micro policies
play

Micro-Policies Formally Verified, Tag-Based Security Monitors - PowerPoint PPT Presentation

Oct 17, 2023 •96 likes •900 views

Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime Dns Nick Giannarakis Ctlin Hricu Benjamin C. Pierce Antal Spector-Zabusky Andrew Tolmach May 20, 2015 1 How can we design secure

  1. Micro-Policies Formally Verified, Tag-Based Security Monitors Arthur Azevedo de Amorim Maxime Dénès Nick Giannarakis Cătălin Hrițcu Benjamin C. Pierce Antal Spector-Zabusky Andrew Tolmach May 20, 2015 1

  2. How can we design secure systems? 2

  3. One approach: reference monitors 3

  4. ! 4

  5. ! 4

  6. ! 4

  7. ! 4

  8. ! 4

  9. ! OK 4

  10. ! 4

  11. ! 4

  12. ! 4

  13. But there is a problem… 5

  14. …they are slow 6

  15. Idea: hardware support for reference monitors 7

  16. But… 8

  17. But… 8

  18. But… 8

  19. But… 8

  20. But… 8

  21. !’ What if a new threat appears? 9

  22. Micro-Policies 10

  23. 11

  24. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  25. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  26. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  27. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  28. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  29. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  30. Micro-policy specification Compartments CFI machine-checked proof Micro-policy programming model Memory Sealing safety 12

  31. Micro-policy specification Compartments CFI Micro-policy programming model Memory Sealing safety 12

  32. Micro-policy specification Compartments CFI Micro-policy programming model supported by Memory Sealing safety PUMP (Programmable Unit for Metadata Processing) 12

  33. Micro-policy specification typically < 10% runtime overhead Compartments CFI (ASPLOS ’15) Micro-policy programming model supported by Memory Sealing safety PUMP (Programmable Unit for Metadata Processing) 12

  34. Programming model 13

  35. …but too powerful for efficient support General monitors Inspect program state arbitrarily 14

  36. General monitors Inspect program state arbitrarily …but too powerful for efficient support 14

  37. Insight: monitors as computation on metadata 15

  38. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop Memory r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload Registers 16

  39. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  40. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  41. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag Chosen by payload policy designer 16

  42. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 Arbitrarily complex tag Chosen by payload (e.g. pointers to policy designer data structures) 16

  43. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  44. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  45. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  46. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  47. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  48. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  49. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  50. r0 42 r1 add r1 r2 r3 r2 add r3 r3 r3 r3 nop r4 bnz r4 ff32 r5 ??? r6 pc r7 tag payload 16

  51. Is it flexible? 17

  52. Control-flow integrity Compartmentalization (à la Wahbe et al.’s SFI) Heap memory safety Dynamic sealing 18

  53. Example: CFI 19

  54. 1729 Data add r1 r2 r3 Code bnz r3 8 Code jump r4 Code bnz r5 8 Code sub r1 r2 r1 Code add r3 r4 r4 Code {InstTag = Data } → {Inst = Store , Mem = Code } → 20

  55. 1729 Data add r1 r2 r3 Code bnz r3 8 Code jump r4 Code bnz r5 8 Code sub r1 r2 r1 Code add r3 r4 r4 Code {InstTag = Data } → {Inst = Store , Mem = Code } → 20

  56. 1729 Data 1 add r1 r2 r3 Code bnz r3 8 Code jump r4 Code 2 4 {Pc = 4 , InstTag = Code 5 } → OK bnz r5 8 Code {Pc = 1 , InstTag = Code 5 } → sub r1 r2 r1 Code 3 5 add r3 r4 r4 Code 6 CFG pc 1 20

  57. 1729 Data 1 add r1 r2 r3 Code 1 bnz r3 8 Code 2 jump r4 Code 3 2 4 {Pc = 4 , InstTag = Code 5 } → OK bnz r5 8 Code 4 {Pc = 1 , InstTag = Code 5 } → sub r1 r2 r1 Code 5 3 5 add r3 r4 r4 Code 6 6 pc 1 20

