Module: Future of Secure Programming

Transcription

1 Module: Future of Secure Programming Professor Trent Jaeger Penn State University Systems and Internet Infrastructure Security Laboratory (SIIS) 1

2 Programmer s Little Survey Problem What does program for security mean? Implement a program Have you ever programmed for security? Without creating vulnerabilities When do you start to consider security when you What is a vulnerability? program? What do you try to do to make your code secure? When do you know you are done making your code secure? Should a programmer fix every flaw in their programs? Systems and and Internet Infrastructure Security Security (SIIS) (SIIS) Laboratory Laboratory 22

3 Programmer s Problem Implement a program Without creating vulnerabilities What is a vulnerability? Systems and Internet Infrastructure Security (SIIS) Laboratory 3

4 Systems and Internet Infrastructure Security Laboratory (SIIS) 4 Software Vulnerabilities Vulnerability combines A flaw Accessible to an adversary Who can exploit that flaw Which would you focus on to prevent vulnerabilities?

5 Systems and Internet Infrastructure Security Laboratory (SIIS) 5 Buffer Overflow Static Analysis For C code where char dest[len]; int n;... n = input();... strncpy(dest, src, n); Can this code cause a buffer overflow?

6 Systems and Internet Infrastructure Security Laboratory (SIIS) 6 Runtime Analysis One approach is to run the program to determine how it behaves Analysis Inputs Input Values - command line arguments Environment - state of file system, environment variables, etc. Question Can any input value in any environment cause a flaw (e.g., buffer overflow)? What are limitations of runtime analysis?

7 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 8 7 Runtime Static Analysis Analysis One approach is to run the program to determine how it behaves Explore all possible executions of a program! Analysis Inputs All possible inputs! Input Values - command line arguments All possible states! Environment - state of file system, environment variables, etc. Question Can any input value in any environment cause a flaw (e.g., buffer overflow)? What are limitations of runtime analysis?

8 Runtime Static Analysis One approach is to run the program to determine how it behaves Provides an approximation of behavior! Analysis Inputs Run in the aggregate! Input Values - command line arguments Rather than executing on ordinary states! Environment - state of file system, environment variables, etc. Finite-sized descriptors representing a collection of states! Question Run in non-standard way! Can any input value in any environment cause a flaw (e.g., buffer overflow)? Run in fragments! What are limitations of runtime analysis? Stitch them together to cover all paths! Runtime testing is inherently incomplete, but static analysis can cover all paths! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 10 8

9 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 11 9 Runtime Static Analysis Example One approach is to run the program to determine how it behaves Descriptors represent the sign of a value! Analysis Inputs Positive, negative, zero, unknown! Input Values - command line arguments For an expression, c = a * b! Environment - state of file system, environment variables, etc. If a has a descriptor pos! Question And b has a descriptor neg! Can any input value in any environment cause a flaw (e.g., buffer overflow)? What is the descriptor for c after that instruction?! What are limitations of runtime analysis? How might this help?!

10 Runtime Descriptors Analysis One approach is to run the program to determine how it behaves Choose a set of descriptors that! Analysis Inputs Abstracts away details to make analysis tractable! Input Values - command line arguments Preserves enough information that key properties hold! Environment - state of file system, environment variables, etc. Can determine interesting results! Question Using sign as a descriptor! Can any input value in any environment cause a flaw (e.g., buffer overflow)? Abstracts away specific integer values (billions to four)! Guarantees when a*b = 0 it will be zero in all executions! What are limitations of runtime analysis? Choosing descriptors is one key step in static analysis! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 12 10

11 Systems and Internet Infrastructure Security Laboratory (SIIS) 11 Buffer Overflow Static Analysis For C code where char dest[len]; int n; n = input(); strncpy(dest, src, n); Static analysis will try all paths of the program that impact variable n and flow to strncpy May be complex in general because Paths: Exponential number of program paths Interprocedural: n may be assigned in another function Aliasing: n s memory may be accessed from many places What descriptor values do you care about for n?

