verify what
play

Verify what? Navigating the Attack Surface Mark S. Miller, Google - PowerPoint PPT Presentation

Jan 14, 2024 •98 likes •592 views

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript Imperial College, March 2018 Risk as Attack Surface a Expected Risk: likelihood * damage Potential damage Likelihood of exploitable

  1. Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript Imperial College, March 2018

  2. Risk as Attack Surface a

  3. Expected Risk: ∫ likelihood * damage Potential damage Likelihood of exploitable vulnerability a

  4. Expected Risk: ∫ likelihood * damage Resources to damage Fallible agents a

  5. Access Matrix Permission or Authority? Resources to damage Fallible agents a

  6. Hollow Out the Attack Surface! /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff Kernel + root OS’s TCB ~alan ~barb ~doug a

  7. Decouple accounts /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff Kernel + root OS’s TCB ~alan ~barb ~doug a

  8. a

  9. Decouple applications contact info pgp keyring calc.xls Net access Shell, Desktop Browser Spreadsheet Email client a

  10. Decouple apps contact info pgp keyring calc.xls Net access MobileOS Doug’s TCB Browser app Spreadsheet doc Mail a app

  11. Decouple apps contact info pgp keyring calc.xls Net access MobileOS Doug’s TCB Browser app Spreadsheet doc Mail a app

  12. Substrate Historical System System CMNM, Plessey 250, C.mmp, CM*, Hardware Crash-SAFE, CHERI, Risc-V CAP, Flex, IBM System/38, Intel 432 DVH, Hydra, StarOS, RATS, Capsicum, CloudABI, Genode, 
 OS Cal-TSS, PSOS, NLTSS, Spring Barrelfish, Fuchsia Gnosis, KeyKOS, GuardOS, KeyKOS family OS seL4 EROS, CapROS, Coyotos Distributed OS Ameoba, Mach, Midori Gedanken, W7, J-Kernel, Joe-E, Emily, Monte, Frozen Realms, Language CaPerl, Caja, Tamed Pict, Plash shill, Wyvern, wasm-gc Act-1, Eden, Emerald, 
 Distributed Language Pony, Kappa, Dr.SES Vulcan, Joule, E, Oz-E, M# Distributed Storage Scoopfs Tahoe-LAFS DCCS, CapTP, Foolscap, Crypto Protocol COAST, Cap’n Proto Client Utility, Waterken Offline Certs SPKI/SDSI, E-Speak, CapCert Macaroons, ld-ocap Gravity, Dfinity, RChain, Cosmos, Blockchain Veres One, Sovrin, Agoric Systems User Interface CapDesk, Scoopfs, Belay Sandstorm

  13. Substrate Historical System System CMNM, Plessey 250, C.mmp, CM*, Hardware Crash-SAFE, CHERI, Risc-V CAP, Flex, IBM System/38, Intel 432 DVH, Hydra, StarOS, RATS, Capsicum, CloudABI, Genode, 
 OS Cal-TSS, PSOS, NLTSS, Spring Barrelfish, Fuchsia Gnosis, KeyKOS, GuardOS, KeyKOS family OS seL4 EROS, CapROS, Coyotos Distributed OS Ameoba, Mach, Midori Gedanken, W7, J-Kernel, Joe-E, Emily, Monte, Frozen Realms , Language CaPerl, Caja , Tamed Pict, Plash shill, Wyvern, wasm-gc Act-1, Eden, Emerald, 
 Distributed Language Pony, Kappa, Dr.SES Vulcan, Joule, E, Oz-E, M# Distributed Storage Scoopfs Tahoe-LAFS DCCS, CapTP, Foolscap, Crypto Protocol COAST, Cap’n Proto Client Utility, Waterken Offline Certs SPKI/SDSI, E-Speak, CapCert Macaroons, ld-ocap Gravity, Dfinity, RChain , Cosmos , Blockchain Veres One , Sovrin , Agoric Systems User Interface CapDesk, Scoopfs, Belay Sandstorm

