for reliable, available, and secure software · -and avoid delayed use of security-critical patches...
TRANSCRIPT
![Page 1: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/1.jpg)
Programming Languages and Analysesfor
Reliable, Available, and Secure Software
Michael HicksUniversity of Maryland,
College Park
Tuesday, September 25, 2012
![Page 2: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/2.jpg)
Software runs the world
2
Tuesday, September 25, 2012
![Page 3: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/3.jpg)
Software runs the world
• We (sometimes indirectly) interact with devices running (lots of) software every day
2
Tuesday, September 25, 2012
![Page 4: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/4.jpg)
Software runs the world
• We (sometimes indirectly) interact with devices running (lots of) software every day■ Desktops, laptops, routers, smartphones, tablets
2
Tuesday, September 25, 2012
![Page 5: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/5.jpg)
Software runs the world
• We (sometimes indirectly) interact with devices running (lots of) software every day■ Desktops, laptops, routers, smartphones, tablets
■ Coffee makers, TVs, energy meters, medical devices
2
Tuesday, September 25, 2012
![Page 6: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/6.jpg)
Software runs the world
• We (sometimes indirectly) interact with devices running (lots of) software every day■ Desktops, laptops, routers, smartphones, tablets
■ Coffee makers, TVs, energy meters, medical devices
■ Cars, aircraft, weapon systems, nuclear centrifuges
2
Tuesday, September 25, 2012
![Page 7: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/7.jpg)
Software failures are disruptive
3
Tuesday, September 25, 2012
![Page 8: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/8.jpg)
Software failures are disruptive
• 3/11: Mizuho FG’s ATM system goes down
■ 5,600 machines offline for 24 hours
3
Tuesday, September 25, 2012
![Page 9: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/9.jpg)
Software failures are disruptive
• 3/11: Mizuho FG’s ATM system goes down
■ 5,600 machines offline for 24 hours
• 8/10: Toyota Prius brakes fail due to software glitch
■ Ford also issues patch for similar problem
3
Tuesday, September 25, 2012
![Page 10: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/10.jpg)
Software failures are disruptive
• 3/11: Mizuho FG’s ATM system goes down
■ 5,600 machines offline for 24 hours
• 8/10: Toyota Prius brakes fail due to software glitch
■ Ford also issues patch for similar problem
• 6/10: Stuxnet malware
■ Exploits flaws in industrial control systems
3
Tuesday, September 25, 2012
![Page 11: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/11.jpg)
Software failures are disruptive
• 3/11: Mizuho FG’s ATM system goes down
■ 5,600 machines offline for 24 hours
• 8/10: Toyota Prius brakes fail due to software glitch
■ Ford also issues patch for similar problem
• 6/10: Stuxnet malware
■ Exploits flaws in industrial control systems
• 3/08: Heartland exposes 134M credit cards
■ SQL injection used to install spyware
3
Tuesday, September 25, 2012
![Page 12: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/12.jpg)
Software failures are disruptive
• 3/11: Mizuho FG’s ATM system goes down
■ 5,600 machines offline for 24 hours
• 8/10: Toyota Prius brakes fail due to software glitch
■ Ford also issues patch for similar problem
• 6/10: Stuxnet malware
■ Exploits flaws in industrial control systems
• 3/08: Heartland exposes 134M credit cards
■ SQL injection used to install spyware
• 8/07: LAX offline due to faulty network card
■ 17,000 planes grounded for eight hours
3
Tuesday, September 25, 2012
![Page 13: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/13.jpg)
Software failures are disruptive
• 3/11: Mizuho FG’s ATM system goes down
■ 5,600 machines offline for 24 hours
• 8/10: Toyota Prius brakes fail due to software glitch
■ Ford also issues patch for similar problem
• 6/10: Stuxnet malware
■ Exploits flaws in industrial control systems
• 3/08: Heartland exposes 134M credit cards
■ SQL injection used to install spyware
• 8/07: LAX offline due to faulty network card
■ 17,000 planes grounded for eight hours
• 8/03: Northeast, multi-state blackout
■ Race condition in power plant management software cascades
3
Tuesday, September 25, 2012
![Page 14: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/14.jpg)
• Typically require restarting the program
• interrupts active users / processing
• makes services unavailable
4
Software updates are disruptive too
Tuesday, September 25, 2012
![Page 15: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/15.jpg)
• Typically require restarting the program
• interrupts active users / processing
• makes services unavailable
4
Software updates are disruptive too
Tuesday, September 25, 2012
![Page 16: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/16.jpg)
• Typically require restarting the program
• interrupts active users / processing
• makes services unavailable
4
Software updates are disruptive too
Tuesday, September 25, 2012
![Page 17: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/17.jpg)
• Typically require restarting the program
• interrupts active users / processing
• makes services unavailable
4
Software updates are disruptive too
Tuesday, September 25, 2012
![Page 18: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/18.jpg)
• Typically require restarting the program
• interrupts active users / processing
• makes services unavailable
4
Software updates are disruptive too
Tuesday, September 25, 2012
![Page 19: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/19.jpg)
Programming LanguagesA vehicle to a solution
• The language facilitates and constrains software’s implementation■ To make it easy to implement a given design
■ While discouraging/disallowing poor coding idioms
• Software tools can play a similar role■ Enforce/encourage good coding practice
■ Simplify addition of useful features
■ Apply to existing software in existing languages
5
Tuesday, September 25, 2012
![Page 20: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/20.jpg)
My research
• Tackles problems of software■ reliability: software does what it should
■ security: software free from vulnerability
■ availability: avoid downtime by updating on the fly
- and avoid delayed use of security-critical patches and upgrades
• Two-pronged approach■ Formalize and prove key idea is correct
■ Implement and evaluate idea on real software
- Using existing software, or write new software in new language6
Tuesday, September 25, 2012
![Page 21: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/21.jpg)
Roadmap
• Dynamic software updating (DSU)■ Kitsune: Flexible and Efficient DSU for C programs
• Program analysis for security and reliability■ Knowledge-based security: quantitatively tracking
information
• Quick tour of some other work
7
Tuesday, September 25, 2012
![Page 22: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/22.jpg)
Dynamic Software Updating (DSU)
8
Tuesday, September 25, 2012
![Page 23: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/23.jpg)
Dynamic Software Updating (DSU)
• Goal: Update programs while they run ■ Avoid interruptions
- Overwhelming number of security breaches due to unpatched software
■ Preserve critical program state
8
Tuesday, September 25, 2012
![Page 24: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/24.jpg)
Dynamic Software Updating (DSU)
• Goal: Update programs while they run ■ Avoid interruptions
- Overwhelming number of security breaches due to unpatched software
■ Preserve critical program state
• Useful for:■ Non-stop services
- E.g., Financial processing, air traffic control, network infrastructure
■ Programs with long-lived connections
- E.g., OpenSSH and media streaming
■ Long-running programs with large in-memory state
- E.g., operating systems, caching servers, in-memory databases
8
Tuesday, September 25, 2012
![Page 25: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/25.jpg)
Dynamic Software Updating (DSU)
• Run program at the old version
• At some point update to the new version, preserving and updating existing program state
• existing connections, important data on the stack and heap, program counter, ...
