UVA CS 588 - Lecture 18: Malcode Countermeasures

David Evans, University of Virginia, Computer Science
Slides from CS588: Security and Privacy, Lecture 18 (19 Nov 2001). This preview contains slides 1 to 21 of 51; the outline below lists all 51.

Outline
1. Title
2. Menu
3. Malcode Defenses
4. Program Execution
5. (untitled)
6. Ideal Reference Monitor
7. (untitled)
8. Operating Systems
9. Reference Monitor as Finite State Automaton [Schneider99]
10. What policies can be enforced?
11. What's a Security Policy?
12. More Formally...
13. Reference Monitors cannot enforce all Security Policies
14. Safety Policies
15. Java Security: Real or Decaf?
16. What is Java?
17. Java: Programming Language
18. What is a secure language?
19. Safe Programming Languages
20. Java Safety
21. Malicious Code
22. Safe Languages?
23. JVML
24. Does JVML satisfy Java's safety properties?
25. Bytecode Verifier
26. (untitled)
27. Are Java Bytecode Verifiers Complicated?
28. Java
29. JavaVM
30. JavaVM Policy Enforcement
31. java.lang.SecurityManager
32. Security Manager
33. HotJava's Policy (JDK 1.1.7)
34. AppletSecurity.checkWrite (some exception handling code removed)
35. inApplet
36. currentClassLoader
37. Recap
38. JDK 1.0 Trust Model
39. JDK Evolution
40. What can go wrong?
41. Hostile Applets
42. Proof-Carrying Code
43. (untitled)
44. (untitled)
45. (untitled)
46. Have we seen anything like this?
47. Fortune Cookie
48. Reasons you might prefer PCC
49. Feedback Slips
50. (untitled)
51. Movie

Slide 1
David Evans
http://www.cs.virginia.edu/~evans
CS588: Security and Privacy
University of Virginia, Computer Science
Lecture 18: Malcode Countermeasures
19 Nov 2001

Slide 2: Menu
• Reference Monitors
• Java Security
• Proof-Carrying Code (time permitting)
• Monday: Firewalls, Intrusion Detection
Movie – make sure I stop by 3:00!

Slide 3: Malcode Defenses
• Constrain program behavior
  – Reference Monitors
    • In-line Reference Monitors
• Prevent possibly harmful code from running
  – Safe Languages
  – Proof-Carrying Code

Slide 4: Program Execution
[Diagram: a Program with access to the Monitor, Speakers, SuperSoaker 2000, Disk, Memory and Network]

Slide 5: Program Execution
[Diagram: as slide 4, with a Reference Monitor added between the Program and the resources it accesses]

Slide 6: Ideal Reference Monitor
1. Sees everything a program is about to do before it does it
2. Can instantly and completely stop program execution (or prevent action)
3. Has no other effect on the program or system
Can we build this? Probably not unless we can build a time machine...

Slide 7: Real Reference Monitor
The list from slide 6, retitled "Real" and annotated "most things" and "limited" where a real monitor falls short of the ideal.

Slide 8: Operating Systems
• Provide reference monitors for most security-critical resources
  – When a program opens a file in Unix or Windows, the OS checks that the principal running the program can open that file
• Doesn't allow different policies for different programs
• No flexibility over what is monitored
  – OS decides for everyone
  – Hence, can't monitor inexpensive operations

Slide 9: Reference Monitor as Finite State Automaton [Schneider99]
[State diagram: states 0, 1 and 2, each with a self-loop on "All other instructions"; transitions labelled Aim and Fire; a Fire transition leads to STOP (Policy Violation)]

Slide 10: What policies can be enforced?
• Assume:
  – Security Automaton can see entire state of world, everything about instruction about to execute
  – Security Automaton has unlimited memory, can do unlimited computation
• Are there interesting policies that still can't be enforced?

Slide 11: What's a Security Policy?
• What's a program?
  – A set of possible executions
• What's an execution?
  – A sequence of states
• What's a security policy?
  – A predicate on a set of executions

Slide 12: More Formally...
[symbol lost in extraction]: set of all possible executions (can be infinite)
S: set of executions possible by target program (S is a subset of the set of all executions)
P: security policy, set of executions → Boolean
S is safe iff P(S) is true.

Slide 13: Reference Monitors cannot enforce all Security Policies
• Some policies depend on:
  – Knowing about the future
    • If the program charges the credit card, it must eventually ship the goods
  – Knowing about all possible executions
    • Information flow – can't tell if a program reveals secret information without knowing about other possible executions
• Reference Monitors can only know about the past of this particular execution

Slide 14: Safety Policies
• Reference monitors can only enforce safety policies
• Safety policy is a predicate on a prefix of states (see Schneider98 for more formal definition)
  – Cannot depend on future: prefix means once it is false, it is always false
  – Cannot depend on other possible executions

Slide 15: Java Security
Real or Decaf?

Slide 16: What is Java?
A. Island in Indonesia
B. A Programming Language (Java)
C. A Portable Low-Level Language (JVML)
D. A Platform (JavaVM)
E. A (semi-)successful marketing strategy
   – JavaScript is not related to Java or Java
F. Work on your projects
G. All of the above

Slide 17: Java: Programming Language
"A simple, object-oriented, distributed, interpreted, robust, secure, architecture neutral, portable, high-performance, multithreaded, and dynamic language." [Sun95]

Slide 18: What is a secure language?
1. Language is designed so it cannot express certain computations considered insecure.
2. Language is designed so that (accidental) program bugs are likely to be caught by the compiler or run-time environment instead of leading to security vulnerabilities.
A few attempt to do this: PLAN, packet filters

Slide 19: Safe Programming Languages
• Type Safety
  – Compiler and run-time environment ensure that bits are treated as the type they represent
• Memory Safety
  – Compiler and run-time environment ensure that program cannot access memory outside defined storage
• Control Flow Safety
  – Can't jump to arbitrary addresses
Which of these does C++ have?
Not a new idea: LISP had these in 1960!

Slide 20: Java Safety
• Type Safety
  – Most types checked statically
  – Coercions, array assignments type checked at run time
• Memory Safety
  – No direct memory access (e.g., pointers)
  – Primitive array type with mandatory run-time bounds checking
• Control Flow Safety
  – Structured control flow, no arbitrary jumps

Slide 21: Malicious Code
Can a safe programming language
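The security-automaton reference monitor of slides 9 to 14, as an added Python example that is not part of the lecture: the exact Aim/Fire transitions on slide 9 are not recoverable from this preview, so the "Aim before each Fire" policy below is an assumption, and the charge-then-ship check is a constructed illustration of why the slide 13 policy is not a safety policy.

```python
# Security automaton in the sense of the reference-monitor slides: every
# instruction is checked before it executes; the first disallowed one moves
# the monitor to STOP, which halts the program for good.
STOP = "STOP"   # absorbing violation state: nothing is permitted afterwards
OTHER = "*"     # wildcard standing for "all other instructions" in a state

class SecurityAutomaton:
    def __init__(self, start, transitions):
        # transitions: {(state, instruction): next_state}; (state, OTHER) covers
        # unlisted instructions, and no matching entry at all is a violation.
        self.start, self.transitions = start, transitions

    def next_state(self, state, instr):
        if state == STOP:
            return STOP
        t = self.transitions
        return t.get((state, instr), t.get((state, OTHER), STOP))

    def verdicts(self, execution):
        # One verdict per prefix of the execution: True while the prefix is
        # allowed, False from the first violation onward.
        out, state = [], self.start
        for instr in execution:
            state = self.next_state(state, instr)
            out.append(state != STOP)
        return out

# Assumed Aim/Fire policy (the slide's own transitions are not recoverable
# here): Fire is allowed only if an Aim has occurred since the previous Fire;
# every other instruction is allowed in every state.
AIM_BEFORE_FIRE = SecurityAutomaton(0, {
    (0, "Aim"): 1, (0, "Fire"): STOP, (0, OTHER): 0,   # state 0: not aimed
    (1, "Aim"): 1, (1, "Fire"): 0,    (1, OTHER): 1,   # state 1: aimed
})

def prefix_closed(verdicts):
    # Safety-policy property from slide 14: once a prefix is rejected, every
    # longer prefix is rejected too (no True may follow a False).
    return all(a or not b for a, b in zip(verdicts, verdicts[1:]))

def eventually_ships(execution):
    # Slide 13's policy: every Charge must eventually be followed by a Ship.
    # It is a property of the whole execution, so a monitor that has seen only
    # ["Charge"] cannot decide it: both good and bad continuations exist.
    pending = 0
    for instr in execution:
        if instr == "Charge":
            pending += 1
        elif instr == "Ship" and pending:
            pending -= 1
    return pending == 0
```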

