verify what
play

Verify what? Navigating the Attack Surface Mark S. Miller, Google - PowerPoint PPT Presentation

Jan 14, 2024 •98 likes •592 views

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript Imperial College, March 2018 Risk as Attack Surface a Expected Risk: likelihood * damage Potential damage Likelihood of exploitable

  1. Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript Imperial College, March 2018

  2. Risk as Attack Surface a

  3. Expected Risk: ∫ likelihood * damage Potential damage Likelihood of exploitable vulnerability a

  4. Expected Risk: ∫ likelihood * damage Resources to damage Fallible agents a

  5. Access Matrix Permission or Authority? Resources to damage Fallible agents a

  6. Hollow Out the Attack Surface! /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff Kernel + root OS’s TCB ~alan ~barb ~doug a

  7. Decouple accounts /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff Kernel + root OS’s TCB ~alan ~barb ~doug a

  8. a

  9. Decouple applications contact info pgp keyring calc.xls Net access Shell, Desktop Browser Spreadsheet Email client a

  10. Decouple apps contact info pgp keyring calc.xls Net access MobileOS Doug’s TCB Browser app Spreadsheet doc Mail a app

  11. Decouple apps contact info pgp keyring calc.xls Net access MobileOS Doug’s TCB Browser app Spreadsheet doc Mail a app

  12. Substrate Historical System System CMNM, Plessey 250, C.mmp, CM*, Hardware Crash-SAFE, CHERI, Risc-V CAP, Flex, IBM System/38, Intel 432 DVH, Hydra, StarOS, RATS, Capsicum, CloudABI, Genode, 
 OS Cal-TSS, PSOS, NLTSS, Spring Barrelfish, Fuchsia Gnosis, KeyKOS, GuardOS, KeyKOS family OS seL4 EROS, CapROS, Coyotos Distributed OS Ameoba, Mach, Midori Gedanken, W7, J-Kernel, Joe-E, Emily, Monte, Frozen Realms, Language CaPerl, Caja, Tamed Pict, Plash shill, Wyvern, wasm-gc Act-1, Eden, Emerald, 
 Distributed Language Pony, Kappa, Dr.SES Vulcan, Joule, E, Oz-E, M# Distributed Storage Scoopfs Tahoe-LAFS DCCS, CapTP, Foolscap, Crypto Protocol COAST, Cap’n Proto Client Utility, Waterken Offline Certs SPKI/SDSI, E-Speak, CapCert Macaroons, ld-ocap Gravity, Dfinity, RChain, Cosmos, Blockchain Veres One, Sovrin, Agoric Systems User Interface CapDesk, Scoopfs, Belay Sandstorm

  13. Substrate Historical System System CMNM, Plessey 250, C.mmp, CM*, Hardware Crash-SAFE, CHERI, Risc-V CAP, Flex, IBM System/38, Intel 432 DVH, Hydra, StarOS, RATS, Capsicum, CloudABI, Genode, 
 OS Cal-TSS, PSOS, NLTSS, Spring Barrelfish, Fuchsia Gnosis, KeyKOS, GuardOS, KeyKOS family OS seL4 EROS, CapROS, Coyotos Distributed OS Ameoba, Mach, Midori Gedanken, W7, J-Kernel, Joe-E, Emily, Monte, Frozen Realms , Language CaPerl, Caja , Tamed Pict, Plash shill, Wyvern, wasm-gc Act-1, Eden, Emerald, 
 Distributed Language Pony, Kappa, Dr.SES Vulcan, Joule, E, Oz-E, M# Distributed Storage Scoopfs Tahoe-LAFS DCCS, CapTP, Foolscap, Crypto Protocol COAST, Cap’n Proto Client Utility, Waterken Offline Certs SPKI/SDSI, E-Speak, CapCert Macaroons, ld-ocap Gravity, Dfinity, RChain , Cosmos , Blockchain Veres One , Sovrin , Agoric Systems User Interface CapDesk, Scoopfs, Belay Sandstorm