Tuesday, September 25, 2012
![Page 26: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/26.jpg)
Dynamic Software Updating (DSU)
• Run program at the old version
• At some point update to the new version, preserving and updating existing program state
• existing connections, important data on the stack and heap, program counter, ...
v0 process
Update
Tuesday, September 25, 2012
![Page 27: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/27.jpg)
Dynamic Software Updating (DSU)
• Run program at the old version
• At some point update to the new version, preserving and updating existing program state
• existing connections, important data on the stack and heap, program counter, ...
v0 process
v0 state Update
Tuesday, September 25, 2012
![Page 28: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/28.jpg)
Dynamic Software Updating (DSU)
• Run program at the old version
• At some point update to the new version, preserving and updating existing program state
• existing connections, important data on the stack and heap, program counter, ...
v1 code
v0 process
v0 state Update
Tuesday, September 25, 2012
![Page 29: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/29.jpg)
Dynamic Software Updating (DSU)
• Run program at the old version
• At some point update to the new version, preserving and updating existing program state
• existing connections, important data on the stack and heap, program counter, ...
v1 code
v0 process
v0 state transformed stateUpdate
Tuesday, September 25, 2012
![Page 30: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/30.jpg)
upd. process
Dynamic Software Updating (DSU)
• Run program at the old version
• At some point update to the new version, preserving and updating existing program state
• existing connections, important data on the stack and heap, program counter, ...
v1 code
v0 process
v0 state transformed state
Tuesday, September 25, 2012
![Page 31: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/31.jpg)
Many forms of DSU now mainstream
10
Tuesday, September 25, 2012
![Page 32: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/32.jpg)
Many forms of DSU now mainstream
language run-times
10
Tuesday, September 25, 2012
![Page 33: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/33.jpg)
Many forms of DSU now mainstream
language run-times app. tools
10
Tuesday, September 25, 2012
![Page 34: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/34.jpg)
Many forms of DSU now mainstream
language run-times app. tools OSes
10
Bought byOracle in
2011
Tuesday, September 25, 2012
![Page 35: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/35.jpg)
DSU research challenges
• Which mechanisms should we use to update a running program/service?■ Compilers, binary rewriters, run-time systems, VMs,
process migration, ...
• How do we ensure a dynamic update is correct?■ Formal specifications, static analyses, testing tools, ...
• How do we balance various competing concerns?■ Flexibility, efficiency, ease-of-use, portability, ...
11
Tuesday, September 25, 2012
![Page 36: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/36.jpg)
Our research in DSU
• We have thoroughly researched these questions■ We have built DSU implementations for C and Java
[PLDI’06, PLDI‘09x2, HotSWUp’10, OOPSLA’12]
■ We have experience performing dozens of real-world updates on a wide variety of programs
■ We have developed methods for systematic testing and static analysis to reason about dynamic updates [POPL’05, TOPLAS’07, POPL’08, HotSWUp’10, VSTTE’12]
■ We have developed and empirically validated a variety of automatic safety checks for ensuring safety [TSE’11]
• Next: Kitsune, new DSU system for C [OOPSLA’12]
12
Tuesday, September 25, 2012
![Page 37: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/37.jpg)
DSU state of the art: Transparency
• Goal: work on any program, with no changes
• Assessment: Laudable, but highly impractical■ At odds with the reasons people use C
- Control over low-level data representations, explicit resource management, legacy code, high performance
■ Empirical study shows existing transparent update approaches allow incorrect updates [TSE’11]
■ Not as transparent as they seem
- Often requires refactoring to permit future updates
- and/or requires satisfying a conservative static pointer analysis
13
Tuesday, September 25, 2012
![Page 38: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/38.jpg)
New approach: Kitsune
• Favors explicitness over transparency■ Kitsune treats DSU is a program feature and helps
developers implement and maintain it as such
• Having the developer orchestrate DSU allows:■ simpler DSU mechanisms
■ easier developer reasoning
■ full flexibility
■ better performance and control
• Principle: Pay for what you use■ Design carefully builds on lessons from earlier work
14
Kitsune (fox) - a shapeshifter accordingto Japanese folklore
Tuesday, September 25, 2012
![Page 39: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/39.jpg)
Results
• Applied Kitsune to six open-source programs■ memcached, redis, icecast, snort: 3-6 mos. of releases
■ Tor, vsftpd: 2, and 4, years of releases, respectively
• Performance overhead in the noise
• Update times typically less than 40ms
• Programmer effort manageable■ 50-160 LOC per program (largely one-time effort)
- Program sizes from 5KLOC up to 220KLOC
■ 27-200 LOC of xfgen specs across all releases
- xfgen is our DSL for writing state transformer functions15
Tuesday, September 25, 2012
![Page 40: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/40.jpg)
Kitsune: whole-program updates
16
driver
Tuesday, September 25, 2012
![Page 41: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/41.jpg)
Kitsune: whole-program updates
16
driver main()
ver 1
1. Load first version
Tuesday, September 25, 2012
![Page 42: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/42.jpg)
Kitsune: whole-program updates
16
driver main()
ver 1
1. Load first version2. Run it
Tuesday, September 25, 2012
![Page 43: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/43.jpg)
Kitsune: whole-program updates
16
driver main()
ver 1
state
1. Load first version2. Run it
Tuesday, September 25, 2012
![Page 44: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/44.jpg)
Kitsune: whole-program updates
16
driver main()
ver 1
state
1. Load first version2. Run it3. Call back to driver when update ready
Tuesday, September 25, 2012
![Page 45: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/45.jpg)
