Transcript Slides

Retrofitting Legacy Code with
Authorization Mechanisms
Vinod Ganapathy
Rutgers University
[email protected]
Principle of Design for Security
To create a secure system, design
it to be secure from the ground up
 Historic example:
• MULTICS [Corbato et al. ‘65]
 More recent examples:
• Operating systems
• Database servers
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
2
Relevance of the Principle today
Most deployed software is
not designed for security
 Deadline-driven software development
• Design.Build.(Patch)* is here to stay
• Few people have expertise with a single large
codebase.
• Tedious to sift through large codebases and
reason about security.
• Diverse/Evolving security requirements
o MULTICS security study [Karger and Schell, ‘72]
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
3
Retrofitting legacy code
Need systematic techniques to
retrofit legacy code for security
Legacy
code
INSECURE
Vinod Ganapathy
Retrofitted
code
SECURE
Retrofitting Legacy Code for Authorization Policy Enforcement
4
Retrofitting legacy code
Need systematic techniques to
retrofit legacy code for security
 Enforcing type safety
• CCured [Necula et al. ’02]
 Partitioning for privilege separation
• PrivTrans [Brumley and Song, ’04]
 Enforcing authorization policies
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
5
Enforcing authorization policies
Resource user
Operation request
Response
Resource manager
Reference monitor
Allowed?
YES/NO
policy
‹Alice, Authorization
/etc/passwd, File_Read
›
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
6
Retrofitting for authorization
 Mandatory access control for Linux
• Linux Security Modules [Wright et al.,’02]
• SELinux [Loscocco and Smalley,’01]
 Secure
windowingmanual
systems procedure
Painstaking,
• Trusted X, Compartmented-mode workstation,
X11/SELinux [Epstein et al.,’90][Berger et al.,’90][Kilpatrick et al.,’03]
 Java Virtual Machine/SELinux [Fletcher,‘06]
 IBM Websphere/SELinux [Hocking et al.,‘06]
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
7
This tutorial
Three program analysis and transformation
techniques (in increasing order of sophistication)
to retrofit legacy code with reference monitors
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
8
Contents of the tutorial
Analyses and transformations for
authorization policy enforcement
 Fingerprints: A new representation for
security-sensitive operations
 Three algorithms to mine fingerprints
 Results: Reduced effort to retrofit legacy
code for authorization policy enforcement
• Manual effort needed reduces to a few hours
• Applied to X server, Linux kernel, etc.
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
9
Outline
 Motivation
 Problem
• Example
• Retrofitting legacy code: Lifecycle
 Solutions
• Dynamic fingerprint mining
• Static mining with concept analysis
• Static mining leveraging user choice
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
10
X server with multiple X clients
REMOTE
LOCAL
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
11
Malicious remote X client
REMOTE
LOCAL
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
12
Undesirable information flow
REMOTE
LOCAL
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
13
Desirable information flow
REMOTE
LOCAL
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
14
Other policies to enforce
 Prevent unauthorized
• Copy and paste
• Modification of inputs meant for other clients
• Changes to window settings of other clients
• Retrieval of bitmaps: Screenshots
[Berger et al., ’90]
[Epstein et al., ‘90]
[Kilpatrick et al., ‘03]
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
15
Security is not a ‘blocker’
 Security by design, in practice
“It isn't clear this qualifies as a blocker under any
circumstances. The importance of security increases only as
we are into serious deployment and start becoming a target.
First things, first....”
- https://dev.laptop.org/ticket/260 Need a way to protect against applications sniffing each
other's keystrokes, which X permits by default.
16
X server with authorization
X client
Operation request
Response
X server
Reference monitor
Allowed?
YES/NO
Authorization policy
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
17
Outline
 Motivation
 Problem
• Example
• Retrofitting legacy code: Lifecycle
 Solution
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
18
Retrofitting lifecycle
1. Identify security-sensitive operations
2. Locate where they are performed in code
3. Instrument these locations
Security-sensitive
operations
Input_Event
Create
Destroy
Copy
Paste
Map
Vinod Ganapathy
Source Code
Policy checks
Can the client
receive this
Input_Event?
