Compile-time detection of machine image sniping - Martin Kellogg - PowerPoint PPT Presentation


SLIDE 1

Compile-time detection of machine image sniping

Martin Kellogg

University of Washington

SLIDES 2-5

What is a machine image?

[figure: a cloud computer asks "What software to run?"; the answer ("This software!") is the "machine image"]

SLIDE 6 (built up through slide 9)

How to choose a machine image:

Look it up in a repository.

  • By unique id:

    aws ec2 describe-images --image-ids ami-5731123e

  • By owner and name:

    aws ec2 describe-images --owners myOrg \
        --filters "Name=name,Values=ubuntu16.04-*"

  • By name alone:

    aws ec2 describe-images \
        --filters "Name=name,Values=ubuntu16.04-*"

[slide 9 adds an X mark]

SLIDES 10-14

This isn’t hypothetical...

    DescribeImagesRequest request = new DescribeImagesRequest();
    request.withFilters(new Filter("name", "RHEL-7.5_HVM_GA"));
    api.describeImages(request);

[X] Unsafe: returns all images with that name from public repo!

SLIDE 15

How to make this client safe?

    DescribeImagesRequest request = new DescribeImagesRequest();
    request.withFilters(new Filter("name", "RHEL-7.5_HVM_GA"));
    api.describeImages(request);

SLIDE 16

How to make this client safe?

    DescribeImagesRequest request = new DescribeImagesRequest();
    request.withFilters(new Filter("name", "RHEL-7.5_HVM_GA"));
    request.withOwners("myOrg");
    api.describeImages(request);

SLIDES 17-21

How to prove this safe?

A traditional approach: typestate

[figure: state machine whose transitions are labelled withImageIds() and withOwners()]

  • create a finite state machine for each object
  • on method calls, transition the state machine
  • only permit certain calls in certain states
  • use alias analysis to ensure all copies are in same state

SLIDE 22

Advantages of a type system

  • still provides a proof
  • modular ⇒ scalable
  • no alias analysis ⇒ cheap

SLIDE 23

Specifying describeImages()

    DescribeImageResponse describeImages(
            @CalledMethods("withImageIds || withOwners") DescribeImageRequest request) { … }

SLIDE 24

Type hierarchy (listed from top to bottom)

    @CalledMethods({}) Object
    @CalledMethods({"foo"}) Object
    @CalledMethods({"foo", "bar"}) Object

SLIDE 25

Experimental results

  No. projects      548
  Source LoC        9.2M
  True positives    14
  False positives   3

SLIDE 26

Example: Netflix/SimianArmy

    public List<Image> describeImages(String... imageIds) {
        DescribeImagesRequest request = new DescribeImagesRequest();
        if (imageIds != null) {
            request.setImageIds(Arrays.asList(imageIds));
        }
        DescribeImagesResult result = ec2client.describeImages(request);
        return result.getImages();
    }

SLIDES 27-28

Accumulation analysis

  • Our type system accumulates method calls

Insight: can generalize to any analysis that accumulates something

SLIDES 29-31

Accumulation analyses

  • machine sniping (this talk!)
  • the builder pattern
  • dependency injection providers

SLIDE 32

Contributions

  • Accumulation analysis can detect machine-image sniping vulnerabilities -- and more
  • Experiments that show:
    ○ those vulnerabilities exist in practice, and
    ○ we can find them!


SLIDE 34

Lombok/AutoValue builders

Lombok and AutoValue generate builder implementations from structs.
Fields can be marked @NonNull; NPE if the corresponding setter isn’t called.

SLIDE 35

Lombok/AutoValue builders

    @Builder
    public class UserIdentity {
        private final @NonNull String name;
        private final @NonNull String displayName;
        private final @NonNull ByteArray id;
    }

SLIDES 36-37

Lombok/AutoValue builders

    UserIdentity identity = UserIdentity.builder()
        .name(username)
        .displayName(displayName)
        .id(generateRandom(32))
        .build();

SLIDES 38-39

Lombok/AutoValue builders

    UserIdentity identity = UserIdentity.builder()
        .name(username)
        //.displayName(displayName)
        .id(generateRandom(32))
        .build();

[slide 39 adds an X mark]
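To show what the accumulation analysis on these slides actually computes, here is an added toy version in Python (not the talk's code and not the Checker Framework's): it tracks the set of methods definitely called on each variable, intersects that set where two branches join, and checks the describeImages() specification from slide 23 against the name-only client (slide 14), its fixed form (slide 16) and the Netflix/SimianArmy method (slide 26), then reuses the same machinery for the Lombok builder with the commented-out setter (slides 38-39). The statement encoding, the predicate syntax and the setImageIds alias added to the spec are assumptions of this example.

```python
# Added example (not from the talk): a toy accumulation analysis in the style of
# the Called Methods type system. Statement shapes, predicate syntax and the
# set* alias in the describeImages spec are assumptions of this example.

def satisfied(predicate, called):
    """Evaluate "withImageIds || withOwners" or "name && displayName && id"
    over the set of methods definitely called."""
    return any(all(m.strip() in called for m in conj.split("&&"))
               for conj in predicate.split("||"))

def analyze(stmts, state=None, errors=None):
    """Abstract interpretation; returns (state, errors). state maps a variable
    to the frozenset of methods DEFINITELY called on it (slide 24: more calls =
    subtype). Statements: ("new", v), ("call", v, m), ("if", then, else),
    ("use", v, predicate) = pass v to a @CalledMethods(predicate) parameter."""
    state = dict(state or {})
    errors = errors if errors is not None else []
    for stmt in stmts:
        if stmt[0] == "new":
            state[stmt[1]] = frozenset()                    # nothing called yet
        elif stmt[0] == "call":
            state[stmt[1]] = state[stmt[1]] | {stmt[2]}     # accumulate the call
        elif stmt[0] == "if":
            s1, _ = analyze(stmt[1], state, errors)
            s2, _ = analyze(stmt[2], state, errors)
            # join = intersection: a call counts only if both paths made it
            state = {v: s1.get(v, frozenset()) & s2.get(v, frozenset())
                     for v in set(s1) | set(s2)}
        elif stmt[0] == "use" and not satisfied(stmt[2], state[stmt[1]]):
            errors.append(f"{stmt[1]}: requires {stmt[2]!r}, only "
                          f"{sorted(state[stmt[1]])} definitely called")
    return state, errors

# Spec for describeImages() (slide 23), widened with the set* alias SimianArmy uses.
DESCRIBE = "withImageIds || setImageIds || withOwners"
# Slide 14: filter by name only, no owner or id -> reported.
UNSAFE = [("new", "request"), ("call", "request", "withFilters"),
          ("use", "request", DESCRIBE)]
# Slide 16: same client after withOwners("myOrg") is added -> verified.
SAFE = UNSAFE[:2] + [("call", "request", "withOwners"), UNSAFE[2]]
# Slide 26 (Netflix/SimianArmy): setImageIds only on one branch -> reported at join.
SIMIAN = [("new", "request"), ("if", [("call", "request", "setImageIds")], []),
          ("use", "request", DESCRIBE)]
# Slides 38-39: Lombok builder with .displayName(...) commented out -> reported.
LOMBOK = [("new", "b"), ("call", "b", "name"), ("call", "b", "id"),
          ("use", "b", "name && displayName && id")]

if __name__ == "__main__":
    for name, prog in [("unsafe", UNSAFE), ("safe", SAFE), ("simian", SIMIAN), ("lombok", LOMBOK)]:
        print(name, analyze(prog)[1] or "verified")
```

Because the join is an intersection, the SimianArmy case is reported even though one path does call setImageIds, which is exactly why a flow-sensitive accumulation analysis needs no alias analysis to stay sound.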

SLIDE 40

Lombok user study

6 industrial developers with Java + Lombok experience
Task: add a new @NonNull field to a builder, and update all call sites
Results:

  • 6/6 succeeded with our tool, only 3/6 without
  • Those who succeeded at both 1.5x faster with our tool
  • “It was easier to have the tool report issues at compile time”

SLIDE 41

Lombok/AutoValue case studies

5 projects: 2 Lombok, 3 AutoValue (~500k sloc)
563 calls verified, 1 true positive (google/gapic-generator)
110 annotations, 19 false positives