Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE. The University of Tokyo

Similar documents
Simply-Typed Lambda Calculus

CCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs

Verification & Validation of Open Source

CSE Computer Security

Heap Arrays and Linked Lists. Steven R. Bagley

CSI33 Data Structures

Software Security: Vulnerability Analysis

Lecture 4 September Required reading materials for this class

CS 161 Computer Security

COS 320. Compiling Techniques

PIC 10A Pointers, Arrays, and Dynamic Memory Allocation. Ernest Ryu UCLA Mathematics

CSE 565 Computer Security Fall 2018

Formal methods for software security

MC: Meta-level Compilation

Static Analysis in C/C++ code with Polyspace

Pierce Ch. 3, 8, 11, 15. Type Systems

CSCI-GA Scripting Languages

CSE Computer Security (Fall 2006)

18-642: Code Style for Compilers

18-642: Code Style for Compilers

A brief introduction to C programming for Java programmers

Buffer overflow background

Lecture 9 Assertions and Error Handling CS240

Kurt Schmidt. October 30, 2018

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Software and Web Security 1. Root Cause Analysis. Abstractions Assumptions Trust. sws1 1

CS6202: Advanced Topics in Programming Languages and Systems Lecture 0 : Overview

Ironclad C++ A Library-Augmented Type-Safe Subset of C++

Practical Mostly-Static Information Flow Control. Andrew Myers MIT Lab for Computer Science

in memory: an evolution of attacks Mathias Payer Purdue University

An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C

C++ Programming: Polymorphism

CS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012

Topics Covered Thus Far CMSC 330: Organization of Programming Languages

Hacking in C. Pointers. Radboud University, Nijmegen, The Netherlands. Spring 2019

A Certified Non-Interference Java Bytecode Verifier

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Undefinedness and Non-determinism in C

Finding User/Kernel Pointer Bugs with Type Inference p.1

Lecture 13: Subtyping

Protection. Thierry Sans

Plan for Today. Safe Programming Languages. What is a secure programming language?

Control Flow. COMS W1007 Introduction to Computer Science. Christopher Conway 3 June 2003

Parameter passing. Programming in C. Important. Parameter passing... C implements call-by-value parameter passing. UVic SEng 265

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

CS 430 Spring Mike Lam, Professor. Data Types and Type Checking

Comp 11 Lectures. Mike Shah. June 26, Tufts University. Mike Shah (Tufts University) Comp 11 Lectures June 26, / 57

22c:111 Programming Language Concepts. Fall Types I

CSE 565 Computer Security Fall 2018

Secure Software Development: Theory and Practice

Combining Static and Dynamic Contract Checking for Curry

CMPSC 497 Other Memory Vulnerabilities

Structuring an Abstract Interpreter through Value and State Abstractions: EVA, an Evolved Value Analysis for Frama C

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

QUIZ. What is wrong with this code that uses default arguments?

Software Security: Buffer Overflow Defenses

CSE 374 Programming Concepts & Tools. Hal Perkins Spring 2010

Type Checking and Type Equality

Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

One-Slide Summary. Lecture Outline. Language Security

Pointer Basics. Lecture 13 COP 3014 Spring March 28, 2018

Chapter 1. Introduction

Module: Future of Secure Programming

Program Security and Vulnerabilities Class 2

Memory Safety (cont d) Software Security

Towards automated detection of buffer overrun vulnerabilities: a first step. NDSS 2000 Feb 3, 2000

Types. Type checking. Why Do We Need Type Systems? Types and Operations. What is a type? Consensus

CS 161 Computer Security

Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation

Data Types. Every program uses data, either explicitly or implicitly to arrive at a result.

Addressing Future Challenges in the Development of Safe and Secure Software Components The MathWorks, Inc. 1

This exam contains 7 pages (including this cover page) and 4 questions. Once we tell you to start, please check that no pages are missing.

