browsers critical infrastructure
play

Browsers: Critical Infrastructure Ubiquitous: many platforms, - PowerPoint PPT Presentation

Mar 14, 2024 •119 likes •862 views

Browser Security Guarantees through Formal Shim Verification Zachary Tatlock Dongseok Jang Sorin Lerner UC San Diego Browsers: Critical Infrastructure Ubiquitous: many platforms, sensitive apps Vulnerable: Pwn2Own, just a click to

  1. Browser Security Guarantees through Formal Shim Verification Zachary Tatlock Dongseok Jang Sorin Lerner UC San Diego

  2. Browsers: Critical Infrastructure Ubiquitous: many platforms, sensitive apps Vulnerable: Pwn2Own, just a click to exploit Reactive Defenses: many ad hoc, bug triage, regressions

  3. Fully Formal Verification Code in language that eases reasoning Develop correctness proof in synch Fully formal, machine checkable proof

  4. Fully Formal Verification Success story: CompCert C compiler Compiler Bugs Found GCC 122 LLVM 181 0 CompCert [Yang et al. PLDI 11 ] OS (seL4), RDBMS & HTTPD (YNot) realistic implementations guaranteed bug free

  5. Fully Formal Verification Success story: CompCert C compiler The Catch Compiler Bugs Found Throw away all your code GCC 100 Rewrite in unfamiliar language LLVM 150 Formally specify correctness 0 CompCert ? [Yang et al. PLDI 11 ] Prove every detail correct OS (seL4), DB, HTTPD (YNot) Heroic effort realistic implementations guaranteed bug free

  6. Formally Verify a Browser?! Resources Complex parts Subtle interactions JPEG Loose access policy HTML Decoder Renderer Constant evolution JavaScript Interpreter

  7. Formal Shim Verification Formally Verify a Browser?! Resources Isolate sandbox untrusted code ✔ Shim Insert shim guards resource access JPEG HTML Decoder Renderer Verify shim prove security props JavaScript Interpreter

  8. Formal Shim Verification Formally Verify a Browser?! Q UARK Resources formally verified browser ✔ Shim Security Props 1. Tab isolation 2. Cookie integrity JPEG HTML Decoder Renderer 3. Addr bar correctness Prove code correct JavaScript Interpreter machine checkable proof

  9. Fully Formal Verification

  10. Fully Formal Verification Code in language supporting reasoning

  11. Fully Formal Verification Code Spec logical properties characterizing correctness

  12. Fully Formal Verification Coq Theorem Prover Code Proof Assistant Spec

  13. Fully Formal Verification Coq Theorem Prover Code Proof Assistant Spec interactively show code satisfies specification

  14. Fully Formal Verification Code Proof ML x86 Assistant compile down to Spec machine code

  15. Fully Formal Verification Code Proof ML x86 Assistant Spec Extremely strong guarantees about actual system!

  16. Fully Formal Verification Rewrite entire system! Code Proof ML x86 Assistant Spec

  17. Fully Formal Verification Rewrite entire system! Code Proof ML x86 Assistant Spec Prove every detail correct

  18. Formal Shim Verification Resources ✔ Shim JPEG HTML Decoder Renderer JavaScript Interpreter

  19. Formal Shim Verification Adapt to sandbox Resources request access via shim ✔ Write shim Shim design effective interface Sandbox.. Formally verify shim Untrusted ensure accesses secure Code

  20. Formal Shim Verification Adapt to sandbox Resources request access via shim Key Insight Guarantee sec props for entire system ✔ Write shim Shim design effective interface Only reason about small shim Sandbox.. Radically ease verification burden Formally verify shim Untrusted ensure accesses secure Prove actual code correct Code

  21. Quark: Verified Browser Resources ✔ Shim Sandbox.. Untrusted Code

  22. Quark: Verified Browser Resources ✔ Shim Sandbox.. Untrusted Code

  23. Quark: Verified Browser Resources Net network persistent storage ✔ Shim user interface Sandbox.. Untrusted Code

  24. Quark: Verified Browser Resources Net ✔ Shim Sandbox.. Untrusted Code

  25. Quark: Verified Browser Resources Shim Net Quark browser kernel Quark Kernel ✔ ✔ code, spec, proof in Coq Sandbox.. Untrusted Code

  26. Quark: Verified Browser Resources Shim Net Quark Kernel ✔ ✔ Sandbox.. Untrusted Code

  27. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ browser components run as separate procs Sandbox.. strictly sandboxed Untrusted Code