  58. 1729 Data 1 add r1 r2 r3 Code 1 bnz r3 8 Code 2 jump r4 Code 3 2 4 {Pc = 4 , InstTag = Code 5 } → OK bnz r5 8 Code 4 {Pc = 1 , InstTag = Code 5 } → sub r1 r2 r1 Code 5 3 5 add r3 r4 r4 Code 6 Previous instruction id 6 pc 1 20

  59. 1729 Data 1 add r1 r2 r3 Code 1 bnz r3 8 Code 2 jump r4 Code 3 2 4 {Pc = 4 , InstTag = Code 5 } → OK bnz r5 8 Code 4 {Pc = 1 , InstTag = Code 5 } → sub r1 r2 r1 Code 5 3 5 add r3 r4 r4 Code 6 6 pc 1 20

  60. Is it secure? 21

  61. Inductive cfi_tag := Inductive value := | Data : cfi_tag | Int : int → value | Code : id → cfi_tag. | Ptr : region → int → value. Variable cfg : id → id → bool. Definition add v1 v2 := Memory-safe Abadi et al.’s match v1, v2 with Definition cfi_monitor tags := abstract machine | Int n, Int m ⇒ Some (Int (n + m)) match pc_tag tags, ci_tag tags with CFI property Higher-level | Ptr r off, Int n | n, Code m ⇒ if cfg n m then Some m Inductive nat := Micro-policy specification abstract machine | Int n, Ptr r off ⇒ Some (Ptr r (off + n)) else None | O : nat Model of simplified | _, _ ⇒ None | _, _ ⇒ None | S : nat → nat. Micro-policy programming model RISC processor end. end. Fixpoint add n m := match n with Lemma addn0 : ∀ n, add n O = n. | O ⇒ m Proof. (* ... *) Qed. | S n ⇒ S (add n m) end. Memory CFI safety Threat model Not modeled Attacker controls DMA, virtual input, but has no memory, timing, physical access … 22

  62. Inductive cfi_tag := Inductive value := | Data : cfi_tag | Int : int → value | Code : id → cfi_tag. | Ptr : region → int → value. Variable cfg : id → id → bool. Definition add v1 v2 := Memory-safe Abadi et al.’s match v1, v2 with Definition cfi_monitor tags := abstract machine | Int n, Int m ⇒ Some (Int (n + m)) match pc_tag tags, ci_tag tags with CFI property Higher-level | Ptr r off, Int n | n, Code m ⇒ if cfg n m then Some m Inductive nat := Micro-policy specification abstract machine | Int n, Ptr r off ⇒ Some (Ptr r (off + n)) else None | O : nat Model of simplified | _, _ ⇒ None | _, _ ⇒ None | S : nat → nat. Micro-policy programming model RISC processor end. end. Fixpoint add n m := match n with Lemma addn0 : ∀ n, add n O = n. | O ⇒ m Proof. (* ... *) Qed. | S n ⇒ S (add n m) end. Memory CFI safety Threat model Not modeled Attacker controls DMA, virtual …and proofs input, but has no Mathematical memory, timing, about them physical access definitions… … 22

  63. Inductive cfi_tag := Inductive value := | Data : cfi_tag | Int : int → value | Code : id → cfi_tag. | Ptr : region → int → value. Variable cfg : id → id → bool. Definition add v1 v2 := Memory-safe Abadi et al.’s match v1, v2 with Definition cfi_monitor tags := abstract machine | Int n, Int m ⇒ Some (Int (n + m)) match pc_tag tags, ci_tag tags with CFI property Higher-level | Ptr r off, Int n | n, Code m ⇒ if cfg n m then Some m Inductive nat := Micro-policy specification abstract machine | Int n, Ptr r off ⇒ Some (Ptr r (off + n)) else None | O : nat Model of simplified | _, _ ⇒ None | _, _ ⇒ None | S : nat → nat. Micro-policy programming model RISC processor end. end. Fixpoint add n m := match n with Lemma addn0 : ∀ n, add n O = n. | O ⇒ m Proof. (* ... *) Qed. | S n ⇒ S (add n m) end. Memory CFI safety Threat model Not modeled Attacker controls DMA, virtual input, but has no memory, timing, physical access … 22