Retrofitting Legacy Code for Authorization Policy Enforcement
19
Problems
Manual
 X11 ~ proposed 2003, implemented 2007,
changing to date. [Kilpatrick et al., ‘03]
 Linux Security Modules ~ 2 years [Wright et al., ’02]
 PostgreSQL: Began in 2006, still not mainline.
At this point, SE-PostgreSQL has taken up a *lot* of community resources, not
to mention an enormous and doubtless frustrating amount of *the lead
developer’s* time and effort, thus far without a single committed patch, or
even a consensus as to what it should (or could) do. Rather than continuing to
blunder into the future, I think we need to do a reality check
- http://archives.postgresql.org/message-id/[email protected]
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
20
Problems
Error-prone
 Violation of complete mediation
 Time-of-check to Time-of-use bugs [Zhang et al.,
‘02][Jaeger et al., ‘04]
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
21
Our approach
Principled
 Fingerprints: A new representation of
security-sensitive operations
Automated
 Legacy code retrofitted using fingerprints
• Use of static and dynamic program analysis
• Must achieve complete mediation
• Ideally, must not place redundant hooks
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
22
Approach overview
Legacy code
Miner
Fingerprints
Matcher
Retrofitted code
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
23
Outline
 Motivation
 Problem
 Solution
•
•
•
•
Fingerprints
Dynamic fingerprint mining
Static fingerprint mining with concept analysis
Static fingerprint mining leveraging user
choice
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
24
What are fingerprints?
Code-level signatures of
security-sensitive operations
 Resource accesses that are unique to a
security-sensitive operation
 Denote key steps needed to perform the
security-sensitive operation on a resource
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
25
Examples of fingerprints
 Input_Event :Cmp xEvent->type == KeyPress
Security-sensitive
operations
Source Code
Input_Event
Create
Destroy
Copy
Paste
Map
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
26
Examples of fingerprints
 Input_Event :Cmp xEvent->type == KeyPress
 Input_Event :Cmp xEvent->type == MouseMove
 Map :Set Window->mapped to True &
Set xEvent->type to MapNotify
 Enumerate :Read Window->firstChild &
Read Window->nextSib &
Cmp Window ≠ 0
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
27
Fingerprint matching
Enumerate :- Read Window->firstChild &
 X server function
MapSubWindows
Read Window->nextSib
&
Cmp Window ≠ 0
MapSubWindows(Window *pParent, Client *pClient) {
Window *pWin;
…
// Run through linked list of child windows
pWin = pParent->firstChild; …
for (;pWin != 0; pWin=pWin->nextSib) {
...
// Code that maps each child window
...
}
}
Performs Enumerate
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
28
Placing authorization checks
 X server function MapSubWindows
MapSubWindows(Window *pParent, Client *pClient) {
Window *pWin;
…
// Run through linked list of child windows
if CHECK(pClient,pParent,Enumerate) == ALLOWED {
pWin = pParent->firstChild; …
for (;pWin != 0; pWin=pWin->nextSib) {
...
// Code that maps each child window
...
