micro policies
play

Micro-Policies Formally Verified, Tag-Based Security Monitors - PowerPoint PPT Presentation

Oct 17, 2023 •96 likes •900 views

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime Dns Nick Giannarakis Ctlin Hricu Benjamin C. Pierce Antal Spector-Zabusky Andrew Tolmach May 20, 2015 1 How can we design secure

  1. Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime Dénès Nick Giannarakis Cătălin Hrițcu Benjamin C. Pierce Antal Spector-Zabusky Andrew Tolmach May 20, 2015 1

  2. How can we design secure systems? 2

  3. One approach: reference monitors 3

  4. ! 4

  5. ! 4

  6. ! 4

  7. ! 4

  8. ! 4

  9. ! OK 4

  10. ! 4

  11. ! 4

  12. ! 4

  13. But there is a problem… 5

  14. …they are slow 6

  15. Idea: hardware support for reference monitors 7

  16. But… 8

  17. But… 8

  18. But… 8

  19. But… 8

  20. But… 8

  21. !’ What if a new threat appears? 9

  22. Micro-Policies 10

  23. 11

  24. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  25. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  26. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  27. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  28. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  29. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  30. Micro-policy specification Compartments CFI machine-checked proof Micro-policy programming model Memory Sealing safety 12

  31. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  32. Micro-policy specification Compartments CFI Micro-policy programming model supported by Memory Sealing safety PUMP (Programmable Unit for Metadata Processing) 12

  33. Micro-policy specification typically < 10% runtime overhead Compartments CFI (ASPLOS ’15) Micro-policy programming model supported by Memory Sealing safety PUMP (Programmable Unit for Metadata Processing) 12

  34. Programming model 13

  35. …but too powerful for efficient support General monitors Inspect program state arbitrarily 14

  36. General monitors Inspect program state arbitrarily …but too powerful for efficient support 14

  37. Insight: monitors as computation on metadata 15

  38. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop Memory r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload Registers 16

  39. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  40. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  41. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag Chosen by payload policy designer 16

  42. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 Arbitrarily complex tag Chosen by payload (e.g. pointers to policy designer data structures) 16

  43. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  44. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  45. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  46. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  47. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  48. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  49. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  50. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  51. Is it flexible? 17

  52. Control-flow integrity Compartmentalization (à la Wahbe et al.’s SFI) Heap memory safety Dynamic sealing 18

  53. Example: CFI 19

  54. 1729 Data add r1 r2 r3 Code bnz r3 8 Code jump r4 Code bnz r5 8 Code sub r1 r2 r1 Code add r3 r4 r4 Code {InstTag = Data } → {Inst = Store , Mem = Code } → 20

  55. 1729 Data add r1 r2 r3 Code bnz r3 8 Code jump r4 Code bnz r5 8 Code sub r1 r2 r1 Code add r3 r4 r4 Code {InstTag = Data } → {Inst = Store , Mem = Code } → 20

  56. 1729 Data 1 add r1 r2 r3 Code bnz r3 8 Code jump r4 Code 2 4 {Pc = 4 , InstTag = Code 5 } → OK bnz r5 8 Code {Pc = 1 , InstTag = Code 5 } → sub r1 r2 r1 Code 3 5 add r3 r4 r4 Code 6 CFG pc 1 20

  57. 1729 Data 1 add r1 r2 r3 Code 1 bnz r3 8 Code 2 jump r4 Code 3 2 4 {Pc = 4 , InstTag = Code 5 } → OK bnz r5 8 Code 4 {Pc = 1 , InstTag = Code 5 } → sub r1 r2 r1 Code 5 3 5 add r3 r4 r4 Code 6 6 pc 1 20

  58. 1729 Data 1 add r1 r2 r3 Code 1 bnz r3 8 Code 2 jump r4 Code 3 2 4 {Pc = 4 , InstTag = Code 5 } → OK bnz r5 8 Code 4 {Pc = 1 , InstTag = Code 5 } → sub r1 r2 r1 Code 5 3 5 add r3 r4 r4 Code 6 Previous instruction id 6 pc 1 20

  59. 1729 Data 1 add r1 r2 r3 Code 1 bnz r3 8 Code 2 jump r4 Code 3 2 4 {Pc = 4 , InstTag = Code 5 } → OK bnz r5 8 Code 4 {Pc = 1 , InstTag = Code 5 } → sub r1 r2 r1 Code 5 3 5 add r3 r4 r4 Code 6 6 pc 1 20

