code for security
play

Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) - PowerPoint PPT Presentation

Jan 25, 2023 •174 likes •752 views

Thoughts on Retrofitting Legacy Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) Science of Security, ITI (April 2, 2015) Kaminsky scores 23, No. 5 Wisconsin beats Illinois 68-49 Feb 15, 2015 Somesh Jha Retrofitting

  1. Thoughts on Retrofitting Legacy Code for Security Somesh Jha University of Wisconsin (Mar 3, 2011) Science of Security, ITI (April 2, 2015)

  2. Kaminsky scores 23, No. 5 Wisconsin beats Illinois 68-49 Feb 15, 2015 Somesh Jha Retrofitting Legacy Code for Security 2

  3. Somesh Jha Retrofitting Legacy Code for Security 3

  4. Threat Landscape: Summary of Symantec Threat Report 2014

  5. Key Findings  91% increase in targeted attacks campaigns in 2013  62% increase in the number of breaches in 2013  Over 552M identities were exposed via breaches in 2013  23 zero-day vulnerabilities discovered  38% of mobile users have experienced mobile cybercrime in past 12 months Somesh Jha Retrofitting Legacy Code for Security 5

  6. Key Findings (Contd.)  Spam volume dropped to 66% of all email traffic  1 in 392 emails contain a phishing attacks  Web-based attacks are up 23%  1 in 8 legitimate websites have a critical vulnerability Somesh Jha Retrofitting Legacy Code for Security 6

  7. What I feel like? Somesh Jha Retrofitting Legacy Code for Security 7

  8. News is Grim  See talks at • DARPA Cyber Colloqium • http://www.darpa.mil/Cyber_Colloqium_Prese ntations.aspx  What do we do? Somesh Jha Retrofitting Legacy Code for Security 8

  9. Clean-slate Design  Rethink the entire system stack  Networks • NSF program o See http://cleanslate.stanford.edu • See DARPA Mission Resilient Clouds (MRC) program  Hosts • DARPA CRASH program Somesh Jha Retrofitting Legacy Code for Security 9

  10. Some Interesting Systems  Operating systems with powerful capabilities • Asbestos, HiStar, Flume • Capsicum • ….  Virtual-machine based • Proxos • Overshadow  Possible to build applications with strong guarantees • Web server : No information flow between threads handling different requests Somesh Jha Retrofitting Legacy Code for Security 10

  11. Two Guiding Principles  Provide powerful primitives at lower levels in the “system stack” • Example: HiStar (information flow labels at the OS level)  Systems will be compromised, but limit the damage • Example: Process can be compromised, but sensitive data cannot be exfiltrated Somesh Jha Retrofitting Legacy Code for Security 11

  12. What happens to all the code?  Should we implement all the code from scratch?  Can we help programmers adapt their code for these new platforms?  Analogy • We have strong foundation • Can we build a strong house on top of it? Somesh Jha Retrofitting Legacy Code for Security 12

  13. Ideal Functionality  Input: functionality/security policy • Output: functional/secure code  Proving safety is “undecidable” • Rice’s theorem (proving any non -trivial property is undecidable)  I think • Synthesis is “relatively hard” o Even if provided with an oracle to prove safety Somesh Jha Retrofitting Legacy Code for Security 13

  14. Retrofitting legacy code Need systematic techniques to retrofit legacy code for security Legacy Retrofitted code code INSECURE SECURE Somesh Jha Retrofitting Legacy Code for Security 14

  15. Premise  Techniques and ideas from • Verification • Static Analysis • …  Can help with this problem Somesh Jha Retrofitting Legacy Code for Security 15

  16. Collaborators and Funding Somesh Jha Retrofitting Legacy Code for Security 16

  17. The Problem Somesh Jha Retrofitting Legacy Code for Security 17

  18. Rewriting Programs for a Capability System [Harris et. al., Oakland 2013]  Basic problem: take an insecure program and a policy, instrument program to invoke OS primitives to satisfy the policy  Key technique: reduce to safety game between program and instrumentation Somesh Jha Retrofitting Legacy Code for Security 18

