Static Analysis of Security Propertiesby Abstract Interpretation

École normale supérieure, équipe Abstraction

Mehdi Bouaziz

Friday, May 11 2012

Static Analysis of Security Properties by Abstract Interpretation

−→ course MPRI 2-6:Abstract Interpretation: application to verification and staticanalysis−→ ?

Mehdi Bouaziz, École normale supérieureStatic Analysis of Security Properties by Abstract Interpretation 2/13

Static Analysis

of Security Properties

by Abstract Interpretation

−→ course MPRI 2-6:Abstract Interpretation: application to verification and staticanalysis

−→ ?

Mehdi Bouaziz, École normale supérieureStatic Analysis of Security Properties by Abstract Interpretation 2/13

Static Analysis of

Security Properties

by Abstract Interpretation

−→ course MPRI 2-6:Abstract Interpretation: application to verification and staticanalysis

−→ ?

Mehdi Bouaziz, École normale supérieureStatic Analysis of Security Properties by Abstract Interpretation 2/13

Security?

Mehdi Bouaziz, École normale supérieureIntroduction to Security 3/13

Security?

Information Security?

Mehdi Bouaziz, École normale supérieureIntroduction to Security 3/13

Security?Access ControlAccountabilityAttackAuthenticityAuthorizationAvailabilityBuffer OverflowBugClassificationConfidentialityControl-FlowCovert ChannelsCross-Site ScriptingCryptanalysisCryptographyCryptologyDangling PointerData RaceDeclassification

DeadlockEarthquakeEncryptionFireFirewallFloodingFormat StringImplicit FlowInformation-FlowInput ValidationIntegrityIsolationLanguage-BasedLeast PrivilegeMalicious CodeMemory SafetyNon-InterferenceNon-RepudiationObfuscation

PhishingPolicyPossessionRandomizationReference MonitorRiskRuntime CheckSandboxSQL InjectionStack InspectionStack OverflowSymlink RaceTaintingTheftThreatType SafetyUtilityVulnerabilityWild Jump

Mehdi Bouaziz, École normale supérieureIntroduction to Security 3/13

Key Concepts

I ConfidentialityI IntegrityI Disponibility

I AuthenticityI AccountabilityI PossessionI Non-repudiationI Utility

Ipub

Ipriv

Opub

Opriv

Mehdi Bouaziz, École normale supérieureIntroduction to Security 4/13

Key Concepts

I Confidentiality

I IntegrityI Disponibility

I AuthenticityI AccountabilityI PossessionI Non-repudiationI Utility

Ipriv

Opub

Mehdi Bouaziz, École normale supérieureIntroduction to Security 4/13

Key Concepts

I ConfidentialityI Integrity

I Disponibility

I AuthenticityI AccountabilityI PossessionI Non-repudiationI Utility

Ipub

Opriv

Mehdi Bouaziz, École normale supérieureIntroduction to Security 4/13

Key Concepts

I ConfidentialityI IntegrityI Disponibility

I AuthenticityI AccountabilityI PossessionI Non-repudiationI Utility

Mehdi Bouaziz, École normale supérieureIntroduction to Security 4/13

Key Concepts

I ConfidentialityI IntegrityI Disponibility

I AuthenticityI AccountabilityI PossessionI Non-repudiationI Utility

Mehdi Bouaziz, École normale supérieureIntroduction to Security 4/13

Security Policy

A statement that partition the states of the system into a set ofauthorized (secure) states and a set of unauthorized (nonsecure)states.

Specify who can read/write what data, execute what command,under which condition.

I Natural language (law, documentation)I Encoded text (755 root root /bin)I Code (if (x.isPrivate()) exit(1); //avoid leak)I ∅

Mehdi Bouaziz, École normale supérieureIntroduction to Security 5/13

Security Policy

A statement that partition the states of the system into a set ofauthorized (secure) states and a set of unauthorized (nonsecure)states.

Specify who can read/write what data, execute what command,under which condition.

I Natural language (law, documentation)I Encoded text (755 root root /bin)I Code (if (x.isPrivate()) exit(1); //avoid leak)I ∅

Mehdi Bouaziz, École normale supérieureIntroduction to Security 5/13

Security Policy

A statement that partition the states of the system into a set ofauthorized (secure) states and a set of unauthorized (nonsecure)states.

Specify who can read/write what data, execute what command,under which condition.

I Natural language (law, documentation)I Encoded text (755 root root /bin)

I Code (if (x.isPrivate()) exit(1); //avoid leak)I ∅

Mehdi Bouaziz, École normale supérieureIntroduction to Security 5/13

Security Policy

A statement that partition the states of the system into a set ofauthorized (secure) states and a set of unauthorized (nonsecure)states.

Specify who can read/write what data, execute what command,under which condition.

I Natural language (law, documentation)I Encoded text (755 root root /bin)I Code (if (x.isPrivate()) exit(1); //avoid leak)

I ∅

Mehdi Bouaziz, École normale supérieureIntroduction to Security 5/13

Security Policy

A statement that partition the states of the system into a set ofauthorized (secure) states and a set of unauthorized (nonsecure)states.

Specify who can read/write what data, execute what command,under which condition.

