1 / 76

Efficient, Context-Sensitive Detection of Real-World Semantic Attacks

Michael Bond Varun Srivastava Kathryn McKinley Vitaly Shmatikov University of Texas at Austin. Efficient, Context-Sensitive Detection of Real-World Semantic Attacks. Real Semantic Exploits & Efficient, Context-Sensitive Detection. How an applet loads a class.

fleur
Download Presentation

Efficient, Context-Sensitive Detection of Real-World Semantic Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Michael Bond Varun Srivastava Kathryn McKinley Vitaly Shmatikov University of Texas at Austin Efficient, Context-Sensitive Detection of Real-World Semantic Attacks

  2. Real Semantic Exploits & Efficient, Context-Sensitive Detection

  3. How an applet loads a class classLoader.loadClass(“java.util.HashSet”);

  4. classLoader.loadClass(“java.util.HashSet”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); }

  5. Access-control security classLoader.loadClass(“java.util.HashSet”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess()

  6. classLoader.loadClass(“java.util.HashSet”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... }

  7. classLoader.loadClass(“java.util.HashSet”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  8. classLoader.loadClass(“sun/applet/AppletClassLoader”); Sun Java Virtual Machine 1.3

  9. classLoader.loadClass(“sun/applet/AppletClassLoader”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); }

  10. classLoader.loadClass(“sun/applet/AppletClassLoader”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess()

  11. classLoader.loadClass(“sun/applet/AppletClassLoader”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  12. classLoader.loadClass(“sun/applet/AppletClassLoader”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() • Semantic exploit • Examples: • Omitted security check • Untrusted code executes in wrong context • Misconfigured security policy ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  13. classLoader.loadClass(“sun/applet/AppletClassLoader”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() How to detect this exploit? Infeasible path detection? Does not violate semantics (e.g., type & memory safety, control-flow integrity) ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  14. classLoader.loadClass(“sun/applet/AppletClassLoader”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() How to detect this exploit? Check against specification? No specification available ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  15. classLoader.loadClass(“sun/applet/AppletClassLoader”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() How to detect this exploit? Infer specification from dynamic behavior? ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  16. classLoader.loadClass(“sun/applet/AppletClassLoader”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 Which dynamic behavior? FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  17. loadClass(“java.util.HashMap”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass(“sun/applet/AppletClassLoader”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass(“MyClass”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :139 File.exists()

  18. loadClass(“java.util.HashMap”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass(“sun/applet/AppletClassLoader”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass(“MyClass”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :139 File.exists() Train Deploy

  19. classLoader.loadClass(“MyClass”);

  20. classLoader.loadClass(“MyClass”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); }

  21. classLoader.loadClass(“MyClass”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess()

  22. classLoader.loadClass(“MyClass”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  23. loadClass(“java.util.HashMap”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass(“sun/applet/AppletClassLoader”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121 File.exists() loadClass(“MyClass”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :139 File.exists()

  24. loadClass(“java.util.HashMap”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass(“sun/applet/AppletClassLoader”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121 File.exists() loadClass(“MyClass”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :139 File.exists()

  25. loadClass(“java.util.HashMap”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121  File.exists() loadClass(“sun/applet/AppletClassLoader”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :121 File.exists() loadClass(“MyClass”); …  SecurityManager.checkPackageAccess() … …  FileURLLoader.getResource():73 walkPathComponents() :139 File.exists() Train Deploy Train

  26. ClassLoader.loadClass():312 ClassLoader.loadClass():341 More context sensitivity FileURLLoader.getResource():73 FileURLLoader.walkPathComponents():121 File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  27. ClassLoader.loadClass():312 ClassLoader.loadClass():341 False negatives More context sensitivity False positives FileURLLoader.getResource():73 FileURLLoader.walkPathComponents():121 File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  28. ClassLoader.loadClass():312 ClassLoader.loadClass():341 False negatives Overhead More context sensitivity False positives FileURLLoader.getResource():73 FileURLLoader.walkPathComponents():121 File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  29. classLoader.loadClass(“java.util.HashSet”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  30. classLoader.loadClass(“java.util.HashSet”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } S ←walkStack () check ( S ) SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 S ←walkStack () check ( S ) SecurityManager.checkRead()

