Retrofitting Legacy Code with Authorization Mechanisms
Vinod Ganapathy, Rutgers University (vinodg@cs.rutgers.edu)
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 2
Principle of Design for Security
To create a secure system, design it to be secure from the ground up.
Historic example:
• MULTICS [Corbato et al. ‘65]
More recent examples:
• Operating systems
• Database servers
Relevance of the Principle today
Most deployed software is not designed for security.
Deadline-driven software development:
• Design.Build.(Patch)* is here to stay
• Few people have expertise with a single large codebase
• Tedious to sift through large codebases and reason about security
• Diverse/evolving security requirements
  o MULTICS security study [Karger and Schell, ‘72]
Retrofitting legacy code
Need systematic techniques to retrofit legacy code for security.
(Figure: Legacy code, INSECURE → Retrofitted code, SECURE)
Retrofitting legacy code
Need systematic techniques to retrofit legacy code for security.
Enforcing type safety
• CCured [Necula et al. ’02]
Partitioning for privilege separation
• PrivTrans [Brumley and Song, ’04]
Enforcing authorization policies
Enforcing authorization policies
(Figure: a resource user sends an operation request to the resource manager and receives a response; before servicing the request, the resource manager asks the reference monitor “Allowed? YES/NO”; the reference monitor decides according to the authorization policy, e.g. ‹Alice, /etc/passwd, File_Read›.)
Retrofitting for authorization
Mandatory access control for Linux
• Linux Security Modules [Wright et al., ’02]
• SELinux [Loscocco and Smalley, ’01]
Secure windowing systems
• Trusted X, Compartmented-mode workstation, X11/SELinux [Epstein et al., ’90] [Berger et al., ’90] [Kilpatrick et al., ’03]
Java Virtual Machine/SELinux [Fletcher, ‘06]
IBM Websphere/SELinux [Hocking et al., ‘06]
Painstaking, manual procedure
This tutorial
Three program analysis and transformation techniques (in increasing order of sophistication) to retrofit legacy code with reference monitors
Contents of the tutorial
Fingerprints: A new representation for security-sensitive operations
Three algorithms to mine fingerprints
Analyses and transformations for authorization policy enforcement
Results: Reduced effort to retrofit legacy code for authorization policy enforcement
• Manual effort needed reduces to a few hours
• Applied to X server, Linux kernel, etc.
Outline
Motivation
Problem
• Example
• Retrofitting legacy code: Lifecycle
Solutions
• Dynamic fingerprint mining
• Static mining with concept analysis
• Static mining leveraging user choice
(Figure sequence: one X server with a LOCAL and a REMOTE X client)
• X server with multiple X clients
• Malicious remote X client
• Undesirable information flow
• Desirable information flow
Other policies to enforce
Prevent unauthorized:
• Copy and paste
• Modification of inputs meant for other clients
• Changes to window settings of other clients
• Retrieval of bitmaps: Screenshots
[Berger et al., ’90] [Epstein et al., ‘90] [Kilpatrick et al., ‘03]
Security by design, in practice: security is not a ‘blocker’
“It isn't clear this qualifies as a blocker under any circumstances. The importance of security increases only as we are into serious deployment and start becoming a target. First things, first....”
- https://dev.laptop.org/ticket/260: Need a way to protect against applications sniffing each other's keystrokes, which X permits by default.
X server with authorization
(Figure: an X client sends an operation request to the X server and receives a response; the X server consults a reference monitor, “Allowed? YES/NO”, which decides according to the authorization policy.)
Outline: Problem • Example • Retrofitting legacy code: Lifecycle
Retrofitting lifecycle
1. Identify security-sensitive operations
2. Locate where they are performed in code
3. Instrument these locations
(Figure: the security-sensitive operations Input_Event, Create, Destroy, Copy, Paste and Map are located in the source code, and policy checks are inserted at those locations, e.g. “Can the client receive this Input_Event?”)
Problems: Manual
X11: proposed 2003, implemented 2007, changing to date [Kilpatrick et al., ‘03]
Linux Security Modules: ~2 years [Wright et al., ’02]
PostgreSQL: Began in 2006, still not mainline.
“At this point, SE-PostgreSQL has taken up a *lot* of community resources, not to mention an enormous and doubtless frustrating amount of *the lead developer’s* time and effort, thus far without a single committed patch, or even a consensus as to what it should (or could) do. Rather than continuing to blunder into the future, I think we need to do a reality check”
- http://archives.postgresql.org/message-id/[email protected]
Problems: Error-prone
Violation of complete mediation
Time-of-check to time-of-use bugs [Zhang et al., ‘02] [Jaeger et al., ‘04]
Our approach (principled, automated)
Fingerprints: A new representation of security-sensitive operations
Legacy code retrofitted using fingerprints
• Use of static and dynamic program analysis
• Must achieve complete mediation
• Ideally, must not place redundant hooks
Approach overview
(Figure: Legacy code → Miner → Fingerprints → Matcher → Retrofitted code)
Outline: Solution • Fingerprints • Dynamic fingerprint mining • Static fingerprint mining with concept analysis • Static fingerprint mining leveraging user choice
What are fingerprints?
Resource accesses that are unique to a security-sensitive operation
Denote key steps needed to perform the security-sensitive operation on a resource
Code-level signatures of security-sensitive operations
Examples of fingerprints
Input_Event :- Cmp xEvent->type == KeyPress
(Figure: the security-sensitive operations Input_Event, Create, Destroy, Copy, Paste and Map, each tied to the source code by its fingerprint)
Examples of fingerprints
Input_Event :- Cmp xEvent->type == KeyPress
Input_Event :- Cmp xEvent->type == MouseMove
Map :- Set Window->mapped to True & Set xEvent->type to MapNotify
Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0
Fingerprint matching: X server function MapSubWindows performs Enumerate
Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0

```c
MapSubWindows(Window *pParent, Client *pClient) {
    Window *pWin;
    …
    // Run through linked list of child windows
    pWin = pParent->firstChild;            // Read Window->firstChild
    …
    for (; pWin != 0; pWin = pWin->nextSib) {   // Cmp Window != 0, Read Window->nextSib
        ...
        // Code that maps each child window
        ...
    }
}
```
Placing authorization checks: X server function MapSubWindows

```c
MapSubWindows(Window *pParent, Client *pClient) {
    Window *pWin;
    …
    // Run through linked list of child windows, but only if the policy allows
    // this client to Enumerate the children of pParent
    if (CHECK(pClient, pParent, Enumerate) == ALLOWED) {
        pWin = pParent->firstChild;
        …
        for (; pWin != 0; pWin = pWin->nextSib) {
            ...
            // Code that maps each child window
            ...
        }
    } else {
        HANDLE_FAILURE
    }
}
```
Fingerprint matching
Currently employ simple pattern matching; more sophisticated matching possible
• Metacompilation [Engler et al., ‘01]
• MOPS [Chen and Wagner, ‘02]
Inserting authorization checks is akin to static aspect-weaving [Kiczales et al., ’97]
Other aspect-weaving techniques possible
• Runtime aspect-weaving
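The three lifecycle steps above (identify operations, locate them by matching fingerprints, instrument the locations with a check) can be exercised end to end on a small model. The following is an added example written for this transcript; it is not the tutorial's own tool. It represents each function by the set of resource accesses extracted from it, matches the fingerprints from the "Examples of fingerprints" slide by simple pattern matching (a fingerprint matches when all of its accesses occur in the function), and then weaves a CHECK-before-body hook in the style of the MapSubWindows slide. The policy triples, the `local-client`/`remote-client` subjects and the `QueryWindowState` function are constructed for the example.

```python
"""Fingerprint matching and authorization-hook placement (added example)."""
from functools import wraps

# Fingerprints as on the "Examples of fingerprints" slide: an operation may have
# several alternative fingerprints, each a conjunction of resource accesses.
FINGERPRINTS = {
    "Input_Event": [{"Cmp xEvent->type == KeyPress"}, {"Cmp xEvent->type == MouseMove"}],
    "Map": [{"Set Window->mapped To True", "Set xEvent->type To MapNotify"}],
    "Enumerate": [{"Read Window->firstChild", "Read Window->nextSib", "Cmp Window != 0"}],
}

# Resource accesses extracted per function. MapSubWindows and MapWindow follow the
# slides; QueryWindowState is a hypothetical function constructed for the example.
FUNCTION_ACCESSES = {
    "MapSubWindows": {"Set xEvent->type To MapNotify", "Set Window->mapped To True",
                      "Read Window->firstChild", "Read Window->nextSib", "Cmp Window != 0"},
    "MapWindow": {"Set xEvent->type To MapNotify", "Set Window->mapped To True"},
    "QueryWindowState": {"Read Window->mapped"},
}


def match_fingerprints(function_accesses=FUNCTION_ACCESSES, fingerprints=FINGERPRINTS):
    """Simple pattern matching: a function performs an operation when every access
    of one of that operation's fingerprints occurs in the function."""
    return {
        fn: sorted(op for op, alternatives in fingerprints.items()
                   if any(alt <= accesses for alt in alternatives))
        for fn, accesses in function_accesses.items()
    }


# Authorization policy as <subject, object, operation> triples (constructed).
POLICY = {
    ("local-client", "root", "Enumerate"),
    ("local-client", "root", "Map"),
}


def check(client, resource, operation, policy=POLICY):
    """Reference monitor: the single place where the policy is consulted."""
    return (client, resource, operation) in policy


def guarded(operations, policy=POLICY):
    """Weave a CHECK for each operation the matcher attributed to a function.
    All checks run before the body touches the resource, so a denied request
    performs none of the fingerprinted accesses (the CHECK ... else
    HANDLE_FAILURE pattern from the MapSubWindows slide)."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(client, window, *args, **kwargs):
            for op in operations:
                if not check(client, window["id"], op, policy):
                    return ("denied", op)            # HANDLE_FAILURE
            return fn(client, window, *args, **kwargs)
        return wrapper
    return decorate


def make_window(wid, children=()):
    """Minimal stand-in for the X server's Window structure."""
    return {"id": wid, "mapped": False, "children": list(children)}


MATCHES = match_fingerprints()


@guarded(MATCHES["MapSubWindows"])          # checks Enumerate and Map
def map_sub_windows(client, parent):
    """Retrofitted MapSubWindows: walk the child list (Enumerate), map each child (Map)."""
    mapped = []
    for child in parent["children"]:        # Read firstChild / nextSib, Cmp != 0
        child["mapped"] = True               # Set Window->mapped To True
        mapped.append(child["id"])
    return ("ok", mapped)


if __name__ == "__main__":
    print(MATCHES)
    root = make_window("root", [make_window("w1"), make_window("w2")])
    print(map_sub_windows("local-client", root))    # ('ok', ['w1', 'w2'])
    print(map_sub_windows("remote-client", root))   # ('denied', 'Enumerate')
```

The matcher attributes both Enumerate and Map to MapSubWindows and only Map to MapWindow, which mirrors the "Problem with this proposal" slide: the same API call name hides different sets of resource accesses, and the hooks follow the accesses rather than the call. Placing the check ahead of the loop, rather than inside it, is what keeps the hook from the partial-execution and time-of-check/time-of-use problems listed under "Error-prone".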
Outline: Solution • Fingerprints • Dynamic fingerprint mining • Static fingerprint mining with concept analysis • Static fingerprint mining leveraging user choice
Dynamic fingerprint mining
(Figure: inputs are the security-sensitive operations Input_Event, Create, Destroy, Copy, Paste, Map and the source code)
Output: Fingerprints, e.g. Input_Event :- Cmp xEvent->type == KeyPress
Dynamic fingerprint mining
Security-sensitive operations [NSA’03]; use this information to induce the program to perform security-sensitive operations
• Input_Event: Input to window from device
• Create: Create new window
• Destroy: Destroy existing window
• Map: Map window to console
Problem definition
S: Set of security-sensitive operations
D: Descriptions of operations in S
R: Set of resource accesses
• Read/Set/Cmp of Window/xEvent
Each s ∈ S has a fingerprint
• A fingerprint is a subset of R
• Contains a resource access unique to s
Problem: Find fingerprints for each security-sensitive operation in S using D
Traces contain fingerprints
Induce security-sensitive operation
• Typing to window will induce Input_Event
Fingerprint must be in runtime trace
• Cmp xEvent->type == KeyPress
Compare traces to localize
Localize fingerprint in trace
• Trace difference and intersection
Runtime traces
Trace the program and record reads/writes to resource data structures
• Window and xEvent in our experiments
Example: from X server startup (in function SetWindowtoDefaults)
  Set Window->prevSib to 0
  Set Window->firstChild to 0
  Set Window->lastChild to 0
  … about 1400 such resource accesses
Using traces for fingerprinting
Obtain traces for each security-sensitive operation
• Series of controlled tracing experiments
Examples
• Typing to keyboard generates Input_Event
• Creating new window generates Create
• Creating window also generates Map
• Closing existing window generates Destroy
Comparison with “diff” and “∩”
(Figure: a matrix of tracing experiments against security-sensitive operations)
• Experiments: Open xterm, Close xterm, Move xterm, Open browser, Switch windows
• Operations: Create, Destroy, Map, Unmap, Input_Event
Annotation is a manual step
Comparison with “diff” and “∩” (continued)
Create = Open xterm ∩ Open browser − Move xterm
Perform the same set operations on resource accesses
Set equations
Each trace has a set of labels
• Open xterm: {Create, Map}
• Browser: {Create, Destroy, Map, Unmap}
• Move xterm: {Map, Input_Event}
Need set equation for {Create}
• Compute an exact cover for this set
• Open xterm ∩ Open browser − Move xterm
Perform the same set operations on the set of resource accesses in each trace
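The set-equation step can be made concrete. The following is an added example for this transcript, not the tutorial's own mining tool: it takes the three labelled traces from the slide, searches for an expression over ∩ and − whose label set is exactly the target (an exact cover), and then evaluates the same expression over the resource-access sets of the traces. The label sets are the slide's; the resource-access sets, the access names other than the ones already on the slides, and the search bound are constructed for the example.

```python
"""Dynamic fingerprint mining by comparing labelled runtime traces (added example)."""
from itertools import product

# Operation labels per tracing experiment, as given on the "Set equations" slide.
# Annotating each experiment with the operations it induces is the manual step.
TRACE_LABELS = {
    "Open xterm":   {"Create", "Map"},
    "Open browser": {"Create", "Destroy", "Map", "Unmap"},
    "Move xterm":   {"Map", "Input_Event"},
}

# Constructed stand-ins for the pruned resource-access traces (the real ones hold
# on the order of 1400 accesses each). They are grouped here by the operation they
# belong to only so the expected answer is known; the miner never sees the grouping.
_CREATE = {"Set Window->parent To pParent", "Set Window->firstChild To 0"}
_MAP = {"Set Window->mapped To True", "Set xEvent->type To MapNotify"}
_DESTROY = {"Set Window->parent To 0"}
_UNMAP = {"Set Window->mapped To False", "Set xEvent->type To UnmapNotify"}
_INPUT = {"Cmp xEvent->type == KeyPress", "Cmp xEvent->type == MouseMove"}
_NOISE = {"Read Window->firstChild", "Read Window->nextSib"}  # present in every trace

TRACE_ACCESSES = {
    "Open xterm":   _CREATE | _MAP | _NOISE,
    "Open browser": _CREATE | _DESTROY | _MAP | _UNMAP | _NOISE,
    "Move xterm":   _MAP | _INPUT | _NOISE,
}

# The equation written on the slide: Open xterm ∩ Open browser − Move xterm.
SLIDE_EQUATION = ("-", ("&", "Open xterm", "Open browser"), "Move xterm")


def evaluate(expr, sets):
    """Evaluate a set expression over `sets` (trace name -> set). `expr` is either a
    trace name or a tuple (op, left, right) with op "&" (∩) or "-" (difference)."""
    if isinstance(expr, str):
        return set(sets[expr])
    op, left, right = expr
    lhs, rhs = evaluate(left, sets), evaluate(right, sets)
    return lhs & rhs if op == "&" else lhs - rhs


def format_expr(expr):
    """Render an expression in the slide's notation."""
    if isinstance(expr, str):
        return expr
    op, left, right = expr
    return f"({format_expr(left)} {'∩' if op == '&' else '−'} {format_expr(right)})"


def find_set_equation(target, labels=TRACE_LABELS, max_atoms=4):
    """Breadth-first search for an exact cover: an expression over the traces whose
    label set equals `target`. Returns None when no expression using up to
    `max_atoms` trace names works, which means another tracing experiment is needed."""
    names = list(labels)
    target = set(target)
    frontier = list(names)                       # expressions with one atom
    for _ in range(max_atoms):
        for expr in frontier:
            if evaluate(expr, labels) == target:
                return expr
        # grow every expression by one more atom, combined with ∩ or −
        frontier = [(op, expr, atom) for expr in frontier for op, atom in product("&-", names)]
    return None


def mine_fingerprint(target, labels=TRACE_LABELS, accesses=TRACE_ACCESSES):
    """Find a set equation on the labels and apply the same equation to the
    resource-access sets; the result is the candidate fingerprint for `target`."""
    expr = find_set_equation(target, labels)
    if expr is None:
        return None, None
    return expr, evaluate(expr, accesses)


if __name__ == "__main__":
    expr, fingerprint = mine_fingerprint({"Create"})
    print("Create =", format_expr(expr))
    print("fingerprint:", sorted(fingerprint))
    print("slide equation gives:", sorted(evaluate(SLIDE_EQUATION, TRACE_ACCESSES)))
    print("Destroy alone:", find_set_equation({"Destroy"}))
```

Two things worth noticing when running it. The search returns the shorter equation Open xterm − Move xterm for {Create}; the slide's Open xterm ∩ Open browser − Move xterm is also exact and yields the same accesses, because the resource-access sets obey the same algebra as the labels. For {Destroy} the search returns None: Destroy and Unmap occur together in every trace, so no combination of these three experiments can separate them, which is exactly the situation in which the annotator has to design a further experiment.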
Experimental methodology
(Figure: pipeline)
• Source code → gcc --enable-logging → Server with logging enabled
• Server with logging enabled → Run experiments and collect traces → Raw traces
• Raw traces → Localize security-sensitive operation → Relevant portions of traces
• Relevant portions of traces → Compare traces with “diff” and “∩” → Pruned traces
Dynamic mining: Results
(Chart: size at each stage, log scale)
• Source code: 1,000,000
• Raw traces: 54,000
• Relevant portions: 900
• Pruned traces: 126
Each fingerprint localized to within 126 resource accesses
Limitations of dynamic mining
1. Incomplete: False negatives
2. High-level description needed
3. Operations are manually induced
Outline: Solution • Fingerprints • Dynamic fingerprint mining • Static fingerprint mining with concept analysis • Static fingerprint mining leveraging user choice
Static fingerprint mining
(Figure: inputs are the source code and the resources of interest)
Resources
• Window
• xEvent
Output: Candidate fingerprints, e.g. Cmp xEvent->type == KeyPress
Problem definition
R: Set of resource accesses
• Read/Set/Cmp of Window/xEvent
E: Set of entry points into the server
Goal: Find fingerprints using R and E
Not given an a priori description of security-sensitive operations
Straw-man proposal I
Finest level of granularity: each resource access in R is a fingerprint
• Cmp xEvent->type == KeyPress
• Read Window->firstChild
• Read Window->nextSib
• Cmp Window ≠ 0
Problem with this proposal
• Cmp xEvent->type == KeyPress
• Read Window->firstChild
• Read Window->nextSib
• Cmp Window ≠ 0
Difficult to write and maintain policies at this level of granularity
Straw-man proposal II
Coarsest level of granularity: each API in E is a fingerprint
• Call MapSubWindows
• Call MapWindow
Write policies allowing/disallowing the use of an API call
Problem with this proposal
Call MapSubWindows
• Enumerates child windows and maps them to the screen
Call MapWindow
• Maps a window onto the screen
Does not reflect actual resource accesses performed by API call
Our approach
Each API entry point implicitly defines a set of resource accesses
Cluster resource accesses based upon the API entry points that perform them
Cluster resource accesses that always happen together
Static analysis
Extract resource accesses potentially possible via each entry point
Example from the X server
• Entry point: MapSubWindows(…)
• Resource accesses:
  Set xEvent->type To MapNotify
  Set Window->mapped To True
  Read Window->firstChild
  Read Window->nextSib
  Cmp Window ≠ 0
Resource accesses per entry point
• MapSubWindows: Set xEvent->type To MapNotify, Set Window->mapped To True, Read Window->firstChild, Read Window->nextSib, Cmp Window ≠ 0
• MapWindow: Set xEvent->type To MapNotify, Set Window->mapped To True
• KeyboardInput: Cmp xEvent->type == KeyPress
270 API functions, 430 distinct resource accesses
Identify candidate fingerprints by clustering resource accesses
Concept analysis
• Instances: the API entry points (MapSubWindows, MapWindow, KeyboardInput)
• Features: the resource accesses (Set xEvent->type To MapNotify, Set Window->mapped To True, Read Window->firstChild, Read Window->nextSib, Cmp Window ≠ 0, Cmp xEvent->type == KeyPress)
Comparison via hierarchical clustering
Hierarchical clustering
Instances: A = MapSubWindows, B = MapWindow, C = KeyboardInput
Features: 1 = Set xEvent->type To MapNotify, 2 = Set Window->mapped To True, 3 = Read Window->firstChild, 4 = Read Window->nextSib, 5 = Cmp Window ≠ 0, 6 = Cmp xEvent->type == KeyPress
Concept lattice (set of instances, set of features they share):
• {A,B,C}, ∅
• {A,B}, {1,2}
• {A}, {1,2,3,4,5}
• {C}, {6}
• ∅, {1,2,3,4,5,6}
Mining candidate fingerprints
Same instances A, B, C and features 1–6 as above; each of the three intermediate concepts of the lattice yields one candidate fingerprint:
• {A,B}, {1,2} → candidate fingerprint
• {A}, {1,2,3,4,5} → candidate fingerprint
• {C}, {6} → candidate fingerprint
(The top concept {A,B,C}, ∅ and the bottom concept ∅, {1,2,3,4,5,6} yield none.)
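The lattice on the "Hierarchical clustering" slide and the three candidates on this one can be computed mechanically. The following is an added example for this transcript, not the tutorial's own miner: it builds the concept lattice of the entry-point/resource-access relation by formal concept analysis and derives one candidate fingerprint per concept as the accesses in the concept's feature set that no larger concept already contains. That last step is a reading of the slide: it reproduces {1,2} for Map, {3,4,5} for Enumerate (matching the Enumerate fingerprint on the "Examples of fingerprints" slide) and {6} for Input_Event, and it is what makes the top and bottom concepts yield nothing. The relation is the slide's; only the function names and the sort order are this example's.

```python
"""Static fingerprint mining with concept analysis (added example)."""
from itertools import combinations

# Incidence relation from the "Concept analysis" slide: for each API entry point
# (instance), the resource accesses (features) statically reachable from it.
ENTRY_POINT_ACCESSES = {
    "MapSubWindows": {"Set xEvent->type To MapNotify", "Set Window->mapped To True",
                      "Read Window->firstChild", "Read Window->nextSib", "Cmp Window != 0"},
    "MapWindow":     {"Set xEvent->type To MapNotify", "Set Window->mapped To True"},
    "KeyboardInput": {"Cmp xEvent->type == KeyPress"},
}


def extent(intent, relation):
    """Instances that perform every access in `intent`."""
    return frozenset(i for i, feats in relation.items() if intent <= feats)


def concept_lattice(relation):
    """All formal concepts (extent, intent) of the relation. Every concept intent is an
    intersection of instance intents (the empty intersection being the full feature
    set), so the lattice is obtained by closing the instance intents under pairwise
    intersection and pairing each closed intent with its extent."""
    all_features = frozenset().union(*relation.values())
    intents = {all_features} | {frozenset(f) for f in relation.values()}
    changed = True
    while changed:
        changed = False
        for a, b in combinations(list(intents), 2):
            if (a & b) not in intents:
                intents.add(a & b)
                changed = True
    lattice = [(extent(i, relation), i) for i in intents]
    # largest extent (top of the lattice) first; deterministic order for printing
    return sorted(lattice, key=lambda c: (-len(c[0]), sorted(c[1])))


def candidate_fingerprints(relation):
    """A concept's candidate fingerprint is the part of its intent not present in any
    concept above it (strictly larger extent): the accesses that this group of entry
    points performs and no broader group does. Concepts that introduce nothing new,
    here the top and the bottom, yield no candidate."""
    lattice = concept_lattice(relation)
    candidates = []
    for ext, intent in lattice:
        inherited = frozenset().union(*[i2 for e2, i2 in lattice if ext < e2])
        own = intent - inherited
        if own:
            candidates.append((ext, own))
    return candidates


if __name__ == "__main__":
    for ext, intent in concept_lattice(ENTRY_POINT_ACCESSES):
        print(sorted(ext), "->", sorted(intent))
    for ext, own in candidate_fingerprints(ENTRY_POINT_ACCESSES):
        print("candidate fingerprint", sorted(own), "performed by", sorted(ext))
```

Each candidate comes with its extent, the set of entry points that perform it, so the same computation also answers the matching question for free: the {3,4,5} candidate is performed by MapSubWindows alone, while {1,2} is shared by MapSubWindows and MapWindow. Interpreting the candidates (deciding that {3,4,5} is Enumerate) remains the manual step the results slides refer to.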
Static mining: Results
Benchmark      LOC      Cand. Fing.   Avg. Size
ext2           4,476    18            3.7
X Server/dix   30,096   115           3.7
PennMUSH       94,014   38            1.4
(Chart: the same LOC and candidate-fingerprint counts per benchmark on a log scale)
Static mining: Results
Benchmark      Manually identified security-sensitive ops   Candidate fingerprints
ext2           11                                           18
X Server/dix   22                                           115
Able to find at least one fingerprint for each security-sensitive operation
Slide 60: Static mining: Results
[Same table as slide 59, annotated: the manually identified operations were identified as part of multi-year efforts; the candidate fingerprints were identified automatically in a few minutes, and interpretation takes just a few hours.]
Slide 61: Static mining: Results
[Same table as slide 59.]
Associated 59 candidate fingerprints with security-sensitive operations.
Remaining are likely security-sensitive too (shown: Read Window->DrawableRec->width & Read Window->DrawableRec->height).
Slide 62: Outline
Motivation
Problem
Solution
• Fingerprints
• Dynamic fingerprint mining
• Static fingerprint mining with concept analysis
• Static fingerprint mining leveraging user choice
  o Divya Muthukumaran and Trent Jaeger
Slide 63: Shortcomings that remain
Identifying security-sensitive objects is still manual
Hook placement suggested by fingerprints:
• Are they “minimal”?
• How do they compare to manually-placed hooks?
Slide 65: Inferring security-sensitive objects and operations
Idea: Follow the client request
• In servers, the client request determines choice.
“Choice”:
• Determines which objects are selected to be operated upon.
• Determines which operation is selected to be performed on those objects.
Slide 66
[Figure: a server program receives a request i from User A or User B through the request interface, retrieves v = Lookup(O, i) from container O (objects o1-o4), and performs one of the operations Op1.1, Op1.2, Op1.3 on it (read v, write v). Legend: security-sensitive operation; tainted variable; security-sensitive variable; control statement predicated on tainted variable.]
Slide 67
[Figure: analysis pipeline. Inputs: Program, User request, Lookup Function, Global Reads. Steps: A) Identify Tainted Variables (VT); B) Identify Security-sensitive Objects (VS); C) User-choice Operations; D) Security-sensitive operations.]
Slide 68

```c
clientRequest stuff = ReadRequestFromClient();   /* the client request: taint source */
…

int ChangeWindowProperty(ClientPtr *c, WindowPtr *w)
{
    WindowPtr *win;
    PropertyPtr *pProp;
    /* objects are retrieved from containers using fields of the request */
    err = LookupWindow(&win, stuff->window, c);
    rc = LookupProperty(&pProp, win, stuff->property, c);
    if (rc == BadMatch) {                   /* Op 1 */
        pProp->name = property;
        pProp->format = format;
        pProp->data = data;
        pProp->size = len;
    } else {                                /* Op 2 */
        if (stuff->mode == REPLACE) {       /* Op 2.1 */
            pProp->data = data;
            pProp->size = len;
            pProp->format = format;
        } else if (stuff->mode == APPEND) { /* Op 2.2 */
            pProp->data = data;
            pProp->size += len;
        }
    }
}
```
Slide 69: Static Taint analysis
[Same ChangeWindowProperty code as slide 68.]
Slide 70
[Figure: analysis pipeline as on slide 67.]
Retrieval of objects from containers:
• List access (*->next pointer)
• Array access (pointer arithmetic)
…
Slide 71
List Access: LookupProperty

```c
/* walk the window's property list until the requested name matches */
for (prop = win->userProps; prop; prop = prop->next) {
    if (prop->name == pName)
        break;
}
*p = prop;          /* NULL when no property matched */
return p;
```

Array Access: LookupWindow

```c
/* index the per-client resource table with the request-supplied index */
Resource res = clientTable[i];
return res;
```
Slide 72
[Figure: analysis pipeline as on slide 67.]
Def 2: A variable v ∈ V_S(P) if any of the following are true:
a) it is assigned a value from a container via a lookup function using a variable v ∈ V_T(P);
b) D is true for some v’ ∈ V_S(P);
c) it is a global variable and in the set V_T(P).
Slide 73
[Same ChangeWindowProperty code as slide 68.]
Technology: Detecting code patterns; Static Taint analysis
Slide 74
[Figure: analysis pipeline as on slide 67.]
Slide 75
[Same ChangeWindowProperty code as slide 68.]
Slide 76
[Figure: a Control Flow Graph (CFG) with nodes A, B, C, D, in which A branches to B (taken) and C (not taken) and both reach D, beside its Control Dependence Graph (CDG), in which B and C are control dependent on A (taken / not-taken edges) while D is not.]
Slide 78
[Figure: analysis pipeline as on slide 67.]
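Steps A to D of the pipeline (slides 65-78), as an added example and not the authors' analysis: a small forward taint and control-dependence pass over a hand-written intermediate form of ChangeWindowProperty from slide 68. It assumes structured code (so a statement is control dependent on the predicates of the if/else blocks enclosing it), folds field accesses into their base variable, and uses placeholder container names (clientTable, and the window for its property list).

```python
"""Steps A-D of the slide 67 pipeline, run over a hand-written intermediate form of
ChangeWindowProperty (slide 68). Added example, not the authors' analysis. Assumptions:
structured code, so a statement is control dependent on the predicates of the if/else
blocks enclosing it (the general case uses the control dependence graph of slide 76);
a field access stands for its base variable; Def 2 applied with clauses (a) and (c)."""
from collections import namedtuple

Assign = namedtuple("Assign", "dst srcs")             # dst = f(srcs)
Lookup = namedtuple("Lookup", "dst container index")  # dst = LookupFn(container, index)
Write = namedtuple("Write", "obj fld label")          # obj->fld = ...; an operation on obj
If = namedtuple("If", "cond then orelse")             # if (cond) { then } else { orelse }

# stuff = ReadRequestFromClient() is the taint source. Container names are assumptions.
PROGRAM = [
    Lookup("win", "clientTable", "stuff"),       # err = LookupWindow(&win, stuff->window, c)
    Lookup("pProp", "win", "stuff"),             # rc = LookupProperty(&pProp, win, stuff->property, c)
    Assign("rc", ("win", "stuff")),              # rc: status of that lookup
    If("rc",                                     # if (rc == BadMatch)
       [Write("pProp", f, "Op 1") for f in ("name", "format", "data", "size")],
       [If("stuff",                              # if (stuff->mode == REPLACE)
           [Write("pProp", f, "Op 2.1") for f in ("data", "size", "format")],
           [If("stuff",                          # else if (stuff->mode == APPEND)
               [Write("pProp", f, "Op 2.2") for f in ("data", "size")], [])])]),
    Write("c", "sequence", "bookkeeping"),       # constructed: not under a request-dependent branch
]


def flatten(stmts):
    """Every statement in the program, nested ones included."""
    for s in stmts:
        yield s
        if isinstance(s, If):
            yield from flatten(s.then)
            yield from flatten(s.orelse)


def tainted_variables(program, sources):
    """Step A: forward taint from the client request through assignments and lookups."""
    vt = set(sources)
    changed = True
    while changed:
        changed = False
        for s in flatten(program):
            from_taint = (isinstance(s, Assign) and any(v in vt for v in s.srcs)) or \
                         (isinstance(s, Lookup) and (s.index in vt or s.container in vt))
            if from_taint and s.dst not in vt:
                vt.add(s.dst)
                changed = True
    return vt


def sensitive_variables(program, vt, globals_=frozenset()):
    """Step B (Def 2, clauses a and c): objects retrieved from a container with a
    tainted index, plus tainted globals."""
    looked_up = {s.dst for s in flatten(program) if isinstance(s, Lookup) and s.index in vt}
    return looked_up | (set(globals_) & vt)


def user_choice_operations(stmts, vt, preds=()):
    """Step C: writes control dependent on at least one predicate over a tainted variable."""
    ops = []
    for s in stmts:
        if isinstance(s, If):
            nested = preds + ((s.cond,) if s.cond in vt else ())
            ops += user_choice_operations(s.then, vt, nested)
            ops += user_choice_operations(s.orelse, vt, nested)
        elif isinstance(s, Write) and preds:
            ops.append(s)
    return ops


def security_sensitive_operations(program, sources, globals_=frozenset()):
    """Step D: user-choice operations that write a security-sensitive object."""
    vt = tainted_variables(program, sources)
    vs = sensitive_variables(program, vt, globals_)
    return sorted({(w.label, w.obj, w.fld) for w in user_choice_operations(program, vt) if w.obj in vs})
```

Calling security_sensitive_operations(PROGRAM, {"stuff"}, {"clientTable"}) returns the nine pProp field writes under Op 1, Op 2.1 and Op 2.2, and leaves out the constructed bookkeeping write, which no request-dependent predicate guards.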
Slide 80: Results: Reduction in programmer effort

| Program                      | X Server   | postgres   | pennmush   | memcached |
|------------------------------|------------|------------|------------|-----------|
| LOC                          | 28k        | 49k        | 78k        | 9k        |
| Total variables              | 7795       | 12350      | 24372      | 2350      |
| Tainted variables            | 2975 (38%) | 5100 (41%) | 4168 (17%) | 490 (20%) |
| Security sensitive variables | 823 (9%)   | 402 (3%)   | 1573 (6%)  | 82 (3%)   |
| Data structures              | 404        | 278        | 311        | 41        |
| Sensitive data structures    | 61 (15%)   | 30 (10%)   | 38 (12%)   | 7 (17%)   |
| User-choice operations       | 4760       | 5063       | 6485       | 996       |
| Sensitive operations         | 1382 (29%) | 1378 (27%) | 1382 (21%) | 203 (20%) |
Slide 81: Results: Reduction in programmer effort
[Same table as slide 80, annotated with the number 2241.]
Slide 82: Results: Reduction in programmer effort
[Same table as slide 80, here giving security sensitive variables for X Server as 823 (10%), annotated: < 95%.]
Slide 84: Results
Two sets of programs:
a) With manually placed hooks: X server, postgres.
b) No manual hooks: pennmush, memcached.
Slide 85: Results: Reduction in programmer effort

| Program                      | X Server   | postgres   | pennmush   | memcached |
|------------------------------|------------|------------|------------|-----------|
| LOC                          | 28k        | 49k        | 78k        | 9k        |
| Security sensitive variables | 823 (10%)  | 402 (3%)   | 1573 (6%)  | 82 (3%)   |
| Sensitive operations         | 1382 (29%) | 1378 (27%) | 1382 (21%) | 203 (20%) |
| Hooks                        | 532 (11%)  | 579 (11%)  | 714 (11%)  | 56 (5%)   |

Annotation: < 61%
Slide 86: Comparing with manual hooks
X Server:
• Manual: ~200 hooks
• Automated: ~530 hooks
Postgres:
• Manual: ~370
• Automated: ~570
What does this mean?
Slide 87: Criteria for comparing hooks
[Figure: hooks evaluated against two criteria, control dominance and data dominance.]
Slide 88: Comparison of manual and automated hook placements
Slide 89: Summary
[Figure: operations (Input_Event, Create, Destroy, Copy, Paste, Map) with the policy question “Can the client receive this Input_Event?”; fingerprints are obtained by mining and located in code by matching.]
Slide 90: Lessons for the future
Modifying legacy code is non-trivial:
• Modifications may break software
• Modifying executables is challenging
Low-overhead runtime system for policy enforcement on unmodified code
Slide 91: Lessons for the future
Type-safety violations are the main problem
Soundness/completeness hard to achieve for C
Provable guarantees with additional runtime checks?
Slide 92: Lessons for the future
Difficult to automate failure handling
• Handling failure gracefully is the main challenge
• Failure handling is a crosscutting concern
Aspect-oriented solution?
Checkpoint and rollback?
Slide 95: Example: X Server
[Figure: two remote clients, Remote Client A and Remote Client B, connected to the X server.]
Slide 96: Example: X Server (confidentiality violation)
[Figure: Remote Client A and Remote Client B with windows WinA and WinB; both clients issue GetScreen (requests GetScreen, WinA and GetScreen, WinB), shown as a confidentiality violation.]
Slide 97: Example: X Server (confidentiality violation, integrity violation)
[Figure: Remote Client A and Remote Client B both issue ChangeProp on WinA (requests ChangeProp, WinA), shown as an integrity violation.]
Slide 98: Example: X Server (confidentiality violation, integrity violation)
[Figure as on slide 97.]
Policy: (clientA, WinA, ChangeProp) (clientB, WinB, ChangeProp) …
Slide 99: Errors in labeling traces (I)
[Figure: five traces (Openxterm, Closexterm, Movexterm, Openbrowser, Switchwindows) labelled with the operations CREATE, DESTROY, MAP, UNMAP, INPUTEVENT.]
Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 100
Errors in labeling traces (I)
Openxterm
Closexterm
Movexterm
Openbrowser
Switchwindows
CREATE
DESTROY
MAP
UNMAP
INPUTEVENT
CREATE = Trace1 – Trace3
Slide 101: Errors in labeling traces (II)
[Figure as on slide 99.]
Slide 102: Dealing with errors in labeling
Missing labels from traces:
• “∩” operation will not discard a fingerprint
• “diff” operation may erroneously eliminate a fingerprint
Extra labels on traces:
• May erroneously eliminate a fingerprint
Trial-and-error:
• Relabel and recompute set equations
Empirically: tolerance of about 15% errors
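The set equations behind slide 102, as an added example that is not part of the deck or the authors' tool: traces constructed to mirror slides 99-101 (with invented pattern names), the ∩/diff fingerprint computation, the CREATE = Trace1 – Trace3 case, and the two labelling errors the slide describes.

```python
"""Dynamic fingerprint mining with the set equations behind slide 102: the fingerprint
of an operation is what every trace labelled with it has in common ("∩"), minus
everything seen in traces not labelled with it ("diff"). Added example, not the
authors' tool. The traces are constructed to mirror slides 99-101 (Trace1 = Openxterm,
Trace3 = Movexterm, so CREATE = Trace1 - Trace3); the pattern names are invented."""

# Constructed traces: (code patterns observed while the user performed the action,
# operations a human labelled the trace with).
TRACES = {
    "Openxterm": ({"alloc_win", "set_parent", "set_mapped", "map_notify", "key_event"},
                  {"CREATE", "MAP", "INPUTEVENT"}),
    "Closexterm": ({"free_win", "unlink_sib", "unmap_notify", "key_event"},
                   {"DESTROY", "UNMAP", "INPUTEVENT"}),
    "Movexterm": ({"set_mapped", "map_notify", "unmap_notify"}, {"MAP", "UNMAP"}),
    "Openbrowser": ({"alloc_win", "set_parent", "set_mapped", "map_notify"}, {"CREATE", "MAP"}),
    "Switchwindows": ({"key_event", "set_mapped", "map_notify"}, {"INPUTEVENT", "MAP"}),
}


def fingerprint_parts(op, traces):
    """The two halves of the set equation: patterns common to every trace labelled op,
    and patterns seen anywhere in the traces not labelled op."""
    labelled = [patterns for patterns, labels in traces.values() if op in labels]
    unlabelled = [patterns for patterns, labels in traces.values() if op not in labels]
    common = set.intersection(*labelled) if labelled else set()
    elsewhere = set().union(*unlabelled)
    return common, elsewhere


def fingerprint(op, traces):
    """fingerprint(op) = ∩(traces labelled op) - ∪(traces not labelled op)."""
    common, elsewhere = fingerprint_parts(op, traces)
    return common - elsewhere


def relabel(traces, name, add=(), drop=()):
    """Copy of the traces with one trace's labels changed; used to inject a labelling
    error (missing label: drop, extra label: add) and see which half of the equation
    it damages."""
    out = dict(traces)
    patterns, labels = out[name]
    out[name] = (patterns, (set(labels) | set(add)) - set(drop))
    return out


if __name__ == "__main__":
    for op in ("CREATE", "DESTROY", "MAP", "UNMAP", "INPUTEVENT"):
        print(op, sorted(fingerprint(op, TRACES)))
    # Missing label: Openbrowser really created a window but was not labelled CREATE.
    # The ∩ half still contains the fingerprint; the diff half wipes it out.
    missing = relabel(TRACES, "Openbrowser", drop=["CREATE"])
    common, _ = fingerprint_parts("CREATE", missing)
    print("missing label: common =", sorted(common), "fingerprint =", fingerprint("CREATE", missing))
    # Extra label: Movexterm labelled CREATE although it created nothing; ∩ shrinks too far.
    extra = relabel(TRACES, "Movexterm", add=["CREATE"])
    print("extra label: fingerprint =", fingerprint("CREATE", extra))
```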
Slide 103: Comparing with manual hooks
Observation 1: Automated hooks tend to be finer grained
• Finer-grained operations
• Finer-grained objects
Slide 104: Finer-grained operations
Slide 105: Comparing with manual hooks
[Same content as slide 103.]
Slide 106: Finer-grained objects
write(pChild->mapped)
read(pWin->firstChild->nextSib)
Slide 107: Comparison of manual and automated hook placements
[Figure with the labels 6,1; 9,3; 51,5.]