Static analysis for security
Luis Sierra, November 2007
Stic AmSud - ReSeCo Workshop, Montevideo, Uruguay
Plan
• Some motivation
• Static analysis
• PySTA: Python Static Analyzer
• Permission usage analysis
• Conclusions and further work
Motivation
• To understand and have experience of the permissions model of Besson, Dufay, and Jensen
• Looking for a quick prototype
• Moreover, I did not know Python
Static analysis: example
• Take a program S
• Take a property P
• Check if P holds in every possible execution of S
– Checking at compile time
– Approximate answers

[x := 2]1;
[y := 4]2;
[x := 1]3;
[read (z)]4;
if [z > x]5
then [z := y]6
else [z := x]7

Every assignment is useful
Static analysis: example
• Check if P holds in every possible execution of S
– Checking at compile time

[x := 2]1;
[y := 4]2;
[x := 1]3;
[read (z)]4;
if [z > x]5
then [z := y]6
else [z := x]7

Every assignment is useful

Pysta:
• 1 : set([])
• 2 : set(['y'])
• 3 : ...
Static analysis: example
• Take a program S
• Take a property P
• If Om does not terminate, we should delete assignment 2. Our analysis solves the halting problem !!!
– Checking at compile time
– Approximate answers

[x := 2]1;
[y := 4]2;
[x := 1]3;
[read (z)]4;
if [z > x]5
then Om; [z := y]6
else [z := x]7

Every assignment is useful
• The analyzer navigates in the control flow graph, collecting relevant information.
• This process must terminate
Working list
• The analyzer navigates in the CFG with an iterator
• We exploit Python flexibility defining
– an implementation with sets
– and an implementation with lists
Working list
```python
class workingList (object):
    def iter (self):
        pass
    def add (self, c):
        pass

def MFP (a):
    W = WLmap [WLoption] (a.flow)
    for (l1, l2) in W.iter ():
        ...
        W.add ([(s,t) for (s,t) in ...])
    ...
```
Fix-point computation
```python
def MFP (a):
    W = WLmap [WLoption] (a.flow)              # working list of flow edges (l1, l2)
    for (l1, l2) in W.iter ():
        fl = a.transfer (l1)                   # transfer function of block l1
        if (not a.latt.leq (fl, a.a [l2])):    # new information for l2?
            a.a [l2] = a.latt.join (a.a [l2], fl)
            W.add ([(s,t) for (s,t) in a.flow if s==l2])   # re-examine edges leaving l2
    a.dump ()
```
A static analysis
```python
from xml.dom.minidom import parseString

def analyze (file, analysisType):
    s = open (file + '.xml').read()            # program exported by pgmtoxml
    p = parseString (s).documentElement
    a = analysisType (p)                       # instance of the chosen analysis class
    MFP (a)
```
• The analysis is declared in the main program
Some implementations
• As well as the working lists, we implemented several static analyses
– Live variables
– Constraint propagation
– Available expressions
– Permission usage
A class for analysis
```python
class MF (object):
    def __init__ (self, pgm, an): ...
    def defLattice (self): pass
    def defextremalValue (self): pass
    def transfer (self, l, s): pass
    def initialAnalysis (self):
        self.a = {}
        for l in self.Lab:
            self.a [l] = self.extremalValue \
                if l in self.extremalLabel \
                else self.latt.bottom ()
        ...
```
Live Variables Analysis
```python
class Analysis (MF):
    def __init__ (self, pgm):
        MF.__init__ (self, pgm, 'BW')          # backward analysis
    def defLattice (self):
        self.latt = SetVarLat ()
    def defextremalValue (self):
        self.extremalValue = SetVar ([])       # nothing is live at the exit
    def transfer (self, l): ...
    # gen/kill sets are read as text attributes of the block and turned into
    # sets with eval; this is only acceptable on program files you trust
    def kill (self, l):
        return SetVar (eval (getKill (self.Blocks[l])))
    def gen (self, l):
        return SetVar (eval (getGen (self.Blocks[l])))
```
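To make the working list, the MFP loop and the live-variables instance concrete, the following example was written for this transcript (it is not PySTA's code): a small worklist fixpoint engine with the join/leq/bottom lattice interface the slides describe, run on the seven-label program of the example slides. The labels, flow edges, kill/gen sets and all function names are assumptions of this example, and the transfer function takes the current value as an argument instead of reading it from the analysis object as the slides' `transfer (l)` does. The values in `a` are the live-out sets, which is what the slide's dump `1 : set([])`, `2 : set(['y'])` shows; the final assignments 6 and 7 also come out dead because nothing reads z after them.

```python
# Added example, not PySTA's code: worklist MFP with a powerset lattice and a
# live-variables analysis on the slide's program.

class PowersetLattice:
    """Sets of variable names ordered by inclusion; join is union, bottom is {}."""
    def bottom(self):
        return frozenset()

    def join(self, a, b):
        return a | b

    def leq(self, a, b):
        return a <= b


def mfp(flow, labels, extremal_labels, extremal_value, latt, transfer):
    """Maximal fixed point over `flow`, a list of (l1, l2) edges.

    a[l] is the value reaching l in the direction of `flow`; for a backward
    analysis the caller passes the reversed edges, so a[l] is the exit value.
    Terminates because the lattice has finite height and transfer is monotone.
    """
    a = {l: extremal_value if l in extremal_labels else latt.bottom()
         for l in labels}
    worklist = list(flow)
    while worklist:
        l1, l2 = worklist.pop(0)
        fl = transfer(l1, a[l1])
        if not latt.leq(fl, a[l2]):              # new information for l2
            a[l2] = latt.join(a[l2], fl)
            worklist.extend((s, t) for (s, t) in flow if s == l2)
    return a


# Constructed (kill, gen) sets per label, following the slide's program:
# [x := 2]1; [y := 4]2; [x := 1]3; [read (z)]4; if [z > x]5 then [z := y]6 else [z := x]7
BLOCKS = {
    1: ({"x"}, set()),
    2: ({"y"}, set()),
    3: ({"x"}, set()),
    4: ({"z"}, set()),
    5: (set(), {"z", "x"}),
    6: ({"z"}, {"y"}),
    7: ({"z"}, {"x"}),
}
ASSIGNMENTS = {1: "x", 2: "y", 3: "x", 6: "z", 7: "z"}   # label -> assigned variable
FLOW = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (5, 7)]
FINAL = {6, 7}                                           # labels where the program ends


def live_variables(blocks=BLOCKS, flow=FLOW, final=FINAL):
    """Returns {label: live-out set}; backward, so MFP runs on the reversed flow."""
    latt = PowersetLattice()

    def transfer(l, live_out):
        kill, gen = blocks[l]
        return frozenset((live_out - kill) | gen)    # live-in = (live-out \ kill) U gen

    reversed_flow = [(t, s) for (s, t) in flow]
    return mfp(reversed_flow, blocks.keys(), final, frozenset(), latt, transfer)


def dead_assignments(blocks=BLOCKS, flow=FLOW, final=FINAL, assignments=ASSIGNMENTS):
    """Assignments whose target is not live on exit: the value is never read."""
    live_out = live_variables(blocks, flow, final)
    return sorted(l for l, v in assignments.items() if v not in live_out[l])


if __name__ == "__main__":
    for l, s in sorted(live_variables().items()):
        print(l, sorted(s))
    print("useless assignments:", dead_assignments())
```

Assignment 1 is reported as useless because x is overwritten at 3 before any read, which is the answer the slides expect; the `Om` variant of the example is exactly the case this engine cannot settle, since it never looks at whether a block terminates.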
Lattices
• The information collected in a static analysis is good enough to provide
– an operation of least upper bound (latt.join)
– a comparison (latt.leq)
• We are not interested in proving that a structure is a lattice, but in implementing quickly the relevant operations
A lattice
```python
class lattice (object):
    def U (self):
        """Support set of the lattice. Meaningful if the
        support set is finite."""
        pass
    def join (self, a, b):
        """Join operation: returns a new object with
        value in the lattice."""
        pass
    def leq (self, a, b):
        """Less or equal relation: returns True or
        False."""
        pass
    def bottom (self):
        """Bottom: returns a new object """
        pass
```
A library of lattices
```python
class semilattice (object): ...

## a cartesian product using tuples
class cartesianProduct (lattice): ...

## a function space
class functionspace (lattice): ...

## a function using a dictionary
class genFunction (object): ...

class newbottom (lattice): ...

class powerset (lattice): ...

class dual (lattice): ...
```
Multiplicities and permissions
[diagram of the multiplicities lattice; only the values 1 and 0 are legible in the transcript]
Permissions lattice
![Page 20: Static analysis for security](https://reader036.fdocuments.in/reader036/viewer/2022062809/568158dd550346895dc623da/html5/thumbnails/20.jpg)
Permissions analysis
```python
class Analysis (MF):
    ...
    def defLattice (self):
        self.latt = Perm (self.Resources, self.Action, self.ResType)
    def defextremalValue (self):
        self.extremalValue = self.latt.bottom ()
    def transfer (self, l): ...

class Perm (functionspace): ...
```
Permissions analysis
```python
class Res (powerset): ...
class Act (powerset): ...
class PermRT (newbottom): ...
class Mult (lattice): ...
class PermMult (cartesianProduct): ...
class RTfunc (oneFunction): ...
class Perm (functionspace): ...
```
A program
```python
grant (http ('*'), read, inf)
grant (https ('site'), read, 1)
grant (file ('walletId'), read, 1)
while ...:
    while ...:
        consume (http ('site'), read)
    if ...:
        consume (http ('*'), read)
    else:
        break
consume (file ('walletId'), read)
if ...:
    consume (http ('site'), read)
else:
    grant (file ('walletVisa'), read, 1)
    consume (file ('walletVisa'), read)
    consume (https ('site'), read)
```
PySTA
[pipeline diagram] .pgm -> pgmtoxml -> .xml -> analyze -> dump, for the analyses AE, LV, PU, CP
.pgm
```python
grant (http ('*'), read, inf)
grant (https ('site'), read, 1)
grant (file ('walletId'), read, 1)
while True:
    while True:
        consume (http ('site'), read)
    if True:
        consume (http ('*'), read)
    else:
        break
consume (file ('walletId'), read)
if True:
    consume (http ('site'), read)
else:
    grant (file ('walletVisa'), read, 1)
    consume (file ('walletVisa'), read)
    consume (https ('site'), read)
```

.xml
```xml
<?xml version="1.0" ?>
<pgm>
  <meta Actions="set(['read'])" Label="15" ResType="set(['http', 'file', 'https'])" Resources="set(['walletId', 'walletVisa', 'site'])"/>
  <main>
    <command gen="http * read inf" kill="" label="1"/>
    <command gen="https site read 1" kill="" label="2"/>
    <command gen="file walletId read 1" kill="" label="3"/>
    <loop breaks="[9]" label="4">
      <loop breaks="[]" label="5">
    </branch>
  </main>
</pgm>
```

dump
```
1 P1
2 P2
3 P3
4 ERROR
5 P4
```
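The ERROR in the dump above is the kind of result a permission-usage analysis produces: a consume for which the granted multiplicity may already be spent. The following example was added to this transcript and is neither PySTA's code nor the model of Besson, Dufay and Jensen as such; it is a deliberately simplified version with multiplicities 0 < 1 < inf, a grant on resource '*' covering every resource of its type, merging of two paths by keeping the smaller multiplicity, and a loop analysed by iterating its body until the entry state stops changing. The program, its labels, the wildcard rule and the merge rule are assumptions for illustration. It works on the structured program directly rather than on a control flow graph, so no working list is needed.

```python
# Added example, not PySTA's code: a simplified permission-usage analysis over
# a structured program of grant/consume statements. Multiplicities are
# 0 < 1 < INF; the wildcard and merge rules below are assumptions.
INF = float("inf")


def join(s, t):
    """Merge the permission states of two paths: keep the smaller multiplicity
    of each permission, since on one of the paths more may have been spent."""
    return {k: min(s.get(k, 0), t.get(k, 0)) for k in set(s) | set(t)}


def consume(state, label, rtype, res, act, errors):
    """Spend one use of a permission (rtype, res, act). A grant on resource
    '*' of the same type covers any resource (assumed wildcard rule)."""
    candidates = [k for k in state
                  if k[0] == rtype and k[2] == act and k[1] in (res, "*")
                  and state[k] > 0]
    if not candidates:
        errors.add(label)                  # nothing (left) to consume at this label
        return state
    key = max(candidates, key=state.get)   # spend the most plentiful match
    new = dict(state)
    new[key] = state[key] - 1              # INF - 1 stays INF
    return new


def analyze(stmts, state, errors):
    """Abstract execution of a statement list; returns the state on exit and
    records in `errors` the labels of consumes that may lack permission."""
    for stmt in stmts:
        kind = stmt[0]
        if kind == "grant":
            _, _label, rtype, res, act, mult = stmt
            key = (rtype, res, act)
            state = dict(state)
            state[key] = max(state.get(key, 0), mult)
        elif kind == "consume":
            _, label, rtype, res, act = stmt
            state = consume(state, label, rtype, res, act, errors)
        elif kind == "if":
            _, _label, then_branch, else_branch = stmt
            state = join(analyze(then_branch, state, errors),
                         analyze(else_branch, state, errors))
        elif kind == "while":
            _, _label, body = stmt
            head = state                   # state on loop entry
            while True:                    # iterate until the entry state is stable;
                after = join(head, analyze(body, head, errors))   # multiplicities only
                if after == head:          # decrease, so this terminates
                    break
                head = after
            state = head                   # the loop may exit after any number of rounds
    return state


# Constructed program in the spirit of the wallet example on the slides.
PROGRAM = [
    ("grant", 1, "http", "*", "read", INF),
    ("grant", 2, "file", "walletId", "read", 1),
    ("while", 3, [
        ("consume", 4, "http", "site", "read"),       # covered by http('*') with INF
        ("consume", 5, "file", "walletId", "read"),   # multiplicity 1 spent inside a loop
    ]),
    ("if", 6,
     [("consume", 7, "file", "walletVisa", "read")],  # never granted on this path
     [("grant", 8, "file", "walletVisa", "read", 1),
      ("consume", 9, "file", "walletVisa", "read")]),
    ("consume", 10, "http", "site", "read"),
]


def check(program=PROGRAM):
    """Returns (sorted labels of consumes that may fail, permission state at exit)."""
    errors = set()
    final = analyze(program, {}, errors)
    return sorted(errors), final


if __name__ == "__main__":
    failing, final = check()
    print("consumes that may fail:", failing)         # [5, 7]
    for key, mult in sorted(final.items()):
        print(key, mult)
```

Label 5 is flagged only on the second round of the loop, after the merge has lowered walletId's multiplicity from 1 to 0, which is the approximation that makes the analysis sound without knowing how often the loop runs; label 7 is flagged because the then branch never received a grant for walletVisa.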
Conclusions and further work
• Python is a good tool for fast and modular programming
• Compare the classes of PySTA with the Coq viewpoint
• Program interesting examples
• Modify the permissions model using ad hoc constructs
• Program new analyses
Bibliography
• Frédéric Besson, Guillaume Dufay, and Thomas Jensen. A Formal Model of Access Control for Mobile Interactive Devices.