Upload
jaxson-jay-steffen
View
215
Download
0
Tags:
Embed Size (px)
Citation preview
08/03/0708/03/07 11/41/41
Polymer: A Language and Polymer: A Language and System for Specifying System for Specifying
Complex, Modular Run-time Complex, Modular Run-time PoliciesPolicies
Jay Ligatti, University of South FloridaJay Ligatti, University of South Florida
Joint work with:Joint work with:Lujo Bauer, Carnegie Mellon UniversityLujo Bauer, Carnegie Mellon University
David Walker, Princeton UniversityDavid Walker, Princeton University
08/03/0708/03/07 22/41/41
Security Policy Security Policy EnforcementEnforcement
News flash:News flash:Software sometimes does bad stuffSoftware sometimes does bad stuff– BugsBugs– Malicious designMalicious design
One protection mechanism: One protection mechanism: Run-time program monitoringRun-time program monitoring– Monitoring software Monitoring software interposesinterposes whenever whenever
an untrusted application is about to an untrusted application is about to execute a security-relevant actionexecute a security-relevant action
08/03/0708/03/07 33/41/41
Program MonitoringProgram Monitoring
Monitors ensure that software dynamically Monitors ensure that software dynamically adheres to constraints specified by a adheres to constraints specified by a security security policypolicy
Practical examplesPractical examples– Stack inspection, firewalls, network auditors, Stack inspection, firewalls, network auditors,
sandboxing, intrusion detection systems, …sandboxing, intrusion detection systems, …
UntrustedTarget
ProgramMonitor
ExecutingSystem
Open(f,“w”)is OK
Open(f,“w”) Open(f,“w”)
08/03/0708/03/07 44/41/41
Security Policies Become Security Policies Become More Complex…More Complex…
1.1. As software becomes more sophisticatedAs software becomes more sophisticated(i.e., enters new domains)(i.e., enters new domains)– Multi-user and networked systemsMulti-user and networked systems– Electronic commerceElectronic commerce– Medical databases (HIPAA, EU Data Protection Medical databases (HIPAA, EU Data Protection
Law)Law)
08/03/0708/03/07 55/41/41
Security Policies Become Security Policies Become More Complex…More Complex…
1.1. As software becomes more sophisticatedAs software becomes more sophisticated(i.e., enters new domains)(i.e., enters new domains)– Multi-user and networked systemsMulti-user and networked systems– Electronic commerceElectronic commerce– Medical databases (HIPAA, EU Data Protection Medical databases (HIPAA, EU Data Protection
Law)Law)
2.2. As we tighten overly relaxed policiesAs we tighten overly relaxed policies– Insecure default configurations disallowedInsecure default configurations disallowed– Downloading .doc files requires warningDownloading .doc files requires warning
08/03/0708/03/07 66/41/41
Security Policies Become Security Policies Become More Complex…More Complex…
1.1. As software becomes more sophisticatedAs software becomes more sophisticated(i.e., enters new domains)(i.e., enters new domains)– Multi-user and networked systemsMulti-user and networked systems– Electronic commerceElectronic commerce– Medical databases (HIPAA, EU Data Protection Medical databases (HIPAA, EU Data Protection
Law)Law)
2.2. As we tighten overly relaxed policiesAs we tighten overly relaxed policies– Insecure default configurations disallowedInsecure default configurations disallowed– Downloading .doc files requires warningDownloading .doc files requires warning
3.3. As we relax overly tight policiesAs we relax overly tight policies– All applets sandboxed (JDK 1.0) vs. All applets sandboxed (JDK 1.0) vs.
