Title: Software Security Monitors: Theory
1Software Security MonitorsTheory Practice
- David Walker
- Princeton University
- (joint work with Lujo Bauer and Jay Ligatti)
2Extensible Systems
Web Browser
Mail Script
Plug-in
Mail Server
Active Router
Servlet
Web Server
protocol
3Securing Extensible Systems
- Compile-time/link-time security
- policies memory safety, type safety
- tools type systems, proof-carrying code, model
checking - Run-time security
- policies access control, resource bounds
- tools access control lists, capabilities, stack
inspection
4Run-time Security
- In general, run-time security properties are
enforced by program monitors - Abstractly, a program monitor is a process that
runs in parallel with an untrusted application - monitors examine application actions
- decide to allow/disallow application actions
- may terminate an application, log application
actions, reinterpret application actions, etc. - monitors detect, prevent, and recover from
erroneous or malicious behavior at run time - generalizes specific enforcement mechanisms such
as access control lists, stack inspection, etc.
5Securing Extensible Systems
- Many questions
- Our application requires property X. Can we
enforce it precisely or will we have to get by
with an approximation? - How do we write down our policy succinctly and
unambiguously? - What specific mechanism will we need to enforce
our property? - How do we implement the mechanism?
6Talk Outline
- Theory
- What is a software security monitor?
- What is a security policy and what does it mean
to enforce one? - What policies can software security monitors
enforce? - Language design
- Programming simple policies
- Programming complex policies
- Summary, related work and conclusions
7What is a program monitor?
- Monitors analyze transform untrusted
application actions
Monitor
Input Stream
Output Stream
a3
a1
a2
a2
a4
a2
a2
a1
Application generates actions to be input into
monitor
Machine executes actions output by monitor
8Possible Monitor Actions
- Accept the action
- Halt the application
- Suppress (skip) the operation
- Insert some computation
- Some combination of these
9Formalizing security monitors
- Program monitors gt formal automata that
transform a stream of program actions - Given a set of possible program actions A
- Monitors are deterministic state machines (Q,
q0, T) where - Q state set
- q0 start state
- T transition function
10Operational Semantics
- Single step (determined by T)
- (Sin, q) ? (Sin, q)
- Multi-step (reflexive, transitive closure of T)
- (Sin, q) ? (Sin, q)
- Output sequence is observable
- Input sequences are not observable
So
So
11A Hierarchy of Security Monitors
We classify monitors based on their
transformational abilities (ie based on T).
Insert Suppress OK
Halt Truncation Suppression Insertion Edit
?
?
?
?
?
?
?
?
?
?
?
?
12An Example E-Banana.com
- Set of application actions A take(n),
// take n bananas pay(n), // pay for n
bananas browse, // browse for bananas
receipt // commit - Edit Automaton
-
take(n)
pay(n)
pn
browse
browse
pay(n)
take(n)
start
tpn
init
tn
receipt
pay(n)take(n)receipt
13Edit Automata
- Definition (Q,q0,T)
- where T (t,e,i)
- State transition function t
- t action x state ? state
- Emission function e
- e action x state ? ,-
- Insertion function i
- i action x state ? action sequence x state
14Edit Automata
- Operational Semantics
- (S, q) ? (S, q)if SaS and t(a,q)q and
e(a,q) - (S, q) ? (S, q)if SaS and t(a,q)q and
e(a,q) - - (S, q) ? (S, q)if SaS and i(a,q)(Sins, q)
- (S, q) ? (empty, q)otherwise
a
(E-Accept)
(E-Suppress)
Sins
(E-Insert)
(E-Halt)
15Talk Outline
- Theory
- What is a software security monitor?
- What is a security policy and what does it mean
to enforce one? - What policies can software security monitors
enforce? - Language design
- Programming simple policies
- Programming complex policies
- Summary, related work and conclusions
16Security Policies
- A Security Policy is a predicate P over sequences
of actions. - Example Policies
- In any program execution, bananas taken equal
bananas paid for - Access control, resource bounds policies are
properties - Non-policies (for our purposes)
- Cryptographic uniformity property The set of
all possible outputs of the cryptographic key
generation algorithm forms a uniform distribution
over the integers - Information-flow policies
17What does it mean to enforce a policy?