Recommend

From Tap Water to Marine Organisms: a Micro-Spectroscopic Approach to Micro-Plastic

From Tap Water to Marine Organisms: a Micro-Spectroscopic Approach to Micro-Plastic

From Tap Water to Marine Organisms: a Micro-Spectroscopic Approach to Micro-Plastic Characterization The world leader in serving science Proprietary &amp; Confidential Micro-Plastics What are they? A micro-plastic is a small piece of

319 views • 31 slides
Trading Space for Place Micro-Loft Case Studies WHAT IS A MICRO-LOFT? Micro-Lofts are rental or

Trading Space for Place Micro-Loft Case Studies WHAT IS A MICRO-LOFT? Micro-Lofts are rental or

CANADIAN APARTMENT INVESTMENT CONFERENCE Trading Space for Place Micro-Loft Case Studies WHAT IS A MICRO-LOFT? Micro-Lofts are rental or condominium homes that are smaller than typical for a given market. Apart from the small unit size,

551 views • 34 slides
MICRO STANDING OFFER PROGRAM (MICRO-SOP) JUNE 9 VANCOUVER MEETING AND JUNE 10 WEBINAR June 9

MICRO STANDING OFFER PROGRAM (MICRO-SOP) JUNE 9 VANCOUVER MEETING AND JUNE 10 WEBINAR June 9

MICRO STANDING OFFER PROGRAM (MICRO-SOP) JUNE 9 VANCOUVER MEETING AND JUNE 10 WEBINAR June 9 /10, 2014 MICRO-SOP OVERVIEW AGENDA BC Hydro Offers for Small, Clean Energy Projects What is the Micro-SOP? Engagement Overview Key

565 views • 19 slides
Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security!

Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security!

Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security! Cryptography Passwords Information Flow Policies Privileged Rings ASLR Virtual Machines and confinement Javascript

891 views • 59 slides
The Anatomy Of An API MacSysAdmin 2020 Charles Edge Software Is Just A Collection of

The Anatomy Of An API MacSysAdmin 2020 Charles Edge Software Is Just A Collection of

The Anatomy Of An API MacSysAdmin 2020 Charles Edge Software Is Just A Collection of Interconnected API Endpoints Microservices Monoliths Data UI Access Layer Business Logic Microservices UI Micro- Micro- Micro- Micro- Micro-

541 views • 53 slides
SiPINTAR - A Case Study of Hybrid Product between Asuransiku (Micro Insurance) and Emasku (Micro

SiPINTAR - A Case Study of Hybrid Product between Asuransiku (Micro Insurance) and Emasku (Micro

SiPINTAR - A Case Study of Hybrid Product between Asuransiku (Micro Insurance) and Emasku (Micro Investment) as Part of National Strategy for Financial Inclusion in Indonesia Jakub Nugraha Micro Insurance Division and Agriculture Insurance Dept

618 views • 25 slides
09/06/2017 Micro-structure and micro-mechanics of Disclosures and acknowledgements breast

09/06/2017 Micro-structure and micro-mechanics of Disclosures and acknowledgements breast

09/06/2017 Micro-structure and micro-mechanics of Disclosures and acknowledgements breast density James McConnell Charles Streuli Mike Sherratt, University of Manchester Sue Astley Contents X-rays 1. Physics of X-ray/tissue interaction a.