  14. Substrate Historical System System CMNM, Plessey 250, C.mmp, CM*, Hardware Crash-SAFE, CHERI, Risc-V CAP, Flex, IBM System/38, Intel 432 DVH, Hydra, StarOS, RATS, Capsicum, CloudABI, Genode, 
 OS Cal-TSS, PSOS, NLTSS, Spring Barrelfish, Fuchsia Gnosis, KeyKOS, GuardOS, KeyKOS family OS seL4 EROS, CapROS, Coyotos Distributed OS Ameoba, Mach, Midori Gedanken, W7, J-Kernel, Joe-E, Emily, Monte, Frozen Realms, Language CaPerl, Caja, Tamed Pict, Plash shill, Wyvern, wasm-gc Act-1, Eden, Emerald, 
 Distributed Language Pony, Kappa, Dr.SES Vulcan, Joule, E , Oz-E, M# Distributed Storage Scoopfs Tahoe-LAFS DCCS, CapTP , Foolscap, Crypto Protocol COAST, Cap’n Proto Client Utility, Waterken Offline Certs SPKI/SDSI, E-Speak, CapCert Macaroons, ld-ocap Gravity, Dfinity, RChain, Cosmos, Blockchain Veres One, Sovrin, Agoric Systems User Interface CapDesk , Scoopfs, Belay Sandstorm

  15. Decouple caplets contact info pgp keyring calc.xls Net access E, CapDesk Doug’s TCB DarpaBrowser caplet Excel in Polaris CapMail a caplet

  16. a

  17. Decouple modules contact info pgp keyring calc.xls Net access main() CapMail’s TCB address book gpg plugin SMTP , POP a stacks

  18. Decouple modules contact info pgp keyring calc.xls Net access main() CapMail’s TCB address book gpg plugin SMTP , POP a stacks

  19. s platform ess book

  20. Decouple objects exports (TCB)

  21. Decouple objects exports (TCB)

  22. Defensive Programming

  23. Defense in Depth

  24. Reduce area Mix of strategies /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff Kernel + root OS’s TCB ~alan ~barb ~doug a

  25. Reduce horizontal space POLA — Principle of Least Authority /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff Kernel + root OS’s TCB ~alan ~barb ~doug a

  26. Reduce density Apply POLA recursively /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff Kernel + root OS’s TCB ~alan ~barb ~doug a

  27. Reduce height Minimize+verify each TCB /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff Verified 𝞶 kernel No root ~alan ~barb lang, desktop ~doug main() a

  28. Reduce width Partition virtualized legacy /etc/passwd Alan’s stu ff Barb’s stu ff Doug’s stu ff ~alan VMM ~barb ~doug Polaris CHERI ffi a

  29. Multiplicative risk reduction Reduce horizontal space POLA Reduce density Composition across scales Reduce height Minimize TCBs: 𝞶 kernel, lang, … Reduce width Compositional virtualization

  30. Choose Verification Battles Reduce horizontal space POLA Patterns limit authority? Reduce density Composition across scales Embedding preserves security? Reduce height Minimize TCBs: 𝞶 kernel, lang, … Formal verification Reduce width Compositional virtualization Impenetrable confinement?

  31. Substrate Historical System System CMNM, Plessey 250, C.mmp, CM*, Hardware Crash-SAFE, CHERI , Risc-V CAP, Flex, IBM System/38, Intel 432 DVH, Hydra, StarOS, RATS, Capsicum , CloudABI, Genode, 
 OS Cal-TSS, PSOS, NLTSS, Spring Barrelfish, Fuchsia Gnosis, KeyKOS, GuardOS, KeyKOS family OS seL4 EROS, CapROS, Coyotos Distributed OS Ameoba, Mach, Midori Gedanken, W7, J-Kernel, Joe-E, Emily, Monte , Frozen Realms , Language CaPerl, Caja , Tamed Pict, Plash shill, Wyvern, wasm-gc Act-1, Eden, Emerald, 
 Distributed Language Pony , Kappa, Dr.SES Vulcan, Joule, E, Oz-E, M# Distributed Storage Scoopfs Tahoe-LAFS DCCS, CapTP, Foolscap, Crypto Protocol COAST, Cap’n Proto Client Utility, Waterken Offline Certs SPKI/SDSI, E-Speak, CapCert Macaroons, ld-ocap Gravity, Dfinity, RChain, Cosmos , Blockchain Veres One, Sovrin , Agoric Systems User Interface CapDesk, Scoopfs, Belay Sandstorm

