wedge splitting applications into reduced privilege
play

Wedge: Splitting Applications into Reduced-Privilege Compartments - PowerPoint PPT Presentation

May 06, 2023 •235 likes •845 views

Wedge: Splitting Applications into Reduced-Privilege Compartments Andrea Bittau Petr Marchenko Mark Handley Brad Karp University College London April 17, 2008 Vulnerabilities threaten sensitive data Exploits allow running arbitrary code

  1. Wedge: Splitting Applications into Reduced-Privilege Compartments Andrea Bittau Petr Marchenko Mark Handley Brad Karp University College London April 17, 2008

  2. Vulnerabilities threaten sensitive data ◮ Exploits allow running arbitrary code on servers. ◮ An exploited web server can be used to leak sensitive information such as credit card numbers. Have we managed to mitigate or prevent vulnerabilities? 1000 Vulnerabilities per year 800 600 400 200 0 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 Time (years) Source: osvdb.org

  3. Process-based privileges are too coarse-grained Need to keep SSL web server’s RSA private key secret. master (read) (process) (create) network /etc/rsa key worker (file)

  4. Process-based privileges are too coarse-grained Need to keep SSL web server’s RSA private key secret. Apache worker running as root: ◮ Can read any file. ◮ Can invoke any system call. master (read) (process) (create) network /etc/rsa key worker (file)

  5. Process-based privileges are too coarse-grained Need to keep SSL web server’s RSA private key secret. Apache worker running as root: ◮ Can read any file. Fix: run as nobody. ◮ Can invoke any system call. Fix: use systrace, SELinux, . . . master master (read) (read) (process) (process) (create) (create) network network /etc/rsa key /etc/rsa key worker worker (file) (file)

  6. Process-based privileges are too coarse-grained Need to keep SSL web server’s RSA private key secret. Apache worker running as root: ◮ Can read any file. Fix: run as nobody. ◮ Can invoke any system call. Fix: use systrace, SELinux, . . . Are we done protecting the private key? master master (read) (read) (process) (process) (create) (create) network network /etc/rsa key /etc/rsa key worker worker (file) (file)

  7. Process-based privileges are too coarse-grained Need to keep SSL web server’s RSA private key secret. Apache worker running as root: ◮ Can read any file. Fix: run as nobody. ◮ Can invoke any system call. Fix: use systrace, SELinux, . . . Are we done protecting the private key? master (read) (process) (create) network /etc/rsa key worker (file)

  8. Problem: processes grant all code access to all memory Need to keep SSL web server’s RSA private key secret. (worker process) network HTTP parser (code) private key (memory) SSL engine

  9. Problem: processes grant all code access to all memory Need to keep SSL web server’s RSA private key secret. (worker process) network HTTP parser (code) private key (memory) SSL engine (read)

  10. Problem: processes grant all code access to all memory Need to keep SSL web server’s RSA private key secret. (worker process) network HTTP parser (code) private key (memory) SSL engine (read)

  11. Problem: processes grant all code access to all memory Need to keep SSL web server’s RSA private key secret. This talk: how to limit access of code to memory at fine granularity. (worker process) network HTTP parser (code) private key (memory) SSL engine (read)

  12. Old idea: principle of least privilege Principle of least privilege: ◮ Partition code into compartments . ◮ Assign each compartment the minimal privileges it needs for its operation. ◮ Restrict interface and interactions between compartments. How to implement compartments? ◮ Processes?

  13. Why are traditional processes not sufficient? Creating compartments with UNIX, e.g. , fork : ◮ Default grant. Child inherits memory map and file descriptors. Operation of fork private key parent /etc/passwd

  14. Why are traditional processes not sufficient? Creating compartments with UNIX, e.g. , fork : ◮ Default grant. Child inherits memory map and file descriptors. Operation of fork private key parent fork child /etc/passwd

  15. Why are traditional processes not sufficient? Creating compartments with UNIX, e.g. , fork : ◮ Default grant. Child inherits memory map and file descriptors. Operation of fork private key parent fork child /etc/passwd Default-deny: inherit nothing from parent. Closer to least-privilege.

  16. But default-deny is difficult to use for legacy code How many permissions do we need to explicitly grant? (worker process) network HTTP parser (code) private key (memory) SSL engine

  17. But default-deny is difficult to use for legacy code How many permissions do we need to explicitly grant? Worker Worker Apache’s client handler uses over 600 memory objects.

