Micro-Policies Formally Verified, Tag-Based Security Monitors - PowerPoint PPT Presentation

  1. Micro-Policies: Formally Verified, Tag-Based Security Monitors. Arthur Azevedo de Amorim, Maxime Dénès, Nick Giannarakis, Cătălin Hrițcu, Benjamin C. Pierce, Antal Spector-Zabusky, Andrew Tolmach. May 20, 2015

  2. How can we design secure systems?

  3. One approach: reference monitors

  4-12. (animation: a reference monitor sits between the program and the system, checking each requested operation and answering OK or rejecting it)

  13. But there is a problem…

  14. …they are slow

  15. Idea: hardware support for reference monitors

  16-20. But…

  21. What if a new threat appears?

  22. Micro-Policies


  24-33. (overview diagram) A micro-policy specification (instances: compartments, CFI, memory safety, sealing) is linked by a machine-checked proof to the micro-policy programming model, which is supported by the PUMP (Programmable Unit for Metadata Processing) hardware, typically with < 10% runtime overhead (ASPLOS ’15).

  34. Programming model

  35-36. General monitors inspect program state arbitrarily… but that is too powerful for efficient hardware support

  37. Insight: monitors as computation on metadata

  38-50. (diagram of the tagged machine) Memory holds words such as 42, add r1 r2 r3, add r3 r3 r3, nop, bnz r4 ff32, ???; the machine has registers r0–r7 and a pc. Every word, in memory and in registers, is a pair of a tag and a payload. The tag is chosen by the policy designer and can be arbitrarily complex (e.g. pointers to data structures).

  51. Is it flexible?

  52. Policies expressed as micro-policies: control-flow integrity; compartmentalization (à la Wahbe et al.’s SFI); heap memory safety; dynamic sealing

  53. Example: CFI

  54-59. CFI example (diagram). Memory, with each word’s tag; instruction words carry their node id in the control-flow graph (CFG):

      1729           Data
      add r1 r2 r3   Code 1
      bnz r3 8       Code 2
      jump r4        Code 3
      bnz r5 8       Code 4
      sub r1 r2 r1   Code 5
      add r3 r4 r4   Code 6

  The pc’s tag records the id of the previous instruction. Monitor rules shown on the slides:

      {InstTag = Data}            → rejected   (data words are never executed)
      {Inst = Store, Mem = Code}  → rejected   (code words are never overwritten)
      {Pc = 4, InstTag = Code 5}  → OK         (4 → 5 is an edge of the CFG)
      {Pc = 1, InstTag = Code 5}  → rejected   (1 → 5 is not an edge of the CFG)
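As an added example (not code from the talk or from the authors’ Coq development): a toy tagged machine in Python whose step function consults a micro-policy before every instruction, running the CFI policy from the slides over the program shown above. The policy sees only tags (the pc tag, the current instruction’s tag and, for a store, the tag of the target cell) and answers with the new tags or a fault. The tuple instruction encoding, the CFG edge set, the nop and halt words at addresses 7 and 8, and the pc tag None at program entry are all constructed for this example and are not from the slides.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

# Tags used by the CFI micro-policy: a word is either Data or Code id.
DATA = ("Data",)
def CODE(node_id: int) -> tuple:
    return ("Code", node_id)

@dataclass
class Word:
    payload: object   # what the program computes with
    tag: tuple        # metadata the program can neither read nor write

class PolicyViolation(Exception):
    pass

# A micro-policy is a pure function of tags only:
#   monitor(op, pc_tag, instr_tag, mem_tag) -> (new_pc_tag, result_tag), or None to fault.
Monitor = Callable[[str, object, tuple, Optional[tuple]], Optional[Tuple[object, tuple]]]

def cfi_monitor(cfg: set) -> Monitor:
    """CFI micro-policy as on the slides: instructions are tagged Code id, all other
    words Data, and the pc tag carries the id of the previously executed instruction.
    cfg is the set of allowed (prev_id, cur_id) edges (constructed for this example)."""
    def monitor(op, tpc, tci, tmem):
        if tci[0] != "Code":                              # {InstTag = Data} -> fault
            return None
        cur = tci[1]
        if tpc is not None and (tpc, cur) not in cfg:     # the edge must be in the CFG
            return None
        if op == "store" and tmem is not None and tmem[0] == "Code":
            return None                                   # {Inst = Store, Mem = Code} -> fault
        return (cur, DATA)   # results are plain data; the pc tag now remembers this id
    return monitor

@dataclass
class Machine:
    mem: list
    regs: list
    pc: Word
    monitor: Monitor
    trace: list = field(default_factory=list)   # ids of the instructions that executed

    def step(self) -> bool:
        ci = self.mem[self.pc.payload]
        instr = ci.payload if isinstance(ci.payload, tuple) else ("data",)
        op = instr[0]
        tmem = self.mem[self.regs[instr[1]].payload].tag if op == "store" else None
        verdict = self.monitor(op, self.pc.tag, ci.tag, tmem)   # policy runs before any effect
        if verdict is None:
            raise PolicyViolation(f"{op} at {self.pc.payload}: pc tag {self.pc.tag}, instr tag {ci.tag}")
        new_tpc, tres = verdict
        self.trace.append(ci.tag[1])
        npc = self.pc.payload + 1
        if op in ("add", "sub"):                  # (op, rs1, rs2, rd): rd := rs1 (+|-) rs2
            a, b = self.regs[instr[1]].payload, self.regs[instr[2]].payload
            self.regs[instr[3]] = Word(a + b if op == "add" else a - b, tres)
        elif op == "bnz" and self.regs[instr[1]].payload != 0:   # (bnz, rs, target)
            npc = instr[2]
        elif op == "jump":                        # (jump, rs): pc := rs
            npc = self.regs[instr[1]].payload
        elif op == "store":                       # (store, ra, rv): mem[ra] := rv
            self.mem[self.regs[instr[1]].payload] = Word(self.regs[instr[2]].payload, tres)
        elif op == "halt":
            return False
        self.pc = Word(npc, new_tpc)
        return True

    def run(self, max_steps: int = 100) -> None:
        for _ in range(max_steps):
            if not self.step():
                return

# Constructed CFG for the slide's program: contains 4 -> 5, deliberately lacks 1 -> 5 and 3 -> 5.
CFG = {(1, 2), (2, 3), (2, 8), (3, 4), (4, 5), (4, 8), (5, 6), (6, 7), (7, 8)}

def build_machine(r4: int) -> Machine:
    """The slide's memory image (addresses 0-6) plus a nop and a halt so that runs terminate."""
    mem = [
        Word(1729, DATA),                  # 0: a data word, must never be executed
        Word(("add", 1, 2, 3), CODE(1)),   # 1
        Word(("bnz", 3, 8), CODE(2)),      # 2
        Word(("jump", 4), CODE(3)),        # 3: indirect jump through r4
        Word(("bnz", 5, 8), CODE(4)),      # 4
        Word(("sub", 1, 2, 1), CODE(5)),   # 5
        Word(("add", 3, 4, 4), CODE(6)),   # 6
        Word(("nop",), CODE(7)),           # 7 (added for this example)
        Word(("halt",), CODE(8)),          # 8 (added for this example)
    ]
    regs = [Word(0, DATA) for _ in range(8)]
    regs[4] = Word(r4, DATA)   # jump target; an attacker who corrupts r4 is the threat CFI stops
    return Machine(mem, regs, Word(1, None), cfi_monitor(CFG))   # pc tag None = program entry

def run_trace(r4: int):
    """Executed node ids for an honest run, or the violation text if the monitor halts it."""
    m = build_machine(r4)
    try:
        m.run()
        return m.trace
    except PolicyViolation as e:
        return f"violation after {m.trace}: {e}"

if __name__ == "__main__":
    print(run_trace(4))   # honest jump 3 -> 4, runs to halt
    print(run_trace(5))   # corrupted r4: jump 3 -> 5 is not a CFG edge
    print(run_trace(0))   # corrupted r4: the target is a Data-tagged word
```

The point to notice is that the monitor never looks at payloads: it cannot tell 1729 from an instruction, and does not need to, because the tags carry exactly the metadata the policy needs. Hardware like the PUMP caches the (tags in) → (tags out) mapping, which is why the check is cheap once a rule has been resolved once.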

  60. Is it secure?

  61-63. (diagram of the proof architecture) Mathematical definitions… and proofs about them. The layers, from the property down to the hardware model:

  Abadi et al.’s CFI property / Memory safety (the properties proved)

  Higher-level abstract machine, e.g. the memory-safe abstract machine:

      Inductive value :=
      | Int : int → value
      | Ptr : region → int → value.

      Definition add v1 v2 :=
        match v1, v2 with
        | Int n, Int m ⇒ Some (Int (n + m))
        | Ptr r off, Int n
        | Int n, Ptr r off ⇒ Some (Ptr r (off + n))
        | _, _ ⇒ None
        end.

  Micro-policy specification, e.g. the CFI policy:

      Inductive cfi_tag :=
      | Data : cfi_tag
      | Code : id → cfi_tag.

      Variable cfg : id → id → bool.

      Definition cfi_monitor tags :=
        match pc_tag tags, ci_tag tags with
        | n, Code m ⇒ if cfg n m then Some m else None
        | _, _ ⇒ None
        end.

  Micro-policy programming model; model of a simplified RISC processor.

  The definitions and proofs are written in Coq, in the style of:

      Inductive nat :=
      | O : nat
      | S : nat → nat.

      Fixpoint add n m :=
        match n with
        | O ⇒ m
        | S n ⇒ S (add n m)
        end.

      Lemma addn0 : ∀ n, add n O = n.
      Proof. (* ... *) Qed.

  Threat model: the attacker controls input, but has no physical access.
  Not modeled: DMA, virtual memory, timing.