  19. Capsicum Somesh Jha Retrofitting Legacy Code for Security 19

  20. What is Capsicum?  Capsicum is a lightweight OS capability and sandbox framework developed at the University of Cambridge Computer Laboratory • supported by grants from Google, the FreeBSD Foundation, and DARPA. • Capsicum extends the POSIX API, providing several new OS primitives to support object- capability security on UNIX-like operating systems: Somesh Jha Retrofitting Legacy Code for Security 20

  21. Capsicum  https://www.cl.cam.ac.uk/research/security /capsicum/  The FreeBSD implementation of Capsicum, developed by Robert Watson and Jonathan Anderson, ships out of the box in FreeBSD 10.0 (and as an optionally compiled feature in FreeBSD 9.0, 9.1, and 9.2)  Also available on Linux Somesh Jha Retrofitting Legacy Code for Security 21

  22. Running example: gzip compr(in, out) { body; } gzip() { files = parse_cl; for (f in files) public_leak.com (in, out) = open; compr(in, out); } 22

  23. An Informal Policy for gzip When gzip executes body, it should only be able to read from in and write to out. 23

  24. Capsicum: An OS with Capabilities  Two levels of capability: • High Capability (can open files) • Low Capability (cannot open files)  Rules describing capability: 1. Process initially executes with capability of its parent 2. Process can invoke the drop system call to take Low Capability 24

  25. Securing gzip on Capsicum compr(in, out) { drop(); Low Cap. body; gzip() { } files = parse_cl; for (f in files) public_leak.com High Cap. (in, out) = open; compr(in, out); } 25

  26. Securing gzip on Capsicum compr(in, out) { drop(); Low Cap. body; gzip() { } files = parse_cl; High Cap. for (f in files) High Cap. (in, out) = open; High Cap. compr(in, out); High Cap. } 26

  27. Securing gzip on Capsicum compr(in, out) { drop(); body; gzip() { } files = parse_cl; for (f in files) Low Cap. ≠ High Cap. (in, out) = open; Low Cap. compr(in, out); } 27

  28. Securing gzip on Capsicum compr(in, out) { drop(); body; Low Cap. gzip() { } files = parse_cl; High Cap. for (f in files) High Cap. (in, out) = open; fork_compr(in, out); compr(in, out); High Cap. } 28

  29. Securing gzip on Capsicum compr(in, out) { drop(); Low Cap. body; gzip() { } files = parse_cl; for (f in files) High Cap. (in, out) = open; compr(in, out); fork_compr(in, out); } 29

  30. State of the Art in Rewriting gzip should always execute comp() with low cap, but always Insecure Program open files in main with gzip() { high cap … compr(); Secure Program … gzip() { } … fork_compr(); compr (…) { … } … } compr (…) { drop(); … } Somesh Jha Retrofitting Legacy Code for Security 30

  31. Insights Somesh Jha Retrofitting Legacy Code for Security 31

  32. First Key Insight Policies are not instrumented programs , and they should be explicit. Somesh Jha Retrofitting Legacy Code for Security 32

  33. First Key Insight gzip should always execute compr() with low cap, but always Insecure Program open files in main with gzip() { high cap … compr(); Secure Program … gzip() { } … fork_compr(); compr (…) { … } … } Disallowed Executions compr (…) { .* [ compr() with high cap ] drop(); | .* [ open() with low cap ] … } Somesh Jha Retrofitting Legacy Code for Security 33

  34. Second Key Insight From an insecure program and policy, we can automatically write a secure program by a solving a two-player safety game. [Harris et. al., CAV 2012] Somesh Jha Retrofitting Legacy Code for Security 34

  35. Second Key Insight Insecure Program gzip() { … compr(); Secure Program … gzip() { } … fork_compr(); compr (…) { … } capweave … } Disallowed Executions compr (…) { .* [ compr() with high cap ] drop(); | .* [ open() with low cap ] … } Somesh Jha Retrofitting Legacy Code for Security 35