}
} else { HANDLE_FAILURE }
}
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
29
Fingerprint matching
 Currently employ simple pattern matching
 More sophisticated matching possible
• Metacompilation [Engler et al., ‘01]
• MOPS [Chen and Wagner, ‘02]
 Inserting authorization checks is akin to
static aspect-weaving [Kiczales et al., ’97]
 Other aspect-weaving techniques possible
• Runtime aspect-weaving
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
30
Outline
 Motivation
 Problem
 Solution
•
•
•
•
Fingerprints
Dynamic fingerprint mining
Static fingerprint mining with concept analysis
Static fingerprint mining leveraging user
choice
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
31
Dynamic fingerprint mining
Security-sensitive
operations
Source Code
Input_Event
Create
Destroy
Copy
Paste
Map
Output: Fingerprints
Input_Event :-
Cmp xEvent->type == KeyPress
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
32
Dynamic fingerprint mining
 Security-sensitive operations
Input_Event
Create
Destroy
Map
[NSA’03]
Input to window from device
Create new window
Destroy existing window
Map window to console
 Use this information to induce the program
to perform security-sensitive operations
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
33
Problem definition
 S: Set of security-sensitive operations
 D: Descriptions of operations in S
 R: Set of resource accesses
• Read/Set/Cmp of Window/xEvent
 Each s є S has a fingerprint
• A fingerprint is a subset of R
• Contains a resource access unique to s
 Problem: Find fingerprints for each
security-sensitive operation in S using D
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
34
Traces contain fingerprints
Security-sensitive
operations
Source Code
Runtime trace
Input_Event
Create
Destroy
Copy
Paste
Map
 Induce security-sensitive operation
• Typing to window will induce Input_Event
 Fingerprint must be in runtime trace
• Cmp xEvent->type == KeyPress
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
35
Compare traces to localize
Security-sensitive
operations
Source Code
Runtime trace
Input_Event
Create
Destroy
Copy
Paste
Map
 Localize fingerprint in trace
• Trace difference and intersection
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
36
Runtime traces
 Trace the program and record reads/writes
to resource data structures
• Window and xEvent in our experiments
 Example: from X server startup
(In function SetWindowtoDefaults)
Set Window->prevSib to 0
Set Window->firstChild to 0
Set Window->lastChild to 0
…
about 1400 such resource accesses
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
37
Using traces for fingerprinting
 Obtain traces for each security-sensitive
operation
• Series of controlled tracing experiments
 Examples
•
•
•
•
Typing to keyboard generates Input_Event
Creating new window generates Create
Creating window also generates Map
Closing existing window generates Destroy
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
38
Comparison with “diff” and “∩”
Annotation is a manual step
Open
xterm
Close
xterm
Move
xterm
Open
browser
Switch
windows
Create
Destroy
Map
Unmap
Input_Event
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
39
Comparison with “diff” and “∩”
Perform same set operations on resource accesses
Open
xterm
Close
xterm
Move
xterm
Open
browser
Switch
windows
Create
Destroy
Map
Unmap
Input_Event
Create = Open xterm ∩ Open browser - Move xterm
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
40
Set equations
 Each trace has a set of labels
• Open xterm: {Create, Map}
• Browser: {Create, Destroy, Map, Unmap}
• Move xterm: {Map, Input_Event}
 Need set equation for {Create}
• Compute an exact cover for this set
• Open xterm ∩ Open browser – Move xterm
 Perform the same set operations on the
set of resource accesses in each trace
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
41
Experimental methodology
Source code
gcc –-enable-logging
Server with logging enabled
Run experiments and collect traces
Raw traces
Localize security-sensitive operation
Relevant portions of traces
Compare traces with “diff” and “∩”
Pruned traces
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
42
Dynamic mining: Results
1,000,000
1,000,000
100,000
54,000
10,000
Each fingerprint localized to
1,000within 126 resource accesses
Size
900
126
100
10
1
Source Code
