Retrofitting Legacy Code with Authorization Mechanisms
description
Transcript of Retrofitting Legacy Code with Authorization Mechanisms
Retrofitting Legacy Code with Authorization Mechanisms
Vinod GanapathyRutgers University
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 2
Principle of Design for Security
Historic example: • MULTICS [Corbato et al. ‘65]
More recent examples:• Operating systems • Database servers
To create a secure system, designit to be secure from the ground up
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 3
Relevance of the Principle today
Deadline-driven software development• Design.Build.(Patch)* is here to stay• Few people have expertise with a single large
codebase.• Tedious to sift through large codebases and
reason about security. • Diverse/Evolving security requirements
oMULTICS security study [Karger and Schell, ‘72]
Most deployed software is not designed for security
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 4
Retrofitting legacy code
Need systematic techniques toretrofit legacy code for security
Legacycode
Retrofitted code
INSECURE SECURE
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 5
Retrofitting legacy code
Enforcing type safety • CCured [Necula et al. ’02]
Partitioning for privilege separation• PrivTrans [Brumley and Song, ’04]
Enforcing authorization policies
Need systematic techniques toretrofit legacy code for security
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 6
Resource manager
Enforcing authorization policies
Resource userOperation request Response
Authorization policy‹Alice, /etc/passwd, File_Read›
Reference monitor
Allowed? YES/NO
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 7
Retrofitting for authorization Mandatory access control for Linux
• Linux Security Modules [Wright et al.,’02]
• SELinux [Loscocco and Smalley,’01]
Secure windowing systems• Trusted X, Compartmented-mode workstation,
X11/SELinux [Epstein et al.,’90][Berger et al.,’90][Kilpatrick et al.,’03]
Java Virtual Machine/SELinux [Fletcher,‘06]
IBM Websphere/SELinux [Hocking et al.,‘06]
Painstaking, manual procedure
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 8
This tutorial
Three program analysis and transformation techniques (in increasing order of sophistication)
to retrofit legacy code with reference monitors
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 9
Contents of the tutorial
Fingerprints: A new representation for security-sensitive operations
Three algorithms to mine fingerprints Results: Reduced effort to retrofit legacy
code for authorization policy enforcement• Manual effort needed reduces to a few hours• Applied to X server, Linux kernel, etc.
Analyses and transformations forauthorization policy enforcement
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 10
Outline Motivation Problem
• Example• Retrofitting legacy code: Lifecycle
Solutions• Dynamic fingerprint mining• Static mining with concept analysis• Static mining leveraging user choice
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 11
X server with multiple X clients
REMOTE
LOCAL
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 12
REMOTE
Malicious remote X client
LOCAL
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 13
REMOTE
Undesirable information flow
LOCAL
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 14
Desirable information flow
LOCAL
REMOTE
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 15
Other policies to enforce Prevent unauthorized
• Copy and paste• Modification of inputs meant for other clients• Changes to window settings of other clients• Retrieval of bitmaps: Screenshots
[Berger et al., ’90]
[Epstein et al., ‘90][Kilpatrick et al., ‘03]
Security is not a ‘blocker’ Security by design, in practice
“It isn't clear this qualifies as a blocker under any circumstances. The importance of
security increases only as we are into serious deployment and start becoming a target. First
things, first....”- https://dev.laptop.org/ticket/260 Need a way to protect against
applications sniffing each other's keystrokes, which X permits by default.
16
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 17
X server
X server with authorization
X clientOperation request Response
Authorization policy
Reference monitor
Allowed? YES/NO
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 18
Outline Motivation Problem
• Example• Retrofitting legacy code: Lifecycle
Solution
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 19
Retrofitting lifecycle1. Identify security-sensitive operations2. Locate where they are performed in code3. Instrument these locations
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code Policy checks
Can the client receive this
Input_Event?
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 20
Problems
X11 ~ proposed 2003, implemented 2007, changing to date. [Kilpatrick et al., ‘03]
Linux Security Modules ~ 2 years [Wright et al., ’02]
PostgreSQL: Began in 2006, still not mainline.
