• Home

  • Documents

  • Jay Ligatti and Srikar Reddy University of South Florida
47
A Theory of Runtime Enforcement, with Results Jay Ligatti and Srikar Reddy University of South Florida

Jay Ligatti and Srikar Reddy University of South Florida

  • Upload
    ivy-ida

  • View
    219

  • Download
    0

Embed Size (px)

Citation preview

  • Slide 1

Jay Ligatti and Srikar Reddy University of South Florida Slide 2 Also known as runtime/security/program monitors Ubiquitous Operating systems (e.g., file access control) Virtual machines (e.g., stack inspection) Web browsers (e.g., javascript sandboxing) Intrusion-detection systems Firewalls Auditing tools Spam filters Etc. 2 Slide 3 How do monitors operate to enforce policies? Which policies can runtime mechanisms enforce? Which policies should we never even try to enforce at runtime? All policies Runtime-enforceable policies 3 Slide 4 How do monitors operate to enforce policies? Which policies get enforced when we combine runtime mechanisms? mechanism M enforces policy P mechanism M enforces policy P M ^ M enforces? P ^ P ? What if P requires the first action executed to be fopen( f ), but P requires the first action executed to be fopen( f )? 4 Slide 5 How do monitors operate to enforce policies? How efficiently does a mechanism enforce a policy? What are the lower bounds on resources required to enforce policies of interest? What does it mean for a mechanism to be efficient? Low space usage (SHA of Fong, BHA of Talhi, Tawbi, and Debbabi) Low time usage ? 5 Slide 6 How do monitors operate to enforce policies? Which policies can runtime mechanisms enforce? Which policies get enforced when we combine runtime mechanisms? How efficiently does a mechanism enforce a policy? What are the lower bounds on resources required to enforce policies of interest? 6 Slide 7 How do monitors operate to enforce policies? Which policies can runtime mechanisms enforce? Which policies get enforced when we combine runtime mechanisms? How efficiently does a mechanism enforce a policy? What are the lower bounds on resources required to enforce policies of interest? 7 Slide 8 Research questions How do monitors operate to enforce policies? Which policies can runtime mechanisms enforce? Related work vs. this work The model: executions, monitors, policies, and enforcement Analysis of enforceable properties Summary and future work 8 Slide 9 Most analyses of monitors are based on truncation automata (Schneider, 2000) Operation: halt software being monitored (target) immediately before any policy violation Limitation: real monitors normally respond to violations with remedial actions target monitor executing system (OS/VM/CPU) action a Halt target! 9 Slide 10 Powerful model of runtime enforcement Operation: actively transform target actions to ensure they satisfy desired policy target monitor executing system (OS/VM/CPU) action a a a'a' etc. (quietly suppress a) 10 Slide 11 Limitation: All actions are assumed totally asynchronous Monitor can always get next action after suppressing previous actions Target cant care about results of executed actions; there are no results in the model E.g., the echo program x=input(); output(x); is outside the edit-automata model 11 Slide 12 Conservatively assume all actions are synchronous Operation: actively transform target actions and results of those actions to ensure they satisfy desired policy Untrusted Application valid results Executing System (Trusted) Security Monitor actions valid actions results 12 Slide 13 MRAs are stronger than truncation automata Can accept actions and halt targets but can also transform actions and results MRAs are weaker than edit automata Asynchronicity lets edit automata see arbitrarily far into the future Can postpone deciding how to edit an action until later Arbitrary postponement is normally unrealistic 13 Slide 14 1. MRAs can enforce result-sanitization policies (trusted) mechanism sanitizes results before they get input to (untrusted) target application Many privacy, information-flow, and access- control policies are result-sanitization Untrusted Application Executing System (Trusted) Security Monitor (1) ls (3) {foo.txt,.hidden} (2) ls (4) {foo.txt} 14 Slide 15 2. Model provides simpler and more expressive definitions of policies and enforcement than previous work (more on this later) 15 Slide 16 Research questions How do monitors operate to enforce policies? Which policies can runtime mechanisms enforce? Related work vs. this work The model: executions, monitors, policies, and enforcement Analysis of enforceable properties Summary and future work 16 Slide 17 Execution: finite or countably infinite sequence of MRA-relevant events (i.e., actions and results) 4 possibilities: (1) MRA inputs action a from the target Untrusted Application Executing System (Trusted) Security Monitor a => add a i to the current trace 17 Slide 18 Execution: finite or countably infinite sequence of MRA-relevant events (i.e., actions and results) 4 possibilities: (2) MRA outputs action a to be executed Untrusted Application Executing System (Trusted) Security Monitor a => add a o to the current trace 18 Slide 19 Execution: finite or countably infinite sequence of MRA-relevant events (i.e., actions and results) 4 possibilities: (3) MRA inputs result r from the system Untrusted Application Executing System (Trusted) Security Monitor r => add r i to the current trace 19 Slide 20 Execution: finite or countably infinite sequence of MRA-relevant events (i.e., actions and results) 4 possibilities: (4) MRA