12 Systems and Internet Infrastructure Security Laboratory (SIIS) 12 Limitations of Static Analysis Scalability Can be expensive to reason about all executions of complex programs False positives Overapproximation means that executions that are not really possible will be modeled Accuracy Alias analysis and other imprecision may lead to false negatives Sound methods (no false negatives) can exacerbate scalability and false positives problems Bottom line: Static analysis often must be directed

13 Preventing These Vulnerabilities What can the programmer do to secure their program in such cases? Systems and Internet Infrastructure Security Laboratory (SIIS) 13

14 Information Denning s Lattice Flow Model Control Formalizes information flow models! FM = {N, P, SC, /, >} Shows that the information flow model instances form a lattice! N are objects, P are processes,! {SC, >} is a partial ordered set,! SC, the set of security classes is finite,! SC has a lower bound,! and / is a lub operator! Implicit and explicit information flows! Semantics for verifying that a configuration is secure! Static and dynamic binding considered! Biba and BLP are among the simplest models of this type Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 14

15 Information Denning s Lattice Flow Model Control Formalizes information flow models! What is it? FM = {N, P, SC, /, >} Shows that the information flow model instances form a lattice! N are objects, P are processes,! {SC, >} is a partial ordered set,! SC, the set of security classes is finite,! SC has a lower bound,! and / is a lub operator! Implicit and explicit information flows! Semantics for verifying that a configuration is secure! Static and dynamic binding considered! Biba and BLP are among the simplest models of this type Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 14

16 Information Denning s Lattice Flow Model Control Formalizes information flow models! What is it? FM = {N, P, SC, /, >} Simple security & -property Shows that the information flow model instances form a lattice! N are objects, P are processes,! {SC, >} is a partial ordered set,! SC, the set of security classes is finite,! SC has a lower bound,! and / is a lub operator! Implicit and explicit information flows! Semantics for verifying that a configuration is secure! Static and dynamic binding considered! Biba and BLP are among the simplest models of this type Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 14

17 Information Denning s Lattice Flow Model Control Formalizes information flow models! What is it? FM = {N, P, SC, /, >} Simple security & -property Shows that the information flow model instances form a lattice! N are objects, P are processes,! {SC, >} is a partial ordered set,! SC, the set of security classes is finite,! SC has a lower bound,! and / is a lub operator! Implicit and explicit information flows! Semantics for verifying that a configuration is secure! Static and dynamic binding considered! Biba and BLP are among the simplest models of this type Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 14

18 Implicit and explicit flows Information Flow Control Explicit! Direct transfer to b from a (e.g., b = a)! Implicit! Where value of b may depend on value of a indirectly (e.g., if a = 0, then b = c)! Model covers all programs! Statement S! Sequence S1, S2! Conditional c: S1,, Sm! Implicit flows only occur in conditionals! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 15

19 Implicit and explicit flows Information Flow Control Explicit! What is it? Direct transfer to b from a (e.g., b = a)! Implicit! Where value of b may depend on value of a indirectly (e.g., if a = 0, then b = c)! Model covers all programs! Statement S! Sequence S1, S2! Conditional c: S1,, Sm! Implicit flows only occur in conditionals! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 15

20 Implicit and explicit flows Information Flow Control Explicit! What is it? Direct transfer to b from a (e.g., b = a)! Simple security & -property Implicit! Where value of b may depend on value of a indirectly (e.g., if a = 0, then b = c)! Model covers all programs! Statement S! Sequence S1, S2! Conditional c: S1,, Sm! Implicit flows only occur in conditionals! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 15

21 Implicit and explicit flows Information Flow Control Explicit! What is it? Direct transfer to b from a (e.g., b = a)! Simple security & -property Implicit! Where value of b may depend on value of a indirectly (e.g., if a = 0, then b = c)! Model covers all programs! Statement S! Sequence S1, S2! Conditional c: S1,, Sm! Implicit flows only occur in conditionals! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 15

22 Information Semantics Flow Control Program is secure if:! Explicit flow from S is secure! Explicit flow of all statements in a sequence are secure (e.g., S1; S2)! Conditional c: S1,, Sm is secure if:! The explicit flows of all statements S1,, Sm are secure! The implicit flows between c and the objects in Si are secure! Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 16

23 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 16 Information Semantics Flow Control What is it? Program is secure if:! Explicit flow from S is secure! Explicit flow of all statements in a sequence are secure (e.g., S1; S2)! Conditional c: S1,, Sm is secure if:! The explicit flows of all statements S1,, Sm are secure! The implicit flows between c and the objects in Si are secure!

24 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 16 Information Semantics Flow Control What is it? Program is secure if:! Simple Explicit security flow from & -property S is secure! Explicit flow of all statements in a sequence are secure (e.g., S1; S2)! Conditional c: S1,, Sm is secure if:! The explicit flows of all statements S1,, Sm are secure! The implicit flows between c and the objects in Si are secure!

25 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 16 Information Semantics Flow Control What is it? Program is secure if:! Simple Explicit security flow from & -property S is secure! Explicit flow of all statements in a sequence are secure (e.g., S1; S2)! Conditional c: S1,, Sm is secure if:! The explicit flows of all statements S1,, Sm are secure! The implicit flows between c and the objects in Si are secure!