  28. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ browser components run as separate procs Sandbox.. strictly sandboxed Untrusted Code talk to kernel over pipe

  29. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ two component types Sandbox.. Untrusted Code

  30. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ two component types WebKit modified WebKit, Tab intercept accesses

  31. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ two component types WebKit Tab

  32. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ two component types written in Python, WebKit Cookie manages single domain Manager Tab

  33. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ two component types WebKit tabs cookie managers WebKit Cookie Tab Manager

  34. Quark: Verified Browser Resources Shim Net Untrusted Code Quark Kernel ✔ ✔ two component types WebKit tabs cookie managers WebKit Cookie WebKit Cookie WebKit Tab Manager Tab Manager Tab several instances each

  35. Quark: Verified Browser Net Quark Kernel ✔ ✔ WebKit Cookie WebKit Cookie WebKit Tab Manager Tab Manager Tab

  36. Quark Kernel: Code, Spec, Proof Quark Kernel ✔

  37. Quark Kernel: Code , Spec, Proof

  38. Quark Kernel: Code , Spec, Proof Definition kstep ...

  39. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := ... kernel state

  40. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); ... Unix-style select to find a component pipe ready to read

  41. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with case: f is user input | Stdin => ... | Tab t => case: f is tab pipe ...

  42. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); ... read command from user over stdin | Tab t => ...

  43. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => ... user wants to create and focus a new tab | ... | Tab t => ...

  44. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => t <- mk_tab(); ... create a new tab | ... | Tab t => ...

  45. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => t <- mk_tab(); write_msg(t, Render); ... | ... tell new tab to | Tab t => render itself ...

  46. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs) | ... | Tab t => return updated state ...

  47. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs) | ... handle other | Tab t => user commands ...

  48. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs) handle requests | ... from tabs | Tab t => ...

  49. Quark Kernel: Code , Spec, Proof Definition kstep(focused_tab, tabs) := f <- select(stdin, tabs); match f with | Stdin => cmd <- read_cmd(stdin); match cmd with | AddTab => t <- mk_tab(); write_msg(t, Render); return (t, t::tabs) | ... | Tab t => ...

  50. Quark Kernel: Code, Spec , Proof

  51. Quark Kernel: Code, Spec , Proof Specify correct behavior wrt syscall seqs read(), write(), open(), write(), ...

  52. Quark Kernel: Code, Spec , Proof Specify correct behavior wrt syscall seqs trace: all syscalls made by Quark kernel during execution

  53. Quark Kernel: Code, Spec , Proof Specify correct behavior wrt syscall seqs kstep() kstep() kstep() kstep()

  54. Quark Kernel: Code, Spec , Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof

  55. Quark Kernel: Code, Spec , Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness

  56. Quark Kernel: Code, Spec , Proof Specify correct behavior wrt syscall seqs structure of produceable traces supports spec & proof Example: address bar correctness forall trace tab domain, ... for any trace, tab, where trace is a and domain sequence of syscalls

Recommend

Mapping the Dutch Critical Infrastructure Razvan C. Oprea Fahime Alizade Supervised by Benno

Mapping the Dutch Critical Infrastructure Razvan C. Oprea Fahime Alizade Supervised by Benno

Mapping the Dutch Critical Infrastructure Razvan C. Oprea Fahime Alizade Supervised by Benno Overeinder Wednesday, July 3, 13 The initial question Critical infrastructure sectors What is the network level representation of the critical

392 views • 24 slides
Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr)

Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr)

Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr) Digital Publishing Summit May 26, 2019 Automated typesetting and pagination for print Make PDF outputs of HTML contents from browsers Flux

823 views • 67 slides
Big data in critical infrastructure: Production and failover infrastructure in DWD's central data

Big data in critical infrastructure: Production and failover infrastructure in DWD's central data

Big data in critical infrastructure: Production and failover infrastructure in DWD's central data management Daniel Lee, German Weather Service (DWD) TI12b Sep. 2015 Agenda 1. DWD's goals 2. Operational systems 3. Technical

556 views • 52 slides
Broadband Infrastructure is Critical Infrastructure Jeff Sobotka VP &amp; State Broadband

Broadband Infrastructure is Critical Infrastructure Jeff Sobotka VP &amp; State Broadband