Kitsune: whole-program updates
16
driver main()
ver 1
state
main()
ver 2
1. Load first version2. Run it3. Call back to driver when update ready4. Load second version
Tuesday, September 25, 2012
![Page 46: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/46.jpg)
Kitsune: whole-program updates
16
driver main()
ver 1
state
main()
ver 2
1. Load first version2. Run it3. Call back to driver when update ready4. Load second version
Tuesday, September 25, 2012
![Page 47: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/47.jpg)
Kitsune: whole-program updates
16
driver main()
ver 1
main()
ver 2
state
1. Load first version2. Run it3. Call back to driver when update ready4. Load second version5. Migrate and transform state
Tuesday, September 25, 2012
![Page 48: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/48.jpg)
Kitsune: whole-program updates
16
driver main()
ver 2
state
1. Load first version2. Run it3. Call back to driver when update ready4. Load second version5. Migrate and transform state6. Free up old resources
Tuesday, September 25, 2012
![Page 49: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/49.jpg)
Kitsune: whole-program updates
16
driver main()
ver 2
state
1. Load first version2. Run it3. Call back to driver when update ready4. Load second version5. Migrate and transform state6. Free up old resources7. Continue with new version
Tuesday, September 25, 2012
![Page 50: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/50.jpg)
Kitsune build process
17
Summary:• For each source file
• replace gcc -c with composition of kitc and gcc• Add -shared flag to linker and include kit-rt.a•Allows us to update the entire program at once
.c.c
.ckitc gcc -c
-fPIC
-fvis...=
gcc
-shared
.c.c
.c
.c.c
.o
.so
kit-rt.a
Tuesday, September 25, 2012
![Page 51: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/51.jpg)
Programmer obligations
• To implement DSU as a program feature, Kitsune requires the programmer to:■ Choose update points: where updates may take place
■ Code for data migration: Identify the state to be transformed, and where it should be received in the new code
■ Code for control migration: Ensure execution reaches the right event loop when the new version restarts
18
Tuesday, September 25, 2012
![Page 52: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/52.jpg)
Example single-threaded server
19
typedef int data;data *mapping;int l_fd;void client_loop() { int cl_fd = get_conn(l_fd); while (1) { // ... process client requests } }int main() { mapping = malloc(...); l_fd = setup_conn(); while (1) { client_loop(); } }
before modificationTuesday, September 25, 2012
![Page 53: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/53.jpg)
Example single-threaded server
20
typedef int data;data *mapping;int l_fd;void client_loop() { int cl_fd = get_conn(l_fd); while (1) {
// ... process client requests} }int main() {
mapping = malloc(...); l_fd = setup_conn();
while (1) { client_loop(); }}
after modification for KitsuneTuesday, September 25, 2012
![Page 54: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/54.jpg)
Example single-threaded server
20
typedef int data;data *mapping;int l_fd;void client_loop() { int cl_fd = get_conn(l_fd); while (1) {
// ... process client requests} }int main() {
mapping = malloc(...); l_fd = setup_conn();
while (1) { client_loop(); }}
after modification for Kitsune
1. Choose update points One per long running loop
Tuesday, September 25, 2012
![Page 55: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/55.jpg)
Example single-threaded server
20
typedef int data;data *mapping;int l_fd;void client_loop() { int cl_fd = get_conn(l_fd); while (1) {
// ... process client requests} }int main() {
mapping = malloc(...); l_fd = setup_conn();
while (1) { client_loop(); }}
after modification for Kitsune
kitsune_update("main");
1. Choose update points One per long running loop
Tuesday, September 25, 2012
![Page 56: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/56.jpg)
Example single-threaded server
20
typedef int data;data *mapping;int l_fd;void client_loop() { int cl_fd = get_conn(l_fd); while (1) {
// ... process client requests} }int main() {
mapping = malloc(...); l_fd = setup_conn();
while (1) { client_loop(); }}
after modification for Kitsune
kitsune_update("main");
kitsune_update("client");
1. Choose update points One per long running loop
Tuesday, September 25, 2012
![Page 57: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/57.jpg)
Example single-threaded server
20
typedef int data;data *mapping;int l_fd;void client_loop() { int cl_fd = get_conn(l_fd); while (1) {
// ... process client requests} }int main() {
mapping = malloc(...); l_fd = setup_conn();
while (1) { client_loop(); }}
after modification for Kitsune
kitsune_update("main");
kitsune_update("client");
2. Add data migration code Globals migrated by default Initiate at start of main()
Tuesday, September 25, 2012
![Page 58: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/58.jpg)
Example single-threaded server
20
typedef int data;data *mapping;int l_fd;void client_loop() { int cl_fd = get_conn(l_fd); while (1) {
// ... process client requests} }int main() {
mapping = malloc(...); l_fd = setup_conn();
while (1) { client_loop(); }}
after modification for Kitsune
kitsune_update("main");
kitsune_update("client");
kitsune_do_automigrate();
// automigrated// automigrated
2. Add data migration code Globals migrated by default Initiate at start of main()
Tuesday, September 25, 2012
![Page 59: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/59.jpg)
Example single-threaded server
20
typedef int data;data *mapping;int l_fd;void client_loop() { int cl_fd = get_conn(l_fd); while (1) {
// ... process client requests} }int main() {
mapping = malloc(...); l_fd = setup_conn();
while (1) { client_loop(); }}
after modification for Kitsune
kitsune_update("main");
kitsune_update("client");
kitsune_do_automigrate();
// automigrated// automigrated
3. Add control migration code Avoid reinitialization Redirect control to update point
Tuesday, September 25, 2012
![Page 60: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/60.jpg)
Example single-threaded server
20
typedef int data;data *mapping;int l_fd;void client_loop() { int cl_fd = get_conn(l_fd); while (1) {
// ... process client requests} }int main() {
mapping = malloc(...); l_fd = setup_conn();
while (1) { client_loop(); }}
after modification for Kitsune
kitsune_update("main");
kitsune_update("client");
