150 likes | 273 Views
ActionScript In-lined Reference Monitoring in Prolog. Meera Sridhar and Kevin W. Hamlen The University of Texas at Dallas January 18, 2010 Supported by a grant from AFOSR PADL 2010 Madrid, Spain. Reference Monitors. Examples: file system permissions memory safety Disadvantages:
E N D
ActionScript In-lined Reference Monitoring in Prolog Meera Sridhar and Kevin W. Hamlen The University of Texas at Dallas January 18, 2010 Supported by a grant from AFOSR PADL 2010 Madrid, Spain
Reference Monitors • Examples: • file system permissions • memory safety • Disadvantages: • changing the policy requires changing the OS/VM • difficult to enforce finer-grained policies such as • “No modifications to files ending in .exe” OS/VM Reference Monitor grant/deny event untrusted code Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
In-lined Reference Monitors [Schneider] • enforce safety policies by injecting runtime security guards directly into untrusted binaries • guards test whether the impending operation constitutes a policy violation, and if so some corrective action is taken • maintain history of security-relevant events • Advantages: • No need to modify the OS/VM • enforce richer policies: e.g., no network sends after file reads • more flexible: code recipient can specify security policy • Examples: SASI [Erlingsson, Schneider], Java-MAC [Kim et al], Java-MOP [Chen, Rosu], Polymer [Bauer, Ligatti, Walker], ConSpec [Aktug, Naliuka], MoBILe [Hamlen, Morrisett, Schneider] OS/VM Reference Monitor grant/deny event untrusted code Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
IRM Implementation Challenges • must be fairly light-weight because it runs on the code-consumer side • binary code parsing and binary code generation are tedious and error-prone • IRM must elegantly implement many AST analyses and code-motion optimizations during rewriting • needed to preserve policy-compliant programs and generate efficient code • generated code should be amenable to formal verification (PCC[Necula & Lee], MoBILe[Hamlen, Morrisett, Schneider], and our recent work on Model-Checking IRMs [Sridhar & Hamlen, VMCAI 2010]) Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
An ActionScriptBytecode IRM system in Prolog • approximately: • 400 lines of rewriter code per security policy family • 900 lines of shared parser/generator code • 2000 of verifier code Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
The Prolog Advantage Prolog turns out to be a surprisingly elegant language in which to implement IRM's! • DCG's facilitate binary parser implementation. • Reversible predicates combine the parser and code-generator into one piece of code! • AST's are very elegantly represented and manipulated as Prolog structures. • A Prolog implementation of binary rewriting is isomorphic to a search for a correctness proof. This is excellent for integration with a certifying IRM system (Model-Checking IRMs [Sridhar & Hamlen]) or a PCC system [Necula & Lee]. Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
Application: Preventing malicious URL-redirections Adobe’s very real problem: • anyone can write a malicious ABC ad applet and float them around • ad-distributor doesn’t have a good way of pre-checking these since they might change dynamically Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
Application: Preventing malicious URL-redirections Solution: Use an IRM framework! • URL-redirections are implemented in ActionScriptBytecodeby the navigateToURL system call • let’s say we have a method checkURL,with a trusted implementation provided by the ad-distributor • checkURL validates the input to navigateToURL, and may depend on dynamic information Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
Application: Preventing malicious URL-redirections Solution (contd.): • insert a call to checkURL(s) before a call to navigateToURL(s) directly into bytecode • naïve approach – insert checkURL before every navigateToURL, but for efficiency reasons might want to pre-validate string • fits the Flash/AIR model perfectly, because security-enforcement done at code-consumer end, and code-producer (ad-creator) need not be trusted at all! Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
A couple other real-world policies postok policy: • sanitizes strings entered into message box widgets • This can be helpful in preventing cross-site scripting attacks, privacy violations, and buffer-overflow exploits that affect older versions of the ActionScript VM. • We enforced the policy on the Posty AIR application, which allows users to post messages to social networking sites such as Twitter, Jaiku, Tumblr, and Friendfeed. Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
A couple other real-world policies flimit policy • enforces a resource bound that disallows the creation of more than n files on the user's machine • enforced this policy on the FedEx Desktop AIR application, which continuously monitors a user's shipment status and sends tracking information directly to his or her desktop • IRM implements the policy by injecting a counter into the untrusted code that tracks file creations Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
Implementation and Results Details for more details, please visit my website: www.utdallas.edu/~meera.sridhar Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
Conclusion slide • IRM’s provide a more sophisticated security enforcement mechanism than traditional means. • Prolog provides a very elegant solution to typical IRM implementation challenges. • We implemented a prototype IRM system for ActionScriptbytecode. • We demonstrated the feasibility of our solution by enforcing several real-world policies. Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
Selected Citations • B. W. DeVries, G. Gupta, K. W. Hamlen, S. Moore, and M. Sridhar. ActionScriptBytecode Verification with Co-logic Programming. In Proc. of the ACM SIGPLAN Workshop on Prog. Languages and Analysis for Security (PLAS), 2009. • K. W. Hamlen, G. Morrisett, and F. B. Schneider. Computability Classes for Enforcement Mechanisms. In ACM Trans. Prog. Languages and Systems, 2006. • F. B. Schneider. Enforceable Security Policies. ACM Trans. Information and System Security, 3:30–50, 2000. • M. Sridhar and K. W. Hamlen. Model-checking In-lined Reference Monitors. In Proc. Intl. Conf. on Verification, Model-Checking and Abstract Interpretation, 2010. Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog