Retrofitting Legacy Code with Authorization Mechanisms

Vinod GanapathyRutgers University

vinodg@cs.rutgers.edu

Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 2

Principle of Design for Security

Historic example: • MULTICS [Corbato et al. ‘65]

More recent examples:• Operating systems • Database servers

To create a secure system, designit to be secure from the ground up

Relevance of the Principle today

Deadline-driven software development• Design.Build.(Patch)* is here to stay• Few people have expertise with a single large

codebase.• Tedious to sift through large codebases and

reason about security. • Diverse/Evolving security requirements

oMULTICS security study [Karger and Schell, ‘72]

Most deployed software is not designed for security

Retrofitting legacy code

Need systematic techniques toretrofit legacy code for security

Legacycode

Retrofitted code

INSECURE SECURE

Retrofitting legacy code

Enforcing type safety • CCured [Necula et al. ’02]

Partitioning for privilege separation• PrivTrans [Brumley and Song, ’04]

Enforcing authorization policies

Need systematic techniques toretrofit legacy code for security

Resource manager

Enforcing authorization policies

Resource userOperation request Response

Authorization policy‹Alice, /etc/passwd, File_Read›

Reference monitor

Allowed? YES/NO

Retrofitting for authorization Mandatory access control for Linux

• Linux Security Modules [Wright et al.,’02]

• SELinux [Loscocco and Smalley,’01]

Secure windowing systems• Trusted X, Compartmented-mode workstation,

X11/SELinux [Epstein et al.,’90][Berger et al.,’90][Kilpatrick et al.,’03]

Java Virtual Machine/SELinux [Fletcher,‘06]

IBM Websphere/SELinux [Hocking et al.,‘06]

Painstaking, manual procedure

This tutorial

Three program analysis and transformation techniques (in increasing order of sophistication)

to retrofit legacy code with reference monitors

Contents of the tutorial

Fingerprints: A new representation for security-sensitive operations

Three algorithms to mine fingerprints Results: Reduced effort to retrofit legacy

code for authorization policy enforcement• Manual effort needed reduces to a few hours• Applied to X server, Linux kernel, etc.

Analyses and transformations forauthorization policy enforcement

Outline Motivation Problem

• Example• Retrofitting legacy code: Lifecycle

Solutions• Dynamic fingerprint mining• Static mining with concept analysis• Static mining leveraging user choice

X server with multiple X clients

REMOTE

Malicious remote X client

REMOTE

Undesirable information flow

Desirable information flow

REMOTE

Other policies to enforce Prevent unauthorized

• Copy and paste• Modification of inputs meant for other clients• Changes to window settings of other clients• Retrieval of bitmaps: Screenshots

[Berger et al., ’90]

[Epstein et al., ‘90][Kilpatrick et al., ‘03]

Security is not a ‘blocker’ Security by design, in practice

“It isn't clear this qualifies as a blocker under any circumstances. The importance of

security increases only as we are into serious deployment and start becoming a target. First

things, first....”- https://dev.laptop.org/ticket/260 Need a way to protect against

applications sniffing each other's keystrokes, which X permits by default.

X server

X server with authorization

X clientOperation request Response

Authorization policy

Reference monitor

Allowed? YES/NO

Outline Motivation Problem

• Example• Retrofitting legacy code: Lifecycle

Solution

Retrofitting lifecycle1. Identify security-sensitive operations2. Locate where they are performed in code3. Instrument these locations

Input_EventCreateDestroyCopyPasteMap

Security-sensitive operations Source Code Policy checks

Can the client receive this

Input_Event?

Problems

X11 ~ proposed 2003, implemented 2007, changing to date. [Kilpatrick et al., ‘03]

Linux Security Modules ~ 2 years [Wright et al., ’02]

PostgreSQL: Began in 2006, still not mainline.