  14. Substrate Historical System System CMNM, Plessey 250, C.mmp, CM*, Hardware Crash-SAFE, CHERI, Risc-V CAP, Flex, IBM System/38, Intel 432 DVH, Hydra, StarOS, RATS, Capsicum, CloudABI, Genode, 
 OS Cal-TSS, PSOS, NLTSS, Spring Barrelfish, Fuchsia Gnosis, KeyKOS, GuardOS, KeyKOS family OS seL4 EROS, CapROS, Coyotos Distributed OS Ameoba, Mach, Midori Gedanken, W7, J-Kernel, Joe-E, Emily, Monte, Frozen Realms, Language CaPerl, Caja, Tamed Pict, Plash shill, Wyvern, wasm-gc Act-1, Eden, Emerald, 
 Distributed Language Pony, Kappa, Dr.SES Vulcan, Joule, E , Oz-E, M# Distributed Storage Scoopfs Tahoe-LAFS DCCS, CapTP , Foolscap, Crypto Protocol COAST, Cap’n Proto Client Utility, Waterken Offline Certs SPKI/SDSI, E-Speak, CapCert Macaroons, ld-ocap Gravity, Dfinity, RChain, Cosmos, Blockchain Veres One, Sovrin, Agoric Systems User Interface CapDesk , Scoopfs, Belay Sandstorm

  15. Decouple caplets contact info pgp keyring calc.xls Net access E, CapDesk Doug’s TCB DarpaBrowser caplet Excel in Polaris CapMail a caplet

  16. a

  17. Decouple modules contact info pgp keyring calc.xls Net access main() CapMail’s TCB address book gpg plugin SMTP , POP a stacks

  18. Decouple modules contact info pgp keyring calc.xls Net access main() CapMail’s TCB address book gpg plugin SMTP , POP a stacks

  19. s platform ess book

  20. Decouple objects exports (TCB)

  21. Decouple objects exports (TCB)

  22. Defensive Programming

  23. Defense in Depth

  24. Reduce area Mix of strategies /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff Kernel + root OS’s TCB ~alan ~barb ~doug a

  25. Reduce horizontal space POLA — Principle of Least Authority /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff Kernel + root OS’s TCB ~alan ~barb ~doug a

  26. Reduce density Apply POLA recursively /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff Kernel + root OS’s TCB ~alan ~barb ~doug a

  27. Reduce height Minimize+verify each TCB /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff Verified 𝞶 kernel No root ~alan ~barb lang, desktop ~doug main() a

  28. Reduce width Partition virtualized legacy /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff ~alan VMM ~barb ~doug Polaris CHERI ffi a

  29. Multiplicative risk reduction Reduce horizontal space POLA Reduce density Composition across scales Reduce height Minimize TCBs: 𝞶 kernel, lang, … Reduce width Compositional virtualization

  30. Choose Verification Battles Reduce horizontal space POLA Patterns limit authority? Reduce density Composition across scales Embedding preserves security? Reduce height Minimize TCBs: 𝞶 kernel, lang, … Formal verification Reduce width Compositional virtualization Impenetrable confinement?

  31. Substrate Historical System System CMNM, Plessey 250, C.mmp, CM*, Hardware Crash-SAFE, CHERI , Risc-V CAP, Flex, IBM System/38, Intel 432 DVH, Hydra, StarOS, RATS, Capsicum , CloudABI, Genode, 
 OS Cal-TSS, PSOS, NLTSS, Spring Barrelfish, Fuchsia Gnosis, KeyKOS, GuardOS, KeyKOS family OS seL4 EROS, CapROS, Coyotos Distributed OS Ameoba, Mach, Midori Gedanken, W7, J-Kernel, Joe-E, Emily, Monte , Frozen Realms , Language CaPerl, Caja , Tamed Pict, Plash shill, Wyvern, wasm-gc Act-1, Eden, Emerald, 
 Distributed Language Pony , Kappa, Dr.SES Vulcan, Joule, E, Oz-E, M# Distributed Storage Scoopfs Tahoe-LAFS DCCS, CapTP, Foolscap, Crypto Protocol COAST, Cap’n Proto Client Utility, Waterken Offline Certs SPKI/SDSI, E-Speak, CapCert Macaroons, ld-ocap Gravity, Dfinity, RChain, Cosmos , Blockchain Veres One, Sovrin , Agoric Systems User Interface CapDesk, Scoopfs, Belay Sandstorm

