RE-TRUST Design Alternatives on JVM



Similar documents
RE-TRUST. PoliTO Prototypes Overview. Paolo Falcarin, Stefano DiCarlo Alessandro Cabutto, Nicola Garazzino, Davide Barberis

Decomposition into Parts. Software Engineering, Lecture 4. Data and Function Cohesion. Allocation of Functions and Data. Component Interfaces

90% of data breaches are caused by software vulnerabilities.

Remote Pointcut - A Language Construct for Distributed AOP

QUIRE: : Lightweight Provenance for Smart Phone Operating Systems

Restraining Execution Environments

Homeland Security Red Teaming

Savitribai Phule Pune University

Embedded Java & Secure Element for high security in IoT systems

JAVA 2 Network Security

Ciphire Mail. Abstract

Virtual Machine Security

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

2 Introduction to Java. Introduction to Programming 1 1

Jonathan Worthington Scarborough Linux User Group

Chapter 3 Operating-System Structures

Running Secure Server Software on Insecure Hardware without a Parachute

CPA SECURITY CHARACTERISTIC SECURE VOIP CLIENT

Overview. SSL Cryptography Overview CHAPTER 1

Understanding and Integrating KODAK Picture Authentication Cameras

A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1

Second year review WP2 overview SW-based Method. Trento - October 17th, 2008

How to Secure Infrastructure Clouds with Trusted Computing Technologies

Example of Standard API

[SMO-SFO-ICO-PE-046-GU-

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Verfahren zur Absicherung von Apps. Dr. Ullrich Martini IHK,

System Structures. Services Interface Structure

Implementing Cisco IOS Network Security

Instrumentation Software Profiling

ARM-BASED PERFORMANCE MONITORING FOR THE ECLIPSE PLATFORM

JavaCard. Java Card - old vs new

A Framework for Secure and Verifiable Logging in Public Communication Networks

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

The Value of Physical Memory for Incident Response

Opportunistic Security

Threat Model for Software Reconfigurable Communications Systems

Patterns for Secure Boot and Secure Storage in Computer Systems

Cloud Computing. Up until now

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Blackbox Android. Breaking Enterprise Class Applications and Secure Containers. Marc Blanchou Mathew Solnik 10/13/

UNCLASSIFIED CPA SECURITY CHARACTERISTIC REMOTE DESKTOP. Version 1.0. Crown Copyright 2011 All Rights Reserved

W ith an estimated 14 billion devices connected to

Summary of the SEED Labs For Authors and Publishers

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

SENSE Security overview 2014

Lecture 7: Class design for security

Designing and Coding Secure Systems

CPA SECURITY CHARACTERISTIC TLS VPN FOR REMOTE WORKING SOFTWARE CLIENT

Textbooks: Matt Bishop, Introduction to Computer Security, Addison-Wesley, November 5, 2004, ISBN

Security Overview for Windows Vista. Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Client Server Registration Protocol

CPA SECURITY CHARACTERISTIC ENTERPRISE MANAGEMENT OF DATA AT REST ENCRYPTION

Mobility Introduction Android. Duration 16 Working days Start Date 1 st Oct 2013

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

IINS Implementing Cisco Network Security 3.0 (IINS)

Enabling SSL and Client Certificates on the SAP J2EE Engine

Peer-to-peer Cooperative Backup System

Data Storage Security in Cloud Computing

Lecture Overview. INF3510 Information Security Spring Lecture 4 Computer Security. Meaningless transport defences when endpoints are insecure

User. Role. Privilege. Environment. Checkpoint. System

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD

Payment Card Industry (PCI) Terminal Software Security. Best Practices

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

Authorize.net modules for oscommerce Online Merchant.