Manual

At this point, SE-PostgreSQL has taken up a *lot* of community resources, not to mention an enormous and

doubtless frustrating amount of *the lead developer’s* time and effort, thus far without a single committed patch, or even a consensus as to what it should (or could) do. Rather than continuing to blunder

into the future, I think we need to do a reality check -

http://archives.postgresql.org/message-id/20090718160600.GE5172@fetter.org

Problems

Violation of complete mediation Time-of-check to Time-of-use bugs [Zhang et al., ‘02]

[Jaeger et al., ‘04]

Error-prone

Our approach

Fingerprints: A new representation of security-sensitive operations

Legacy code retrofitted using fingerprints• Use of static and dynamic program analysis• Must achieve complete mediation• Ideally, must not place redundant hooks

Automated

Principled

Approach overviewLegacy code

Retrofitted code

Fingerprints

Matcher

Outline Motivation Problem Solution

• Fingerprints • Dynamic fingerprint mining• Static fingerprint mining with concept analysis• Static fingerprint mining leveraging user

choice

What are fingerprints?

Resource accesses that are unique to a security-sensitive operation

Denote key steps needed to perform the security-sensitive operation on a resource

Code-level signatures of security-sensitive operations

Examples of fingerprints Input_Event :- Cmp xEvent->type == KeyPress

Security-sensitive operations Source Code

Examples of fingerprints Input_Event :-

Cmp xEvent->type == KeyPress Input_Event :- Cmp xEvent->type == MouseMove

Map :- Set Window->mapped to True & Set xEvent->type to MapNotify

Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0

MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) { ... // Code that maps each child window

... }}

Fingerprint matching X server function MapSubWindows

Performs Enumerate

Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0

MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows if CHECK(pClient,pParent,Enumerate) == ALLOWED { pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) { ... // Code that maps each child window

... } } else { HANDLE_FAILURE }}

Placing authorization checks X server function MapSubWindows

Fingerprint matching Currently employ simple pattern matching More sophisticated matching possible

• Metacompilation [Engler et al., ‘01] • MOPS [Chen and Wagner, ‘02]

Inserting authorization checks is akin to static aspect-weaving [Kiczales et al., ’97]

Other aspect-weaving techniques possible• Runtime aspect-weaving

• Fingerprints• Dynamic fingerprint mining • Static fingerprint mining with concept analysis• Static fingerprint mining leveraging user

choice

Dynamic fingerprint mining

Output: FingerprintsInput_Event :- Cmp xEvent->type == KeyPress

Dynamic fingerprint mining Security-sensitive operations [NSA’03]

Use this information to induce the program to perform security-sensitive operations

Input_Event Input to window from deviceCreate Create new windowDestroy Destroy existing windowMap Map window to console

Problem definition S: Set of security-sensitive operations D: Descriptions of operations in S R: Set of resource accesses

• Read/Set/Cmp of Window/xEvent Each s є S has a fingerprint

• A fingerprint is a subset of R• Contains a resource access unique to s

Problem: Find fingerprints for each security-sensitive operation in S using D

Traces contain fingerprints

Induce security-sensitive operation • Typing to window will induce Input_Event

Fingerprint must be in runtime trace • Cmp xEvent->type == KeyPress

Security-sensitive operations Source Code Runtime trace

Compare traces to localize

Localize fingerprint in trace• Trace difference and intersection

Runtime traces Trace the program and record reads/writes

to resource data structures• Window and xEvent in our experiments

Example: from X server startup (In function SetWindowtoDefaults) Set Window->prevSib to 0 Set Window->firstChild to 0 Set Window->lastChild to 0

… about 1400 such resource accesses

Using traces for fingerprinting Obtain traces for each security-sensitive

operation• Series of controlled tracing experiments

Examples• Typing to keyboard generates Input_Event• Creating new window generates Create• Creating window also generates Map• Closing existing window generates Destroy

Comparison with “diff” and “∩”

Openxterm

Closexterm

Movexterm

Openbrowser

Switchwindows

CreateDestroyMapUnmap

Input_Event

Annotation is a manual step

- Move xtermCreate = Open xterm ∩ Open browser

Comparison with “diff” and “∩”

Openxterm

Closexterm

Movexterm

Openbrowser

Switchwindows

CreateDestroyMapUnmap

Input_Event

Perform same set operations on resource accesses

Set equations Each trace has a set of labels

• Open xterm: {Create, Map}• Browser: {Create, Destroy, Map, Unmap}• Move xterm: {Map, Input_Event}

Need set equation for {Create}• Compute an exact cover for this set• Open xterm ∩ Open browser – Move xterm

Perform the same set operations on the set of resource accesses in each trace

Experimental methodologySource code

Server with logging enabled

Raw traces

Relevant portions of traces

Pruned traces

gcc –-enable-logging

Run experiments and collect traces

Localize security-sensitive operation

Compare traces with “diff” and “∩”

Dynamic mining: Results1,000,000

54,000

10,000

100,000

1,000,000

Source Code Raw Traces RelevantPortions

PrunedTraces

Each fingerprint localized towithin 126 resource accesses

1. Incomplete: False negatives2. High-level description needed 3. Operations are manually induced

Limitations of dynamic mining

• Fingerprints• Dynamic fingerprint mining• Static fingerprint mining with concept analysis• Static fingerprint mining leveraging user

choice

Static fingerprint mining

Output: Candidate FingerprintsCmp xEvent->type == KeyPress

Resources

• Window• xEvent

Problem definition R: Set of resource accesses

• Read/Set/Cmp of Window/xEvent E: Set of entry points into the server Goal: Find fingerprints using R and E

Not given an a priori description of security-sensitive operations

Straw-man proposal I

Finest level of granularity Cmp xEvent->type == KeyPress Read Window->firstChild Read Window->nextSib Cmp Window ≠ 0

Each resource access in R is a fingerprint

Problem with this proposal

Cmp xEvent->type == KeyPress Read Window->firstChild Read Window->nextSib Cmp Window ≠ 0

Difficult to write and maintainpolicies at this level of granularity

Straw-man proposal II

Coarsest level of granularity

Call MapSubWindows Call MapWindow

Write policies allowing/disallowing the use of an API call

Each API in E is a fingerprint

Problem with this proposal

Call MapSubWindows • Enumerates child windows and maps them to

the screen Call MapWindows

• Maps a window onto the screen

Does not reflect actual resourceaccesses performed by API call

Our approach

Each API entry point implicitly defines a set of resource accesses

Cluster resource accesses based upon the API entry points that perform them

Cluster resource accesses that always happen together

Static analysis Extract resource accesses potentially

possible via each entry point Example from the X server

• Entry point: MapSubWindows(…)• Resource accesses:

Set xEvent->type To MapNotify Set Window->mapped To True Read Window->firstChildRead Window->nextSibCmp Window ≠ 0

Resource accessesMapSubWindows

MapWindow

KeyboardInput

Set xEvent->type To MapNotify

Set Window->mapped To True

Read Window->firstChild

Read Window->nextSib

Cmp Window ≠ 0

Cmp xEvent->type==KeyPress

270 API functions430 distinct resource accesses

Identify candidate fingerprints by clustering resource accesses

FeaturesInstances

Concept analysisMapSubWindows

MapWindow

KeyboardInput

Cmp Window ≠ 0

Comparison via hierarchical clustering

123456

Hierarchical clustering

Cmp Window ≠ 0

KeyboardInput

MapWindow

MapSubWindows

{A,B,C}, Ф

{A,B}, {1,2}

{A}, {1,2,3,4,5}

{C}, {6}

Ф, {1,2,3,4,5,6}

{A}, {1,2,3,4,5}

123456

Mining candidate fingerprints

Cmp Window ≠ 0

KeyboardInput

MapWindow

MapSubWindows

{A,B,C}, Ф

{A,B}, {1,2}{C}, {6}

Ф, {1,2,3,4,5,6}

Cand. Fing. 1

Cand. Fing. 2

Cand. Fing. 3

Static mining: Results

1.4383.71153.718

94,014PennMUSH30,096X Server/dix4,476ext2

Avg. SizeCand. Fing.LOCBenchmark

1001,000

10,000100,000

ext2 X server PennMUSH

X Server/dixext2

Benchmark

Manually identifiedSecurity-sensitive ops

Candidatefingerprints

Able to find at least one fingerprint for each security-sensitive operation

Identified automatically in a few minutesInterpretation takes just a few hours

Identified as part of multi-year efforts

X Server/dixext2

Benchmark

Associated 59 candidate fingerprints with security-sensitive operations

Remaining are likely security-sensitive too

X Server/dixext2

Benchmark

Read Window->DrawableRec->width & Read Window->DrawableRec->height

• Fingerprints• Dynamic fingerprint mining• Static fingerprint mining with concept analysis• Static fingerprint mining leveraging user

choiceoDivya Muthukumaran and Trent Jaeger

Shortcomings that remain Identifying security-sensitive objects is still

manual Hook placement suggested by fingerprints:

• Are they “minimal”?• How do they compare to manually-placed

hooks?

Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement

Inferring security-sensitive objects and operations

Idea: Follow the client-request• In servers, client-request determines choice.

“Choice”: • Determines which objects are selected to be

operated upon. • Determines which operation is selected to be

performed on objects.

write v

BRequest Interface

Cv = Lookup(O,i)

User A

User B

read v

Program

Container O

Op1.3Op1.2Op1.1Security-sensitive

operation

Tainted variable

Security-sensitive variable

Control statement

Predicated on tainted variable

Program

User request

Lookup Function

Global Reads

A) Identify Tainted

Variables (VT)

B) Identify Security-sensitive

Objects(VS)

C) User-choice Operations

D) Security-sensitive operations

clientRequest stuff = ReadRequestFromClient(); …int ChangeWindowProperty(ClientPtr *c, WindowPtr * w){ WindowPtr * win; PropertyPtr * pProp; err = LookupWindow(&win,stuff->window, c); rc = LookupProperty(&pProp, win, stuff->property, c); if (rc == BadMatch) {/* Op 1*/ pProp->name = property; pProp->format = format; pProp->data = data; pProp->size = len; } else { /* Op 2 */ if (stuff->mode == REPLACE) { /* Op 2.1 */ pProp->data = data; pProp->size = len; pProp->format = format; } else if (stuff->mode == APPEND) {/* Op 2.2 */ pProp->data = data; pProp->size += len; } }}

clientRequest stuff = ReadRequestFromClient();

int ChangeWindowProperty(ClientPtr * c, WindowPtr * w){ WindowPtr * win; PropertyPtr * pProp; err = LookupWindow(&win,stuff->window, c); rc = LookupProperty(&pProp, win, stuff->property, c); if (rc == BadMatch) {/* Op 1*/ pProp->name = property; pProp->format = format; pProp->data = data; pProp->size = len; } else { /* Op 2 */ if (mode == REPLACE) { /* Op 2.1 */ pProp->data = data; pProp->size = len; pProp->format = format; } else if (mode == APPEND) {/* Op 2.2 */ pProp->data = data; pProp->size += len; } }}

Static Taint analysis

Program

User request

Lookup Function

Global Reads

A) Identify Tainted

Variables (VT)

Objects(VS)

Retrieval of objects from containers: • List access (*->next pointer)

• Array access (pointer arithmetic)…

List Access: LookupProperty

for (prop=win->userProps; prop; prop=prop->next {if (prop->name == pName)

break;*p = prop;}

return p;

Array Access: LookupWindow

Resource res = clientTable[i]return res;

Program

User request

Lookup Function

Global Reads

A) Identify Tainted

Variables (VT)

Objects(VS)

Def 2: A variable v V∈ S(P) if any following are true: a) If it is assigned a value from a container via a lookup

function using a variable v V∈ T(P), b) If D is true for some v’ V∈ S(P). c) If it is a global variable and in the set VT(P).

int ChangeWindowProperty(ClientPtr * c, WindowPtr * w, int mode){ WindowPtr * win; PropertyPtr * pProp; err = LookupWindow(&win,stuff->window, c); rc = LookupProperty(&pProp, win, stuff->property, c); if (rc == BadMatch) {/* Op 1*/ pProp->name = property; pProp->format = format; pProp->data = data; pProp->size = len; } else { /* Op 2 */ if (mode == REPLACE) { /* Op 2.1 */ pProp->data = data; pProp->size = len; pProp->format = format; } else if (mode == APPEND) {/* Op 2.2 */ pProp->data = data; pProp->size += len; } }}

TechnologyDetecting code patterns

Static Taint analysis

Program

User request

Lookup Function

Global Reads

A) Identify Tainted

Variables (VT)

