Secure Programs via Game-based Synthesis • Somesh Jha, Tom Reps, and Bill Harris
One-slide summary • Secure programming on a conventional OS is intractable • Privilege-aware OS’s take secure programming from intractable to challenging • Our program rewriter takes secure programming from challenging to simple
Outline • Motivation, problem statement • Previous work: Capsicum [CAV ’12, Oakland ’13] • Ongoing work: HiStar • Open challenges
Secure Programming is Intractable • 81 exploits in CVE since Sept. 2013 • Many exploit a software bug to carry out undesirable system operations • CVE-2013-5751: exploit SAP NetWeaver to traverse a directory • CVE-2013-5979: exploit bad filename handling in Xibo to read arbitrary files • CVE-2013-5725: exploit ByWord to overwrite files
How to Carry Out an Exploit • software vulnerability + OS privilege = security exploit
The Conventional-OS Solution • software vulnerability + OS privilege = security exploit
The Program-Verification Solution • software vulnerability + OS privilege = security exploit
Priv.-aware OS • Introduce explicit privileges over all system objects, and primitives that update privileges • Programs call primitives to manage privilege
The Priv.-aware OS Solution • software vulnerability + OS privilege = security exploit, where the OS privilege term is now managed through primitives and monitored by the OS
The Priv.-aware OS Capsicum [Watson ’10] • Privilege: ambient authority (Amb) to open descriptors to system objects • Primitives: the program calls cap_enter() to manage Amb
Rules of Capsicum’s Amb • When a process is created, it has the Amb value of its parent • After a process calls cap_enter(), it does not have Amb • If a process does not have Amb, then it can never obtain Amb
gzip • main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } • (figure labels: /usr/local, http://evil.com)
A simple policy for gzip • When gzip calls open2() at L0, it should have Amb (be able to open descriptors) • When gzip calls compress() at L1, it should not have Amb (not be able to open descriptors)
gzip with Amb? • Policy: L0: Amb, L1: no Amb • main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } • Where should cap_enter() be inserted?
Capsicum Programming Challenges • Amb policies are not explicit • cap_enter primitive has subtle temporal effects
Programming challenges: gzip • main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); cap_enter(); L1: compress(in, out); } • Policy: L0: Amb, L1: no Amb • Inserting cap_enter() before compress() gives the right Amb values on the first iteration (Amb at L0, no Amb at L1), but since Amb is never regained, every later open2() at L0 runs without Amb and violates the policy
Rules of Capsicum’s Amb • When a process is created, it has the Amb value of its parent • After a process calls cap_enter(), it never has Amb • If a process does not have Amb, then it can never obtain Amb
Instrumenting gzip • main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); sync_fork(); cap_enter(); L1: compress(in, out); sync_join(); } • Policy: L0: Amb, L1: no Amb • The forked child inherits Amb, drops it with cap_enter() and runs compress() without Amb; the parent keeps Amb while it waits and resumes at the loop head after sync_join(), so the next open2() at L0 still has Amb
Capsicum Challenges Not Appearing in This Talk • Program can construct a capability from each UNIX descriptor • A capability has a vector of 63 access rights (~1 for every system call on a descriptor) • Programs can assume new capabilities via a Remote Procedure Call (RPC)
Instrumenting Programs with CapWeave • Programmer writes an explicit Amb policy • CapWeave instruments the program to invoke primitives so that it satisfies the policy
gzip with CapWeave • main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } • Policy: Cur(p) => (pc[L0](p) => Amb(p)) & (pc[L1](p) => !Amb(p)) • i.e., L0: Amb, L1: no Amb
CapWeave • Input program: main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } • Policy: Cur(p) => (pc[L0](p) => Amb(p)) & (pc[L1](p) => !Amb(p)) • Instrumented program: void main() { L0: open2(...); sync_fork(); cap_enter(); L1: compress(); sync_join(); }
The Next 700 Policy Weavers • Analogous challenges with Decentralized Information Flow Control (DIFC) • Asbestos [Efstathopoulos ’05] • HiStar [Zeldovich ’06] • Flume [Krohn ’07]
WeaverGenerator for Capsicum • Programmer supplies the program gzip() { file_nms = parse_cl(); ... } and the policy Cur(p) => (pc[L0](p) => Amb(p)) & (pc[L1](p) => !Amb(p)) • Capsicum designer supplies the semantics of the primitives, e.g. cap_enter: Amb’(p) := Amb(p) & ... • WeaverGenerator produces CapWeave, which outputs gzip() { file_nms = parse_cl(); sync_fork(); cap_enter(); ... }
WeaverGenerator for HiStar • Programmer supplies the program wrapper() { exec(...); ... } and the policy forall w, s. Flows(w, s) => ... • HiStar designer supplies the semantics of the primitives, e.g. create_cat(&c): Flows’(p, q) := Flows(p, q) || ... • WeaverGenerator produces HiWeave, which outputs the instrumented program scanner() { create_cat(&c); exec(...); ... }
Outline • Motivation, problem statement • Previous work: Capsicum • Ongoing work: HiStar • Open challenges
CapWeave Algorithm • Inputs: Program P, Amb Policy Q • Output: Instrumentation of P that always satisfies Q • Build a finite IP# ⊇ {instrumented runs that violate Q}
1. Building IP#: Inputs • Program: main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } • Amb Policy: L0: Amb, L1: no Amb
1. Building IP#: Output • (figure: the abstract transition graph IP#, whose edges are the program actions parse_cl, L0:open2(), L1:compress() interleaved with the instrumentation choices noop, cap_enter(), sync_fork(), sync_join(); the highlighted abstract state is L1: no Amb)
1. Building IP#: Output • (figure: the same IP# graph, with the abstract state L0: Amb highlighted)
Building IP# • Basic idea: construct IP# as a forward exploration of an abstract state space
1(b). IP#: Define Abstract Transformers • (figure: concrete state Q, abstraction α, abstract state Q#; the concrete transformer τ[cap_enter] and its abstract counterpart τ[cap_enter]#)
1(c). Explore Abstract State Space • (figure: starting from the abstract initial state init, apply τ[parse_cl]# and then the instrumentation transformers τ[noop]#, τ[cap_enter]#, ... to reach abstract states for L0, L0’, ...; each abstract step corresponds to a concrete step on Q via α)
(figure: the IP# graph of the previous slides, with the τ[parse_cl]# edge highlighted)
State-Structure Exploration • If a concrete state is a logical structure, ... (figure: state Q drawn as a structure over predicates A, B, C, D)
State-Structure Exploration • ...properties are FOL formulas, ... ∀p. A(p) ⇒ ((B(p) ⇒ C(p)) ⋀ (D(p) ⇒ ¬C(p)))
State-Structure Exploration • ...and semantics is given as predicate updates, ... τ[action] ≡ A’(x) = A(x) ⋁ ∃y. C(y) ⋀ B(y, x); B’(x, y) = B(x, y) ⋁ (C(x) ⋀ D(y)); C’(x) = ...; D’(x) = ...
State-Structure Exploration • ...then the abstract space and transformers can be generated automatically [Sagiv ’99] (figure: Q, α, Q#, τ[action], τ[action]#)
Capsicum Semantics • 1. Capsicum state as a logical structure • 2. Capsicum primitives as predicate updates (figure: the structure Q and the predicate updates of the previous slides)
Capsicum State as Structure • (figure: a structure over the predicates Cur, Parent, L1, Amb in which the current process is at L1 and has Amb) • ⊭ ∀p. Cur(p) ⋀ L1(p) ⇒ ¬Amb(p)
Capsicum State as Structure • (figure: a structure over the predicates Cur, Parent, L1, Amb in which the current process is at L1 without Amb) • ⊨ ∀p. Cur(p) ⋀ L1(p) ⇒ ¬Amb(p)
Capsicum Structure Transformers • Action: sync_fork() • Structure transformer: introduce a Fresh individual (the child, with a Parent edge to the current process); Amb’(p) := Amb(p) ⋁ (Fresh(p) ⋀ ∃q. Cur(q) ⋀ Amb(q)) • (figure: before, the Cur process with Amb; after, the Fresh child also has Amb)
Capsicum Structure Transformers • Action: cap_enter() • Structure transformer: Amb’(p) := Amb(p) ⋀ ¬Cur(p) • (figure: the Cur process loses Amb; its Parent keeps Amb)
Building IP#: Summary • If semantics is given as transforms of logical structures, we can generate an approximation of the runs that cause a violation • Capsicum semantics can be modeled as structure transforms
CapWeave Algorithm • Inputs: Program P, Amb Policy Q • Output: Instrumentation of P that always satisfies Q • Build a finite IP# ⊇ {instrumented runs that violate Q} • From IP#, build a safety game G, won by the Attacker exactly on violations of Q
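The two structure transformers above, carried through as an added worked example (this is not code from the slides or from CapWeave). A Capsicum state is represented as a logical structure over process individuals: Cur and Amb are unary predicates stored as sets, Parent(c, p) is a binary predicate stored as (child, parent) pairs, and the program point of each process is stored as (p, label) pairs standing in for the slides’ pc[L0](p) / pc[L1](p). sync_fork and cap_enter implement the predicate updates shown on the slides; the semantics of sync_join (child exits, parent resumes with its own Amb) and the pc bookkeeping in goto are modelling assumptions made here.

```python
"""Capsicum process state as a logical structure, primitives as predicate
updates.  Added example, not code from the slides or from CapWeave.
sync_join and the pc bookkeeping are modelling assumptions."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Structure:
    procs: frozenset   # universe of process individuals
    cur: frozenset     # Cur(p): the process currently running
    amb: frozenset     # Amb(p): p holds ambient authority
    parent: frozenset  # Parent(c, p): p forked c and is blocked on it
    at: frozenset      # (p, label): the program point p is at


def initial(label="init") -> Structure:
    """A single process that inherited Amb from its (unmodelled) parent."""
    return Structure(frozenset({1}), frozenset({1}), frozenset({1}),
                     frozenset(), frozenset({(1, label)}))


def current(s: Structure) -> int:
    return next(iter(s.cur))


def label_of(s: Structure, p: int) -> str:
    return next(lbl for (q, lbl) in s.at if q == p)


def goto(s: Structure, label: str) -> Structure:
    """The current process reaches program point `label` (assumed bookkeeping)."""
    cur = current(s)
    at = {(p, lbl) for (p, lbl) in s.at if p != cur} | {(cur, label)}
    return replace(s, at=frozenset(at))


def sync_fork(s: Structure) -> Structure:
    """Intro Fresh; Amb'(p) := Amb(p) ∨ (Fresh(p) ∧ ∃q. Cur(q) ∧ Amb(q)).
    The fresh child becomes Cur; the parent blocks until sync_join."""
    cur = current(s)
    fresh = max(s.procs) + 1
    amb = set(s.amb)
    if any(q in s.amb for q in s.cur):      # ∃q. Cur(q) ∧ Amb(q)
        amb.add(fresh)
    return Structure(procs=s.procs | {fresh},
                     cur=frozenset({fresh}),
                     amb=frozenset(amb),
                     parent=s.parent | {(fresh, cur)},
                     at=s.at | {(fresh, label_of(s, cur))})


def cap_enter(s: Structure) -> Structure:
    """Amb'(p) := Amb(p) ∧ ¬Cur(p): the running process loses Amb for good."""
    return replace(s, amb=frozenset(p for p in s.amb if p not in s.cur))


def sync_join(s: Structure) -> Structure:
    """Assumed semantics: the running child exits and its parent resumes.
    Amb of the survivors is untouched, so the parent keeps its authority."""
    child = current(s)
    par = next(p for (c, p) in s.parent if c == child)
    return Structure(procs=s.procs - {child},
                     cur=frozenset({par}),
                     amb=s.amb - {child},
                     parent=frozenset(pr for pr in s.parent if pr[0] != child),
                     at=frozenset(pr for pr in s.at if pr[0] != child))


def satisfies(s: Structure) -> bool:
    """∀p. Cur(p) ⇒ ((pc[L0](p) ⇒ Amb(p)) ∧ (pc[L1](p) ⇒ ¬Amb(p)))."""
    return all(((p, "L0") not in s.at or p in s.amb) and
               ((p, "L1") not in s.at or p not in s.amb)
               for p in s.procs if p in s.cur)


PRIMS = {"sync_fork": sync_fork, "cap_enter": cap_enter, "sync_join": sync_join}


def check(script, s=None):
    """Run a mix of primitives and program points from the initial structure.
    Returns (program point, policy holds) for every program point reached,
    plus the final structure."""
    s = s if s is not None else initial()
    report = []
    for op in script:
        if op in PRIMS:
            s = PRIMS[op](s)
        else:
            s = goto(s, op)
            report.append((op, satisfies(s)))
    return report, s
```

check(["L0", "cap_enter", "L1", "H", "L0"]) reports the second visit to L0 as a violation: the only process lost Amb and, by the third rule, cannot get it back. check(["L0", "sync_fork", "cap_enter", "L1", "sync_join", "H", "L0"]) holds at every point and ends with the parent as Cur and still holding Amb, which is exactly what the instrumented gzip relies on.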
Two-Player Safety Games • In an Attacker state,the Attacker chooses the next input • In a Defender state,the Defender chooses the next input • Attacker wants to reach an accepting state
(figure: an example safety game graph with states a, b, c, d and transitions labelled w, x, y, z)
gzip IP# • (figure: the IP# graph for gzip from the earlier slides, now read as a safety game: the instrumentation choices noop, cap_enter(), sync_fork(), sync_join() are Defender moves and the program actions parse_cl, L0:open2(), L1:compress() are Attacker moves)