browsers critical infrastructure
play

Browsers: Critical Infrastructure Ubiquitous: many platforms, - PowerPoint PPT Presentation

Mar 14, 2024 •119 likes •862 views

Browser Security Guarantees through Formal Shim Verification Zachary Tatlock Dongseok Jang Sorin Lerner UC San Diego Browsers: Critical Infrastructure Ubiquitous: many platforms, sensitive apps Vulnerable: Pwn2Own, just a click to

  1. Browser Security Guarantees through Formal Shim Verification Zachary Tatlock Dongseok Jang Sorin Lerner UC San Diego

  2. Browsers: Critical Infrastructure Ubiquitous: many platforms, sensitive apps Vulnerable: Pwn2Own, just a click to exploit Reactive Defenses: many ad hoc, bug triage, regressions

  3. Fully Formal Verification Code in language that eases reasoning Develop correctness proof in synch Fully formal, machine checkable proof

  4. Fully Formal Verification Success story: CompCert C compiler Compiler Bugs Found GCC 122 LLVM 181 0 CompCert [Yang et al. PLDI 11 ] OS (seL4), RDBMS & HTTPD (YNot) realistic implementations guaranteed bug free

  5. Fully Formal Verification Success story: CompCert C compiler The Catch Compiler Bugs Found Throw away all your code GCC 100 Rewrite in unfamiliar language LLVM 150 Formally specify correctness 0 CompCert ? [Yang et al. PLDI 11 ] Prove every detail correct OS (seL4), DB, HTTPD (YNot) Heroic effort realistic implementations guaranteed bug free

  6. Formally Verify a Browser?! Resources Complex parts Subtle interactions JPEG Loose access policy HTML Decoder Renderer Constant evolution JavaScript Interpreter

  7. Formal Shim Verification Formally Verify a Browser?! Resources Isolate sandbox untrusted code ✔ Shim Insert shim guards resource access JPEG HTML Decoder Renderer Verify shim prove security props JavaScript Interpreter

  8. Formal Shim Verification Formally Verify a Browser?! Q UARK Resources formally verified browser ✔ Shim Security Props 1. Tab isolation 2. Cookie integrity JPEG HTML Decoder Renderer 3. Addr bar correctness Prove code correct JavaScript Interpreter machine checkable proof

  9. Fully Formal Verification

  10. Fully Formal Verification Code in language supporting reasoning

  11. Fully Formal Verification Code Spec logical properties characterizing correctness

  12. Fully Formal Verification Coq Theorem Prover Code Proof Assistant Spec

  13. Fully Formal Verification Coq Theorem Prover Code Proof Assistant Spec interactively show code satisfies specification

  14. Fully Formal Verification Code Proof ML x86 Assistant compile down to Spec machine code

  15. Fully Formal Verification Code Proof ML x86 Assistant Spec Extremely strong guarantees about actual system!

  16. Fully Formal Verification Rewrite entire system! Code Proof ML x86 Assistant Spec

  17. Fully Formal Verification Rewrite entire system! Code Proof ML x86 Assistant Spec Prove every detail correct

  18. Formal Shim Verification Resources ✔ Shim JPEG HTML Decoder Renderer JavaScript Interpreter

  19. Formal Shim Verification Adapt to sandbox Resources request access via shim ✔ Write shim Shim design effective interface Sandbox.. Formally verify shim Untrusted ensure accesses secure Code

  20. Formal Shim Verification Adapt to sandbox Resources request access via shim Key Insight Guarantee sec props for entire system ✔ Write shim Shim design effective interface Only reason about small shim Sandbox.. Radically ease verification burden Formally verify shim Untrusted ensure accesses secure Prove actual code correct Code

  21. Quark: Verified Browser Resources ✔ Shim Sandbox.. Untrusted Code

  22. Quark: Verified Browser Resources ✔ Shim Sandbox.. Untrusted Code

  23. Quark: Verified Browser Resources Net network persistent storage ✔ Shim user interface Sandbox.. Untrusted Code

  24. Quark: Verified Browser Resources Net ✔ Shim Sandbox.. Untrusted Code

  25. Quark: Verified Browser Resources Shim Net Quark browser kernel Quark Kernel ✔ ✔ code, spec, proof in Coq Sandbox.. Untrusted Code