Objects(VS)

int ChangeWindowProperty(ClientPtr * c, WindowPtr * w, int mode){ WindowPtr * win; PropertyPtr * pProp; err = LookupWindow(&win,stuff->window, c); rc = LookupProperty(&pProp, win, stuff->property, c); if (rc == BadMatch) {/* Op 1*/ pProp->name = property; pProp->format = format; pProp->data = data; pProp->size = len; } else { /* Op 2 */ if (stuff->mode == REPLACE) { /* Op 2.1 */ pProp->data = data; pProp->size = len; pProp->format = format; } else if (stuff->mode == APPEND) {/* Op 2.2 */ pProp->data = data; pProp->size += len; } }}

A DB C

Taken Not- takenTaken Not-taken

Control Flow Graph (CFG)

Control Dependence Graph (CDG)

Program

User request

Lookup Function

Global Reads

A) Identify Tainted

Variables (VT)

Objects(VS)

Results: Reduction in programmer effortProgram X Server postgres pennmush memcached

LOC 28k 49k 78k 9k

Total variables 7795 12350 24372 2350

Tainted variables

2975 (38%) 5100 (41%) 4168 (17%) 490 (20%)

Security sensitive variables

823 (9%) 402 (3%) 1573 (6%) 82 (3%)

Data Structures 404 278 311 41

Sensitive Data structures

61(15%)

30 (10%)

38 (12%)

7(17%)

User-choice Operations

4760 5063 6485 996

Sensitive operations 1382 (29%)

1378 (27%)

1382 (21%)

203(20%)

LOC 28k 49k 78k 9k

Total variables 7795 12350 24372 2350

Tainted variables

2975 (38%) 5100 (41%) 4168 (17%) 490 (20%)

823 (9%) 402 (3%) 1573 (6%) 82 (3%)

61(15%)

30 (10%)

38 (12%)

7(17%)

4760 5063 6485 996

Sensitive operations 1382 (29%)

1378 (27%)

1382 (21%)

203(20%)

LOC 28k 49k 78k 9k

Total variables 7795 12350 24372 2350

Tainted variables

2975 (38%) 5100 (41%) 4168 (17%) 490 (20%)

823 (10%) 402 (3%) 1573 (6%) 82 (3%)

61(15%) 30 (10%)

38 (12%)

7(17%)

4760 5063 6485 996

Sensitive operations 1382 (29%) 1378 (27%) 1382 (21%)

203(20%)

Results Two sets of programs: a) With manually placed hooks: X server,

postgres. B) No manual hooks: pennmush,

memcached.

Results: Reduction in programmer effort

Program X Server postgres pennmush memcached

LOC 28k 49k 78k 9k

823 (10%) 402 (3%) 1573 (6%) 82 (3%)

Sensitive operations 1382 (29%) 1378 (27%) 1382 (21%)

203(20%)

Hooks 532 (11%)

579 (11%)

714(11%)

56(5%)

Comparing with manual hooks

X Server:• Manual: ~200 hooks• Automated: ~530 hooks

Postgres: • Manual: ~370• Automated: ~570

What does this mean?

Criteria for comparing hooks

Control dominance Data dominance

Hooks Criteria

Comparison of manual and automated hook placements

Summary

Can the client receive this

Input_Event?

Fingerprints

MatchingMining

Lessons for the future

Modifications may break software Modifying executables is challenging

Modifying legacy code is non-trivial

Low-overhead runtime system for policy enforcement on unmodified code

Lessons for the future

Type-safety violations the main problem

Soundness/completeness hard to achieve for C

Provable guarantees with additional runtime checks?

Lessons for the futureDifficult to automate failure handling

Aspect-oriented solution?

Failure handling is a crosscutting-concern Handling failure gracefully is the main

challenge

Checkpoint and rollback?

94Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement

Example: X Server Remote Client A

Remote Client B

Remote Client A

Remote Client B

Example: X Server Confidentiality violation Remote Client A

Remote Client B

GetScreen,WinAGetscreen,WinB

GetScreenGetScreen

Example: X Server Confidentiality violation Integrity violation

Remote Client B

Remote Client A

Remote Client B

ChangeProp, WinAChangeProp, WinA

ChangeProp

Remote Client A

Example: X Server Confidentiality violation Integrity violation

Remote Client B

Remote Client A

Remote Client B

ChangeProp, WinAChangeProp, WinA

ChangeProp

Remote Client A

Policy: (clientA, WinA, ChangeProp) (clientB, WinB, ChangeProp)

Errors in labeling traces (I)

Openxterm

Closexterm

Movexterm

Openbrowser

Switchwindows

CREATEDESTROYMAPUNMAP

INPUTEVENT

Errors in labeling traces (I)

Openxterm

Closexterm

Movexterm

Openbrowser

Switchwindows

INPUTEVENT

CREATE = Trace1 – Trace3

Errors in labeling traces (II)

Openxterm

Closexterm

Movexterm

Openbrowser

Switchwindows

INPUTEVENT

Dealing with errors in labeling Missing labels from traces:

• “∩” operation will not discard fingerprint• “diff” operation may erroneously eliminate a

fingerprint Extra labels on traces:

• May erroneously eliminate a fingerprint Trial-and-error

• Relabel and recompute set-equations Empirically: tolerance of about 15% errors

Observation 1: Automated hooks tend to be finer grained• Finer-grained operations• Finer-grained objects

Finer-grained operations

Observation 1: Automated hooks tend to be finer grained• Finer-grained operations• Finer-grained objects

Finer-grained objects

write(pChild->mapped)

read(pWin->firstChild->nextSib)

Comparison of manual and automated hook placements

Retrofitting Legacy Code with Authorization Mechanisms

Documents

Transcript of Retrofitting Legacy Code with Authorization Mechanisms

Seismic retrofitting of lifeline structures in Uttarakhanddmmc.uk.gov.in/files/Seismic_Retrofitting_English.pdf · 4. Seismic retrofitting 9 4.1 Retrofitting need 10 4.2 Execution

G.Necula et al. Taming C Pointers. George C. Necula, Jeremy Condit, Matthew Harren. CCured: Type-Safe Retrofitting of Legacy Software. ACM Transactions.

Retrofitting Learning Environments

Retrofitting hotels: evidence from the Protea Hospitality ...€¦ · Retrofitting hotels: evidence from the Protea Hospitality ... ... retrofitting.

Retrofitting of Industrial Structure - cias-italia.it - Retrofitting of Industrial Structure.pdf · RETROFITTING OF INDUSTRIAL ... seismic retrofitting of existing industrial facilities

RETROFITTING & RECONDITIONING RETROFITTING & …

CCured : Type-Safe Retrofitting of Legacy Code

RETROFITTING SINGAPORE’S JURONG WATER … Folder/RETROFITTING SINGA… · 1 retrofitting singapore’s jurong water reclamation plant with membrane bioreactor – minimizing energy

CCured: Type-Safe Retrofitting of Legacy Software - University of

15. RETROFITTING SUBURBIAurbanhs.com/.../CH-15-Retrofitting-Suburbia-final.pdf · Retrofitting Suburbia 15. RETROFITTING SUBURBIA ... walking, bicycling, and person-to-person interaction.

Seismic Retrofitting Techniques

Retrofitting Adaptive Designs

Sustainable retrofitting of blocks of flats: environmental ... · PDF fileSustainable retrofitting of blocks of flats: environmental, economic and social aspects . ... retrofitting

Retrofitting Legacy Code for Authorization Policy Enforcementvinodg/papers/oakland2006/oakland200… · IEEE S&P 2006 Ganapathy/Jaeger/Jha: Retrofitting Legacy Code for Authorization

Retrofitting Legacy Code for Authorization Policy Enforcement Vinod Ganapathy vg@cs.wisc.edu Trent Jaeger tjaeger@cse.psu.edu Somesh Jha jha@cs.wisc.edu.

SEISMIC RETROFITTING TECHNIQUES.pdf

Retrofitting 3rd

Retrofitting Techniques

Retrofitting Bureaucracy: Factors Influencing Charter ... · Retrofitting Bureaucracy: Factors Influencing Charter ... Retrofitting Bureaucracy: Factors Influencing Charter Schools

Retrofitting Legacy Code for Authorization Policy Enforcement Vinod Ganapathy Ph.D. Thesis Defense Thursday, July 12 th, 2007.