  18. Contributions ◮ New system calls for default-deny. ◮ Creating compartments. ◮ Specifying privileges. ◮ Tools to make default-deny usable when partitioning legacy code. ◮ Identifying the privileges for compartments.

  19. Outline 1. Wedge. ◮ New system calls for default-deny. ◮ Crowbar: tool for partitioning legacy code. 2. Wedge applied to Apache+OpenSSL.

  20. sthreads: default-deny compartments private key parent /etc/passwd ◮ Like processes, but default-deny. ◮ Like threads: can easily share pointers and file descriptors. ◮ Programmer must explicitly grant all permissions.

  21. sthreads: default-deny compartments private key parent sthread create child (sthread) /etc/passwd ◮ Like processes, but default-deny. ◮ Like threads: can easily share pointers and file descriptors. ◮ Programmer must explicitly grant all permissions.

  22. Virtual memory { page n char *key, *buffer; char *config; page n+1 key = malloc(16); parser buffer = malloc(80); … config = malloc(128); }

  23. Tagged memory { page n tag = tag_new(); key = malloc(16); page n+1 buffer = parser smalloc(80,tag); … config = smalloc(128,tag); }

  24. How can sthreads use sensitive data? Callgates. Problem: unprivileged code cannot access sensitive data directly but must still use it. private key parser Callgates: an entry-point with predefined privileges. ◮ Callgates are created and invoked at a later time. ◮ At creation, a subset of creator’s privileges is given to callgate. ◮ At invocation, code is run with creation privileges.

  25. How can sthreads use sensitive data? Callgates. Problem: unprivileged code cannot access sensitive data directly but must still use it. session key private key parser Callgates: an entry-point with predefined privileges. ◮ Callgates are created and invoked at a later time. ◮ At creation, a subset of creator’s privileges is given to callgate. ◮ At invocation, code is run with creation privileges.

  26. How can sthreads use sensitive data? Callgates. Problem: unprivileged code cannot access sensitive data directly but must still use it. session key private key setup session key client handler invoke Callgates: an entry-point with predefined privileges. ◮ Callgates are created and invoked at a later time. ◮ At creation, a subset of creator’s privileges is given to callgate. ◮ At invocation, code is run with creation privileges.

  27. How can sthreads use sensitive data? Callgates. Problem: unprivileged code cannot access sensitive data directly but must still use it. session key private key setup session key client handler invoke Callgates: an entry-point with predefined privileges. ◮ Callgates are created and invoked at a later time. ◮ At creation, a subset of creator’s privileges is given to callgate. ◮ At invocation, code is run with creation privileges.

  28. Summary: Wedge applied to Apache session key private key setup session key client handler ◮ Sthreads: default-deny compartments—low privilege. ◮ Callgates: privilege elevation—high privilege. ◮ Tagged memory: naming memory for privilege specification.

  29. Ad-hoc code study? Worker Worker Apache’s client handler needs access to 222 heap objects and 389 globals. Need to read 72 source files (for heap only). 1. Which code is executed? 2. What objects do pointers point to? 3. Where were objects allocated? If privilege is omitted, you get a crash—repeat until no crashes.

  30. Static analysis of memory accesses? Static analysis for C code does not have runtime context ( e.g. , format string for printf ). Consequences: ◮ May fail. e.g., function pointers. ◮ If conservative, may give superset of privileges actually needed. e.g., may follow code paths corresponding to exploits!

  31. Crowbar: runtime analysis of memory accesses Dynamic analysis yields least privilege: private key GET URL POST data parser Server uses minimal privileges to execute an innocuous request. 1. Use runtime instrumentation to produce memory trace. 2. Train using benign requests. Need to ensure high trace coverage, e.g. , with test suite.

  32. Crowbar: runtime analysis of memory accesses Dynamic analysis yields least privilege: private key GET URL POST data parser Server uses minimal privileges to execute an innocuous request. 1. Use runtime instrumentation to produce memory trace. 2. Train using benign requests. Need to ensure high trace coverage, e.g. , with test suite.

  33. Crowbar: runtime analysis of memory accesses Dynamic analysis yields least privilege: private key GET URL POST data parser Server uses minimal privileges to execute an innocuous request. 1. Use runtime instrumentation to produce memory trace. 2. Train using benign requests. Need to ensure high trace coverage, e.g. , with test suite.