  26. Quark: Verified Browser Resources Shim Net Quark Kernel ✔ ✔ Sandbox.. Untrusted Code

  27. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ browser components run as separate procs Sandbox.. strictly sandboxed Untrusted Code

  28. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ browser components run as separate procs Sandbox.. strictly sandboxed Untrusted Code talk to kernel over pipe

  29. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ two component types Sandbox.. Untrusted Code

  30. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ two component types WebKit modified WebKit, Tab intercept accesses

  31. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ two component types WebKit Tab

  32. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ two component types written in Python, WebKit Cookie manages single domain Manager Tab

  33. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ two component types WebKit tabs cookie managers WebKit Cookie Tab Manager

  34. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ two component types WebKit tabs cookie managers WebKit Cookie WebKit Cookie WebKit Tab Manager Tab Manager Tab several instances each

  35. Quark: Verified Browser Net Quark Kernel ✔ ✔ WebKit Cookie WebKit Cookie WebKit Tab Manager Tab Manager Tab

  36. Quark Kernel: Code, Spec, Proof Quark Kernel ✔

  37. Quark Kernel: Code , Spec, Proof

  38. Quark Kernel: Code , Spec, Proof Definition kstep ...

  39. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := ... kernel state

  40. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); ... Unix-style select to find a component pipe ready to read

  41. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with case: f is user input | Stdin => ... | Tab t => case: f is tab pipe ...

  42. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); ... read command from user over stdin | Tab t => ...

  43. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => ... user wants to create and focus a new tab | ... | Tab t => ...

  44. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => t <- mk_tab(); ... create a new tab | ... | Tab t => ...

  45. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => t <- mk_tab(); write_msg(t, Render); ... | ... tell new tab to | Tab t => render itself ...

  46. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs) | ... | Tab t => return updated state ...

  47. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs) | ... handle other | Tab t => user commands ...

  48. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs) handle requests | ... from tabs | Tab t => ...

  49. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs) | ... | Tab t => ...

  50. Quark Kernel: Code, Spec , Proof

  51. Quark Kernel: Code, Spec , Proof Specify correct behavior wrt syscall seqs read(), write(), open(), write(), ...

  52. Quark Kernel: Code, Spec , Proof Specify correct behavior wrt syscall seqs trace: all syscalls made by Quark kernel during execution

  53. Quark Kernel: Code, Spec , Proof Specify correct behavior wrt syscall seqs kstep() kstep() kstep() kstep()

  54. Quark Kernel: Code, Spec , Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof

  55. Quark Kernel: Code, Spec , Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness

  56. Quark Kernel: Code, Spec , Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain, ... for any trace, tab, where trace is a and domain sequence of syscalls

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mapping the Dutch Critical Infrastructure Razvan C. Oprea Fahime Alizade Supervised by Benno

Mapping the Dutch Critical Infrastructure Razvan C. Oprea Fahime Alizade Supervised by Benno

Mapping the Dutch Critical Infrastructure Razvan C. Oprea Fahime Alizade Supervised by Benno Overeinder Wednesday, July 3, 13 The initial question Critical infrastructure sectors What is the network level representation of the critical

392 views • 24 slides
Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr)

Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr)

Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr) Digital Publishing Summit May 26, 2019 Automated typesetting and pagination for print Make PDF outputs of HTML contents from browsers Flux

823 views • 67 slides
Big data in critical infrastructure: Production and failover infrastructure in DWD's central data

Big data in critical infrastructure: Production and failover infrastructure in DWD's central data

Big data in critical infrastructure: Production and failover infrastructure in DWD's central data management Daniel Lee, German Weather Service (DWD) TI12b Sep. 2015 Agenda 1. DWD's goals 2. Operational systems 3. Technical

556 views • 52 slides
Broadband Infrastructure is Critical Infrastructure Jeff Sobotka VP &amp; State Broadband

Broadband Infrastructure is Critical Infrastructure Jeff Sobotka VP &amp; State Broadband

Broadband Infrastructure is Critical Infrastructure Jeff Sobotka VP &amp; State Broadband Director Definition: Broadband is defined as networks of deployed telecommunications equipment and technologies necessary to provide high-speed

268 views • 15 slides
Infrastructure critical to growth, but continent hampered by limited stocks and high costs

Infrastructure critical to growth, but continent hampered by limited stocks and high costs

Infrastructure critical to growth, but continent hampered by limited stocks and high costs Infrastructure contributed about one percentage point of Africas recent growth spurt Improving all countries infrastructure to level of Mauritius

