Wishnu Prasetya [email protected] Security Checking.

Wishnu Prasetya [email protected] www.cs.uu.nl/docs/vakken/pv Security Checking

Plan Extended static checking Credential model Security testing Exception 2

Extended Static Checking (ESC) To check some generic correctness properties, e.g. that the program wont crash due to division by zero, access to an array with an illegal index, null dereference, etc. Rely on auto-annotation. 3 tax(rate, income | tax) { if (income 10000) tax := 0 ; if (income 20000) tax := income / rate.low ; tax := tax + income / rate.high ; } { true } assert rate.high 0 if nothing else known, then true as pre-cond assert rate.low 0

Some notes on ESC We still have to deal with loops For automation, you may favor the while k approach, but this approach is not sound. There may be some crashes that we wont be able to detect. Is this bad? 4

Security Security: access to certain variables or methods may require certain credentials. Privacy : a piece of data may have a set of owners, and should only be accessed by these owners. Unifying concept: a credential specifies a set of users. c d means that d has at least the same level of access as c. Example: root, {u}, and More abstractly, assume a security domain (C, , ), complete lattice. 5

Expressing security policy in GCL Global variables cred 0 and cred cred 0 can only be assigned once. cred cred 0 should hold, at all time. Variables can declare the required credential var x c y d z in... end This requirement is static. Information can only flow towards variables with the same or lower credentials. Note that not all kinds of security policy can be expressed with these constructs. 6

Example Suppose var x c y d z in... Consider cred:=e ; z:=x+y Annotated to: assert e cred 0 ; cred:=e ; assert c cred ; assert d c ; assert d z:=x+y 7

Dealing with branches Consider: if x=0 then x:=y else z:=0 { Q } After annotation: if x=0 then { assert c cred ; x := y } else { assert d cred ; z := 0 } the wlp : (x=0 (c cred /\ Q[y/x])) /\ (x 0 d cred /\ Q[0/z]) Doubling the formula size Can we simplify? 8

Case reduction (a b) /\ ( a c) b /\ c Reducing wlp like this is sound, but in most cases this is too strong. There exists an f where f ((a b) /\ ( a c) b /\ c) A realistic f ? 9

Reducing branch, with security goals Recall the wlp : (x=0 (c cred /\ Q[y/x])) /\ (x 0 d cred /\ Q[0/z]) Consider d cred as the post-condition. The wlp would then be: (x=0 c cred /\ d cred) /\ (x 0 d cred) Is it reasonable to apply case-reduction on this? 10

Dealing with loops [while] k unfolding is too restrictive An unsound approach in not acceptable. while y>0 do {x := x+y ; y := y1} {c cred} Annotated to: 11 assert c cred ; while y > 0 do { assert c cred ; x := x+y ; assert c cred ; y := y1 ; assert c cred ; } W 0 = true W 1 = (y>0 /\ wlp body W 0 ) \/ (y 0 /\ c cred) = (y>0 /\ c cred) \/ (y 0 /\ c cred) = c cred W 2 =... fix point! Nice.

d cred Ok, how about this? A slightly different post-condition 12 while y > 0 do { assert c cred ; x := x+y ; assert c cred ; y := y1 ; assert c cred ; } W 0 = true W 1 = (y>0 /\ c cred) \/ (y 0 /\ d cred) W 2 = (y>1 /\ c cred) \/ (y=1 /\ c cred /\ d cred) \/ (y 0 /\ d cred).... does not terminate

d cred You have to fall back... Need a proposal for an invariant : c cred /\ d cred Can such a proposal be automated ? 13 while y > 0 do { assert c cred ; x := x+y ; assert c cred ; y := y1 ; assert c cred ; }

A loop that does something to credentials while y > 0 do {cred := cred+1 ; y := y1} { c cred } Annotated to: 14 assert c cred ; while y > 0 do { assert cred+1 cred 0 ; cred := cred+1 ; assert c cred ; y := y1 ; assert c cred ; } W 0 = true W 1 = (y>0 /\ cred+1 cred 0 /\ c cred+1) \/ (y 0 /\ c cred) = ((y>0 /\ c cred+1) \/ (y 0 /\ c cred)) /\ (y>0 cred+1 cred 0 ) W 2 = ((y>0 /\ c cred+1) \/ (y 0 /\ c cred)) /\ (y>1 cred+2 cred 0 ) /\ (y=1 cred+1 cred 0 )... does not terminate

