Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)
Program Monitors
• A program monitor is a coroutine that runs in parallel with an untrusted application
  • monitors process security-relevant actions
  • decide to allow/disallow application actions
  • may terminate or suspend application execution
• monitors detect, prevent, and recover from erroneous or malicious applications at run time
Modular Run-time Program Monitors

Simple Monitor Structure
• Monitors have 3 components
  • set of security-relevant application actions
  • security state
  • computation
[Diagram: Access Control Monitor; actions: fopen, fclose; state: acl; computation: acl lookup]

Polymer Project
• Polymer
  • An extension of Java designed to simplify construction of run-time program monitors
• Design methodology
  • A formula for producing well-structured, easy-to-understand, easy-to-modify monitors

Policy Architecture: The Problem
[Diagram: Untrusted application; Host System (Java); Program Monitor Definition; Polymer language extensions; Java core]

Policy Architecture: Simple Policies
[Diagram: system interface; Simple Policy Def.; Host System (Java); Polymer language extensions; Java core]
A Simple Polymer Policy

    class limitFiles extends Policy {
      private int openFiles = 0;   // private policy state, protected from malicious applications
      private int maxOpen = 0;
      limitFiles(int max) { maxOpen = max; }   // policy constructor
      ....
    }

A Simple Polymer Policy Continued

    class limitFiles extends Policy {
      private int openFiles = ...
      private int maxOpen = ...
      private ActionSet actions = new ActionSet(   // set of policy-relevant methods
        new String[] {"fileOpen(String)", "fileClose()"} );
      ....
    }

A Simple Polymer Policy Continued

    class limitFiles extends Policy {
      private ActionSet actions = ...
      private int openFiles = ...
      private int maxOpen = ...
      Suggestion step(Action a) {   // policy behaviour
        aswitch (a) {
          case fileOpen(String s) :
            if (++openFiles <= maxOpen) return Suggestion.OK();
            else return Suggestion.Halt();
          case fileClose() : ...
Realistic Monitors
• Protect complex system interfaces
  • interfaces replicate functionality in many different places
  • method parameters communicate information in different forms
  • eg: Java file system interface
    • 9 different methods to open files
    • 4 different methods to close files
    • filename strings, file objects, self used to identify files

Policy Architecture: Abstract Actions
[Diagram: abstract system interface; Host System (Java); Simple Policy Def.; Abstract Action Def.; Polymer language extensions; concrete system interface; Java core]

Abstract Action Definitions

    Concrete (java.lang.io):             Abstract:
      FileReader(String fileName);
      FileReader(File file);
      RandomAccessFile(...);             fileOpen(String n);
      ...
      FileReader.close();
      RandomAccessFile.close();          fileClose();
      ...

Realistic Monitors
• Combine simple policies defined over a variety of different resources
  • eg: sample applet policy
    • file system access control
    • bounds on bytes written and number of files opened
    • restricted network access
      • no access after file system read
      • communication with applet source only

Policy Architecture: Complex Policies
[Diagram: Complex, System-specific Policy; abstract system interface; Simple Policy Def.; Policy Comb. Def.; Abstract Action Def.; Host System (Java); Polymer language extensions; concrete system interface; Java core]

Policy Combinators
• Conjunction, Disjunction, Chinese wall, ...
[Diagram: Conjunctive Policy; P1 and P2 each produce a suggestion (s1, s2), combined into a single suggestion s]
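The three layers of the architecture above (abstract action definitions, the limitFiles simple policy, and a conjunctive combinator) modelled together in Python. This is an added illustration, not Polymer code: the method names in the abstract-action table are constructed, the DenyPrefix policy is hypothetical, the conjunction is modelled as "OK only when both sub-policies say OK", and fileClose is assumed to release a slot, which the slide elides.

```python
ABSTRACT = {  # abstract action definitions: concrete Java calls -> abstract action (constructed names)
    "FileReader(String)": "fileOpen", "FileReader(File)": "fileOpen",
    "RandomAccessFile(String,String)": "fileOpen",
    "FileReader.close()": "fileClose", "RandomAccessFile.close()": "fileClose",
}
OK, HALT = "OK", "Halt"  # the two suggestions used on the slides

def abstract(call, args):
    """Return (abstract_name, args) for a policy-relevant call, else None."""
    name = ABSTRACT.get(call)
    return (name, args) if name else None

class LimitFiles:
    """The slide's limitFiles policy: at most max_open files open at once."""
    def __init__(self, max_open):
        self.open_files, self.max_open = 0, max_open
    def step(self, action):
        if action[0] == "fileOpen":
            self.open_files += 1
            return OK if self.open_files <= self.max_open else HALT
        if action[0] == "fileClose":  # assumption: close releases a slot (elided on the slide)
            self.open_files = max(0, self.open_files - 1)
        return OK

class DenyPrefix:
    """Hypothetical access-control policy: no opens under a forbidden path prefix."""
    def __init__(self, prefix):
        self.prefix = prefix
    def step(self, action):
        name, args = action
        return HALT if name == "fileOpen" and str(args[0]).startswith(self.prefix) else OK

class Conjunction:
    """Policy combinator: both sub-policies see each action; OK only if both say OK."""
    def __init__(self, p1, p2):
        self.p1, self.p2 = p1, p2
    def step(self, action):
        s1, s2 = self.p1.step(action), self.p2.step(action)
        return OK if s1 == OK and s2 == OK else HALT

def monitor(policy, trace):
    """Feed a concrete call trace through the policy; stop at the first Halt."""
    decisions = []
    for call, args in trace:
        action = abstract(call, args)
        if action is not None:  # only security-relevant calls reach the policy
            decisions.append((action[0], policy.step(action)))
            if decisions[-1][1] == HALT:
                break
    return decisions
```

The same monitor loop works for any object with a step method, so a combinator is just another policy that other combinators can wrap again.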
Related Work
• Aspect-oriented programming
  • New Polymer features:
    • first-class suggestions, abstract actions, action patterns, policy combinators, policy architecture, formal semantics
• Monitoring languages
  • Poet and Pslang, Naccio, Ariel, Spin Kernel
• Logical monitoring specifications
  • MAC (temporal logic), Bigwig (second-order monadic logic)

Summary: Polymer
• First steps towards the design of a modern language for programming modular run-time security monitors
• For future software releases & papers see
  • www.cs.princeton.edu/sip/projects/polymer/