1 / 107

Retrofitting Legacy Code with Authorization Mechanisms

Retrofitting Legacy Code with Authorization Mechanisms. Principle of Design for Security. Historic example: MULTICS [Corbato et al. ‘65] More recent examples: Operating systems Database servers. To create a secure system, design it to be secure from the ground up.

salim
Download Presentation

Retrofitting Legacy Code with Authorization Mechanisms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Retrofitting Legacy Code with Authorization Mechanisms

  2. Principle of Design for Security • Historic example: • MULTICS [Corbato et al. ‘65] • More recent examples: • Operating systems • Database servers To create a secure system, design it to be secure from the ground up Retrofitting Legacy Code for Authorization Policy Enforcement

  3. Relevance of the Principle today Most deployed software is not designed for security • Deadline-driven software development • Design.Build.(Patch)* is here to stay • Few people have expertise with a single large codebase. • Tedious to sift through large codebases and reason about security. • Diverse/Evolving security requirements • MULTICS security study [Karger and Schell, ‘72] Retrofitting Legacy Code for Authorization Policy Enforcement

  4. Retrofitting legacy code Need systematic techniques to retrofit legacy code for security Legacy code Retrofitted code INSECURE SECURE Retrofitting Legacy Code for Authorization Policy Enforcement

  5. Retrofitting legacy code • Enforcing type safety • CCured [Necula et al. ’02] • Partitioning for privilege separation • PrivTrans [Brumley and Song, ’04] • Enforcing authorization policies Need systematic techniques to retrofit legacy code for security Retrofitting Legacy Code for Authorization Policy Enforcement

  6. Operation request Response Allowed? YES/NO Enforcing authorization policies Resource user Resource manager Reference monitor ‹Alice, /etc/passwd, File_Read› Authorization policy Retrofitting Legacy Code for Authorization Policy Enforcement

  7. Retrofitting for authorization • Mandatory access control for Linux • Linux Security Modules [Wright et al.,’02] • SELinux [Loscocco and Smalley,’01] • Secure windowing systems • Trusted X,Compartmented-mode workstation, X11/SELinux [Epstein et al.,’90][Berger et al.,’90][Kilpatrick et al.,’03] • Java Virtual Machine/SELinux [Fletcher,‘06] • IBM Websphere/SELinux [Hocking et al.,‘06] Painstaking, manual procedure Retrofitting Legacy Code for Authorization Policy Enforcement

  8. This tutorial Three program analysis and transformation techniques (in increasing order of sophistication) to retrofit legacy code with reference monitors Retrofitting Legacy Code for Authorization Policy Enforcement

  9. Contents of the tutorial Analyses and transformations for authorization policy enforcement • Fingerprints: A new representation for security-sensitive operations • Three algorithms to mine fingerprints • Results: Reduced effort to retrofit legacy code for authorization policy enforcement • Manual effort needed reduces to a few hours • Applied to X server, Linux kernel, etc. Retrofitting Legacy Code for Authorization Policy Enforcement

  10. Outline • Motivation • Problem • Example • Retrofitting legacy code: Lifecycle • Solutions • Dynamic fingerprint mining • Static mining with concept analysis • Static mining leveraging user choice Retrofitting Legacy Code for Authorization Policy Enforcement

  11. REMOTE LOCAL X server with multiple X clients Retrofitting Legacy Code for Authorization Policy Enforcement

  12. REMOTE LOCAL Malicious remote X client Retrofitting Legacy Code for Authorization Policy Enforcement

  13. REMOTE LOCAL Undesirable information flow Retrofitting Legacy Code for Authorization Policy Enforcement

  14. Desirable information flow REMOTE LOCAL Retrofitting Legacy Code for Authorization Policy Enforcement

  15. Other policies to enforce • Prevent unauthorized • Copy and paste • Modification of inputs meant for other clients • Changes to window settings of other clients • Retrieval of bitmaps: Screenshots [Berger et al., ’90] [Epstein et al., ‘90] [Kilpatrick et al., ‘03] Retrofitting Legacy Code for Authorization Policy Enforcement

  16. Security is not a ‘blocker’ “It isn't clear this qualifies as a blocker under any circumstances. The importance of security increases only as we are into serious deployment and start becoming a target. First things, first....” - https://dev.laptop.org/ticket/260Need a way to protect against applications sniffing each other's keystrokes, which X permits by default. Security by design, in practice

  17. Operation request Response Allowed? YES/NO X server with authorization X client X server Reference monitor Authorization policy Retrofitting Legacy Code for Authorization Policy Enforcement