Need a proposal again... We can try : cred+y cred 0 /\ c cred Or even: cred+y cred 0 /\ ((y>0 /\ c cred+1) \/ (y 0 /\ c cred)) 15 { c cred } assert c cred ; while y > 0 do { assert cred+1 cred 0 ; cred := cred+1 ; assert c cred ; y := y1 ; assert c cred ; }

What do we do with loops like the previous one? Maybe we only have a few Heuristics to statically analyze the program, and propose invariants Dynamically infer proposals from logs 16

Dealing with containers E.g. arrays, or objects In a real language, you may have two variables y and z pointing to the same object. What do we do if y and z are declared with different credential requirements? Extend composite structures to have their own credential requirements What is a container contains an object o with a different credential requirement? Note that o can also be a member of another container! Impose that adding an object to a container, respect the requirement of the container. 17

Unauthorized use of resource Represent secured resources as objects, that can only be accessed through their methods. Programs/Methods can now declare required credential: e Pr(x | r ) body Annotate calls to Pr accordingly. Methods credential is static; so this is just a simple extension of the scheme we have so far. How about dynamic binding ? 18

Input injection attack Use of external components is security risk. Imagine Pr(x), where x is a user input and inside it sends a query to a backend DB engine. A program cannot naively trust its users input. Typical approach is to sanitize inputs. 19 query := "SELECT * FROM users + WHERE name =" + userName + ";" " or 1=1"

Modeling sanitation Introduce function sanitize(expr) We prefer to treat this function abstractly uninterpreted function. But the programmer has to specify, to what credential the result would be appropriate. syntax: sanitize(expr,c) It will be the programmers responsibility to make sure that the credential claim is met. our logic will check over the consequences of that. 20

Examples y := x+1 { true } The resulting wlp will be unsatisfiable the program is definitely not safe the logic detected it, yay! y := sanitize(x,c)+1 { true } But what if we want to prove this post-cond: y=0 Losing information due to the taken abstraction... 21

Exception Exception introduces non-standard flow of execution, which are often error prone; thus also security prone. The problem is, exception can be thrown from many points in the program, basically exploding the goals to solve for verification. But first... how to deal with exception in Hoare logic / wlp ? 22

Exception Introduce a global variable exc : bool, initially false raise sets this variable to true entering a handler reset it to false A state where exc is true, is an exceptional state, else it is a normal state. Note that multiple exception types can be encoded. The obvious: wlp raise Q = Q[true/exc] 23

Assignments and guards In GCL evaluating an expression does not crash; so you have to properly annotate the expression to model crashes. E.g. : x := a[k]/y should be transformed to e.g. : if k

Sequential composition is now ugly S 1 ; S 2 S 1 ; if exc then skip else S 2 wlp (S 1 ; S 2 ) Q = wlp S 1 (exc /\ Q) \/ wlp S 1 ( exc /\ wlp S 2 Q) Now ; also doubles the formula However, you can statically check if S 1 contains raise, if it does not, we dont do the expansion. while g do S while... /\ exc do S 25

exception handler S ! H S ; if exc then { exc:=false ; H } else skip wlp (S ! H) Q = wlp S ( exc /\ Q) \/ wlp S (exc /\ ((wlp H Q)[false/exc])) Two scenarios S manages to terminate normally H is not executed S throws an exception control goes to H 26

Summary Static Security Checking can be done, almost automatically. Require critical variables or classes to declare needed credential Rely on annotating transformation Calculating wlp of loops can be challenging, but it looks like it can be mitigated Branches explode the formula, exception make its even worse; some heuristic to reduce the formula on the fly would be nice; but do watch for the overhead. 27

Wishnu Prasetya [email protected] Security Checking.

Documents

Transcript of Wishnu Prasetya [email protected] Security Checking.