Secure Programming via Visibly Pushdown Safety Games

Secure Programming viaVisibly Pushdown Safety Games

Bill Harris, Somesh Jha, and Thomas Reps

Computer Aided Verification13 July 2012

One-slide Summary

1. Motivation: privilege-aware OS’s enable secure applications

2. Problem: privilege-aware OS’s arehard to program for

3. Solution: reduce programming for a privilege-aware OS to solving a safety game

Important Programs are Still Insecure

Vulnerabilities in:• Security-critical, network-facing programs– tcpdump (CVE-2007-3798)– fetchmail (CVE-2010-0562)– wget (CVE-2005-3185)

• Core utilities– bzip2 (CVE-2010-0405)– gzip (CVE-2010-0001)– tar (CVE-2007-4476)

Traditional Program Security

Program is analyzed passively to ensurethat it behaves securely.

Privilege-Aware OS’s

• OS maintains a privilege for each process

• Program actively manages its privilege byinvoking security system calls (primitives)

Example Privilege-Aware OS’s

• Information-flow control– Asbestos [SOSP 2005]– HiStar [OSDI 2006]– Flume [SOSP 2007]

• Tagged memory: Wedge [NSDI 2008]• Capabilities: Capsicum [USENIX Sec. 2010]

Running example: gzip

gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out);}

compr(in, out) { body;}

public_leak.com

An Informal Policy for gzip

When gzip executes body,it should only be able to read from inand write to out.

Capsicum: A Privilege-Aware OS

• Two levels of privilege:– High Capability (can open files)– Low Capability (cannot open files)

• Rules describing privilege:1. Process initially executes with

capability of its parent2. Process can invoke the drop system call

to take Low Capability

Securing gzip on Capsicum

compr(in, out) { drop(); body;}

High Cap.

Low Cap.

public_leak.com

High Cap.

High Cap.High Cap.

High Cap.

Low Cap.gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out);}

Low Cap.Low Cap.

High Cap.

fork_compr(in, out);

Low Cap.

High Cap.High Cap.

High Cap.

Low Cap.gzip() { files = parse_cl; for (f in files) (in, out) = open; compr(in, out);}

fork_compr(in, out);

Capsicum

Program Policy

CapsicumPolicy Weaver

Capsicum Program

Progrmr.

Weaver Generator

Capsicum Dev.

Pol. Wrtr.

OSPolicy Weaver

Capscium Dev.

CapsicumOS

Capsicum Program

CapsicumPolicy Weaver

Program Policy

OS Program

Progrmr.

Weaver Generator

OS Dev.

Pol. Wrtr.

Paper Contributions

1. Designed an automata-theoreticweaver generator

2. Implemented an efficient weaver-generator via a scaffold-based safety-game solver

3. Experimentally evaluated practical feasibility

Weaver Generator

Program Policy

OSPolicy Weaver

OS Program

Progrmr.

Weaver Generator

OS Dev.

Pol. Wrtr.

Program: Prog Acts

parse_cl

call compr

ret comprexit

Program

Progrmr.

Program Policy

OS Program

Progrmr.

OS Developer

Pol. Wrtr.

Weaver Generator

Policy: Prog Acts x Privs

(open, LowCap)

(body, HighCap)

Policy

Pol. Wrtr.

Privs = { High Cap, Low Cap}

Program Policy

OS Program

Progrmr.

OS Dev.

Pol. Wrtr.

Weaver Generator

OS Dev.

AllowHighopen /

HighCap

Prims = { drop, fork, join }

OS: Prog Acts Prims Privs

AllowHigh

AllowLow

OS Dev.

AllowHigh AllowLow

OS Dev.

open /

LowCap

AllowLow AllowLow

Program Policy

OS Program

Progrmr.

OS Dev.

Pol. Wrtr.

Weaver Generator

open /fork

parse_cl /noop

loop /noop body / noop

ret compr / join

OS Program

Instr: Prog Acts Prims

call compr / drop

Program Policy

OS Program

Progrmr.

OS Dev.

Pol. Wrtr.

