Policy-Directed Code Safety
David Evans
evs@sds.lcs.mit.edu
April 1999
Software Devices and Systems, MIT Lab for Computer Science
2David Evans Policy-Directed Code Safety
What Are You Afraid Of?
• Malicious attackers
  – Melissa Word macro virus
• Questionable “trusted” programs
  – Win95 Registration Wizard
• Buggy programs
  – Therac-25
• User mistakes/bad interfaces
  – tar -cf *
LCLint [Evans, PLDI ’96]
• Programmers add annotations to code
• Lightweight static checking detects inconsistencies (often bugs)
• Useful, but can’t provide code safety
  – Requires source code, expertise and effort
  – Too hard to prove most properties statically
Solution Space
• Detect bad programs
  – Malicious code detector (virus scanners)
  – Digital signatures
• Platform limits on what programs can do
  – Operating system, firewalls, Java sandbox
• Naccio: alter programs before running
My Work
• General method for defining policies
  – Abstract resources
  – Platform independent
• System architecture for enforcing policies
[Diagram: Program + Safety Policy → Safe Program]
Naccio Architecture
[Diagram]
Run by policy author:
  Safety policy definition → Policy compiler → Policy description file + Policy-enforcing system library
Run by sysadmin or user:
  Program + Policy description file → Application transformer → Version of program that:
    • Uses policy-enforcing system library
    • Satisfies low-level code safety
Platforms in development:
• JavaVM - program is collection of Java classes
• Win32 [Andrew Twyman] - Win32 executable
Related Work
• Software fault isolation [Wahbe et al, 93]
• Similar enforcement mechanisms
  – Execution monitoring [Schneider]
  – Ariel Project [Pandey, Hashii]
• Alternative: verify properties
  – Proof-carrying code [Necula, Lee]
  – Typed Assembly Language [Morrisett]
Outline
• System architecture (covered)
• Defining policies
• Enforcing policies
• Results
[Diagram: Program + Safety Policy → Safe Program]
Example Safety Policies
• Access constraints
  – JDK policies
• Resource use limits
  – Limit number of bytes that can be written
• Application-specific policies
  – TarCustom policy
• Behavior-modifying policies
  – Soft bandwidth limit
Describing Policies
[Screenshot: Internet Explorer 5.0]
HotJava SecurityManager:
    public class AppletSecurity extends SecurityManager {
      …
      public synchronized void checkRead(String file, URL base) {
        if (base != null) {
          if (!initACL) { initializeACLs(); }
          if (readACL == null) { return; }
          String realPath = null;
          try {
            realPath = (new File(file)).getCanonicalPath();
          } catch (IOException e) {
            throw new AppletSecurityException
              ("checkread.exception1", e.getMessage(), file);
          }
          …
Want something:
• More expressive
• Easier to produce, understand and reason about
Problem
[Diagram]
Policy Author’s View:  Policy → Resources (Files)
System View:           Program → System Library → java.io.FileOutputStream.write (a) → Disk
Platform Interface: connects the policy author’s abstract resources to the system library calls
Safety Policy Definition
• Resource descriptions: abstract operational descriptions of resources (files, network, …)
• Platform interface: mapping between system API and abstract resources
• Resource use policy: constraints on manipulating those resources
Resource Description
    global resource RFileSystem
      openRead (file: RFile)               Called before file is opened for reading
      openCreate (file: RFile)             Called before new file is created and opened for writing
      openWrite (file: RFile)              Called before existing file is opened for writing
      write (file: RFile, nbytes: int)     Called before nbytes are written to file
      preRead (file: RFile, nbytes: int)   Called before up to nbytes are read from file
      postRead (file: RFile, nbytes: int)  Called after nbytes were read from file
      … // other operations for observing properties of files, deleting, etc.

    resource RFile
      RFile (pathname: String)             Constructs object corresponding to pathname
Platform Interface
• The ugly part - mapping from platform system calls to resource operations
• For every system procedure either:
  – Describe its effects on resources, or
  – Pass through checking to procedures it calls.
• Platform determines procedures PFI must describe
• May describe additional methods to:
  – Improve performance and clarity
  – Treat system code differently (risky)
Java PFI Excerpt
    wrapper java.io.FileOutputStream
      requires RFileMap;
      state RFile rfile;

      wrapper void write (byte b[])
        if (rfile != null) RFileSystem.write (rfile, b.length);
        %%%   // original method call

      … // wrappers needed for constructors, other write
        // methods, close and getFD
Resource Use Policy
    policy LimitWrite
      NoOverwrite, LimitBytesWritten (1000000)

    property NoOverwrite
      check RFileSystem.openWrite (file: RFile)
        violation ("Attempt to overwrite file.");

• Policy is collection of properties
• Properties attach checking code to resource operations
LimitBytesWritten Property
    stateblock TrackBytesWritten
      addfield RFileSystem.bytes_written: int = 0;
      precode RFileSystem.write (file: RFile, nbytes: int)
        bytes_written += nbytes;

    property LimitBytesWritten (n: int)
      requires TrackBytesWritten;
      check RFileSystem.write (file: RFile, nbytes: int)
        if (bytes_written > n)
          violation ("Attempt to write more than " + n + " bytes …");
Enforceable Policies
• Can enforce any policy that can be defined
• What can be defined depends on resource operations
• Resource operations depend on platform interface
  – Any manipulation done through API calls
• Cannot write policies that constrain memory and CPU usage
  – Solutions possible: insert calls
Outline
• System architecture (covered)
• Defining policies (covered)
• Enforcing policies
• Results
[Diagram: Program + Safety Policy → Safe Program]
Policy Compiler
[Diagram]
Inputs (safety policy definition):
• Resource descriptions
• Platform interface - describes Java API
• Resource use policy
• System library - Java API classes (e.g., java.io.FileOutputStream)
Stages: platform independent analyses → platform dependent analyses and code generation
Outputs:
• Policy description file
• Policy-enforcing system library
  – Implementations of resource operations: perform checking described by resource use policy
  – Rewritten Java API classes: call abstract resource operations as directed by platform interface wrappers
Implementing Resources
[Diagram: resource descriptions (RFileSystem, RFile) + resource use policy → policy compiler → resource implementations]
Resource use policy:
    policy LimitWrite
      NoOverwrite, LimitBytesWritten (1000000)

    stateblock TrackBytesWritten
      addfield RFileSystem.bytes_written: int;
      precode RFileSystem.write (file: RFile, nbytes: int)
        bytes_written += nbytes;

    property LimitBytesWritten (n: int)
      check RFileSystem.write (file: RFile, nbytes: int)
        if (bytes_written > n) violation ("Attempt …");

Generated resource implementation:
    package naccio.p253.resource;

    class RFileSystem {
      static int bytes_written = 0;
      static void write (RFile file, int nbytes) {
        bytes_written += nbytes;
        if (bytes_written > 1000000)
          Check.violation ("LimitWrite", "Attempt to write …");
      }
      …
Rewriting Classes
[Diagram: system library classes + platform interface → policy compiler → wrapped library classes]
System library class (original):
    class FileOutputStream {
      …
      public void write (byte b[]) {
        writeBytes (b, 0, b.length);
      }
    }

Platform interface:
    wrapper java.io.FileOutputStream
      state RFile rfile;
      wrapper void write (byte b[])
        if (rfile != null) RFileSystem.write (rfile, b.length);
        %%%   // original method call

Wrapped library class:
    class FileOutputStream {
      naccio.p253.resource.RFile rfile;
      …
      // orig_write – same implementation as old write method
      void write (byte b[]) {
        if (rfile != null)
          naccio.p253.resource.RFileSystem.write (rfile, b.length);
        orig_write (b);
      }
    }
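The policy-enforcing library that the compiler produces from LimitWrite (the NoOverwrite and LimitBytesWritten properties and the generated RFileSystem above) together with the rewritten FileOutputStream, as an added example that is not Naccio's code: a Python model in which RFileSystem carries the compiled checks and a FileOutputStream stand-in calls the resource operation before the original write. The in-memory DISK, the PolicyViolation class, the open_create/open_write mapping in the constructor and run_limit_write are this example's own assumptions.

```python
class PolicyViolation(Exception):
    """Raised where a property's check code calls violation(...)."""

class RFileSystem:
    # Abstract file-system resource (slide 13) with policy LimitWrite compiled in.
    bytes_written = 0   # stateblock TrackBytesWritten: addfield bytes_written
    limit = 1_000_000   # argument of LimitBytesWritten (1000000)

    @classmethod
    def reset(cls, limit=1_000_000):
        cls.bytes_written, cls.limit = 0, limit

    @classmethod
    def open_create(cls, file):
        pass  # no property attaches check code to openCreate

    @classmethod
    def open_write(cls, file):
        # property NoOverwrite: check RFileSystem.openWrite
        raise PolicyViolation("LimitWrite: Attempt to overwrite file.")

    @classmethod
    def write(cls, file, nbytes):
        cls.bytes_written += nbytes  # precode runs first, so this write counts
        if cls.bytes_written > cls.limit:  # check from LimitBytesWritten (n)
            raise PolicyViolation(f"LimitWrite: Attempt to write more than {cls.limit} bytes")

DISK = {}  # constructed in-memory stand-in for the disk: path -> bytearray

class FileOutputStream:
    # Stand-in for java.io.FileOutputStream after the policy compiler rewrote it.
    def __init__(self, path):
        self.rfile = path  # state RFile rfile
        # constructor wrapper: existing file -> openWrite, new file -> openCreate;
        # the check runs before the file is opened, so a violation never truncates
        if path in DISK:
            RFileSystem.open_write(self.rfile)
        else:
            RFileSystem.open_create(self.rfile)
        DISK[path] = bytearray()  # opening for writing truncates

    def write(self, b):
        if self.rfile is not None:
            RFileSystem.write(self.rfile, len(b))
        self.orig_write(b)  # %%% original method call

    def orig_write(self, b):  # same implementation as the old write method
        DISK[self.rfile] += b

def run_limit_write(limit, chunk, count):
    """Under LimitBytesWritten(limit): create out.bin, write count chunks, then
    try to reopen it. Returns (bytes on disk, write violation, reopen violation)."""
    RFileSystem.reset(limit)
    DISK.clear()
    stream, write_msg, reopen_msg = FileOutputStream("out.bin"), None, None
    try:
        for _ in range(count):
            stream.write(chunk)
    except PolicyViolation as v:
        write_msg = str(v)  # the rejected chunk never reached orig_write
    try:
        FileOutputStream("out.bin")  # openWrite: NoOverwrite fires
    except PolicyViolation as v:
        reopen_msg = str(v)
    return len(DISK["out.bin"]), write_msg, reopen_msg
```

Because the precode has already counted the rejected chunk, bytes_written ends above the limit, so every later write on that stream is refused as well.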
Optimizations
• Only implement resource operation if it:
  – May produce a violation
  – Modifies state used elsewhere
• Only wrap library method if it:
  – Calls implemented resource operation
  – Modifies state used meaningfully
  – Alters behavior
• Simple dataflow dependency analysis
• Not done yet: inline methods and state to remove resource overhead
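The dependency analysis behind the first two rules above, as an added example that is not Naccio's code: a Python function that decides, from a constructed description of LimitWrite and of which resource operations each Java wrapper calls, which resource operations need implementations and which library methods need wrappers. The dictionary layout, the op helper, the FileInputStream wrapper entries and the state_chain_plan variant are this example's assumptions.

```python
def plan_enforcement(ops, pfi):
    """Decide what the policy compiler must generate (first two rules of slide 23).
    ops: {resource_op: {"check": bool, "reads": set, "writes": set}}
        check  - a property attaches check code, so the op may produce a violation
        reads  - state fields read by the op's check or precode
        writes - state fields modified by the op's precode
    pfi: {library_method: set of resource ops its platform-interface wrapper calls}
    Returns (implemented resource operations, library methods that need a wrapper)."""
    # An operation is implemented if it may produce a violation ...
    implemented = {name for name, d in ops.items() if d["check"]}
    # ... or if its precode modifies state an implemented operation uses; iterate
    # to a fixed point because each newly implemented operation may read more state.
    while True:
        needed = set()
        for name in implemented:
            needed |= ops[name]["reads"]
        extra = {name for name, d in ops.items()
                 if name not in implemented and d["writes"] & needed}
        if not extra:
            break
        implemented |= extra
    # A library method is wrapped only if its wrapper calls an implemented operation
    # (the slide's other two wrapping criteria are not modelled here).
    wrapped = {m for m, called in pfi.items() if called & implemented}
    return implemented, wrapped

def op(check=False, reads=(), writes=()):
    return {"check": check, "reads": set(reads), "writes": set(writes)}

# Policy LimitWrite over the RFileSystem operations of slide 13, transcribed from
# slides 16-17: NoOverwrite checks openWrite; TrackBytesWritten's precode on write
# modifies bytes_written, which LimitBytesWritten's check reads.
LIMIT_WRITE = {
    "RFileSystem.openRead":   op(),
    "RFileSystem.openCreate": op(),
    "RFileSystem.openWrite":  op(check=True),
    "RFileSystem.write":      op(check=True, reads={"bytes_written"}, writes={"bytes_written"}),
    "RFileSystem.preRead":    op(),
    "RFileSystem.postRead":   op(),
}

# Resource operations called by each Java wrapper (FileOutputStream entries follow
# slide 15; the FileInputStream entries are this example's assumption).
JAVA_PFI = {
    "java.io.FileOutputStream.<init>": {"RFileSystem.openCreate", "RFileSystem.openWrite"},
    "java.io.FileOutputStream.write":  {"RFileSystem.write"},
    "java.io.FileInputStream.<init>":  {"RFileSystem.openRead"},
    "java.io.FileInputStream.read":    {"RFileSystem.preRead", "RFileSystem.postRead"},
}

def limit_write_plan():
    return plan_enforcement(LIMIT_WRITE, JAVA_PFI)

def state_chain_plan():
    # Constructed variant: a stateblock whose precode on openCreate counts new files
    # and whose counter the write check reads. openCreate then needs an implementation
    # although no property checks it, which the fixed-point loop discovers.
    ops = dict(LIMIT_WRITE)
    ops["RFileSystem.openCreate"] = op(writes={"files_created"})
    ops["RFileSystem.write"] = op(check=True, reads={"bytes_written", "files_created"},
                                  writes={"bytes_written"})
    return plan_enforcement(ops, JAVA_PFI)
```

For LimitWrite only openWrite and write get implementations, so the two FileInputStream wrappers are dropped and reads run at native speed.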
Application Transformer
[Diagram: Program (collection of Java classes) + Policy description file → platform independent transformations → platform dependent transformations → transformed program]
Version of program that:
1. Uses policy-enforcing library
   • Set CLASSPATH (or rename classes)
2. Satisfies low-level code safety
   • Run byte code verifier
   • Protect dynamic class loading, reflection
What’s different for Win32?
• Program is Win32 executable and DLLs
• Platform interface describes Win32 API
• Policy compiler
  – Generate DLLs instead of Java classes
• Application transformer
  – Replace DLL names in import table
  – Low-level code safety is platform-specific
    • SFI for jumps, PFI wrappers to protect memory
    • Scan for kernel traps
• Policies can be reused
Outline
• System architecture (covered)
• Defining policies (covered)
• Enforcing policies (covered)
• Results - JavaVM
  – Preparation costs
  – Execution performance
[Diagram: Program + Safety Policy → Safe Program]
Preparation Costs
• Policy generation
  – Time to generate policy: 1-10 minutes
  – Cost of storing policy
    • Average case: ~250 KB
• Application transformation
  – Basically free
    • Integrate into byte code verifier
    • Simple string replacements in constant pool
Performance
[Chart: normalized run time (y-axis 0 to 7) for the FileExists, Tar and Socket benchmarks; series JDK-Null, Naccio-Null, JDK-JavaApplet, Naccio-JavaApplet, Naccio-JavaApplet Optimized; one bar exceeds the axis and is labelled 10.5]
Policy Performance
[Chart: normalized run time (y-axis 0.9 to 1.5) for the FileExists, Tar and Socket benchmarks; series Null, LimitWrite, TarCustom, LimitWrite-Optimized, TarCustom-Optimized]
Contributions
• Method for defining safety policies
  – In terms of abstract resources
  – Policies may be reused on different platforms
• General architecture for code safety
  – Prototypes for Win32 and JavaVM
• Encouraging results for JavaVM
  – Minimal preparation costs
  – Enforces policies more efficiently than JDK
Future Work
• What’s left to do
  – Implementing inlining optimizations
  – Validating/synthesizing platform interface
  – Multiple threads
  – Deployment, user interface, policy authoring tools
• Applications of Naccio’s mechanisms
  – Performance, debugging, behavior modification
• Can we protect vendors as well?
  – Restrict what modifications can be done
  – Trust external components
  – Use a policy to protect copyright, distribution, etc.
Conclusion
• Supporting large class of precise safety policies important
• Naccio provides good way to define and enforce policies
• Close to being practical
http://naccio.lcs.mit.edu
Paper to appear in IEEE Security and Privacy, Oakland, May 1999.
END
[Backup slides 34-35: repeat of the Problem diagram (slide 11) and of the Performance chart (slide 28); in this copy the off-scale bar is labelled 10.6]