Broadband Infrastructure is Critical Infrastructure Jeff Sobotka VP &amp; State Broadband Director Definition: Broadband is defined as networks of deployed telecommunications equipment and technologies necessary to provide high-speed

268 views • 15 slides
Infrastructure critical to growth, but continent hampered by limited stocks and high costs

Infrastructure critical to growth, but continent hampered by limited stocks and high costs

Infrastructure critical to growth, but continent hampered by limited stocks and high costs Infrastructure contributed about one percentage point of Africas recent growth spurt Improving all countries infrastructure to level of Mauritius

625 views • 34 slides
Critical Information Infrastructure Protection (CIIP) National Knowledge Network (NKN) Annual

Critical Information Infrastructure Protection (CIIP) National Knowledge Network (NKN) Annual

Critical Information Infrastructure Protection (CIIP) National Knowledge Network (NKN) Annual workshop 17 - 19 Oct 2013, IISc, Bangalore Presentation Outline Government Cyber Security Architecture CII Overview &amp; Definitions Critical

517 views • 20 slides
Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive

Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive

Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive Order 13636 Improving Critical Infrastructure Cybersecurity Kevin Stine National Institute of Standards and Technology Executive Order 13636:

128 views • 11 slides
The cybersecurity dimension of critical [energy] infrastructure it appears that someone found

The cybersecurity dimension of critical [energy] infrastructure it appears that someone found

The cybersecurity dimension of critical [energy] infrastructure it appears that someone found remote access and started tripping breakers. - Scadasec commentator 2015-12-26 Vytautas Butrimas Views expressed in this presentation

376 views • 15 slides
Critical infrastructure, interconnected risks, and resiliency. Why wo(men) should care? FABRIKAM

Critical infrastructure, interconnected risks, and resiliency. Why wo(men) should care? FABRIKAM

Critical infrastructure, interconnected risks, and resiliency. Why wo(men) should care? FABRIKAM RESIDENCES A little bit about me I identify as South-Asian woman from Mumbai, India. I started off in my computer career as a data entry

997 views • 55 slides
Critical Infrastructure Protection and S E N T A I N V U Y High Confidence Adaptive

Critical Infrastructure Protection and S E N T A I N V U Y High Confidence Adaptive

S T A T D E Critical Infrastructure Protection and S E N T A I N V U Y High Confidence Adaptive Software O H F C F R I A C E E S University Research Initiative Program O E F R N L A A V Welcome to the 3 rd

318 views • 14 slides
Broadband: The Critical Infrastructure for Sustainable Prosperity connect &gt; enable &gt;

Broadband: The Critical Infrastructure for Sustainable Prosperity connect &gt; enable &gt;

Broadband: The Critical Infrastructure for Sustainable Prosperity connect &gt; enable &gt; transform Broadband is the principal tool to address our top societal challenges. Some call it a utility, a civic right. National Applications Energy/

885 views • 13 slides
Executive Order 13636: Improving Critical Infrastructure Cybersecurity Cyber-Dependent

Executive Order 13636: Improving Critical Infrastructure Cybersecurity Cyber-Dependent

FOR OFFICIAL USE ONLY Executive Order 13636: Improving Critical Infrastructure Cybersecurity Cyber-Dependent Infrastructure Identification Working Group (CDIIWG) March 11, 2013 FOR OFFICIAL USE ONLY FOR OFFICIAL USE ONLY Agenda 12:30

217 views • 20 slides
chromozoom.org rethinking the UI of genome browsers Ted Pak Roth Laboratory Donnelly Centre,

chromozoom.org rethinking the UI of genome browsers Ted Pak Roth Laboratory Donnelly Centre,

chromozoom.org rethinking the UI of genome browsers Ted Pak Roth Laboratory Donnelly Centre, University of Toronto Samuel Lunenfeld Research Institute, Mt. Sinai Hospital genome browsers: lots of data small viewable area UCSC, GBrowse,

418 views • 24 slides
A proactive and collaborative DDoS mitigation strategy for the Dutch critical infrastructure

A proactive and collaborative DDoS mitigation strategy for the Dutch critical infrastructure

A proactive and collaborative DDoS mitigation strategy for the Dutch critical infrastructure Cristian Hesselman 1 , Jeroen van der Ham 2 , Roland van Rijswijk 3 , Jair Santanna 2 , Aiko Pras 2 1) SIDN Labs, 2) University of Twente, 3) SURFnet

