secure programs via game based synthesis
play

Secure Programs via Game-based Synthesis Somesh Jha, Tom Reps, and - PowerPoint PPT Presentation

Apr 03, 2023 •308 likes •2.28k views

Secure Programs via Game-based Synthesis Somesh Jha, Tom Reps, and Bill Harris 1 Tuesday, October 22, 13 One-slide summary Secure programming on a conventional OS is intractable Privilege-aware OSs take secure programming from

  1. Capsicum Challenges Not Appearing in This Talk • Program can construct capability from each UNIX descriptor • Capability has a vector of 63 access rights (~1 for every system call on a descriptor) • Programs can assume new capabilities via a Remote Procedure Call (RPC) 19 Tuesday, October 22, 13

  2. Instrumenting Programs with CapWeave 1. Programmer writes an explicit Amb policy 2. CapWeave instruments program to invoke primitives so that it satisfies the policy 20 Tuesday, October 22, 13

  3. with CapWeave gzip main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } L0: AMB L1: no AMB 21 Tuesday, October 22, 13

  4. with CapWeave gzip main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } Policy Cur(p) => (pc[L0](p) => AMB(p) & (pc[L1](p) => !AMB(p)) 21 Tuesday, October 22, 13

  5. main() { file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } Policy Cur(p) => (pc[L0](p) => AMB(p) & (pc[L1](p) => !AMB(p)) 22 Tuesday, October 22, 13

  6. Policy main() { Cur(p) => (pc[L0](p) => AMB(p) file_nms = parse_cl(); & (pc[L1](p) => !AMB(p)) for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } 22 Tuesday, October 22, 13

  7. Policy main() { Cur(p) => (pc[L0](p) => AMB(p) file_nms = parse_cl(); & (pc[L1](p) => !AMB(p)) for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } CapWeave 22 Tuesday, October 22, 13

  8. Policy main() { Cur(p) => (pc[L0](p) => AMB(p) file_nms = parse_cl(); & (pc[L1](p) => !AMB(p)) for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } CapWeave void main() { L0: open2(...); Instrumented sync_fork(); cap_enter(); Program L1: compress(); sync_join(); } 22 Tuesday, October 22, 13

  9. The Next 700 Policy Weavers Analogous challenges with Decentralized Information Flow Control (DIFC) • Asbestos [Efstathopoulos ‘05] • HiStar [Zeldovich ’06] • Flume [Krohn ‘07] 23 Tuesday, October 22, 13

  10. gzip() { Policy file_nms = parse_cl(); Cur(p) => ... (pc[L0](p) => AMB(p)) & (pc[L1](p) => !AMB(p)) } CapWeave gzip() { file_nms = parse_cl(); sync_fork(); cap_enter(); ... } 24 Tuesday, October 22, 13

  11. Programmer gzip() { Policy file_nms = parse_cl(); Cur(p) => ... (pc[L0](p) => AMB(p)) & (pc[L1](p) => !AMB(p)) } Weaver CapWeave Generator gzip() { file_nms = parse_cl(); sync_fork(); cap_enter(); ... } 24 Tuesday, October 22, 13

  12. Programmer Capsicum Designer gzip() { Policy cap_enter: Amb’(p) := Amb(p) & ... file_nms = parse_cl(); Cur(p) => ... (pc[L0](p) => AMB(p)) & (pc[L1](p) => !AMB(p)) } Weaver CapWeave Generator gzip() { file_nms = parse_cl(); sync_fork(); cap_enter(); ... } 24 Tuesday, October 22, 13

  13. Weaver Generator 25 Tuesday, October 22, 13

  14. HiStar Designer create_cat(&c): Flows’(p, q) := Flows(p, q) || ... Weaver Generator 25 Tuesday, October 22, 13

  15. HiStar Designer create_cat(&c): Flows’(p, q) := Flows(p, q) || ... Weaver HiWeave Generator 25 Tuesday, October 22, 13

  16. Programmer HiStar Designer wrapper() { create_cat(&c): Policy exec(...); Flows’(p, q) := Flows(p, q) || ... forall w, s. ... Flows(w, s) => ... } Weaver HiWeave Generator 25 Tuesday, October 22, 13

  17. Programmer HiStar Designer wrapper() { create_cat(&c): Policy exec(...); Flows’(p, q) := Flows(p, q) || ... forall w, s. ... Flows(w, s) => ... } Weaver HiWeave Generator scanner() { create_cat(&c); exec(...); ... } 25 Tuesday, October 22, 13

  18. Outline 1. Motivation, problem statement 2. Previous work: Capsicum 2. Previous work: Capsicum 3. Ongoing work: HiStar 4. Open challenges 26 Tuesday, October 22, 13

  19. Outline 2. Previous work: Capsicum 26 Tuesday, October 22, 13

  20. CapWeave Algorithm 27 Tuesday, October 22, 13

  21. CapWeave Algorithm Inputs: Program P , Amb Policy Q 27 Tuesday, October 22, 13

  22. CapWeave Algorithm Inputs: Program P , Amb Policy Q Output: Instrumentation of P that always satisfies Q 27 Tuesday, October 22, 13

  23. CapWeave Algorithm Inputs: Program P , Amb Policy Q Output: Instrumentation of P that always satisfies Q 1. Build finite IP# ⊇ instrumented runs that violate Q 27 Tuesday, October 22, 13

  24. 1. Building IP#: Inputs Program Amb Policy L0 : Amb main() { L1 : no Amb file_nms = parse_cl(); for (f in file_nms): L0: (in, out) = open2(f); L1: compress(in, out); } 28 Tuesday, October 22, 13

  25. 1. Building IP#: Output parse_cl cap_enter noop L0:open2() L0:open2() sync_join() noop sync_fork() noop noop noop noop cap_enter() cap_enter() L1:compress() L1:compress() L1:compress() L1:compress() noop L0:open2() 29 Tuesday, October 22, 13

  26. 1. Building IP#: Output parse_cl cap_enter noop L0:open2() L0:open2() sync_join() noop sync_fork() noop noop noop noop cap_enter() cap_enter() L1:compress() L1:compress() L1:compress() L1:compress() noop L1 : no Amb L0:open2() 29 Tuesday, October 22, 13

  27. 1. Building IP#: Output parse_cl cap_enter noop L0:open2() L0:open2() sync_join() noop sync_fork() noop noop noop noop cap_enter() cap_enter() L1:compress() L1:compress() L1:compress() L1:compress() noop L0:open2() 30 Tuesday, October 22, 13

  28. 1. Building IP#: Output parse_cl cap_enter noop L0:open2() L0:open2() sync_join() noop sync_fork() noop noop noop noop cap_enter() cap_enter() L1:compress() L1:compress() L1:compress() L1:compress() noop L0:open2() L0 : Amb 30 Tuesday, October 22, 13

  29. Building IP# Basic idea: construct IP# as a forward exploration of an abstract state space 31 Tuesday, October 22, 13

  30. 1(a). IP#: Define Abstract State-space Q 32 Tuesday, October 22, 13

  31. 1(a). IP#: Define Abstract State-space Q# Q 32 Tuesday, October 22, 13

  32. 1(a). IP#: Define Abstract State-space Q# 𝛽 Q 32 Tuesday, October 22, 13

  33. 1(a). IP#: Define Abstract State-space Q# 𝛽 Q 32 Tuesday, October 22, 13

  34. 1(b). IP#: Define Abstract Transformers Q# 𝛽 Q 33 Tuesday, October 22, 13

  35. 1(b). IP#: Define Abstract Transformers Q# 𝛽 Q 𝜐 [cap_enter] 33 Tuesday, October 22, 13

  36. 1(b). IP#: Define Abstract Transformers 𝜐 [cap_enter]# Q# 𝛽 Q 𝜐 [cap_enter] 33 Tuesday, October 22, 13

  37. 1(c). Explore Abstract State Space Q# Q 34 Tuesday, October 22, 13

  38. 1(c). Explore Abstract State Space Q# 𝛽 Q L0 init 34 Tuesday, October 22, 13

  39. 1(c). Explore Abstract State Space 𝜐 [cap_enter]# ... 𝜐 [parse_cl]# Q# .. 𝛽 𝜐 [noop]# cap_enter ... parse_cl Q L0’ L0 init noop ... 34 Tuesday, October 22, 13

  40. 𝜐 [parse_cl]# 35 Tuesday, October 22, 13

  41. 𝜐 [parse_cl]# 35 Tuesday, October 22, 13

  42. parse_cl cap_enter noop L0:open2() L0:open2() sync_join() noop sync_fork() noop noop noop noop cap_enter() cap_enter() L1:compress() L1:compress() L1:compress() L1:compress() noop L0:open2() 35 Tuesday, October 22, 13