I Natural language (law, documentation)I Encoded text (755 root root /bin)I Code (if (x.isPrivate()) exit(1); //avoid leak)I ∅

Mehdi Bouaziz, École normale supérieureIntroduction to Security 5/13

Information Security Controls

I Access ControlI Information-Flow ControlI Control-Flow IntegrityI Encryption

−→ coursesMPRI 1-13: Initiation to cryptologyMPRI 2-12-1: CryptanalysisMPRI 2-12-2: Arithmetic algorithms for cryptologyMPRI 2-13-2: Error correcting codes and applications to cryptographyMPRI 2-30: Cryptographic protocols: computational and symbolic proofs

Mehdi Bouaziz, École normale supérieureIntroduction to Security 6/13

Information Security Controls

I Access ControlI Information-Flow ControlI Control-Flow IntegrityI Encryption

−→ coursesMPRI 1-13: Initiation to cryptologyMPRI 2-12-1: CryptanalysisMPRI 2-12-2: Arithmetic algorithms for cryptologyMPRI 2-13-2: Error correcting codes and applications to cryptographyMPRI 2-30: Cryptographic protocols: computational and symbolic proofs

Mehdi Bouaziz, École normale supérieureIntroduction to Security 6/13

Information Security Controls

I Access ControlI Information-Flow ControlI Control-Flow IntegrityI Encryption

−→ coursesMPRI 1-13: Initiation to cryptologyMPRI 2-12-1: CryptanalysisMPRI 2-12-2: Arithmetic algorithms for cryptologyMPRI 2-13-2: Error correcting codes and applications to cryptographyMPRI 2-30: Cryptographic protocols: computational and symbolic proofs

Mehdi Bouaziz, École normale supérieureIntroduction to Security 6/13

Information Security Controls

I Access ControlI Information-Flow ControlI Control-Flow IntegrityI Encryption

−→ coursesMPRI 1-13: Initiation to cryptologyMPRI 2-12-1: CryptanalysisMPRI 2-12-2: Arithmetic algorithms for cryptologyMPRI 2-13-2: Error correcting codes and applications to cryptographyMPRI 2-30: Cryptographic protocols: computational and symbolic proofs

Mehdi Bouaziz, École normale supérieureIntroduction to Security 6/13

ThreatsI Physical: Earthquake, Fire, Flooding, TheftI In the code:

I Memory Safety:I Buffer OverrunsI Stack OverflowI Dangling pointers

I Concurrency:I DeadlocksI Data racesI Symlink races

I Input Validation:I SQL injectionI Cross-Site Scripting (XSS)I Format String

I Control/Data-Flow:I Type SafetyI Wild JumpsI Self Modifying Code

Mehdi Bouaziz, École normale supérieureIntroduction to Security 7/13

Language-Based Mechanisms

I Runtime Checks: Reference Monitor (OS, Interpreter,Firewall), Inlined Reference Monitor

I Programming Languages: Type-Safe Languages, TypedAssembly Language (TAL)

I Executing Model: Isolation, Sandboxing, Stack Inspection

I Static Analysis: Information-Flow Typing, AbstractInterpretation

I Exotic: Obfuscation, Randomization

Mehdi Bouaziz, École normale supérieureIntroduction to Security 8/13

Security Policy (2)

I Authorization

I History-Based

I Control-Flow

I Information-Flow

I Classification (private/public)

I Declassification (when, where, by who and what private informationcan be considered public)

Mehdi Bouaziz, École normale supérieureIntroduction to Security 9/13

Information-Flow Security

Non-Interference: No two executions are observably different if theydiffer solely by confidential inputs.

Explicit Flows: from assignments

Implicit Flows: from Indirect Flows and Covert Channels:I Termination ChannelI Timing ChannelI Probabilistic ChannelI Resource Exhaustion ChannelI Power Channel

Mehdi Bouaziz, École normale supérieureIntroduction to Security 10/13

Information-Flow Security Type System

` exp : high

h /∈ V ars(exp)

` exp : low

[pc] ` skip [pc] ` h := exp

` exp : low

[low] ` l := exp

[pc] ` C1 [pc] ` C2

[pc] ` C1;C2

` exp : pc [pc] ` C

[pc] ` while exp do C

` exp : pc [pc] ` C1 [pc] ` C2

[pc] ` if exp then C1 else C2

[high] ` C

[low] ` C

Mehdi Bouaziz, École normale supérieureIntroduction to Security 11/13

Issues

Non-interference is too restrictive. Most real-world programs needexceptions to non-interference: declassification.

Examples?

Other issues:I Expressiveness: first-class functions, exceptions, objectsI Concurrency: threads, nondeterminism, distributionI Covert channels: termination, timing, probabilityI Security policies: declassification, quantitative security,

dynamic policiesI Certification: proven compilers, proof-carrying codes

Mehdi Bouaziz, École normale supérieureIntroduction to Security 12/13

Issues

Non-interference is too restrictive. Most real-world programs needexceptions to non-interference: declassification.

Examples?

Other issues:I Expressiveness: first-class functions, exceptions, objectsI Concurrency: threads, nondeterminism, distributionI Covert channels: termination, timing, probabilityI Security policies: declassification, quantitative security,

dynamic policiesI Certification: proven compilers, proof-carrying codes

Mehdi Bouaziz, École normale supérieureIntroduction to Security 12/13

Thank you for listening

Questions are welcome

Mehdi Bouaziz, École normale supérieureIntroduction to Security 13/13