Writing and analyzing system policies in SUPPL

Transcription

1 Writing and analyzing system policies in SUPPL Robert Dockins (Galois, Inc.) Andrew Tolmach (LRI Univ. Paris-Sud) Alix Trieu (ENS Rennes) SOUND project Portland State University 1

2 (SAFE and) SOUND SOUND BAE Systems University of Pennsylvania Portland State University Apogee Research Safety on Untrusted Network Devices TEAM SOUND Wrapper Direct connection bound to specific identities for misbehavior attribution IBR a priori connection SOUND Data Service enables sensors to monitor data channels and attribute misbehavior to its origin SOUND supports two classes of applications: 1. SOUND-aware apps that are written for SOUND 2. Legacy apps that run within the SOUND Wrapper SOUND Identity Service empowers SOUND to trace misbehavior back to all associated identities, including users, applications, and systems Users and applications authenticate using the SOUND Identity Service Po Manlicy ua Policy Program Static Analyzer Compiler l Data Tables Policy Evaluator now extends to applications and users to protect communications from end point-to-endpoint Events Actions Network IBR a priori connection Assertions are used to validate users to the application server Application servers request new direct connections to SOUND-protected data repositories Applications connect to SOUND by way of the SOUND Connector, a system-level component of the SOUND Connection Service Data connections are bound to the identities associated with the data request for misbehavior attribution Policy Properties SUPPL Platform Policies combined with sensor observations form SOUND decisions SOUND Connection Service SOUND MODEL Informal Policy STATE TRANSITION SIMULATION RESULTS

3 Configuring an Active Firewall VPN-style network access on a per-connection level. 3

4 Configuring an Active Firewall VPN-style network access on a per-connection level. Who may access network resources? Who is to be considered malicious and how is their access limited? Who gets what quality of service? 4

5 Configuring an Active Firewall VPN-style network access on a per-connection level. Complex, changing configuration criteria Multiple administrators must cooperate to set policy Set of administration domains is dynamic Different administrators have different goals Multiple, complex platforms for implementing policy decisions 5

6 Existing tools are poor... Primitive user-driven configuration methods Mysterious command-line incantations Inflexible graphical control panels Highly limited configuration languages Usually limited to static configuration Cannot react to past behavior Must often fall back to ad-hoc coding Fragile, hard to validate 6

7 Domain-Specific Languages to the rescue! Design a domain-specific policy language specification generating implementations testing static analysis (But not just for security policies...) cf. Ponder, PDL, ASL, FML, JRules,... 7

8 SUPPL Simple Unified Policy Programming Language Event-Condition-Action (ECA) policies Full-featured programming language Supports combining of policies Supports static conflict detection (Domain-neutral) (Modest performance goals) 8

9 Event-Condition-Action Policies 9

10 SUPPL Language Elements condition evaluation pure logic-programming event/action handling imperative code Like Prolog, but with strong type and mode disciplines Precise interface with surrounding environment Locally stateless style; data tables for handling stateful policies 10

11 Connection service: interface primitive type principal. data ip4address ::= ip(number, number, number, number). event connectrequest { who : principal, src : ip4address, dest : ip4address }. event hostbehavesbadly (ip4address). action allow. action deny(string). % include reason for denial 11

12 Connection service: predicates and handlers predicate connectionauthorized(principal in, ip4address in). connectionauthorized(princ, DEST) :- DEST = ip(192,168,0,1). connectionauthorized(princ, DEST) :- domain(dest,dom), administrator(princ,dom). primitive predicate administrator(principal in, number in). predicate domain(ip4address in, number out). domain(ip(a, B, C, D), N) :- A = N. handle connectrequest {who:?p, src:?saddr, dest:?daddr} => query connectionauthorized(p,daddr) => allow; _ => deny("connection not authorized"); end; end. 12