outputs result r to the target Untrusted Application Executing System (Trusted) Security Monitor => add r o to the current trace r 20 Slide 21 ls i ; ls o ; {foo.txt,.hidden} i ; {foo.txt} o Untrusted Application Executing System (Trusted) Security Monitor ls 21 Slide 22 ls i ; ls o ; {foo.txt,.hidden} i ; {foo.txt} o Untrusted Application Executing System (Trusted) Security Monitor ls 22 Slide 23 ls i ; ls o ; {foo.txt,.hidden} i ; {foo.txt} o Untrusted Application Executing System (Trusted) Security Monitor {foo.txt,.hidden} 23 Slide 24 ls i ; ls o ; {foo.txt,.hidden} i ; {foo.txt} o Untrusted Application Executing System (Trusted) Security Monitor {foo.txt} 24 Slide 25 shutdown i ; popupConfirm o ; OK i ; shutdown o Untrusted Application Executing System (Trusted) Security Monitor shutdown 25 Slide 26 shutdown i ; popupConfirm o ; OK i ; shutdown o Untrusted Application Executing System (Trusted) Security Monitor popupConfirm 26 Slide 27 shutdown i ; popupConfirm o ; OK i ; shutdown o Untrusted Application Executing System (Trusted) Security Monitor OK 27 Slide 28 shutdown i ; popupConfirm o ; OK i ; shutdown o Untrusted Application Executing System (Trusted) Security Monitor shutdown 28 Slide 29 An MRA M is a tuple (E, Q, q 0, ) E = event set over which M operates Q = Ms finite or countably infinite state set q 0 = Ms initial state = Ms transition function : Q x E Q x E given a current MRA state and an event just input, returns the next MRA state and an event to output 29 Slide 30 Hidden-file filtering MRA M = (E, Q, q 0, ) E = { ls, } Q = { T, F } (are we executing an ls?) q 0 = { F } ( F, e ) if q=F and els (q,e) = ( T, e ) if q=F and e=ls ( F, filter(e)) if q=T 30 Slide 31 Shutdown-confirming MRA M=(E, Q, q 0, ) E = { shutdown, popupConfirm, OK, cancel, null, } Q = { T, F } (are we confirming a shutdown?) q 0 = { F } ( F, e ) if q=F and eshutdown (q,e) = ( T, popupConfirm ) if q=F and e=shutdown ( F, null ) if q=T and e=cancel ( F, shutdown ) if q=T and e=OK 31 Slide 32 MRA operations match the possible behaviors weve observed in many implemented monitoring systems Polymer (with Bauer and Walker) PSLang (Erlingsson and Schneider) AspectJ (Kiczales et al.) Etc. For every input action and input result, monitor may output an action or a result Previous models couldnt transform results => couldnt model the last 2 realistic examples 32 Slide 33 MRA operations can be formalized with six small rules dictating how traces get built Please see conference proceedings for details 33 Slide 34 (Technical note: here were really only considering special kinds of policies called properties) Policies are predicates on executions P(x) iff execution x satisfies policy P 34 Slide 35 P( ) P(ls i ) P(ls i ; e o ) iff e=ls directory listings L: P(ls i ; ls o ; L i ) P(ls i ; ls o ; L i ; e o ) iff e=filter(L) [its OK for the target to do nothing] [monitor may not just stop upon inputting ls; must then output ls] [monitor must output only ls after inputting ls; its then OK for the system to never return a listing] [monitor may not stop upon inputting L; must return the filtered list to the target] [monitor must filter listings] 35 Slide 36 Policies here can reason about results Enables result-sanitization policies E.g., filter-hidden-file policy Policies here can reason about input events Enables policies to dictate exactly how mechanisms can/must transform events E.g., confirm-shutdown policy => Powerful, but practical, expressiveness 36 Slide 37 Sound enforcement (no false -s) Complete enforcement (no false +s) Precise enforcement (no false +s or -s) M soundly enforces P iff executions x: (M produces x P(x)) M completely enforces P iff executions x: (P(x) M produces x) M precisely enforces policy P iff M soundly and completely enforces P 37 Slide 38 Simpler: no need for extra transparency constraints that can be rolled into policy definitions (now that policies can reason about input events) More expressive: can reason about complete and precise enforcement too 38 Slide 39 Research questions How do monitors operate to enforce policies? Which policies can runtime mechanisms enforce? Related work vs. this work The model: executions, monitors, policies, and enforcement Analysis of enforceable properties Summary and future work 39 Slide 40 40 Slide 41 41 Slide 42 42 Slide 43 Research questions How do monitors operate to enforce policies? Which policies can runtime mechanisms enforce? Related work vs. this work The model: executions, monitors, policies, and enforcement Analysis of enforceable properties Summary and future work 43 Slide 44 Started building a theory of runtime enforcement based on MRAs, which: model the realistic ability of runtime mechanisms to transform synchronous actions and their results. can enforce result-sanitization policies and policies based on input events. provide simpler and more expressive definitions of policies and enforcement than previous models. 44 Slide 45 Something between edit automata (which assume asynchronous actions) and MRAs (which assume synchronous actions)? How would the monitor know when the target is waiting for a result, and for which action? Static analysis of target application? Could get complicated 45 Slide 46 Which policies get enforced when we combine runtime mechanisms? How efficiently does a mechanism enforce a policy? What are the lower bounds on resources required to enforce policies of interest? Having a realistic operational model of runtime enforcement seems like a good first step to address these research questions 46 Slide 47 47


