Avik Chaudhuri
Towards Provably Secure and Correct Systems
Systems we rely on
- Operating systems, storage systems
- Web application frameworks, mobile device platforms
- Clouds
These systems run our code. What security and correctness guarantees do they provide?
Aim of my research
- Develop foundations of secure and correct systems
- Analysis of systems (specification + verification)
- Construction of systems (design + implementation)
- Exploit programming languages as a lens: principles, techniques
This talk
- Overview of past and ongoing work on system analysis
  - Storage systems (Plutus, OSD, PCFS)
  - Operating systems (Windows Vista, Asbestos)
  - Mobile device platforms (Android)
  - Web application frameworks (Ruby on Rails)
- Systems as programming languages
- Program analyses for system guarantees
- Similar ideas can guide system design
Analogy: Communication
- Model cryptography with equations: decrypt(encrypt(x, k), k) = x
- Programming language to describe protocols [applied pi calculus]
  - create new names (keys)
  - build terms with function symbols (hashing, encryption)
  - communicate terms over channels
  - compose parallel processes
Specification and Verification
- Adversary: an arbitrary, unspecified context; the language semantics defines the power of the adversary
- Specification (types, logical assertions)
- Proof techniques (type systems, abstract interpretation); tools (ProVerif, F7)
- Can verify protocols, their implementations, and their uses
This approach can be extended to other systems!
Storage systems
- Analysis of secure file sharing on untrusted storage [with B. Blanchet: S&P '08]: various attacks, precise guarantees
- Correct implementation of distributed access control [with M. Abadi: FMSE '05, FORTE '06; FCS '08]: pitfalls, general design principles
- Language support for proof-carrying authorization [with D. Garg: ESORICS '09]: automatic proof management
Operating systems
- Analysis of operating system security models [with S. Rajamani and others: CCS '08]: decidability results, tool for system design
- Type system for enforcing security on an operating system [with S. Rajamani and others: PLAS '08]: formalization of design intentions and best practices
Mobile device platforms
- Security verification of mobile device applications [PLAS '09; ongoing work with J. Foster and others]: certified installation with security guarantees
Web application frameworks
- Security and correctness verification of web applications [with J. Foster and others: ASE '09, ongoing work]: elimination of various classes of attacks and bugs
Storage
- Reductionist: Storage is, after all, communication
  - write/read a file ≈ send/receive on a channel
  - storage on untrusted disks ≈ communication over insecure networks
  - Should be able to leverage previous work on communication
- Pragmatist: Careful! Why do we need dynamic access control?
  - Expect dynamic specifications (e.g., dynamic trust assumptions)
Storage on Untrusted Disks [figure, built up over several slides]
- Server: untrusted
- Clients: some trusted, some untrusted (Alice, Bob, Carol, David, Eve)
- Files: encrypted/signed
- Roles: Reader (knows read key), Writer (knows write key), Owner (creates/distributes keys)
- Revocation: the owner creates/distributes new keys; remaining readers know the new read key, remaining writers know the new write key
Optimizations in Plutus
- Are files immediately re-secured with new keys? No! Files are secured with new keys on subsequent writes: "lazy revocation"
- How do readers decide which keys to use? Throw away old keys, derive them from new keys as required: "key rotation"
- Does the protocol implement these optimizations correctly? What are the security implications of these optimizations?
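The two optimizations above, as an added example that is not from the talk or from Plutus itself: a toy Python model in which keys form a one-way hash chain (older key = H(newer key)), so a reader keeps only its newest key and derives older ones on demand (key rotation), while a file is re-encrypted only on its next write (lazy revocation). Plutus's actual RSA-based rotation and its ciphers are not reproduced, and all keys, principals and file contents are constructed.

```python
import hashlib

def rotate_back(key: bytes) -> bytes:
    """Derive the previous version's key from a newer one (one-way)."""
    return hashlib.sha256(b"rotate|" + key).digest()

def make_chain(seed: bytes, n: int) -> list:
    """Owner precomputes K[0..n-1] with K[i] = H(K[i+1]); K[n-1] is the newest."""
    chain = [seed]
    for _ in range(n - 1):
        chain.append(rotate_back(chain[-1]))
    return chain[::-1]

def derive(held_key: bytes, held_version: int, wanted: int) -> bytes:
    """Holding version v yields every key <= v; newer keys stay out of reach."""
    if wanted > held_version:
        raise PermissionError("a newer key cannot be derived from an older one")
    key = held_key
    for _ in range(held_version - wanted):
        key = rotate_back(key)
    return key

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with a key-derived stream (illustration only, not secure)."""
    stream = hashlib.sha256(b"stream|" + key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

class StoredFile:
    # Ciphertext on the untrusted server, tagged with the key version it was written under.
    def __init__(self, version: int, key: bytes, plaintext: bytes):
        self.version, self.ciphertext = version, xor_crypt(key, plaintext)

def read(f: StoredFile, held_key: bytes, held_version: int) -> bytes:
    """Key rotation: a reader keeps only its newest key and derives older ones on demand."""
    return xor_crypt(derive(held_key, held_version, f.version), f.ciphertext)

def scenario() -> dict:
    chain, v = make_chain(b"constructed-owner-seed", 4), 0
    doc = StoredFile(v, chain[v], b"plan v1")           # Bob writes under version 0
    eve = (chain[0], 0)                                  # Eve was a reader at version 0
    v += 1                                               # owner revokes Eve: new keys issued
    alice = (chain[1], 1)                                # remaining readers get the version-1 key
    out = {"alice_reads_old": read(doc, *alice) == b"plan v1",  # derives K0 from K1
           "eve_reads_stale": read(doc, *eve) == b"plan v1"}    # lazy revocation: not rewritten yet
    doc = StoredFile(v, chain[v], b"plan v2")           # the next write re-secures the file
    out["alice_reads_new"] = read(doc, *alice) == b"plan v2"
    try:
        read(doc, *eve); out["eve_reads_new"] = True
    except PermissionError:
        out["eve_reads_new"] = False                     # version-0 key cannot reach version 1
    return out
```

The `eve_reads_stale` entry is the price of lazy revocation: a revoked reader keeps access to a file until it is next written, which is exactly the kind of implication the analysis has to make precise.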
Specification and Verification
- Automated security analysis of Plutus with ProVerif
- Results
  - Weaker secrecy than claimed: writers can act for readers, secrets may eventually leak
  - Serious attack on integrity (clever exploit of a subtle bug): an adversary can collude with readers to become a writer
[figure: applied pi calculus programs + expected properties are translated, with ProVerif, into Horn logic clauses + queries]
Key idea: Model Corruption
- Specify code for each role in the protocol: owners trusted; readers trusted or corrupt; writers trusted or corrupt (trusted = follows protocol, corrupt = leaks keys)
- Adversary unspecified, controls any run of the protocol (e.g., chooses which principals to corrupt and when)
- Specify security despite corruption
- Security violation: precise lower bounds on corruption
Distributed Access Control
- Networked storage (e.g., OSD)
- Capability: unforgeable/verifiable authorization certificate
- Revocation is tricky
- How do we specify and verify correctness of implementations?
[figure: Client, Access Control Authority, Disk Server; the client presents a "capability" to the disk server]
Implementation as Refinement
- Ideal Storage vs. Client + Access Control Authority + Disk Server
- Study preservation of trace properties, equivalences
- Results: various ways to break full abstraction; nevertheless, correct implementations exist
- General design principles: distributed implementation of stateful computations
Proof-Carrying Authorization
- File system requires authorization proofs: tremendous burden on the user
- Solution: PCAL: language/compiler support for PCA systems; the user writes a script, the compiler manages proofs & instruments the script
- Tricky! (e.g., proofs valid at compile time may be invalid at run time)
[figure: Client, Distributed Access Control Authorities, File System]
Operating Systems
- Various levels of trust (ordered): System > Admin > User > Web
- Protection mechanisms (e.g., labels for access control) intend to restrict information flow across levels of trust, but often do not! (too restrictive)
[figure: Process and Location, each carrying a level label]
Access Control for Integrity
- "no write up", "no execute down"
- Browser security: Web data cannot overwrite a User location; Web code cannot be run by an Admin process
- Browser functionality? User needs to download data from the Web (e.g., email attachment); Admin needs to install code from the Web (e.g., game application)
Dynamic Control of Labels (Windows Vista)
- spawn untrusted process (execute less trusted code)
- read untrusted location (only overwrite untrusted data)
- trust untrusted location (verify trust by other means)
- Admin can install code from the Web; User can save data from the Web
- Implicit design intentions, best practices? (Similar ideas in other operating systems, e.g., Asbestos)
[figure: Process and Location with their labels]
Specification and Verification
- System designer: What guarantees can the system provide? Model behaviors (dynamic semantics), analyze restrictions (static semantics)
- ProVerif ✗: undecidable query evaluation can be a problem!
- Solution: Eon: dynamic logic programming ✓ expressive enough ✓ decidable query evaluation
Eon
- Eon = Datalog + new + next + some syntactic restrictions (unary dynamic predicates, monotonicity)
- new: create constants initialized with some predicates; next: update predicates for such constants; Datalog: enforce constraints
- Query evaluation: reduction to Datalog query satisfiability (new = existential quantifier, next = state transformer)
Automated Analysis with Eon
- Experiments: model behaviors (dynamic semantics), analyze restrictions (static semantics)
- Results (Windows Vista): attacks can be blamed on trusted processes (interesting design principle); sound monitoring of trusted processes to eliminate attacks
- Explicit design intentions, best practices!
Code Analysis for Security
- Windows Vista: attacks can be eliminated by restricting trusted code
- Idea: enforce restrictions on code via a security type system; types = security invariants; soundness = type preservation
Access Control + Security Types
- Programming language to describe code running on the system: create processes/locations that are protected with labels; update labels (access control); pack code as data (compilation); read/write/execute contents at locations
- Access control encoded in the dynamic semantics; security types enforce the static semantics
- Hybrid typechecking (soundness, precision, optimization)
Access Control + Security Types
- Security type T_L: data of type T, trusted statically at level L
- Type Loc T_L: location that contains data of security type T_L
- If loc : Loc T_L, then the dynamic label of loc ≥ L
- By access control, levels < L cannot write to loc or control the dynamic label of loc
- By typechecking, ensure that levels ≥ L always write data that flows from levels ≥ L to loc, and maintain the dynamic label of loc ≥ L
Example 1 (principals: System, User, Web)
- initialize cmd.exe; initialize url
- ie.exe contains code: reads url & executes its contents
- executes ie.exe at Web
- virus.exe contains code: overwrites cmd.exe
- url contains virus.exe
- Code typechecks [Web cannot write to cmd.exe]
Example 2 (principals: System, User, Web, Admin)
- initialize setup.exe; initialize url
- ie.exe contains code: reads url & copies its contents to setup.exe
- executes ie.exe at Web
- virus.exe contains code: overwrites home
- url contains virus.exe
- [Admin] initialize home; trusts setup.exe & executes it
- Code does not typecheck [Admin can write to home]
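The two examples above, replayed in an added Python model that is not the talk's or the PLAS '08 system's own code: each location carries a dynamic label (checked by "no write up" and "no execute down"), a static level L (the L in Loc T_L) and the trust level of its current contents, and a write refused by access control never reaches the type check, so example 1 ends with an access-control refusal and no typing error, while example 2 ends with a typing error because Web-derived code writes home after Admin trusts setup.exe. Placing url and setup.exe at the Web level and the "origin" bookkeeping are my assumptions.

```python
from types import SimpleNamespace as NS
LEVEL = {"Web": 0, "User": 1, "Admin": 2, "System": 3}   # ordered levels of trust
locs = {}                                                 # name -> location
class AccessDenied(Exception): pass   # dynamic access-control failure
class IllTyped(Exception): pass       # static security-type failure

def proc(label, origin=None):         # label: level it runs at; origin: trust of its code
    return NS(label=label, origin=label if origin is None else origin)
def init(p, name):                    # new location at p's label; static = the L in Loc T_L;
    locs[name] = NS(label=p.label, static=p.label, origin=p.label)  # origin = trust of contents

def write(p, name, data_origin):
    loc, origin = locs[name], min(p.origin, data_origin)
    if p.label < loc.label:           # access control: "no write up"
        raise AccessDenied(f"level {p.label} cannot write {name}")
    if origin < loc.static:           # typing: data trusted below L flows into Loc T_L
        raise IllTyped(f"level-{origin} data flows into {name}")
    loc.origin = origin

def execute(p, name):
    if locs[name].label < p.label:    # access control: "no execute down"
        raise AccessDenied(f"level {p.label} cannot execute {name}")
    return proc(p.label, min(p.origin, locs[name].origin))   # code keeps its own trust

def trust(p, name): locs[name].label = max(locs[name].label, p.label)  # verified by other means

def outcome(trace):                   # run a trace on a fresh system, report how it ends
    locs.clear()
    try:
        trace(); return "ok"
    except (AccessDenied, IllTyped) as e:
        return f"{type(e).__name__}: {e}"

def example1():                       # slide example 1: Web code cannot reach cmd.exe
    system, user, web = proc(LEVEL["System"]), proc(LEVEL["User"]), proc(LEVEL["Web"])
    init(system, "cmd.exe"); init(web, "url")
    write(web, "url", web.origin)                 # url contains virus.exe
    ie = proc(LEVEL["Web"], user.origin)          # User executes ie.exe at Web (spawn untrusted)
    virus = execute(ie, "url")                    # ie.exe reads url & executes contents
    write(virus, "cmd.exe", virus.origin)         # virus.exe overwrites cmd.exe: refused

def example2():                       # slide example 2: Admin trusts a Web-derived setup.exe
    admin, user, web = proc(LEVEL["Admin"]), proc(LEVEL["User"]), proc(LEVEL["Web"])
    init(web, "setup.exe"); init(web, "url"); init(admin, "home")
    write(web, "url", web.origin)                 # url contains virus.exe
    ie = proc(LEVEL["Web"], user.origin)          # User executes ie.exe at Web
    write(ie, "setup.exe", locs["url"].origin)    # ie.exe copies url contents to setup.exe
    trust(admin, "setup.exe")                     # Admin trusts setup.exe (label raised)
    virus = execute(admin, "setup.exe")           # ... & executes it: access control allows
    write(virus, "home", virus.origin)            # virus.exe overwrites home: ill-typed
```

Call `outcome(example1)` and `outcome(example2)` to see the two verdicts; the second is the flow that only the static check catches, since every individual access-control decision in it is allowed.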
Mobile Device Platforms
- Android: operating system + core apps; SDK: Java APIs to develop new apps
- Apps can share components; sharing is controlled statically (at install time)
- Can Alice know whether Bob's app is safe? Can Bob convince Alice that the app is safe? [figure: Bob (developer), app store, Alice (user)]
Certified Installation (PCC)
- Bob constructs a proof that his app is safe; Alice verifies the proof before installing the app (proofs may be implemented as certificates)
- Requirements
  - Operational semantics for apps running on Android; formal specifications of the APIs provided by the SDK; separate verification of APIs for efficiency
  - Static analysis of Android apps for safety, formalized as a security type system; soundness of the analysis provides the necessary proofs
  - Code may belong to other apps and run with the permissions of those apps
Android Applications
- stack of windows, pool of listeners, data
- components: inherited classes, overridden methods
- manifest: declare necessary permissions; specify access controls for other apps
- static vs. dynamic
- Security specifications derived from the manifests of installed apps; typechecking guarantees that access controls enforce security
- Suppose that reading my contacts list requires permission P; then only apps installed with permission P can know my contacts
- Droid: certified installer for Android apps (in progress)
[figure: Static Analysis: concrete code [Java] → abstract code (typecheck)]
Web Application Frameworks
- Ruby on Rails: Ruby is a dynamically typed OO scripting language; Rails is a set of Ruby APIs for automating the development of web apps
- Models, Views, Controllers: models are connected to database tables; views are described by code-embedded markup; controllers route requests to responses
- Convention over Configuration
[figure: request → controllers → models → database; views → response]
Static Analysis
- Rails makes extensive use of meta-programming in Ruby; direct analysis is difficult
- DRails: translate to explicit Ruby code that is easier to analyze
- Typechecking guarantees that method calls succeed. But almost everything is a method call in Ruby!
- Results: bugs that crash existing apps (confirmed by developers)
[figure: concrete code [Ruby on Rails] → translated code [Ruby] → (typecheck) [DRuby]]
- Simple typechecking cannot catch logical errors/security attacks; advanced type systems are difficult to build for Ruby
- Rubyx: symbolic verification of Ruby scripts (in progress); key idea: executable specifications
[figure: concrete code [Ruby on Rails] → translated code [Ruby] → (execute and verify)]
Systems of the Future: Influence of programming languages
- Principles: core, expressive abstractions; strong guarantees of security and correctness; implementations as refinements
- Techniques: rich types/invariants for specification and verification; combinations of static and dynamic mechanisms
- Revisit academic programming languages: "strong foundations reduce complexity, spur inventions"
- View system design as language design: "generalizations provide insight, set trends"
- Opportunity to make lasting contributions