code for security
play

Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) - PowerPoint PPT Presentation

Jan 25, 2023 •174 likes •752 views

Thoughts on Retrofitting Legacy Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) Science of Security, ITI (April 2, 2015) Kaminsky scores 23, No. 5 Wisconsin beats Illinois 68-49 Feb 15, 2015 Somesh Jha Retrofitting

  1. Thoughts on Retrofitting Legacy Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) Science of Security, ITI (April 2, 2015)

  2. Kaminsky scores 23, No. 5 Wisconsin beats Illinois 68-49 Feb 15, 2015 Somesh Jha Retrofitting Legacy Code for Security 2

  3. Somesh Jha Retrofitting Legacy Code for Security 3

  4. Threat Landscape: Summary of Symantec Threat Report 2014

  5. Key Findings  91% increase in targeted attacks campaigns in 2013  62% increase in the number of breaches in 2013  Over 552M identities were exposed via breaches in 2013  23 zero-day vulnerabilities discovered  38% of mobile users have experienced mobile cybercrime in past 12 months Somesh Jha Retrofitting Legacy Code for Security 5

  6. Key Findings (Contd.)  Spam volume dropped to 66% of all email traffic  1 in 392 emails contain a phishing attacks  Web-based attacks are up 23%  1 in 8 legitimate websites have a critical vulnerability Somesh Jha Retrofitting Legacy Code for Security 6

  7. What I feel like? Somesh Jha Retrofitting Legacy Code for Security 7

  8. News is Grim  See talks at • DARPA Cyber Colloqium • http://www.darpa.mil/Cyber_Colloqium_Prese ntations.aspx  What do we do? Somesh Jha Retrofitting Legacy Code for Security 8

  9. Clean-slate Design  Rethink the entire system stack  Networks • NSF program o See http://cleanslate.stanford.edu • See DARPA Mission Resilient Clouds (MRC) program  Hosts • DARPA CRASH program Somesh Jha Retrofitting Legacy Code for Security 9

  10. Some Interesting Systems  Operating systems with powerful capabilities • Asbestos, HiStar, Flume • Capsicum • ….  Virtual-machine based • Proxos • Overshadow  Possible to build applications with strong guarantees • Web server : No information flow between threads handling different requests Somesh Jha Retrofitting Legacy Code for Security 10

  11. Two Guiding Principles  Provide powerful primitives at lower levels in the “system stack” • Example: HiStar (information flow labels at the OS level)  Systems will be compromised, but limit the damage • Example: Process can be compromised, but sensitive data cannot be exfiltrated Somesh Jha Retrofitting Legacy Code for Security 11

  12. What happens to all the code?  Should we implement all the code from scratch?  Can we help programmers adapt their code for these new platforms?  Analogy • We have strong foundation • Can we build a strong house on top of it? Somesh Jha Retrofitting Legacy Code for Security 12

  13. Ideal Functionality  Input: functionality/security policy • Output: functional/secure code  Proving safety is “undecidable” • Rice’s theorem (proving any non -trivial property is undecidable)  I think • Synthesis is “relatively hard” o Even if provided with an oracle to prove safety Somesh Jha Retrofitting Legacy Code for Security 13

  14. Retrofitting legacy code Need systematic techniques to retrofit legacy code for security Legacy Retrofitted code code INSECURE SECURE Somesh Jha Retrofitting Legacy Code for Security 14

  15. Premise  Techniques and ideas from • Verification • Static Analysis • …  Can help with this problem Somesh Jha Retrofitting Legacy Code for Security 15

  16. Collaborators and Funding Somesh Jha Retrofitting Legacy Code for Security 16

  17. The Problem Somesh Jha Retrofitting Legacy Code for Security 17

  18. Rewriting Programs for a Capability System [Harris et. al., Oakland 2013]  Basic problem: take an insecure program and a policy, instrument program to invoke OS primitives to satisfy the policy  Key technique: reduce to safety game between program and instrumentation Somesh Jha Retrofitting Legacy Code for Security 18

  19. Capsicum Somesh Jha Retrofitting Legacy Code for Security 19

  20. What is Capsicum?  Capsicum is a lightweight OS capability and sandbox framework developed at the University of Cambridge Computer Laboratory • supported by grants from Google, the FreeBSD Foundation, and DARPA. • Capsicum extends the POSIX API, providing several new OS primitives to support object- capability security on UNIX-like operating systems: Somesh Jha Retrofitting Legacy Code for Security 20