Manual
At this point, SE-PostgreSQL has taken up a *lot* of community resources, not to mention an enormous and
doubtless frustrating amount of *the lead developer’s* time and effort, thus far without a single committed patch, or even a consensus as to what it should (or could) do. Rather than continuing to blunder
into the future, I think we need to do a reality check -
http://archives.postgresql.org/message-id/[email protected]
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 21
Problems
Violation of complete mediation Time-of-check to Time-of-use bugs [Zhang et al., ‘02]
[Jaeger et al., ‘04]
Error-prone
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 22
Our approach
Fingerprints: A new representation of security-sensitive operations
Legacy code retrofitted using fingerprints• Use of static and dynamic program analysis• Must achieve complete mediation• Ideally, must not place redundant hooks
Automated
Principled
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 23
Approach overviewLegacy code
Retrofitted code
Miner
Fingerprints
Matcher
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 24
Outline Motivation Problem Solution
• Fingerprints • Dynamic fingerprint mining• Static fingerprint mining with concept analysis• Static fingerprint mining leveraging user
choice
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 25
What are fingerprints?
Resource accesses that are unique to a security-sensitive operation
Denote key steps needed to perform the security-sensitive operation on a resource
Code-level signatures of security-sensitive operations
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 26
Examples of fingerprints Input_Event :- Cmp xEvent->type == KeyPress
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 27
Examples of fingerprints Input_Event :-
Cmp xEvent->type == KeyPress Input_Event :- Cmp xEvent->type == MouseMove
Map :- Set Window->mapped to True & Set xEvent->type to MapNotify
Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 28
MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) { ... // Code that maps each child window
... }}
Fingerprint matching X server function MapSubWindows
Performs Enumerate
Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 29
MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows if CHECK(pClient,pParent,Enumerate) == ALLOWED { pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) { ... // Code that maps each child window
... } } else { HANDLE_FAILURE }}
Placing authorization checks X server function MapSubWindows
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 30
Fingerprint matching Currently employ simple pattern matching More sophisticated matching possible
• Metacompilation [Engler et al., ‘01] • MOPS [Chen and Wagner, ‘02]
Inserting authorization checks is akin to static aspect-weaving [Kiczales et al., ’97]
Other aspect-weaving techniques possible• Runtime aspect-weaving
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 31
Outline Motivation Problem Solution
• Fingerprints• Dynamic fingerprint mining • Static fingerprint mining with concept analysis• Static fingerprint mining leveraging user
choice
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 32
Dynamic fingerprint mining
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code
Output: FingerprintsInput_Event :- Cmp xEvent->type == KeyPress
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 33
Dynamic fingerprint mining Security-sensitive operations [NSA’03]
Use this information to induce the program to perform security-sensitive operations
Input_Event Input to window from deviceCreate Create new windowDestroy Destroy existing windowMap Map window to console
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 34
Problem definition S: Set of security-sensitive operations D: Descriptions of operations in S R: Set of resource accesses
• Read/Set/Cmp of Window/xEvent Each s є S has a fingerprint
• A fingerprint is a subset of R• Contains a resource access unique to s
Problem: Find fingerprints for each security-sensitive operation in S using D
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 35
Traces contain fingerprints
Induce security-sensitive operation • Typing to window will induce Input_Event
Fingerprint must be in runtime trace • Cmp xEvent->type == KeyPress
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code Runtime trace
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 36
Compare traces to localize
Localize fingerprint in trace• Trace difference and intersection
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code Runtime trace
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 37
Runtime traces Trace the program and record reads/writes
to resource data structures• Window and xEvent in our experiments
Example: from X server startup (In function SetWindowtoDefaults) Set Window->prevSib to 0 Set Window->firstChild to 0 Set Window->lastChild to 0
… about 1400 such resource accesses
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 38
Using traces for fingerprinting Obtain traces for each security-sensitive