if (!kitsune_is_updaFng()) {
}
kitsune_do_automigrate();
// automigrated// automigrated
3. Add control migration code Avoid reinitialization Redirect control to update point
Tuesday, September 25, 2012
![Page 61: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/61.jpg)
Example single-threaded server
20
typedef int data;data *mapping;int l_fd;void client_loop() { int cl_fd = get_conn(l_fd); while (1) {
// ... process client requests} }int main() {
mapping = malloc(...); l_fd = setup_conn();
while (1) { client_loop(); }}
after modification for Kitsune
kitsune_update("main");
kitsune_update("client");
if (!kitsune_is_updaFng()) {
}
kitsune_do_automigrate();
if (kitsune_is_updaFng_from (“client”)) { client_loop(); }
// automigrated// automigrated
3. Add control migration code Avoid reinitialization Redirect control to update point
Tuesday, September 25, 2012
![Page 62: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/62.jpg)
Example single-threaded server
20
typedef int data;data *mapping;int l_fd;void client_loop() { int cl_fd = get_conn(l_fd); while (1) {
// ... process client requests} }int main() {
mapping = malloc(...); l_fd = setup_conn();
while (1) { client_loop(); }}
after modification for Kitsune
kitsune_update("main");
kitsune_update("client");
if (!kitsune_is_updaFng()) {
}
kitsune_do_automigrate();
if (kitsune_is_updaFng_from (“client”)) { client_loop(); }
// automigrated// automigrated
We also support migration of localsGeneralizes to multi-threaded programs
Tuesday, September 25, 2012
![Page 63: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/63.jpg)
Migrating and transforming state
• State may need to be transformed to work with the new program■ Transformation piggybacks on top of migration
21
typedef int data;data *mapping;old typedef char *data;
data *mapping; new
Tuesday, September 25, 2012
![Page 64: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/64.jpg)
Migrating and transforming state
• State may need to be transformed to work with the new program■ Transformation piggybacks on top of migration
21
For each value x of type data in the running programand its corresponding loca6on p in the new program do *p = malloc(N); snprin5(*p,N,”%d”,x);end
Xform
typedef int data;data *mapping;old typedef char *data;
data *mapping; new
Tuesday, September 25, 2012
![Page 65: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/65.jpg)
Migrating and transforming state
• State may need to be transformed to work with the new program■ Transformation piggybacks on top of migration
21
For each value x of type data in the running programand its corresponding loca6on p in the new program do *p = malloc(N); snprin5(*p,N,”%d”,x);end
Xform
typedef int data;data *mapping;old typedef char *data;
data *mapping; new
new::mapsz = old::mapsz;new::mapping = malloc(new::mapsz*sizeof(char*));for (int i=0;i<new::mapsz;i++) { old::data x = old::mapping[i]; new::data *p = &new::mapping[i]; *p = malloc(N); snprinJ(*p,N,”%d”,x);}
Tuesday, September 25, 2012
![Page 66: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/66.jpg)
Migrating and transforming state
• State may need to be transformed to work with the new program■ Transformation piggybacks on top of migration
21
For each value x of type data in the running programand its corresponding loca6on p in the new program do *p = malloc(N); snprin5(*p,N,”%d”,x);end
Xform
typedef int data;data *mapping;old typedef char *data;
data *mapping; new
new::mapsz = old::mapsz;new::mapping = malloc(new::mapsz*sizeof(char*));for (int i=0;i<new::mapsz;i++) { old::data x = old::mapping[i]; new::data *p = &new::mapping[i]; *p = malloc(N); snprinJ(*p,N,”%d”,x);}
Xfgen tool• Require programmer to write relevant xform code using high-level specs• Automate generation of transformation code
•requires some additional type annotations
Tuesday, September 25, 2012
![Page 67: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/67.jpg)
Migrating and transforming state
• State may need to be transformed to work with the new program■ Transformation piggybacks on top of migration
21
Xform
typedef int data;data *mapping;old typedef char *data;
data *mapping; new
typedef data → typedef data: { $out = malloc(N); snprintf($out, N, “%d”, $in);}
Tuesday, September 25, 2012
![Page 68: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/68.jpg)
Using Kitsune and xfgen
22
.c.c
.ckitc gcc -c
-fPIC
-fvis...=
gcc
-sharedxfgen
.c.c
.ts
.xf
.c.c
.c
.c.c
.o
.so
st.c rt.a
.c.c
.ts
(old)
Tuesday, September 25, 2012
![Page 69: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/69.jpg)
Using Kitsune and xfgen
22
• Transformation specs in per-update .xf file• Linked in with new version and invoked by kitsune_do_automigrate() and MIGRATE_LOCAL()
.c.c
.ckitc gcc -c
-fPIC
-fvis...=
gcc
-sharedxfgen
.c.c
.ts
.xf
.c.c
.c
.c.c
.o
.so
st.c rt.a
.c.c
.ts
(old)
Tuesday, September 25, 2012
![Page 70: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/70.jpg)
Kitsune benchmarks: changes required
23
Tuesday, September 25, 2012
![Page 71: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/71.jpg)
Kitsune benchmarks: changes required
23
Tuesday, September 25, 2012
![Page 72: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/72.jpg)
Kitsune benchmarks: changes required
23
Tuesday, September 25, 2012
![Page 73: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/73.jpg)
Performance overhead
24
• 21 runs each, median, siqr reported
• Overall: -2.18% to 2.35% overhead (in the noise)• (No performance measurements for snort yet)
Tuesday, September 25, 2012
![Page 74: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/74.jpg)
Update times
25
• < 40ms in all cases but icecast■ Icecast includes 1s sleeps; icecast-nsp removes these
Program Med. (siqr) Min Max64-bit, 4×2.4Ghz E7450 (6 core), 24GB mem, RHEL 5.7
vsftpd →2.0.6 2.99ms (0.04ms) 2.62 3.09
memcached →1.2.4 2.50ms (0.05ms) 2.27 2.68
redis →2.0.4 39.70ms (0.98ms) 36.14 82.66
icecast →2.3.1 990.89ms (0.95ms) 451.73 992.71
icecast-nsp →2.3.1 187.89ms (1.77ms) 87.14 191.32
tor →0.2.1.30 11.81ms (0.12ms) 11.65 13.83
32-bit, 1×3.6Ghz Pentium D (2 core), 2GB mem, Ubuntu 10.10
vsftpd →2.0.3 2.62ms (0.03ms) 2.52 2.71
memcached →1.2.4 2.44ms (0.08ms) 2.27 3.12
redis →2.0.4 38.83ms (0.64ms) 37.69 41.80
icecast →2.3.1 885.39ms (7.47ms) 859.00 908.87
tor →0.2.1.30 10.43ms (0.46ms) 10.08 12.98
Table 3. Kitsune update times
download 7 music files, each roughly 2MB in size. For all
programs, we ran the client and server on the same machine.