  21. Capsicum  https://www.cl.cam.ac.uk/research/security /capsicum/  The FreeBSD implementation of Capsicum, developed by Robert Watson and Jonathan Anderson, ships out of the box in FreeBSD 10.0 (and as an optionally compiled feature in FreeBSD 9.0, 9.1, and 9.2)  Also available on Linux Somesh Jha Retrofitting Legacy Code for Security 21

  22. Running example: gzip compr(in, out) { body; } gzip() { files = parse_cl; for (f in files) public_leak.com (in, out) = open; compr(in, out); } 22

  23. An Informal Policy for gzip When gzip executes body, it should only be able to read from in and write to out. 23

  24. Capsicum: An OS with Capabilities  Two levels of capability: • High Capability (can open files) • Low Capability (cannot open files)  Rules describing capability: 1. Process initially executes with capability of its parent 2. Process can invoke the drop system call to take Low Capability 24

  25. Securing gzip on Capsicum compr(in, out) { drop(); Low Cap. body; gzip() { } files = parse_cl; for (f in files) public_leak.com High Cap. (in, out) = open; compr(in, out); } 25

  26. Securing gzip on Capsicum compr(in, out) { drop(); Low Cap. body; gzip() { } files = parse_cl; High Cap. for (f in files) High Cap. (in, out) = open; High Cap. compr(in, out); High Cap. } 26

  27. Securing gzip on Capsicum compr(in, out) { drop(); body; gzip() { } files = parse_cl; for (f in files) Low Cap. ≠ High Cap. (in, out) = open; Low Cap. compr(in, out); } 27

  28. Securing gzip on Capsicum compr(in, out) { drop(); body; Low Cap. gzip() { } files = parse_cl; High Cap. for (f in files) High Cap. (in, out) = open; fork_compr(in, out); compr(in, out); High Cap. } 28

  29. Securing gzip on Capsicum compr(in, out) { drop(); Low Cap. body; gzip() { } files = parse_cl; for (f in files) High Cap. (in, out) = open; compr(in, out); fork_compr(in, out); } 29

  30. State of the Art in Rewriting gzip should always execute comp() with low cap, but always Insecure Program open files in main with gzip() { high cap … compr(); Secure Program … gzip() { } … fork_compr(); compr (…) { … } … } compr (…) { drop(); … } Somesh Jha Retrofitting Legacy Code for Security 30

  31. Insights Somesh Jha Retrofitting Legacy Code for Security 31

  32. First Key Insight Policies are not instrumented programs , and they should be explicit. Somesh Jha Retrofitting Legacy Code for Security 32

  33. First Key Insight gzip should always execute compr() with low cap, but always Insecure Program open files in main with gzip() { high cap … compr(); Secure Program … gzip() { } … fork_compr(); compr (…) { … } … } Disallowed Executions compr (…) { .* [ compr() with high cap ] drop(); | .* [ open() with low cap ] … } Somesh Jha Retrofitting Legacy Code for Security 33

  34. Second Key Insight From an insecure program and policy, we can automatically write a secure program by a solving a two-player safety game. [Harris et. al., CAV 2012] Somesh Jha Retrofitting Legacy Code for Security 34

  35. Second Key Insight Insecure Program gzip() { … compr(); Secure Program … gzip() { } … fork_compr(); compr (…) { … } capweave … } Disallowed Executions compr (…) { .* [ compr() with high cap ] drop(); | .* [ open() with low cap ] … } Somesh Jha Retrofitting Legacy Code for Security 35

  36. The Technique Somesh Jha Retrofitting Legacy Code for Security 36

  37. Weaving as a Game Two steps: 1. Model uninstrumented program, policy, and Capsicum as languages/automata 2. From automata, translate weaving problem to a two-player safety game Somesh Jha Retrofitting Legacy Code for Security 37

  38. Step 1: Model  Program is a language over program instructions (Instrs)  Policy is a language of instructions paired with capability (Instrs x Caps)  Capsicum is a transducer from instructions and primitives to capabilities (Instrs U Prims → Caps) Somesh Jha Retrofitting Legacy Code for Security 38

  39. Step 2: Construct a Game  From models, construct a “game” between insecure program and instrumentation  Program plays instructions (Instrs), instrumentation plays primitives (Prims)  Program wins if it generates an execution that violates the policy Somesh Jha Retrofitting Legacy Code for Security 39

  40. Safety Games: A Primer Two players: Attacker and Defender Play: Attacker and Defender choose actions in alternation Player goals:  Attacker: generate a play accepted by the game  Defender: thwart the Attacker Somesh Jha Retrofitting Legacy Code for Security 40

  41. parse_cl call compr noop drop noop drop body open open body fork noop ret compr join loop 41

  42. parse_cl call compr noop drop noop drop body open open body fork noop ret compr join loop 42

  43. Winning Strategy Winning strategy: choices that a player can make to always win a game

  44. parse_cl call compr noop drop noop drop body open open body fork noop join ret compr loop 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code Regardless of user running the code Regardless of whether the code is in the same application with other code Other code can be more, less, or

695 views • 21 slides
Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Cambridge Innovation Centre Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas Gutmann, Steven J. Mudoch, WAY19 | @kryptoandi PLEASE RAISE YOUR HAND Have you ever received a security code via SMS

289 views • 24 slides
Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code Analyzer for Security Static Code Analyzer for Security (HP Fortify SCA) C/C++ Java Vulnerabilities LLVM Language independent Services C/C++ Swift

325 views • 31 slides
Model-based Security Engineering: Models vs. Code Jan Jrjens Department of Computing The

Model-based Security Engineering: Models vs. Code Jan Jrjens Department of Computing The

Model-based Security Engineering: Models vs. Code Jan Jrjens Department of Computing The Open University, GB http://www.umlsec.org Challenge: Security Security is holistic property: Attackers often circumvent (not: break) mechanisms.

639 views • 36 slides
Inject Security into Source Code How 2018 Will Shift Your Security Priorities Panelists F a

Inject Security into Source Code How 2018 Will Shift Your Security Priorities Panelists F a

Inject Security into Source Code How 2018 Will Shift Your Security Priorities Panelists F a rsha d Ab a si, CT O Mira i Se c urity Ja c e k Ma te rna , CT O Asse mb la Je ff Ro use , Dir. Pro duc t Ma na g e me nt Ac tive Sta te Wher e

772 views • 50 slides
80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

Slammer s Bandwidth-Limited Growth 80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up due to released Jan 2004 Nimda endemic dies off released with Oct. onset of Blaster (and 2005; not since

450 views • 34 slides
High System-Code Security with Low Overhead Jonas Wagner, Volodymyr Kuznetsov, George Candea, and

High System-Code Security with Low Overhead Jonas Wagner, Volodymyr Kuznetsov, George Candea, and

High System-Code Security with Low Overhead Jonas Wagner, Volodymyr Kuznetsov, George Candea, and Johannes Kinder cole Polytechnique Fdrale Royal Holloway, de Lausanne University of London High System-Code Security? Todays so fu ware

600 views • 35 slides
Small Is Beautiful How to improve security by maintaining less code About Me Natalie Silvanovich

Small Is Beautiful How to improve security by maintaining less code About Me Natalie Silvanovich

Small Is Beautiful How to improve security by maintaining less code About Me Natalie Silvanovich AKA natashenka Project Zero member Previously did mobile security on Android and BlackBerry Defensive-turned-offensive researcher

799 views • 53 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
CORE Security and WPI Joint Project Project Goal Take the techniques that make games easy to use

CORE Security and WPI Joint Project Project Goal Take the techniques that make games easy to use

CORE Security and WPI Joint Project Project Goal Take the techniques that make games easy to use and apply them to professional security software. The Team Eric - Code Mike Code AJ - Code - CONFIDENTIAL - Professor Shue Professor

344 views • 18 slides
How to Backdoor Invulnerable Code Josh Schwartz, Director of Offensive Security @Salesforce

How to Backdoor Invulnerable Code Josh Schwartz, Director of Offensive Security @Salesforce

How to Backdoor Invulnerable Code Josh Schwartz, Director of Offensive Security @Salesforce Bio Offensive Security aka Red Team at Salesforce Realistic Adversary Simulation Security Change Catalyst Im a hacker, rule

1.03k views • 84 slides
Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

5/18/2018 Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity of our software and systems 12B. Authentication millions of lines of code, thousands of developers rich and powerful protocols

374 views • 9 slides
Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

5/24/2017 Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity of our software and systems 12B. Authentication millions of lines of code, thousands of developers rich and powerful protocols

533 views • 14 slides
An Empirical Security Study of An Empirical Security Study of the Native Code in the JDK the

An Empirical Security Study of An Empirical Security Study of the Native Code in the JDK the

An Empirical Security Study of An Empirical Security Study of the Native Code in the JDK the Native Code in the JDK Gang Tan, Boston College Lehigh University Jason Croft Boston College Jason Croft, Boston College J Java Security S i