Vinod Ganapathy
Raw Traces
Relevant
Portions
Retrofitting Legacy Code for Authorization Policy Enforcement
Pruned
Traces
43
Limitations of dynamic mining
Security-sensitive
operations
Source Code
Runtime trace
Input_Event
Create
Destroy
Copy
Paste
Map
1. Incomplete: False negatives
2. High-level description needed
3. Operations are manually induced
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
44
Outline
 Motivation
 Problem
 Solution
•
•
•
•
Fingerprints
Dynamic fingerprint mining
Static fingerprint mining with concept analysis
Static fingerprint mining leveraging user
choice
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
45
Static fingerprint mining
Security-sensitive
operations
Input_Event
Create
Destroy
Copy
Paste
Map
Source Code
Resources
• Window
• xEvent
Output: Candidate Fingerprints
Cmp xEvent->type == KeyPress
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
46
Problem definition
 R: Set of resource accesses
• Read/Set/Cmp of Window/xEvent
 E: Set of entry points into the server
 Goal: Find fingerprints using R and E
Not given an a priori description
of security-sensitive operations
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
47
Straw-man proposal I
Each resource access
in R is a fingerprint





Finest level of granularity
Cmp xEvent->type == KeyPress
Read Window->firstChild
Read Window->nextSib
Cmp Window ≠ 0
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
48
Problem with this proposal
Difficult to write and maintain
policies at this level of granularity




Cmp xEvent->type == KeyPress
Read Window->firstChild
Read Window->nextSib
Cmp Window ≠ 0
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
49
Straw-man proposal II
Each API in E is a fingerprint
 Coarsest level of granularity
 Call MapSubWindows
 Call MapWindow
 Write policies allowing/disallowing the use
of an API call
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
50
Problem with this proposal
Does not reflect actual resource
accesses performed by API call
 Call MapSubWindows
• Enumerates child windows and maps them to
the screen
 Call MapWindows
• Maps a window onto the screen
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
51
Our approach
Cluster resource accesses
that always happen together
 Each API entry point implicitly defines a
set of resource accesses
 Cluster resource accesses based upon the
API entry points that perform them
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
52
Static analysis
 Extract resource accesses potentially
possible via each entry point
 Example from the X server
• Entry point: MapSubWindows(…)
• Resource accesses:
Set xEvent->type To MapNotify
Set Window->mapped To True
Read Window->firstChild
Read Window->nextSib
Cmp Window ≠ 0
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
53
Resource accesses
MapSub
Windows
Map
Window
Keyboard
Input
Set xEvent->type To MapNotify
Set Window->mapped To True
Identify candidate
fingerprints by
270 API functions
Read Window->firstChild
clustering
430
distinctresource
resourceaccesses
accesses
Read Window->nextSib
Cmp Window ≠ 0
Cmp xEvent->type==KeyPress
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
54
Concept analysis
Features
Instances
MapSub
Windows
Map
Window
Keyboard
Input
Set xEvent->type To MapNotify
Set Window->mapped To True
Comparison via
Read Window->firstChild
hierarchical clustering
Read Window->nextSib
Cmp Window ≠ 0
Cmp xEvent->type==KeyPress
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
55
Hierarchical clustering
1
2
3
4
5
6
A
B
C
MapSub
Windows
Map
Window
Keyboard
Input
Set xEvent->type To MapNotify
Set Window->mapped To True
Read Window->firstChild
Read Window->nextSib
Cmp Window ≠ 0
Cmp xEvent->type==KeyPress
{A,B,C}, Ф
{A,B}, {1,2}
{C}, {6}
{A}, {1,2,3,4,5}
Ф, {1,2,3,4,5,6}
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
56
Mining candidate fingerprints
Cand. Fing. 1
Cand. Fing. 2
Cand. Fing. 3
1
2
3
4
5
6
A
B
C
MapSub
Windows
Map
Window
Keyboard
Input
Set xEvent->type To MapNotify
Set Window->mapped To True
Read Window->firstChild
Read Window->nextSib
Cmp Window ≠ 0
Cmp xEvent->type==KeyPress
{A,B,C}, Ф
{A,B}, {1,2}
{C}, {6}
{A}, {1,2,3,4,5}
Ф, {1,2,3,4,5,6}
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
57
Static mining: Results
Benchmark LOC
ext2
4,476
X Server/dix 30,096
PennMUSH 94,014
Cand. Fing.