operation• Series of controlled tracing experiments
Examples• Typing to keyboard generates Input_Event• Creating new window generates Create• Creating window also generates Map• Closing existing window generates Destroy
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 39
Comparison with “diff” and “∩”
Openxterm
Closexterm
Movexterm
Openbrowser
Switchwindows
CreateDestroyMapUnmap
Input_Event
Annotation is a manual step
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 40
- Move xtermCreate = Open xterm ∩ Open browser
Comparison with “diff” and “∩”
Openxterm
Closexterm
Movexterm
Openbrowser
Switchwindows
CreateDestroyMapUnmap
Input_Event
Perform same set operations on resource accesses
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 41
Set equations Each trace has a set of labels
• Open xterm: {Create, Map}• Browser: {Create, Destroy, Map, Unmap}• Move xterm: {Map, Input_Event}
Need set equation for {Create}• Compute an exact cover for this set• Open xterm ∩ Open browser – Move xterm
Perform the same set operations on the set of resource accesses in each trace
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 42
Experimental methodologySource code
Server with logging enabled
Raw traces
Relevant portions of traces
Pruned traces
gcc –-enable-logging
Run experiments and collect traces
Localize security-sensitive operation
Compare traces with “diff” and “∩”
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 43
Dynamic mining: Results1,000,000
54,000
900
126
1
10
100
1,000
10,000
100,000
1,000,000
Source Code Raw Traces RelevantPortions
PrunedTraces
Size
Each fingerprint localized towithin 126 resource accesses
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 44
1. Incomplete: False negatives2. High-level description needed 3. Operations are manually induced
Limitations of dynamic mining
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code Runtime trace
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 45
Outline Motivation Problem Solution
• Fingerprints• Dynamic fingerprint mining• Static fingerprint mining with concept analysis• Static fingerprint mining leveraging user
choice
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 46
Static fingerprint mining
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code
Output: Candidate FingerprintsCmp xEvent->type == KeyPress
Resources
• Window• xEvent
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 47
Problem definition R: Set of resource accesses
• Read/Set/Cmp of Window/xEvent E: Set of entry points into the server Goal: Find fingerprints using R and E
Not given an a priori description of security-sensitive operations
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 48
Straw-man proposal I
Finest level of granularity Cmp xEvent->type == KeyPress Read Window->firstChild Read Window->nextSib Cmp Window ≠ 0
Each resource access in R is a fingerprint
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 49
Problem with this proposal
Cmp xEvent->type == KeyPress Read Window->firstChild Read Window->nextSib Cmp Window ≠ 0
Difficult to write and maintainpolicies at this level of granularity
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 50
Straw-man proposal II
Coarsest level of granularity
Call MapSubWindows Call MapWindow
Write policies allowing/disallowing the use of an API call
Each API in E is a fingerprint
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 51
Problem with this proposal
Call MapSubWindows • Enumerates child windows and maps them to
the screen Call MapWindows
• Maps a window onto the screen
Does not reflect actual resourceaccesses performed by API call
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 52
Our approach
Each API entry point implicitly defines a set of resource accesses
Cluster resource accesses based upon the API entry points that perform them
Cluster resource accesses that always happen together
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 53
Static analysis Extract resource accesses potentially
possible via each entry point Example from the X server
• Entry point: MapSubWindows(…)• Resource accesses:
Set xEvent->type To MapNotify Set Window->mapped To True Read Window->firstChildRead Window->nextSibCmp Window ≠ 0
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 54
Resource accessesMapSubWindows
MapWindow
KeyboardInput
Set xEvent->type To MapNotify
Set Window->mapped To True
Read Window->firstChild
Read Window->nextSib
Cmp Window ≠ 0
Cmp xEvent->type==KeyPress
270 API functions430 distinct resource accesses
Identify candidate fingerprints by clustering resource accesses
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 55
FeaturesInstances
Concept analysisMapSubWindows
MapWindow
KeyboardInput
Set xEvent->type To MapNotify
Set Window->mapped To True
Read Window->firstChild
Read Window->nextSib
Cmp Window ≠ 0
Cmp xEvent->type==KeyPress
Comparison via hierarchical clustering
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 56
A B C
123456
Hierarchical clustering
Cmp xEvent->type==KeyPress
Cmp Window ≠ 0