  32. Questions?

  34. Networks of request making Human to Human (econ) Object to Human (ui) Human to Object (ui) Object to Object (software eng)

  35. The Principal-Agent Loop Allow Explain actions request Inspect internals Agent Ince reacts Reward Select Monitor cooperation agent effects

  36. The Principal-Agent Loop Allow Explain actions request Inspect internals Agent Ince reacts Reward Select Monitor cooperation agent effects

  37. The Principal-Agent Loop Allow Explain actions request Inspect internals Agent Ince reacts Reward Select Monitor cooperation agent effects

  38. The Principal-Agent Loop Allow Explain actions request Inspect internals Agent Ince reacts Reward Select Monitor cooperation agent effects

  39. The Elements of Decision Alignment Human to Human to/from Object to Human Object Object Select Trademark App stores Trusted developer agent Chain of custody White and black lists Same origin Inspect Trusted path Types, Verification Accounting controls internals URL bar Open source eyeballs Allow App permissions Security Law, Contracts actions Powerbox Protection patterns Explain Language User interface Abstraction request Reward Economics Machine learning Objective functions cooperation Incentive Alignment Agorics Monitor Reviews, Complaints Contracts, Testing Bug reports effects Word of mouth Backprop

  40. The Elements of Decision Alignment Human to Human to/from Object to Human Object Object Select Trademark App stores Trusted developer agent Chain of custody White and black lists Same origin Types, Verification Inspect Trusted path Accounting controls Open source eyeballs internals URL bar Allow App permissions Security Law, Contracts actions Powerbox Protection patterns Explain Language User interface Abstraction request Reward Economics Machine learning Objective functions cooperation Incentive Alignment Agorics Monitor Reviews, Complaints Contracts, Testing Bug reports effects Word of mouth Backprop

  41. The Elements of Decision Alignment Human to Human to/from Object to Human Object Object Select Trademark App stores Trusted developer agent Chain of custody White and black lists Same origin Inspect Trusted path Types, Verification Accounting controls internals URL bar Open source eyeballs Allow App permissions Security Law, Contracts actions Powerbox Protection patterns Explain Language User interface Abstraction request Reward Economics Machine learning Objective functions cooperation Incentive Alignment Agorics Contracts, Testing Monitor Reviews, Complaints Bug reports Backprop effects Word of mouth

Recommend

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment?

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment?

Trust But Verify Trust But Verify Trust But Verify Trust But Verify What Is CEC Entertainment? CEC Entertainment, Irving TX Founded by Nolan Bushnell Revenue What Is CEC Entertainment? What Is CEC Entertainment? What Is CEC Entertainment?

305 views • 19 slides
Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors that will receive 1099s and their

Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors that will receive 1099s and their

2019 CALENDAR YEAR-END CLOSING PROCEDURES 1 USAS-R CYE Procedures Verify 1099 Data Month End Close Calendar Year End Close 1099 Procedures TR1099 Program 2 2 Verify 1099 Data 3 3 1 Verify 1099 Data Verify Vendors

357 views • 8 slides
Trust, but Verify: An Improved Estimating Technique Using the Integrated Master Schedule (IMS)

Trust, but Verify: An Improved Estimating Technique Using the Integrated Master Schedule (IMS)

Trust, but verify is a form of advice given which recommends that while a source of information might be considered reliable, one should perform additional research to verify that such information is accurate, or trustworthy. The original

437 views • 32 slides
verify for NETCONF <draft-cole-netconf-verify-00.txt>

verify for NETCONF <draft-cole-netconf-verify-00.txt>

verify for NETCONF <draft-cole-netconf-verify-00.txt> <draft-cole-netconf-transaction-test-00.txt> Robert G. Cole 1 Dan Romascanu 2 Andy Bierman 3 1 U.S. Army CERDEC 2 Avaya dromasca@avaya.com 3 Netconf Central