  34. Outline 1. Wedge. ◮ New system calls for default-deny. ◮ Crowbar: tool for partitioning legacy code. 2. Wedge applied to Apache+OpenSSL.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Wedge Probe Cards PCBs, Connectors, Applications HTT High Tech Trade GmbH HTT Wedge Probe Cards

Wedge Probe Cards PCBs, Connectors, Applications HTT High Tech Trade GmbH HTT Wedge Probe Cards

Wedge Probe Cards PCBs, Connectors, Applications HTT High Tech Trade GmbH HTT Wedge Probe Cards Dresden Location Hartmut Wauer, Rev1.0, January 2014 Zur Wetterwarte 50, Haus 337b Page 1 D-01109 Dresden Wedge Probe Cards made by HTT Probe Card

249 views • 14 slides
Wedge http://patrickbaudisch.com/projects/wedge/ To overcome display limitations of small-screen

Wedge http://patrickbaudisch.com/projects/wedge/ To overcome display limitations of small-screen

Wedge http://patrickbaudisch.com/projects/wedge/ To overcome display limitations of small-screen devices, researchers have proposed techniques that point users to objects located off-screen. Arrow- based techniques such as City Lights convey

332 views • 21 slides
Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for dominant purpose of civil or criminal litigation Relate to litigation which is pending, reasonably contemplated, or existing Legal Advice Privilege:

532 views • 20 slides
Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage This week How to build secure systems Least privilege and privilege separation

578 views • 46 slides
Bremsstrahlung Splitting Overview Jane Tinslay, SLAC Overview & Applications Biases by

Bremsstrahlung Splitting Overview Jane Tinslay, SLAC Overview & Applications Biases by

March 2007 Bremsstrahlung Splitting Overview Jane Tinslay, SLAC Overview & Applications Biases by enhancing secondary production Aim to increase statistics in region of interest while reducing time spent tracking electrons

134 views • 12 slides
Decomposition by operator-splitting methods and applications in image deblurring Daniel

Decomposition by operator-splitting methods and applications in image deblurring Daniel

Decomposition by operator-splitting methods and applications in image deblurring Daniel OConnor (Department of Mathematics, UCLA) Lieven Vandenberghe (Electrical Engineering, UCLA) Workshop on Optimization for Modern Computation BICMR,

509 views • 34 slides
Douglas-Rachford Splitting for Infeasible, Unbounded, and Pathological Problems Yanli Liu, Ernest

Douglas-Rachford Splitting for Infeasible, Unbounded, and Pathological Problems Yanli Liu, Ernest

Douglas-Rachford Splitting for Infeasible, Unbounded, and Pathological Problems Yanli Liu, Ernest Ryu, Wotao Yin UCLA Math US-Mexico Workshop Optimization and its Applications Jan 812, 2018 1 / 30 Background What is splitting?

457 views • 34 slides
Reduced-Order Modeling for PDEs with bifurcating solutions: applications in CFD Annalisa Quaini

Reduced-Order Modeling for PDEs with bifurcating solutions: applications in CFD Annalisa Quaini

Introduction Model and Applications Methodology Numerical results Conclusions Reduced-Order Modeling for PDEs with bifurcating solutions: applications in CFD Annalisa Quaini Department of Mathematics, University of Houston Joint work with:

539 views • 30 slides
Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners Association Adam Huckle 27 March 2019 Overview What is Privilege? Types: Legal Advice Privilege Litigation Privilege Recent cases

226 views • 18 slides
New Foreign Tax Credit and FTC Splitting Regulations and FTC Splitting Regulations Mastering

New Foreign Tax Credit and FTC Splitting Regulations and FTC Splitting Regulations Mastering

Presenting a live 110 minute teleconference with interactive Q&A New Foreign Tax Credit and FTC Splitting Regulations and FTC Splitting Regulations Mastering Section 909 and 901 Rules to Maximize Efficiencies in Complex FTC Planning

915 views • 66 slides
Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix and Windows Michal Knapkiewicz, May 2016 whoami Senior Consultant at Advanced Security

884 views • 51 slides
+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited Non-Lawyer Tax Advisors Nicole Wilson-Rogers, Annette Morgan and Dale Pinto + Structure Snapshot: Argument advanced in the paper Current Privileges