Read Window->nextSib
Read Window->firstChild
Set Window->mapped To True
Set xEvent->type To MapNotify
KeyboardInput
MapWindow
MapSubWindows
{A,B,C}, Ф
{A,B}, {1,2}
{A}, {1,2,3,4,5}
{C}, {6}
Ф, {1,2,3,4,5,6}
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 57
{A}, {1,2,3,4,5}
A B C
123456
Mining candidate fingerprints
Cmp xEvent->type==KeyPress
Cmp Window ≠ 0
Read Window->nextSib
Read Window->firstChild
Set Window->mapped To True
Set xEvent->type To MapNotify
KeyboardInput
MapWindow
MapSubWindows
{A,B,C}, Ф
{A,B}, {1,2}{C}, {6}
Ф, {1,2,3,4,5,6}
Cand. Fing. 1
Cand. Fing. 2
Cand. Fing. 3
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 58
Static mining: Results
1.4383.71153.718
94,014PennMUSH30,096X Server/dix4,476ext2
Avg. SizeCand. Fing.LOCBenchmark
110
1001,000
10,000100,000
ext2 X server PennMUSH
Siz
e
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 59
X Server/dixext2
Benchmark
2211
Manually identifiedSecurity-sensitive ops
Candidatefingerprints
Static mining: Results
11518
Able to find at least one fingerprint for each security-sensitive operation
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 60
Identified automatically in a few minutesInterpretation takes just a few hours
Identified as part of multi-year efforts
Static mining: Results
11518
X Server/dixext2
Benchmark
2211
Manually identifiedSecurity-sensitive ops
Candidatefingerprints
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 61
Associated 59 candidate fingerprints with security-sensitive operations
Remaining are likely security-sensitive too
Static mining: Results
X Server/dixext2
Benchmark
2211
Manually identifiedSecurity-sensitive ops
Candidatefingerprints
11518
Read Window->DrawableRec->width & Read Window->DrawableRec->height
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 62
Outline Motivation Problem Solution
• Fingerprints• Dynamic fingerprint mining• Static fingerprint mining with concept analysis• Static fingerprint mining leveraging user
choiceoDivya Muthukumaran and Trent Jaeger
63
Shortcomings that remain Identifying security-sensitive objects is still
manual Hook placement suggested by fingerprints:
• Are they “minimal”?• How do they compare to manually-placed
hooks?
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement
64
65
Inferring security-sensitive objects and operations
Idea: Follow the client-request• In servers, client-request determines choice.
“Choice”: • Determines which objects are selected to be
operated upon. • Determines which operation is selected to be
performed on objects.
66
write v
o1
o2
o3
o4
BRequest Interface
i
Cv = Lookup(O,i)
User A
User B
D
A
FI
JH
read v
K
L
E
Program
Container O
Op1.3Op1.2Op1.1Security-sensitive
operation
Tainted variable
Security-sensitive variable
Control statement
Predicated on tainted variable
67
Program
User request
Lookup Function
Global Reads
A) Identify Tainted
Variables (VT)
B) Identify Security-sensitive
Objects(VS)
C) User-choice Operations
D) Security-sensitive operations
68
clientRequest stuff = ReadRequestFromClient(); …int ChangeWindowProperty(ClientPtr *c, WindowPtr * w){ WindowPtr * win; PropertyPtr * pProp; err = LookupWindow(&win,stuff->window, c); rc = LookupProperty(&pProp, win, stuff->property, c); if (rc == BadMatch) {/* Op 1*/ pProp->name = property; pProp->format = format; pProp->data = data; pProp->size = len; } else { /* Op 2 */ if (stuff->mode == REPLACE) { /* Op 2.1 */ pProp->data = data; pProp->size = len; pProp->format = format; } else if (stuff->mode == APPEND) {/* Op 2.2 */ pProp->data = data; pProp->size += len; } }}
69
clientRequest stuff = ReadRequestFromClient();
int ChangeWindowProperty(ClientPtr * c, WindowPtr * w){ WindowPtr * win; PropertyPtr * pProp; err = LookupWindow(&win,stuff->window, c); rc = LookupProperty(&pProp, win, stuff->property, c); if (rc == BadMatch) {/* Op 1*/ pProp->name = property; pProp->format = format; pProp->data = data; pProp->size = len; } else { /* Op 2 */ if (mode == REPLACE) { /* Op 2.1 */ pProp->data = data; pProp->size = len; pProp->format = format; } else if (mode == APPEND) {/* Op 2.2 */ pProp->data = data; pProp->size += len; } }}
Static Taint analysis
70
Program
User request
Lookup Function
Global Reads
A) Identify Tainted
Variables (VT)
B) Identify Security-sensitive
Objects(VS)
C) User-choice Operations
D) Security-sensitive operations
Retrieval of objects from containers: • List access (*->next pointer)
• Array access (pointer arithmetic)…
71
List Access: LookupProperty
for (prop=win->userProps; prop; prop=prop->next {if (prop->name == pName)
break;*p = prop;}
return p;
Array Access: LookupWindow
Resource res = clientTable[i]return res;
72
Program
User request
Lookup Function
Global Reads
A) Identify Tainted
Variables (VT)
B) Identify Security-sensitive
Objects(VS)
C) User-choice Operations
D) Security-sensitive operations
Def 2: A variable v V∈ S(P) if any following are true: a) If it is assigned a value from a container via a lookup
function using a variable v V∈ T(P), b) If D is true for some v’ V∈ S(P). c) If it is a global variable and in the set VT(P).