SoK: Eternal War in Memory

Typed Assembly Language for Implementing OS Kernels in SMP/Multi-Core Environments with Interrupts

18-600: Recitation #3

CS61C : Machine Structures

Verification and Test with Model-Based Design

Language Security. Lecture 40

Proof Carrying Code(PCC)

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Name :. Roll No. :... Invigilator s Signature : INTRODUCTION TO PROGRAMMING. Time Allotted : 3 Hours Full Marks : 70

Software Security: Buffer Overflow Attacks (continued)

Agenda. Peer Instruction Question 1. Peer Instruction Answer 1. Peer Instruction Question 2 6/22/2011

Heap Arrays. Steven R. Bagley

Outline. 1 About the course

Integer overflows. Integer overflow types. Signed vs unsigned integers. Casting between different size integer types. Arithmetic wraparound

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

Low level security. Andrew Ruef

C and C++ Secure Coding 4-day course. Syllabus

Operational Semantics. One-Slide Summary. Lecture Outline

Module: Programming Language Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Software Security: Buffer Overflow Attacks

Reflections on using C(++) Root Cause Analysis

Hierarchical Pointer Analysis for Distributed Programs

Gradual Typing for Functional Languages. Jeremy Siek and Walid Taha (presented by Lindsey Kuper)

This exam contains 8 pages (including this cover page) and 4 questions. Once we tell you to start, please check that no pages are missing.

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Type Conversion. and. Statements

Static Analysis in Practice

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Transcription:

Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE The University of Tokyo furuse@yl.is.s.u-tokyo.ac.jp

e-society MEXT project toward secure and reliable software infrastructure for highly networked information society

e-society in Yonezawa lab. Related 3 sub projects: Safe language Secure existing programming languages and programs for system description (i.e. C/C++) Safe OS by typing Construct type secure OS kernel using TAL (typed assembly language) Safe OS by theorem prover Develop formal method to prove correctness of safe memory management using Coq theorem prover

Safe language sub-project Goal Securing existing C programs with minimum modifications by providing better compilers (VITC). Current threat Many security violation incidents and security hole alerts are reported around programs written in C language. Final disaster: security leaks.

VITC in spotlight Programs (written in C) survive attacks, once compiled by VITC (Vulnerability and Intrusion Tolerant Compilation) Memory safe Memory accesses are checked to prevent buffer overflow attacks. Information flow security Programs never leak secret information.

Memory safety in C Existing works: StackGuard By canary words NX-bit Approach from hardware CCured, Fail-Safe C, etc. Memory secure reimplementation of C compiler Range check for each memory access Optimization thanks to typing and pointer analysis

Safety by Failure They are all fail-safe: StackGuard NX-bit CCured, Fail-Safe C Detection of illegal memory access = Termination of program

Limitation of fail-safety Fail safety is secure, but not sufficient in some environment. The same attack now kill the program: Server programs are still vulnerable against DoS attacks. Non server programs are still unstable. The problem remains until bug fixes. Programs should survive attacks and continue to work. (Attack tolerance)

Attack tolerance Extending fail-safety to attack tolerance by boundless memory block[rinards]. Virtually infinite access range (no memory access error) Implemented by memory block extension on demand

Attack tolerance by boundless memory block f(char *user, char *pass) { char buf[256]; // This may cause buffer overflow sprintf(buf, "%s:%s", user, pass);... /* use of buf */ Buffer is extended when buffer overrun detected, as if it had larger size from the beginning. f(char *user, char *pass) { char buf[512]; // Buffer extended on demand sprintf(buf, "%s:%s", user, pass);... /* use of buf */ Very natural recovery from errors.

Wow, then, there is nothing to do! Answre is of course, No.

Attack tolerance needs more security Careless use of boundless block: new vulnerability! f(char *user, char *pass) { char buf[256 512]; sprintf(buf, "%s:%s", user, pass);... /* use of buf for secret data */ bzero(buf, 256 512);... /* use of buf for public data */ Secret information of the extended part may leak to public.

Our claim Information flow security is mandatory for attack tolerance: The final goal: protection of our privacy. Attack tolerance may introduce new security leaks, since it modifies program semantics. Such semantic modification is justified only if no security leak is assured.