13 Firewall connection service: data tables table blacklisted (ip4address,string) key (in,out) lifetime % ms = 1 min handle hostbehavesbadly(?addr) => queue insert (ADDR,"is badguy") into blacklisted; end. handle connectrequest {who:?p, src:?saddr, dest:?daddr} => query connectionauthorized(p,daddr) => query blacklisted(saddr,?why) => deny(why); _ => allow; end; _ => deny("connection not authorized"); end; end. 13

14 Types, modes, terms, clauses, queries t ::= Type id named type X, Y, Z, type variables list(t) list set(t) finite set map(t 1,t 2 ) finite map t 1 t n tuple type number numeric type string string type o ::= Mode in out ignore c ::= Clause m 1 = m 2 m 1 <> m 2 (dis)equality m 1 <= m 2 m 1 <m 2 comparisons m 1 >= m 2 m 1 >m 2 id (m 1,,m n ) predicate c 1 c 2 disjunction c 1,c 2 conjunction not c logical negation c 1 -> c 2 implication findall(m, g, X) find all m ::= Term "literal", strings 10, 3.14, 2.9e8, numbers X, Y, Z, variables?x,?y,?z, variable bindings _ anonymous variable id (m 1,,m n ) function call m 1 + m 2 m 1 m 2 numeric operations m 1 m 2 m 1 /m 2 ~m numeric negation [ ] empty list [m 1,,m n ] concrete list [m 1 m 2 ] list cons cell (m 1,,m n ) tuple g ::= id (m 1,,m n ) Goal q ::= Query m 1 = m 2 m 1 <> m 2 (dis)equality m 1 <= m 2 m 1 <m 2 comparisions m 1 >= m 2 m 1 >m 2 id (m 1,,m n ) predicate query q 1,q 2 conjunction query not c negation query 14

15 Handler bodies and declarations b ::= Handler Body b 1 b 2 sequence id (m 1,,m n ); procedure or action queue insert(m 1,,m n ) table insert into id ; queue delete(m 1,,m n ) table delete from id ; skip; noop query multibranch query q 1 => b 1 ; q n => b n ; end; foreach q => b end; foreach query d ::= Declaration primitive type id. prim type decl type id := t. type decl data id ::= data type decl id (t 1,,t n ) id (t 1,,t n ). event id (t 1,,t n ). event decl action id (t 1,,t n ). action decl procedure id (t 1,,t n ). procedure decl primitive function prim function decl id (t 1,,t n ) yields t. predicate id predicate decl (t 1 o 1?,,t n o n?). primitive predicate id primtive pred decl (t 1 o 1?,,t n o n?). mode id (o 1,,o n ). mode decl table id (t 1,,t n ) table decl key (o 1,,o n ) (lifetime int )?. index id (o 1,,o n ). index decl g :- c. rule handle id (?X 1,,?X n ) event handler => b end. define procedure procedure defn id (?X 1,,?X n ) := b end. axiom c. axiom decl lemma c. lemma decl 15

16 Type system highlights Built-in types for strings, numbers, lists, finite sets and finite maps User-definable type abbreviations and MLstyle algebraic types Predicates, functions, events, etc. require type declarations Types are inferred in rule and handler bodies Hindley-Milner polymorphism for predicates and functions 16

17 Mode system highlights Modes ensure that arguments are always fully instantiated ground data (no variables). In mode: the argument must be instantiated before the call Out mode: argument will be instantiated after call Predicate mode(s) must be declared 17

18 Comparison to Prolog Very similar syntax for rules Standard operational semantics based on SLDNF resolution Turing-complete via recursive predicates X SUPPL is strongly typed and moded X SUPPL rules are side-effect free X SUPPL has no nonlogical cut operator X SUPPL has call-by-value semantics for evaluable functions and numeric operators (no is needed) 18

19 Prototype Implementation 19

20 Static conflict detection Policies may contain conflicts One event triggers two inconsistent actions e.g. both allowing and denying a request Some systems attempt dynamic conflict resolution Based on priorities, or other meta-policies Inherently fragile and and hard to understand SUPPL approach: detect and fix conflicts statically 20

21 Example conflict % Existing handler handle connectrequest {who:?p, src:?saddr, dest:?daddr} => query connectionauthorized(p,daddr) => allow; _ => deny("connection not authorized"); end; end. % Suppose new administrator adds this: primitive predicate superuser(principal in). handle connectrequest {who:?p, src:?saddr, dest:?daddr} => query superuser(p) => allow; end; end. 21

22 Example conflict conflict definition conflict allow, deny(_). handle connectrequest {who:?p, src:?saddr, dest:?daddr} => query connectionauthorized(p,daddr) => allow; _ => deny("connection not authorized"); end; end. primitive predicate superuser(principal in). handle connectrequest {who:?p, src:?saddr, dest:?daddr} => query superuser(p) => allow; end; end. 22

23 When can conflict occur? conflict allow, deny(_). query must fail handle connectrequest {who:?p, src:?saddr, dest:?daddr} => query connectionauthorized(p,daddr) => allow; _ => deny("connection not authorized"); end; end. primitive predicate superuser(principal in). query must succeed handle connectrequest {who:?p, src:?saddr, dest:?daddr} => query superuser(p) => allow; end; end. control flow + predicate satisfiability 23

24 Conflict detection: verification formulae Render conflict condition as first-order logic formula......in context of axioms characterizing (nonprimitive) predicates and table keys If formula is satisfiable, the conflict might actually occur so report to user If formula is unsatisfiable, the conflict is definitely impossible so keep quiet 24

25 Encoding control flow conflict allow, deny(_). handle connectrequest {who:?p, src:?saddr, dest:?daddr} => query connectionauthorized(p,daddr) => allow; _ => deny("connection not authorized"); end; end. primitive predicate superuser(principal in). handle connectrequest {who:?p, src:?saddr, dest:?daddr} => query superuser(p) => allow; end; end. 25

26 Encoding control flow conflict allow, deny(_). handle connectrequest {who:?p, src:?saddr, dest:?daddr} => query connectionauthorized(p,daddr) => allow; _ => deny("connection not authorized"); end; end. p,d. connectionauthorized p d primitive predicate superuser(principal in). superuser p handle connectrequest {who:?p, src:?saddr, dest:?daddr} => query superuser(p) => allow; end; end. 25

27 Encoding predicates predicate connectionauthorized(principal in, ip4address in). connectionauthorized(princ, DEST) :- DEST = ip(192,168,0,1). connectionauthorized(princ, DEST) :- domain(dest,dom), administrator(princ,dom). primitive predicate administrator(principal in, number in). predicate domain(ip4address in, number out). domain(ip(a, B, C, D), N) :- A = N. table blacklisted (ip4address,string) key (in,out) lifetime % ms = 1 min 26

28 Encoding predicates predicate connectionauthorized(principal in, ip4address in). connectionauthorized(princ, DEST) :- DEST = ip(192,168,0,1). connectionauthorized(princ, DEST) :- domain(dest,dom), administrator(princ,dom). primitive predicate administrator(principal in, number in). predicate domain(ip4address in, number out). domain(ip(a, B, C, D), N) :- A = N. connectionauthorized p d := d = ip(192,168,0,1) table blacklisted (ip4address,string) key (in,out) lifetime % ms = 1 min ( x.domain d x administrator p x) 26

29 Encoding predicates predicate connectionauthorized(principal in, ip4address in). domain d c := connectionauthorized(princ, DEST) :- DEST = ip(192,168,0,1). connectionauthorized(princ, DEST) :- domain(dest,dom), administrator(princ,dom). c1,c2,c3,c4. d = ip(c1,c2,c3,c4) c = c4 primitive predicate administrator(principal in, number in). predicate domain(ip4address in, number out). domain(ip(a, B, C, D), N) :- A = N. table blacklisted (ip4address,string) key (in,out) lifetime % ms = 1 min 27