18
115
38
Avg. Size
3.7
3.7
1.4
100,000
Size
10,000
1,000
100
10
1
ext2
Vinod Ganapathy
X server
PennMUSH
Retrofitting Legacy Code for Authorization Policy Enforcement
58
Static mining: Results
Benchmark
Manually identified
Security-sensitive ops
Candidate
fingerprints
ext2
11
18
X Server/dix
22
115
Able to find at least one fingerprint
for each security-sensitive operation
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
59
Static mining: Results
Benchmark
Manually identified
Security-sensitive ops
Candidate
fingerprints
ext2
11
18
X Server/dix
22
115
Identified as part
Identified automatically
in a of
few minutes
multi-year
efforts
Interpretation
takes just
a few hours
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
60
Static mining: Results
Benchmark
Manually identified
Security-sensitive ops
Candidate
fingerprints
ext2
11
18
X Server/dix
22
115
 Associated 59 candidate fingerprints with
security-sensitive operations
 Remaining are likely security-sensitive too
Read Window->DrawableRec->width &
Read Window->DrawableRec->height
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
61
Outline
 Motivation
 Problem
 Solution
•
•
•
•
Fingerprints
Dynamic fingerprint mining
Static fingerprint mining with concept analysis
Static fingerprint mining leveraging user
choice
o Divya Muthukumaran and Trent Jaeger
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
62
Shortcomings that remain
 Identifying security-sensitive objects is still
manual
 Hook placement suggested by fingerprints:
• Are they “minimal”?
• How do they compare to manually-placed
hooks?
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
63
Program
A
User A
Request
Interface
i
Container
O
B
User B
o1
C
o2
v = Lookup(O,i)
o3
D
o4
E
F
K
I
H
L
J
64
Inferring security-sensitive objects
and operations
 Idea: Follow the client-request
• In servers, client-request determines choice.
 “Choice”:
• Determines which objects are selected to be
operated upon.
• Determines which operation is selected to be
performed on objects.
65
Program
A
User A
Request
Interface
i
Container
O
B
User B
o1
o2
C
v = Lookup(O,i)
Tainted
variable
o3
D
Securitysensitive
variable
Control
statement
Predicated on
tainted variable
o4
E
F
K
I
read v
write v
H
L
J
Security-sensitive
operation
Op1.1
Op1.2
Op1.3
66
User
request
Lookup
Function
Global
Reads
B) Identify Securitysensitive
Objects(VS)
Program
A) Identify
Tainted
Variables (VT)
D) Securitysensitive operations
C) User-choice
Operations
67
clientRequest stuff = ReadRequestFromClient();
…
int ChangeWindowProperty(ClientPtr *c, WindowPtr * w)
{
WindowPtr * win;
PropertyPtr * pProp;
err = LookupWindow(&win,stuff->window, c);
rc = LookupProperty(&pProp, win, stuff->property, c);
if (rc == BadMatch)
{/* Op 1*/
pProp->name = property;
pProp->format = format;
pProp->data = data;
pProp->size = len;
}
else
{ /* Op 2 */
if (stuff->mode == REPLACE)
{ /* Op 2.1 */
pProp->data = data;
pProp->size = len;
pProp->format = format;
}
else if (stuff->mode == APPEND)
{/* Op 2.2 */
pProp->data = data;
pProp->size += len;
}
}
}
68
clientRequest stuff = ReadRequestFromClient();
int ChangeWindowProperty(ClientPtr * c, WindowPtr * w)
{
WindowPtr * win;
PropertyPtr * pProp;
err = LookupWindow(&win,stuff->window, c);
rc = LookupProperty(&pProp, win, stuff->property, c);
if (rc == BadMatch)
{/* Op 1*/
pProp->name = property;
pProp->format = format;
pProp->data = data;
pProp->size = len;
}
else
Static Taint analysis
{ /* Op 2 */
if (mode == REPLACE)
{ /* Op 2.1 */
pProp->data = data;
pProp->size = len;
pProp->format = format;
}
else if (mode == APPEND)
{/* Op 2.2 */
pProp->data = data;
pProp->size += len;
}
}
}
69
User
request
Lookup
Function
Global
Reads
B) Identify Securitysensitive
Objects(VS)
Program
Retrieval of objects from containers:
• List access
(*->next pointer)
D) Security• Array access
(pointer
arithmetic)
sensitive
operations
…
A) Identify
Tainted
Variables (VT)
C) User-choice
Operations
70
List Access: LookupProperty
for (prop=win->userProps; prop; prop=prop->next {
if (prop->name == pName)
break;
*p = prop;
}
return p;
Array Access: LookupWindow
Resource res = clientTable[i]
return res;
71
User
request
Lookup
Function
Global
Reads
B) Identify Securitysensitive
Objects(VS)
Program
A) Identify
Tainted
Variables (VT)
D) Securitysensitive operations
C) User-choice
Def 2: A variable
v ∈ VS(P) if any following are true:
Operations
a) If it is assigned a value from a container via a lookup
function using a variable v∈VT(P),
b) If D is true for some v’ ∈ VS(P).
