CSE543 - Introduction to Computer and Network Security Module:...
![Page 1: CSE543 - Introduction to Computer and Network Security Module: …pdm12/cse543-f08/slides/cse543-language... · 2008. 12. 12. · CSE543 - Introduction to Computer and Network Security](https://reader035.fdocuments.in/reader035/viewer/2022063023/5ffbff9c8141e109133387c0/html5/thumbnails/1.jpg)
CSE543 - Introduction to Computer and Network Security Page
CSE543 - Introduction to Computer and Network Security
Module: Language Security
Professor Patrick McDaniel
Fall 2008
Engineering Disaster?
• Millions of Bots
  ‣ Compromised applications
• Programming errors
  ‣ Enable code insertion
• What can we do to fix them?
• Just starting to get serious...
Buffer Overflows
• One means by which the bad guys take over a host
  ‣ install root kits
  ‣ use as SPAM bots
  ‣ use as zombies
  ‣ launch other attacks
• There are many attacks, but this is the most prevalent
• It starts with a programmer mistake
  ‣ e.g., bad software
[Figure: process address space from 0x000.... to 0xfff....: TEXT, DATA, HEAP, STACK]
Buffer Overflow
• How it works
[Figure: stack frame (Local Var, Buffer, Local Var, Return Address, Func Parameters, Previous Function); the overflow writes "Evil Code" and a "New Rtn" over the frame]
Buffer Overflow Prevention
• StackGuard
  ‣ Push a ‘canary’ on the stack between the local vars and the return pointer
  ‣ Overwrite of canary indicates a buffer overflow
  ‣ Requires changes to the compiler
• Q: Would this solve the problem?
• Thorough summary:
  ‣ www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf
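The canary check described on this slide, as an added example rather than code from the lecture or from StackGuard: the frame is modeled as a byte array so the overflow stays inside the model, and the layout, the constants and the names (`call_with_input`, `SAMPLE`) are assumptions. It also runs the case behind the slide's question, where the copy stops before it reaches the canary.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame, lowest address first, in the order of
 * the slide's picture: buffer, local variable, canary, return address. */
#define WORD       sizeof(unsigned long)
#define BUF_LEN    16
#define LOCAL_OFF  BUF_LEN
#define CANARY_OFF (LOCAL_OFF + WORD)
#define RET_OFF    (CANARY_OFF + WORD)
#define FRAME_LEN  (RET_OFF + WORD)

static const unsigned long LOCAL = 1, CANARY = 0x00aff0d1UL, RET = 0x08048abcUL; /* constructed */
static const unsigned char SAMPLE[] = "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA";
enum result { RETURNED_OK, LOCAL_CORRUPTED, CANARY_TRIPPED, RETURN_HIJACKED };

static unsigned long slot(const unsigned char *frame, size_t off)
{
    unsigned long v;
    memcpy(&v, frame + off, sizeof v);
    return v;
}

/* Copy n input bytes into the frame's buffer, then run the function epilogue.
 * bounded:    clamp the copy to BUF_LEN (the repaired program)
 * use_canary: compare the canary before using the return address (StackGuard) */
enum result call_with_input(const unsigned char *in, size_t n, int bounded, int use_canary)
{
    unsigned char frame[FRAME_LEN] = {0};
    memcpy(frame + LOCAL_OFF, &LOCAL, WORD);     /* prologue fills the slots */
    memcpy(frame + CANARY_OFF, &CANARY, WORD);
    memcpy(frame + RET_OFF, &RET, WORD);
    if (bounded && n > BUF_LEN) n = BUF_LEN;
    if (n > FRAME_LEN) n = FRAME_LEN;            /* keep the model itself in bounds */
    memcpy(frame, in, n);                        /* the unchecked copy */
    if (use_canary && slot(frame, CANARY_OFF) != CANARY) return CANARY_TRIPPED;
    if (slot(frame, RET_OFF) != RET) return RETURN_HIJACKED;
    return slot(frame, LOCAL_OFF) == LOCAL ? RETURNED_OK : LOCAL_CORRUPTED;
}

int main(void)
{
    printf("overflow, no canary: %d\n", (int)call_with_input(SAMPLE, sizeof SAMPLE - 1, 0, 0));
    printf("overflow, canary:    %d\n", (int)call_with_input(SAMPLE, sizeof SAMPLE - 1, 0, 1));
    printf("one slot past buf:   %d\n", (int)call_with_input(SAMPLE, BUF_LEN + WORD, 0, 1));
    return 0;
}
```

In the third call the canary is intact but the local variable next to the buffer has changed, so the canary alone does not report it; clamping the copy (`bounded`) removes all three outcomes.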
Other Input Problems
• Function Pointers
  ‣ Overwrite a local function pointer variable
  ‣ Q: What can be done?
• Heap overflow
  ‣ Overflow a buffer on the heap
• Integer Overflow
  ‣ For signed 8-bit integers
    • 127+1 = ??
• Malformed Character Input
  ‣ What does URL “<ipaddr>/scripts/..%c0%af../winnt/system32” decode to?
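An added example (not from the lecture) for the malformed-character question above: it counts `..` path segments in the slide's URL under three decoding modes, which shows why a path check has to run on the strictly decoded, canonical form. The function and mode names are assumptions, and only one- and two-byte UTF-8 sequences are handled.

```c
#include <stdio.h>

enum mode { RAW, LAX, STRICT };   /* no decoding, mask-and-shift decoding, validating decoding */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Count the path segments equal to ".." once the path is decoded in the given mode.
 * Returns -1 when the bytes are not acceptable UTF-8 for that mode. */
int dotdot_segments(const char *p, enum mode mode)
{
    unsigned char raw[256];
    size_t n = 0, i = 0;
    int hi, lo, dots = 0, other = 0, count = 0;
    for (; *p; p++) {                         /* 1. percent-decode into raw[] */
        if (n == sizeof raw) return -1;
        if (mode != RAW && *p == '%' && (hi = hexval(p[1])) >= 0 && (lo = hexval(p[2])) >= 0) {
            raw[n++] = (unsigned char)(hi * 16 + lo);
            p += 2;
        } else raw[n++] = (unsigned char)*p;
    }
    while (i <= n) {                          /* 2. UTF-8 decode, 3. split on separators */
        long cp;
        if (i == n) cp = '/';                 /* sentinel closes the last segment */
        else if (mode == RAW || raw[i] < 0x80) cp = raw[i];
        else if (i + 1 < n && (raw[i] & 0xE0) == 0xC0 && (raw[i + 1] & 0xC0) == 0x80) {
            cp = ((long)(raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F);
            if (mode == STRICT && cp < 0x80) return -1;   /* overlong encoding */
            i++;
        } else return -1;
        i++;
        if (cp == '/' || cp == '\\') {
            count += (dots == 2 && !other);
            dots = other = 0;
        } else if (cp == '.') dots++;
        else other = 1;
    }
    return count;
}

int main(void)
{
    const char *url = "/scripts/..%c0%af../winnt/system32";   /* path from the slide */
    printf("raw=%d lax=%d strict=%d\n", dotdot_segments(url, RAW),
           dotdot_segments(url, LAX), dotdot_segments(url, STRICT));
    return 0;
}
```

A check on the undecoded path sees no `..` segment, the lax decoder turns `%c0%af` into `/` and yields two, and the strict decoder rejects the request before any path logic runs.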
Java World
• Type Safe Language
  ‣ No buffer/heap/ptr overflows
  ‣ No unsafe casts
  ‣ Still have integer overflows?
• Java Virtual Machine
  ‣ Interpret bytecodes (or compile together)
  ‣ Security Manager (reference monitor for JVM)
• Q: What is the trust model of a Java application?
Page CSE543 Computer and Network Security - Fall 2007 - Professor Jaeger
CCured
• From C to Memory-safe C Translator
  – Find the minimum number of runtime checks to ensure memory safety
• Classify Pointers
  – Safe
  – Wild
    • Need runtime checks for wild pointers
• Runtime Checks
  – Similar to declassifiers in DLM
  – Written by hand, in general
C Analysis
• Assume Type Safety in Analysis
  – On what basis?
  – Trust that the programmer does not subvert
• Is this a reasonable assumption?
  – Unsound analysis
    • False negatives are possible
  – Sound analysis
    • If no unsafe behavior relative to analysis can be assumed
• Actually, lots of work in this area
• Used in production code: Microsoft
Source Code Analysis
• Shallow tools for bug finding
  – PREfix, PREfast -- Microsoft
• Companies that will check your code
  – Coverity -- based on MC
• Deep tools for verifying correctness
  – SLAM -- for device drivers
• Add security to legacy code
  – Generate LSM
  – Generate reference monitor for X Server
• Lots of other topics
  – Privilege separation
  – Domain transition
  – Error reporting
Enforcing security policy
• DAC
• MAC
• certificates
• trust management
• SELinux
• anti-virus
• IDS
• firewalls
• encryption
• legal measures
[Figure: credit card and order form data moving between the E-Store customer, the E-Store software application and the credit card company, with "Leak???" marked on the flows. Security policy: do not leak credit card information to E-store local storage.]
None of these provide end-to-end confidentiality
Information-flow control
• What is it?
  ‣ Simple security
  ‣ ★-property
• Why?
  ‣ Leandro Aragoncillo, e.g.
• Problem: Information release
• Solution: Information Flow Control
• Stronger enforcement than reference monitors
[Figure: compartment lattice, from "Access to all compartments" at the top to "Access to no compartments" at the bottom]
{NUC, EUR, US}
{NUC, EUR} {NUC, US} {EUR, US}
{NUC} {EUR} {US}
Label and monitor
• Key:
  ‣ tag data
  ‣ monitor flows
• RMs tag actual data
  ‣ all data/processes have label
  ‣ central security monitor checks operations, data access against policy
• Security-typed languages use virtual tags
  ‣ data types are labeled
  ‣ type checker validates flows
[Figure labels: Label all data; Monitor flows]
Build on type safety
• A type-safe language maintains the semantics of types. E.g., can’t add ints to Objects.
• Type-safety is compositional. A function promises to maintain type safety.

Example 1
    Object obj;
    int i;
    obj = obj + i;

Example 2
    String proc_obj(Object o);
    ...
    main() {
        Object obj;
        String s = proc_obj(obj);
        ...
    }

[Slide annotation: X, marking a statement the type checker rejects]
Labeling types
• Key insight: label types with security levels
• Security-typing is compositional

Example 1
    int{high} h1,h2;
    int{low} l;
    l = 5;
    h2 = l;
    h1 = h2 + 10;
    l = h2 + l;

Example 2
    String{low} proc_obj(Object{high} o);
    ...
    main() {
        Object{high} obj;
        String{low} s;
        s = proc_obj(obj);
        ...
    }

[Slide annotation: X, marking a statement the type checker rejects]
Implicit flows
    intLow mydata = 0;
    intLow mydata2 = 0;
    if (testHigh)
        mydata = 1;
    else
        mydata = 2;
    mydata2 = 0;
    printLow(mydata2);
    printLow(mydata);
    …

Static (virtual) tagging
Causes type error at compile-time
mydata contains information about test so it can no longer be Low, but mydata2 is outside the conditional, so it is untainted by test
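An added example, not part of the lecture: the flow rule behind the last few slides (compartment lattice, labeled types, implicit flows) written as a small checker. Labels are bitmasks with LOW as the empty set and HIGH as all compartments; the `assign` struct, the function names and the treatment of constants as LOW are assumptions.

```c
#include <stdio.h>

/* A label is a set of compartments, stored as a bitmask (the lattice slide). */
typedef unsigned label;
enum { NUC = 1, EUR = 2, US = 4, LOW = 0, HIGH = NUC | EUR | US };

/* a may flow to b iff every compartment of a is also in b */
int can_flow(label a, label b) { return (a & ~b) == 0; }
/* least upper bound: the label of a value computed from both inputs */
label join(label a, label b) { return a | b; }

/* One assignment "dst = op(src1, src2)" checked under program-counter label pc,
 * where pc is the join of the labels of all conditions guarding the statement. */
struct assign { const char *text; label dst, src1, src2, pc; };

int well_typed(const struct assign *s)
{
    return can_flow(join(join(s->src1, s->src2), s->pc), s->dst);
}

/* Statements from the "Labeling types" slide, Example 1 (constants are LOW). */
const struct assign explicit_flows[] = {
    { "l = 5",        LOW,  LOW,  LOW, LOW },
    { "h2 = l",       HIGH, LOW,  LOW, LOW },
    { "h1 = h2 + 10", HIGH, HIGH, LOW, LOW },
    { "l = h2 + l",   LOW,  HIGH, LOW, LOW },   /* high data into a low variable */
};
/* Statements from the "Implicit flows" slide; both variables are declared Low. */
const struct assign implicit_flows[] = {
    { "mydata = 1",  LOW, LOW, LOW, HIGH },     /* inside if (testHigh) */
    { "mydata = 2",  LOW, LOW, LOW, HIGH },     /* inside the else branch */
    { "mydata2 = 0", LOW, LOW, LOW, LOW },      /* after the conditional */
};

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("%-14s %s\n", explicit_flows[i].text,
               well_typed(&explicit_flows[i]) ? "ok" : "type error");
    for (int i = 0; i < 3; i++)
        printf("%-14s %s\n", implicit_flows[i].text,
               well_typed(&implicit_flows[i]) ? "ok" : "type error");
    return 0;
}
```

The assignments under `if (testHigh)` move no High value, yet they fail because the program-counter label is joined into the source label.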
Declassification
• MLS is too restrictive
• Examples:
  ‣ Encryption
  ‣ Distributed auction
  ‣ Password check
• Solutions:
  ‣ Declassification
    • Reduce the level of data -- tolerable leakage
Open challenges
• System-wide security
• Certifying compilation
• Abstraction-violating attacks
• Dynamic policies
• Practical issues
• Variations of static analysis
Take away
“The inability to express or enforce end-to-end security policies is a serious problem with our current computing infrastructure, and language-based techniques appear to be essential to any solution to this problem.”