Static analysis for security

Luis SierraNovember, 2007

Stic AmSud - ReSeCo WorkshopMontevideo, Uruguay

Plan

• Some motivation

• Static analysis

• PySTA: Python Static Analyzer

• Permission usage analysis

• Conclusions and further work

Motivation

• To understand and have experience of the permissions model of Besson, Dufay, and Jensen

• Looking for a quick prototype

• Moreover, I did not know Python

Static analysis: example

• Take a program S

• Take a property P

• Check if P holds in every possible execution of S– Checking at compile time– Approximate answers

[x := 2]1;[y := 4]2;[x := 1]3;[read (z)]4;if [z > x]5

then [z := y]6

else [z := x]7

Every assignment is useful

• Check if P holds in every possible execution of S– Checking at compile time

Static analysis: example

[x := 2]1;[y := 4]2;[x := 1]3;[read (z)]4;if [z > x]5

then [z := y]6

else [z := x]7

Every assignment is useful

•1 : set([])•2 : set(['y'])•3 : ...

Pysta

• Take a program S

• Take a property P

• If Om does not terminate, we should delete assignment 2. Our analysis solves the halting problem !!!– Checking at compile time– Approximate answers

Static analysis: example

[x := 2]1;[y := 4]2;[x := 1]3;[read (z)]4;if [z > x]5

then Om; [z := y]6

else [z := x]7

Every assignment is useful

• The analyzer navigates in the control flow graph, collecting relevant information.

• This process must terminate

Working list

• The analyzer navigates in the CFG with an iterator

• We exploit Python flexibility defining – an implementation with sets– and an implementation with lists

Working list

class workingList (object): def iter (self): pass def add (self, c): pass

def MFP (a): W = WLmap [WLoption] (a.flow) for (l1, l2) in W.iter (): ... W.add ([(s,t) for (s,t) in ...]) ...

Fix-point computationdef MFP (a): W = WLmap [WLoption] (a.flow) for (l1, l2) in W.iter (): fl = a.transfer (l1) if (not a.latt.leq (fl, a.a [l2])): a.a [l2] = a.latt.join (a.a [l2], fl) W.add ([(s,t) for (s,t) in a.flow if s==l2]) a.dump ()

A static analysis

def analyze (file, analysisType): s = open (file + '.xml').read() p = parseString (s).documentElement a = analysisType (p) MFP (a)

• The analysis is declared in the main program

Some implementations

• As well as with working lists, we implemented several static analysis– Live variables– Constraint propagation– Available expressions– Permission usage

A class for analysis

class MF (object): def __init__ (self, pgm, an): ... def defLattice (self): pass def defextremalValue (self): pass def transfer (self, l, s): pass def initialAnalysis (self): self.a = {} for l in self.Lab: self.a [l] = self.extremalValue \ if l in self.extremalLabel\ else self.latt.bottom () ...

Live Variables Analysis

class Analysis (MF): def __init__ (self, pgm): MF.__init__ (self, pgm, 'BW') def defLattice (self): self.latt = SetVarLat () def defextremalValue (self): self.extremalValue = SetVar ([]) def transfer (self, l): ... def kill (self, l): return SetVar (eval (getKill (self.Blocks[l]))) def gen (self, l): return SetVar (eval (getGen (self.Blocks[l])))

Lattices

• The information collected in a static analysis is good enough to provide– an operation of least upper bound (latt.join)– a comparison (latt.leq)

• We are not interested in proving that a structure is a lattice, but in implementing quickly the relevant operations

A lattice

class lattice (object): def U (self): """Support set of the lattice. Meaningful if the

support set is finite.""" pass def join (self, a, b): """Join operation: returns a new object with

value in the lattice.""" pass def leq (self, a, b): """Less or equal relation: returns True or

False.""" pass def bottom (self): """Bottom: returns a new object """ pass

A library of lattices

class semilattice (object): ...

## a cartesian product using tuplesclass cartesianProduct (lattice): ...

## a function spaceclass functionspace (lattice): ...

## a function using a dictionaryclass genFunction (object): ...

class newbottom (lattice): ...

class powerset (lattice): ...

class dual (lattice):

Multiplicities and permissions

1

0

Permissions lattice

Permissions analysis

class Analysis (MF): ... def defLattice (self): self.latt = Perm (self.Resources,

self.Action, self.ResType) def defextremalValue (self): self.extremalValue = self.latt.bottom () def transfer (self, l): ...

class Perm (functionspace): ...

Permissions analysis

class Res (powerset): ...

class Act (powerset): ...

class PermRT (newbottom): ...

class Mult (lattice): ...

class PermMult (cartesianProduct): ...

class RTfunc (oneFunction): ...

class Perm (functionspace): ...

A program

grant (http ('*'), read, inf)grant (https ('site'), read, 1)grant (file ('walletId'), read, 1)while ...: while ...: consume (http ('site'), read) if ...: consume (http ('*'), read) else: breakconsume (file ('walletId'), read)if ...: consume (http ('site'), read)else: grant (file ('walletVisa'), read, 1) consume (file ('walletVisa'), read) consume (https ('site'), read)

PySTA

pgmtoxmlAE, LV, PU, CP

.pgm

.xml

analyze dumpAE, LV, PU, CP

grant (http ('*'), read, inf)grant (https ('site'), read, 1)grant (file ('walletId'), read, 1)while True: while True: consume (http ('site'), read) if True: consume (http ('*'), read) else: breakconsume (file ('walletId'), read)if True: consume (http ('site'), read)else: grant (file ('walletVisa'), read, 1) consume (file ('walletVisa'), read) consume (https ('site'), read)

<?xml version="1.0" ?><pgm> <meta Actions="set(['read'])" Label="15" ResType="set(['http', 'file', 'https'])" Resources="set(['walletId', 'walletVisa', 'site'])"/> <main> <command gen="http * read inf" kill="" label="1"/> <command gen="https site read 1" kill="" label="2"/> <command gen="file walletId read 1" kill="" label="3"/> <loop breaks="[9]" label="4"> <loop breaks="[]" label="5"> </branch> </main></pgm>

1 P12 P23 P34 ERROR5 P4

Conclusions and further work

• Python is a good tool for fast and modular programming

• Compare the classes of PySTA with the Coq viewpoint

• Program interesting examples• Modify the permissions model using ad hoc

constructs• Program new analyses

Bibliography

• A Formal Model of Access Control for Mobile Interactive Devices. Frédéric Besson, Guillaume Dufay, and Thomas Jensen