Table 2 reports the results. We ran each benchmark 21
times and report the median time for the unmodified pro-
grams along with the semi-interquartile range (SIQR), and
the slowdowns for Kitsune and Ginseng (the median Kitsune
or Ginseng time compared to the median original time). The
top of the table gives results on a 24 core, 64-bit machine,
and the bottom gives results on a 2 core, 32-bit machine;
Ginseng only works in 32-bit mode.
From this data, we can see that Kitsune has essentially
no steady-state overhead: the performance differences range
from -2.18% to 1.79%, which is well within the noise on
modern environments [12]. In contrast, for two of the three
programs (vsftpd and memcached), the Ginseng overhead is
more significant. While we have not ourselves benchmarked
UpStare, the authors of that system report vsftpd overheads
of 4.9% and 7.4%, depending on the features enabled [10].
Tor. While we did not measure the overhead of Kitsune
on Tor directly, we did test it by running a Tor relay in
the wild. We dynamically updated this relay from version
0.2.1.18 to version 0.2.1.28 as it was carrying traffic for
Tor clients. We initiated several dynamic updates during
periods of load, when as many as four thousand connections
carrying up to 11Mb/s of traffic (up and down) were live. No
client connections were disrupted (which would have been
indicated by broken or renegotiated TLS sessions). Over the
course of this experiment, our relay carried 7TB of traffic.
Time required for an update. We also measured the
time it takes to deploy an update, i.e., the elapsed time from
when an update is signaled as available to when the update
has completed. Table 3 summarizes the results for the last
update in each streak, giving the median, SIQR, minimum,
and maximum update times. For each program, we picked a
suitable workload during which we did the update. For vs-
ftpd, we updated after an FTP client had connected to and
interacted with the server; for redis and Memcached, we
inserted 1K and 15K key-value pairs, respectively, prior to
update; and for icecast, we established one connection to a
Figure 4. State size vs. update time
music source and 10 clients receiving that stream prior to
updating. For Tor, we fully bootstrapped as a client, estab-
lishing multiple circuits through the network and communi-
cating with directory servers, and then applied the update.
For all programs except icecast, the update times are quite
small. For icecast, most of the nearly 1 second delay occurs
while the Kitsune runtime waits for each thread to reach an
update point. This time was lengthened by one-second sleeps
sprinkled throughout several of these threads. The line in
the table labeled icecast-nsp measures the update time when
these sleeps are removed, and shows the resulting time is
much shorter. Because the sleeps are there, we conjecture
icecast can tolerate the pause for updates; we did not observe
a noticeable stop in the streamed music during the update.
In recent work [8], we have developed techniques to support
faster update times, showing significant improvements for
icecast in particular. We plan to port these ideas to Kitsune
in the near future.
Recall from Section 3.2 that xfgen-generated transform-
ers may traverse significant portions of the heap, and thus
for some updates the update time may vary with the size of
the program state. Among our programs, the most likely to
exhibit this issue are redis and memcached, as they may ac-
cumulate significant state. Figure 4 graphs the update time
for these two programs versus the number of key-value pairs
stored. For redis, the update time grows linearly because we
traverse each of the data items on the heap, since some con-
tain pointers to global variables that must be redirected to
the new version’s data segment. On the other hand, mem-
cached’s update times remain relatively constant because it
stores its data in arrays that we treat opaquely, removing the
need to traverse each instance.
Examining redis more closely, we observed that the point-
ers that force us to traverse the heap in fact point to a small,
finite set of static locations. Thus, we created a modified
(42 LOC changed) version of redis, labeled redis-mod, that
stores integer indices into a table in place of those point-
ers. This obviates the need for a full heap traversal for all
Tuesday, September 25, 2012
![Page 75: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/75.jpg)
Key idea #1: Update points
26
Tuesday, September 25, 2012
![Page 76: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/76.jpg)
Key idea #1: Update points
• Competing approach: update anywhere■ (when code to be changed not running)
■ Used by Ksplice, K42 (OS), OPUS
26
Tuesday, September 25, 2012
![Page 77: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/77.jpg)
Key idea #1: Update points
• Competing approach: update anywhere■ (when code to be changed not running)
■ Used by Ksplice, K42 (OS), OPUS
• Benefits of update points■ Simplifies reasoning for programmers
- Particularly for multithreaded programs
■ May accelerate update times
- As opposed to waiting for updated code to become inactive
■ Simplifies updating mechanism
26
Tuesday, September 25, 2012
![Page 78: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/78.jpg)
Key idea #2: Whole program updates
27
Tuesday, September 25, 2012
![Page 79: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/79.jpg)
Key idea #2: Whole program updates
• Competing approach■ Program keeps running the current code, and subsequent
function calls to new versions
■ Used by Ginseng, POLUS, OPUS, Ksplice, K42
27
Tuesday, September 25, 2012
![Page 80: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/80.jpg)
Key idea #2: Whole program updates
• Competing approach■ Program keeps running the current code, and subsequent
function calls to new versions
■ Used by Ginseng, POLUS, OPUS, Ksplice, K42
• Benefits of whole-program updates:■ Can update active code (e.g., long-running loops) in an
arbitrary manner
- very important in practice
■ Explicit control migration simplifies reasoning, maintenance
■ More efficient implementation
- No need to insert levels of indirection, use trampolines, etc.