309 views • 15 slides
BBC micro:bit challenges for implementing Digital Technologies in primary years About the

BBC micro:bit challenges for implementing Digital Technologies in primary years About the

BBC micro:bit challenges for implementing Digital Technologies in primary years About the BBC:microbit The micro:bit is a handheld, small, fully programmable Physical BBC micro:bit computer that you can use to create simple games, sense the

469 views • 15 slides
Introduction to writing and debugging micro- services mwan@diceresearch.org 1 Micro-service

Introduction to writing and debugging micro- services mwan@diceresearch.org 1 Micro-service

Introduction to writing and debugging micro- services mwan@diceresearch.org 1 Micro-service Input/output parameters Prototype of a micro-service int findObjType ( msParam_t *objInput , msParam_t *typeOutput , ruleExecInfo_t *rei );

498 views • 16 slides
A Micro Crowdsourcing Architecture to Localize A Micro Crowdsourcing Architecture to Localize Web

A Micro Crowdsourcing Architecture to Localize A Micro Crowdsourcing Architecture to Localize Web

A Micro Crowdsourcing Architecture to Localize A Micro Crowdsourcing Architecture to Localize Web Content for Less-Resourced Languages Asanka Wasala Chris Exton Ruvan Weerasinghe Reinhard Schler Adapted from:

504 views • 31 slides
Micro-frontends Architecture @lucamezzalira 1 Ciao :) Luca Mezzalira VP of Architecture at

Micro-frontends Architecture @lucamezzalira 1 Ciao :) Luca Mezzalira VP of Architecture at

Micro-frontends Architecture @lucamezzalira 1 Ciao :) Luca Mezzalira VP of Architecture at DAZN Google Developer Expert London Javascript Community Manager 2 Agenda 1. From monolith to micro 2. What is a Micro-frontend? 3. Technical

687 views • 37 slides
Micro Content, Chatbots, and Machine Learning What do they mean for Technical Authoring?

Micro Content, Chatbots, and Machine Learning What do they mean for Technical Authoring?

Micro Content, Chatbots, and Machine Learning What do they mean for Technical Authoring? PRESENTED BY Mike Hamilton V.P. Product Evangelism MadCap Software Agenda Micro Content Definition Attributes A Micro Content Strategy

816 views • 48 slides
iRODS Micro-Services Reagan Moore {moore, sekar, mwan, schroeder, bzhu, ptooby, antoine,

iRODS Micro-Services Reagan Moore {moore, sekar, mwan, schroeder, bzhu, ptooby, antoine,

iRODS Micro-Services Reagan Moore {moore, sekar, mwan, schroeder, bzhu, ptooby, antoine, sheauc}@diceresearch.org {chienyi, marciano, michael_conway}@email.unc.edu 1 Implications iRODS policies are enforced at the remote storage location

151 views • 14 slides
Micro Markets The New Breakroom Experience Outline What is a Micro Market? Employee Benefits

Micro Markets The New Breakroom Experience Outline What is a Micro Market? Employee Benefits

Micro Markets The New Breakroom Experience Outline What is a Micro Market? Employee Benefits Unique Features Customizable Layouts Basic Requirements Your Workplace Deserves A Better Breakroom Did You Know? A well-stocked break room leads to

428 views • 19 slides
An Integrated micro-macro firms distress model based on payments network Micro Financial

An Integrated micro-macro firms distress model based on payments network Micro Financial

Outline Introduction Micro-financial stress test A preliminary analysis An Integrated micro-macro firms distress model based on payments network Micro Financial Stress Test Guy Kelman 1 Marco Lamieri 2 Volker Nannen 3 Sorin Solomon 1 1

494 views • 27 slides
Pollution, fertility and public policies Luca Gori * and Mauro Sodini * Kyiv, Ukraine, NED 2019,

Pollution, fertility and public policies Luca Gori * and Mauro Sodini * Kyiv, Ukraine, NED 2019,