  43. State-Structure Exploration If a concrete state is a logical structure, ... Q 36 Tuesday, October 22, 13

  44. State-Structure Exploration If a concrete state is a logical structure, ... ≡ { } A A D Q B B C 36 Tuesday, October 22, 13

  45. State-Structure Exploration properties are FOL formulas, ... ∀ p. A(p) ⇒ ((B(p) ⇒ C(p)) ⋀ (D(p) ⇒ ¬ C(p))) 37 Tuesday, October 22, 13

  46. State-Structure Exploration ...and semantics is given as predicate updates, ... A’(x) = A(x) ⋁ ∃ y. C(y) ⋀ B(q, p) 𝜐 [action] ≡ B’(x, y) = B(x, y) ⋁ (C(x) ⋀ D(y)) C’(x) = ... D’(x) = ... 38 Tuesday, October 22, 13

  47. State-Structure Exploration ...then abstract space and transformers can be generated automatically [Sagiv ’99] Q 39 Tuesday, October 22, 13

  48. State-Structure Exploration ...then abstract space and transformers can be generated automatically [Sagiv ’99] 𝜐 [action]# Q# 𝛽 𝛽 𝜐 [action] Q 39 Tuesday, October 22, 13

  49. Capsicum Semantics A A D Q ≡ 1. B B C A’(x) = A(x) ⋁ ∃ y. C(y) ⋀ B(q, p) 𝜐 [action] ≡ 2. B’(x, y) = B(x, y) ⋁ (C(x) ⋀ D(y)) C’(x) = ... D’(x) = ... 40 Tuesday, October 22, 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic synthesis of state based reactive programs Diploma Thesis Nico Wallmeier 18.03.03

Symbolic synthesis of state based reactive programs Diploma Thesis Nico Wallmeier 18.03.03

Symbolic synthesis of state based reactive programs Diploma Thesis Nico Wallmeier 18.03.03 Structure 1. Background 2. Infinite games over a finite game graph 3. Transformation to the symbolic state space 4. Applications 18.03.03 Nico

962 views • 36 slides
Game Bot Identification Game Bot Identification based on Manifold Learning based on Manifold

Game Bot Identification Game Bot Identification based on Manifold Learning based on Manifold

Game Bot Identification Game Bot Identification based on Manifold Learning based on Manifold Learning Kuan Ta Chen Academia Sinica Hsing Kuo Pao NTUST Hong Chung Chang NTUST ACM NetGames 2008 Game Bots Game bots: automated AI programs

371 views • 36 slides
PHYSICS-BASED SOUND SYNTHESIS FOR VIDEO GAME ENVIRONMENTS E RIN B RYSON M ENTORS : E DGAR B

PHYSICS-BASED SOUND SYNTHESIS FOR VIDEO GAME ENVIRONMENTS E RIN B RYSON M ENTORS : E DGAR B

PHYSICS-BASED SOUND SYNTHESIS FOR VIDEO GAME ENVIRONMENTS E RIN B RYSON M ENTORS : E DGAR B ERDAHL & M ARC A UBANEL J ULY 26, 2016 CCT REU PROJECT OVERVIEW Traditionally, sound effects in video games consist of pre-recorded sounds

107 views • 10 slides
Logic-based inductive synthesis of efficient programs Andrew Cropper Imperial College London

Logic-based inductive synthesis of efficient programs Andrew Cropper Imperial College London

Logic-based inductive synthesis of efficient programs Andrew Cropper Imperial College London String transformations Outpu Input t Computer Aided Verification CAV Principles Of Programming Languages POPL International Conference on

334 views • 12 slides
Verification and Synthesis of Reactive Programs Overview of System Synthesis. Amir Pnueli

Verification and Synthesis of Reactive Programs Overview of System Synthesis. Amir Pnueli

Lecture 1: Overview of System Synthesis A. Pnueli Lectures Outline Verification and Synthesis of Reactive Programs Overview of System Synthesis. Amir Pnueli Fair Discrete Systems and their Computations. Model Checking Invariance and

309 views • 19 slides
Rally-Owl Overview of Rally-Owl Game This game is based off of Rally-X The goal of the game is