- No need to compile datastructures differently27
Tuesday, September 25, 2012
![Page 81: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/81.jpg)
Ongoing work
28
Tuesday, September 25, 2012
![Page 82: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/82.jpg)
Ongoing work
• Means to specify and verify the correctness of dynamic software updates [VSTTE’12]
■ Reuse specifications for each version individually
■ Explicate acceptable backward-incompatible behaviors
28
Tuesday, September 25, 2012
![Page 83: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/83.jpg)
Ongoing work
• Means to specify and verify the correctness of dynamic software updates [VSTTE’12]
■ Reuse specifications for each version individually
■ Explicate acceptable backward-incompatible behaviors
• Means to automatically generate state transformations from dynamic analysis [OOPSLA’12]
■ E.g., automatically correct leaks in running heap
28
Tuesday, September 25, 2012
![Page 84: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/84.jpg)
Ongoing work
• Means to specify and verify the correctness of dynamic software updates [VSTTE’12]
■ Reuse specifications for each version individually
■ Explicate acceptable backward-incompatible behaviors
• Means to automatically generate state transformations from dynamic analysis [OOPSLA’12]
■ E.g., automatically correct leaks in running heap
• Adapt Kitsune methodology to Java■ Contrast to our earlier VM-based approach [PLDI’09]
28
Tuesday, September 25, 2012
![Page 85: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/85.jpg)
Ongoing work
• Means to specify and verify the correctness of dynamic software updates [VSTTE’12]
■ Reuse specifications for each version individually
■ Explicate acceptable backward-incompatible behaviors
• Means to automatically generate state transformations from dynamic analysis [OOPSLA’12]
■ E.g., automatically correct leaks in running heap
• Adapt Kitsune methodology to Java■ Contrast to our earlier VM-based approach [PLDI’09]
• Implement lazy state transformation for Kitsune28
Tuesday, September 25, 2012
![Page 86: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/86.jpg)
DSU project team
• Former students / post-docs
■ Manuel Oriol, post-doc 2005-06, @University of York (UK) and ABB
■ Gareth Stoyle, Ph.D. (Cambridge) 2007, @UBS (UK)
■ Iulian Neamtiu, Ph.D. 2008, @UC Riverside
■ Suriya Subramanian, Ph.D. (UT Austin) 2011, @Intel
■ Stephen Magill, post-doc 2010-11, @IDA/CCS (Gov. lab)
■ Chris Hayden, Ph.D. 2012, @Washington Post Labs
• Current students
■ Karla Saur (3rd year), Ted Smith (undergrad), Luis Pina (3rd year, visiting)
• Profs/researchers
■ Kathryn McKinley, Prof @UT, MSR; Jeff Foster, Prof @Maryland;
■ Nate Foster, Prof @Cornell; Peter Sewell, Prof @Cambridge; Gavin Bierman, @MSR Cambridge
29
Tuesday, September 25, 2012
![Page 87: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/87.jpg)
Roadmap
• Dynamic software updating (DSU)■ Kitsune: Flexible and Efficient DSU for C programs
• Program analysis for security and reliability■ Knowledge-based security: quantitatively tracking
information
• Quick tour of some other work
30
Tuesday, September 25, 2012
![Page 88: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/88.jpg)
Program analysis to improve quality
• Software is ubiquitous, and critically important■ Yet it is often unreliable and insecure
• So: build tools to analyze software automatically■ Static analysis applied before running the program
- Examples: Type checkers/inferencers, tools like FindBugs
- Pros: Complete coverage (considers all runs), no run-time overhead
- Cons: problems are undecidable, so often false alarms
■ Dynamic analysis observes actual executions
- Pros: Very precise, no false alarms
- Cons: Less coverage, instrumentation adds run-time overhead, discovered problems hard to remediate in deployment
31
Tuesday, September 25, 2012
![Page 89: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/89.jpg)
Hybrid analysis: best of both worlds
• Dynamic analysis, optimized by static analysis■ Eliminate redundant checks; no false alarms
■ Ex: concurrency error checking [POPL’10], atomicity enforcement [TX’06]
• Dynamic analysis, proved correct statically■ Prove that necessary checks take place for all possible executions
■ Ex: Fable/SELinks for security checking [Oakland’08, SIGMOD’09]
• Static analysis, made more precise by dynamic analysis ■ Added contextual information reduces false alarms
■ Ex: Synthesis of DSU state transformers [OOPSLA’12], Knowledge-based security [CSF’11, PLAS’12], Rubydust [POPL’11, STOP’11]
32
Tuesday, September 25, 2012
![Page 90: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/90.jpg)
Hybrid analysis: best of both worlds
• Dynamic analysis, optimized by static analysis■ Eliminate redundant checks; no false alarms
■ Ex: concurrency error checking [POPL’10], atomicity enforcement [TX’06]
• Dynamic analysis, proved correct statically■ Prove that necessary checks take place for all possible executions
■ Ex: Fable/SELinks for security checking [Oakland’08, SIGMOD’09]
• Static analysis, made more precise by dynamic analysis ■ Added contextual information reduces false alarms
■ Ex: Synthesis of DSU state transformers [OOPSLA’12], Knowledge-based security [CSF’11, PLAS’12], Rubydust [POPL’11, STOP’11]
33
Tuesday, September 25, 2012
![Page 91: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/91.jpg)
No privacy: They have your data
Photography
34
your data
you
query/filter
page + ads
advertisers
This is the status quo
Tuesday, September 25, 2012
![Page 92: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/92.jpg)
Alternative: Maintain your own data
Photographyresponse
35
querier
you
query
Tuesday, September 25, 2012
![Page 93: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/93.jpg)
Alternative: Maintain your own data
Photographyresponse
35
querier
you
query
The question then becomes: Which queries should you answer
and which should you refuse?
Tuesday, September 25, 2012
![Page 94: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/94.jpg)
Query 1: Useful and non-revealing
Photography
out = 24 ≤ Age ≤ 30& Female?
& Engaged? *
true
36* real query used by a Facebook advertiser
querier
you
Tuesday, September 25, 2012
![Page 95: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/95.jpg)
Query 2: Reveals too much!
out = (gender,
zip-code, birth-date) *
reject
37* - gender, zip-code, birth-date can be used to uniquely identify 87% of Americans
Tuesday, September 25, 2012
![Page 96: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/96.jpg)
• Maintain a representation of the querier’s belief about secret’s possible values• Each query result revises the belief; reject if actual secret becomes too likely
• Cannot let rejection defeat our protection.
time
…
38
When to accept, when to reject
Tuesday, September 25, 2012
![Page 97: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/97.jpg)
• Maintain a representation of the querier’s belief about secret’s possible values• Each query result revises the belief; reject if actual secret becomes too likely
• Cannot let rejection defeat our protection.
time
…
38
When to accept, when to reject
Tuesday, September 25, 2012
![Page 98: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/98.jpg)
• Maintain a representation of the querier’s belief about secret’s possible values• Each query result revises the belief; reject if actual secret becomes too likely
• Cannot let rejection defeat our protection.
time
…
38
Belief ≜probabilitydistribution
When to accept, when to reject
Tuesday, September 25, 2012
![Page 99: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/99.jpg)
• Maintain a representation of the querier’s belief about secret’s possible values• Each query result revises the belief; reject if actual secret becomes too likely
• Cannot let rejection defeat our protection.
time
…
38
When to accept, when to reject
Tuesday, September 25, 2012
![Page 100: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/100.jpg)
• Maintain a representation of the querier’s belief about secret’s possible values• Each query result revises the belief; reject if actual secret becomes too likely
• Cannot let rejection defeat our protection.
