static checking of dynamically varying security policies
play

Static Checking of Dynamically-Varying Security Policies in - PowerPoint PPT Presentation

Oct 10, 2022 •386 likes •595 views

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam Chlipala OSDI 2010 Beyond Code Injection 1.Injection An application includes an Dependent on application-specific unintended run-time program

  1. Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam Chlipala OSDI 2010

  2. Beyond Code Injection 1.Injection An application includes an Dependent on application-specific unintended run-time program authentication and access control 2.Cross Site Scripting interpreter regimes! 3.Broken Authentication and Session Mgmt. 4.Insecure Direct Object References 5.Cross Site Request Forgery 6.Security Misconfiguration 7.Insecure Cryptographic Storage 2 ....

  3. Authentication Snafus 3

  4. Roads to Security Attack vector #1 Attack vector #2 Audit Resource Surprise attack Audit Security Policy Attack vector #3 Information flow : who can learn what Access control: who can change what 4 Audit

  5. Dynamic Checking Output to User Database Program Variable Sensitive Datum Program Program Variable Variable Store security information with values Check before interaction with environment. Pros ● Easy to add to existing programs ● Flexibility in coding security checks Cons ● Bugs are only found for program paths that are tested. ● Performance overhead 5

  6. Static Checking Sensitive Datum High Security Low Security Output to User Type Database Type Program Variable Type Type Type Program Program Variable Variable Subtyping check Pros ● Checks all program paths at compile time ● No changes to run-time behavior required Cons ● Usually requires extensive program annotation ● Limited policy expressiveness 6

  7. The Best of Both Worlds Like Dynamic Checking: Like Security Typing: The ● No program annotations ● Checks all program paths UrFlow required statically analysis ● Flexible and ● No run-time overhead programmer-accessible policy language (SQL) for the Ur/Web programming language 7

  8. A Word About Ur/Web Integrated parsing and queryX (SELECT * FROM t) type-checking of SQL (fn row => <xml><tr> and HTML <td>{[row.T.A]}</td> <td>{[row.T.B]}</td> <td>{[row.T.C]}</td> <td>{[row.T.D]}</td> <td><form><submit action={delete row.T.A} value="Delete"/> </form></td> </tr></xml>); 8

  9. Simple Policies Secrets Id Name Secret Client may learn anything this query could return. policy sendClient (SELECT Id, Name FROM Secrets) 9

  10. Reasoning About Knowledge Secrets Id Name Secret Code policy sendClient (SELECT * FROM Secrets WHERE known(Code)) 10

  11. What is “known”? App source Web page that generated this request Cookies AUTH “foo” n (Username, Password) v 42 = ( U , P ) known: “foo” n v (U, P) 42 ( “foo” , n ) ( 42 , v ) U P 11 (( 42 , v ), P)

  12. Multi-Table Policies Secrets Users Id Name Secret Owner Id Name Password policy sendClient (SELECT Secret FROM Secrets, Users WHERE Owner = Users.Id AND known(Password)) 12

  13. Understanding SQL Usage Program Execution ... ... (U, P) = readCookie(AUTH); known (U, P) pass = SELECT Password FROM Users WHERE Id = U; if (pass != P) abort(); ... ∃ u ∈ Users. u.Id = U ∧ u.Password = P ... ... rows = SELECT Secret FROM Secrets WHERE Owner = U; // Send rows to client.... ∀ v. mightSend(v) ⇒ ∃ s ∈ Secrets. ... 13 s.Owner = U ∧ v = s.Secret

  14. Understanding SQL Usage policy sendClient Prove: (SELECT Secret ∀ v. mightSend(v) FROM Secrets, Users ⇒ allowed(v) WHERE Owner = Users.Id known (U, P) AND known(Password)) ∀ s ∈ Secrets. ∀ u ∈ Users. s.Owner = u.Id ∧ known(u.Password) ⇒ allowed(s.Secret) ∃ u ∈ Users. u.Id = U ∧ u.Password = P ∧ ∧ ∧ ∀ v. mightSend(v) ⇒ ∃ s ∈ Secrets. 14 s.Owner = U ∧ v = s.Secret

  15. UrFlow Sketch Program Code Policies (SQL) Policies Finite set of (First-Order Logic) execution paths Symbolic executions Automated Theorem-Prover State: Check: P1 P2 Q1 P3 Q2 ... ... 15 PN P2 /\ policies => Q1