- Principle of Soundness
- All observable outputs obey the policy ?
sequences Sin . ? state q . ? sequence So - 1. (Sin, q0) ? (empty, q)
- 2. P(So)
- Principle of Transparency
- Semantics of executions that already obey policy
must be preserved 3. P(Sin)?? (Sin ??So)
So
18Some Useful Equivalences
- Remove/Insert unnecessary actions
- fclose(f)fclose(f)?? fclose(f)
- Replace a sequence with equivalent actions
- socket(S)send(S,m)?? socketSend(S,m)
- Permute independent actions
- fopen(f)fopen(g)?? fopen(g)fopen(f)
- Necessary properties
- reflexive, symmetic transitive
- S?? S ?? P(S)?? P(S)
19E-Banana.com
1) (browse S) ? S 2) (S1 take(n) pay(n)
S2) ? (S1 pay(n) take(n) S2)
20Conservative Enforcement
- Enforcer satisfies Soundness but not necessarily
Transparency - ? properties P . (? sequence S . P(S)) ? P can
be conservatively enforced
Conservative
21Effective Enforcement
- Enforcer satisfies Soundness and Transparency
- Valid sequences can be altered
Effective
Conservative
22Precise Enforcement
- Motivation
- In practice, some operations cannot be delayed
- Definition
- Enforcer satisfies Soundness and Transparency
- Enforcer must output actions in lock-step with
application
Precise
Effective
Conservative
23Talk Outline
- Theory
- What is a software security monitor?
- What is a security policy and what does it mean
to enforce one? - What policies can software security monitors
enforce? - Language design
- Programming simple policies
- Programming complex policies
- Summary, related work and conclusions
24What properties can be enforced?
- The enforceable properties depend upon
- the definition of enforcement (conservative,
effective, precise) - the class of automaton (truncation, suppression,
insertion, edit) - the space of possible input programs
- static program analysis (type systems
proof-carrying code) constrain program execution - if the monitor can assume certain bad
executions do not occur, it can enforce more
properties
25Effective Enforcement
- An E-Banana.com policy
- Our edit automaton is an effective enforcer
- It satisfies Soundness
- It satisfies Transparency
- Proofs are by induction over the possible inputs
- Less powerful automata (truncation, suppression
and insertion) cannot enforce the E-Banana
property - Proof by contradiction shows either Soundness or
Transparency will be violated
browse ((take(n)pay(n) pay(n)take(n))
receipt)
26A Simple Theorem
- Theorem Any decideable predicate P on
executions is a property that can be effectively
enforced by some edit automaton - Proof construct a transactional edit automaton
that suppresses and logs program actions when
P(S) and commits (outputs) when P(S)
27Effectively Enforceable Properties
Editing Properties
Insertion Properties
Suppression Properties
Trunc. Prop.
28Talk Outline
- Theory
- What is a software security monitor?
- What is a security policy and what does it mean
to enforce one? - What policies can software security monitors
enforce? - Language design
- Programming simple policies
- Programming complex policies
- Summary, related work and conclusions
29Polymer, the Language
- Polymer
- A domain-specific language for programming
security monitors (edit automata) - Java a couple of simple extensions
- simple policy definitions containing
- a set of security-relevant actions
- security state
- decision procedure that produces security
suggestions (halt, suppress action, insert
action, etc) - complex policy definitions involving
- higher-order policy combinators
30Securing Untrusted Applications
untrusted code
describes security-relevant program points
Java application
policy interface
instrumented application
separately compiled from policy
contains hooks to call monitor
31Securing Untrusted Applications
Java application
implements dynamic security policy
policy interface
policy implementation
instrumented application
combines application and policy
secure application
32Talk Outline
- Theory
- What is a software security monitor?
- What is a security policy?
- What does it mean to enforce a policy?
- What policies can software security monitors
enforce? - Language design
- Programming simple policies
- Programming complex policies
- Summary, related work and conclusions
33A Simple Polymer Policy
new policy definition extends policy class
class limitFiles extends Policy private int
openFiles 0 private int maxOpen 0
limitFiles(int max) maxOpen max
....
private policy state
policy constructor
34A Simple Polymer Policy Continued
class limitFiles extends Policy private int
openFiles ... private int maxOpen ...
public ActionPattern actions new
ActionPattern ltFile
fileOpen(String)gt, ltvoid fileClose(File)gt
....
set of policy- relevant methods
35A Simple Polymer Policy Continued
class limitFiles extends Policy private int
openFiles ... private int maxOpen ...
public ActionPattern actions ...
Suggestion before(Action a) aswitch (a)
case fileOpen(String s) if
(openFiles lt maxOpen) return
Suggestion.OK() else
return Suggestion.Halt() case
fileClose(File f) ...
policy behavior
36A Simple Polymer Policy Continued
class limitFiles extends Policy private int
openFiles ... private int maxOpen ...
public ActionPattern actions ...
Suggestion before(Action a) aswitch (a)
case fileOpen(String s) if
(openFiles lt maxOpen) return
Suggestion.OK() else
return Suggestion.Halt() case
fileClose(File f) ...
37A Simple Polymer Policy Continued
class limitFiles extends Policy public
ActionPattern actions ... private int
openFiles ... private int maxOpen ...