Rally-Owl Overview of Rally-Owl Game This game is based off of Rally-X The goal of the game is

Rally-Owl Overview of Rally-Owl Game This game is based off of Rally-X The goal of the game is to collect all 10 flags before losing all your lives The game makes use of a horizontally and vertically scrolling map This game implements a

101 views • 8 slides
Text-to-Image Generation Yu Cheng Text-to-Image Synthesis Text-to-Image Synthesis

Text-to-Image Generation Yu Cheng Text-to-Image Synthesis Text-to-Image Synthesis

Text-to-Image Generation Yu Cheng Text-to-Image Synthesis Text-to-Image Synthesis StackGAN, AttnGAN, TAGAN, ObjGAN Text-to-Video Synthesis GAN-based methods, VAE-based methods, StoryGAN Dialogue-based Image Synthesis

827 views • 45 slides
Solving (Quantified) Horn Constraints for Program Verification and Synthesis Andrey Rybalchenko

Solving (Quantified) Horn Constraints for Program Verification and Synthesis Andrey Rybalchenko

Solving (Quantified) Horn Constraints for Program Verification and Synthesis Andrey Rybalchenko (Microsoft Research) September 30, 2015 1 / 32 Programs vs/as Equations Execution of rule-based programs Solving of equations in form of

996 views • 44 slides
Programs Synthesis from Polymorphic Refinement Types Nadia Polikarpova Ivan Kuraj Armando

Programs Synthesis from Polymorphic Refinement Types Nadia Polikarpova Ivan Kuraj Armando

Programs Synthesis from Polymorphic Refinement Types Nadia Polikarpova Ivan Kuraj Armando Solar-Lezama Program synthesis Make a list with n copies of x declarative specification Synthesizer ? 2 50 replicate n x = if if n 0

651 views • 41 slides
Genetics-based Machine Learning and Behaviour Based Robotics: A New Synthesis

Genetics-based Machine Learning and Behaviour Based Robotics: A New Synthesis

Genetics-based Machine Learning and Behaviour Based Robotics: A New Synthesis Genetics-based Machine Learning and Behavior Based Robotics: A New Synthesis, Marco Dorigo, Uwe Schnepf, IEEE Transactions on System, MAn, and Cybernetics,

348 views • 34 slides
Set 4: Game-Playing ICS 271 Fall 2016 Kalev Kask Overview Computer programs that play

Set 4: Game-Playing ICS 271 Fall 2016 Kalev Kask Overview Computer programs that play

Set 4: Game-Playing ICS 271 Fall 2016 Kalev Kask Overview Computer programs that play 2-player games game-playing as search with the complication of an opponent General principles of game-playing and search game tree

1.02k views • 77 slides
Academic AI vs. Game AI Based on the book "Programming Game AI by Example Presented at

Academic AI vs. Game AI Based on the book "Programming Game AI by Example Presented at

Academic AI vs. Game AI Based on the book "Programming Game AI by Example Presented at the GTMSSIG Meeting on 08/07/2013 Peer-Olaf Siebers pos@cs.nott.ac.uk Academic AI vs. Game AI Academic researchers: Try to solve a problem

197 views • 7 slides
Game Loops CIS 580 - Fundamentals of Game Programming Hangman Game Phases Game Loop

Game Loops CIS 580 - Fundamentals of Game Programming Hangman Game Phases Game Loop

Game Loops CIS 580 - Fundamentals of Game Programming Hangman Game Phases Game Loop Turn-based vs. Real-Time Turn-Based Real-Time Fixed-Timestep vs. Variable Timestep Example - Ballistic Motion x (delta t/timestep) Hybrid Game Loop

332 views • 20 slides
Automata-Based Analysis of Recursive Concurrent Programs Markus Mller-Olm Westflische

Automata-Based Analysis of Recursive Concurrent Programs Markus Mller-Olm Westflische

Automata-Based Analysis of Recursive Concurrent Programs Markus Mller-Olm Westflische Wilhelms-Universitt Mnster, Germany 2nd Tutorial of SPP RS3: Reliably Secure Software Systems Schloss Buchenau, September 3-6, 2012 Introduction

842 views • 39 slides
Moving Forward: A Non-Search Based Synthesis Method towards Efficient CNOT-Based Quantum Circuit