26 Systems and Internet Infrastructure Security Laboratory (SIIS) 17 Build on Type Safety

27 Systems and Internet Infrastructure Security Laboratory (SIIS) 17 Build on Type Safety Example 1 Object obj; int i; obj = obj + i;

28 Systems and Internet Infrastructure Security Laboratory (SIIS) 17 Build on Type Safety Example 1 Object obj; int i; obj = obj + i; X

29 Build on Type Safety A type-safe language maintains the semantics of types. E.g., can t add int s to Object s. Example 1 Object obj; int i; obj = obj + i; X Systems and Internet Infrastructure Security Laboratory (SIIS) 17

30 Build on Type Safety A type-safe language maintains the semantics of types. E.g., can t add int s to Object s. Example 1 Object obj; int i; obj = obj + i; X Type-safety is compositional. A function promises to maintain type safety. Systems and Internet Infrastructure Security Laboratory (SIIS) 17

31 Systems and Internet Infrastructure Security Laboratory (SIIS) 17 Build on Type Safety A type-safe language maintains the semantics of types. E.g., can t add int s to Object s. Type-safety is compositional. A function promises to maintain type safety. Example 1 Object obj; int i; obj = obj + i; X Example 2 String proc_obj(object o);... main() { Object obj; String s = proc_obj(obj);... }

32 Systems and Internet Infrastructure Security Laboratory (SIIS) 18 Labeling Types

33 Systems and Internet Infrastructure Security Laboratory (SIIS) 18 Labeling Types Example 1 int{high} h1,h2; int{low} l; l = 5; h2 = l; h1 = h2 + 10; l = h2 + l;

34 Systems and Internet Infrastructure Security Laboratory (SIIS) 18 Labeling Types Example 1 int{high} h1,h2; int{low} l; l = 5; h2 = l; h1 = h2 + 10; l = h2 + l; X

35 Labeling Types Example 1 int{high} h1,h2; int{low} l; l = 5; h2 = l; h1 = h2 + 10; l = h2 + l; X Key insight: label types with security levels Systems and Internet Infrastructure Security Laboratory (SIIS) 18

36 Labeling Types Example 1 int{high} h1,h2; int{low} l; l = 5; h2 = l; h1 = h2 + 10; l = h2 + l; X Key insight: label types with security levels Security-typing is compositional Systems and Internet Infrastructure Security Laboratory (SIIS) 18

37 Systems and Internet Infrastructure Security Laboratory (SIIS) 18 Labeling Types Example 1 int{high} h1,h2; int{low} l; l = 5; h2 = l; h1 = h2 + 10; l = h2 + l; X Key insight: label types with security levels Security-typing is compositional Example 2 String{low} proc_obj(object{high} o);... main() { Object{high} obj; String{low} s; s = proc_obj(obj);... }

38 Systems and Internet Infrastructure Security Laboratory (SIIS) 19 Implicit Flows Static (virtual) tagging int Low mydata = 0; int Low mydata2 = 0; if (test High ) mydata = 1; mydata contains information about test so it can no longer be Low,but mydata2 is outside the conditional, so it is untainted by test else mydata = 2; mydata2 = 0; print Low (mydata2); print Low (mydata); Causes type error at compile-time

39 Systems and Internet Infrastructure Security Laboratory (SIIS) 19 Implicit Flows Static (virtual) tagging int Low mydata = 0; int Low mydata2 = 0; if (test High ) mydata = 1; mydata contains information about test so it can no longer be Low,but mydata2 is outside the conditional, so it is untainted by test else mydata = 2; mydata2 = 0; print Low (mydata2); print Low (mydata); Causes type error at compile-time

40 Systems and Internet Infrastructure Security Laboratory (SIIS) 20 Preventing These Vulnerabilities What can the programmer do to secure their program? Decentralized Information Flow Control Programmer gives hints to operating system about information flows expected Operating system enforces those expectations To prevent link traversal attacks, programmers could just state that they require objects with an expected label And use that object safely with security types in program

41 Systems and Internet Infrastructure Security Laboratory (SIIS) 20 Preventing These Vulnerabilities What can the programmer do to secure their program? Decentralized Information Flow Control Programmer gives hints to operating system about information flows expected Operating system enforces those expectations To prevent link traversal attacks, programmers could just state that they require objects with an expected label Example 1 int{high} h1, h2; int{low} l; l = 5; h2 = open({high}); h1 = read_int(h2); And use that object safely with security types in program

42 Systems and Internet Infrastructure Security Laboratory (SIIS) 21 Retrofitting for Security Take the code written in a language of the programmers choice (for functionality) and retrofit with security code (mostly-automated) Consider authorization bypass vulnerabilities In these vulnerabilities, programmers forget to add code to control access to program resources!! What!is!authoriza,on?!! Resource user! Operation request! Response! Resource manager! Authorization Hooks! Reference monitor! Allowed?! YES/NO! Authorization policy! Alice, /etc/passwd, File_Read!

