Slide 1
Secure Programming via Visibly Pushdown Safety Games
Bill Harris, Somesh Jha, and Thomas Reps
Computer Aided Verification (CAV), 13 July 2012
Slide 2
One-slide Summary
1. Motivation: privilege-aware OS’s enable secure applications
2. Problem: privilege-aware OS’s are hard to program for
3. Solution: reduce programming for a privilege-aware OS to solving a safety game
Slide 3
Important Programs are Still Insecure
Vulnerabilities in:
• Security-critical, network-facing programs
  – tcpdump (CVE-2007-3798)
  – fetchmail (CVE-2010-0562)
  – wget (CVE-2005-3185)
• Core utilities
  – bzip2 (CVE-2010-0405)
  – gzip (CVE-2010-0001)
  – tar (CVE-2007-4476)
Slide 4
Traditional Program Security
Program is analyzed passively to ensure that it behaves securely.
Slide 5
Privilege-Aware OS’s
• OS maintains a privilege for each process
• Program actively manages its privilege by invoking security system calls (primitives)
Slide 6
Example Privilege-Aware OS’s
• Information-flow control
  – Asbestos [SOSP 2005]
  – HiStar [OSDI 2006]
  – Flume [SOSP 2007]
• Tagged memory: Wedge [NSDI 2008]
• Capabilities: Capsicum [USENIX Sec. 2010]
Slide 7
Running example: gzip
  gzip() {
    files = parse_cl;
    for (f in files)
      (in, out) = open;
      compr(in, out);
  }

  compr(in, out) {
    body;
  }
(figure label: public_leak.com, the network destination that body must not be able to write to)
Slide 8
An Informal Policy for gzip
When gzip executes body, it should only be able to read from in and write to out.
Slide 9
Capsicum: A Privilege-Aware OS
• Two levels of privilege:
  – High Capability (can open files)
  – Low Capability (cannot open files)
• Rules describing privilege:
  1. A process initially executes with the capability of its parent
  2. A process can invoke the drop system call to take Low Capability
(In FreeBSD's Capsicum the drop is cap_enter(2): capability mode cannot be left again and is inherited by children across fork. The talk abstracts this to the two levels above.)
Slide 10
Securing gzip on Capsicum
  gzip() {                       -- High Cap.
    files = parse_cl;
    for (f in files)
      (in, out) = open;
      compr(in, out);
  }

  compr(in, out) {
    drop();                      -- High Cap. -> Low Cap.
    body;                        -- Low Cap.
  }
(figure label: public_leak.com; after drop(), body can no longer reach it)

Slides 11-12 (animation of slide 10, showing the privilege at each step)
gzip executes parse_cl, the loop and open at High Cap.; compr calls drop() and executes body at Low Cap. But drop is irreversible: when compr returns, gzip is still at Low Cap., so the next iteration's open is no longer permitted. A single drop() is not a correct instrumentation for a program that loops.

Slides 13-14 (the fix)
  gzip() {                       -- High Cap.
    files = parse_cl;
    for (f in files)
      (in, out) = open;
      fork_compr(in, out);       -- parent stays at High Cap.
  }

  compr(in, out) {               -- runs in the forked child
    drop();
    body;                        -- Low Cap.
  }
The parent forks a child to run compr; only the child drops to Low Cap., so the parent keeps High Cap. for the next open.
Slide 15
Policy weaving for Capsicum (architecture diagram)
• Inputs: the Program, written by the programmer (Progrmr.), and the Policy, written by the policy writer (Pol. Wrtr.).
• The Capsicum Policy Weaver combines them into a Capsicum Program: the program instrumented with Capsicum primitives.
• The Capsicum Policy Weaver is itself produced by a Weaver Generator (our contribution, "Us") from a description of Capsicum supplied by the Capsicum developer (Capsicum Dev.).

Slide 16
The same architecture for an arbitrary privilege-aware OS: the OS developer (OS Dev.) supplies a model of the OS; the Weaver Generator turns it into an OS Policy Weaver; the weaver takes the Program and the Policy and produces the OS Program, i.e. the program instrumented with that OS's primitives.
Slide 17
Paper Contributions
1. Designed an automata-theoretic weaver generator
2. Implemented an efficient weaver generator via a scaffold-based safety-game solver
3. Experimentally evaluated practical feasibility
Slide 18
(architecture diagram of slide 16 repeated, introducing the inputs of the Weaver Generator detailed next)
Slide 19
Program: an automaton over program actions (Prog Acts), supplied by the programmer
  parse_cl -> loop -> open -> call compr -> body -> ret compr -> (back to loop)
  loop -> exit
The automaton abstracts gzip to the order in which its security-relevant actions can occur; compr has a single call site, inside the loop.
Slide 20
(architecture diagram of slide 16 repeated, introducing the Policy input detailed next)
Slide 21
Policy: an automaton over Prog Acts x Privs, supplied by the policy writer
  Privs = { High Cap, Low Cap }
The policy automaton loops on any pair (*) and moves to its error state on (open, LowCap) or (body, HighCap): a run violates the policy if open ever executes at Low Cap. (gzip would stop working) or body ever executes at High Cap. (gzip could leak).
Slide 22
(architecture diagram of slide 16 repeated, introducing the OS model detailed next)
Slide 23
OS model: a transducer over Prog Acts x Prims -> Privs, supplied by the OS developer
  Prims = { drop, fork, join }
  States: AllowHigh (initial) and AllowLow
  In AllowHigh, open executes at HighCap (transition "open / HighCap").

Slide 24
  drop moves the process from AllowHigh to AllowLow; there is no transition back.

Slide 25
  In AllowLow, open executes at LowCap (transition "open / LowCap"), which the policy of slide 21 forbids.
Slide 26
(architecture diagram of slide 16 repeated, introducing the OS Program output detailed next)
Slide 27
OS Program: the instrumentation Instr: Prog Acts -> Prims chosen by the weaver
  parse_cl   / noop
  loop       / noop
  open       / fork
  call compr / drop
  body       / noop
  ret compr  / join
Slide 28
(architecture diagram of slide 16 repeated, before the description of the weaver's game-based core)
Slide 29
Safety Games: A Quick Refresher
Slide 30
(figure: an example safety-game graph with positions a, b, c, d, e, f and moves labelled x, y, z)
Slide 31
Weaving as a Game
  Policy weaving              Safety game
  Program actions             Attacker actions
  OS primitives               Defender actions
  Correct instrumentation     Winning Defender strategy
The program (attacker) chooses which action executes next; the weaver (defender) answers with the primitive to insert at that point; the defender wins if no play ever reaches an (action, privilege) pair that the policy forbids.
Slides 32-35
The weaving game for gzip, built from the program (slide 19), the policy (slide 21) and the OS model (slides 23-25)
  Attacker moves: the program actions parse_cl, loop, open, call compr, body, ret compr
  Defender moves after each action: noop, drop, fork, join
Slides 33-34 step through plays of the game. Slide 35 highlights the winning defender strategy: parse_cl / noop, loop / noop, open / fork, call compr / drop, body / noop, ret compr / join, which is the instrumentation of slide 27.
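The following is an added example, not the authors' weaver (which works on visibly pushdown automata): a finite-state version of the gzip weaving game of slides 19-27 and 31-35, in Python. The program automaton, the forbidden (action, privilege) pairs and the primitive set are taken from the slides; the Pn state names, the rule that the chosen primitive runs right after its action, and the OS model's treatment of fork and join (fork parks the parent's privilege, join restores it) are assumptions made for this example. It builds the product game, computes the attacker's attractor of the policy-violating states, and then searches the winning region for one primitive per program action, i.e. an Instr in the sense of slide 27. A finite-state game suffices here because the abstracted gzip has one call site and no recursion; real call/return structure is what the paper's VPA game handles.

```python
"""Policy weaving for the gzip abstraction as a finite-state safety game (added example,
not the paper's weaver).  Attacker = program actions, defender = OS primitives, losing =
a policy violation.  Assumed OS model, a simplification of Capsicum: state = (privilege
of the running process, privilege of a parent that fork parked, or None)."""

HIGH, LOW = "HighCap", "LowCap"
NOOP, DROP, FORK, JOIN = "noop", "drop", "fork", "join"
PRIMS = (NOOP, DROP, FORK, JOIN)   # preference order: least instrumentation first
BAD = "BAD"                        # sink reached when the policy is violated

# Program abstraction (slide 19); the Pn state names are ours.  compr is called once.
PROGRAM = {"P0": [("parse_cl", "P1")], "P1": [("loop", "P2"), ("exit", "Pend")],
           "P2": [("open", "P3")], "P3": [("call compr", "P4")],
           "P4": [("body", "P5")], "P5": [("ret compr", "P1")], "Pend": []}
FORBIDDEN = {("open", LOW), ("body", HIGH)}   # policy (slide 21)
INIT = ("P0", (HIGH, None))                  # start with the parent's High Cap.


def os_step(state, prim):
    """Next OS state after `prim`, or None if `prim` is not applicable here."""
    priv, parked = state
    if prim == NOOP:
        return state
    if prim == DROP:                         # irreversible: nothing raises privilege
        return (LOW, parked)
    if prim == FORK and parked is None:      # child runs on; parent's privilege is parked
        return (priv, priv)
    if prim == JOIN and parked is not None:  # child finishes; parent resumes
        return (parked, None)
    return None


def build_game(prims=PRIMS):
    """attacker[(ps, os)] -> defender nodes or BAD: the attacker picks the next action,
    which runs under the current privilege.  defender[(ps', action, os)] -> {prim:
    attacker node}: the defender picks the primitive woven in right after that action."""
    attacker, defender, work = {}, {}, [INIT]
    while work:
        node = work.pop()
        if node in attacker:
            continue
        ps, os_state = node
        attacker[node] = succs = []
        for action, nxt in PROGRAM[ps]:
            if (action, os_state[0]) in FORBIDDEN:
                succs.append(BAD)
                continue
            moves = {p: (nxt, os_step(os_state, p)) for p in prims if os_step(os_state, p)}
            defender[(nxt, action, os_state)] = moves
            work.extend(moves.values())
            succs.append((nxt, action, os_state))
    return attacker, defender


def losing_region(attacker, defender):
    """Attacker's attractor of BAD: least fixpoint of 'some attacker move loses' and
    'every defender move loses'."""
    losing, changed = set(), True
    while changed:
        changed = False
        for dnode, moves in defender.items():
            if dnode not in losing and all(a in losing for a in moves.values()):
                losing.add(dnode)
                changed = True
        for anode, succs in attacker.items():
            if anode not in losing and any(s == BAD or s in losing for s in succs):
                losing.add(anode)
                changed = True
    return losing


def uniform_strategy(attacker, defender, winning, anode, instr, visited):
    """Backtracking search for one primitive per program action (slide 27's Instr)
    such that every play from `anode` stays inside the winning region."""
    if anode in visited:
        return instr
    visited = visited | {anode}
    for dnode in attacker[anode]:
        action, moves = dnode[1], defender[dnode]
        for prim in ([instr[action]] if action in instr else PRIMS):
            if prim in moves and moves[prim] in winning:
                result = uniform_strategy(attacker, defender, winning, moves[prim],
                                          {**instr, action: prim}, visited)
                if result is not None:
                    instr = result
                    break
        else:
            return None      # no primitive keeps this action inside the winning region
    return instr


def weave(prims=PRIMS):
    """Returns the instrumentation {action: primitive}, or None if no instrumentation wins."""
    attacker, defender = build_game(prims)
    winning = set(attacker) - losing_region(attacker, defender)
    if INIT not in winning:
        return None
    return uniform_strategy(attacker, defender, winning, INIT, {}, frozenset())


if __name__ == "__main__":
    print("drop only:", weave((NOOP, DROP)))   # None: drop alone loses (slides 11-12)
    for action, prim in weave().items():       # the instrumentation of slide 27
        print(f"{action:10s} / {prim}")
```

weave((NOOP, DROP)) returns None, which is the lesson of slides 11-12: once the process has dropped, no move restores High Cap. for the next open, so the attacker wins by taking the loop again. weave() with all four primitives returns fork after open, drop after call compr, join after ret compr and noop elsewhere. The attractor fixes the winning region; the order of PRIMS only decides which of several winning instrumentations the search reports first (forking at loop instead of at open also wins), and every reported one satisfies the policy.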
Slide 36
The Importance of VPA’s
• Accurately approximate the set of program paths: calls and returns are distinguished letters of a visibly pushdown alphabet, so the automaton's stack follows the program's call stack and only paths with matching calls and returns are considered
• Accurately model the relationship between OS primitives and privileges
• Modular strategies for modular instrumentations
Slide 37
Paper Contributions
1. Designed an automata-theoretic weaver generator
2. Implemented an efficient weaver generator via a scaffold-based game solver
3. Experimentally evaluated practical feasibility
Slide 38
Experiment Highlights
• Instantiated the weaver generator to a policy weaver for Capsicum
• Applied the Capsicum policy weaver to six UNIX utilities from 8 to 108 kLoC
• Found strategies in 0:05 to 2:00 (minutes:seconds)
Slide 39
Summary
1. Motivation: privilege-aware OS’s enable secure applications
2. Problem: privilege-aware OS’s are hard to program for
3. Solution: reduce programming for a privilege-aware OS to solving a safety game
Slide 40
Questions?
Slide 42
Extra Slides
Slide 44
(extra slide: the instrumented gzip automaton, with labels init, parse_cl, loop, open, fork compr, drop, body, ret compr and noop)