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

Bypassing Memory Protections: The Future of Exploitation

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Security Guide. BlackBerry Enterprise Service 12. for BlackBerry. Version 12.0

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Chapter 3: Operating-System Structures. Common System Components

UNCLASSIFIED Version 1.0 May 2012

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Secure Network Communications FIPS Non Proprietary Security Policy

Computer and Network Security

Dell Client BIOS: Signed Firmware Update

Chapter 2 System Structures

This is DEEPerent: Tracking App behaviors with (Nothing changed) phone for Evasive android malware

.NET and J2EE Intro to Software Engineering

Analysis of advanced issues in mobile security in android operating system

Research and Design of Universal and Open Software Development Platform for Digital Home

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Monitoring, Tracing, Debugging (Under Construction)

AGENDA. Background. The Attack Surface. Case Studies. Binary Protections. Bypasses. Conclusions

SAFECode Security Development Lifecycle (SDL)

CycurHSM An Automotive-qualified Software Stack for Hardware Security Modules

JAVA WEB START OVERVIEW

Replication on Virtual Machines

CPA SECURITY CHARACTERISTIC MIKEY-SAKKE SECURE VOIP GATEWAY

FIPS Non-Proprietary Security Policy. IBM Internet Security Systems SiteProtector Cryptographic Module (Version 1.0)

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Chapter 10. Cloud Security Mechanisms

PHOENIX: SECURE FILE TRANSFER USING SSL

PrivyLink Cryptographic Key Server *

Evaluation of Alternative Instrumentation Frameworks

Session ID: Session Classification:

ERserver. iseries. Secure Sockets Layer (SSL)

Transcription:

RE-TRUST Design Alternatives on JVM ( - Italy) paolo.falcarin@polito.it http://softeng.polito.it/falcarin Trento, December, 19 th 2006 Tamper-Detection Tamper-detection goals Detect malicious modifications to program Cause the program to fail if modified Check the executable version itself E.g., compare program with a hash of itself Self-checking relies on code checkers whose position is hidden in the application whose behavior is often obfuscated Trento 19 Dec. 2006 2

Issues on self-checking However, no technique can prevent all attacks Goal is to increase the cost for the attacker Current self-checking techniques: bundled within the application can be identified and disabled Nobody will notice!!! Trento 19 Dec. 2006 3 RE-TRUST approach Two main benefits: remote verification that self-checking has been performed continuous replacement of selfchecking code 2 Prototypes implemented: Using Dynamic AOP Using JVMTI Trento 19 Dec. 2006 4

Prototype(s) Chat Client TFlow Server UNTRUSTED ENTRUSTER SERVICE Chat Server Trento 19 Dec. 2006 5 Prototype 1: Dynamic Aspect Chat Client DynUntrusted AOP runtime environment load TrustedFlow Aspect Factory Chat Server Code Checker and Tag Generator (aspect) replace Aspect Manager Tag Checker Msg Tag Trento 19 Dec. 2006 6

Aspect-Oriented Programming Trento 19 Dec. 2006 7 Aspect Weaving Aspect is extra-code that modularizes the implementation of a crosscutting concern The final code is obtained by weaving base code and aspect code At compile time with an aspect compiler At run time with a dynamic-aop JVM Trento 19 Dec. 2006 8

Why AOP? Aspect Oriented Programming (AOP) Modularizes self-checking code Aspect has a privileged view on the whole code Trusted Tag generator in dynamic aspect It can be continuously updated Client code is NOT aspect-aware Trento 19 Dec. 2006 9 Dynamic AOP with PROSE PROSE is an extension to standard JVM with dynamic AOP features Aspects can be remotely added/removed at run-time In PROSE terminology: An Aspect is a Java class It contains many Crosscut objects A crosscut is a pointcut-advice pair Trento 19 Dec. 2006 10

The Tag Generator Crosscut public Crosscut taggenerator = new MethodCut() { public void METHOD_ARGS(PrintWriter p, String msg) { StringBuffer tag = new StringBuffer(msg); tag.append( crypt( counter, key )); tag = hash(tag); p.println(tag); p.println(counter); p.flush(); counter++; } protected PointCutter pointcutter() { PointCutter socket = Within.method("println").AND(type("PrintWriter")); return Executions.before().AND(socket); } }; Trento 19 Dec. 2006 12 Bytecode checking Using BCEL Java library Extract the actual method signature and class name. Keyed-hash of bytecode method is compared with the original one If they differ the key is nullified =>The tag generator sends wrong tags =>The server detects tampering Trento 19 Dec. 2006 13