  16. Fancier Policies Messages ACL Users Forum Body Forum User Level Id Password policy sendClient (SELECT Body FROM Messages, ACL, Users WHERE ACL.Forum = Messages.Forum AND ACL.User = User.Id AND known(Password) 16 AND Level >= 42)

  17. Write Policies Secrets Users Id Name Secret Owner Id Name Password policy mayInsert (SELECT * FROM Secrets AS New, Users WHERE New.Owner = Users.Id AND known(Password) AND known(New.Secret)) 17

  18. Case Studies 18

  19. Progress Imperative programs are too hard to analyze! Just use declarative languages, and your life will be so much easier. Maybe later. I'm going to get back to Programming coding my web application, which Languages Practitioners does almost nothing besides SQL Researchers queries. App Database 19 UrFlow

  20. Ur/Web Available At: http://www.impredicative.com/ur/ Including online demos with syntax-highlighted source code 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6

Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6

Authors Authors Author Defn. Num.* K. Rustan M. Leino MJS 13 Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6 Wolfram Schulte S 3 David Detlefs M 2 Raymie Stata J 2 Mike Barnett S 2

239 views • 5 slides
Gatekeeper Mostly Static Enforcement of Security &amp; Reliability Policies for JavaScript Code

Gatekeeper Mostly Static Enforcement of Security &amp; Reliability Policies for JavaScript Code

Gatekeeper Mostly Static Enforcement of Security &amp; Reliability Policies for JavaScript Code Salvatore Guarnieri, University of Washington Ben Livshits, Microsoft Research 1 alert (hi); program malicious Catch me if you can dont

828 views • 26 slides
Linking Today Static linking Object files Static &amp; dynamically linked libraries

Linking Today Static linking Object files Static &amp; dynamically linked libraries

Linking Today Static linking Object files Static &amp; dynamically linked libraries Next time Exceptional control flows Chris Riesbeck, Fall 2011 Original: Fabian Bustamante Wednesday, November 16, 2011 Checkpoint Wednesday,

507 views • 29 slides
Evaluating access control policies through model-checking IFIP 1.3, Sept. 05 Information Security

Evaluating access control policies through model-checking IFIP 1.3, Sept. 05 Information Security

Evaluating access control policies through model-checking IFIP 1.3, Sept. 05 Information Security Conf , Sept. 05 Mark Ryan Dimitar Guelev Nan Zhang School of Computer Science, University of Birmingham Section of Logic, Institute of

478 views • 21 slides
Static Analysis of Dynamically Typed Languages made Easy Yin

Static Analysis of Dynamically Typed Languages made Easy Yin

Static Analysis of Dynamically Typed Languages made Easy Yin Wang School of Informatics and Computing Indiana University Overview Work done as two internships at

797 views • 65 slides
Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen

Dynamically checking types, bounds and maybe even more (or: some were meant for C) Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted (how it all started) if (obj &gt; type == OBJ

863 views • 29 slides
Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016 Vaishali Thakkar (vaishali.thakkar@oracle.com) 1 Self Introduction Linux Kernel developer at Oracle Working in kernel security engineering group

659 views • 46 slides
Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd

Preemptive type checking in dynamically typed programs Neville Grech, Julian Rathke, Bernd Fischer n.grech@ecs.soton.ac.uk Dynamically-typed languages Principal type of a variable is mutated through assignments: def plus2(a): if

1.47k views • 109 slides
Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event

Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event

Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event Embedded Linux Conference Static code checking in the Linux kernel 1. Overview 2. Randconfig issues 3. Checking tools 4. Automated checking

586 views • 48 slides
Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security policies Computer Security Basic concepts Peter Reiher Security policies for real systems January 13, 2005 Lecture 2 Lecture 2 Page 1

347 views • 9 slides
Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk

Dynamically checking types and bounds with libcrunch Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge 1 Tool wanted if (obj &gt; type == OBJ COMMIT) { if (process commit(walker, ( struct commit )obj))

641 views • 62 slides
Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/22 Wanted (naive version): check this! if (obj

281 views • 26 slides
Type checking privacy policies in the

Type checking privacy policies in the

Type checking privacy policies in the -calculus Anna Philippou University of Cyprus Joint work with Dimitrios

572 views • 28 slides
Security Policies Security Policies for Large Who is allowed to do what when Systems