  60. Is it secure? 21

  61. Inductive cfi_tag := Inductive value := | Data : cfi_tag | Int : int → value | Code : id → cfi_tag. | Ptr : region → int → value. Variable cfg : id → id → bool. Definition add v1 v2 := Memory-safe Abadi et al.’s match v1, v2 with Definition cfi_monitor tags := abstract machine | Int n, Int m ⇒ Some (Int (n + m)) match pc_tag tags, ci_tag tags with CFI property Higher-level | Ptr r off, Int n | n, Code m ⇒ if cfg n m then Some m Inductive nat := Micro-policy specification abstract machine | Int n, Ptr r off ⇒ Some (Ptr r (off + n)) else None | O : nat Model of simplified | _, _ ⇒ None | _, _ ⇒ None | S : nat → nat. Micro-policy programming model RISC processor end. end. Fixpoint add n m := match n with Lemma addn0 : ∀ n, add n O = n. | O ⇒ m Proof. (* ... *) Qed. | S n ⇒ S (add n m) end. Memory CFI safety Threat model Not modeled Attacker controls DMA, virtual input, but has no memory, timing, physical access … 22

  62. Inductive cfi_tag := Inductive value := | Data : cfi_tag | Int : int → value | Code : id → cfi_tag. | Ptr : region → int → value. Variable cfg : id → id → bool. Definition add v1 v2 := Memory-safe Abadi et al.’s match v1, v2 with Definition cfi_monitor tags := abstract machine | Int n, Int m ⇒ Some (Int (n + m)) match pc_tag tags, ci_tag tags with CFI property Higher-level | Ptr r off, Int n | n, Code m ⇒ if cfg n m then Some m Inductive nat := Micro-policy specification abstract machine | Int n, Ptr r off ⇒ Some (Ptr r (off + n)) else None | O : nat Model of simplified | _, _ ⇒ None | _, _ ⇒ None | S : nat → nat. Micro-policy programming model RISC processor end. end. Fixpoint add n m := match n with Lemma addn0 : ∀ n, add n O = n. | O ⇒ m Proof. (* ... *) Qed. | S n ⇒ S (add n m) end. Memory CFI safety Threat model Not modeled Attacker controls DMA, virtual …and proofs input, but has no Mathematical memory, timing, about them physical access definitions… … 22

  63. Inductive cfi_tag := Inductive value := | Data : cfi_tag | Int : int → value | Code : id → cfi_tag. | Ptr : region → int → value. Variable cfg : id → id → bool. Definition add v1 v2 := Memory-safe Abadi et al.’s match v1, v2 with Definition cfi_monitor tags := abstract machine | Int n, Int m ⇒ Some (Int (n + m)) match pc_tag tags, ci_tag tags with CFI property Higher-level | Ptr r off, Int n | n, Code m ⇒ if cfg n m then Some m Inductive nat := Micro-policy specification abstract machine | Int n, Ptr r off ⇒ Some (Ptr r (off + n)) else None | O : nat Model of simplified | _, _ ⇒ None | _, _ ⇒ None | S : nat → nat. Micro-policy programming model RISC processor end. end. Fixpoint add n m := match n with Lemma addn0 : ∀ n, add n O = n. | O ⇒ m Proof. (* ... *) Qed. | S n ⇒ S (add n m) end. Memory CFI safety Threat model Not modeled Attacker controls DMA, virtual input, but has no memory, timing, physical access … 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

From Tap Water to Marine Organisms: a Micro-Spectroscopic Approach to Micro-Plastic

From Tap Water to Marine Organisms: a Micro-Spectroscopic Approach to Micro-Plastic

From Tap Water to Marine Organisms: a Micro-Spectroscopic Approach to Micro-Plastic Characterization The world leader in serving science Proprietary &amp; Confidential Micro-Plastics What are they? A micro-plastic is a small piece of

319 views • 31 slides
Trading Space for Place Micro-Loft Case Studies WHAT IS A MICRO-LOFT? Micro-Lofts are rental or

Trading Space for Place Micro-Loft Case Studies WHAT IS A MICRO-LOFT? Micro-Lofts are rental or

CANADIAN APARTMENT INVESTMENT CONFERENCE Trading Space for Place Micro-Loft Case Studies WHAT IS A MICRO-LOFT? Micro-Lofts are rental or condominium homes that are smaller than typical for a given market. Apart from the small unit size,

551 views • 34 slides
MICRO STANDING OFFER PROGRAM (MICRO-SOP) JUNE 9 VANCOUVER MEETING AND JUNE 10 WEBINAR June 9

MICRO STANDING OFFER PROGRAM (MICRO-SOP) JUNE 9 VANCOUVER MEETING AND JUNE 10 WEBINAR June 9

MICRO STANDING OFFER PROGRAM (MICRO-SOP) JUNE 9 VANCOUVER MEETING AND JUNE 10 WEBINAR June 9 /10, 2014 MICRO-SOP OVERVIEW AGENDA BC Hydro Offers for Small, Clean Energy Projects What is the Micro-SOP? Engagement Overview Key

565 views • 19 slides
Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security!

Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security!

Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security! Cryptography Passwords Information Flow Policies Privileged Rings ASLR Virtual Machines and confinement Javascript

891 views • 59 slides
The Anatomy Of An API MacSysAdmin 2020 Charles Edge Software Is Just A Collection of

The Anatomy Of An API MacSysAdmin 2020 Charles Edge Software Is Just A Collection of

The Anatomy Of An API MacSysAdmin 2020 Charles Edge Software Is Just A Collection of Interconnected API Endpoints Microservices Monoliths Data UI Access Layer Business Logic Microservices UI Micro- Micro- Micro- Micro- Micro-

541 views • 53 slides
SiPINTAR - A Case Study of Hybrid Product between Asuransiku (Micro Insurance) and Emasku (Micro

SiPINTAR - A Case Study of Hybrid Product between Asuransiku (Micro Insurance) and Emasku (Micro

SiPINTAR - A Case Study of Hybrid Product between Asuransiku (Micro Insurance) and Emasku (Micro Investment) as Part of National Strategy for Financial Inclusion in Indonesia Jakub Nugraha Micro Insurance Division and Agriculture Insurance Dept

618 views • 25 slides
09/06/2017 Micro-structure and micro-mechanics of Disclosures and acknowledgements breast

09/06/2017 Micro-structure and micro-mechanics of Disclosures and acknowledgements breast

09/06/2017 Micro-structure and micro-mechanics of Disclosures and acknowledgements breast density James McConnell Charles Streuli Mike Sherratt, University of Manchester Sue Astley Contents X-rays 1. Physics of X-ray/tissue interaction a.

309 views • 15 slides
BBC micro:bit challenges for implementing Digital Technologies in primary years About the

BBC micro:bit challenges for implementing Digital Technologies in primary years About the

BBC micro:bit challenges for implementing Digital Technologies in primary years About the BBC:microbit The micro:bit is a handheld, small, fully programmable Physical BBC micro:bit computer that you can use to create simple games, sense the

469 views • 15 slides
Introduction to writing and debugging micro- services mwan@diceresearch.org 1 Micro-service

Introduction to writing and debugging micro- services mwan@diceresearch.org 1 Micro-service

Introduction to writing and debugging micro- services mwan@diceresearch.org 1 Micro-service Input/output parameters Prototype of a micro-service int findObjType ( msParam_t *objInput , msParam_t *typeOutput , ruleExecInfo_t *rei );

498 views • 16 slides
A Micro Crowdsourcing Architecture to Localize A Micro Crowdsourcing Architecture to Localize Web

A Micro Crowdsourcing Architecture to Localize A Micro Crowdsourcing Architecture to Localize Web

A Micro Crowdsourcing Architecture to Localize A Micro Crowdsourcing Architecture to Localize Web Content for Less-Resourced Languages Asanka Wasala Chris Exton Ruvan Weerasinghe Reinhard Schler Adapted from:

504 views • 31 slides
Micro-frontends Architecture @lucamezzalira 1 Ciao :) Luca Mezzalira VP of Architecture at

Micro-frontends Architecture @lucamezzalira 1 Ciao :) Luca Mezzalira VP of Architecture at

Micro-frontends Architecture @lucamezzalira 1 Ciao :) Luca Mezzalira VP of Architecture at DAZN Google Developer Expert London Javascript Community Manager 2 Agenda 1. From monolith to micro 2. What is a Micro-frontend? 3. Technical

687 views • 37 slides
Micro Content, Chatbots, and Machine Learning What do they mean for Technical Authoring?

Micro Content, Chatbots, and Machine Learning What do they mean for Technical Authoring?

Micro Content, Chatbots, and Machine Learning What do they mean for Technical Authoring? PRESENTED BY Mike Hamilton V.P. Product Evangelism MadCap Software Agenda Micro Content Definition Attributes A Micro Content Strategy

816 views • 48 slides
iRODS Micro-Services Reagan Moore {moore, sekar, mwan, schroeder, bzhu, ptooby, antoine,

iRODS Micro-Services Reagan Moore {moore, sekar, mwan, schroeder, bzhu, ptooby, antoine,

iRODS Micro-Services Reagan Moore {moore, sekar, mwan, schroeder, bzhu, ptooby, antoine, sheauc}@diceresearch.org {chienyi, marciano, michael_conway}@email.unc.edu 1 Implications iRODS policies are enforced at the remote storage location

151 views • 14 slides
Micro Markets The New Breakroom Experience Outline What is a Micro Market? Employee Benefits

Micro Markets The New Breakroom Experience Outline What is a Micro Market? Employee Benefits