c) If it is a global variable and in the set VT(P).
72
int ChangeWindowProperty(ClientPtr * c, WindowPtr * w, int mode)
{
WindowPtr * win;
PropertyPtr * pProp;
err = LookupWindow(&win,stuff->window, c);
rc = LookupProperty(&pProp, win, stuff->property, c);
if (rc == BadMatch)
{/* Op 1*/
pProp->name = property;
pProp->format = format;
pProp->data = data;
pProp->size = len;
}
else
{ /* Op 2 */
Technology
if (mode == REPLACE)
Detecting code patterns
{ /* Op 2.1 */
pProp->data = data;
Static Taint analysis
pProp->size = len;
pProp->format = format;
}
else if (mode == APPEND)
{/* Op 2.2 */
pProp->data = data;
pProp->size += len;
}
}
}
73
User
request
Lookup
Function
Global
Reads
B) Identify Securitysensitive
Objects(VS)
Program
A) Identify
Tainted
Variables (VT)
D) Securitysensitive operations
C) User-choice
Operations
74
int ChangeWindowProperty(ClientPtr * c, WindowPtr * w, int mode)
{
WindowPtr * win;
PropertyPtr * pProp;
err = LookupWindow(&win,stuff->window, c);
rc = LookupProperty(&pProp, win, stuff->property, c);
if (rc == BadMatch)
{/* Op 1*/
pProp->name = property;
pProp->format = format;
pProp->data = data;
pProp->size = len;
}
else
{ /* Op 2 */
if (stuff->mode == REPLACE)
{ /* Op 2.1 */
pProp->data = data;
pProp->size = len;
pProp->format = format;
}
else if (stuff->mode == APPEND)
{/* Op 2.2 */
pProp->data = data;
pProp->size += len;
}
}
}
75
Taken
Not- taken
Taken
A
C
B
D
A
B
Not-taken
C
D
Control Dependence
Graph (CDG)
Control Flow Graph (CFG)
76
Entry
(dixChangeWindowProperty)
(rc==BadMatch)
T
F
Op 2
Op 1.1
(mode==REPLACE)
pProp->name =
property
T
pProp->format =
format
pProp->data =
data
pProp->size =
len
Op 2.1
(mode==APPEND)
T
Op 2.2
pProp->format =
format
pProp->data =
data
pProp->data =
data
pProp->size =
len
pProp->size =
len
Op
Structure member
access to mediate
Connection from outside
this procedure
P
control
statement
Dummy node
Operation
77
User
request
Lookup
Function
Global
Reads
B) Identify Securitysensitive
Objects(VS)
Program
A) Identify
Tainted
Variables (VT)
D) Securitysensitive operations
C) User-choice
Operations
78
Entry
(dixChangeWindowProperty)
(rc==BadMatch)
T
F
Op 2
Op 1.1
(mode==REPLACE)
pProp->name =
property
T
pProp->format =
format
pProp->data =
data
pProp->size =
len
Op 2.1
(mode==APPEND)
T
Op 2.2
pProp->format =
format
pProp->data =
data
pProp->data =
data
pProp->size =
len
pProp->size =
len
Op
Structure member
access to mediate
Connection from outside
this procedure
P
control
statement
Operation
Dummy node
79
Results: Reduction in programmer
effort
Program