only only unsignedunsigned applets sandboxed (JDK 1.1) applets sandboxed (JDK 1.1)
08/03/0708/03/07 77/41/41
Managing Complexity Managing Complexity via Centralizationvia Centralization
Application with policyscattered throughout
Scattered policy is hard to find and reason about
Application with centralized policy
Centralized policy is easier to find and reason about
Policy contains: - Security code - When to run the security code
08/03/0708/03/07 88/41/41
Related Work: Managing Related Work: Managing Policy Complexity via Policy Complexity via
CentralizationCentralization General monitoring systemsGeneral monitoring systems– Java-MaCJava-MaC [Lee, Kannan, Kim, Sokolsky, Viswanathan ‘99][Lee, Kannan, Kim, Sokolsky, Viswanathan ‘99]
– NaccioNaccio [Evans, Twyman ’99][Evans, Twyman ’99]
– Policy Enforcement ToolkitPolicy Enforcement Toolkit [Erlingsson, Schneider ’00][Erlingsson, Schneider ’00]
– Aspect-oriented software systemsAspect-oriented software systems [Kiczales, Hilsdale, [Kiczales, Hilsdale, Hugunin, Kersten, Palm, Griswold ’01; …]Hugunin, Kersten, Palm, Griswold ’01; …]
– …… Language theoryLanguage theory
– Semantics for AOPLsSemantics for AOPLs [Tucker, Krishnamurthi ’03; [Tucker, Krishnamurthi ’03; Walker, Zdancewic, Ligatti ’03; Wand, Kiczales, Dutchyn Walker, Zdancewic, Ligatti ’03; Wand, Kiczales, Dutchyn ’04; …]’04; …]
Automata theoryAutomata theory– Security automataSecurity automata [Schneider ’00; Ligatti, Bauer, [Schneider ’00; Ligatti, Bauer,
Walker ’05]Walker ’05]
08/03/0708/03/07 99/41/41
Beyond Centralization: Beyond Centralization: CompositionComposition
Policy centralization is not enoughPolicy centralization is not enough– Need methodology for organizing a Need methodology for organizing a
complex centralized policycomplex centralized policy
All of the cited efforts lack a flexible All of the cited efforts lack a flexible methodology for decomposing methodology for decomposing complex policies into simpler complex policies into simpler modulesmodules
08/03/0708/03/07 1010/41/41
Polymer ContributionsPolymer Contributions
PolymerPolymer– Is a fully implemented language (with formal Is a fully implemented language (with formal
semantics) for specifying run-time policies on Java codesemantics) for specifying run-time policies on Java code– Provides a methodology for conveniently specifying Provides a methodology for conveniently specifying
and generating complex monitors from simpler and generating complex monitors from simpler modulesmodules
StrategyStrategy– MakeMake all all policies first-class and composeable policies first-class and composeable– So higher-order policies (So higher-order policies (superpoliciessuperpolicies) can compose ) can compose
simpler policies (simpler policies (subpoliciessubpolicies))
08/03/0708/03/07 1111/41/41
OutlineOutline
Motivation and goalMotivation and goal– Ease specification of run-time policiesEase specification of run-time policies
Polymer systemPolymer system Polymer languagePolymer language
– First-class actions, suggestions, policiesFirst-class actions, suggestions, policies– Policy examplesPolicy examples
Case studyCase study Formal Polymer languageFormal Polymer language ConclusionConclusion
08/03/0708/03/07 1212/41/41
Polymer System ToolsPolymer System Tools
Policy compilerPolicy compiler – Converts monitor policies written in the Polymer Converts monitor policies written in the Polymer
language into Java source codelanguage into Java source code– Then runs javac to compile the Java sourceThen runs javac to compile the Java source
Bytecode instrumenterBytecode instrumenter– Inserts calls to the monitor at the right places in: Inserts calls to the monitor at the right places in:
The core Java librariesThe core Java libraries The untrusted (The untrusted (targettarget) application) application
08/03/0708/03/07 1313/41/41
Securing Targets in Securing Targets in PolymerPolymer
Target Libraries… …
Original application
Instrumented target
Instrumentedlibraries
Compiled policy
… …
Secured application
08/03/0708/03/07 1414/41/41
Securing Targets in Securing Targets in PolymerPolymer
1.1. Create a listing of all security-relevant Create a listing of all security-relevant methods (methods (trigger actionstrigger actions))
2.2. Instrument trigger actions in core Java Instrument trigger actions in core Java librarieslibraries
3.3. Write and compile security policyWrite and compile security policy