VITC VITC = Attack tolerance by Memory safety + Information flow security They are mutual: Memory safety with boundless memory block Justified by information flow analysis. Information flow security by static typing Requires memory safety.

Information flow analysis by security typing for C

Information flow based security Track the flow of secure information in the program and detect suspicious leak of secrecy. Static typing A type-based approach: security typing [Volpano, Smith]. Non-interference Modifications of higher secret information must not be observed as the change of results of lower secrecy.

Why typing? Since it is automatic D.I.Y. security: You do not need: Ph.D to use theorem prover Knowledge of internals of the program All you need are: The source and the compiler security policy (small specifications of privacy) and some amount of luck.

Security typing Similar to the normal typing, but they talk about secrecy: Security labels l (L, ) Form a lattice L, such as {L, H} where L H. Type attached with security labels password : string H 3.141592 : float L Typing rules track down information flow Γ e 1 : int H Γ e 2 : int L Γ e 1 + e 2 : int H

Security typing in C: expressions C as a memory safe, imperative language: e ::= expressions n : t integer x : t variable e : t dereference e = e : t update (t)e : t cast e + e : t addition new(t) : t boundless allocation let x : t = e in e : t let binding

Security typing in C: types Types are lists of security labels: t ::= l t; l Ignoring the normal part of types: With normal part Formal type int H ptr L ptr L H; L; L The normal part C typing is boring. Functional types are treated separately. Structure members have the same type.

Types and casts Cast has been a big troublemaker of C programming. Cast is a troublemaker also in security typing. Modification of security labels by casts breaks non-interference: e : int H ptr L (int)e : int L? (int )(int)e : int? ptr L??? Solution: we do not allow casts of security labels.

Types and casts #2 Cast can change the normal part of types, but not security labels: e : int H ptr L (int)e :? H int L (int )(int)e : int H ptr L Even a mere integer type may have much longer security labels:? H? H? H? L int L (H; H; H; L; L)

Types and casts #3 Sometimes label sequence becomes infinite int *p; // t; l int length = 0; while (p!= NULL){ length++; p = (int*)*p; // t; l = t } Such types will be expressed as fixed points: µα.α; l.

Subtyping ( ) for labels is extended to subtype relation: l l l l l l t; l t; l The content type t of pointer types t; l is invariant, just like the subtyping of references.

Typing rules Quite straightforward (since we have omitted many): Γ n : t t Γ(x) Γ x : t Γ e : t t t Γ e : t Γ e : t ; l t t l t Γ e : t Γ e 1 : t; l Γ e 2 : t l t Γ e 1 = e 2 : t Γ e : t Γ (t)e : t Γ e 1 : t Γ e 2 : t Γ e 1 + e 2 : t Γ new(t) : t; l Γ e 1 : t Γ[x t] e 2 : t Γ let x = e 1 in e 2 : t l l l l, l t; l

Typing rules #2 Integer has any sequence of labels for interaction with pointers: Γ n : t Cast does nothing: Γ e : t Γ (t)e : t new(t) has a pointer type t; l: Γ new(t) : t; l

More on typing (what I omitted today) Implicit flow so called pc Stop security leaks due to conditionals: if secret H then x = 0 L else x = 1 L Function types with effects For flows produced by side effects inside functions Polymorphism For genericity of functions Type inference Constraint based system

Future work Measure impact of the new typing Cast typing may be too restrictive. Need to check using various examples. Allowing casts of security types with dynamic typing. Interaction with OS security information Dynamic security policies obtained from OS Dynamic checking Risk of new implicit information flow by run-time checks. Dependent types will be one of the keys.

Yet more: Auto-securing of C programs Memory safe C compilers produce memory safe programs without any fix of the C source code. Possible also for information flow security? Idea: Closing security leaks from H to L by replacing secret data by something lower: let f x = print "your message is "; print x f "hello" L your message is hello f password H your message is <secret> let f x l = print "your message is "; if l = L then print x else print "<secret>"

Conclusion VITC is C program compilation: Memory safe No more memory vulnerability attacks such as buffer overflow Attack tolerance Programs can survive attacks. Information flow security Programs never leak secret information, even if they are attacked.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback