AutoISES: Automatically Inferring Security Specifications and Detecting Violations


1 AutoISES: Automatically Inferring Security Specifications and Detecting Violations. (U. of Illinois at Urbana-Champaign); Xiaolan (Catherine) Zhang (IBM Research); Xiao Ma, Weiwei Xiong, Yuanyuan Zhou (U. of Illinois at Urbana-Champaign)

2 Motivation
Software security is critically important. Huge financial impact: $13-40 billion loss to American business due to software vulnerabilities [Fortify].
Mandatory Access Control (MAC) is proposed to provide stronger security. It is already included in the Linux kernel 2.6 series (Linux Security Modules) and in Xen (Xen Security Modules).

4 Background
    linux/fs/read_write.c:
    ssize_t vfs_read() {
        ret = security_file_permission(file, ...);   /* security check function */
        if (!ret) {
            ret = file->f_op->read(file, ...);       /* security sensitive operation */
        }
    }
All sensitive operations are authorized by the proper security check function.

8 Challenge
Difficult to implement because sensitive operations are scattered throughout the code. E.g., file read/write happens in read(), readdir(), readv(), splice_read(), write(), writev(), splice_write(), ... and new operation instances may be added. A missing/incorrect security check leads to security compromises.

10 A Real Vulnerability
The same security sensitive operation (file read/write) appears in three places; the third forgot to call security_file_permission().
    linux/fs/read_write.c:
    ssize_t vfs_read() {
        ret = security_file_permission(file, ...);   /* security check */
        if (!ret) {
            ret = file->f_op->read(file, ...);
        }
    }

    linux/fs/readdir.c:
    ssize_t vfs_readdir() {
        ret = security_file_permission(file, ...);   /* security check */
        if (!ret) {
            ret = file->f_op->readdir(file, ...);
        }
    }

    linux/fs/read_write.c:
    ssize_t do_readv_writev() {
        ret = file->f_op->readv(file, ...);          /* forgot to call security_file_permission() */
    }

14 The Gap
Want to check: all sensitive operations are authorized by the proper security check, e.g., all file read/write operations are protected by security_file_permission(). This is a high-level property: too abstract to verify.
Code-level rules can be directly used for checking but are difficult to write and maintain. The code-level rule for the property above, auto-generated by AutoISES (don't try to read it):
    Security check function: security_file_permission
    Security sensitive operation (a group of data structure accesses):
    1. READ inode->i_size
    2. READ file->f_flags
    3. READ file->f_pos
    4. READ file->f_dentry
    5. READ file->f_dentry->d_inode
    6. READ file->f_vfsmnt
    7. READ dentry->d_inode
    8. READ address_space->flags
    9. READ address_space->nrpages
    10. WRITE address_space->nrpages
    11. READ address_space->page_tree
    12. READ address_space->tree_lock
    13. READ page->_count
    14. READ page->flags
    15. WRITE page->index
    16. READ page->mapping
    17. WRITE page->mapping
    18. READ pglist_data->node_zonelists
    19. READ zone->wait_table
    20. READ zone->wait_table_bits
    21. READ (Global) nr_pagecache
    22. READ (Global) zone_table
The gap lies between the high-level property and the code-level rules.

21 Idea
Automatically infer code-level security specifications/rules from the common case. Rationale: released code is mostly correct. This shares its rationale with previous studies [Ernst et al. 00], [Engler et al. 01], [Ammons et al. 02], [Li et al. 05], [Lu et al. 07], but we extract a different type of rule, and extracting different rules requires different techniques.

23 Contributions
- First to automatically infer code-level security specifications and detect violations (focus of this talk)
- Extracted 84 rules and detected 8 security violations (7 confirmed by developers) from the latest versions of the Linux kernel and Xen
- Bridged the gap → more secure software
- Quantitatively evaluated 4 different levels of rule granularity (in our paper)

25 Outline
Motivation, Challenges & Contributions
Our Approach: automatically infer code-level security specs; automatically detect violations of these specs
Evaluation & Results
Related Work
Conclusions

26 Rule Inference Problem
Given: source code, and a set of N security check functions.
Infer: a set of rules of the form <Check_i, Op_i>, where Op_i is protected by Check_i, 1 <= i <= N. Op_i: security sensitive operation. Check_i: security check function.

28 Challenges
Rule: <Check_i, Op_i>, where Op_i is protected by Check_i. Check_i is usually documented (e.g., security_file_permission()).
1. How to represent Op_i?
2. How to define "protected"?
3. Where to start the analysis?
4. How to infer rules?
5. How to rank violations?

34 Representing Sensitive Op
Using functions to represent sensitive operations??? Take the three fragments from slide 10: vfs_read() calls file->f_op->read(), vfs_readdir() calls file->f_op->readdir(), and do_readv_writev() calls file->f_op->readv().
Problem: the same security sensitive operation can be mapped to different functions. We find nothing in common for the file read/write operation.

36 Key Observation
The three fragments from slide 10 end up in the same low-level code:
    linux/fs/read_write.c:
    ssize_t vfs_read() {
        ret = security_file_permission(file, ...);
        if (!ret) {
            ret = file->f_op->read(file, ...);   /* -> do_sync_read() -> filp->f_op->aio_read() -> generic_file_aio_read() */
        }
    }

    linux/fs/readdir.c:
    ssize_t vfs_readdir() {
        ret = security_file_permission(file, ...);
        if (!ret) {
            ret = file->f_op->readdir(file, ...);   /* -> ... -> file_accessed() */
        }
    }

    linux/fs/read_write.c:
    ssize_t do_readv_writev() {
        ret = file->f_op->readv(file, ...);   /* -> ... -> generic_file_aio_read() */
    }

    linux/mm/filemap.c:
    ssize_t generic_file_aio_read() {
        ...
        struct file *filp = ...;
        if (filp->f_flags & O_DIRECT) { ... }
    }

    linux/include/linux/fs.h:
    static inline void file_accessed(struct file *file) {
        ...
        if (file->f_flags & O_NOATIME) { ... }
    }
Ultimately the same operations access the same data structures, e.g., READ file->f_flags, READ inode->i_size, ... because security checks are designed to protect data.

44 Security Specification
A set of tuples <Check_i, Op_i>, where
    Op_i   := {Access}+
    Access := READ AST | WRITE AST
    AST    := typename (->field)+ | global variable
That is, a group of data structure accesses is used to represent a security sensitive operation.

45 Defining "Protected"
All data accesses that occur after the check. This is an approximation of the true protected data accesses: it can include unrelated accesses (noise), but noise can be eliminated during rule inference (later) and violation detection (in the paper).

46 Where to Start the Analysis?
[Figure: call graph; legend: security check, data structure access, function, function call.] Obviously, the triangles are protected.
Naive approach: start from the direct callers of security checks.
Problem: this finds NO security sensitive operation after the check, because the direct callers are wrapper functions, e.g.:
    linux/fs/namei.c:
    int permission(struct inode *inode, ...) {
        ...
        return security_inode_permission(inode);
    }

53 Root Functions
Our approach (automatic): break the program into modules based on the build configuration (e.g., makefile), then identify the root functions of each module, i.e., functions that do not have callers, by call graph analysis.

54 Rule Inference
For each root function, extract the data structure accesses after each security check (static traces from other root functions are not shown):
    From sys_read():
    1. READ inode->i_size
    2. READ file->f_flags
    3. READ sock_iocb->async_msg
    4. WRITE msghdr->msg_name
    ...

    From old_readdir():
    1. READ inode->i_size
    2. READ file->f_flags
    3. READ readdir_callback->result
    4. WRITE readdir_callback->result
    ...
Compute the intersection of all sets of data structure accesses for the same security check; this can mask noise.
    Security rule: security_file_permission
    1. READ inode->i_size
    2. READ file->f_flags
    ...

60 Violation Ranking
Untrusted-space exposability study: no need to protect sensitive operations initiated from the trusted space (e.g., the kernel). Automatic reachability study from exported functions (e.g., syscalls for Linux, hypercalls for Xen). Errors: definitely exposable to the untrusted space. Warnings: possibly exposable to the untrusted space.
The more accesses matched, the more likely it is to be a sensitive operation.
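The root-function, rule-inference and violation-ranking steps above, as an added worked example that is not from the paper or the AutoISES tool: a small Python model in which the call graph and function bodies are constructed (the function names follow the slides, the bodies and the extra "noise" accesses are made up), rules are inferred by intersecting per-root static traces, and roots that perform a rule's accesses without its check are ranked, in a simplified version of the talk's exposability study, as errors when they are exported entry points and warnings otherwise.

```python
"""Toy model of the AutoISES pipeline: root functions, static traces, rule
inference by intersection, violation detection and ranking. Not the authors' tool."""
from collections import defaultdict

# Constructed program modelled on the slides' vfs_read / vfs_readdir /
# do_readv_writev example. Each body is an ordered list of statements:
#   ("check", name)                call to a security check function
#   ("call", name)                 direct call
#   ("READ"|"WRITE", type->field)  data structure access
# The bodies and the extra accesses are made up for illustration.
PROGRAM = {
    "sys_read": [("READ", "file->f_pos"), ("call", "vfs_read")],
    "vfs_read": [("check", "security_file_permission"), ("call", "do_sync_read")],
    "do_sync_read": [("call", "generic_file_aio_read")],
    "generic_file_aio_read": [("READ", "file->f_flags"), ("READ", "inode->i_size"),
                              ("READ", "sock_iocb->async_msg")],
    "old_readdir": [("call", "vfs_readdir")],
    "vfs_readdir": [("check", "security_file_permission"), ("READ", "file->f_flags"),
                    ("READ", "inode->i_size"), ("READ", "readdir_callback->result"),
                    ("WRITE", "readdir_callback->result")],
    "sys_readv": [("call", "do_readv_writev")],
    "do_readv_writev": [("call", "generic_file_aio_read")],       # check missing
    "kernel_internal_read": [("call", "generic_file_aio_read")],  # not exported
}
CHECKS = {"security_file_permission"}
EXPORTED = {"sys_read", "old_readdir", "sys_readv"}  # syscall entry points


def root_functions(program):
    """Functions with no callers inside the module (call graph roots)."""
    called = {arg for body in program.values() for kind, arg in body if kind == "call"}
    return sorted(fn for fn in program if fn not in called)


def reachable_accesses(program, fn, seen=None):
    """Every data structure access reachable from fn, inter-procedurally."""
    seen = set() if seen is None else seen
    if fn in seen or fn not in program:
        return set()
    seen.add(fn)
    out = set()
    for kind, arg in program[fn]:
        if kind == "call":
            out |= reachable_accesses(program, arg, seen)
        elif kind in ("READ", "WRITE"):
            out.add((kind, arg))
    return out


def static_trace(program, root, checks):
    """Map each security check met under root to the accesses that occur after it.
    A check stays active for the rest of the traversal, so accesses made by the
    callers of a wrapper such as permission() are attributed to it as well."""
    trace, active, visited = defaultdict(set), set(), set()

    def walk(fn):
        key = (fn, frozenset(active))
        if key in visited or fn not in program:
            return
        visited.add(key)
        for kind, arg in program[fn]:
            if kind == "check" and arg in checks:
                active.add(arg)
                trace[arg]  # register the check even if no access follows it
            elif kind == "call":
                walk(arg)
            else:
                for check in active:
                    trace[check].add((kind, arg))

    walk(root)
    return dict(trace)


def infer_rules(program, checks):
    """Intersect, per check, the traces of all root functions that reach it.
    Accesses seen under only one root (noise) drop out of the intersection."""
    per_check = defaultdict(list)
    for root in root_functions(program):
        for check, accesses in static_trace(program, root, checks).items():
            per_check[check].append(frozenset(accesses))
    return {c: frozenset.intersection(*sets) for c, sets in per_check.items()}


def detect_violations(program, rules, exported, min_matched=2):
    """Report roots that perform a rule's accesses without ever reaching its check.
    Simplified ranking: violations are attributed to the root, so 'error' means
    the root itself is an exported entry point and 'warning' that it is not;
    within a level, more matched accesses rank higher."""
    reports = []
    for root in root_functions(program):
        seen_checks = static_trace(program, root, set(rules))
        accesses = reachable_accesses(program, root)
        for check, rule in rules.items():
            if check in seen_checks:
                continue  # the check is performed on this path: protected
            matched = len(rule & accesses)
            if matched >= min_matched:
                level = "error" if root in exported else "warning"
                reports.append((level, root, check, matched))
    reports.sort(key=lambda r: (r[0] != "error", -r[3]))
    return reports


if __name__ == "__main__":
    inferred = infer_rules(PROGRAM, CHECKS)
    for check, rule in inferred.items():
        print(f"rule: {check} protects {sorted(rule)}")
    for level, root, check, n in detect_violations(PROGRAM, inferred, EXPORTED):
        print(f"{level}: {root} matches {n} accesses of {check}'s operation without the check")
```

The READ sock_iocb->async_msg access seen only under sys_read() and the readdir_callback accesses seen only under old_readdir() are masked by the intersection, exactly as on the slides.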

62 Static Analysis
Inter-procedural and flow-insensitive, for both rule inference and violation detection. Inter-procedural analysis is required by the problem: data accesses for the same operation can be as far as 18 levels apart in the call chain; a simple function pointer alias analysis is used. Flow-insensitive because of scalability.


66 Evaluated Software
    Software   Lines of Code   Total # of Checks
    Linux      5.0M            96
    Xen        0.3M            67
Focused on permission checks, excluding initialization and clean-up checks.

67 Results & Overhead
Columns: Software; # of rules; # of true violations; # false positives in errors; # of warnings (# inspected, # uninspected). Row values as transcribed (some cells are missing from the transcription):
    Linux   /6   25(2)   265
    Xen     /2   3       0
    Total   /8   28(2)
7 out of the 8 true violations are already confirmed by the corresponding developers. Error reports have a reasonable false positive rate. On average, 2 hrs for rule generation + detection.

74 Detected Violations (I)
Exploitable violations: both forgot to call security_file_permission().
    linux/fs/sys_splice.c:
    static long do_splice_from(..., struct file *out, ...) {
        ...
        return out->f_op->splice_write(...);
    }

    linux/fs/sys_splice.c:
    static long do_splice_to(struct file *in, ...) {
        ...
        return in->f_op->splice_read(...);
    }

76 Detected Violations (II)
Inconsistency violation: should use security_netlink_recv() instead.
    linux/net/decnet/netfilter/dn_rtmsg.c:
    static inline void dnrmg_receive_user_skb(...) {
        ...
        if (!cap_raised(...))
            RCV_SKB_FAIL(-EPERM);
        ...
    }

78 Related Work
Detecting security violations [Zhang et al. 02], [Edwards et al. 02], [Jaeger et al. 04]: require the rules to be given.
Retrofitting legacy code [Ganapathy et al. 06 & 07]: different goal (adding security checks); needs prior knowledge about the API & sensitive data types; requires manual refinement.
Inferring programming rules [Ernst et al. 00], [Engler et al. 01], [Ammons et al. 02], [Li et al. 05], [Lu et al. 07]: extract different types of rules.

81 Conclusions
Automatically extract code-level specifications and detect security violations. Extracted 84 rules and detected 8 security violations from the latest versions of the Linux kernel and Xen. Close a critical gap between secure design and secure implementation.
Lots of opportunities for future research: apply to more security properties; use faster and more precise static analysis.

83 Thank you! Questions? (U. of Illinois at Urbana-Champaign) Xiaolan (Catherine) Zhang (IBM Research) Xiao Ma, Weiwei Xiong, Yuanyuan Zhou (U. of Illinois at Urbana-Champaign)


More information

An Evil Copy: How the Loader Betrays You

An Evil Copy: How the Loader Betrays You An Evil Copy: How the Loader Betrays You Xinyang Ge 1,3, Mathias Payer 2 and Trent Jaeger 3 Microsoft Research 1 Purdue University 2 Penn State University 3 Page 1 Problem: A Motivating Example // main.c

More information

MP3: VIRTUAL MEMORY PAGE FAULT MEASUREMENT

MP3: VIRTUAL MEMORY PAGE FAULT MEASUREMENT MP3: VIRTUAL MEMORY PAGE FAULT MEASUREMENT University of Illinois at Urbana-Champaign Department of Computer Science CS423 Fall 2011 Keun Soo Yim GOAL A Linux kernel module to profile VM system events

More information

CS 378 (Spring 2003)

CS 378 (Spring 2003) Department of Computer Sciences THE UNIVERSITY OF TEXAS AT AUSTIN CS 378 (Spring 2003) Linux Kernel Programming Yongguang Zhang (ygz@cs.utexas.edu) Copyright 2003, Yongguang Zhang This Lecture Interprocess

More information

Designing a True Direct-Access File System with DevFS

Designing a True Direct-Access File System with DevFS Designing a True Direct-Access File System with DevFS Sudarsun Kannan, Andrea Arpaci-Dusseau, Remzi Arpaci-Dusseau University of Wisconsin-Madison Yuangang Wang, Jun Xu, Gopinath Palani Huawei Technologies

More information

Distribution Kernel Security Hardening with ftrace

Distribution Kernel Security Hardening with ftrace Distribution Kernel Security Hardening with ftrace Because sometimes your OS vendor just doesn't have the security features that you want. Written by: Corey Henderson Exploit Attack Surface Hardening system

More information

Confinement (Running Untrusted Programs)

Confinement (Running Untrusted Programs) Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules

More information

Fall 2017 :: CSE 306. File Systems Basics. Nima Honarmand

Fall 2017 :: CSE 306. File Systems Basics. Nima Honarmand File Systems Basics Nima Honarmand File and inode File: user-level abstraction of storage (and other) devices Sequence of bytes inode: internal OS data structure representing a file inode stands for index

More information

Objectives. Chapter 2: Operating-System Structures. 2.1 Operating System Services

Objectives. Chapter 2: Operating-System Structures. 2.1 Operating System Services Objectives Chapter 2: Operating-System Structures To describe the services an operating system provides to users, processes, and other systems To discuss the various ways of structuring an operating system

More information

Introduction Reading Writing scull. Linux Device Drivers - char driver

Introduction Reading Writing scull. Linux Device Drivers - char driver Overview 1 2 3 4 Major, minor File Operations The file Structure The inode structure Registraction simplest driver, suitable for most simple devices, follow the book. Jernej Figure: Vičič. (Simple Character

More information

The Virtual Filesystem

The Virtual Filesystem The Virtual Filesystem File Systems old days "the" filesystem! now many filesystem types, many instances need to copy file from NTFS to Ext3 original motivation NFS support (Sun) idea filesystem op abstraction

More information

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018 Sandboxing CS-576 Systems Security Instructor: Georgios Portokalidis Sandboxing Means Isolation Why? Software has bugs Defenses slip Untrusted code Compartmentalization limits interference and damage!

More information

Improving I/O Bandwidth With Cray DVS Client-Side Caching

Improving I/O Bandwidth With Cray DVS Client-Side Caching Improving I/O Bandwidth With Cray DVS Client-Side Caching Bryce Hicks Cray Inc. Bloomington, MN USA bryceh@cray.com Abstract Cray s Data Virtualization Service, DVS, is an I/O forwarder providing access

More information

Towards automated detection of buffer overrun vulnerabilities: a first step. NDSS 2000 Feb 3, 2000

Towards automated detection of buffer overrun vulnerabilities: a first step. NDSS 2000 Feb 3, 2000 Towards automated detection of buffer overrun vulnerabilities: a first step David Wagner Eric A. Brewer Jeffrey S. Foster Alexander Aiken NDSS 2000 Feb 3, 2000 1 Introduction The state of computer security

More information

Supporting Operating System Kernel Data Disambiguation using Points-to Analysis

Supporting Operating System Kernel Data Disambiguation using Points-to Analysis Supporting Operating System Kernel Data Disambiguation using Points-to Analysis Amani Ibriham, James Hamlyn-Harris, John Grundy & Mohamed Almorsy Center for Computing and Engineering Software Systems Swinburne

More information

CSE543 - Computer and Network Security Module: Virtualization

CSE543 - Computer and Network Security Module: Virtualization CSE543 - Computer and Network Security Module: Virtualization Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 1 Operating System Quandary Q: What is the primary goal of

More information

Advanced Systems Security: Ordinary Operating Systems

Advanced Systems Security: Ordinary Operating Systems Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

CCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs

CCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs CCured Type-Safe Retrofitting of C Programs [Necula, McPeak,, Weimer, Condit, Harren] #1 One-Slide Summary CCured enforces memory safety and type safety in legacy C programs. CCured analyzes how you use

More information

Do you have to reproduce the bug on the first replay attempt?

Do you have to reproduce the bug on the first replay attempt? Do you have to reproduce the bug on the first replay attempt? PRES: Probabilistic Replay with Execution Sketching on Multiprocessors Soyeon Park, Yuanyuan Zhou University of California, San Diego Weiwei

More information

CSE 333 SECTION 3. POSIX I/O Functions

CSE 333 SECTION 3. POSIX I/O Functions CSE 333 SECTION 3 POSIX I/O Functions Administrivia Questions (?) HW1 Due Tonight HW2 Due Thursday, July 19 th Midterm on Monday, July 23 th 10:50-11:50 in TBD (And regular exercises in between) POSIX

More information

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières Too much trusted software Untrustworthy code a huge problem Users willingly run malicious

More information

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Operating System Security Professor Trent Jaeger 1 OS Security So, you have built an operating system that enables user-space processes to

More information

Open Source support for OSD

Open Source support for OSD Open Source support for OSD IBM Haifa Research Lab IBM Labs in Haifa 2006 IBM Corporation Outline IBM Labs in Haifa Object Based Storage (OSD) OSD Initiator Past Going forward OSD Simulator on AlphaWorks

More information

ECEN 449 Microprocessor System Design. Hardware-Software Communication. Texas A&M University

ECEN 449 Microprocessor System Design. Hardware-Software Communication. Texas A&M University ECEN 449 Microprocessor System Design Hardware-Software Communication 1 Objectives of this Lecture Unit Learn basics of Hardware-Software communication Memory Mapped I/O Polling/Interrupts 2 Motivation

More information

Does Making The Kernel Harder Make

Does Making The Kernel Harder Make Does Making The Kernel Harder Make Making The Kernel Harder? Casey Schaufler Intel Open Source Technology Center Casey Schaufler Kernel developer from the 1970 s Supercomputers in the 1990 s Smack Linux

More information

What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.

What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control. C Flow Control David Chisnall February 1, 2011 Outline What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope Disclaimer! These slides contain a lot of

More information

CMPSC 497: Static Analysis

CMPSC 497: Static Analysis CMPSC 497: Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Our Goal In this course,

More information

[537] Virtual Machines. Tyler Harter

[537] Virtual Machines. Tyler Harter [537] Virtual Machines Tyler Harter Outline Machine Virtualization Overview CPU Virtualization (Trap-and-Emulate) CPU Virtualization (Modern x86) Memory Virtualization Performance Challenges Outline Machine

More information

Chapter 2: System Structures

Chapter 2: System Structures Chapter 2: System Structures Chapter 2: System Structures 2.1 Operating-System Services 2.2 User and Operating-System Interface 2.3 System Calls 2.4 Types of System Calls 2.5 System Programs 2.6 Operating-System

More information

Operating Systems. System calls. Guillaume Salagnac. Fall Insa-Lyon IST Semester

Operating Systems. System calls. Guillaume Salagnac. Fall Insa-Lyon IST Semester Operating Systems System calls Guillaume Salagnac Insa-Lyon IST Semester Fall 2018 2/36 Previously on IST-OPS Application 1 Application 2 OS Kernel Hardware The CPU implements the Von Neumann cycle executes

More information

Static Analysis Basics II

Static Analysis Basics II Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Basics

More information

acomment: Mining Annotations from Comments and Code to Detect Interrupt-Related Concurrency Bugs

acomment: Mining Annotations from Comments and Code to Detect Interrupt-Related Concurrency Bugs : Mining Annotations from Comments and Code to Detect Interrupt-Related Concurrency Bugs, University of Waterloo, lintan@uwaterloo.ca Yuanyuan (YY) Zhou, University of California, San Diego Yoann Padioleau,

More information

Networking Subsystem in Linux. Manoj Naik IBM Almaden Research Center

Networking Subsystem in Linux. Manoj Naik IBM Almaden Research Center Networking Subsystem in Linux Manoj Naik IBM Almaden Research Center Scope of the talk Linux TCP/IP networking layers Socket interfaces and structures Creating and using INET sockets Linux IP layer Socket

More information

OMNIO: A Tool for I/O Recording, Analysis and Replay

OMNIO: A Tool for I/O Recording, Analysis and Replay OMNIO: A Tool for I/O Recording, Analysis and Replay Bryan Flynt Cooperative Institute for Research in the Atmosphere Colorado State University Fort Collins, Colorado USA Mark Govett Advanced Technology

More information

Implementing Interfaces. Marwan Burelle. July 20, 2012

Implementing Interfaces. Marwan Burelle. July 20, 2012 Implementing marwan.burelle@lse.epita.fr http://www.lse.epita.fr/ July 20, 2012 Outline 1 2 3 4 Quick Overview of System oriented programming language Variant of C with a rationnalized syntax. Syntactic

More information

Fall 2014:: CSE 506:: Section 2 (PhD) Securing Linux. Hyungjoon Koo and Anke Li

Fall 2014:: CSE 506:: Section 2 (PhD) Securing Linux. Hyungjoon Koo and Anke Li Securing Linux Hyungjoon Koo and Anke Li Outline Overview Background: necessity & brief history Core concepts LSM (Linux Security Module) Requirements Design SELinux Key elements Security context: identity

More information

CS 378 (Spring 2003)

CS 378 (Spring 2003) Department of Computer Sciences THE UNIVERSITY OF TEXAS AT AUSTIN CS 378 (Spring 2003) Linux Kernel Programming Yongguang Zhang (ygz@cs.utexas.edu) Copyright 2003, Yongguang Zhang Linux File System Mounting

More information

High Level Programming for GPGPU. Jason Yang Justin Hensley

High Level Programming for GPGPU. Jason Yang Justin Hensley Jason Yang Justin Hensley Outline Brook+ Brook+ demonstration on R670 AMD IL 2 Brook+ Introduction 3 What is Brook+? Brook is an extension to the C-language for stream programming originally developed

More information

0x1A Great Papers in Computer Security

0x1A Great Papers in Computer Security CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:

More information

CSE 120 Principles of Operating Systems

CSE 120 Principles of Operating Systems CSE 120 Principles of Operating Systems Spring 2018 Lecture 15: Multicore Geoffrey M. Voelker Multicore Operating Systems We have generally discussed operating systems concepts independent of the number

More information

CS 378 (Spring 2003)

CS 378 (Spring 2003) Department of Computer Sciences THE UNIVERSITY OF TEXAS AT AUSTIN CS 378 (Spring 2003) Linux Kernel Programming Yongguang Zhang (ygz@cs.utexas.edu) Copyright 2003, Yongguang Zhang This Lecture Device Driver

More information

Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions

Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions Motivation for using Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions Dawson Engler Benjamin Chelf Andy Chou Seth Hallem 1 Computer Systems Laboratory Stanford University

More information

International Journal of Computer Engineering and Technology (IJCET), ISSN 0976 & TECHNOLOGY (IJCET) PROCESS BEHAVIOUR MODELLING USING LSM

International Journal of Computer Engineering and Technology (IJCET), ISSN 0976 & TECHNOLOGY (IJCET) PROCESS BEHAVIOUR MODELLING USING LSM INTERNATIONAL 6367(Print), ISSN 0976 6375(Online) JOURNAL Volume OF 3, Issue COMPUTER 3, October-December ENGINEERING (2012), IAEME & TECHNOLOGY (IJCET) ISSN 0976 6367(Print) ISSN 0976 6375(Online) Volume

More information

we are here Page 1 Recall: How do we Hide I/O Latency? I/O & Storage Layers Recall: C Low level I/O

we are here Page 1 Recall: How do we Hide I/O Latency? I/O & Storage Layers Recall: C Low level I/O CS162 Operating Systems and Systems Programming Lecture 18 Systems October 30 th, 2017 Prof. Anthony D. Joseph http://cs162.eecs.berkeley.edu Recall: How do we Hide I/O Latency? Blocking Interface: Wait

More information

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan, Michael Dalton, Christos Kozyrakis Computer Systems Laboratory Stanford University Motivation Dynamic analysis help

More information

Model-based Kernel Testing for Concurrency Bugs through Counter Example Replay

Model-based Kernel Testing for Concurrency Bugs through Counter Example Replay Replace this file with prentcsmacro.sty for your meeting, or with entcsmacro.sty for your meeting. Both can be found at the ENTCS Macro Home Page. Model-based Kernel Testing for Concurrency Bugs through

More information

Dynamic Deadlock Avoidance Using Statically Inferred Effects

Dynamic Deadlock Avoidance Using Statically Inferred Effects Dynamic Deadlock Avoidance Using Statically Inferred Effects Kostis Sagonas1,2 joint work with P. Gerakios1 1 N. Papaspyrou1 P. Vekris1,3 School of ECE, National Technical University of Athens, Greece

More information

Advanced Systems Security: Ordinary Operating Systems

Advanced Systems Security: Ordinary Operating Systems Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

Operating System Security: Building Secure Distributed Systems

Operating System Security: Building Secure Distributed Systems Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Operating System Security:

More information

Advanced Systems Security: Security-Enhanced Linux

Advanced Systems Security: Security-Enhanced Linux Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

6.858 Quiz 2 Review. Android Security. Haogang Chen Nov 24, 2014

6.858 Quiz 2 Review. Android Security. Haogang Chen Nov 24, 2014 6.858 Quiz 2 Review Android Security Haogang Chen Nov 24, 2014 1 Security layers Layer Role Reference Monitor Mandatory Access Control (MAC) for RPC: enforce access control policy for shared resources

More information

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14 SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14 2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically

More information

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod Ganapathy University of Wisconsin vg@cs.wisc.edu Trent Jaeger Pennsylvania State University tjaeger@cse.psu.edu

More information

Model-based Kernel Testing for Concurrency Bugs through Counter Example Replay

Model-based Kernel Testing for Concurrency Bugs through Counter Example Replay Electronic Notes in Theoretical Computer Science 253 (2009) 21 36 www.elsevier.com/locate/entcs Model-based Kernel Testing for Concurrency Bugs through Counter Example Replay Moonzoo Kim, Shin Hong, Changki

More information

DOUG GOLDSTEIN STAR LAB XEN SUMMIT AUG 2016 ATTACK SURFACE REDUCTION

DOUG GOLDSTEIN STAR LAB XEN SUMMIT AUG 2016 ATTACK SURFACE REDUCTION DOUG GOLDSTEIN STAR LAB XEN SUMMIT 2016 25 AUG 2016 ATTACK SURFACE REDUCTION OVERVIEW TOPICS Define attack surface Discuss parts of Xen s attack surface Attack surface metrics for Xen Define attack surface

More information

Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation

Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation Securing Software Applications Using Dynamic Dataflow Analysis Steve Cook OWASP June 16, 2010 0 Southwest Research Institute scook@swri.org (210) 522-6322 Copyright The OWASP Foundation Permission is granted

More information

Finish up OS topics Group plans

Finish up OS topics Group plans Finish up OS topics Group plans Today Finish up and review Linux device driver stuff Walk example again See how it all goes together Discuss talking to MMIO RTOS (on board) Deferred interrupts Discussion

More information

Android Kernel Security

Android Kernel Security Jeff Vander Stoep and Sami Tolvanen Android Kernel Security Linux Security Summit Aug 2018 Acknowledgements People who have reported security vulnerabilities to Android security: https://source.android.com/security/overview/acknowledgements

More information

Security and Reliability of the Internet Of Things (IoT): A Smart Meter Case Study

Security and Reliability of the Internet Of Things (IoT): A Smart Meter Case Study Security and Reliability of the Internet Of Things (IoT): A Smart Meter Case Study KarthikPattabiraman Farid Molazem Tabrizi, Maryam Raiyat, Abraham Chan, Ivan Beschastnikh University of British Columbia

More information

CSCI 420: Mobile Application Security. Lecture 15. Prof. Adwait Nadkarni

CSCI 420: Mobile Application Security. Lecture 15. Prof. Adwait Nadkarni CSCI 420: Mobile Application Security Lecture 15 Prof. Adwait Nadkarni 1 Running scripts from home apktool instructions: Move both files (apktool.jar & apktool) to /usr/local/bin (root needed) No-root

More information

RF-IDs in the Kernel -- Episode III: I want to File Away

RF-IDs in the Kernel -- Episode III: I want to File Away What s on the menu Software Comprehension and Maintenance June 2005 RF-IDs in the Kernel -- Episode III: I want to File Away Achilleas Anagnostopoulos (archie@istlab.dmst.aueb.gr) Department of Management

More information

Sandboxing untrusted code: policies and mechanisms

Sandboxing untrusted code: policies and mechanisms Sandboxing untrusted code: policies and mechanisms Frank Piessens (Frank.Piessens@cs.kuleuven.be) Secappdev 2011 1 Overview Introduction Java and.net Sandboxing Runtime monitoring Information Flow Control

More information

Linux Kernel Evolution. OpenAFS. Marc Dionne Edinburgh

Linux Kernel Evolution. OpenAFS. Marc Dionne Edinburgh Linux Kernel Evolution vs OpenAFS Marc Dionne Edinburgh - 2012 The stage Linux is widely deployed as an OpenAFS client platform Many large OpenAFS sites rely heavily on Linux on both servers and clients

More information

Kruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring

Kruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring NDSS 2012 Kruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring Donghai Tian 1,2, Qiang Zeng 2, Dinghao Wu 2, Peng Liu 2 and Changzhen Hu 1 1 Beijing Institute of Technology

More information

Runtime Analysis. November 28, Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

Runtime Analysis. November 28, Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1 Runtime Analysis November 28, 2011 Page 1 Analysis So Far Prove whether a property always holds May analysis Prove whether a property can hold Must analysis Key step: abstract interpretation to overapproximate

More information

Programming with MPI

Programming with MPI Programming with MPI p. 1/?? Programming with MPI Miscellaneous Guidelines Nick Maclaren nmm1@cam.ac.uk March 2010 Programming with MPI p. 2/?? Summary This is a miscellaneous set of practical points Over--simplifies

More information

W4118: interrupt and system call. Junfeng Yang

W4118: interrupt and system call. Junfeng Yang W4118: interrupt and system call Junfeng Yang Outline Motivation for protection Interrupt System call 2 Need for protection Kernel privileged, cannot trust user processes User processes may be malicious

More information

Motivation. What s the Problem? What Will we be Talking About? What s the Solution? What s the Problem?

Motivation. What s the Problem? What Will we be Talking About? What s the Solution? What s the Problem? 1 Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions Dawson Engler Benjamin Chelf Andy Chou Seth Hallem Stanford University Matthew Thornton November 9, 2005 2 Motivation

More information

The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel. Di Shen a.k.a. Retme Keen Lab of Tencent

The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel. Di Shen a.k.a. Retme Keen Lab of Tencent The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel Di Shen a.k.a. Retme (@returnsme) Keen Lab of Tencent whoami Di Shen a.k.a. Retme (@returnsme) Member of Keen Lab Android Kernel

More information

Tutorial 2. Linux networking, sk_buff and stateless packet filtering. Roei Ben-Harush Check Point Software Technologies Ltd.

Tutorial 2. Linux networking, sk_buff and stateless packet filtering. Roei Ben-Harush Check Point Software Technologies Ltd. Tutorial 2 Linux networking, sk_buff and stateless packet filtering Agenda 1 Linux file system - networking 2 3 4 sk_buff Stateless packet filtering About next assignment 2 Agenda 1 Linux file system -

More information

Verification & Validation of Open Source

Verification & Validation of Open Source Verification & Validation of Open Source 2011 WORKSHOP ON SPACECRAFT FLIGHT SOFTWARE Gordon Uchenick Coverity, Inc Open Source is Ubiquitous Most commercial and proprietary software systems have some open

More information

Listening to Programmers /* -- Taxonomies and Characteristics of Comments in Operating System Code */

Listening to Programmers /* -- Taxonomies and Characteristics of Comments in Operating System Code */ Listening to Programmers /* -- Taxonomies and Characteristics of Comments in Operating System Code */ Yoann Padioleau,, Yuanyuan Zhou University of Illinois, Urbana-Champaign Motivation Many innovations

More information

Improving Integer Security for Systems with KINT. Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS

Improving Integer Security for Systems with KINT. Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS Improving Integer Security for Systems with KINT Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS Integer error Expected result goes out of bounds Math ( -

More information

Programming with MPI

Programming with MPI Programming with MPI p. 1/?? Programming with MPI Miscellaneous Guidelines Nick Maclaren Computing Service nmm1@cam.ac.uk, ext. 34761 March 2010 Programming with MPI p. 2/?? Summary This is a miscellaneous

More information

Scaling CQUAL to millions of lines of code and millions of users p.1

Scaling CQUAL to millions of lines of code and millions of users p.1 Scaling CQUAL to millions of lines of code and millions of users Jeff Foster, Rob Johnson, John Kodumal and David Wagner {jfoster,rtjohnso,jkodumal,daw}@cs.berkeley.edu. UC Berkeley Scaling CQUAL to millions

More information

CS 550 Operating Systems Spring System Call

CS 550 Operating Systems Spring System Call CS 550 Operating Systems Spring 2018 System Call 1 Recap: The need for protection When running user processes, the OS needs to protect itself and other system components For reliability: buggy programs

More information

Speculative Synchronization

Speculative Synchronization Speculative Synchronization José F. Martínez Department of Computer Science University of Illinois at Urbana-Champaign http://iacoma.cs.uiuc.edu/martinez Problem 1: Conservative Parallelization No parallelization

More information

Linux Security Summit Europe 2018

Linux Security Summit Europe 2018 Linux Security Summit Europe 2018 Kernel Hardening: Protecting the Protection Mechanisms Igor Stoppa - igor.stoppa@huawei.com Cyber Security & Privacy Protection Labs - Huawei introduction memory classification

More information

Lecture 19: File System Implementation. Mythili Vutukuru IIT Bombay

Lecture 19: File System Implementation. Mythili Vutukuru IIT Bombay Lecture 19: File System Implementation Mythili Vutukuru IIT Bombay File System An organization of files and directories on disk OS has one or more file systems Two main aspects of file systems Data structures

More information