  18. Outline • Motivation • Problem • Example • Retrofitting legacy code: Lifecycle • Solution Retrofitting Legacy Code for Authorization Policy Enforcement

  19. Security-sensitive operations Source Code Input_Event Create Destroy Copy Paste Map Can the client receive this Input_Event? Retrofitting lifecycle • Identify security-sensitive operations • Locate where they are performed in code • Instrument these locations Policy checks Retrofitting Legacy Code for Authorization Policy Enforcement

  20. Problems Manual • X11 ~ proposed 2003, implemented 2007, changing to date. [Kilpatrick et al., ‘03] • Linux Security Modules ~ 2 years [Wright et al., ’02] • PostgreSQL: Began in 2006, still not mainline. At this point, SE-PostgreSQL has taken up a *lot* of community resources, not to mention an enormous and doubtless frustrating amount of *the lead developer’s* time and effort, thus far without a single committed patch, or even a consensus as to what it should (or could) do. Rather than continuing to blunder into the future, I think we need to do a reality check - http://archives.postgresql.org/message-id/20090718160600.GE5172@fetter.org Retrofitting Legacy Code for Authorization Policy Enforcement

  21. Problems • Violation of complete mediation • Time-of-check to Time-of-use bugs [Zhang et al., ‘02][Jaeger et al., ‘04] Error-prone Retrofitting Legacy Code for Authorization Policy Enforcement

  22. Our approach Principled • Fingerprints: A new representation of security-sensitive operations • Legacy code retrofitted using fingerprints • Use of static and dynamic program analysis • Must achieve complete mediation • Ideally, must not place redundant hooks Automated Retrofitting Legacy Code for Authorization Policy Enforcement

  23. Approach overview Legacy code Miner Fingerprints Matcher Retrofitted code Retrofitting Legacy Code for Authorization Policy Enforcement

  24. Outline • Motivation • Problem • Solution • Fingerprints • Dynamic fingerprint mining • Static fingerprint mining with concept analysis • Static fingerprint mining leveraging user choice Retrofitting Legacy Code for Authorization Policy Enforcement

  25. What are fingerprints? • Resource accesses that are unique to a security-sensitive operation • Denote key steps needed to perform the security-sensitive operation on a resource Code-level signatures of security-sensitive operations Retrofitting Legacy Code for Authorization Policy Enforcement

  26. Security-sensitive operations Source Code Input_Event Create Destroy Copy Paste Map Examples of fingerprints • Input_Event :- Cmp xEvent->type == KeyPress Retrofitting Legacy Code for Authorization Policy Enforcement

  27. Examples of fingerprints • Input_Event :- Cmp xEvent->type == KeyPress • Input_Event :- Cmp xEvent->type == MouseMove • Map :- Set Window->mappedtoTrue & Set xEvent->typetoMapNotify • Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0 Retrofitting Legacy Code for Authorization Policy Enforcement

  28. Fingerprint matching • Enumerate :- ReadWindow->firstChild& • ReadWindow->nextSib& • CmpWindow ≠ 0 • X server function MapSubWindows MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) { ... // Code that maps each child window ... } } Performs Enumerate Retrofitting Legacy Code for Authorization Policy Enforcement

  29. Placing authorization checks • X server function MapSubWindows MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows if CHECK(pClient,pParent,Enumerate) == ALLOWED { pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) { ... // Code that maps each child window ... } } else { HANDLE_FAILURE } } Retrofitting Legacy Code for Authorization Policy Enforcement

  30. Fingerprint matching • Currently employ simple pattern matching • More sophisticated matching possible • Metacompilation [Engler et al., ‘01] • MOPS [Chen and Wagner, ‘02] • Inserting authorization checks is akin to static aspect-weaving [Kiczales et al., ’97] • Other aspect-weaving techniques possible • Runtime aspect-weaving Retrofitting Legacy Code for Authorization Policy Enforcement

  31. Outline • Motivation • Problem • Solution • Fingerprints • Dynamic fingerprint mining • Static fingerprint mining with concept analysis • Static fingerprint mining leveraging user choice Retrofitting Legacy Code for Authorization Policy Enforcement

  32. Security-sensitive operations Source Code Input_Event Create Destroy Copy Paste Map Dynamic fingerprint mining Output: Fingerprints Input_Event :- Cmp xEvent->type == KeyPress Retrofitting Legacy Code for Authorization Policy Enforcement

  33. Dynamic fingerprint mining • Security-sensitive operations [NSA’03] • Use this information to induce the program to perform security-sensitive operations Retrofitting Legacy Code for Authorization Policy Enforcement