  36. The Technique Somesh Jha Retrofitting Legacy Code for Security 36

  37. Weaving as a Game Two steps: 1. Model uninstrumented program, policy, and Capsicum as languages/automata 2. From automata, translate weaving problem to a two-player safety game Somesh Jha Retrofitting Legacy Code for Security 37

  38. Step 1: Model  Program is a language over program instructions (Instrs)  Policy is a language of instructions paired with capability (Instrs x Caps)  Capsicum is a transducer from instructions and primitives to capabilities (Instrs U Prims → Caps) Somesh Jha Retrofitting Legacy Code for Security 38

  39. Step 2: Construct a Game  From models, construct a “game” between insecure program and instrumentation  Program plays instructions (Instrs), instrumentation plays primitives (Prims)  Program wins if it generates an execution that violates the policy Somesh Jha Retrofitting Legacy Code for Security 39

  40. Safety Games: A Primer Two players: Attacker and Defender Play: Attacker and Defender choose actions in alternation Player goals:  Attacker: generate a play accepted by the game  Defender: thwart the Attacker Somesh Jha Retrofitting Legacy Code for Security 40

  41. parse_cl call compr noop drop noop drop body open open body fork noop ret compr join loop 41

  42. parse_cl call compr noop drop noop drop body open open body fork noop ret compr join loop 42

  43. Winning Strategy Winning strategy: choices that a player can make to always win a game

  44. parse_cl call compr noop drop noop drop body open open body fork noop join ret compr loop 44

Recommend

Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code Regardless of user running the code Regardless of whether the code is in the same application with other code Other code can be more, less, or

695 views • 21 slides
Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Cambridge Innovation Centre Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas Gutmann, Steven J. Mudoch, WAY19 | @kryptoandi PLEASE RAISE YOUR HAND Have you ever received a security code via SMS

289 views • 24 slides
Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code Analyzer for Security Static Code Analyzer for Security (HP Fortify SCA) C/C++ Java Vulnerabilities LLVM Language independent Services C/C++ Swift

325 views • 31 slides
Model-based Security Engineering: Models vs. Code Jan Jrjens Department of Computing The

Model-based Security Engineering: Models vs. Code Jan Jrjens Department of Computing The

Model-based Security Engineering: Models vs. Code Jan Jrjens Department of Computing The Open University, GB http://www.umlsec.org Challenge: Security Security is holistic property: Attackers often circumvent (not: break) mechanisms.

639 views • 36 slides
Inject Security into Source Code How 2018 Will Shift Your Security Priorities Panelists F a

Inject Security into Source Code How 2018 Will Shift Your Security Priorities Panelists F a

Inject Security into Source Code How 2018 Will Shift Your Security Priorities Panelists F a rsha d Ab a si, CT O Mira i Se c urity Ja c e k Ma te rna , CT O Asse mb la Je ff Ro use , Dir. Pro duc t Ma na g e me nt Ac tive Sta te Wher e

772 views • 50 slides
80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

Slammer s Bandwidth-Limited Growth 80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up due to released Jan 2004 Nimda endemic dies off released with Oct. onset of Blaster (and 2005; not since

450 views • 34 slides
High System-Code Security with Low Overhead Jonas Wagner, Volodymyr Kuznetsov, George Candea, and

High System-Code Security with Low Overhead Jonas Wagner, Volodymyr Kuznetsov, George Candea, and

High System-Code Security with Low Overhead Jonas Wagner, Volodymyr Kuznetsov, George Candea, and Johannes Kinder cole Polytechnique Fdrale Royal Holloway, de Lausanne University of London High System-Code Security? Todays so fu ware

600 views • 35 slides
Small Is Beautiful How to improve security by maintaining less code About Me Natalie Silvanovich

Small Is Beautiful How to improve security by maintaining less code About Me Natalie Silvanovich