  32. Questions?

  34. Networks of request making Human to Human (econ) Object to Human (ui) Human to Object (ui) Object to Object (software eng)

  35. The Principal-Agent Loop Allow Explain actions request Inspect internals Agent Ince reacts Reward Select Monitor cooperation agent effects

  36. The Principal-Agent Loop Allow Explain actions request Inspect internals Agent Ince reacts Reward Select Monitor cooperation agent effects

  37. The Principal-Agent Loop Allow Explain actions request Inspect internals Agent Ince reacts Reward Select Monitor cooperation agent effects

  38. The Principal-Agent Loop Allow Explain actions request Inspect internals Agent Ince reacts Reward Select Monitor cooperation agent effects

  39. The Elements of Decision Alignment Human to Human to/from Object to Human Object Object Select Trademark App stores Trusted developer agent Chain of custody White and black lists Same origin Inspect Trusted path Types, Verification Accounting controls internals URL bar Open source eyeballs Allow App permissions Security Law, Contracts actions Powerbox Protection patterns Explain Language User interface Abstraction request Reward Economics Machine learning Objective functions cooperation Incentive Alignment Agorics Monitor Reviews, Complaints Contracts, Testing Bug reports effects Word of mouth Backprop

  40. The Elements of Decision Alignment Human to Human to/from Object to Human Object Object Select Trademark App stores Trusted developer agent Chain of custody White and black lists Same origin Types, Verification Inspect Trusted path Accounting controls Open source eyeballs internals URL bar Allow App permissions Security Law, Contracts actions Powerbox Protection patterns Explain Language User interface Abstraction request Reward Economics Machine learning Objective functions cooperation Incentive Alignment Agorics Monitor Reviews, Complaints Contracts, Testing Bug reports effects Word of mouth Backprop

  41. The Elements of Decision Alignment Human to Human to/from Object to Human Object Object Select Trademark App stores Trusted developer agent Chain of custody White and black lists Same origin Inspect Trusted path Types, Verification Accounting controls internals URL bar Open source eyeballs Allow App permissions Security Law, Contracts actions Powerbox Protection patterns Explain Language User interface Abstraction request Reward Economics Machine learning Objective functions cooperation Incentive Alignment Agorics Contracts, Testing Monitor Reviews, Complaints Bug reports Backprop effects Word of mouth

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment?

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment?

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment? CEC Entertainment, Irving TX Founded by Nolan Bushnell Revenue What Is CEC Entertainment? What Is CEC Entertainment? What Is CEC Entertainment?

305 views • 19 slides
Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors that will receive 1099s and their

Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors that will receive 1099s and their

2019 CALENDAR YEAR-END CLOSING PROCEDURES 1 USAS-R CYE Procedures Verify 1099 Data Month End Close Calendar Year End Close 1099 Procedures TR1099 Program 2 2 Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors

357 views • 8 slides
Trust, but Verify: An Improved Estimating Technique Using the Integrated Master Schedule (IMS)

Trust, but Verify: An Improved Estimating Technique Using the Integrated Master Schedule (IMS)

Trust, but verify is a form of advice given which recommends that while a source of information might be considered reliable, one should perform additional research to verify that such information is accurate, or trustworthy. The original

437 views • 32 slides
verify for NETCONF <draft-cole-netconf-verify-00.txt>

verify for NETCONF <draft-cole-netconf-verify-00.txt>

verify for NETCONF <draft-cole-netconf-verify-00.txt> <draft-cole-netconf-transaction-test-00.txt> Robert G. Cole 1 Dan Romascanu 2 Andy Bierman 3 1 U.S. Army CERDEC 2 Avaya dromasca@avaya.com 3 Netconf Central

87 views • 5 slides
Trust but verify Distinguishing distrust from vigilance via Mark L oczy

Trust but verify Distinguishing distrust from vigilance via Mark L oczy

Trust but verify Distinguishing distrust from vigilance via Mark L oczy Livia.Markoczy@ucr.edu The A. Gary Anderson Graduate School of Management University of California, Riverside Trust but verify p.1/31 The problem Trust but

654 views • 31 slides
E-Verify Program Background, Implementation, and Current Status Deborah Larson Employee

E-Verify Program Background, Implementation, and Current Status Deborah Larson Employee

E-Verify Program Background, Implementation, and Current Status Deborah Larson Employee Relations Policies, Programs and Services UC Human Resources August 2009 E-Verify Milestones Executive Order 13465 amended on June 6, 2008, requiring the

294 views • 14 slides
Model verification and tools C. Zingerle ZAMG Why verify? The three most important reasons to

Model verification and tools C. Zingerle ZAMG Why verify? The three most important reasons to

Model verification and tools C. Zingerle ZAMG Why verify? The three most important reasons to verify forecasts are: to monitor forecast quality - how accurate are the forecasts and are they improving over time? to improve forecast

468 views • 20 slides
GEORGIA DEPARTMENT OF AUDITS AND ACCOUNTS E-Verify Compliance and Reporting Requirements

GEORGIA DEPARTMENT OF AUDITS AND ACCOUNTS E-Verify Compliance and Reporting Requirements

GEORGIA DEPARTMENT OF AUDITS AND ACCOUNTS E-Verify Compliance and Reporting Requirements Professional People with Purpose 34 Nov 2018 Agenda Compliance Statistics E-Verify Compliance and Reporting Requirements Reporting System

375 views • 21 slides
Interactive Preview v1.6 E-Verify Self Check Interactive Preview The intent of this Preview is

Interactive Preview v1.6 E-Verify Self Check Interactive Preview The intent of this Preview is

Start Start Interactive Preview v1.6 E-Verify Self Check Interactive Preview The intent of this Preview is to provide an understanding of how a user will experience the E-Verify Self Check service. The Self Check Process Self Check While

581 views • 44 slides
Engineering Test (how are you going to verify Requirement # Importance Description Unit of

Engineering Test (how are you going to verify Requirement # Importance Description Unit of

Engineering Test (how are you going to verify Requirement # Importance Description Unit of Measure Marginal Value satisfaction) Visual Measurement based on Aiming Accuracy and Minimum Angular Error of device ability to point at specified

355 views • 19 slides
A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien

A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien

A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien Courouss, Jean-Louis Lanet and Ronan Lashermes July 27th 2016 A template attack against Verify PIN algorithms Le Bouder et al. July 27th 2016 1/23

590 views • 30 slides
CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be

CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be

CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be applicants eligibility from Homeland Security, IRS and Social Security systems, in real time, plus enroll members electronically to any

346 views • 8 slides
WhatTheStack? Verify your Deployments using Tempest Christian Schwede | @cschwede_de | Nick

WhatTheStack? Verify your Deployments using Tempest Christian Schwede | @cschwede_de | Nick

WhatTheStack? Verify your Deployments using Tempest Christian Schwede | @cschwede_de | Nick Barcet | @nijaba | Juno OpenStack Summit | May 2014 Seamless Build & Delivery of Open Cloud Infrastructures 120+ Montral People

544 views • 27 slides
ATP Hygiene Monitoring What is it? A test method to verify good cleaning wherever you want it,

ATP Hygiene Monitoring What is it? A test method to verify good cleaning wherever you want it,

MASTER CLASS ATP HYGIENE MONITORING & RAPID TESTS FOR COLIFORM/E.COLI/TOTAL COUNT 9TH FOOD SAFETY AND & QUALITY SUMMIT NEW DELHI 2&3 DECEMBER 2014 ATP Hygiene Monitoring What is it? A test method to verify good cleaning

261 views • 25 slides
Atlas Certified provides an automated solution to verify and monitor license and certification

Atlas Certified provides an automated solution to verify and monitor license and certification

Atlas Certified provides an automated solution to verify and monitor license and certification data in an increasingly skill-based and regulated marketplace. The content of this presentation is proprietary and confidential. What is

492 views • 8 slides
How to capture, model, and verify the knowledge of legal, security, and privacy experts: a

How to capture, model, and verify the knowledge of legal, security, and privacy experts: a

Universit degli Studi di Trento How to capture, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach L. Compagna, P. El Khoury F. Massacci , N. Zannone R. Thomas Security Research Dept.

357 views • 14 slides
A Widely Used Machine Translation Service and its Migration to a Free/Open-Source Solution: the

A Widely Used Machine Translation Service and its Migration to a Free/Open-Source Solution: the

A Widely Used Machine Translation Service and its Migration to a Free/Open-Source Solution: the Case of Softcatal Xavier Ivars-Ribes Victor M. Snchez-Cartagena II FreeRBMT (Barcelona) January 21, 2011 Table of Contents Brief History of

417 views • 23 slides
JavaScript Security: Lets Fix It Brendan Eich CTO, Mozilla Corporation (We could bundle it)

JavaScript Security: Lets Fix It Brendan Eich CTO, Mozilla Corporation (We could bundle it)

JavaScript Security: Lets Fix It Brendan Eich CTO, Mozilla Corporation (We could bundle it) bugs to fix <script> injection: perl.com pr0n.com (http://radar.oreilly.com/2008/01/dangers-of-remote-javascript.html) lure.org

345 views • 17 slides
The Web of Confusion Douglas Crockford Yahoo! Inc. http://crockford.com/codecamp/confusion.ppt

The Web of Confusion Douglas Crockford Yahoo! Inc. http://crockford.com/codecamp/confusion.ppt

The Web of Confusion Douglas Crockford Yahoo! Inc. http://crockford.com/codecamp/confusion.ppt Web 2.0 Security and Privacy The problems started in 1995. We have made no progress on the fundamental problems since then. Will the web ever

585 views • 39 slides
The Future of JavaScript I mean ECMAScript Douglas Crockford Yahoo! Welcome to the Future!

The Future of JavaScript I mean ECMAScript Douglas Crockford Yahoo! Welcome to the Future!

The Future of JavaScript I mean ECMAScript Douglas Crockford Yahoo! Welcome to the Future! Such as it is. The Worlds Most Popular Programming Language The Worlds Most Popular Programming Language The Worlds Most Unpopular

716 views • 58 slides
Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer Science, Stanford

1.01k views • 43 slides
CLICK HERE.exe XSS & CSRF Security Meetup Month 2 of 12 (February) Last month: SQL

CLICK HERE.exe XSS & CSRF Security Meetup Month 2 of 12 (February) Last month: SQL

CLICK HERE.exe XSS & CSRF Security Meetup Month 2 of 12 (February) Last month: SQL Injections This month: XSS / CSRF Next month: DDoS / DoS Meetup Group for times/dates https://www.meetup.com/CLICK_HERE-exe/ Plan of Attack

1.76k views • 58 slides
Finance, Growth and Fragility: The Role of Government Thorsten Beck Maxwell Fry Lecture 2012

Finance, Growth and Fragility: The Role of Government Thorsten Beck Maxwell Fry Lecture 2012

Finance, Growth and Fragility: The Role of Government Thorsten Beck Maxwell Fry Lecture 2012 Finance is pro-growth and pro -poor but also fragile Output losses relative to potential output; Source: Laeven and Valencia (2010) Finance,

676 views • 38 slides
CS5412: HOW IT WORKS Lecture II Ken Birman Today: Lets look at some real apps 2 Well

CS5412: HOW IT WORKS Lecture II Ken Birman Today: Lets look at some real apps 2 Well

CS5412 Spring 2012 (Cloud Computing: Birman) 1 CS5412: HOW IT WORKS Lecture II Ken Birman Today: Lets look at some real apps 2 Well focus on two very standard examples Netflix movie player Siri, Apples new digital

917 views • 54 slides

More recommend