463 views • 10 slides
Critical Infrastructure Cybersecurity Dean Bickerton Standards Certification ISA New Orleans

Critical Infrastructure Cybersecurity Dean Bickerton Standards Certification ISA New Orleans

Framework for Improving Critical Infrastructure Cybersecurity Dean Bickerton Standards Certification ISA New Orleans Education &amp; Training Publishing April 5, 2016 Conferences &amp; Exhibits 1 A Brief Commercial Interruption

507 views • 31 slides
Critical Infrastructure The Honorable Branko Terzic Confidential. Please do not circulate

Critical Infrastructure The Honorable Branko Terzic Confidential. Please do not circulate

TeleGroup INFOSEC Cyber Security in Energy Critical Infrastructure The Honorable Branko Terzic Confidential. Please do not circulate outside your organization without permission. Biography Speaker : Dr. h.c. Branko Terzic Managing Director

532 views • 22 slides
Internet Science 2 Impact of social behavior for critical infrastructure resilience Ren e

Internet Science 2 Impact of social behavior for critical infrastructure resilience Ren e

Internet Science 2 Impact of social behavior for critical infrastructure resilience Ren e Milzarek Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen June 14, 2013 Ren e

506 views • 34 slides
Trusted Browsers for Uncertain Times David Kohlbrenner and Hovav Shacham UC San Diego Building

Trusted Browsers for Uncertain Times David Kohlbrenner and Hovav Shacham UC San Diego Building

Trusted Browsers for Uncertain Times David Kohlbrenner and Hovav Shacham UC San Diego Building a browser that can provably mitigate timing attacks Trusted Browsers Time and web browsers Mitigating attacks for A trusted browser

1.39k views • 85 slides
Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley,

Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley,

Security Through Examples Exploring Cyber Security in Critical Infrastructure Tim Yardley, University of Illinois Urbana-Champaign yardley@illinios.edu Introduction Material September 30, 2016 cred-c.org Se Settin ing T The St Stage 1

495 views • 20 slides
Infrastructure for Critical Adaptive Distributed Embedded Systems Alberto Ballesteros Julin

Infrastructure for Critical Adaptive Distributed Embedded Systems Alberto Ballesteros Julin

Towards a Self-Reconfigurable Infrastructure for Critical Adaptive Distributed Embedded Systems Alberto Ballesteros Julin Proenza Manuel Barranco Lus Almeida Pere Palmer 3 th of July 2018 Universitat de les Illes Balears Introduction

665 views • 52 slides
A Critical Conversation: Building Municipal Infrastructure Thursday, February 25th 2010

A Critical Conversation: Building Municipal Infrastructure Thursday, February 25th 2010

A Critical Conversation: Building Municipal Infrastructure Thursday, February 25th 2010 www.cvsrd.org Carleton University, Ottawa, Ontario Welcome! Introduction CURE conducts multi-disciplinary research on: Community governance

744 views • 70 slides
The Effect of Nuclear Electromagnetic Pulse (NEMP) on Critical US Infrastructure Todd Lovelace,

The Effect of Nuclear Electromagnetic Pulse (NEMP) on Critical US Infrastructure Todd Lovelace,

The Effect of Nuclear Electromagnetic Pulse (NEMP) on Critical US Infrastructure Todd Lovelace, K1KVA Utility Power Plant Engineer (Retired) My apologies in advance 50,000 V/M Electric Field There are three distinct time domains of every

1.41k views • 105 slides
Cybersecurity Assurance for Critical Infrastructure Jason Jaskolka Collaborator: John Villasenor

Cybersecurity Assurance for Critical Infrastructure Jason Jaskolka Collaborator: John Villasenor

Introduction Research Problem Methodological Elements Impact &amp; Value Concluding Remarks Cybersecurity Assurance for Critical Infrastructure Jason Jaskolka Collaborator: John Villasenor Center for International Security and Cooperation

457 views • 44 slides
Savannah Harbor Expansion Project Critical Infrastructure Expansion for the United States May 3,

Savannah Harbor Expansion Project Critical Infrastructure Expansion for the United States May 3,

Savannah Harbor Expansion Project Critical Infrastructure Expansion for the United States May 3, 2017 1 SAVAN SA ANNAH AH: #4 AND FASTEST GROWING TOP TOP 1 10 POR ORTS TS: 1 10-YEAR GRO GROWTH RAT RATE CY2006 2006-20 2016 16

400 views • 16 slides

More recommend