The Bytecode Checker Crosscut public Crosscut bytecodechecker = new MethodCut() { public void METHOD_ARGS(ANY x, REST pp) { String classname = thisjoinpoint().getthis().getclass().getname(); String method = thisjoinpoint().getsignature(); if (!checkbytecode(classname, method)) key=null; } protected PointCutter pointcutter() { return Executions.before(). AND(Within.packageTypes("it.polito.chat.*")); } }; Trento 19 Dec. 2006 14 Sandbox Java "sandbox" restricts the operations an application can do. protecting from hostile programs downloaded from un-trusted servers We face with the dual problem: The trusted aspects sent by the trusted server cannot trust the environment they will be deployed in. Deployed aspect forbids many dangerous activities to the running application. Trento 19 Dec. 2006 15

The Sandbox Crosscut public Crosscut shield = new MethodCut() { public void METHOD_ARGS(ANY x, REST pp) { key=null; } protected PointCutter pointcutter() { PointCutter native = Within.method(NATIVE_MODIFIER); PointCutter fork = Within.method("exec").AND(type("java.lang.Runtime")); PointCutter loader = Within.subType("java.lang.ClassLoader")). AND(NOT(Within.type( java.security.secureclassloader )); return Executions.before().AND(native.OR(fork).OR(loader)); } }; Trento 19 Dec. 2006 16 Prototype 2: JVMTI Client (e.g. Chat Client) + Execution monitor CLIENT Code Checker (agent) auth update Agent manager SERVER Server (e.g. Chat Server) + Tag checker Tag Generator (agent) update Msg Tag Trento 19 Dec. 2006 17

Prototype 2 (JVMTI) Execution interception with JVMTI Run JVM (Java 5) in agent mode An agent plugged-in using the JNI interface It downloads module libraries at run-time Transparent tag insertion Call to socket write are intercepted And Data buffer is tagged Method entry is monitored Method byte-code is continuously verified With JVMTI also program s memory can be accessed Trento 19 Dec. 2006 18 Tag generation Tag is uid:counter:sign:plainmsg Where uid is ip:port Counter-mode block cipher Crypt: Blowfish Hash: sha-1 counter msg Crypt key Concat Hash signature Trento 19 Dec. 2006 19

Integrity check Module contains List of crypto hashes (each method) Symmetric key Keyed hash recomputed each time a method is called Hash compared with good copy Trento 19 Dec. 2006 20 Threats: Disablement Dynamic Module allows: integrity-checking code better modularized Clearly separated from client It is inserted at run-time Disabling checking =>stops tag generation =>tampering detected by TFC =>server can block untrusted client Trento 19 Dec. 2006 21

Threats: Replacement Discovery of secret key to create correct tags Replace aspect to disable checking but sending correct tags: Attacker must obtain module code (coming at run-time) Replacement must be applied before TTG expires New module checks previous one Trento 19 Dec. 2006 22 Safety features of the JVM Unspecified memory layout: JVM stores Application in different data areas Java stacks (one for each thread) A method area where bytecodes are stored A heap, where objects created are stored When the JVM loads a class file, it decides where to store the bytecodes. An attacker cannot predict where the class data will be stored The way in which a JVM lays out its inner data depends on JVM implementation Trento 19 Dec. 2006 23

Threats: debuggers Dynamic AOP relies on debugger Prototype2 relies on JVMTI In both cases attackers cannot run client in debug mode Is this enough to thwart them? Attacker should be smart to discover the checker behavior Difficult access to mobile code Automating this attack before a new module arrives is not trivial Trento 19 Dec. 2006 24 Open issues: platform All software-based techniques rely on an un-trusted external platform: the JVM, the O.S., the hardware. This is a problem for ALL integrity-checking techniques Our Prototype could (?) check authenticity of: underlying VM O.S. & HW configuration Trento 19 Dec. 2006 25

Conclusions The aspect/agent checker is: Not bundled within application Its strategy is not visible through static code analysis Easily configurable Can check previously installed ones Could check the platform itself Trento 19 Dec. 2006 26 Possible Enhancements Module obfuscation Module factory Server authentication Network protocol design Measures O.S. configuration checking Integration with HW Hiding key with White-box Cryptography Trento 19 Dec. 2006 27

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information