4.4. Run target using instrumented Run target using instrumented libraries, libraries, instrumenting target classes as they instrumenting target classes as they load (with a custom class loader)load (with a custom class loader)
08/03/0708/03/07 1515/41/41
OutlineOutline
Motivation and goalMotivation and goal– Ease specification of run-time policiesEase specification of run-time policies
Polymer systemPolymer system Polymer languagePolymer language
– First-class actions, suggestions, policiesFirst-class actions, suggestions, policies– Policy examplesPolicy examples
Case studyCase study Formal Polymer languageFormal Polymer language ConclusionConclusion
08/03/0708/03/07 1616/41/41
Polymer Language Polymer Language OverviewOverview
Syntactically almost identical to Java Syntactically almost identical to Java sourcesource
Primary additions to JavaPrimary additions to Java– Key abstractions for first-class Key abstractions for first-class actionsactions, ,
suggestionssuggestions, and , and policiespolicies– Programming disciplineProgramming discipline– Composeable policy organizationComposeable policy organization
08/03/0708/03/07 1717/41/41
First-class ActionsFirst-class Actions
ActionAction objects contain information objects contain information about a method invocationabout a method invocation– Static method signatureStatic method signature– Dynamic calling object Dynamic calling object – Dynamic parametersDynamic parameters
Policies can analyze trigger actionsPolicies can analyze trigger actions Policies can synthesize actions to Policies can synthesize actions to
insertinsert
08/03/0708/03/07 1818/41/41
Action PatternsAction Patterns
For convenient analysis, action objects For convenient analysis, action objects can be matched to patterns in aswitch can be matched to patterns in aswitch statementsstatements
Wildcards can appear in action patternsWildcards can appear in action patterns
aswitch(a) { case <void System.exit(int status)>: E; …}
<public void java.io.*.<init>(int i, …)>
08/03/0708/03/07 1919/41/41
First-class SuggestionsFirst-class Suggestions
Policies return Policies return SuggestionSuggestion objects to objects to indicate how to handle trigger actionsindicate how to handle trigger actions– IrrSugIrrSug: action is irrelevant: action is irrelevant– OKSugOKSug: action is relevant but safe: action is relevant but safe– InsSugInsSug: defer judgment until after running and : defer judgment until after running and
evaluating some auxiliary codeevaluating some auxiliary code– ReplSugReplSug: replace action (which computes a : replace action (which computes a
return value) with another return valuereturn value) with another return value– ExnSugExnSug: raise an exception to notify target that : raise an exception to notify target that
it is not allowed to execute this actionit is not allowed to execute this action– HaltSugHaltSug: disallow action and halt execution: disallow action and halt execution
08/03/0708/03/07 2020/41/41
First-class PoliciesFirst-class Policies
PoliciesPolicies include state and several methods: include state and several methods:– query()query() suggests how to deal with trigger actionssuggests how to deal with trigger actions– accept()accept() performs bookkeeping before a performs bookkeeping before a
suggestion is followedsuggestion is followed– result()result() performs bookkeeping after an OK’d or performs bookkeeping after an OK’d or
inserted action returns a resultinserted action returns a result
public abstract class Policy { public abstract Sug query(Action a); public void accept(Sug s) { }; public void result(Sug s, Object result, boolean wasExnThn) { };}
08/03/0708/03/07 2121/41/41
Compositional Policy DesignCompositional Policy Design
query()query() methods should be effect-free methods should be effect-free– Superpolicies test reactions of subpolicies Superpolicies test reactions of subpolicies
by calling their query() methodsby calling their query() methods– Superpolicies combine reactions in Superpolicies combine reactions in
meaningful waysmeaningful ways– Policies cannot assume suggestions will be Policies cannot assume suggestions will be
followedfollowed Effects postponed for Effects postponed for accept()accept() and and
result()result()
08/03/0708/03/07 2222/41/41
A Simple Policy That A Simple Policy That Forbids Runtime.exec(..) Forbids Runtime.exec(..)
