CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 17 - Language-based security
October 25, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

Engineering Disaster?
• Millions of bots
• Compromised applications
• Programming errors
• Enable code insertion
• What can we do to fix them?
• Just starting to get serious...

Buffer Overflows
• One means by which the bad guys take over a host
  – install root kits
  – use as SPAM bots
  – use as zombies
  – launch other attacks
• There are many attacks, but this is the most prevalent
• It all starts with some programmer mistake
  – e.g., bad software
[Figure: process address space from low addresses (0x000...) to high (0xfff...): TEXT, DATA, HEAP, STACK]

Buffer Overflows (continued)
• Stack frame
  – how local variables and program state are stored in most modern programming languages
• The Attack
  – overwrite a buffer on the stack, running past it so that the saved return pointer now points to adversary code
  – the return from the function lands the program counter in the bad guy's downloaded code
  – Game over -- they now control that host
[Figure: stack frame before the attack (SP, ret, a, b, buf) and after it, with the return slot holding myret and the buffer filled with evil code]

Buffer Overflow Prevention
• StackGuard
  – Push a 'canary' on the stack between the local vars and the return pointer
  – Overwrite of the canary indicates a buffer overflow
  – Requires changes to the compiler
  – Q: Would this solve the problem?
• Thorough summary:
  – www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf

Other Input Problems
• Function Pointers
  – Overwrite a local function pointer variable
  – Q: What can be done?
• Heap overflow
  – Overflow a buffer on the heap
• Integer Overflow
  – For signed 8-bit integers
  – 127+1 = ??
• Malformed Character Input
  – What does URL "<ipaddr>/scripts/..%c0%af../winnt/system32" decode to?
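The StackGuard check from the Buffer Overflow Prevention slide, as an added example (not from the slides and not StackGuard's own code): one frame is modelled as a byte array with the local buffer, then the canary, then the saved return address; an unbounded copy runs upward through it, and the epilogue check compares the canary before the "return" is taken. The frame layout, the canary value and the two return addresses are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one StackGuard frame: local buffer, then canary, then
 * saved return address, one 8-byte word each (an assumption; real layouts are
 * chosen by the compiler). Keeping the frame in a single byte array makes the
 * overflow well-defined C rather than a real stack smash. */
#define BUF_SIZE   16
#define CANARY_OFF BUF_SIZE
#define RET_OFF    (CANARY_OFF + 8)
#define FRAME_SIZE (RET_OFF + 8)

struct frame { uint8_t bytes[FRAME_SIZE]; };

static uint64_t load64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void store64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* Prologue: the canary is placed between the locals and the return address. */
void frame_init(struct frame *f, uint64_t canary, uint64_t ret) {
    memset(f->bytes, 0, FRAME_SIZE);
    store64(f->bytes + CANARY_OFF, canary);
    store64(f->bytes + RET_OFF, ret);
}

/* The programmer's mistake: the copy is bounded by the input length, not by
 * BUF_SIZE, so it runs upward through the canary and the return slot. */
void vulnerable_copy(struct frame *f, const uint8_t *src, size_t n) {
    if (n > FRAME_SIZE) n = FRAME_SIZE;   /* keep the model inside the object */
    memcpy(f->bytes, src, n);
}

/* Epilogue check: if the canary is unchanged, a sequential overwrite of buf
 * cannot have reached the return address above it. */
int canary_intact(const struct frame *f, uint64_t canary) {
    return load64(f->bytes + CANARY_OFF) == canary;
}

uint64_t saved_ret(const struct frame *f) { return load64(f->bytes + RET_OFF); }

/* Runs the attack with a payload of payload_len bytes: filler, then the
 * attacker's return address ("myret" on the slide) in the return slot.
 * Returns 1 if the canary check fires, 0 if it passes; *ret_out receives the
 * return address the epilogue would use. */
int run_attack(size_t payload_len, uint64_t *ret_out) {
    const uint64_t canary = 0x5a5a5a5a0d0aff00ULL;   /* constructed value; StackGuard
                                                         uses random or terminator canaries */
    const uint64_t good_ret = 0x400000ULL, evil_ret = 0xdeadbeefULL;
    struct frame f;
    uint8_t payload[FRAME_SIZE];

    frame_init(&f, canary, good_ret);
    memset(payload, 'A', sizeof payload);
    store64(payload + RET_OFF, evil_ret);
    vulnerable_copy(&f, payload, payload_len);

    *ret_out = saved_ret(&f);
    return !canary_intact(&f, canary);
}

int attack_detected(size_t payload_len) { uint64_t r; return run_attack(payload_len, &r); }
uint64_t attack_ret(size_t payload_len) { uint64_t r; run_attack(payload_len, &r); return r; }

int main(void) {
    size_t lens[] = { BUF_SIZE, BUF_SIZE + 4, FRAME_SIZE };
    for (size_t i = 0; i < 3; i++)
        printf("payload %2zu bytes: canary %s, return address 0x%llx\n", lens[i],
               attack_detected(lens[i]) ? "CLOBBERED (abort before return)" : "intact",
               (unsigned long long)attack_ret(lens[i]));
    return 0;
}
```

The three payload sizes answer the slide's question only in part: a payload that stays inside the buffer passes, and any payload long enough to reach the return slot has already destroyed the canary, so the overwritten return address is never used. What the canary does not see is a write that lands below it (a local function pointer, the case on the next slide), a heap buffer, or an attacker who can predict the canary and write it back in place.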
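The Malformed Character Input question on the Other Input Problems slide, as an added example that is not from the slides: a percent-decoder followed by a UTF-8 decoder with a lenient mode, which accepts overlong sequences the way the affected server did, and a strict mode, which rejects them. Only the URL string comes from the slide; the decoder functions and their names are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Turn "%XX" escapes into raw bytes. Returns the byte count, or -1 on a
 * malformed escape. out needs strlen(in) bytes. */
int percent_decode(const char *in, uint8_t *out) {
    int n = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] != '%') { out[n++] = (uint8_t)in[i]; continue; }
        int hi = hexval((unsigned char)in[i + 1]);
        if (hi < 0) return -1;                  /* also catches '%' at the end */
        int lo = hexval((unsigned char)in[i + 2]);
        if (lo < 0) return -1;
        out[n++] = (uint8_t)(hi * 16 + lo);
        i += 2;
    }
    return n;
}

/* Decode one UTF-8 sequence into *cp. Returns bytes consumed, or 0 on a
 * malformed sequence. With strict set, a code point encoded in more bytes
 * than it needs (an "overlong" form) is rejected; a lenient decoder accepts it. */
size_t utf8_next(const uint8_t *s, size_t len, int strict, uint32_t *cp) {
    if (len == 0) return 0;
    uint8_t b = s[0];
    size_t need; uint32_t v, min;
    if (b < 0x80)                { *cp = b; return 1; }
    else if ((b & 0xE0) == 0xC0) { need = 1; v = b & 0x1F; min = 0x80;    }
    else if ((b & 0xF0) == 0xE0) { need = 2; v = b & 0x0F; min = 0x800;   }
    else if ((b & 0xF8) == 0xF0) { need = 3; v = b & 0x07; min = 0x10000; }
    else return 0;                               /* stray continuation byte etc. */
    if (len < need + 1) return 0;
    for (size_t i = 1; i <= need; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        v = (v << 6) | (s[i] & 0x3F);
    }
    if (strict && v < min) return 0;             /* %c0%af decodes to U+002F '/' */
    *cp = v;
    return need + 1;
}

/* Percent-decode, then UTF-8-decode, a URL path into ASCII (anything above
 * 0x7F becomes '?'). Returns the output length, or -1 if anything is rejected. */
int decode_path(const char *url, int strict, char *out, size_t outsz) {
    uint8_t raw[256];
    if (strlen(url) >= sizeof raw) return -1;
    int n = percent_decode(url, raw);
    if (n < 0) return -1;
    size_t pos = 0, o = 0;
    while (pos < (size_t)n) {
        uint32_t cp;
        size_t used = utf8_next(raw + pos, (size_t)n - pos, strict, &cp);
        if (used == 0 || o + 1 >= outsz) return -1;
        out[o++] = cp < 0x80 ? (char)cp : '?';
        pos += used;
    }
    out[o] = '\0';
    return (int)o;
}

/* 1 if url decodes (in the given mode) to exactly expected, else 0. */
int url_decodes_to(const char *url, int strict, const char *expected) {
    char buf[256];
    return decode_path(url, strict, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

/* 1 if the decoder rejects url in the given mode. */
int url_rejected(const char *url, int strict) {
    char buf[256];
    return decode_path(url, strict, buf, sizeof buf) < 0;
}

int main(void) {
    const char *url = "/scripts/..%c0%af../winnt/system32";   /* from the slide */
    char buf[256];
    printf("lenient: %s\n", decode_path(url, 0, buf, sizeof buf) >= 0 ? buf : "(rejected)");
    printf("strict:  %s\n", decode_path(url, 1, buf, sizeof buf) >= 0 ? buf : "(rejected)");
    return 0;
}
```

Leniently decoded, `..%c0%af..` becomes `../..`, so a traversal filter that inspects the request before decoding sees no `../` at all. Either decode strictly (rejecting overlong forms) or run the check on the fully decoded path, never on the raw one.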
Java World
• Type Safe Language
  – No buffer/heap/ptr overflows
  – No unsafe casts
  – Still have integer overflows?
• Java Virtual Machine
  – Interpret bytecodes (or compile together)
  – Security Manager (reference monitor for JVM)
  – Q: What is the trust model of a Java application?

CCured
• From C to memory-safe C: a translator
  – Find the minimum number of runtime checks to ensure memory safety
• Classify pointers
  – Safe
  – Wild
  – Need runtime checks for wild pointers
• Runtime checks
  – Similar to declassifiers in DLM
  – Written by hand, in general

C Analysis
• Assume type safety in the analysis
  – On what basis?
  – Trust that the programmer does not subvert it
• Is this a reasonable assumption?
  – Unsound analysis
    • False negatives are possible
  – Sound analysis
    • If the analysis reports no unsafe behavior, none can occur (relative to what the analysis models)
• Actually, lots of work in this area
• Used in production code: Microsoft

Source Code Analysis
• Shallow tools for bug finding
  – PREfix, PREfast -- Microsoft
• Companies that will check your code
  – Coverity -- based on MC
• Deep tools for verifying correctness
  – SLAM -- for device drivers
• Add security to legacy code
  – Generate LSM hooks
  – Generate a reference monitor for the X Server
• Lots of other topics
  – Privilege separation
  – Domain transition
  – Error reporting

Enforcing security policy
• DAC
• MAC
• certificates
• trust management
• SELinux
• anti-virus
• IDS
• firewalls
• encryption
• legal measures
[Figure: a customer sends a credit card and an order form to the E-Store software application; the application forwards the credit card to the credit card company and the order form to the E-Store; question marks mark the points where the credit card could leak]
Security Policy: Do not leak credit card information to E-Store local storage
None of these provide end-to-end confidentiality
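The runtime check the CCured slide refers to, as an added example (not CCured's own code or metadata layout): a pointer that carries the bounds of the object it came from, arithmetic on it that is left unchecked, and reads and writes that are checked before they touch memory. CCured's real classification (SAFE, SEQ, WILD) and its base/end representation are richer; the index-based layout and all function names here are an assumption for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Checked pointer: the address plus the bounds of the object it came from.
 * A pointer the analysis proves is never used in arithmetic (CCured's SAFE
 * kind) stays a plain C pointer with no check; one that is (SEQ, and WILD
 * when the pointed-to type is unknown as well) is represented like this and
 * checked on every use. The index form keeps the arithmetic well-defined
 * even when it goes out of bounds; CCured stores base/end pointers instead. */
struct fat_ptr { uint8_t *base; size_t len; ptrdiff_t idx; };

struct fat_ptr fat_from_array(uint8_t *arr, size_t len) {
    struct fat_ptr f = { arr, len, 0 };
    return f;
}

/* Arithmetic moves the index only; nothing is dereferenced, so no check. */
struct fat_ptr fat_add(struct fat_ptr f, ptrdiff_t off) { f.idx += off; return f; }

/* The inserted runtime check. An unchecked *p would have read or written
 * whatever neighbor happens to follow the object. */
static int in_bounds(struct fat_ptr f) { return f.idx >= 0 && (size_t)f.idx < f.len; }

int fat_read(struct fat_ptr f, uint8_t *out) {       /* 0 on success, -1 if refused */
    if (!in_bounds(f)) return -1;
    *out = f.base[f.idx];
    return 0;
}

int fat_write(struct fat_ptr f, uint8_t v) {         /* 0 on success, -1 if refused */
    if (!in_bounds(f)) return -1;
    f.base[f.idx] = v;
    return 0;
}

/* strcpy against a checked destination: returns the number of characters
 * copied, or -1 at the first byte that would not fit, which is exactly where
 * the unchecked version on the earlier slides starts its overflow. */
int checked_strcpy(struct fat_ptr dst, const char *src) {
    for (int n = 0; ; n++) {
        if (fat_write(fat_add(dst, n), (uint8_t)src[n]) != 0) return -1;
        if (src[n] == '\0') return n;
    }
}

/* Copies src into an 8-byte local buffer through a checked pointer. */
int copy_into_small_buffer(const char *src) {
    uint8_t buf[8];
    return checked_strcpy(fat_from_array(buf, sizeof buf), src);
}

/* 1 if a copy of src into the 8-byte buffer succeeded and left src plus NUL. */
int copy_result_matches(const char *src) {
    uint8_t buf[8];
    if (checked_strcpy(fat_from_array(buf, sizeof buf), src) < 0) return 0;
    return memcmp(buf, src, strlen(src) + 1) == 0;
}

/* Value at index i of the constructed array {0..7}, or -1 if the read is refused. */
int read_at(ptrdiff_t i) {
    uint8_t arr[8] = { 0, 1, 2, 3, 4, 5, 6, 7 };
    uint8_t v;
    if (fat_read(fat_add(fat_from_array(arr, sizeof arr), i), &v) != 0) return -1;
    return v;
}

int main(void) {
    printf("copy \"hello\"        -> %d\n", copy_into_small_buffer("hello"));
    printf("copy \"overflowing!\" -> %d\n", copy_into_small_buffer("overflowing!"));
    printf("read_at(3) = %d, read_at(8) = %d, read_at(-1) = %d\n",
           read_at(3), read_at(8), read_at(-1));
    return 0;
}
```

The cost is the point of the slide's "minimum number of runtime checks": every access through a checked pointer pays a compare, and the pointer itself is three words instead of one, so the translator's job is to prove as many pointers SAFE as it can and leave the checks only where arithmetic or casts make them necessary.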
Information-flow control
• What is it?
  – Simple security & ★-property
• Why?
  – Leandro Aragoncillo, e.g.
• Problem: Information release
• Solution: Information Flow Control
  – Stronger enforcement than reference monitors
[Figure: lattice of compartment sets, from {NUC, EUR, US} at the top (access to all compartments) through {NUC, EUR}, {NUC, US}, {EUR, US}, then {NUC}, {EUR}, {US}, down to the bottom element (access to no compartments)]

Label and monitor
• Key:
  – tag data
  – monitor flows
• RMs tag actual data
  – all data/processes have a label
  – a central security monitor checks operations and data access against policy
• Security-typed languages use virtual tags
  – data types are labeled
  – the type checker validates flows

Build on type safety
• A type-safe language maintains the semantics of types. E.g., you can't add ints to Objects.
• Type safety is compositional. A function promises to maintain type safety.

  Example 1
    Object obj;
    int i;
    obj = obj + i;      // X: rejected by the type checker

  Example 2
    String proc_obj(Object o);
    ...
    main() {
      Object obj;
      String s = proc_obj(obj);   // accepted: the call site relies on the declared signature
      ...
    }
Labeling types
• Key insight: label types with security levels
• Security typing is compositional

  Example 1
    int{high} h1, h2;
    int{low} l;
    l = 5;
    h2 = l;
    h1 = h2 + 10;
    l = h2 + l;         // X: high information would flow into a low variable

  Example 2
    String{low} proc_obj(Object{high} o);
    ...
    main() {
      Object{high} obj;
      String{low} s;
      s = proc_obj(obj);   // accepted: the signature promises a low result
      ...
    }

Implicit flows
    intLow mydata = 0;
    intLow mydata2 = 0;
    if (testHigh)
      mydata = 1;
    else
      mydata = 2;
    mydata2 = 0;
    printLow(mydata2);   // fine
    printLow(mydata);    // type error at compile time
    ...
• Static (virtual) tagging
• Causes a type error at compile time
• mydata contains information about testHigh, so it can no longer be Low; mydata2 is assigned outside the conditional, so it is untainted by testHigh

Declassification
• Noninterference is too restrictive
• Examples:
  – Encryption
  – Distributed auction
  – Password check
• Solutions:
  – DLM and selective declassification
  – Robust declassification
  – Quantitative security

Open challenges
• System-wide security
• Certifying compilation
• Abstraction-violating
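The Labeling types and Implicit flows slides, served by one added example that is not from the slides or from any security-typed language implementation: a small flow checker over a two-point lattice that carries a pc label through conditionals, so an assignment inside `if (testHigh)` is tainted even though its right-hand side is a constant. The statement representation, the variable table and the distinction between declared labels (`int{low} l`) and virtual tags (`intLow mydata` on the slide) are constructed for the demo.

```c
#include <stddef.h>
#include <string.h>

/* Two-point lattice LOW <= HIGH; join() is the least upper bound. */
typedef enum { LOW = 0, HIGH = 1 } label_t;
static label_t join(label_t a, label_t b) { return a > b ? a : b; }

/* A variable either has a declared label (int{high} h1: assigning it a higher
 * label is an error) or carries a virtual tag that the checker raises as it
 * walks the program (the slide's static tagging of intLow mydata). */
struct var { const char *name; label_t label; int declared; };

/* Tiny language: dst = f(srcs), structured conditionals, a LOW sink (printLow). */
enum kind { ASSIGN, IF_BEGIN, ELSE, IF_END, OUTPUT_LOW };
struct stmt { enum kind kind; const char *dst; const char *srcs[2]; };
#define MAX_DEPTH 16

static struct var *find(struct var *vars, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(vars[i].name, name) == 0) return &vars[i];
    return NULL;
}

/* Label of what a statement reads: the pc label (control dependence on the
 * enclosing guards) joined with every variable mentioned; constants are LOW. */
static label_t read_label(struct var *vars, size_t n, const struct stmt *s, label_t pc) {
    label_t l = pc;
    for (int k = 0; k < 2 && s->srcs[k] != NULL; k++) {
        struct var *v = find(vars, n, s->srcs[k]);
        if (v != NULL) l = join(l, v->label);
    }
    return l;
}

/* One pass over the program. Returns the index of the first statement that
 * would let HIGH information reach a LOW variable or sink, or -1 if the
 * program is well typed. Tags in vars are updated in place. */
int check_flows(struct var *vars, size_t nvars, const struct stmt *prog, size_t nprog) {
    label_t pc[MAX_DEPTH];
    int depth = 0;
    pc[0] = LOW;
    for (size_t i = 0; i < nprog; i++) {
        const struct stmt *s = &prog[i];
        label_t l = read_label(vars, nvars, s, pc[depth]);
        switch (s->kind) {
        case ASSIGN: {
            struct var *d = find(vars, nvars, s->dst);
            if (d == NULL) return (int)i;
            if (d->declared) { if (l > d->label) return (int)i; }     /* e.g. l = h2 + l */
            /* in a branch the old value survives on the other path: the tag only rises */
            else d->label = depth > 0 ? join(l, d->label) : l;
            break;
        }
        case IF_BEGIN:                                   /* the guard taints the body */
            if (depth + 1 >= MAX_DEPTH) return (int)i;
            pc[++depth] = l;
            break;
        case ELSE:   if (depth == 0) return (int)i; break;        /* same pc as then */
        case IF_END: if (depth == 0) return (int)i; depth--; break;
        case OUTPUT_LOW: if (l > LOW) return (int)i; break;       /* printLow() of tainted data */
        }
    }
    return -1;
}

/* Example 1 from the Labeling types slide: statement 3, l = h2 + l, fails. */
int example_labeled_types(void) {
    struct var vars[] = { { "h1", HIGH, 1 }, { "h2", HIGH, 1 }, { "l", LOW, 1 } };
    const struct stmt prog[] = {
        { ASSIGN, "l",  { NULL, NULL } },   /* 0: l = 5 */
        { ASSIGN, "h2", { "l", NULL } },    /* 1: h2 = l */
        { ASSIGN, "h1", { "h2", NULL } },   /* 2: h1 = h2 + 10 */
        { ASSIGN, "l",  { "h2", "l" } },    /* 3: l = h2 + l */
    };
    return check_flows(vars, 3, prog, 4);
}

/* The program on the Implicit flows slide, one statement per entry. */
static const struct stmt implicit_prog[] = {
    { ASSIGN,     "mydata",  { NULL, NULL } },        /* 0: mydata = 0 */
    { ASSIGN,     "mydata2", { NULL, NULL } },        /* 1: mydata2 = 0 */
    { IF_BEGIN,   NULL,      { "testHigh", NULL } },  /* 2: if (testHigh) */
    { ASSIGN,     "mydata",  { NULL, NULL } },        /* 3:   mydata = 1 */
    { ELSE,       NULL,      { NULL, NULL } },        /* 4: else */
    { ASSIGN,     "mydata",  { NULL, NULL } },        /* 5:   mydata = 2 */
    { IF_END,     NULL,      { NULL, NULL } },        /* 6: */
    { ASSIGN,     "mydata2", { NULL, NULL } },        /* 7: mydata2 = 0 */
    { OUTPUT_LOW, NULL,      { "mydata2", NULL } },   /* 8: printLow(mydata2) */
    { OUTPUT_LOW, NULL,      { "mydata", NULL } },    /* 9: printLow(mydata) */
};

/* Tagged variables as on the slide: mydata picks up HIGH inside the
 * conditional, so the error surfaces at the sink, statement 9; mydata2 stays LOW. */
int example_implicit_flow_tagged(void) {
    struct var vars[] = { { "testHigh", HIGH, 1 }, { "mydata", LOW, 0 }, { "mydata2", LOW, 0 } };
    return check_flows(vars, 3, implicit_prog, 10);
}

/* Same program with mydata declared int{low}: the assignment under the HIGH
 * pc, statement 3, is rejected before the sink is reached. */
int example_implicit_flow_declared(void) {
    struct var vars[] = { { "testHigh", HIGH, 1 }, { "mydata", LOW, 1 }, { "mydata2", LOW, 1 } };
    return check_flows(vars, 3, implicit_prog, 10);
}
```

The pc label is what makes the check "stronger than a reference monitor" in the slide's sense: no data moves from testHigh to mydata, so no access check on either variable would fire, yet the assignment's mere occurrence depends on the secret. Note also the tagging rule inside a branch, where the old tag is joined in rather than replaced, because on the other path the variable keeps its previous value.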