X Server
postgres
pennmush
memcached
LOC
28k
49k
78k
9k
Total variables
7795
12350
24372
2350
Tainted
variables
2975 (38%)
5100 (41%)
4168 (17%)
490 (20%)
Security sensitive
variables
823 (9%)
402 (3%)
1573 (6%)
82 (3%)
Data Structures
404
278
311
41
Sensitive
Data structures
61
(15%)
30
(10%)
38
(12%)
7
(17%)
User-choice
Operations
4760
5063
6485
996
Sensitive operations
1382
(29%)
1378
(27%)
1382
(21%)
203
(20%)
80
Results: Reduction in programmer
effort
Program
X Server
postgres
pennmush
memcached
LOC
28k
49k
78k
9k
Total variables
7795
12350
24372
2350
Tainted
variables
2975 (38%)
5100 (41%)
4168 (17%)
490 (20%)
Security sensitive
variables
823 (9%)
402 (3%)
1573 (6%)
82 (3%)
Data Structures
404
278
311
41
Sensitive
Data structures
61
(15%)
30
(10%)
38
(12%)
7
(17%)
User-choice
Operations
4760
5063
6485
996
Sensitive operations
1382
(29%)
1382
(21%)
203
(20%)
41
22
1378
(27%)
81
Results: Reduction in programmer
effort
Program
X Server
postgres
pennmush
memcached
LOC
28k
49k
78k
9k
Total variables
7795
12350
24372
2350
Tainted
variables
2975 (38%)
5100 (41%)
4168 (17%)
490 (20%)
Security sensitive
variables
823 (10%)
402 (3%)
1573 (6%)
82 (3%)
< 95%
Data Structures
404
278
311
41
Sensitive
Data structures
61(15%)
30
(10%)
38
(12%)
7
(17%)
User-choice
Operations
4760
5063
6485
996
Sensitive operations
1382 (29%)
1378 (27%)
1382
(21%)
203
(20%)
82
Entry
(dixChangeWindowProperty)
write(pProp->size)
write(pProp->data)
(rc==BadMatch)
T
F
write(pProp->name)
write(pProp->format)
Op 2
Op 1.1
(mode==REPLACE)
pProp->name =
property
pProp->format =
format
pProp->data =
data
pProp->size =
len
T
(mode==APPEND)
T
write(pProp->format)
Op 2.1
Op 2.2
pProp->format =
format
pProp->data =
data
pProp->data =
data
pProp->size =
len
pProp->size =
len
Op
Structure member
access to mediate
Connection from outside
this procedure
P
control
statement
Dummy node
Operation
83
Results
 Two sets of programs:
 a) With manually placed hooks: X server,
postgres.
 B) No manual hooks: pennmush,
memcached.
84
Results: Reduction in programmer
effort
Program
X Server
postgres
pennmush
memcached
LOC
28k
49k
78k
9k
Security sensitive
variables
823 (10%)
402 (3%)
1573 (6%)
82 (3%)
Sensitive operations
1382 (29%)
1378 (27%)
1382
(21%)
203
(20%)
Hooks
532
(11%)
714
(11%)
56
(5%)
<
61%
579
(11%)
85
Comparing with manual hooks
 X Server:
• Manual: ~200 hooks
• Automated: ~530 hooks
 Postgres:
• Manual: ~370
• Automated: ~570
What does this mean?
86
Criteria for comparing hooks
87
Hooks
Criteria
 Control dominance
 Data dominance
<O1,Op1>
....
....