Suggestion before(Action a) aswitch (a)
case fileOpen(String s) if
(openFiles lt maxOpen) return
Suggestion.OK() else
return Suggestion.Halt() case
fileClose(File f) ...
38Talk Outline
- Theory
- What is a software security monitor?
- What is a security policy?
- What does it mean to enforce a policy?
- What policies can software security monitors
enforce? - Language design
- Programming simple policies
- Programming complex policies
- Summary, related work and conclusions
39Complex Monitors
- Combine simple policies defined over a variety of
different resources - eg sample applet policy
- file system access control
- bounds on bytes written and number of files
opened - restricted network access
- no network access after local file is read
- communication with applet source only
40Policy Combinators
- Programmers may write parameterized policy
combinators - And, Or, Forall, Exists, Chinese wall,...
P1
P2
AndPolicy
?
s2
s1
s
41Policy Combinators
- class AndPolicy extends Policy
- private Policy p1
- private Policy p2
-
- AndPolicy(Policy pol1, Policy pol2)
- p1 pol1
- p2 pol2
- ...
-
-
first-class policies
42Policy Combinators
- class AndPolicy extends Policy
- ...
- Suggestion before(Action a)
- Suggestion s1 p1.before(a)
- Suggestion s2 p2.before(a)
- if (s1.isOK() s2.isOK())
- return Suggestion.OK()
- else ...
-
using suggestions
system interprets suggestions at the top level
43Talk Outline
- Theory
- What is a software security monitor?
- What is a security policy?
- What does it mean to enforce a policy?
- What policies can software security monitors
enforce? - Language design
- Programming simple policies
- Programming complex policies
- Summary, related work and conclusions
44Future Work
- Theory
- infinite sequences gt coinductive proof
techniques - resource-bounded programs monitors
- time, space and randomness
- Practice
- complete Polymer 1.0 (end of summer)
- Polymer evaluation
- next up transactional policies
45Related Work
- Enforceable security policies
- Schneider 00 HMS 02
- Monitoring languages
- Naccio ET 99 Poet and Pslang ES 99, ES 00
others - New polymer features first-class policies
policy combinators, suggestions, abstract
actions, formal semantics - Aspect-oriented Programming
- AspectJ HyperJ
- New polymer features as above
- With Dan Dantas, we are developing AspectML
46Summary
- A general framework for formal reasoning about
security monitors - defined a hierarchy of security monitors
- gave meaning to the word enforceable
- developed rigorous proofs concerning enforceable
properties - Polymer A programming language for composing
security monitors - techniques for modular monitor design
composition - formal semantics as an extension of FeatherWeight
Java
47Conclusions
- Technology for securing extensible systems is in
high demand - Software security monitors are one part of the
solution - For more information, see
- Edit Automata Enforcement Mechanisms for
Run-time Security Policies. IJIS 2003. - Types and effects for non-interfering program
monitors. ISSS 2002 LNCS 2609. - More Enforceable Security Policies. FCS 2002.
- www.cs.princeton.edu/sip/projects/polymer/
48End
49Realistic Monitors
- Protect complex system interfaces
- interfaces replicate functionality in many
different places - method parameters communicate information in
different forms - eg Java file system interface
- 9 different methods to open files
- 4 different methods to close files
- filename strings, file objects, self used to
identify files
50Abstract Action Definitions
java.lang.io
FileReader(String fileName) FileReader(File
file) RandomAccessFile(...) ... FileReader.clos
e() RandomAccessFile.close() ...
fileOpen(String n) fileClose()
51Abstract Action Definitions
class fileOpen extends ActionSig boolean
canMatch(Action a) aswitch (a)
case FileReader(_) return true case
RandomAccessFile () return true ...
String parameter1(Action a) ....
52Abstract Action Pattern Matching
class limitFiles extends Policy ...
Suggestion step(Action a) aswitch (a)
case fileOpen(String s) ...
case fileClose() ...
fileOpen.parameter1(a)
fileOpen.canMatch(a)
53Taxonomy of Precisely Enforceable Properties
54Secure Application
Untrusted application
Host System (Java)
Program Monitor Definition
Polymer language extensions
Java core
55Policy Architecture Simple Policies
system interface
Simple Policy Def.
Host System (Java)
Polymer language extensions
Java core
56Policy Architecture Abstract Actions
abstract system interface
Host System (Java)
Simple Policy Def.
Abstract Action Def.
Polymer language extensions
concrete system interface
Java core
57Policy ArchitectureComplex Policies
Complex, System-specific Policy
abstract system interface
Simple Policy Def.
Policy Comb. Def.
Abstract Action Def.
Host System (Java)
Polymer language extensions
concrete system interface
Java core