422 views • 17 slides
Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Presenting a live 90-minute webinar with interactive Q&A Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests Diverge? Navigating the Complexities of Joint Representations During Litigation, Spinoffs,

889 views • 42 slides
Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to

Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to

Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to Lattice-Based Zero-Knowledge Proofs Vadim Lyubashevsky Gregor Seiler IBM Research Zurich April 30, 2018 Motivation: Lattice-Based Zero-Knowledge Proofs

790 views • 42 slides
With Splitting Steepest Descent Splitting yields adaptive net structure optimization Questions

With Splitting Steepest Descent Splitting yields adaptive net structure optimization Questions

Energy-Aware Neural Architecture Optimization With Splitting Steepest Descent Splitting yields adaptive net structure optimization Questions Why splitting? What neurons should be split first? How to split a neuron optimally?

197 views • 6 slides
Reduced basis methods and high performance computing. Applications to non-linear multi-physics

Reduced basis methods and high performance computing. Applications to non-linear multi-physics

Motivations and Framework Non Linear & MultiPhysics RB Applications Conclusions References Reduced basis methods and high performance computing. Applications to non-linear multi-physics problems Christophe Prudhomme

1.08k views • 68 slides
Earnings Conference Call 2 nd Quarter 2009 July 24, 2009 July 24, 2009 Forward-Looking

Earnings Conference Call 2 nd Quarter 2009 July 24, 2009 July 24, 2009 Forward-Looking

Earnings Conference Call 2 nd Quarter 2009 July 24, 2009 July 24, 2009 Forward-Looking Statements This press release includes forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995, that are

601 views • 38 slides
Solving Hamilton-Jacobi-Bellman equations by combining a max-plus linear approximation and a

Solving Hamilton-Jacobi-Bellman equations by combining a max-plus linear approximation and a

Solving Hamilton-Jacobi-Bellman equations by combining a max-plus linear approximation and a probabilistic numerical method Marianne Akian INRIA Saclay - Ile-de-France and CMAP Ecole polytechnique CNRS RICAM Workshop: Numerical methods

276 views • 24 slides
Andreev and Majorana bound states in quantum dots Alfredo Levy Yeyati In collaboration with:

Andreev and Majorana bound states in quantum dots Alfredo Levy Yeyati In collaboration with:

Andreev and Majorana bound states in quantum dots Alfredo Levy Yeyati In collaboration with: Alvaro Martn-Rodero, Bernd Braunecker (UAM) Reinhold Egger, Alex Zazunov, Roland Htzen (Dusseldorf) Exp results: Philippe Joyez (Saclay)

762 views • 28 slides
Ou Outline In Introduct ction to RNA RNA-se seq Sa Samp mple preparation Qu

Ou Outline In Introduct ction to RNA RNA-se seq Sa Samp mple preparation Qu

Ou Outline In Introduct ction to RNA RNA-se seq Sa Samp mple preparation Qu Quality y control Tr Transcript assembly Re Read alignment Di Differ eren ential g gen ene e e expres ession Da Data v

521 views • 19 slides
Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927 http://xkcd.com/927 But our goal today isnt unification; its security. We come to bury the standard, not to praise it. Why do people choose

572 views • 31 slides
19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a

19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a

Is 2 255 19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a strong elliptic curve 128-bit crypto: Okay. over the field Z (2 255 19). 256-bit crypto: High security! Is that safe? 512-bit

121 views • 11 slides
your business your future Limited by Guarantee. Registered in England. Registration No 37818.

your business your future Limited by Guarantee. Registered in England. Registration No 37818.

The Sheep Centre, Malvern, Worcestershire, WR13 6PH, enquiries@nationalsheep.org.uk, www.nationalsheep.org.uk A company your business your future Limited by Guarantee. Registered in England. Registration No 37818. Registered charity in England and

100 views • 7 slides
Algebras of Generalized Functions and Nonstandard Analysis Hans Vernaeve (joint work with Todor

Algebras of Generalized Functions and Nonstandard Analysis Hans Vernaeve (joint work with Todor

Algebras of Generalized Functions and Nonstandard Analysis Hans Vernaeve (joint work with Todor Todorov) University of Innsbruck June 2008 Generalized Functions and N.S.A. . (Hans Vernaeve) 1 / 15 Generalized functions: introduction and

380 views • 21 slides

More recommend