<O2,Op2>
Comparison of manual and
automated hook placements
50
45
40
35
Frequency
30
25
20
15
10
5
0
1
2
3
4
5
6
8
9 10 11 12 13 14 15 16 18 19 22 23 26 29 32 39 49 51 53 55 56 57 73 95
No. of Dominated Automated Hooks
88
Summary
Fingerprints
Mining
Input_Event
Create
Destroy
Copy
Paste
Map
Vinod Ganapathy
Matching
Can the client
receive this
Input_Event?
Retrofitting Legacy Code for Authorization Policy Enforcement
89
Lessons for the future
Modifying legacy code is non-trivial
 Modifications may break software
 Modifying executables is challenging
Low-overhead runtime system for policy
enforcement on unmodified code
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
90
Lessons for the future
Soundness/completeness
hard to achieve for C
 Type-safety violations the main problem
Provable guarantees with
additional runtime checks?
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
91
Lessons for the future
Difficult to automate failure handling
 Failure handling is a crosscutting-concern
 Handling failure gracefully is the main
challenge
Aspect-oriented solution?
Checkpoint and rollback?
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
92
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
94
Example: X Server
Remote Client A
Remote Client A
Remote Client B
Remote Client B
95
Example: X Server
 Confidentiality violation
Remote Client A
GetScreen,WinA
Getscreen,WinB
WinA
GetScreen
GetScreen
WinB
Remote Client B
96
Example: X Server
 Confidentiality violation
 Integrity violation
Remote Client A
ChangeProp, WinA
ChangeProp, WinA
Remote Client A
ChangeProp
ChangeProp
Remote Client B
Remote Client B
97
Policy:
(clientA, WinA, ChangeProp)
(clientB, WinB, ChangeProp)
…
Example: X Server
 Confidentiality violation
 Integrity violation
Remote Client A
ChangeProp, WinA
ChangeProp, WinA
Remote Client A
ChangeProp
ChangeProp
Remote Client B
Remote Client B
98
Errors in labeling traces (I)
Open
xterm
Close
xterm
Move
xterm
Open
browser
Switch
windows
CREATE
DESTROY
MAP
UNMAP
INPUTEVENT
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
99
Errors in labeling traces (I)
Open
xterm
Close
xterm
Move
xterm
Open
browser
Switch
windows
CREATE
DESTROY
MAP
UNMAP
INPUTEVENT
CREATE = Trace1 – Trace3
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
100
Errors in labeling traces (II)
Open
xterm
Close
xterm
Move
xterm
Open
browser
Switch
windows
CREATE
DESTROY
MAP
UNMAP
INPUTEVENT
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
101
Dealing with errors in labeling
 Missing labels from traces:
• “∩” operation will not discard fingerprint
• “diff” operation may erroneously eliminate a
fingerprint
 Extra labels on traces:
• May erroneously eliminate a fingerprint
 Trial-and-error
• Relabel and recompute set-equations
 Empirically: tolerance of about 15% errors
Vinod Ganapathy
Retrofitting Legacy Code for Authorization Policy Enforcement
102
Comparing with manual hooks
 Observation 1: Automated hooks tend to
be finer grained
• Finer-grained operations
• Finer-grained objects
103
Finer-grained operations
read(pgcSrc)
read(pgcSrc->planemask)
read(pgcSrc->fgPixel)
read(pgcSrc->alu)
...
read(pgcSrc->bgPixel)
104
Comparing with manual hooks
 Observation 1: Automated hooks tend to
be finer grained
• Finer-grained operations
• Finer-grained objects
105
Finer-grained objects
Resource res = ClientTable[i]
WindowPtr * pWin = (WindowPtr *) res
read(pWin->firstChild->nextSib)
WindowPtr * pChild =
pWin->firstChild->nextSib
write(pChild->mapped)
pChild->mapped = True
106
Comparison of manual and
automated hook placements
50
45
40
35
Frequency
30
25
20
15
10
5
0
1
2
3
4
5
6
8
9 10 11 12 13 14 15 16 18 19 22 23 26 29 32 39 49 51 53 55 56 57 73 95
No. of Dominated Automated Hooks
107