Weaver Generator

Safety Games: A Quick Refresher

Policy Weaving Safety GameProgram actions Attacker actions

OS primitives Defender actions

Policy Weaving Safety GameProgram actions Attacker actions

OS primitives Defender actionsCorrect

instrumentationWinning

Defender strategy

Policy Weaving Safety GameProgram actions Attacker actionsPolicy Weaving Safety Game

Weaving as a Game

parse_cl noopdrop

bodybody

ret compr

open open

noopdrop

call compr

parse_cl noopdrop

bodybody

ret compr

open open

noopdrop

call compr

parse_cl noopdrop

bodybody

ret compr

open open

noopdrop

call compr

ret compr /

parse_clparse_cl /drop

ret compr

call compr

body /

loop /

call compr /

open /

The Importance of VPA’s

• Accurately approximate the setof program paths

• Accurately model relationship betweenOS primitives and privileges

• Modular strategies formodular instrumentations

Paper Contributions

1. Designed an automata-theoreticweaver generator

2. Implemented an efficient weaver-generator via a scaffold-based game solver

3. Experimentally evaluated practical feasibility

Experiment Highlights

• Instantiated weaver-generator toa policy weaver for Capsicum

• Applied Capsicum policy weaver to six UNIXutilities from 8 to 108 kLoC

• Found strategies in 0:05 to 2:00

Summary

1. Motivation: privilege-aware OS’s enable secure applications

2. Problem: privilege-aware OS’s arehard to program for

3. Solution: reduce programming for a privilege-aware OS to solving a safety game

Questions?

Program Policy

OS Program

Progrmr.

OS Developer

Pol. Wrtr.

Weaver Generator

Extra Slides

Secure Programming viaVisibly Pushdown Safety Games

Bill Harris, Somesh Jha, and Thomas Reps

Computer Aided Verification 201213 July

Somesh Jha

fork comprparse_cl init

ret compr

Secure Programming via Visibly Pushdown Safety Games

Documents

Visibly Pushdown LanguagesAlur/Stoc04.pdf2 Visibly pushdown languages 2.1 De nition via pushdown automata A pushdown alphabet is a tuple =e h c; r; ‘i that comprises three disjoint

Pushdown Automata (PDA)

Pushdown Automata PDAs

Using Pushdown Optimization

Predicate Pushdown

Pushdown Automata - cs.unc.eduotternes/comp455/6-pushdown-automata.pdf · Pushdown Automata (PDAs) A pushdown automaton (PDA) is essentially a finite automaton with a stack. Example

Pushdown Automata A pushdown automata (PDA) is essentially an

Reachability in pushdown register automatawrap.warwick.ac.uk/86773/7/WRAP-reachability-pushdown... · 2017-08-04 · Higher-order pushdown automata [15] take the idea of pushdown

Chapter 7 Pushdown Automata

1 Pushdown Automata - pdfs.semanticscholar.org · 1 Pushdown Automata? HendrikJanHoogeboomandJoostEngelfriet InstituteforAdvancedComputerScience, UniversiteitLeiden,theNetherlands

Secure Programming via Visibly Pushdown Safety Gamespages.cs.wisc.edu/~wrharris/publications/secure... · Web servers and VPN clients execute unsafe code, and yet are ... capability

Secure Programming via Visibly Pushdown Safety Gameswharris/publications/secure... · stack-based automata, in particular visibly pushdown automata (VPAs) [5], are su cient to model

Symbolic Visibly Pushdown Automata⋆

PushDown Analysis in Usfos

Pushdown automata

7. Pushdown Automata

More Applications - CSUmassey/Teaching/cs301/Restricted...– Nondeterministic Pushdown Automata – Pushdown Automata and Context Free Grammars – Deterministic Pushdown Automata

Pushdown autometa

Automata theory and its applicationslcs.ios.ac.cn/~wuzl/pub/lecture-07-08.pdf · Automata theory and its applications Lecture 7-8: Visibly pushdown languages Zhilin Wu State Key Laboratory

MODEL CHECKING PROBABILISTIC PUSHDOWN AUTOMATA · PDF filemodel checking probabilistic pushdown automata ... (ppda) and properties ... model checking probabilistic pushdown automata