  34. Problem definition • S: Set of security-sensitive operations • D: Descriptions of operations in S • R: Set of resource accesses • Read/Set/Cmp of Window/xEvent • Each sєS has a fingerprint • A fingerprint is a subset of R • Contains a resource access unique to s • Problem: Find fingerprints for each security-sensitive operation in S using D Retrofitting Legacy Code for Authorization Policy Enforcement

  35. Runtime trace Security-sensitive operations Source Code Input_Event Create Destroy Copy Paste Map Traces contain fingerprints • Induce security-sensitive operation • Typing to window will induce Input_Event • Fingerprint must be in runtime trace • Cmp xEvent->type == KeyPress Retrofitting Legacy Code for Authorization Policy Enforcement

  36. Security-sensitive operations Source Code Input_Event Create Destroy Copy Paste Map Compare traces to localize Runtime trace • Localize fingerprint in trace • Trace difference and intersection Retrofitting Legacy Code for Authorization Policy Enforcement

  37. Runtime traces • Trace the program and record reads/writes to resource data structures • Window and xEvent in our experiments • Example: from X server startup (In function SetWindowtoDefaults) Set Window->prevSibto0 Set Window->firstChildto0 Set Window->lastChildto0 … about 1400 such resource accesses Retrofitting Legacy Code for Authorization Policy Enforcement

  38. Using traces for fingerprinting • Obtain traces for each security-sensitive operation • Series of controlled tracing experiments • Examples • Typing to keyboard generates Input_Event • Creating new window generates Create • Creating window also generates Map • Closing existing window generates Destroy Retrofitting Legacy Code for Authorization Policy Enforcement

  39. Comparison with “diff” and “∩” Annotation is a manual step Retrofitting Legacy Code for Authorization Policy Enforcement

  40. Create = Open xterm ∩ Open browser - Move xterm Comparison with “diff” and “∩” Perform same set operations on resource accesses Retrofitting Legacy Code for Authorization Policy Enforcement

  41. Set equations • Each trace has a set of labels • Open xterm: {Create, Map} • Browser: {Create, Destroy, Map, Unmap} • Move xterm: {Map, Input_Event} • Need set equation for {Create} • Compute an exact cover for this set • Open xterm ∩ Open browser – Move xterm • Perform the same set operations on the set of resource accesses in each trace Retrofitting Legacy Code for Authorization Policy Enforcement

  42. Experimental methodology Source code gcc –-enable-logging Server with logging enabled Run experiments and collect traces Raw traces Localize security-sensitive operation Relevant portions of traces Compare traces with “diff” and “∩” Pruned traces Retrofitting Legacy Code for Authorization Policy Enforcement

  43. Dynamic mining: Results Each fingerprint localized to within 126 resource accesses Size Retrofitting Legacy Code for Authorization Policy Enforcement

  44. Runtime trace Security-sensitive operations Source Code Input_Event Create Destroy Copy Paste Map Limitations of dynamic mining • Incomplete: False negatives • High-level description needed • Operations are manually induced Retrofitting Legacy Code for Authorization Policy Enforcement

  45. Outline • Motivation • Problem • Solution • Fingerprints • Dynamic fingerprint mining • Static fingerprint mining with concept analysis • Static fingerprint mining leveraging user choice Retrofitting Legacy Code for Authorization Policy Enforcement

  46. Security-sensitive operations Source Code Input_Event Create Destroy Copy Paste Map Static fingerprint mining • Resources • Window • xEvent Output:Candidate Fingerprints Cmp xEvent->type == KeyPress Retrofitting Legacy Code for Authorization Policy Enforcement

  47. Problem definition • R: Set of resource accesses • Read/Set/Cmp of Window/xEvent • E: Set of entry points into the server • Goal: Find fingerprints using R and E Not given an a priori description of security-sensitive operations Retrofitting Legacy Code for Authorization Policy Enforcement

  48. Straw-man proposal I • Finest level of granularity • Cmp xEvent->type == KeyPress • ReadWindow->firstChild • ReadWindow->nextSib • CmpWindow ≠ 0 Each resource access in R is a fingerprint Retrofitting Legacy Code for Authorization Policy Enforcement

  49. Problem with this proposal • Cmp xEvent->type == KeyPress • ReadWindow->firstChild • ReadWindow->nextSib • CmpWindow ≠ 0 Difficult to write and maintain policies at this level of granularity Retrofitting Legacy Code for Authorization Policy Enforcement

  50. Straw-man proposal II • Coarsest level of granularity • CallMapSubWindows • CallMapWindow • Write policies allowing/disallowing the use of an API call Each API in E is a fingerprint Retrofitting Legacy Code for Authorization Policy Enforcement

More Related