30 Encoding predicates predicate connectionauthorized(principal in, ip4address in). administrator p d: uninterpreted connectionauthorized(princ, DEST) :- DEST = ip(192,168,0,1). connectionauthorized(princ, DEST) :- domain(dest,dom), administrator(princ,dom). primitive predicate administrator(principal in, number in). predicate domain(ip4address in, number out). domain(ip(a, B, C, D), N) :- A = N. table blacklisted (ip4address,string) key (in,out) lifetime % ms = 1 min 28

31 Encoding predicates predicate connectionauthorized(principal in, ip4address in). blacklisted a s: uninterpreted connectionauthorized(princ, DEST) :- DEST = ip(192,168,0,1). forall k d1 d2, connectionauthorized(princ, DEST) :- domain(dest,dom), administrator(princ,dom). blacklisted k d1 blacklisted k d2 d1 = d2 primitive predicate administrator(principal in, number in). predicate domain(ip4address in, number out). domain(ip(a, B, C, D), N) :- A = N. table blacklisted (ip4address,string) key (in,out) lifetime % ms = 1 min 29

32 Fixing conflicts One way to fix the conflict is to change the SUPPL policy by adding the following clause: connection_authorized(princ,dest) :- superuser(princ) 30

33 Fixing conflicts One way to fix the conflict is to change the SUPPL policy by adding the following clause: connection_authorized(princ,dest) :- superuser(princ) connectionauthorized p d := d = ip(192,168,0,1) ( x.domain d x administrator p x) superuser p Conflict formula is now unsatisfiable 30

34 Generating conflict formulae Find all control flow paths through the program, from event to action For each pair of paths that might be executed in response to a single event, generate a formula representing a potential conflict Being careful about quantifiers Have formalized this process for the core event handling language and proven it sound 31

35 Checking formulae Give the formulae to a standard SMT solver Currently done via Why3 Just a formula, not a Why3 program Allows flexible choice of backends Handles polymorphism, some built-in types CVC4, Alt-Ergo seem to be best provers for us 32

36 Why3 Example theory Background type principal type ip4address = IP real real real real predicate administrator principal real predicate superuser principal predicate domain (a1:ip4address) (a2:real) = exists (x1 x2 x3 x4 : real). a1 = IP x1 x2 x3 x4 /\ x1 = a2 predicate connectionauthorized (a1:principal) (a2:ip4address) = (exists x1. domain a2 x1 /\ administrator a1 x1) \/ a1 = IP end theory Conflict0 use import Background function p : principal function dst : ip4address Axiom conflict: superuser p /\ not (connectionauthorized p dst) Goal impossible: false end 33

37 Feedback to user Currently via highlighted html prettyprinted from SUPPL source [demo] Currently working to improve specificity of feedback Would like to get models back from provers to instantiate variables in conflict 34

38 False positives If analysis reports no conflicts, there are none Converse definitely untrue! False positives due to Uninterpreted predicates, tables Recursive predicates Prover incompleteness or timeout User can eliminate by passing hints to prover 35

39 Vocabulary of prover hints axiom : assertion about predicates or tables lemma : assertion about predicates or tables which we ask prover to confirms presume : assertion about events forbid: assertion about actions All very dangerous! but we do ask prover to find inconsistencies 36

40 SUPPL: Summary A domain-neutral language for programming ECA policies. Unusual combination of pure logic programming + imperative wrapper + data tables Designed to support static error and conflict checking 37

41 SUPPL: Status Prototype implementation compiles and runs simple policies for an active proxying firewall the SOUND research network platform Language details in APLAS14 paper Have initial implementation (and proofs of correctness) of conflict analysis [JFLA submission] Software is released under open-source license 38

42 web.cecs.pdx.edu/~rdockins/suppl Thanks! Questions? 39