab for Computer Science
What Are You Afraid Of?
• Malicious attackers
  – Melissa Word macro virus
• Questionable “trusted” programs
  – Win95 Registration Wizard
• Buggy programs
  – Therac-25
• User mistakes/bad interfaces
  – tar -cf *
LCLint [Evans, PLDI ‘96]
• Programmers add annotations to code
• Lightweight static checking detects inconsistencies (often bugs)
• Useful, but can’t provide code safety
  – Requires source code, expertise and effort
  – Too hard to prove most properties statically
Solution Space
• Detect bad programs
  – Malicious code detector (virus scanners)
  – Digital signatures
• Platform limits on what programs can do
  – Operating system, firewalls, Java sandbox
• Naccio: alter programs before running
My Work
• General method for defining policies
  – Abstract resources
  – Platform independent
• System architecture for enforcing policies
[Diagram: Program + Safety Policy -> Safe Program]
Naccio Architecture
[Diagram, run by the policy author: Safety policy definition -> Policy compiler -> Policy description file + Policy-enforcing system library]
[Diagram, run by sysadmin or user: Program + Policy description file -> Application transformer -> Version of program that:]
• Uses policy-enforcing system library
• Satisfies low-level code safety
Platforms in development:
• JavaVM - program is collection of Java classes
• Win32 [Andrew Twyman] - Win32 executable
Related Work
• Software fault isolation [Wahbe et al, 93]
• Similar enforcement mechanisms
  – Execution monitoring [Schneider]
  – Ariel Project [Pandey, Hashii]
• Alternative: verify properties
  – Proof-carrying code [Necula, Lee]
  – Typed Assembly Language [Morrisett]
Outline
• System architecture
• Defining policies
• Enforcing policies
• Results
[Diagram: Program + Safety Policy -> Safe Program]
Example Safety Policies
• Access constraints
  – JDK policies
• Resource use limits
  – Limit number of bytes that can be written
• Application-specific policies
  – TarCustom policy
• Behavior-modifying policies
  – Soft bandwidth limit
Describing Policies
Internet Explorer 5.0 (security settings dialog)
HotJava SecurityManager:
  public class AppletSecurity extends SecurityManager {
    …
    public synchronized void checkRead(String file, URL base) {
      if (base != null) {
        if (!initACL) { initializeACLs(); }
        if (readACL == null) { return; }
        String realPath = null;
        try {
          realPath = (new File(file)).getCanonicalPath();
        } catch (IOException e) {
          throw new AppletSecurityException
            ("checkread.exception1", e.getMessage(), file);
        }
        …
      }
    }
  }
Want something:
• More expressive
• Easier to produce, understand and reason about
Problem
[Diagram: two views of the same program and system library, connected by the Platform Interface]
Policy Author’s View: Program -> System Library -> Resources (Files), with the Policy constraining the Resources
System View: Program -> System Library -> java.io.FileOutputStream.write (a) -> Disk
Safety Policy Definition
• Resource descriptions: abstract operational descriptions of resources (files, network, …)
• Platform interface: mapping between system API and abstract resources
• Resource use policy: constraints on manipulating those resources
Resource Description
  global resource RFileSystem
    openRead (file: RFile)                 Called before file is opened for reading
    openCreate (file: RFile)               Called before new file is created and opened for writing
    openWrite (file: RFile)                Called before existing file is opened for writing
    write (file: RFile, nbytes: int)       Called before nbytes are written to file
    preRead (file: RFile, nbytes: int)     Called before up to nbytes are read from file
    postRead (file: RFile, nbytes: int)    Called after nbytes were read from file
    … // other operations for observing properties of files, deleting, etc.

  resource RFile
    RFile (pathname: String)               Constructs object corresponding to pathname
Platform Interface
• The ugly part - mapping from platform system calls to resource operations
• For every system procedure either:
  – Describe its effects on resources, or
  – Pass through checking to procedures it calls.
• Platform determines procedures PFI must describe
• May describe additional methods to:
  – Improve performance and clarity
  – Treat system code differently (risky)
Java PFI Excerpt
  wrapper java.io.FileOutputStream
    requires RFileMap;
    state RFile rfile;

    wrapper void write (byte b[])
      if (rfile != null) RFileSystem.write (rfile, b.length);
      %%% // original method call

    … // wrappers needed for constructors, other write
      // methods, close and getFD
Resource Use Policy
  policy LimitWrite
    NoOverwrite, LimitBytesWritten (1000000)

  property NoOverwrite
    check RFileSystem.openWrite (file: RFile)
      violation ("Attempt to overwrite file.");
• Policy is collection of properties
• Properties attach checking code to resource operations
LimitBytesWritten Property
  stateblock TrackBytesWritten
    addfield RFileSystem.bytes_written: int = 0;
    precode RFileSystem.write (file: RFile, nbytes: int)
      bytes_written += nbytes;

  property LimitBytesWritten (n: int)
    requires TrackBytesWritten;
    check RFileSystem.write (file: RFile, nbytes: int)
      if (bytes_written > n)
        violation ("Attempt to write more than " + n + " bytes …");
Enforceable Policies
• Can enforce any policy that can be defined
• What can be defined depends on resource operations
• Resource operations depend on platform interface
  – Any manipulation done through API calls
• Cannot write policies that constrain memory and CPU usage
  – Solutions possible: insert calls
Outline
System architecture
Defining policies
• Enforcing policies
• Results
[Diagram: Program + Safety Policy -> Safe Program]
Policy Compiler
[Diagram]
Inputs:
• Safety policy definition
  – Resource descriptions
  – Platform interface (describes Java API)
  – Resource use policy
• System library: Java API classes (e.g., java.io.FileOutputStream)
Policy compiler stages: Platform independent analyses -> Platform dependent analyses and code generation
Outputs:
• Policy description file
• Policy-enforcing system library
  – Implementations of resource operations: perform checking described by resource use policy
  – Rewritten Java API classes: call abstract resource operations as directed by platform interface wrappers

Implementing Resources
Resource descriptions (RFileSystem, RFile) and resource use policy:
  stateblock TrackBytesWritten
    addfield RFileSystem.bytes_written: int;
    precode RFileSystem.write (file: RFile, nbytes: int)
      bytes_written += nbytes;

  property LimitBytesWritten (n: int)
    check RFileSystem.write (file: RFile, nbytes: int)
      if (bytes_written > n) violation ("Attempt …");

  policy LimitWrite
    NoOverwrite, LimitBytesWritten (1000000)
-> Policy compiler -> Resource implementations:
  package naccio.p253.resource;
  class RFileSystem {
    static int bytes_written = 0;
    static void write (RFile file, int nbytes) {
      bytes_written += nbytes;
      if (bytes_written > 1000000)
        Check.violation ("LimitWrite", "Attempt to write …");
    }
    …
  }
Rewriting Classes
System library class (original):
  class FileOutputStream {
    …
    public void write (byte b[]) { writeBytes (b, 0, b.length); }
  }
Platform interface:
  wrapper java.io.FileOutputStream
    state RFile rfile;
    wrapper void write (byte b[])
      if (rfile != null) RFileSystem.write (rfile, b.length);
      %%% // original method call
-> Policy compiler -> Wrapped library class:
  class FileOutputStream {
    naccio.p253.resource.RFile rfile;
    … // orig_write - same implementation as old write method
    void write (byte b[]) {
      if (rfile != null) naccio.p253.resource.RFileSystem.write (rfile, b.length);
      orig_write (b);
    }
  }
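The LimitWrite policy from the Resource Use Policy and LimitBytesWritten slides, carried through the generated resource implementation and the rewritten FileOutputStream of the last two slides, as an added Python model (not Naccio's own code, which generates Java). The in-memory "disk" set of paths, the open_write/write method names and the violates helper are assumptions made for this example.

```python
# Added example, not Naccio's own code: Python model of policy LimitWrite
# (NoOverwrite, LimitBytesWritten (1000000)); "disk" is a constructed set of paths.

class PolicyViolation(Exception):
    """Stands in for Check.violation in the generated resource implementation."""

class RFileSystem:
    """Generated implementation of the abstract RFileSystem resource."""
    LIMIT = 1_000_000        # the n in LimitBytesWritten (n)
    bytes_written = 0        # addfield from stateblock TrackBytesWritten

    @classmethod
    def open_write(cls, rfile):
        # property NoOverwrite: opening an existing file for writing is a violation
        raise PolicyViolation("Attempt to overwrite file: " + rfile)

    @classmethod
    def write(cls, rfile, nbytes):
        cls.bytes_written += nbytes              # precode RFileSystem.write
        if cls.bytes_written > cls.LIMIT:        # check RFileSystem.write
            raise PolicyViolation(f"Attempt to write more than {cls.LIMIT} bytes")

class FileOutputStream:
    """Stand-in for the original java.io.FileOutputStream: no checking at all."""
    def __init__(self, path, disk):
        self.path, self.buf = path, bytearray()
        disk.add(path)       # after construction the file exists on "disk"

    def write(self, b):
        self.buf.extend(b)

class WrappedFileOutputStream(FileOutputStream):
    """The rewritten class the policy compiler emits from the PFI wrapper."""
    def __init__(self, path, disk):
        if path in disk:                         # constructor wrapper -> openWrite
            RFileSystem.open_write(path)         # (openCreate has no checking code)
        super().__init__(path, disk)             # %%% original constructor
        self.rfile = path                        # state RFile rfile

    def write(self, b):
        if self.rfile is not None:               # wrapper void write (byte b[])
            RFileSystem.write(self.rfile, len(b))
        super().write(b)                         # %%% original method call

def violates(action):
    """True if calling the zero-argument action trips the policy."""
    try:
        action()
    except PolicyViolation:
        return True
    return False
```

Because the resource check runs before the `%%%` original call, a violating write never reaches the buffer, while the unwrapped class enforces nothing.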
Optimizations
• Only implement resource operation if it:
  – May produce a violation
  – Modifies state used elsewhere
• Only wrap library method if it:
  – Calls implemented resource operation
  – Modifies state used meaningfully
  – Alters behavior
• Simple dataflow dependency analysis
• Not done yet: inline methods and state to remove resource overhead
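The dependency analysis the Optimizations bullets describe, as an added Python sketch (not Naccio's implementation) run over a constructed policy: the operation names follow the Resource Description slide, while the field names, the TrackBytesRead stateblock and the wrapper table are assumptions.

```python
# Added example, not Naccio's own code: the "simple dataflow dependency analysis"
# behind the Optimizations slide, run on a constructed policy. Names are assumptions.

# Resource use policy as the compiler sees it.
CHECKS = {   # resource operation -> state fields its property's check reads
    "RFileSystem.openWrite": set(),              # NoOverwrite needs no state
    "RFileSystem.write": {"bytes_written"},      # LimitBytesWritten (n)
}
PRECODE = {  # resource operation -> (fields its stateblock precode reads, writes)
    "RFileSystem.write": ({"bytes_written"}, {"bytes_written"}),  # TrackBytesWritten
    "RFileSystem.postRead": ({"bytes_read"}, {"bytes_read"}),     # tracked, never checked
}
# Platform interface: library method -> resource operations its wrapper calls.
WRAPPERS = {
    "java.io.FileOutputStream.<init>": {"RFileSystem.openWrite", "RFileSystem.openCreate"},
    "java.io.FileOutputStream.write": {"RFileSystem.write"},
    "java.io.FileInputStream.read": {"RFileSystem.preRead", "RFileSystem.postRead"},
    "java.io.File.exists": {"RFileSystem.exists"},
}

def implemented_operations(checks, precode):
    """Operations that need a generated implementation: every operation with a
    check (it may produce a violation) plus, to a fixpoint, every operation whose
    precode modifies a field that an already-implemented operation reads."""
    ops = set(checks)
    used = set().union(*checks.values()) if checks else set()
    changed = True
    while changed:
        changed = False
        for op, (reads, writes) in precode.items():
            if op not in ops and writes & used:      # its state is used elsewhere
                ops.add(op)
                changed = True
            if op in ops and not reads <= used:      # its precode reads more state
                used |= reads
                changed = True
    return ops

def wrapped_methods(wrappers, ops):
    """Library methods worth wrapping: those whose wrapper calls an implemented
    operation (wrappers kept only for altered behaviour are out of scope here)."""
    return {m for m, called in wrappers.items() if called & ops}

def analyse():
    ops = implemented_operations(CHECKS, PRECODE)
    return ops, wrapped_methods(WRAPPERS, ops)
```

For LimitWrite only openWrite and write get implementations, so FileInputStream.read and File.exists stay unwrapped and cost nothing at run time.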
Application Transformer
[Diagram: Program (collection of Java classes) + Policy description file -> Platform independent transformations -> Platform dependent transformations -> Version of program that:]
1. Uses policy-enforcing library
   • Set CLASSPATH (or rename classes)
2. Satisfies low-level code safety
   • Run byte code verifier
   • Protect dynamic class loading, reflection
What’s different for Win32?
• Program is Win32 executable and DLLs
• Platform interface describes Win32 API
• Policy compiler
  – Generate DLLs instead of Java classes
• Application transformer
  – Replace DLL names in import table
  – Low-level code safety is platform-specific
    • SFI for jumps, PFI wrappers to protect memory
    • Scan for kernel traps
• Policies can be reused
Outline
System architecture
Defining policies
Enforcing policies
• Results - JavaVM
  – Preparation costs
  – Execution performance
[Diagram: Program + Safety Policy -> Safe Program]
Preparation Costs
• Policy generation
  – Time to generate policy: 1-10 minutes
  – Cost of storing policy
    • Average case: ~250 KB
• Application transformation
  – Basically free
    • Integrate into byte code verifier
    • Simple string replacements in constant pool
Performance
[Chart: Normalized Run Time (axis 0 to 7) for the FileExists, Tar and Socket benchmarks. Series: JDK-Null, Naccio-Null, JDK-JavaApplet, Naccio-JavaApplet, Naccio-JavaApplet Optimized. One off-scale bar is labelled 10.5.]
Policy Performance
[Chart: Normalized Run Time (axis 0.9 to 1.5) for the FileExists, Tar and Socket benchmarks. Series: Null, LimitWrite, TarCustom, LimitWrite-Optimized, TarCustom-Optimized.]
Contributions
• Method for defining safety policies
  – In terms of abstract resources
  – Policies may be reused on different platforms
• General architecture for code safety
  – Prototypes for Win32 and JavaVM
• Encouraging results for JavaVM
  – Minimal preparation costs
  – Enforces policies more efficiently than JDK
Future Work
• What’s left to do
  – Implementing inlining optimizations
  – Validating/synthesizing platform interface
  – Multiple threads
  – Deployment, user interface, policy authoring tools
• Applications of Naccio’s mechanisms
  – Performance, debugging, behavior modification
• Can we protect vendors as well?
  – Restrict what modifications can be done
  – Trust external components
  – Use a policy to protect copyright, distribution, etc.
Conclusion
• Supporting large class of precise safety policies important
• Naccio provides good way to define and enforce policies
• Close to being practical
http://naccio.lcs.mit.edu
Paper to appear in IEEE Security and Privacy, Oakland, May 1999.