Small Is Beautiful How to improve security by maintaining less code About Me Natalie Silvanovich AKA natashenka Project Zero member Previously did mobile security on Android and BlackBerry Defensive-turned-offensive researcher

799 views • 53 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
CORE Security and WPI Joint Project Project Goal Take the techniques that make games easy to use

CORE Security and WPI Joint Project Project Goal Take the techniques that make games easy to use

CORE Security and WPI Joint Project Project Goal Take the techniques that make games easy to use and apply them to professional security software. The Team Eric - Code Mike Code AJ - Code - CONFIDENTIAL - Professor Shue Professor

344 views • 18 slides
How to Backdoor Invulnerable Code Josh Schwartz, Director of Offensive Security @Salesforce

How to Backdoor Invulnerable Code Josh Schwartz, Director of Offensive Security @Salesforce

How to Backdoor Invulnerable Code Josh Schwartz, Director of Offensive Security @Salesforce Bio Offensive Security aka Red Team at Salesforce Realistic Adversary Simulation Security Change Catalyst Im a hacker, rule

1.03k views • 84 slides
Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

5/18/2018 Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity of our software and systems 12B. Authentication millions of lines of code, thousands of developers rich and powerful protocols

374 views • 9 slides
Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

5/24/2017 Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity of our software and systems 12B. Authentication millions of lines of code, thousands of developers rich and powerful protocols

533 views • 14 slides
An Empirical Security Study of An Empirical Security Study of the Native Code in the JDK the

An Empirical Security Study of An Empirical Security Study of the Native Code in the JDK the

An Empirical Security Study of An Empirical Security Study of the Native Code in the JDK the Native Code in the JDK Gang Tan, Boston College Lehigh University Jason Croft Boston College Jason Croft, Boston College J Java Security S i

817 views • 29 slides
Cryptographic Security for Mobile Code Sean Kugele CS 6204, Spring 2005 1 Mobile Code A

Cryptographic Security for Mobile Code Sean Kugele CS 6204, Spring 2005 1 Mobile Code A

Cryptographic Security for Mobile Code Sean Kugele CS 6204, Spring 2005 1 Mobile Code A program produced by one entity, called the originator, and transferred to a different entity, called the host, where it is immediately executed

601 views • 23 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA IIT Delhi, Fall 2010 Lecture 1: WriCng Secure Web ApplicaCons

472 views • 25 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open University) Andrew D. Gordon (MSR Cambridge) Jan Jrjens (TU Dortmund) Verifying Security Code Assume a security API specification.

397 views • 24 slides
deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
CSc 337 LECTURE 24: SECURITY Our current view of security until now, we have assumed:

CSc 337 LECTURE 24: SECURITY Our current view of security until now, we have assumed:

CSc 337 LECTURE 24: SECURITY Our current view of security until now, we have assumed: valid user input non-malicious users nothing will ever go wrong this is unrealistic! The real world in order to write secure code, we

211 views • 18 slides
CSE 154 LECTURE 26: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 26: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 26: WEB SECURITY Our current view of security until now, we have assumed: valid user input non-malicious users nothing will ever go wrong this is unrealistic! The real world in order to write secure code,

210 views • 18 slides
CSE 154 LECTURE 25: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 25: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 25: WEB SECURITY Our current view of security until now, we have assumed: valid user input non-malicious users nothing will ever go wrong this is unrealistic! The real world in order to write secure code,

445 views • 18 slides
Mobile Application Security Testing ASSES SESSMENT NT & CODE REVIEW EW st 2014 Sept. t.

Mobile Application Security Testing ASSES SESSMENT NT & CODE REVIEW EW st 2014 Sept. t.

Mobile Application Security Testing ASSES SESSMENT NT & CODE REVIEW EW st 2014 Sept. t. 31 31 st Presenters ITAC 2014 Bishop Fox Francis Brown Partner Joe DeMesy Security Associate 2 2 Int ntrodu roductions ctions

1.32k views • 86 slides

More recommend