ActionScript In-lined Reference Monitoring in Prolog Meera Sridhar and Kevin W. Hamlen The...

ActionScript In-lined Reference Monitoring in Prolog

Meera Sridhar and Kevin W. HamlenThe University of Texas at Dallas

January 18, 2010

Supported by a grant from AFOSR

PADL 2010Madrid, Spain

Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

2

Reference Monitors

1/18/2010

OS/VM

REFERENCE MONITOR

grant/deny event

Examples: file system permissionsmemory safety

Disadvantages:

— changing the policy requires changing the OS/VM

— difficult to enforce finer-grained policies such as

“No modifications to files ending in .exe”

UNTRUSTED CODE


3

In-lined Reference Monitors [Schneider]

1/18/2010

OS/VM

REFERENCE MONITOR

grant/deny event

UNTRUSTED CODE

enforce safety policies by injecting runtime security guards directly into untrusted binarieso guards test whether the impending operation constitutes

a policy violation, and if so some corrective action is taken

maintain history of security-relevant events

Advantages: o No need to modify the OS/VM

o enforce richer policies: e.g., no network sends after file reads

o more flexible: code recipient can specify security policy

Examples: SASI [Erlingsson, Schneider], Java-MAC [Kim et al], Java-MOP [Chen, Rosu], Polymer [Bauer, Ligatti, Walker], ConSpec [Aktug, Naliuka], MoBILe [Hamlen, Morrisett, Schneider]

4

IRM Implementation Challenges— must be fairly light-weight because it runs on the code-

consumer side— binary code parsing and binary code generation are

tedious and error-prone— IRM must elegantly implement many AST analyses and

code-motion optimizations during rewriting— needed to preserve policy-compliant programs and generate

efficient code— generated code should be amenable to formal verification

(PCC[Necula & Lee], MoBILe[Hamlen, Morrisett, Schneider], and our recent work on Model-Checking IRMs [Sridhar & Hamlen, VMCAI 2010])

1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog


5

An ActionScript Bytecode IRM system in Prolog

1/18/2010

approximately:— 400 lines of rewriter code per security policy family— 900 lines of shared parser/generator code— 2000 of verifier code


6

The Prolog AdvantageProlog turns out to be a surprisingly elegant language in which to implement IRM's!

— DCG's facilitate binary parser implementation.

— Reversible predicates combine the parser and code-generator into one piece of code!

— AST's are very elegantly represented and manipulated as Prolog structures.

— A Prolog implementation of binary rewriting is isomorphic to a search for a correctness proof. This is excellent for integration with a certifying IRM system (Model-Checking IRMs [Sridhar & Hamlen]) or a PCC system [Necula & Lee].

1/18/2010


7

Application: Preventing malicious URL-redirections

Adobe’s very real problem:- anyone can write a malicious ABC ad applet

and float them around- ad-distributor doesn’t have a good way of pre-

checking these since they might change dynamically

1/18/2010


8


Solution: Use an IRM framework!

– URL-redirections are implemented in ActionScript Bytecode by the navigateToURL system call

– let’s say we have a method checkURL, with a trusted implementation provided by the ad-distributor• checkURL validates the input to navigateToURL, and

may depend on dynamic information

1/18/2010


9


Solution (contd.):

– insert a call to checkURL(s) before a call to navigateToURL(s) directly into bytecode

– naïve approach – insert checkURL before every navigateToURL, but for efficiency reasons might want to pre-validate string

– fits the Flash/AIR model perfectly, because security-enforcement done at code-consumer end, and code-producer (ad-creator) need not be trusted at all!

1/18/2010


10

A couple other real-world policies

postok policy:

• sanitizes strings entered into message box widgets

• This can be helpful in preventing cross-site scripting attacks, privacy violations, and buffer-overflow exploits that affect older versions of the ActionScript VM.

• We enforced the policy on the Posty AIR application, which allows users to post messages to social networking sites such as Twitter, Jaiku, Tumblr, and Friendfeed.

1/18/2010


11

A couple other real-world policies

flimit policy

• enforces a resource bound that disallows the creation of more than n files on the user's machine

• enforced this policy on the FedEx Desktop AIR application, which continuously monitors a user's shipment status and sends tracking information directly to his or her desktop

• IRM implements the policy by injecting a counter into the untrusted code that tracks file creations

1/18/2010


12

Implementation and Results Details

for more details, please visit my website:www.utdallas.edu/~meera.sridhar

1/18/2010


13

Conclusion slide— IRM’s provide a more sophisticated security enforcement

mechanism than traditional means.— Prolog provides a very elegant solution to typical IRM

implementation challenges.— We implemented a prototype IRM system for ActionScript

bytecode.— We demonstrated the feasibility of our solution by enforcing

several real-world policies.

1/18/2010


14

Selected Citations1. B. W. DeVries, G. Gupta, K. W. Hamlen, S. Moore, and M. Sridhar.

ActionScript Bytecode Verification with Co-logic Programming. In Proc. of the ACM SIGPLAN Workshop on Prog. Languages and Analysis for Security (PLAS), 2009.

2. K. W. Hamlen, G. Morrisett, and F. B. Schneider. Computability Classes for Enforcement Mechanisms. In ACM Trans. Prog. Languages and Systems, 2006.

3. F. B. Schneider. Enforceable Security Policies. ACM Trans. Information and System Security, 3:30–50, 2000.

4. M. Sridhar and K. W. Hamlen. Model-checking In-lined Reference Monitors. In Proc. Intl. Conf. on Verification, Model-Checking and Abstract Interpretation, 2010.

1/18/2010

ActionScript In-lined Reference Monitoring in Prolog Meera Sridhar and Kevin W. Hamlen The...

Documents

Transcript of ActionScript In-lined Reference Monitoring in Prolog Meera Sridhar and Kevin W. Hamlen The...