Secure Programming via Visibly Pushdown Safety Games
DESCRIPTION
Secure Programming via Visibly Pushdown Safety Games. Bill Harris, Somesh Jha, and Thomas Reps. Computer Aided Verification, 13 July 2012. One-slide Summary. Motivation: privilege-aware OS's enable secure applications. Problem: privilege-aware OS's are hard to program for.
TRANSCRIPT
1
Secure Programming via Visibly Pushdown Safety Games
Bill Harris, Somesh Jha, and Thomas Reps
Computer Aided Verification, 13 July 2012
2
One-slide Summary
1. Motivation: privilege-aware OS’s enable secure applications
2. Problem: privilege-aware OS's are hard to program for
3. Solution: reduce programming for a privilege-aware OS to solving a safety game
3
Important Programs are Still Insecure
Vulnerabilities in:
• Security-critical, network-facing programs
– tcpdump (CVE-2007-3798)
– fetchmail (CVE-2010-0562)
– wget (CVE-2005-3185)
• Core utilities
– bzip2 (CVE-2010-0405)
– gzip (CVE-2010-0001)
– tar (CVE-2007-4476)
4
Traditional Program Security
Program is analyzed passively to ensure that it behaves securely.
5
Privilege-Aware OS’s
• OS maintains a privilege for each process
• Program actively manages its privilege by invoking security system calls (primitives)
6
Example Privilege-Aware OS’s
• Information-flow control
– Asbestos [SOSP 2005]
– HiStar [OSDI 2006]
– Flume [SOSP 2007]
• Tagged memory: Wedge [NSDI 2008]
• Capabilities: Capsicum [USENIX Sec. 2010]
7
Running example: gzip
gzip() {
  files = parse_cl;
  for (f in files)
    (in, out) = open;
    compr(in, out);
}
compr(in, out) {
  body;
}
[Diagram: body connected to public_leak.com]
8
An Informal Policy for gzip
When gzip executes body, it should only be able to read from in and write to out.
9
Capsicum: A Privilege-Aware OS
• Two levels of privilege:
– High Capability (can open files)
– Low Capability (cannot open files)
• Rules describing privilege:
1. Process initially executes with the capability of its parent
2. Process can invoke the drop system call to take Low Capability
10
Securing gzip on Capsicum
gzip() {
  files = parse_cl;
  for (f in files)
    (in, out) = open;
    compr(in, out);
}
compr(in, out) {
  drop();
  body;
}
[Diagram: gzip labeled High Cap.; compr after drop() labeled Low Cap.; public_leak.com]
11
Securing gzip on Capsicum
[Animation of the code above: gzip starts at High Cap. and every step up to the drop() in compr is labeled High Cap.; after drop() the process is at Low Cap.]
12
Securing gzip on Capsicum
[Animation continued: the process is still at Low Cap. when control returns to the loop in gzip, which is labeled High Cap.]
13
Securing gzip on Capsicum
[Animation continued: the call compr(in, out) is replaced by fork_compr(in, out); gzip stays at High Cap. while the forked compr drops to Low Cap.]
14
Securing gzip on Capsicum
[Animation continued: final version with fork_compr(in, out); gzip at High Cap., compr at Low Cap.; labeled Capsicum]
15
[Diagram: a Program (from the programmer) and a Policy (from the policy writer) go into the Capsicum Policy Weaver, which outputs a Capsicum Program. The Weaver Generator (from us) takes the Capsicum OS (from the Capsicum developer) and produces the Capsicum Policy Weaver.]
16
[Diagram: the same picture for an arbitrary OS: Program (programmer) and Policy (policy writer) go into the OS Policy Weaver, which outputs an OS Program; the Weaver Generator (us) takes the OS (OS developer) and produces the OS Policy Weaver.]
Paper Contributions
1. Designed an automata-theoretic weaver generator
2. Implemented an efficient weaver generator via a scaffold-based safety-game solver
3. Experimentally evaluated practical feasibility
[Diagram: the Weaver Generator box is highlighted]
18
[Architecture diagram from slide 16 repeated: Program, Policy, OS, OS Policy Weaver, Weaver Generator, OS Program, with the programmer, policy writer, OS developer and us]
19
Program: Prog Acts
[Diagram: the program as an automaton whose edges are labeled with program actions: parse_cl, open, loop, call compr, body, ret compr, exit. Provided by the programmer.]
20
[Architecture diagram from slide 16 repeated]
21
Policy: Prog Acts × Privs
Privs = { High Cap, Low Cap }
[Diagram: the policy as an automaton over pairs of a program action and a privilege: a self-loop on * (any pair) and edges on the two pairs the policy rules out, (open, LowCap) and (body, HighCap). Provided by the policy writer.]
22
[Architecture diagram from slide 16 repeated]
23
OS: Prog Acts Prims Privs
Prims = { drop, fork, join }
[Diagram: the OS as an automaton with states AllowHigh and AllowLow; in AllowHigh, open executes with HighCap (self-loop labeled open / HighCap). Provided by the OS developer.]
24
OS: Prog Acts Prims Privs
[Diagram continued: the primitive drop moves the automaton from AllowHigh to AllowLow.]
25
OS: Prog Acts Prims Privs
[Diagram continued: in AllowLow, open executes with LowCap (self-loop labeled open / LowCap).]
26
[Architecture diagram from slide 16 repeated]
27
OS Program
Instr: Prog Acts Prims
[Diagram: the instrumented program; each program action is paired with the primitive inserted at it:]
– parse_cl / noop
– open / fork
– loop / noop
– call compr / drop
– body / noop
– ret compr / join
28
[Architecture diagram from slide 16 repeated]
29
Safety Games: A Quick Refresher
30
[Diagram: a small safety game with states a, b, c, d, e, f and moves labeled x, y, z]
31
Weaving as a Game
Policy Weaving Safety Game:
• Program actions: Attacker actions
• OS primitives: Defender actions
• Correct instrumentation: Winning Defender strategy
32
[Diagram: the policy-weaving game for gzip drawn beside the refresher game from slide 30. Attacker moves are program actions (parse_cl, open, loop, call compr, body, ret compr); defender replies are OS primitives (noop, drop, fork, join).]
33
[Diagram repeated: the game graph for gzip]
34
[Diagram repeated: the game graph for gzip]
35
[Diagram: the winning defender strategy read off the game graph as an instrumentation, each program action (parse_cl, open, loop, call compr, body, ret compr) paired with a primitive (noop, drop, fork, join)]
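As an added example (not code from the paper or its implementation), the toy below plays the weaving game of slides 27 and 31-35 for the gzip sketch: the program automaton is the attacker, OS primitives are the defender's moves, and a greatest-fixpoint solver returns the winning strategy as an instrumentation. The OS model is an assumption (a bounded privilege stack where fork pushes a child copy and join pops it); it is finite-state rather than visibly pushdown, so the instrumentation it finds can differ from slide 27's while still satisfying the policy.

```python
"""Toy policy-weaving safety game for the slides' gzip/Capsicum example.
Assumed OS model: a process's privilege is the top of a bounded stack;
fork pushes a child copy, join pops back to the parent, drop lowers it."""
from itertools import product

HIGH, LOW = "HighCap", "LowCap"
# Program automaton over Prog Acts, constructed from the slides' gzip sketch.
PROGRAM = {("init", "parse_cl"): "loop_head", ("loop_head", "loop"): "iter",
           ("loop_head", "exit"): "done", ("iter", "open"): "opened",
           ("opened", "call compr"): "in_compr", ("in_compr", "body"): "after_body",
           ("after_body", "ret compr"): "loop_head"}
FORBIDDEN = {("open", LOW), ("body", HIGH)}  # policy: pairs that must never occur
PRIMS = ("noop", "drop", "fork", "join")      # defender moves, noop tried first

def apply_prim(stack, prim):
    """OS transition: the new privilege stack, or None if prim is unavailable."""
    if prim == "noop": return stack
    if prim == "drop": return stack[:-1] + (LOW,)
    if prim == "fork" and len(stack) < 2: return stack + (stack[-1],)
    if prim == "join" and len(stack) > 1: return stack[:-1]
    return None

def safe_moves(state, act, target, prims, safe):
    """Defender primitives that answer attacker action `act` from `state`
    without hitting a forbidden pair and while staying inside `safe`."""
    for pr in prims:
        ns = apply_prim(state[1], pr)
        if ns is not None and (act, ns[-1]) not in FORBIDDEN and (target, ns) in safe:
            yield pr

def solve(program=PROGRAM, prims=PRIMS):
    """Greatest-fixpoint safety-game solver.  Returns the winning defender
    strategy {(prog_state, stack, action): primitive}, i.e. the instrumentation,
    or None if the program (attacker) can force a policy violation."""
    stacks = [s for n in (1, 2) for s in product((HIGH, LOW), repeat=n)]
    safe = set(product({p for p, _ in program} | set(program.values()), stacks))
    changed = True
    while changed:  # remove states where some attacker action has no safe reply
        changed = False
        for st in list(safe):
            if any(q == st[0] and not any(safe_moves(st, a, t, prims, safe))
                   for (q, a), t in program.items()):
                safe.discard(st)
                changed = True
    if ("init", (HIGH,)) not in safe:
        return None
    return {(p, s, a): next(safe_moves((p, s), a, t, prims, safe))
            for (p, s) in safe for (q, a), t in program.items() if q == p}
```

Calling solve(prims=("noop", "drop")) returns None: without fork the process cannot get back to High Cap. for the next open, which is the failure the animation on slides 11-13 shows.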
36
The Importance of VPA’s
• Accurately approximate the set of program paths
• Accurately model the relationship between OS primitives and privileges
• Modular strategies for modular instrumentations
37
Paper Contributions
1. Designed an automata-theoretic weaver generator
2. Implemented an efficient weaver generator via a scaffold-based game solver
3. Experimentally evaluated practical feasibility
38
Experiment Highlights
• Instantiated the weaver generator to a policy weaver for Capsicum
• Applied the Capsicum policy weaver to six UNIX utilities from 8 to 108 kLoC
• Found strategies in 0:05 to 2:00
39
Summary
1. Motivation: privilege-aware OS’s enable secure applications
2. Problem: privilege-aware OS's are hard to program for
3. Solution: reduce programming for a privilege-aware OS to solving a safety game
40
Questions?
41
[Architecture diagram from slide 16 repeated]
42
Extra Slides
43
Secure Programming via Visibly Pushdown Safety Games
Bill Harris, Somesh Jha, and Thomas Reps
Computer Aided Verification 2012, 13 July
44
[Diagram: the program automaton for gzip from its init state, with edges labeled parse_cl, fork compr, drop, body, ret compr, open, noop, loop]