time
Q1…
38
When to accept, when to reject
Tuesday, September 25, 2012
![Page 101: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/101.jpg)
• Maintain a representation of the querier’s belief about secret’s possible values• Each query result revises the belief; reject if actual secret becomes too likely
• Cannot let rejection defeat our protection.
time
Q1…
38
Bayesian reasoningto revise
belief
When to accept, when to reject
Tuesday, September 25, 2012
![Page 102: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/102.jpg)
• Maintain a representation of the querier’s belief about secret’s possible values• Each query result revises the belief; reject if actual secret becomes too likely
• Cannot let rejection defeat our protection.
time
Q1…
38
OK (answer)
When to accept, when to reject
Tuesday, September 25, 2012
![Page 103: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/103.jpg)
• Maintain a representation of the querier’s belief about secret’s possible values• Each query result revises the belief; reject if actual secret becomes too likely
• Cannot let rejection defeat our protection.
time
Q1…
38
OK (answer)
When to accept, when to reject
Tuesday, September 25, 2012
![Page 104: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/104.jpg)
• Maintain a representation of the querier’s belief about secret’s possible values• Each query result revises the belief; reject if actual secret becomes too likely
• Cannot let rejection defeat our protection.
time
Q1… Q2
38
OK (answer)
When to accept, when to reject
Tuesday, September 25, 2012
![Page 105: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/105.jpg)
• Maintain a representation of the querier’s belief about secret’s possible values• Each query result revises the belief; reject if actual secret becomes too likely
• Cannot let rejection defeat our protection.
time
Q1… Q2
Reject
38
OK (answer)
When to accept, when to reject
Tuesday, September 25, 2012
![Page 106: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/106.jpg)
• Maintain a representation of the querier’s belief about secret’s possible values• Each query result revises the belief; reject if actual secret becomes too likely
• Cannot let rejection defeat our protection.
time
Q1… Q2
Reject
38
OK (answer)
When to accept, when to reject
Tuesday, September 25, 2012
![Page 107: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/107.jpg)
• Maintain a representation of the querier’s belief about secret’s possible values• Each query result revises the belief; reject if actual secret becomes too likely
• Cannot let rejection defeat our protection.
time
Q1 Q3… Q2
Reject
38
OK (answer) OK (answer)
When to accept, when to reject
Tuesday, September 25, 2012
![Page 108: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/108.jpg)
• Maintain a representation of the querier’s belief about secret’s possible values• Each query result revises the belief; reject if actual secret becomes too likely
• Cannot let rejection defeat our protection.
time
Q1 Q3… …Q2
Reject
38
OK (answer) OK (answer)
When to accept, when to reject
Tuesday, September 25, 2012
![Page 109: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/109.jpg)
Meet Bob
= 0 ≤ bday ≤ 3641956 ≤ byear ≤ 1992
Bob (born September 24, 1980)bday = 267byear = 1980 Secret
bday
byear
1956
1992
0 364
39
Assumption: this is accurateeach equally likely
Tuesday, September 25, 2012
![Page 110: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/110.jpg)
bday-query1today := 260;if bday ≤ today && bday < (today + 7) then out := 1 else out := 0
|= (out = 0)
1956
1992
0 364259 267
40
1956
1992
0 364
Tuesday, September 25, 2012
![Page 111: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/111.jpg)
bday-query1today := 260;if bday ≤ today && bday < (today + 7) then out := 1 else out := 0
|= (out = 0)
1956
1992
0 364259 267
=
41
Problem Policy: Is this acceptable?
Tuesday, September 25, 2012
![Page 112: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/112.jpg)
Idea: policy as knowledge threshold
•Answer a query if, for querier’s revised belief, Pr[my secret] < t• Call t the knowledge threshold
•Choice of t depends on the risk of revelation
42
Tuesday, September 25, 2012
![Page 113: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/113.jpg)
Bob’s policies
= 0 ≤ bday ≤ 3641956 ≤ byear ≤ 1992
Bob (born September 24, 1980)bday = 267byear = 1980 Secret
PolicyPr[bday] < 0.2Pr[bday,byear] < 0.05
bday
byear
1956
1992
0 364
CurrentlyPr[bday] = 1/365Pr[bday,byear] = 1/(365*37)
Pr[bday = 267] …
43
each equally likely
Tuesday, September 25, 2012
![Page 114: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/114.jpg)
bday-query1today := 260;if bday ≤ today && bday < (today + 7) then out := 1 else out := 0
|= (out = 0)
1956
1992
0 364259 267
44
1956
1992
0 364
Back to the query ...
Tuesday, September 25, 2012
![Page 115: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/115.jpg)
bday-query1today := 260;if bday ≤ today && bday < (today + 7) then out := 1 else out := 0
|= (out = 0)
1956
1992
0 364259 267
PotentiallyPr[bday] = 1/358 < 0.2Pr[bday,byear] = 1/(358*37) < 0.05
=
45
Tuesday, September 25, 2012
![Page 116: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/116.jpg)
bday-query2today := 261;if bday ≤ today && bday < (today + 7) then out := 1 else out := 0
Next day …
1956
1992
0 364259 267
|= (out = 1)
46
1956
1992
0 267 So reject?Pr[bday] = 1
P
Tuesday, September 25, 2012
![Page 117: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/117.jpg)
1956
1992
0 267
if bday ≠ 267 if bday = 267
1956
1992
0 364259 268
Querier’s perspective
will get answer will get reject
Assume querier knows policy
47
Tuesday, September 25, 2012
![Page 118: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/118.jpg)
Rejection problem
| =reject
• Policy: Pr[bday = 267 | out = o] < t• Rejection, intended to protect secret, reveals secret!