methodsmethodspublic class DisSysCalls extends Policy { public Sug query(Action a) { aswitch(a) { case <* java.lang.Runtime.exec(..)>: return new HaltSug(this, a); } return new IrrSug(this); } public void accept(Sug s) { if(s.isHalt()) { System.err.println(“Illegal method called”); System.err.println(“About to halt target.”); } } }
08/03/0708/03/07 2323/41/41
Policy CombinatorsPolicy Combinators
Polymer provides library of generic Polymer provides library of generic superpolicies (superpolicies (combinatorscombinators))
Policy writers are free to create new Policy writers are free to create new combinatorscombinators
Standard form:Standard form:public class Conjunction extends Policy { private Policy p1, p2; public Conjunction(Policy p1, Policy p2) { this.p1 = p1; this.p2 = p2; } public Sug query(Action a) { Sug s1 = p1.query(a), s2 = p2.query(a); //return the conjunction of s1 and s2 …
08/03/0708/03/07 2424/41/41
Conjunctive CombinatorConjunctive Combinator
Apply several policies at once, first making Apply several policies at once, first making any insertions suggested by subpoliciesany insertions suggested by subpolicies
When no subpolicy suggests an insertion, When no subpolicy suggests an insertion, obey most restrictive subpolicy suggestion obey most restrictive subpolicy suggestion
Irrelevant OK
Replace(v1)Replace(v2)
…Replace(v3)
Exception Halt
Least restrictive Most restrictive
Policy netPoly = new Conjunction(new FirewallPoly(), new LogSocketsPoly(), new WarnB4DownloadPoly());
08/03/0708/03/07 2525/41/41
Selector CombinatorsSelector Combinators
Make some initial choice about which Make some initial choice about which subpolicy to enforce and forget about subpolicy to enforce and forget about the other subpoliciesthe other subpolicies
IsClientSignedIsClientSigned: Enforce first subpolicy : Enforce first subpolicy if and only if target is if and only if target is cryptographically signedcryptographically signed
Policy sandboxUnsigned = new IsClientSigned( new TrivialPolicy(), new SandboxPolicy());
08/03/0708/03/07 2626/41/41
Unary CombinatorsUnary Combinators
Perform some extra operations while Perform some extra operations while enforcing a single subpolicyenforcing a single subpolicy
AutoUpdateAutoUpdate: Obey sole subpolicy but : Obey sole subpolicy but also intermittently check for also intermittently check for subpolicy updatessubpolicy updates
08/03/0708/03/07 2727/41/41
OutlineOutline
Motivation and goalMotivation and goal– Ease specification of run-time policiesEase specification of run-time policies
Polymer systemPolymer system Polymer languagePolymer language
– First-class actions, suggestions, policiesFirst-class actions, suggestions, policies– Policy examplesPolicy examples
Case studyCase study Formal Polymer languageFormal Polymer language ConclusionConclusion
08/03/0708/03/07 2828/41/41
Case StudyCase Study
Polymer policy for email clients that use the Polymer policy for email clients that use the JavaMail APIJavaMail API– Approx. 1800 lines of Polymer code, available atApprox. 1800 lines of Polymer code, available at
http://www.cs.princeton.edu/sip/projects/polymerhttp://www.cs.princeton.edu/sip/projects/polymer
Tested on Pooka Tested on Pooka [http://www.suberic.net/pooka][http://www.suberic.net/pooka]
– Approx. 50K lines of Java code + librariesApprox. 50K lines of Java code + libraries
(Java standard libraries, JavaMail, JavaBeans (Java standard libraries, JavaMail, JavaBeans Activation Framework, JavaHelp, The Knife mbox Activation Framework, JavaHelp, The Knife mbox provider, Kunststoff Look and Feel, and ICE JNI provider, Kunststoff Look and Feel, and ICE JNI library)library)
08/03/0708/03/07 2929/41/41
Email Policy HierarchyEmail Policy Hierarchy
Related policyRelated policyconcerns areconcerns aremodularizedmodularized
=>=>1) Easier to 1) Easier to
create the create the policypolicy- Modules are - Modules are reusablereusable
- Modules can - Modules can be written in be written in isolationisolation
2) Easier to 2) Easier to understand understand the policythe policy
3) Easier to 3) Easier to update the update the policypolicy
08/03/0708/03/07 3030/41/41
OutlineOutline
Motivation and goalMotivation and goal– Ease specification of run-time policiesEase specification of run-time policies
Polymer systemPolymer system Polymer languagePolymer language
– First-class actions, suggestions, policiesFirst-class actions, suggestions, policies– Policy examplesPolicy examples
Case studyCase study Formal Polymer languageFormal Polymer language ConclusionConclusion
08/03/0708/03/07 3131/41/41
Formal SemanticsFormal Semantics
MotivationMotivation– Unambiguously communicate central Unambiguously communicate central