817 views • 29 slides
Cryptographic Security for Mobile Code Sean Kugele CS 6204, Spring 2005 1 Mobile Code A

Cryptographic Security for Mobile Code Sean Kugele CS 6204, Spring 2005 1 Mobile Code A

Cryptographic Security for Mobile Code Sean Kugele CS 6204, Spring 2005 1 Mobile Code A program produced by one entity, called the originator, and transferred to a different entity, called the host, where it is immediately executed

601 views • 23 slides
Peter Cramton, Maryland / EUI / Cologne with David MacKay, Axel Ockenfels, and Steven Stoft 14

Peter Cramton, Maryland / EUI / Cologne with David MacKay, Axel Ockenfels, and Steven Stoft 14

Peter Cramton, Maryland / EUI / Cologne with David MacKay, Axel Ockenfels, and Steven Stoft 14 December 2015 Symposium: International Climate Negotiations Cramton, Ockenfels, Stoft (eds.), Gollier, Stiglitz, Tirole, Weitzman Economics of Energy

749 views • 51 slides
Understanding the Limitations and Improving the Relevance of SPICE Simulations in Security

Understanding the Limitations and Improving the Relevance of SPICE Simulations in Security

Understanding the Limitations and Improving the Relevance of SPICE Simulations in Security Evaluations Dina Kamel, Mathieu Renauld, Denis Flandre, Franois-Xavier Standaert UCL Crypto Group PROOFS 2013 Santa Barbara, USA The cryptographic HW

584 views • 22 slides
Navigating Immigration David Wilks February 26, 2020 Fou ounded ded A BOUT H ODGSON R USS

Navigating Immigration David Wilks February 26, 2020 Fou ounded ded A BOUT H ODGSON R USS

Navigating Immigration David Wilks February 26, 2020 Fou ounded ded A BOUT H ODGSON R USS 1817 1817 Two Centuries of Experience Offices throughout New York State, as well as in Toronto and Florida Seven dedicated immigration

417 views • 26 slides
The 2014 CAP Undergraduate Lecture Tour Celebrating and promoting: Current developments in

The 2014 CAP Undergraduate Lecture Tour Celebrating and promoting: Current developments in

The Canadian Association of L'Association canadienne des Physicists physiciens et physiciennes The 2014 CAP Undergraduate Lecture Tour Celebrating and promoting: Current developments in physics Physics research and education in

1.27k views • 116 slides
CONSOLIDATED ANNUAL PERFORMANCE AND EVALUATION REPORT (CAPER) Public Hearing May 23, 2019,

CONSOLIDATED ANNUAL PERFORMANCE AND EVALUATION REPORT (CAPER) Public Hearing May 23, 2019,

CONSOLIDATED ANNUAL PERFORMANCE AND EVALUATION REPORT (CAPER) Public Hearing May 23, 2019, 10:00 am Harris County Community Services Department (HCCSD) WHAT IS THE CAPER Consolidated Annual Performance and Evaluation Report (CAPER) is

305 views • 5 slides
2018 NC ESG QPR Tutorial Introduction Rec ecurrin ing Q uarterly Kim Cra Crawford P

2018 NC ESG QPR Tutorial Introduction Rec ecurrin ing Q uarterly Kim Cra Crawford P

2018 NC ESG QPR Tutorial Introduction Rec ecurrin ing Q uarterly Kim Cra Crawford P erformance Ch Chris is Ba Battle Eva valuativ ive R eport Co Consis istent Be Ben Bra Bradley Project Specialist Goals Quarterly Perf

606 views • 22 slides
Plan for HUD Entitlement Funding 2017 Draft Action Plan for HUD Entitlement Funds 1 st Public

Plan for HUD Entitlement Funding 2017 Draft Action Plan for HUD Entitlement Funds 1 st Public

Mount Vernon Draft Annual Action Plan for HUD Entitlement Funding 2017 Draft Action Plan for HUD Entitlement Funds 1 st Public Hearing July 29, 2017 Mount Vernon Public Library 1 2017 Action Plan for HUD Entitlement Funds What is the Purpose

261 views • 10 slides
Whats Working? Affordable Housing Systems in Washington County Consolidated Plan 2020-2024

Whats Working? Affordable Housing Systems in Washington County Consolidated Plan 2020-2024

Whats Working? Affordable Housing Systems in Washington County Consolidated Plan 2020-2024 The Consolidated Plan is a planning mechanism designed to help States and local governments to assess their affordable housing and community

297 views • 15 slides

More recommend