624 views • 34 slides
Critical Information Infrastructure Protection (CIIP) National Knowledge Network (NKN) Annual

Critical Information Infrastructure Protection (CIIP) National Knowledge Network (NKN) Annual

Critical Information Infrastructure Protection (CIIP) National Knowledge Network (NKN) Annual workshop 17 - 19 Oct 2013, IISc, Bangalore Presentation Outline Government Cyber Security Architecture CII Overview &amp; Definitions Critical

517 views • 20 slides
Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive

Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive

Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive Order 13636 Improving Critical Infrastructure Cybersecurity Kevin Stine National Institute of Standards and Technology Executive Order 13636:

128 views • 11 slides
The cybersecurity dimension of critical [energy] infrastructure it appears that someone found

The cybersecurity dimension of critical [energy] infrastructure it appears that someone found

The cybersecurity dimension of critical [energy] infrastructure it appears that someone found remote access and started tripping breakers. - Scadasec commentator 2015-12-26 Vytautas Butrimas Views expressed in this presentation

376 views • 15 slides
Critical infrastructure, interconnected risks, and resiliency. Why wo(men) should care? FABRIKAM

Critical infrastructure, interconnected risks, and resiliency. Why wo(men) should care? FABRIKAM

Critical infrastructure, interconnected risks, and resiliency. Why wo(men) should care? FABRIKAM RESIDENCES A little bit about me I identify as South-Asian woman from Mumbai, India. I started off in my computer career as a data entry

997 views • 55 slides
Critical Infrastructure Protection and S E N T A I N V U Y High Confidence Adaptive

Critical Infrastructure Protection and S E N T A I N V U Y High Confidence Adaptive

S T A T D E Critical Infrastructure Protection and S E N T A I N V U Y High Confidence Adaptive Software O H F C F R I A C E E S University Research Initiative Program O E F R N L A A V Welcome to the 3 rd

318 views • 14 slides
Broadband: The Critical Infrastructure for Sustainable Prosperity connect &gt; enable &gt;

Broadband: The Critical Infrastructure for Sustainable Prosperity connect &gt; enable &gt;

Broadband: The Critical Infrastructure for Sustainable Prosperity connect &gt; enable &gt; transform Broadband is the principal tool to address our top societal challenges. Some call it a utility, a civic right. National Applications Energy/

884 views • 13 slides
Executive Order 13636: Improving Critical Infrastructure Cybersecurity Cyber-Dependent

Executive Order 13636: Improving Critical Infrastructure Cybersecurity Cyber-Dependent

FOR OFFICIAL USE ONLY Executive Order 13636: Improving Critical Infrastructure Cybersecurity Cyber-Dependent Infrastructure Identification Working Group (CDIIWG) March 11, 2013 FOR OFFICIAL USE ONLY FOR OFFICIAL USE ONLY Agenda 12:30

217 views • 20 slides
chromozoom.org rethinking the UI of genome browsers Ted Pak Roth Laboratory Donnelly Centre,

chromozoom.org rethinking the UI of genome browsers Ted Pak Roth Laboratory Donnelly Centre,

chromozoom.org rethinking the UI of genome browsers Ted Pak Roth Laboratory Donnelly Centre, University of Toronto Samuel Lunenfeld Research Institute, Mt. Sinai Hospital genome browsers: lots of data small viewable area UCSC, GBrowse,

418 views • 24 slides
A proactive and collaborative DDoS mitigation strategy for the Dutch critical infrastructure

A proactive and collaborative DDoS mitigation strategy for the Dutch critical infrastructure

A proactive and collaborative DDoS mitigation strategy for the Dutch critical infrastructure Cristian Hesselman 1 , Jeroen van der Ham 2 , Roland van Rijswijk 3 , Jair Santanna 2 , Aiko Pras 2 1) SIDN Labs, 2) University of Twente, 3) SURFnet

463 views • 10 slides
Critical Infrastructure Cybersecurity Dean Bickerton Standards Certification ISA New Orleans

Critical Infrastructure Cybersecurity Dean Bickerton Standards Certification ISA New Orleans

Framework for Improving Critical Infrastructure Cybersecurity Dean Bickerton Standards Certification ISA New Orleans Education &amp; Training Publishing April 5, 2016 Conferences &amp; Exhibits 1 A Brief Commercial Interruption