73
int ChangeWindowProperty(ClientPtr * c, WindowPtr * w, int mode){ WindowPtr * win; PropertyPtr * pProp; err = LookupWindow(&win,stuff->window, c); rc = LookupProperty(&pProp, win, stuff->property, c); if (rc == BadMatch) {/* Op 1*/ pProp->name = property; pProp->format = format; pProp->data = data; pProp->size = len; } else { /* Op 2 */ if (mode == REPLACE) { /* Op 2.1 */ pProp->data = data; pProp->size = len; pProp->format = format; } else if (mode == APPEND) {/* Op 2.2 */ pProp->data = data; pProp->size += len; } }}
TechnologyDetecting code patterns
Static Taint analysis
74
Program
User request
Lookup Function
Global Reads
A) Identify Tainted
Variables (VT)
B) Identify Security-sensitive
Objects(VS)
C) User-choice Operations
D) Security-sensitive operations
75
int ChangeWindowProperty(ClientPtr * c, WindowPtr * w, int mode){ WindowPtr * win; PropertyPtr * pProp; err = LookupWindow(&win,stuff->window, c); rc = LookupProperty(&pProp, win, stuff->property, c); if (rc == BadMatch) {/* Op 1*/ pProp->name = property; pProp->format = format; pProp->data = data; pProp->size = len; } else { /* Op 2 */ if (stuff->mode == REPLACE) { /* Op 2.1 */ pProp->data = data; pProp->size = len; pProp->format = format; } else if (stuff->mode == APPEND) {/* Op 2.2 */ pProp->data = data; pProp->size += len; } }}
76
A C
B D
A DB C
Taken Not- takenTaken Not-taken
Control Flow Graph (CFG)
Control Dependence Graph (CDG)
77
78
Program
User request
Lookup Function
Global Reads
A) Identify Tainted
Variables (VT)
B) Identify Security-sensitive
Objects(VS)
C) User-choice Operations
D) Security-sensitive operations
79
80
Results: Reduction in programmer effortProgram X Server postgres pennmush memcached
LOC 28k 49k 78k 9k
Total variables 7795 12350 24372 2350
Tainted variables
2975 (38%) 5100 (41%) 4168 (17%) 490 (20%)
Security sensitive variables
823 (9%) 402 (3%) 1573 (6%) 82 (3%)
Data Structures 404 278 311 41
Sensitive Data structures
61(15%)
30 (10%)
38 (12%)
7(17%)
User-choice Operations
4760 5063 6485 996
Sensitive operations 1382 (29%)
1378 (27%)
1382 (21%)
203(20%)
81
Results: Reduction in programmer effortProgram X Server postgres pennmush memcached
LOC 28k 49k 78k 9k
Total variables 7795 12350 24372 2350
Tainted variables
2975 (38%) 5100 (41%) 4168 (17%) 490 (20%)
Security sensitive variables
823 (9%) 402 (3%) 1573 (6%) 82 (3%)
Data Structures 404 278 311 41
Sensitive Data structures
61(15%)
30 (10%)
38 (12%)
7(17%)
User-choice Operations
4760 5063 6485 996
Sensitive operations 1382 (29%)
1378 (27%)
1382 (21%)
203(20%)
2241
82
Results: Reduction in programmer effortProgram X Server postgres pennmush memcached
LOC 28k 49k 78k 9k
Total variables 7795 12350 24372 2350
Tainted variables
2975 (38%) 5100 (41%) 4168 (17%) 490 (20%)
Security sensitive variables
823 (10%) 402 (3%) 1573 (6%) 82 (3%)
Data Structures 404 278 311 41
Sensitive Data structures
61(15%) 30 (10%)
38 (12%)
7(17%)
User-choice Operations
4760 5063 6485 996
Sensitive operations 1382 (29%) 1378 (27%) 1382 (21%)
203(20%)
< 95%
83
84
Results Two sets of programs: a) With manually placed hooks: X server,
postgres. B) No manual hooks: pennmush,
memcached.