48
Tuesday, September 25, 2012
![Page 119: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/119.jpg)
Rejection revised
• Policy: Pr[bday = 267 | out = o] < t
• Solution?• Decide policy independently of secret
• Revised policy
• for every possible output o,• for every possible bday b,
• Pr[bday = b | out = o] < t
• So the real bday in particular
49
Tuesday, September 25, 2012
![Page 120: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/120.jpg)
bday-query1today := 260;if bday ≤ today && bday < (today + 7) then out := 1 else out := 0
accept
50
initial belief
Tuesday, September 25, 2012
![Page 121: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/121.jpg)
bday-query2today := 261;if bday ≤ today && bday < (today + 7) then out := 1 else out := 0
reject
(regardless of what bday actually is)
51
(after bday-query1)
Tuesday, September 25, 2012
![Page 122: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/122.jpg)
bday-query3today := 266;if bday ≤ today && bday < (today + 7) then out := 1 else out := 0
52
(after bday-query1)
accept
This is acceptable since it is five days after the last accept, keeping the probability within t = 0.2; i.e., Pr[266 ≤ bday ≤ 270] = 1/5 if out =1, Pr[bday] = 1/353 otherwise
Tuesday, September 25, 2012
![Page 123: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/123.jpg)
Implementation
• Our query analysis in the style of abstract interpretation■ We developed a novel probabilistic polyhedral domain
■ Scales far better than monte carlo sampling
• Precisely analyzes a particular sequence of queries, rather than all possible sequences■ Far less conservative than considering all possible
sequences of queries
53
Tuesday, September 25, 2012
![Page 124: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/124.jpg)
Illustration of improved scalability
54
0 0.2 0.4 0.6 0.8
1
0 4 8 12 16m
ax b
elie
frunning time [s]
prob-scheme prob-poly-set
0 0.2 0.4 0.6 0.8
1
0 4 8 12 16 20 24 28 32 36
max
bel
ief
running time [s]
= 0 ! bday ! 364
1956 ! byear ! 1992
= 0 ! bday ! 364
1910 ! byear ! 2010
each equally likely
each equally likely
bday1 small
bday 1 large
Tuesday, September 25, 2012
![Page 125: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/125.jpg)
Illustration of improved scalability
54
0 0.2 0.4 0.6 0.8
1
0 4 8 12 16m
ax b
elie
frunning time [s]
prob-scheme prob-poly-set
0 0.2 0.4 0.6 0.8
1
0 4 8 12 16 20 24 28 32 36
max
bel
ief
running time [s]
= 0 ! bday ! 364
1956 ! byear ! 1992
= 0 ! bday ! 364
1910 ! byear ! 2010
each equally likely
each equally likely
bday1 small
bday 1 large
Our approachbest precisiontime indep. of state size
Tuesday, September 25, 2012
![Page 126: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/126.jpg)
Illustration of improved scalability
54
0 0.2 0.4 0.6 0.8
1
0 4 8 12 16m
ax b
elie
frunning time [s]
prob-scheme prob-poly-set
0 0.2 0.4 0.6 0.8
1
0 4 8 12 16 20 24 28 32 36
max
bel
ief
running time [s]
= 0 ! bday ! 364
1956 ! byear ! 1992
= 0 ! bday ! 364
1910 ! byear ! 2010
each equally likely
each equally likely
bday1 small
bday 1 large
Samplingsame precisionmuch slower OOM
Tuesday, September 25, 2012
![Page 127: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/127.jpg)
Related work
• Significant work on database-oriented privacy, e.g., differential privacy. Key differences:■ Trusts third party data provider to run safe aggregate
queries. We work with individual data directly
■ DP’s powerful adversary severely compromises utility, particularly for queries specific to individuals
■ Does not perform on-the-fly query analysis
• Also work on quantifying information flow■ Tracks “bits leaked” but not relevant policies
■ Considers all possible query streams; too conservative
55
Tuesday, September 25, 2012
![Page 128: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/128.jpg)
Current activities
• Application to secure multiparty computation [PLAS’12]
■ Two parties p1, p2 have secrets s1, s2 and compute compute f(s1,s2) = x, revealing only x to each
■ How much does x reveal about s1 and s2?
• Time-indexed data: protect predictive features■ Cooperative computations over coalition sensor
networks
■ Ensuring anonymity of location traces [CCS’12]
• General direction: Privacy as a right
56
Tuesday, September 25, 2012
![Page 129: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/129.jpg)
Collaborators (on analyses/tools)
• Former students / post-docs
■ Nikhil Swamy, Ph.D. 2008, @MSR Redmond
■ Polyvios Pratikakis, Ph.D. 2008, @FORTH Labs (Crete, Greece)
■ Avik Chaudhuri, post-doc 2009-10, @Adobe Research
■ Saurabh Srivastava, Ph.D. 2010, @Berkeley (CIFellow post-doc)
■ Martin Ma, Ph.D. 2011, @Amazon
■ Nataliya Guts, post-doc 2011-12, @Google
• Current students/post-docs
■ Khoo Yit Phang (7th year), Piotr Mardziel (4th year), Aseem Rastogi (4th year), Matt Hammer (post-doc)
• Profs/researchers
■ Jeff Foster (Maryland); Jonathan Katz (Maryland); Mudhakar Srivatsa (IBM T.J. Watson); Miguel Castro et al. (MSR Cambridge); Daan Leijen (MSR Redmond)
57
Tuesday, September 25, 2012
![Page 130: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/130.jpg)
Other research
• Systems/networking research■ Pavlos Papageorgiou (Ph.D,
2008), Passive-Aggressive Measurement with MGRP [SIGCOMM’09]
■ Justin McCann (Ph.D., 2012), Automating Performance Diagnosis in Networked Systems
• SCORE: Agile method for academic research [CACM’10]
58
Tuesday, September 25, 2012
![Page 131: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/131.jpg)
Maryland Cybersecurity Center (MC2)
• MC2 Director (since Oct 2011)
■ Two new CMSC faculty (Shi and Feamster)
■ Fifteen corporate partners (SAIC, NGC, Sourcefire, ...)
■ First MC2 Symposium, May 2011
■ Google Cybersecurity Seminars
■ ACES honors program, Prof. Masters, new courses
• Several new research initiatives underway■ Privacy as a right
■ Anti-censorship
59
MC2MarylandCybersecurityCenter
Tuesday, September 25, 2012
![Page 132: for Reliable, Available, and Secure Software · -and avoid delayed use of security-critical patches and upgrades • Two-pronged approach Formalize and prove key idea is correct Implement](https://reader034.vdocument.in/reader034/viewer/2022050303/5f6bca69724bfb6f2b093d57/html5/thumbnails/132.jpg)
Summary: Building better software
• Along with colleagues and students, I am working to understand how to construct software that is available, reliable, and secure; i.e., software that■ never crashes
■ adapts to changing circumstances and requirements
■ properly protects data
■ nevertheless provides useful and efficient services
60
• Programming languages, tools, and analyses, utilizing theory and implementation, are a powerful mechanism to this end
Tuesday, September 25, 2012