507 views • 31 slides
Critical Infrastructure The Honorable Branko Terzic Confidential. Please do not circulate

Critical Infrastructure The Honorable Branko Terzic Confidential. Please do not circulate

TeleGroup INFOSEC Cyber Security in Energy Critical Infrastructure The Honorable Branko Terzic Confidential. Please do not circulate outside your organization without permission. Biography Speaker : Dr. h.c. Branko Terzic Managing Director

532 views • 22 slides
Systematics of quark/gluon tagging Deepak Kar (for the q/g team in Les Houches 2015) Based on:

Systematics of quark/gluon tagging Deepak Kar (for the q/g team in Les Houches 2015) Based on:

Systematics of quark/gluon tagging Deepak Kar (for the q/g team in Les Houches 2015) Based on: arXiv:1605.04692 and work-in-progress MPI@LHC, Chiapas, Mexico 27th November - 2nd December, 2016 Discriminate between From Quantum Diaries 2

500 views • 22 slides
Effective Field Theory and EDMs Vincenzo Cirigliano Los Alamos National Laboratory 1 Lecture

Effective Field Theory and EDMs Vincenzo Cirigliano Los Alamos National Laboratory 1 Lecture

ACFI EDM School November 2016 Effective Field Theory and EDMs Vincenzo Cirigliano Los Alamos National Laboratory 1 Lecture III outline EFT approach to physics beyond the Standard Model Standard Model EFT up to dimension 6: guided tour

735 views • 58 slides
Heavy baryon spectrum new heavy exotics and isospin breaking Marek Karliner with B. Keren-Zur,

Heavy baryon spectrum new heavy exotics and isospin breaking Marek Karliner with B. Keren-Zur,

Heavy baryon spectrum new heavy exotics and isospin breaking Marek Karliner with B. Keren-Zur, H.J. Lipkin, J. Rosner and N. Tornqvist Hadron 2011, Munchen, June 17, 2011 Outline spin-spin interaction between quarks color

866 views • 50 slides
K. V. Gayani Krishanthi 419021422 Professional Project Module GDM 406 xxxx Words 05 April 2015

K. V. Gayani Krishanthi 419021422 Professional Project Module GDM 406 xxxx Words 05 April 2015

The influence of Advertising on Consumer Brand Preference: A study on Anti - bacterial Soaps, Sri Lanka K. V. Gayani Krishanthi 419021422 Professional Project Module GDM 406 xxxx Words 05 April 2015 DECLARATION I declare that this Professional

1.89k views • 86 slides
Neutron star equations of state and quark-hadron continuity T oru Kojo QCD ( C entral C hina N

Neutron star equations of state and quark-hadron continuity T oru Kojo QCD ( C entral C hina N

1/21 XQCD2019 Tokyo, June 24, 2019 Neutron star equations of state and quark-hadron continuity T oru Kojo QCD ( C entral C hina N ormal U niv.) collaborators condensed Astro G. Baym, K. Fukushima, S. Furusawa, T. Hatsuda, matter P.

874 views • 56 slides
Quark matter: the high-density frontier Mark Alford Washington University in St. Louis Outline I

Quark matter: the high-density frontier Mark Alford Washington University in St. Louis Outline I

Quark matter: the high-density frontier Mark Alford Washington University in St. Louis Outline I Quarks at high density Confined, quark-gluon plasma, color superconducting II Color superconducting phases Color-flavor locking (CFL), and beyond

334 views • 31 slides
A strongly coupled view of the quark gluon plasma Jorge Casalderrey-Solana QCD Matters A new

A strongly coupled view of the quark gluon plasma Jorge Casalderrey-Solana QCD Matters A new

A strongly coupled view of the quark gluon plasma Jorge Casalderrey-Solana QCD Matters A new phase: Quark Gluon Plasma Filled the universe s after Big Bang Colour is liberated A gas of quark and gluons phase transition

661 views • 42 slides
An Introduction to Standard Model of Particle Physics Muhammad Alhroob University Of Oklahoma 1

An Introduction to Standard Model of Particle Physics Muhammad Alhroob University Of Oklahoma 1

An Introduction to Standard Model of Particle Physics Muhammad Alhroob University Of Oklahoma 1 Elementary Particles Elementary particles cannot be broken down Truly point like particles Form the basic structure of all matter Are the

433 views • 20 slides

More recommend