Efficient Runtime Policy Enforcement Using Counterexample-Guided Abstraction Refinement
Matt Fredrikson, Rich Joiner, Somesh Jha, Tom Reps, Phillip Porras, Hassen Saïdi, Vinod Yegneswaran
Funded by:
Outline
• Ensuring safety properties: current practice
• CEGAR: program verification
• IRM: filtering program behavior
• SafetyWeave: a hybrid approach
• Implementation and experimental results
CEGAR (diagram): Source Code and Safety Property -> Model Construction -> Model Checking. Model Checking yields either no counter-examples ("Verified") or a Counterexample Trace; an invalid counter-example feeds Model Refinement, which loops back to Model Construction; a valid counter-example is the other exit.
CEGAR Issues
• Computational complexity
  • Model grows exponentially with each refinement step
  • May not terminate (in our lifetimes)
• Statically indeterminable behavior
  • Higher-order functions
  • Dynamic scope
• No recourse for valid counterexamples
  • Requires manual intervention
Takeaway: CEGAR can be an expensive analysis
Runtime Enforcement (diagram): Source Code and Safety Property -> Inlined Reference Monitoring -> Dynamically-filtered Source Code
Úlfar Erlingsson, Fred B. Schneider, "The inlined reference monitor approach to security policy enforcement," 2004
IRM Example

Original program:

    var d = document;
    var f = d.getElementById;
    var t = f('secret');
    if (t) {
      d.cookie = t.innerHTML;
    }

Safety property: Don't inspect the document prior to assigning to the cookie.

Program with the naive inlined reference monitor (every statement is guarded by a check for every edge of the property automaton):

    var state = 0;
    if (state == 0 && check("var d = document", "call(document.getElementById)")) state = 1;
    if (state == 0 && check("var d = document", "call(document.getElementsByTagName)")) state = 1;
    if (state == 1 && check("var d = document", "set(document.cookie)")) halt();
    var d = document;
    if (state == 0 && check("var f = d.getElementById", "call(document.getElementById)")) state = 1;
    if (state == 0 && check("var f = d.getElementById", "call(document.getElementsByTagName)")) state = 1;
    if (state == 1 && check("var f = d.getElementById", "set(document.cookie)")) halt();
    var f = d.getElementById;
    if (state == 0 && check("var t = f('secret')", "call(document.getElementById)")) state = 1;
    if (state == 0 && check("var t = f('secret')", "call(document.getElementsByTagName)")) state = 1;
    if (state == 1 && check("var t = f('secret')", "set(document.cookie)")) halt();
    var t = f('secret');
    if (state == 0 && check("if (t)", "call(document.getElementById)")) state = 1;
    if (state == 0 && check("if (t)", "call(document.getElementsByTagName)")) state = 1;
    if (state == 1 && check("if (t)", "set(document.cookie)")) halt();
    if (t) {
      if (state == 0 && check("d.cookie = t.innerHTML", "call(document.getElementById)")) state = 1;
      if (state == 0 && check("d.cookie = t.innerHTML", "call(document.getElementsByTagName)")) state = 1;
      if (state == 1 && check("d.cookie = t.innerHTML", "set(document.cookie)")) halt();
      d.cookie = t.innerHTML;
    }
IRM Issues
• Runtime overhead
  • Spurious instrumentation placement
  • Programs run slower
Takeaway: IRM can be expensive at runtime
The Idea
• Combine CEGAR and IRM
• Statically remove naïve IRM instrumentation
• Limit the size of the abstract program model
Rewritten Program (only the checks the analysis could not discharge remain):

    var state = 0;
    var d = document;
    var f = d.getElementById;
    if (state == 0 && check("var t = f('secret')", "call(document.getElementById)")) state = 1;
    var t = f('secret');
    if (t) {
      if (state == 1 && check("d.cookie = t.innerHTML", "set(document.cookie)")) halt();
      d.cookie = t.innerHTML;
    }

Shown alongside the original program (var d = document; var f = d.getElementById; var t = f('secret'); if (t) { d.cookie = t.innerHTML; }).
Safety property: Don't inspect the document prior to assigning to the cookie.
The SafetyWeave Algorithm
• INPUT: Program, safety property
• OUTPUT: Rewritten program
Characteristics
• Sound
  • Rewritten program proven safe w.r.t. the property
  • All benign execution is preserved
• Language-independent
• Tunable tradeoff between static and dynamic overhead
• Always terminates
Safety Properties
• Temporal state traces that a program should not exhibit
• Can be encoded as an automaton with state predicates labeling the edges
Property automaton (diagram): states A, B, C; A -> B on call(document.getElementById) or call(document.getElementsByTagName); B -> C on set(document.cookie); self-loops labeled * on A and B.
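As an added example (not code from the slides), the property automaton above inlined over the IRM example program two ways: the naive monitor that guards every statement with every edge, and the two checks that survive in the rewritten program. The DOM is a constructed stub so the program runs under Node, and check(performs, event) stands in for the slides' check(): it only advances the automaton when the statement about to run actually performs the event.

```javascript
// Added example, not from the slides: naive IRM vs. the rewritten program's two checks,
// both enforcing the same automaton. The DOM is a constructed stub so this runs under Node.
const CALL_GEBI = "call(document.getElementById)";
const CALL_GEBTN = "call(document.getElementsByTagName)";
const SET_COOKIE = "set(document.cookie)";
const POLICY = { A: { [CALL_GEBI]: "B", [CALL_GEBTN]: "B" }, B: { [SET_COOKIE]: "C" } };
const EDGES = [CALL_GEBI, CALL_GEBTN, SET_COOKIE]; // all edge labels of the automaton
class Halted extends Error {}

// Inlined monitor: check(performs, event) advances the automaton only if the statement
// about to run actually performs `event`; reaching state C is a violation, so halt.
function makeMonitor() {
  let state = "A", checks = 0;
  const check = (performs, event) => {
    checks += 1;
    if (!performs.includes(event)) return;
    const next = POLICY[state][event];
    if (next === "C") throw new Halted(`policy violated by ${event}`);
    if (next) state = next;
  };
  return { check, count: () => checks };
}

const stubDocument = (secretPresent) => ({ // constructed stand-in for the browser DOM
  cookie: "",
  getElementById: (id) => (secretPresent && id === "secret" ? { innerHTML: "tok=42" } : null),
  getElementsByTagName: () => [],
});

// naive=true guards all 5 statements with all 3 edges (15 checks, as on the slide);
// naive=false keeps only the two checks that survive in the rewritten program.
function runProgram(naive, secretPresent) {
  const m = makeMonitor(), doc = stubDocument(secretPresent);
  const guard = (performs, ...events) => events.forEach((e) => m.check(performs, e));
  try {
    if (naive) guard([], ...EDGES);
    const d = doc;
    if (naive) guard([], ...EDGES);
    const f = d.getElementById;
    // Which call event `f('secret')` raises depends on what `f` aliases at runtime.
    const ev = f === doc.getElementById ? [CALL_GEBI] : f === doc.getElementsByTagName ? [CALL_GEBTN] : [];
    guard(ev, ...(naive ? EDGES : [CALL_GEBI]));
    const t = f("secret");
    if (naive) guard([], ...EDGES);
    if (t) {
      guard([SET_COOKIE], ...(naive ? EDGES : [SET_COOKIE]));
      d.cookie = t.innerHTML;
    }
    return { halted: false, cookie: doc.cookie, checks: m.count() };
  } catch (e) { if (!(e instanceof Halted)) throw e; return { halted: true, cookie: doc.cookie, checks: m.count() }; }
}
```

Both variants halt the violating run before the cookie is written and behave identically on the benign run; the difference is 15 checks versus 2.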
SafetyWeave (diagram): Source Code and Safety Property -> Model Construction -> Model Checking; no counter-examples -> Source Code Rewriting -> Verified, Instrumented Source Code; an invalid counter-example feeds Model Refinement, which loops back to Model Construction; a valid counter-example also goes to Source Code Rewriting.
Key Insight: CEGAR analysis used to minimize IRM instrumentation
SafetyWeave (diagram, bounded refinement): same pipeline (Source Code and Safety Property -> Model Construction -> Model Checking -> Source Code Rewriting -> Verified, Instrumented Source Code), with an additional exit from Model Refinement when the Abstraction Limit is reached, which goes straight to Source Code Rewriting.
Key Insight: Number of predicates learned limited to ensure termination
Prototype Implementation
• JaM is the JavaScript Model Checker
• Why JavaScript?
  • Pervasive on the Internet
  • Code often comes from many authors
    • Libraries, advertisements, mash-ups, web service interfaces
  • JavaScript is challenging to analyze statically
    • Higher-order functions, scope-resolution rules, writable native objects
Deployment Scenario (diagram): parties labeled "Website owners" and "Ads entrepreneur" interact with a JaM analysis server, which delivers a verified online ad service.
JaM is part of a DARPA clean-slate security effort
Implementation (diagram): the SafetyWeave pipeline (Source Code and Safety Property -> Model Construction -> Model Checking -> Model Refinement / Source Code Rewriting -> Verified, Instrumented Source Code) annotated with the tools used: OpenNWA, XSB, Kaluza/Yices, and the Closure Compiler.
JavaScript Language Model
• Implements symbolic pre-image operator over program statements
• Based on JavaScript semantics of Maffeis et al.
  • Sergio Maffeis, John Mitchell, Ankur Taly, "Operational Semantics of JavaScript," APLAS '08
• Operational semantics encoded as a logic program

Example: to evaluate the "this" keyword, traverse the scope chain and retrieve its reference value.

    Scope(H, l, @this) = l1      H, l1.@Get(@this) = va
    --------------------------------------------------- [E-This]
                    H, l, this -> H, l, va

The same rule as a logic-program clause:

    exp(H,L,E,H,L,Va) :- is_this(E), scope(H,L,'@this',L1), aget(H,L1,'@this',Va).
Applications and Policies
• Benchmark applications
  • 12 real programs used on the WWW
  • Range from 25 to 4000 lines
  • Exercise a wide range of JavaScript coding patterns and constructs
• JaM safety properties
  • Communication with external hosts
  • Modification of persistent storage to reflect page contents
  • Creation of foreign pop-up dialog boxes
  • DOM access/modification
Experimental Results
• Initial abstract model (without refinement)
  • Program model composed of predicates used in safety property
  • 89% to 100% of statements deemed safe
• Effect of model refinement
  • 5 of 12: required no refinement
  • 5 of 12: reduced spurious counterexamples by learning 1 to 4 predicates
SafetyWeave (diagram, complete): Source Code and Safety Property -> Model Construction -> Model Checking; no counter-examples -> Source Code Rewriting -> Verified, Instrumented Source Code; invalid counter-example -> Model Refinement -> Model Construction; valid counter-example -> Source Code Rewriting; Abstraction Limit Reached (from Model Refinement) -> Source Code Rewriting.
A Simple Example: Program & Policy

    api[0] = readFile;
    api[1] = sendPacket;
    while (true) {
      instr, data = read();
      api[instr](data);
    }

Policy automaton (diagram): states A, B, C; edges labeled call readHistory, call readFile, and call sendPacket; self-loops labeled *.
Control Flow Automaton (diagram): nodes for api[0] = readFile, api[1] = sendPacket, while(true) with {true} and {false} branches, instr, data = read(), api[instr](data), and {exit}.
Data Automaton (diagram): α: call readFile, β: call readHistory, γ: call sendPacket; edges labeled by the predicates α, β, γ and their negations !α, !β, !γ. [Self-edges omitted for sanity]