workings of language and highlight workings of language and highlight their simplicitytheir simplicity
StyleStyle– Lambda calculus, rather than class-Lambda calculus, rather than class-
based calculus (again, for simplicity)based calculus (again, for simplicity)
08/03/0708/03/07 3232/41/41
SyntaxSyntax
08/03/0708/03/07 3333/41/41
Static SemanticsStatic Semantics
08/03/0708/03/07 3434/41/41
Dynamic Semantics IDynamic Semantics I
08/03/0708/03/07 3535/41/41
Dynamic Semantics IIDynamic Semantics II
08/03/0708/03/07 3636/41/41
Type SafetyType Safety
Particularly important for monitor-Particularly important for monitor-based policy-specification languagesbased policy-specification languages– Application expressions in well-typed Application expressions in well-typed
programs cannot:programs cannot: circumvent monitor checks (complete circumvent monitor checks (complete
mediation) mediation) tamper with monitor code or statetamper with monitor code or state
Straightforward proofStraightforward proof– Context weakening, Typing inversion, Context weakening, Typing inversion,
Canonical Forms, Substitution, Canonical Forms, Substitution, Preservation, ProgressPreservation, Progress
08/03/0708/03/07 3737/41/41
OutlineOutline
Motivation and goalMotivation and goal– Ease specification of run-time policiesEase specification of run-time policies
Polymer systemPolymer system Polymer languagePolymer language
– First-class actions, suggestions, policiesFirst-class actions, suggestions, policies– Policy examplesPolicy examples
Case studyCase study Formal Polymer languageFormal Polymer language ConclusionConclusion
08/03/0708/03/07 3838/41/41
SummarySummary
An approach to managing policy An approach to managing policy complexity:complexity:– Design policies for compositionDesign policies for composition– Complex policies can be decomposed into Complex policies can be decomposed into
simpler subpoliciessimpler subpolicies Enabling the approachEnabling the approach
– First-class actions, suggestions, and policiesFirst-class actions, suggestions, and policies– Policy organization (effectless query methods Policy organization (effectless query methods
and effectful bookkeeping methods)and effectful bookkeeping methods) Implemented end-to-end systemImplemented end-to-end system
– Library of useful combinatorsLibrary of useful combinators– Case study policy hierarchyCase study policy hierarchy
08/03/0708/03/07 3939/41/41
Current Work: Improving Current Work: Improving Specification Specification ConvenienceConvenience
Effectful query methodsEffectful query methods– Writing effectless query methods is tediousWriting effectless query methods is tedious– Algorithm seems to exist for compiling an Algorithm seems to exist for compiling an
effectful-query policy into an effectless-query effectful-query policy into an effectless-query policypolicy
Polymer GUIPolymer GUI– Policies written at too low of level for many usersPolicies written at too low of level for many users– GUI would allow safe policy specification, GUI would allow safe policy specification,
visualization, and update by selection from a visualization, and update by selection from a library of prepackaged policieslibrary of prepackaged policies
08/03/0708/03/07 4040/41/41
More InformationMore Information
Source code and example policies:Source code and example policies:http://www.cs.princeton.edu/sip/projects/polymehttp://www.cs.princeton.edu/sip/projects/polymerr
Papers:Papers:– Composing security policies with Polymer Composing security policies with Polymer
(PLDI 2005)(PLDI 2005)
– Composing expressive run-time security Composing expressive run-time security policies (journal article in submission)policies (journal article in submission)
08/03/0708/03/07 4141/41/41
EndEnd
Thanks / Questions?
08/03/0708/03/07 4242/41/41
Implementation NumbersImplementation Numbers
Polymer sizePolymer size– 30 core classes (approx. 2500 lines of Java) + 30 core classes (approx. 2500 lines of Java) +
JavaCC + Apache BCELJavaCC + Apache BCEL (Unoptimized) Performance (Unoptimized) Performance
– Instrument all Java core libraries = 107s = 3.7 ms Instrument all Java core libraries = 107s = 3.7 ms per methodper method
– Typical class loading time = 12 ms Typical class loading time = 12 ms (vs. 6 ms with default class loader) (vs. 6 ms with default class loader)
– Monitored method call = 0.6 ms overheadMonitored method call = 0.6 ms overhead– Policy code’s performance typically dominates costPolicy code’s performance typically dominates cost
08/03/0708/03/07 4343/41/41
Another ExampleAnother Example
(logs incoming email and prepends “SPAM:” to subject lines on messages flagged by a spam filter)