Geetha Reddy

Geetha Reddy

Documents
kdpdownload.nic.inkdpdownload.nic.in/kadapa/Form C approved Peddakalvapalli.pdf · Jayachandra Reddy Slo Venkata Reddy 3)Nimmanapalli Ramachandra Reddy S/o Venkata Reddy 4)Nimmanapalli

kdpdownload.nic.inkdpdownload.nic.in/kadapa/Form C approved Peddakalvapalli.pdf · Jayachandra Reddy Slo Venkata Reddy 3)Nimmanapalli Ramachandra Reddy S/o Venkata Reddy 4)Nimmanapalli

Documents
Qcl 14-v3 5-s_national institute of industrial engineering_chennamsetty srikar

Qcl 14-v3 5-s_national institute of industrial engineering_chennamsetty srikar

Education
Mahender reddy

Mahender reddy

Economy & Finance
Subba Reddy

Subba Reddy

Real Estate
sadhana reddy

sadhana reddy

Documents
Reddappa Reddy

Reddappa Reddy

Documents
€¦ · XLS file · Web viewN ANKAMMA 102000AP00051046 V KOTI REDDY 102000AP00049670 VV REDDY 102000AP0051073 DN REDDY 102000AP00051134 A VENKATESWARULU 102000AP00051107 DVR REDDY

€¦ · XLS file · Web viewN ANKAMMA 102000AP00051046 V KOTI REDDY 102000AP00049670 VV REDDY 102000AP0051073 DN REDDY 102000AP00051134 A VENKATESWARULU 102000AP00051107 DVR REDDY

Documents
FLEXIBLE MICROFLUIDIC CIRCUIT WITH by SRIKAR C. …

FLEXIBLE MICROFLUIDIC CIRCUIT WITH by SRIKAR C. …

Documents
reddy the Fly campaign toolkit reddy the Fly

reddy the Fly campaign toolkit reddy the Fly

Documents
aruna reddy

aruna reddy

Documents
Srikar Velagapudi Ashok Kumar Alex Spivak Matthew Franchetti The University of Toledo

Srikar Velagapudi Ashok Kumar Alex Spivak Matthew Franchetti The University of Toledo

Documents
Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Documents
Jyothi reddy

Jyothi reddy

Documents
SUPPL - SEC.gov | HOME · 2014. 6. 24. · Dr Prathap Reddy Ms Sucharitha Reddy Ms Preetha Reddy Ms Suneeta Reddy Ms Shobana Kamineni Ms Sangita Reddy Mr Karthik Anand Mr Hrshad Reddy