87 views • 5 slides
Trust but verify Distinguishing distrust from vigilance via Mark L oczy

Trust but verify Distinguishing distrust from vigilance via Mark L oczy

Trust but verify Distinguishing distrust from vigilance via Mark L oczy Livia.Markoczy@ucr.edu The A. Gary Anderson Graduate School of Management University of California, Riverside Trust but verify p.1/31 The problem Trust but

654 views • 31 slides
E-Verify Program Background, Implementation, and Current Status Deborah Larson Employee

E-Verify Program Background, Implementation, and Current Status Deborah Larson Employee

E-Verify Program Background, Implementation, and Current Status Deborah Larson Employee Relations Policies, Programs and Services UC Human Resources August 2009 E-Verify Milestones Executive Order 13465 amended on June 6, 2008, requiring the

294 views • 14 slides
Model verification and tools C. Zingerle ZAMG Why verify? The three most important reasons to

Model verification and tools C. Zingerle ZAMG Why verify? The three most important reasons to

Model verification and tools C. Zingerle ZAMG Why verify? The three most important reasons to verify forecasts are: to monitor forecast quality - how accurate are the forecasts and are they improving over time? to improve forecast

468 views • 20 slides
GEORGIA DEPARTMENT OF AUDITS AND ACCOUNTS E-Verify Compliance and Reporting Requirements

GEORGIA DEPARTMENT OF AUDITS AND ACCOUNTS E-Verify Compliance and Reporting Requirements

GEORGIA DEPARTMENT OF AUDITS AND ACCOUNTS E-Verify Compliance and Reporting Requirements Professional People with Purpose 34 Nov 2018 Agenda Compliance Statistics E-Verify Compliance and Reporting Requirements Reporting System

375 views • 21 slides
Interactive Preview v1.6 E-Verify Self Check Interactive Preview The intent of this Preview is

Interactive Preview v1.6 E-Verify Self Check Interactive Preview The intent of this Preview is

Start Start Interactive Preview v1.6 E-Verify Self Check Interactive Preview The intent of this Preview is to provide an understanding of how a user will experience the E-Verify Self Check service. The Self Check Process Self Check While

581 views • 44 slides
Engineering Test (how are you going to verify Requirement # Importance Description Unit of

Engineering Test (how are you going to verify Requirement # Importance Description Unit of

Engineering Test (how are you going to verify Requirement # Importance Description Unit of Measure Marginal Value satisfaction) Visual Measurement based on Aiming Accuracy and Minimum Angular Error of device ability to point at specified

355 views • 19 slides
A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien

A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien

A template attack against Verify PIN algorithms Hlne Le Bouder, Thierno Barry, Damien Courouss, Jean-Louis Lanet and Ronan Lashermes July 27th 2016 A template attack against Verify PIN algorithms Le Bouder et al. July 27th 2016 1/23

590 views • 30 slides
CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be

CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be

CS 335 Software Development Introduction Jan 13, 2014 Healthcare.gov must verify a would-be applicants eligibility from Homeland Security, IRS and Social Security systems, in real time, plus enroll members electronically to any

346 views • 8 slides
WhatTheStack? Verify your Deployments using Tempest Christian Schwede | @cschwede_de | Nick

WhatTheStack? Verify your Deployments using Tempest Christian Schwede | @cschwede_de | Nick

WhatTheStack? Verify your Deployments using Tempest Christian Schwede | @cschwede_de | Nick Barcet | @nijaba | Juno OpenStack Summit | May 2014 Seamless Build & Delivery of Open Cloud Infrastructures 120+ Montral People

544 views • 27 slides
ATP Hygiene Monitoring What is it? A test method to verify good cleaning wherever you want it,

ATP Hygiene Monitoring What is it? A test method to verify good cleaning wherever you want it,

MASTER CLASS ATP HYGIENE MONITORING & RAPID TESTS FOR COLIFORM/E.COLI/TOTAL COUNT 9TH FOOD SAFETY AND & QUALITY SUMMIT NEW DELHI 2&3 DECEMBER 2014 ATP Hygiene Monitoring What is it? A test method to verify good cleaning

