ActionScript In-lined Reference Monitoring in Prolog Meera Sridhar and Kevin W. Hamlen The...
-
Upload
brent-lang -
Category
Documents
-
view
212 -
download
0
Transcript of ActionScript In-lined Reference Monitoring in Prolog Meera Sridhar and Kevin W. Hamlen The...
ActionScript In-lined Reference Monitoring in Prolog
Meera Sridhar and Kevin W. HamlenThe University of Texas at Dallas
January 18, 2010
Supported by a grant from AFOSR
PADL 2010Madrid, Spain
Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
2
Reference Monitors
1/18/2010
OS/VM
REFERENCE MONITOR
grant/deny event
Examples: file system permissionsmemory safety
Disadvantages:
— changing the policy requires changing the OS/VM
— difficult to enforce finer-grained policies such as
“No modifications to files ending in .exe”
UNTRUSTED CODE
Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
3
In-lined Reference Monitors [Schneider]
1/18/2010
OS/VM
REFERENCE MONITOR
grant/deny event
UNTRUSTED CODE
enforce safety policies by injecting runtime security guards directly into untrusted binarieso guards test whether the impending operation constitutes
a policy violation, and if so some corrective action is taken
maintain history of security-relevant events
Advantages: o No need to modify the OS/VM
o enforce richer policies: e.g., no network sends after file reads
o more flexible: code recipient can specify security policy
Examples: SASI [Erlingsson, Schneider], Java-MAC [Kim et al], Java-MOP [Chen, Rosu], Polymer [Bauer, Ligatti, Walker], ConSpec [Aktug, Naliuka], MoBILe [Hamlen, Morrisett, Schneider]
4
IRM Implementation Challenges— must be fairly light-weight because it runs on the code-
consumer side— binary code parsing and binary code generation are
tedious and error-prone— IRM must elegantly implement many AST analyses and
code-motion optimizations during rewriting— needed to preserve policy-compliant programs and generate
efficient code— generated code should be amenable to formal verification
(PCC[Necula & Lee], MoBILe[Hamlen, Morrisett, Schneider], and our recent work on Model-Checking IRMs [Sridhar & Hamlen, VMCAI 2010])
1/18/2010 Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
5
An ActionScript Bytecode IRM system in Prolog
1/18/2010
approximately:— 400 lines of rewriter code per security policy family— 900 lines of shared parser/generator code— 2000 of verifier code
Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
6
The Prolog AdvantageProlog turns out to be a surprisingly elegant language in which to implement IRM's!
— DCG's facilitate binary parser implementation.
— Reversible predicates combine the parser and code-generator into one piece of code!
— AST's are very elegantly represented and manipulated as Prolog structures.
— A Prolog implementation of binary rewriting is isomorphic to a search for a correctness proof. This is excellent for integration with a certifying IRM system (Model-Checking IRMs [Sridhar & Hamlen]) or a PCC system [Necula & Lee].
1/18/2010
Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
7
Application: Preventing malicious URL-redirections
Adobe’s very real problem:- anyone can write a malicious ABC ad applet
and float them around- ad-distributor doesn’t have a good way of pre-
checking these since they might change dynamically
1/18/2010
Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
8
Application: Preventing malicious URL-redirections
Solution: Use an IRM framework!
– URL-redirections are implemented in ActionScript Bytecode by the navigateToURL system call
– let’s say we have a method checkURL, with a trusted implementation provided by the ad-distributor• checkURL validates the input to navigateToURL, and
may depend on dynamic information
1/18/2010
Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
9
Application: Preventing malicious URL-redirections
Solution (contd.):
– insert a call to checkURL(s) before a call to navigateToURL(s) directly into bytecode
– naïve approach – insert checkURL before every navigateToURL, but for efficiency reasons might want to pre-validate string
– fits the Flash/AIR model perfectly, because security-enforcement done at code-consumer end, and code-producer (ad-creator) need not be trusted at all!
1/18/2010
Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
10
A couple other real-world policies
postok policy:
• sanitizes strings entered into message box widgets
• This can be helpful in preventing cross-site scripting attacks, privacy violations, and buffer-overflow exploits that affect older versions of the ActionScript VM.
• We enforced the policy on the Posty AIR application, which allows users to post messages to social networking sites such as Twitter, Jaiku, Tumblr, and Friendfeed.
1/18/2010
Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
11
A couple other real-world policies
flimit policy
• enforces a resource bound that disallows the creation of more than n files on the user's machine
• enforced this policy on the FedEx Desktop AIR application, which continuously monitors a user's shipment status and sends tracking information directly to his or her desktop
• IRM implements the policy by injecting a counter into the untrusted code that tracks file creations
1/18/2010
Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
12
Implementation and Results Details
for more details, please visit my website:www.utdallas.edu/~meera.sridhar
1/18/2010
Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
13
Conclusion slide— IRM’s provide a more sophisticated security enforcement
mechanism than traditional means.— Prolog provides a very elegant solution to typical IRM
implementation challenges.— We implemented a prototype IRM system for ActionScript
bytecode.— We demonstrated the feasibility of our solution by enforcing
several real-world policies.
1/18/2010
Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog
14
Selected Citations1. B. W. DeVries, G. Gupta, K. W. Hamlen, S. Moore, and M. Sridhar.
ActionScript Bytecode Verification with Co-logic Programming. In Proc. of the ACM SIGPLAN Workshop on Prog. Languages and Analysis for Security (PLAS), 2009.
2. K. W. Hamlen, G. Morrisett, and F. B. Schneider. Computability Classes for Enforcement Mechanisms. In ACM Trans. Prog. Languages and Systems, 2006.
3. F. B. Schneider. Enforceable Security Policies. ACM Trans. Information and System Security, 3:30–50, 2000.
4. M. Sridhar and K. W. Hamlen. Model-checking In-lined Reference Monitors. In Proc. Intl. Conf. on Verification, Model-Checking and Abstract Interpretation, 2010.
1/18/2010