85
Results: Reduction in programmer effort
Program X Server postgres pennmush memcached
LOC 28k 49k 78k 9k
Security sensitive variables
823 (10%) 402 (3%) 1573 (6%) 82 (3%)
Sensitive operations 1382 (29%) 1378 (27%) 1382 (21%)
203(20%)
Hooks 532 (11%)
579 (11%)
714(11%)
56(5%)
< 61%
86
Comparing with manual hooks
X Server:• Manual: ~200 hooks• Automated: ~530 hooks
Postgres: • Manual: ~370• Automated: ~570
What does this mean?
Criteria for comparing hooks
Control dominance Data dominance
Hooks Criteria
87
88
Comparison of manual and automated hook placements
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 89
Summary
Input_EventCreateDestroyCopyPasteMap
Can the client receive this
Input_Event?
Fingerprints
MatchingMining
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 90
Lessons for the future
Modifications may break software Modifying executables is challenging
Modifying legacy code is non-trivial
Low-overhead runtime system for policy enforcement on unmodified code
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 91
Lessons for the future
Type-safety violations the main problem
Soundness/completeness hard to achieve for C
Provable guarantees with additional runtime checks?
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 92
Lessons for the futureDifficult to automate failure handling
Aspect-oriented solution?
Failure handling is a crosscutting-concern Handling failure gracefully is the main
challenge
Checkpoint and rollback?
94Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement
Example: X Server Remote Client A
Remote Client B
Remote Client A
Remote Client B
95
Example: X Server Confidentiality violation Remote Client A
Remote Client B
WinA
WinB
GetScreen,WinAGetscreen,WinB
96
GetScreenGetScreen
Example: X Server Confidentiality violation Integrity violation
Remote Client B
Remote Client A
Remote Client B
ChangeProp, WinAChangeProp, WinA
97
ChangeProp
ChangeProp
Remote Client A
Example: X Server Confidentiality violation Integrity violation
Remote Client B
Remote Client A
Remote Client B
ChangeProp, WinAChangeProp, WinA
98
ChangeProp
ChangeProp
Remote Client A
Policy: (clientA, WinA, ChangeProp) (clientB, WinB, ChangeProp)
…
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 99
Errors in labeling traces (I)
Openxterm
Closexterm
Movexterm
Openbrowser
Switchwindows
CREATEDESTROYMAPUNMAP
INPUTEVENT
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 100
Errors in labeling traces (I)
Openxterm
Closexterm
Movexterm
Openbrowser
Switchwindows
CREATEDESTROYMAPUNMAP
INPUTEVENT
CREATE = Trace1 – Trace3
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 101
Errors in labeling traces (II)
Openxterm
Closexterm
Movexterm
Openbrowser
Switchwindows
CREATEDESTROYMAPUNMAP
INPUTEVENT
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 102
Dealing with errors in labeling Missing labels from traces:
• “∩” operation will not discard fingerprint• “diff” operation may erroneously eliminate a
fingerprint Extra labels on traces:
• May erroneously eliminate a fingerprint Trial-and-error
• Relabel and recompute set-equations Empirically: tolerance of about 15% errors
103
Comparing with manual hooks
Observation 1: Automated hooks tend to be finer grained• Finer-grained operations• Finer-grained objects
104
Finer-grained operations
105
Comparing with manual hooks
Observation 1: Automated hooks tend to be finer grained• Finer-grained operations• Finer-grained objects
106
Finer-grained objects
write(pChild->mapped)
read(pWin->firstChild->nextSib)
107
Comparison of manual and automated hook placements
6,1
9,3
51,5