261 views • 25 slides
Atlas Certified provides an automated solution to verify and monitor license and certification

Atlas Certified provides an automated solution to verify and monitor license and certification

Atlas Certified provides an automated solution to verify and monitor license and certification data in an increasingly skill-based and regulated marketplace. The content of this presentation is proprietary and confidential. What is

492 views • 8 slides
How to capture, model, and verify the knowledge of legal, security, and privacy experts: a

How to capture, model, and verify the knowledge of legal, security, and privacy experts: a

Universit degli Studi di Trento How to capture, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach L. Compagna, P. El Khoury F. Massacci , N. Zannone R. Thomas Security Research Dept.

357 views • 14 slides
Record&Verify and Patient Information System Eugenia Moretti ASUIUD Udine

Record&Verify and Patient Information System Eugenia Moretti ASUIUD Udine

School of Medical Physics for Radiation Therapy: Dosimetry and Treatment Planning for Basic and Advanced Applications 24-march 5-april 2019 Record&Verify and Patient Information System Eugenia Moretti ASUIUD Udine

1.2k views • 118 slides
Record&Verify and Patient Information System Eugenia Moretti ASUIUD Udine

Record&Verify and Patient Information System Eugenia Moretti ASUIUD Udine

School of Medical Physics for Radiation Therapy: Dosimetry and Treatment Planning for Basic and Advanced Applications 27-march 7-april 2017 Record&Verify and Patient Information System Eugenia Moretti ASUIUD Udine

1.47k views • 112 slides
Total Traceability Implemented Strategies to confirm/verify the final destiny of blood

Total Traceability Implemented Strategies to confirm/verify the final destiny of blood

Total Traceability Implemented Strategies to confirm/verify the final destiny of blood components Maria Antnia Escoval, Condeo J, Ramoa A, Sousa G . 33 rd International Congress of the ISBT Seoul, May 31 June 5, 2014 2 Aim To assess

337 views • 23 slides
Fighting Layout Bugs Techniques to automatically verify the work of HTML and CSS programmers

Fighting Layout Bugs Techniques to automatically verify the work of HTML and CSS programmers

Fighting Layout Bugs Techniques to automatically verify the work of HTML and CSS programmers QCon London 2010 Who am I? Michael Tamm System Architect Selenium committer Conference Speaker author of numerous JUnit tests ;)

1.13k views • 96 slides
Cybersecurity for IoT: Verify your Software Today! Allan Blanchard, Nikolai Kosmatov (based on a

Cybersecurity for IoT: Verify your Software Today! Allan Blanchard, Nikolai Kosmatov (based on a

Cybersecurity for IoT: Verify your Software Today! Allan Blanchard, Nikolai Kosmatov (based on a tutorial prepared with Frdric Loulergue) Outline Introduction Verification of absence of runtime errors using Frama-C/Eva Deductive

694 views • 58 slides
Cold End Coupler Assembly (WS0) Verify torque and tighten as needed all the fasteners for

Cold End Coupler Assembly (WS0) Verify torque and tighten as needed all the fasteners for

Cold End Coupler Assembly (WS0) Verify torque and tighten as needed all the fasteners for the cavity beamline(under vacuum) as received (starting from CM07) Assemble pump/backfill/purge flex hose to the cavity Record as

366 views • 9 slides
Practical BDD with Behat and Mink Jeremy Mikola (@jmikola) In order to verify application

Practical BDD with Behat and Mink Jeremy Mikola (@jmikola) In order to verify application

Practical BDD with Behat and Mink Jeremy Mikola (@jmikola) In order to verify application behavior As a software developer I need tests In order to verify application behavior As a software developer I need tests Preferably automated tests

482 views • 44 slides
Trust, but Verify: What the Digital and Transparency Revolutions in Social Science Mean

Trust, but Verify: What the Digital and Transparency Revolutions in Social Science Mean

8/2/2015 University of Chicago Peking University Summer Institute on International Relations Theory and Methods (Beijing, August 2015) Trust, but Verify: What the Digital and Transparency Revolutions in Social Science Mean for You

333 views • 16 slides

More recommend