  31. Costs of Context Sensitivity

  32. Costs of Context Sensitivity Proportional to depth & security calls High overhead at security calls

  33. Efficient, Depth-Limited Context Sensitivity

  34. Probabilistic Calling Context[Bond & McKinley ’07] Represent calling context as probabilistically unique integer

  35. Probabilistic Calling Context[Bond & McKinley ’07] Compute value at every call Use value at security calls

  36. Probabilistic Calling Context[Bond & McKinley ’07] Compute value at every call Use value at security calls Always-available context Low overhead at security calls

  37. classLoader.loadClass(“java.util.HashSet”); loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  38. classLoader.loadClass(“java.util.HashSet”); V0 ← 0 loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } V1 ←f ( V0 , cs1 ) SecurityManager.checkPackageAccess() ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  39. classLoader.loadClass(“java.util.HashSet”); V0 ← 0 loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } V1 ←f ( V0 , cs1 ) SecurityManager.checkPackageAccess() V2 ←f ( V0 , cs2 ) ClassLoader.loadClass():341 FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } File.exists():268 File.checkRead():1485 SecurityManager.checkRead()

  40. classLoader.loadClass(“java.util.HashSet”); V0 ← 0 loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } V1 ←f ( V0 , cs1 ) SecurityManager.checkPackageAccess() V2 ←f ( V0 , cs2 ) V3 ←f ( V2 , cs3 ) ClassLoader.loadClass():341 V4 ←f ( V3 , cs4 ) FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } V5 ←f ( V4 , cs5 ) File.exists():268 V6 ←f ( V5 , cs6 ) File.checkRead():1485 V7 ←f ( V6 , cs7 ) SecurityManager.checkRead()

  41. classLoader.loadClass(“java.util.HashSet”); V0 ← 0 loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } V1 ←f ( V0 , cs1 ) check ( V1 ) SecurityManager.checkPackageAccess() V2 ←f ( V0 , cs2 ) V3 ←f ( V2 , cs3 ) ClassLoader.loadClass():341 V4 ←f ( V3 , cs4 ) FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } V5 ←f ( V4 , cs5 ) File.exists():268 V6 ←f ( V5 , cs6 ) File.checkRead():1485 V7 ←f ( V6 , cs7 ) check ( V7 ) SecurityManager.checkRead()

  42. classLoader.loadClass(“java.util.HashSet”); V0 ← 0 loadClass(name) { ... if (name.lastIndexOf(‘.’) != -1) securityManager.checkPackageAccess(name); ... super.loadClass(); } V1 ←f ( V0 , cs1 ) check ( V1 ) SecurityManager.checkPackageAccess() V2 ←f ( V0 , cs2 ) History sensitivity V3 ←f ( V2 , cs3 ) ClassLoader.loadClass():341 V4 ←f ( V3 , cs4 ) FileURLLoader.getResource():73 walkPathComponents() { ... 121: { ... if (file.exists()) ... } ... 139: { ... if (file.exists()) ... } ... } V5 ←f ( V4 , cs5 ) File.exists():268 V6 ←f ( V5 , cs6 ) File.checkRead():1485 V7 ←f ( V6 , cs7 ) check ( V7 ) SecurityManager.checkRead()

  43. PCC Function f ( V , cs ) ≡ 3V + cs (mod 232)

  44. PCC Function f ( V , cs ) ≡ 3V +cs(mod 232) Motivated by MPI data-type hashing [Langou et al. ’05] [Gropp ’00]

  45. PCC Function f ( V , cs ) ≡ 3V + cs (mod 232) Encodes entire calling context

  46. PCC Function f ( V , cs ) ≡ 232/kV +cs(mod 232) Encodes last k call sites

  47. PCC Function f ( V , cs ) ≡ 232/kV + cs (mod 232) • Cheap to compute

  48. PCC Function f ( V , cs ) ≡ 232/kV +cs(mod 232) • Cheap to compute • Composition cheap to compute

  49. PCC Function f ( V , cs ) ≡ 232/kV +cs(mod 232) • Cheap to compute • Composition cheap to compute • Non-commutative

More Related