Pollution, fertility and public policies Luca Gori * and Mauro Sodini * Kyiv, Ukraine, NED 2019, September 09 th , 2016 * University of Pisa Motivations Micro and Macro founded model to study the relationship between (some) economic and

833 views • 24 slides
The Brazilian experience on the Simples Nacional: Micro Entrepreneur, Micro and Small

The Brazilian experience on the Simples Nacional: Micro Entrepreneur, Micro and Small

The Brazilian experience on the Simples Nacional: Micro Entrepreneur, Micro and Small Businesses Executive Secretariat of the Management Committee of Simples Nacional Silas Santiago Manila, July, 2018

538 views • 34 slides
Micro-CTvlab: A web based virtual gallery of biological specimens using micro-computed tomography

Micro-CTvlab: A web based virtual gallery of biological specimens using micro-computed tomography

Micro-CTvlab: A web based virtual gallery of biological specimens using micro-computed tomography By : Kleoniki Keklikoglou, Eva Chatzinikolaou, Sarah Faulwetter, Irene Filiopoulou, Nikitas Michalakis, Nikos Minadakis, Emmanouela Panteri, George

662 views • 38 slides
Micro-Bubbles By: Givi Basishvili Xavier Marrero What are Micro-Bubbles? Small bubbles

Micro-Bubbles By: Givi Basishvili Xavier Marrero What are Micro-Bubbles? Small bubbles

Micro-Bubbles By: Givi Basishvili Xavier Marrero What are Micro-Bubbles? Small bubbles (&gt;10m; 0.000001meters) Can hold: Oxygen - Genetic Info (DNA) - Drugs - Used for Medical Purposes 10m Purpose Deliver Chemicals

742 views • 18 slides
Micro Milling of High Aspect Ratio Micro Process Engineering IMVT Engineering IMVT Structures in

Micro Milling of High Aspect Ratio Micro Process Engineering IMVT Engineering IMVT Structures in

Forschungszentrum Karlsruhe in der Helmholtz-Gemeinschaft Micro Milling of High Aspect Ratio Micro Process Engineering IMVT Engineering IMVT Structures in Ceramics T. Gietzelt, L. Eichhorn, J. Binder* Institute of Micro Process Engineering,

229 views • 18 slides
City of Rock Hill Financial Policies 2016 What are Financial Policies? Financial Policies are a

City of Rock Hill Financial Policies 2016 What are Financial Policies? Financial Policies are a

City of Rock Hill Financial Policies 2016 What are Financial Policies? Financial Policies are a method of institutionalizing good financial management practices in the organization. They clarify and crystallize the strategic intent for

216 views • 18 slides
Micro Focus Lender Presentation 20 February 2020 Disclaimer This presentations has been

Micro Focus Lender Presentation 20 February 2020 Disclaimer This presentations has been

Micro Focus Lender Presentation 20 February 2020 Disclaimer This presentations has been prepared solely to provide a basis for for potential providers of finance to consider whether to assist Micro Focus International PLC (Micro Focus&quot;)

624 views • 38 slides
Structural policies, worker flows European Central Bank and resilience: evidence for the euro

Structural policies, worker flows European Central Bank and resilience: evidence for the euro

Robert Anderton Structural policies, worker flows European Central Bank and resilience: evidence for the euro area using individual-level Benedetta Di Lupidio micro data European Central Bank 2nd Joint IMF-OECD-World Bank Conference on

813 views • 60 slides
Micro Power Generators Sung Park Kelvin Yuk ECS 203 Overview Why Micro Power Generators are

Micro Power Generators Sung Park Kelvin Yuk ECS 203 Overview Why Micro Power Generators are

Micro Power Generators Sung Park Kelvin Yuk ECS 203 Overview Why Micro Power Generators are becoming important Types of Micro Power Generators Power Generators Reviewed Ambient Vibrational energy Radiant heat energy

445 views • 19 slides

More recommend