
Policy-Directed Code Safety

David Evans
evs@sds.lcs.mit.edu
http://naccio.lcs.mit.edu

April 1999

Software Devices and Systems
MIT Lab for Computer Science


What Are You Afraid Of?
• Malicious attackers
  – Melissa Word macro virus
• Questionable “trusted” programs
  – Win95 Registration Wizard
• Buggy programs
  – Therac-25
• User mistakes/bad interfaces
  – tar –cf *


LCLint [Evans, PLDI ‘96]
• Programmers add annotations to code
• Lightweight static checking detects inconsistencies (often bugs)
• Useful, but can’t provide code safety
  – Requires source code, expertise and effort
  – Too hard to prove most properties statically


Solution Space
• Detect bad programs
  – Malicious code detector (virus scanners)
  – Digital signatures
• Platform limits on what programs can do
  – Operating system, firewalls, Java sandbox
• Naccio: alter programs before running


My Work
• General method for defining policies
  – Abstract resources
  – Platform independent
• System architecture for enforcing policies
[Figure: Program + Safety Policy → Safe Program]


Naccio Architecture
[Figure: architecture]
  Run by policy author:
    Safety policy definition → Policy compiler → Policy description file + Policy-enforcing system library
  Run by sysadmin or user:
    Program + Policy description file → Application transformer → Version of program that:
      • Uses policy-enforcing system library
      • Satisfies low-level code safety
Platforms in development:
• JavaVM - program is collection of Java classes
• Win32 [Andrew Twyman] - Win32 executable


Related Work
• Software fault isolation [Wahbe et al, 93]
• Similar enforcement mechanisms
  – Execution monitoring [Schneider]
  – Ariel Project [Pandey, Hashii]
• Alternative: verify properties
  – Proof-carrying code [Necula, Lee]
  – Typed Assembly Language [Morrisett]


Outline
• System architecture
• Defining policies
• Enforcing policies
• Results
[Figure: Program + Safety Policy → Safe Program]


Example Safety Policies
• Access constraints
  – JDK policies
• Resource use limits
  – Limit number of bytes that can be written
• Application-specific policies
  – TarCustom policy
• Behavior-modifying policies
  – Soft bandwidth limit


Describing Policies

Internet Explorer 5.0 [figure]

HotJava SecurityManager:

    public class AppletSecurity extends SecurityManager {
        public synchronized void checkRead(String file, URL base) {
            if (base != null) {
                if (!initACL) { initializeACLs(); }
                if (readACL == null) { return; }
                String realPath = null;
                try {
                    realPath = (new File(file)).getCanonicalPath();
                } catch (IOException e) {
                    throw new AppletSecurityException
                        ("checkread.exception1", e.getMessage(), file);
                }
                …
            }
        }
    }

Want something:
• More expressive
• Easier to produce, understand and reason about


Problem
[Figure: the same write seen from two sides]
  Policy Author’s View: Policy → Resources (Files)
  System View: Program → System Library → java.io.FileOutputStream.write (a) → Disk
  The Platform Interface is the bridge between the two views.


Safety Policy Definition

• Resource descriptions: abstract operational descriptions of resources (files, network, …)

• Platform interface: mapping between system API and abstract resources

• Resource use policy: constraints on manipulating those resources


Resource Description

    global resource RFileSystem
      openRead (file: RFile)
        // Called before file is opened for reading
      openCreate (file: RFile)
        // Called before new file is created and opened for writing
      openWrite (file: RFile)
        // Called before existing file is opened for writing
      write (file: RFile, nbytes: int)
        // Called before nbytes are written to file
      preRead (file: RFile, nbytes: int)
        // Called before up to nbytes are read from file
      postRead (file: RFile, nbytes: int)
        // Called after nbytes were read from file
      … // other operations for observing properties of files, deleting, etc.

    resource RFile
      RFile (pathname: String)
        // Constructs object corresponding to pathname


Platform Interface
• The ugly part - mapping from platform system calls to resource operations
• For every system procedure either:
  – Describe its effects on resources, or
  – Pass through checking to procedures it calls.
• Platform determines procedures PFI must describe
• May describe additional methods to:
  – Improve performance and clarity
  – Treat system code differently (risky)


Java PFI Excerpt

    wrapper java.io.FileOutputStream
      requires RFileMap;
      state RFile rfile;

      wrapper void write (byte b[])
        if (rfile != null) RFileSystem.write (rfile, b.length);
        %%%  // original method call

      … // wrappers needed for constructors, other write
        // methods, close and getFD


Resource Use Policy

    policy LimitWrite
      NoOverwrite, LimitBytesWritten (1000000)

    property NoOverwrite
      check RFileSystem.openWrite (file: RFile)
        violation (“Attempt to overwrite file.”);

• Policy is collection of properties
• Properties attach checking code to resource operations


LimitBytesWritten Property

    stateblock TrackBytesWritten
      addfield RFileSystem.bytes_written: int = 0;
      precode RFileSystem.write (file: RFile, nbytes: int)
        bytes_written += nbytes;

    property LimitBytesWritten (n: int)
      requires TrackBytesWritten;
      check RFileSystem.write (file: RFile, nbytes: int)
        if (bytes_written > n)
          violation (“Attempt to write more than ” + n + “ bytes …”);


Enforceable Policies
• Can enforce any policy that can be defined
• What can be defined depends on resource operations
• Resource operations depend on platform interface
  – Any manipulation done through API calls
• Cannot write policies that constrain memory and CPU usage
  – Solutions possible: insert calls


Outline
• System architecture
• Defining policies
• Enforcing policies
• Results
[Figure: Program + Safety Policy → Safe Program]


Policy Compiler
[Figure: policy compiler data flow]
  Safety policy definition:
    Resource descriptions → Platform independent analyses
    Resource use policy → Platform independent analyses
    Platform interface (describes Java API) → Platform dependent analyses and code generation
    System library (Java API classes, e.g., java.io.FileOutputStream) → Platform dependent analyses and code generation
  Outputs:
    Policy description file
    Policy-enforcing system library
    • Implementations of resource operations
      – Perform checking described by resource use policy
    • Rewritten Java API classes
      – Call abstract resource operations as directed by platform interface wrappers


Implementing Resources
[Figure: the policy compiler takes the resource descriptions (RFileSystem, RFile) and the resource use policy and produces resource implementations]

Resource use policy:

    policy LimitWrite
      NoOverwrite, LimitBytesWritten (1000000)

    stateblock TrackBytesWritten
      addfield RFileSystem.bytes_written: int;
      precode RFileSystem.write (file: RFile, nbytes: int)
        bytes_written += nbytes;

    property LimitBytesWritten (n: int)
      check RFileSystem.write (file: RFile, nbytes: int)
        if (bytes_written > n) violation (“Attempt …);

Resource implementation generated by the policy compiler:

    package naccio.p253.resource;

    class RFileSystem {
      static int bytes_written = 0;
      static void write (RFile file, int nbytes) {
        bytes_written += nbytes;
        if (bytes_written > 1000000)
          Check.violation (“LimitWrite”, “Attempt to write …);
      }
      …
    }


Rewriting Classes
[Figure: the policy compiler takes the system library classes and the platform interface and produces wrapped library classes]

System library class:

    class FileOutputStream {
      …
      public void write (byte b[]) {
        writeBytes (b, 0, b.length);
      }
    }

Platform interface:

    wrapper java.io.FileOutputStream
      state RFile rfile;
      wrapper void write (byte b[])
        if (rfile != null) RFileSystem.write (rfile, b.length);
        %%% // original method call

Wrapped library class:

    class FileOutputStream {
      naccio.p253.resource.RFile rfile;
      …
      // orig_write – same implementation as old write method
      void write (byte b[]) {
        if (rfile != null)
          naccio.p253.resource.RFileSystem.write (rfile, b.length);
        orig_write (b);
      }
    }
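The LimitWrite policy of the Resource Use Policy, LimitBytesWritten Property, Implementing Resources and Rewriting Classes slides, carried through to a runnable model of what the policy compiler emits: the resource implementation with its stateblock field and property checks, and the wrapped FileOutputStream that calls it before the original write. This is an added Python illustration, not Naccio's generated Java; the in-memory file contents, the `existing` set standing in for the disk, and the mapping of the stream constructor onto openCreate/openWrite are assumptions.

```python
class PolicyViolation(Exception):
    """Raised by violation(): the resource operation aborts before the real I/O."""

class RFile:                                  # resource RFile (pathname: String)
    def __init__(self, pathname): self.pathname = pathname

class RFileSystem:
    """Global resource RFileSystem as the policy compiler would implement it for
    policy LimitWrite = NoOverwrite, LimitBytesWritten (1000000)."""
    bytes_written = 0                         # addfield from stateblock TrackBytesWritten
    LIMIT = 1000000                           # the n bound by LimitBytesWritten (n: int)
    existing = set()                          # constructed stand-in for the real disk
    @classmethod
    def openCreate(cls, file):                # no property attaches a check here
        cls.existing.add(file.pathname)
    @classmethod
    def openWrite(cls, file):                 # property NoOverwrite: unconditional
        raise PolicyViolation("NoOverwrite: Attempt to overwrite file.")
    @classmethod
    def write(cls, file, nbytes):
        cls.bytes_written += nbytes           # precode runs first, so the check
        if cls.bytes_written > cls.LIMIT:     # below sees the new running total
            raise PolicyViolation(
                f"LimitWrite: Attempt to write more than {cls.LIMIT} bytes")

class FileOutputStream:
    """Wrapped library class. Assumed PFI mapping (not on the slides): the
    constructor calls openWrite for an existing path and openCreate otherwise."""
    def __init__(self, path):
        self.rfile = RFile(path)
        (RFileSystem.openWrite if path in RFileSystem.existing
         else RFileSystem.openCreate)(self.rfile)
        self.data = bytearray()               # constructed in-memory file contents
    def orig_write(self, b):                  # same implementation as the old write
        self.data += b
    def write(self, b):                       # wrapper: resource check, then %%%
        if self.rfile is not None:
            RFileSystem.write(self.rfile, len(b))
        self.orig_write(b)

def run_scenario():
    """Drive the wrapped library through the policy; returns (violations, bytes stored)."""
    RFileSystem.bytes_written, RFileSystem.existing = 0, set()
    violations = []
    fa, fb = FileOutputStream("a.txt"), FileOutputStream("b.txt")
    fa.write(b"x" * 600000)                   # running total 600 000: allowed
    fb.write(b"y" * 400000)                   # exactly 1 000 000: allowed, check is '>'
    for action in (lambda: fb.write(b"z"),    # 1 000 001: LimitBytesWritten fires
                   lambda: FileOutputStream("a.txt")):   # exists: NoOverwrite fires
        try:
            action()
        except PolicyViolation as e:
            violations.append(str(e))
    return violations, len(fa.data) + len(fb.data)
```

Because the counter is global to RFileSystem, the limit is on all bytes the program writes, not per file, and the write that crosses it is rejected before orig_write runs.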


Optimizations
• Only implement resource operation if it:
  – May produce a violation
  – Modifies state used elsewhere
• Only wrap library method if it:
  – Calls implemented resource operation
  – Modifies state used meaningfully
  – Alters behavior
• Simple dataflow dependency analysis
• Not done yet: inline methods and state to remove resource overhead


Application Transformer
[Figure: Program (collection of Java classes) + Policy description file → Platform independent transformations → Platform dependent transformations → transformed program]
Version of program that:
1. Uses policy-enforcing library
   • Set CLASSPATH (or rename classes)
2. Satisfies low-level code safety
   • Run byte code verifier
   • Protect dynamic class loading, reflection


What’s different for Win32?
• Program is Win32 executable and DLLs
• Platform interface describes Win32 API
• Policy compiler
  – Generate DLLs instead of Java classes
• Application transformer
  – Replace DLL names in import table
  – Low-level code safety is platform-specific
    • SFI for jumps, PFI wrappers to protect memory
    • Scan for kernel traps
• Policies can be reused


Outline
• System architecture
• Defining policies
• Enforcing policies
• Results - JavaVM
  – Preparation costs
  – Execution performance
[Figure: Program + Safety Policy → Safe Program]


Preparation Costs
• Policy generation
  – Time to generate policy: 1-10 minutes
  – Cost of storing policy
    • Average case: ~250 KB
• Application transformation
  – Basically free
    • Integrate into byte code verifier
    • Simple string replacements in constant pool
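The class-renaming route of the application transformer (“Set CLASSPATH (or rename classes)” on the Application Transformer slide, “Simple string replacements in constant pool” above), as an added Python illustration that is not Naccio's transformer: it walks a class file's constant pool, rewrites every Utf8 entry that names the original library class so that class references and descriptors point at the wrapped class, and copies the rest of the file unchanged. The wrapped class name naccio/wrapped/... and the constructed class bytes are assumptions.

```python
import struct
# Payload size after the tag byte of each fixed-size constant pool entry; CONSTANT_Utf8
# (tag 1) is variable-length and Long/Double (5, 6) take two pool slots.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def pool_entries(data):
    """Walk the constant pool: returns ([(tag, start, end), ...], end_of_pool)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    entries, pos, idx = [], 10, 1
    while idx < count:
        tag = data[pos]
        if tag == 1:
            size = 3 + struct.unpack(">H", data[pos + 1:pos + 3])[0]
        elif tag in FIXED:
            size = 1 + FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos}")
        entries.append((tag, pos, pos + size))
        pos += size
        idx += 2 if tag in (5, 6) else 1
    return entries, pos

def utf8_strings(data):                      # all CONSTANT_Utf8 values in pool order
    return [data[s + 3:e].decode() for t, s, e in pool_entries(data)[0] if t == 1]

def rewrite_constant_pool(data, renames):
    """Copy of the class file with each internal class name in `renames` replaced in
    every Utf8 entry (class refs and descriptors like 'Lold;' alike). Only the Utf8
    lengths change, so everything after the pool is copied verbatim."""
    entries, end = pool_entries(data)
    out = bytearray(data[:10])
    for tag, start, stop in entries:
        chunk = data[start:stop]
        if tag == 1:
            s = chunk[3:]
            for old, new in renames.items():
                s = s.replace(old.encode(), new.encode())
            chunk = b"\x01" + struct.pack(">H", len(s)) + s
        out += chunk
    return bytes(out + data[end:])

def utf8(s):
    return b"\x01" + struct.pack(">H", len(s)) + s.encode()

def constructed_class(name):
    """Constructed header + pool referencing `name` the way javac would, then an
    opaque tail standing in for the rest of the file; not a loadable class."""
    pool = [b"\x07\x00\x02", utf8(name),              # 1 Class -> #2, 2 Utf8 name
            b"\x0a\x00\x01\x00\x04",                    # 3 Methodref #1.#4
            b"\x0c\x00\x05\x00\x06",                    # 4 NameAndType #5:#6
            utf8("write"), utf8("([B)V"),               # 5, 6 name and descriptor
            b"\x05" + struct.pack(">q", 1000000),       # 7 Long, also fills slot 8
            utf8("L" + name + ";")]                     # 9 field descriptor
    return (b"\xca\xfe\xba\xbe\x00\x00\x00\x2e" + struct.pack(">H", 10)
            + b"".join(pool) + b"\x00\x21\x00\x01<rest of class file>")
```

A dotted class name held in a string literal and passed to Class.forName is not touched by this rewrite, which is why the Application Transformer slide lists dynamic class loading and reflection as separately protected.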


Performance
[Chart: normalized run time (axis 0–7) for the FileExists, Tar and Socket benchmarks; series: JDK-Null, Naccio-Null, JDK-JavaApplet, Naccio-JavaApplet, Naccio-JavaApplet Optimized; one bar labelled 10.5 exceeds the axis]


Policy Performance
[Chart: normalized run time (axis 0.9–1.5) for the FileExists, Tar and Socket benchmarks; series: Null, LimitWrite, TarCustom, LimitWrite-Optimized, TarCustom-Optimized]


Contributions
• Method for defining safety policies
  – In terms of abstract resources
  – Policies may be reused on different platforms
• General architecture for code safety
  – Prototypes for Win32 and JavaVM
• Encouraging results for JavaVM
  – Minimal preparation costs
  – Enforces policies more efficiently than JDK


Future Work
• What’s left to do
  – Implementing inlining optimizations
  – Validating/synthesizing platform interface
  – Multiple threads
  – Deployment, user interface, policy authoring tools
• Applications of Naccio’s mechanisms
  – Performance, debugging, behavior modification
• Can we protect vendors as well?
  – Restrict what modifications can be done
  – Trust external components
  – Use a policy to protect copyright, distribution, etc.


Conclusion
• Supporting large class of precise safety policies important
• Naccio provides good way to define and enforce policies
• Close to being practical

http://naccio.lcs.mit.edu

Paper to appear in IEEE Security and Privacy, Oakland, May 1999.