SUPPL - SEC.gov | HOME · 2014. 6. 24. · Dr Prathap Reddy Ms Sucharitha Reddy Ms Preetha Reddy Ms Suneeta Reddy Ms Shobana Kamineni Ms Sangita Reddy Mr Karthik Anand Mr Hrshad Reddy

Documents
16. yrk reddy cg-csr-2012 - yrk reddy

16. yrk reddy cg-csr-2012 - yrk reddy

Business
Presentation1rohitha reddy

Presentation1rohitha reddy

Documents
SAMA_RAGAVA REDDY

SAMA_RAGAVA REDDY

Documents
kdpdownload.nic.inkdpdownload.nic.in/kadapa/Award approval.pdf · Gurivireddygari Pulla Reddy S/o Chinna Pulla Reddy Chinna Gurivireddygari Nagi Reddy S/o Pedda Nagi Reddy Subtotal

kdpdownload.nic.inkdpdownload.nic.in/kadapa/Award approval.pdf · Gurivireddygari Pulla Reddy S/o Chinna Pulla Reddy Chinna Gurivireddygari Nagi Reddy S/o Pedda Nagi Reddy Subtotal

Documents
SIP vs H323 Over Wireless networks Presented by Srikar Reddy Yeruva Instructor Chin Chin Chang

SIP vs H323 Over Wireless networks Presented by Srikar Reddy Yeruva Instructor Chin Chin Chang

Documents
SEBI of and forPalem Srinivas Reddy P Soujanya Reddy Palem Srikanth Reddy Supriya Reddy Palem Stuthi Reddy 4. /voting ; Capital I Capital share/ voting I wherever 1 capital of TC qnnticg.olg

SEBI of and forPalem Srinivas Reddy P Soujanya Reddy Palem Srikanth Reddy Supriya Reddy Palem Stuthi Reddy 4. /voting ; Capital I Capital share/ voting I wherever 1 capital of TC qnnticg.olg

Documents
General information about company - viceroyhotels.in data/SHAREHOLDING... · reddy allampati vijay vardhan reddy p prabhakar reddy nirmala kondalapudi p divya reddy chakradhar reddy

General information about company - viceroyhotels.in data/SHAREHOLDING... · reddy allampati vijay vardhan reddy p prabhakar reddy nirmala kondalapudi p divya reddy chakradhar reddy

Documents
12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida

12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida

Documents
IVCon: A GUI-based Tool for Visualizing and Modularizing Crosscutting Concerns Nalin Saigal, Jay Ligatti 1/46

IVCon: A GUI-based Tool for Visualizing and Modularizing Crosscutting Concerns Nalin Saigal, Jay Ligatti 1/46

Documents
Qcl 14-v3 best practices-national institute of industrial engineering_chennamsetty srikar

Qcl 14-v3 best practices-national institute of industrial engineering_chennamsetty srikar

Education
h&ALLA REIIBY ft{EBXCAL - Malla Reddy Institute of … I DIVYA REDDY-ilovepdf...MALLA REDDY INSTITUTE OF MEDICAL SCIENCES Director ... Narhe: ".IPPA DIVYA REDDY -IPPA VENKAT REDDY

h&ALLA REIIBY ft{EBXCAL - Malla Reddy Institute of … I DIVYA REDDY-ilovepdf...MALLA REDDY INSTITUTE OF MEDICAL SCIENCES Director ... Narhe: ".IPPA DIVYA REDDY -IPPA VENKAT REDDY

Documents
Scanned by CamScanner · Reddy, Smt.Jakkidi Prashanthi Reddy W/o J. Tirumal Reddy and Sri.J.Tirumal Reddy S/o Late J. Yella Reddy and necessary changes be effected in the Revenue

Scanned by CamScanner · Reddy, Smt.Jakkidi Prashanthi Reddy W/o J. Tirumal Reddy and Sri.J.Tirumal Reddy S/o Late J. Yella Reddy and necessary changes be effected in the Revenue

Documents
Speech Recognition with CMU Sphinx Srikar Nadipally Hareesh Lingareddy

Speech Recognition with CMU Sphinx Srikar Nadipally Hareesh Lingareddy

Documents
Password Less Authentication - Srikar Sagi

Password Less Authentication - Srikar Sagi

Documents
Software Security Monitors: Theory & Practice David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Software Security Monitors: Theory & Practice David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Documents