43 Systems and and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 22 X Server & Many X Clients Retrofitting for Security Take the code written in a language of the programmers choice (for functionality) and retrofit with security code (mostly-automated) Consider authorization bypass vulnerabilities In these vulnerabilities, programmers forget to add code to control access to program resources REMOTE LOCAL

44 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 23 Retrofitting for Security Malicious Remote X Client Take the code written in a language of the programmers choice (for functionality) and retrofit with security code (mostly-automated) Consider authorization bypass vulnerabilities In these vulnerabilities, programmers forget to add code to control access to program resources REMOTE LOCAL

45 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 24 Illegal Information Flow Retrofitting for Security Take the code written in a language of the programmers choice (for functionality) and retrofit with security code (mostly-automated) Consider authorization bypass vulnerabilities In these vulnerabilities, programmers forget to add code to control access to program resources REMOTE LOCAL

46 Retrofitting for Security Desirable Information Flow Take the code written in a language of the programmers choice (for functionality) and retrofit with security code (mostly-automated) Consider authorization bypass vulnerabilities In these vulnerabilities, programmers forget to add code to control access to program resources LOCAL REMOTE Systems and and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 25

47 Systems and Internet Infrastructure Security Laboratory (SIIS) 26 What Should a Programmer Do? How would you ensure that all accesses to window objects in the X Server are authorized?

48 Inferring Sensitive Operations What Should a Programmer Do? How would you ensure that all accesses to window objects in the X Server are authorized? Program Program Challenges Challenges Program User A User B Request Interface i A B o1 A. Identify securitysensitive resources F H C D E I J K L o2 o3 o4... on Programs manipulate many variables 7800 in X Server Of over 400 structures Many, many structuremember accesses Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 27

49 What Should a Programmer Do? Solution How would you ensure that all accesses to window objects in the X Server Requests are authorized? make choices In servers, client-request determines choices that client subjects can make in the program Choice : Resources: Determine which elements are chosen from containers. Operations: Determine which program path is selected for execution. Systems and and Internet Infrastructure Security (SIIS) Laboratory (SIIS) 28

50 Systems and and Internet Internet Infrastructure Security Security (SIIS) Laboratory Laboratory (SIIS) 29 Idea: Request Choices What Should a Programmer Do? How would you ensure that all accesses to window objects in the X Server are authorized? Program A Lookup Function using tainted variable User A Request Interface i B Container O User B o1 C v = Lookup(O,i) o2 o3 D o4 E F I K H J L

51 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 30 Idea: Request Choices What Should a Programmer Do? How would you ensure that all accesses to window objects in the X Server are authorized? Program A User A Request Interface i B Container O User B o1 C v = Lookup(O,i) o2 Op 1.0 D o3 o4 E F I K H J L

52 Systems and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 31 Idea: Request Choices What Should a Programmer Do? How would you ensure that all accesses to window objects in the Program X Server are authorized? A User A Request Interface i B Container O User B o1 C v = Lookup(O,i) o2 Op 1.0 D o3 o4 E Control Statement Predicated on a tainted variable F I K read v write v H J L

53 Systems and and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 32 Idea: Request Choices What Should a Programmer Do? How would you ensure that all accesses to window objects in the X Server are authorized? Program A User A Request Interface i B Container O User B o1 C v = Lookup(O,i) o2 Op 1.0 D o3 o4 Choice of operations E F I K read v write v H J L Op1.1 Op1.2 Op1.3

54 Systems and and Internet Infrastructure Security (SIIS) Laboratory Laboratory (SIIS) 33 Idea: Request Choices What Should a Programmer Do? How would you ensure that all accesses to window objects in the X Server are authorized? Program A User A Request Interface i B Container O User B o1 C v = Lookup(O,i) o2 Op 1.0 D o3 o4 E Security sensitive operation F I K read v write v H J L Op1.1 Op1.2 Op1.3

55 Systems and Internet Infrastructure Security Laboratory (SIIS) 34 Take Away Programming for security is difficult Programmers create flaws that are often accessible and exploitable by adversaries (vulnerabilities) Program analysis can find some flaws Static and dynamic, but limitations for each May need to fix program - security types and choice The future of secure programming may look very different Now: use favorite language for achieving function and try to add security code without creating flaws Future: use favorite language for achieving function and retrofit based on a security program