Security Policies Security Policies for Large Who is allowed to do what when Systems

Security Policies Security Policies for Large Who is allowed to do what when Systems And what happens if they do CS 239 something else Security for Networks and And whos responsible for making sure System Software thats

245 views • 3 slides
Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker Types Transform Check safety and

681 views • 67 slides
Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO security standards at campuses) p ) Brian OHora, BSc (Hons) &amp; MBA Technology Management Information Systems Services, TCD TERENA E2E

325 views • 15 slides
Infrared Divergences in Quantum Gravity General reference: Herbert W. Hamber Quantum

Infrared Divergences in Quantum Gravity General reference: Herbert W. Hamber Quantum

Infrared Divergences in Quantum Gravity General reference: Herbert W. Hamber Quantum Gravitation (Springer Tracts in Modern Physics, 2009). IHES, Sep.15 2011 Outline QFT Treatment of Gravity (PT and non-PT) QFT/RG Motivations for

782 views • 75 slides
Critical Phenomena, Finite Size Scaling and Monte Carlo Simulations of Spin Models Martin

Critical Phenomena, Finite Size Scaling and Monte Carlo Simulations of Spin Models Martin

Critical Phenomena, Finite Size Scaling and Monte Carlo Simulations of Spin Models Martin Hasenbusch Institut f ur Physik, Humboldt-Universit at zu Berlin EMMI workshop, 18 February 2009 Critical Phenomena, Finite Size Scaling and Monte

1.06k views • 23 slides
MIZAR in MathWiki Adam Naumowicz adamn@mizar.org Institute of Computer Science University of

MIZAR in MathWiki Adam Naumowicz adamn@mizar.org Institute of Computer Science University of

MIZAR in MathWiki Adam Naumowicz adamn@mizar.org Institute of Computer Science University of Bialystok, Poland MathWiki task inventory MathWiki TYPES Workshop, Edinburgh, November 1, 2007 Adam Naumowicz, Institute of Comp. Sci., University of

497 views • 36 slides
Disclosures Assessing Septic Arthritis Outcomes and Prognostic Factors in Culture Positive and

Disclosures Assessing Septic Arthritis Outcomes and Prognostic Factors in Culture Positive and

Disclosures Assessing Septic Arthritis Outcomes and Prognostic Factors in Culture Positive and Culture Negative Patients I have nothing to disclose Shaina Lipa, MS4 UCSF SOM PROF-PATH Research Fellow PI - Dr. Saam Morshed, MD, PhD Study

414 views • 6 slides
EE-559 Deep learning 8. Under the hood Fran cois Fleuret https://fleuret.org/dlc/

EE-559 Deep learning 8. Under the hood Fran cois Fleuret https://fleuret.org/dlc/

EE-559 Deep learning 8. Under the hood Fran cois Fleuret https://fleuret.org/dlc/ [version of: June 5, 2018] COLE POLYTECHNIQUE FDRALE DE LAUSANNE Understanding a networks behavior Fran cois Fleuret EE-559 Deep

2.38k views • 197 slides
Regulatory Spillover: Evidence from Classifying Municipal Bonds as High-Quality Liquid Assets 1

Regulatory Spillover: Evidence from Classifying Municipal Bonds as High-Quality Liquid Assets 1

Regulatory Spillover: Evidence from Classifying Municipal Bonds as High-Quality Liquid Assets 1 Jacob Ott, University of Minnesota Discussant: Ivan Ivanov, Federal Reserve Board 07/08/2020 1The views expressed herein are those of the authors and

403 views • 6 slides
Who We Are Our mission at CFED is to make it possible for

Who We Are Our mission at CFED is to make it possible for

Who We Are Our mission at CFED is to make it possible for millions of people to achieve financial security and contribute to an opportunity economy. How do we do it We push to expand innovative

562 views • 28 slides
Discussion of Chiu, Meh and Wright Nancy L. Stokey University of Chicago November 19, 2009

Discussion of Chiu, Meh and Wright Nancy L. Stokey University of Chicago November 19, 2009

Discussion of Chiu, Meh and Wright Nancy L. Stokey University of Chicago November 19, 2009 Macro Perspectives on Labor Markets Stokey - Discussion (University of Chicago) November 19, 2009 11/2009 1 / 21 Motivation This paper develops a

394 views • 21 slides

More recommend