Micro Markets The New Breakroom Experience Outline What is a Micro Market? Employee Benefits Unique Features Customizable Layouts Basic Requirements Your Workplace Deserves A Better Breakroom Did You Know? A well-stocked break room leads to

428 views • 19 slides
An Integrated micro-macro firms distress model based on payments network Micro Financial

An Integrated micro-macro firms distress model based on payments network Micro Financial

Outline Introduction Micro-financial stress test A preliminary analysis An Integrated micro-macro firms distress model based on payments network Micro Financial Stress Test Guy Kelman 1 Marco Lamieri 2 Volker Nannen 3 Sorin Solomon 1 1

494 views • 27 slides
Pollution, fertility and public policies Luca Gori * and Mauro Sodini * Kyiv, Ukraine, NED 2019,

Pollution, fertility and public policies Luca Gori * and Mauro Sodini * Kyiv, Ukraine, NED 2019,

Pollution, fertility and public policies Luca Gori * and Mauro Sodini * Kyiv, Ukraine, NED 2019, September 09 th , 2016 * University of Pisa Motivations Micro and Macro founded model to study the relationship between (some) economic and

833 views • 24 slides
Luca Cardelli and the Early Evolution of ML David MacQueen Abstract Luca Cardelli has made an

Luca Cardelli and the Early Evolution of ML David MacQueen Abstract Luca Cardelli has made an

Luca Cardelli and the Early Evolution of ML David MacQueen Abstract Luca Cardelli has made an enormous range of contributions, but the focus of this paper is the beginning of his career and, in particular, his role in the early development of

746 views • 13 slides
Attempts to A means of formal and exact communication define a between humans Programming

Attempts to A means of formal and exact communication define a between humans Programming

A tool for humans to tell the computer what to do Attempts to A means of formal and exact communication define a between humans Programming A way of describing an abstract machine Language A way of describing computation that

478 views • 10 slides
A Functional Correspondence between Evaluators and Abstract Machines Mads Sig Ager, Dariusz

A Functional Correspondence between Evaluators and Abstract Machines Mads Sig Ager, Dariusz

A Functional Correspondence between Evaluators and Abstract Machines Mads Sig Ager, Dariusz Biernacki, Olivier Danvy , and Jan Midtgaard BRICS, University of Aarhus, Denmark BRICS Nottingham, March 28, 2003 1 Our message A correspondence

560 views • 27 slides
An Abstract Machine for Concurrent Haskell with Futures David Sabel Goethe-University, Frankfurt

An Abstract Machine for Concurrent Haskell with Futures David Sabel Goethe-University, Frankfurt

An Abstract Machine for Concurrent Haskell with Futures David Sabel Goethe-University, Frankfurt am Main, Germany ATPS12, Berlin, Germany 1 Introduction Calculus CHF Equivalence Abstract Machines Conclusion Motivation Concurrent

423 views • 21 slides
1 Model of OO Computation: Transitions Model of OO Computation: Transitions cont. Let cs = (sh,

1 Model of OO Computation: Transitions Model of OO Computation: Transitions cont. Let cs = (sh,

Eiffel Approach to @pre/old Restrict post-conditions to formulas of the form: t [ (t 1 )@pre/x 1 ,..., (t n )@pre/x n ] An Abstract Machine for the Old Compute and save values of t 1 ,..., t n when the constrained Value Retrieval method

244 views • 3 slides
AM A O SAbstract Machine for Xcerpt Principles Architecture PPSWR 06, Budva,

AM A O SAbstract Machine for Xcerpt Principles Architecture PPSWR 06, Budva,

AM A O SAbstract Machine for Xcerpt Principles Architecture PPSWR 06, Budva, Montenegro, June 11th, 2006 Franois Bry, Tim Furche , Benedikt Linse Abstract Machine(s) Definition and Variants abstract machine :=

339 views • 21 slides
Construction of a Semantic Model Construction of a Semantic Model for a Typed Assembly Language

Construction of a Semantic Model Construction of a Semantic Model for a Typed Assembly Language

Construction of a Semantic Model Construction of a Semantic Model for a Typed Assembly Language Gang Tan, Andrew Appel, Kedar Swadi and Dinghao Wu Princeton University Jan 11, 2004 Extensible systems Extensible systems code extensions host

228 views • 22 slides
Refunctionalization at Work Olivier Danvy University of Aarhus, Denmark (danvy@daimi.au.dk)

Refunctionalization at Work Olivier Danvy University of Aarhus, Denmark (danvy@daimi.au.dk)

Refunctionalization at Work Olivier Danvy University of Aarhus, Denmark (danvy@daimi.au.dk) MPC06 July 3, 2006 1 Defunctionalization: a change of representation Enumerate inhabitants of function space. Represent function space as

920 views • 69 slides

More recommend