Moving Forward: A Non-Search Based Synthesis Method towards Efficient CNOT-Based Quantum Circuit

Moving Forward: A Non-Search Based Synthesis Method towards Efficient CNOT-Based Quantum Circuit Synthesis Algorithms Mehdi Saeedi, Morteza Saheb Zamani, Mehdi Sedighi Email: {msaeedi, szamani, msedighi}@ aut.ac.ir Quantum Design Automation

529 views • 38 slides
Synthesis of graphene-based nanomaterials: their applications in electrochemical detection of

Synthesis of graphene-based nanomaterials: their applications in electrochemical detection of

Synthesis of graphene-based nanomaterials: their applications in electrochemical detection of organic molecules Stela Pruneanu INCDTIM Cluj-Napoca NANOGENTOOLS Autumn School October 2017 TOPICS 1. Graphene synthesis TEM/HRTEM

741 views • 34 slides
Connecting the Dot Dots Model Checking Concurrency in Capsicum ASA-4 21 July 2010 Robert N. M.

Connecting the Dot Dots Model Checking Concurrency in Capsicum ASA-4 21 July 2010 Robert N. M.

Connecting the Dot Dots Model Checking Concurrency in Capsicum ASA-4 21 July 2010 Robert N. M. Watson Jonathan Anderson Introduction UNIX File System (UFS) Capsicum: practical capabilities for UNIX Whoops, a concurrency

548 views • 31 slides
Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the

Capsicum Capability-Based Sandboxing David Drysdale Google UK Features Current LXC uses the following kernel features to contain processes: Kernel namespaces (ipc, uts, mount, pid, network and user) Apparmor and SELinux profiles

521 views • 30 slides
Synthesis of Esters of 6-(2,5-Dioxopyrrolidin-1-yl)-2- (morpholin-4-yl)hexanoic Acid as

Synthesis of Esters of 6-(2,5-Dioxopyrrolidin-1-yl)-2- (morpholin-4-yl)hexanoic Acid as

[c010] Synthesis of Esters of 6-(2,5-Dioxopyrrolidin-1-yl)-2- (morpholin-4-yl)hexanoic Acid as Potential Transdermal Penetration Enhancers Katerina Brychtova 1 *, Sylva Dittrichova 1 , Barbora Slaba 1,2 , Lukas Placek 1,2 , Radka

210 views • 6 slides
Microwave assisted synthesis of tripodal triazines from 1,3,5-tris(2-

Microwave assisted synthesis of tripodal triazines from 1,3,5-tris(2-

[E006] Microwave assisted synthesis of tripodal triazines from 1,3,5-tris(2- hydroxyethyl)-1,3,5-triazinane-2,4,6-trione and fatty acids Jos Crecente-Campo, Silvia Fernndez-Snchez, Julio A. Seijas,* M. Pilar Vzquez- Tato* Departamento

162 views • 5 slides
capabilities / virtual machines 1 Changelog Changes not seen in fjrst lecture: 23 April 2020:

capabilities / virtual machines 1 Changelog Changes not seen in fjrst lecture: 23 April 2020:

capabilities / virtual machines 1 Changelog Changes not seen in fjrst lecture: 23 April 2020: add index slides re: cases for priviliged instruction handling and introduction explaining syscalls as special case 1 last time (1) network fjle

1.71k views • 120 slides
virtual machines 1 Changelog Changes made in this version not seen in fjrst lecture: 23 April

virtual machines 1 Changelog Changes made in this version not seen in fjrst lecture: 23 April

virtual machines 1 Changelog Changes made in this version not seen in fjrst lecture: 23 April 2019: rearrange slide order to better match lecture order 23 April 2019: change real page table to shadow page table in some places 23

1.39k views • 113 slides
FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a

FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a

FreeBSD/VPC Virtual Private Cloud support (fka SDN) Virtualization Status bhyve(4) is a stable, performant hypervisor Network isolation is not core to bhyve(4) today Use of VNET(9) for manipulating FIBS for tap(4) interfaces is

445 views • 18 slides
CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview

CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview

32C3, Hamburg 2015-12-28 CloudABI: Pure capability-based security for UNIX Speaker: Ed Schouten, ed@nuxi.nl Overview Whats wrong with UNIX? Introducing CloudABI Developing CloudABI software Starting CloudABI processes Use

849 views • 40 slides

More recommend