Fabio Massacci Ida Siahaan



Similar documents
A Security Architecture for Web 2.0 Applications

How Program Monitors Enforce Non-Safety

A Runtime Monitoring Environment for Mobile Java

Enforcing Security Policies. Rahul Gera

Software Engineering using Formal Methods

Run-Time Monitors and Security Policy

Provably Correct Inline Monitoring for. Multithreaded Java-like Programs

The Model Checker SPIN

Computability Classes for Enforcement Mechanisms*

Fundamentals of Software Engineering

The Advantages of Using an Inliner

History-based Access Control with Local Policies

Habanero Extreme Scale Software Research Project

Formal Verification by Model Checking

ARIZONA CTE CAREER PREPARATION STANDARDS & MEASUREMENT CRITERIA SOFTWARE DEVELOPMENT,

Formal Verification of Software

Driving force. What future software needs. Potential research topics

TPCalc : a throughput calculator for computer architecture studies

Algorithmic Software Verification

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

Jieh Hsiang Department of Computer Science State University of New York Stony brook, NY 11794

Software Model Checking: Theory and Practice

An Exception Monitoring System for Java

T Reactive Systems: Introduction and Finite State Automata

CORRELATED TO THE SOUTH CAROLINA COLLEGE AND CAREER-READY FOUNDATIONS IN ALGEBRA

Regression Verification: Status Report

A Service-oriented Approach to Mobile Code Security

GameTime: A Toolkit for Timing Analysis of Software

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

A Thread Monitoring System for Multithreaded Java Programs

A Classification of Model Checking-based Verification Approaches for Software Models

South Carolina College- and Career-Ready (SCCCR) Algebra 1

Runtime Verification for Real-Time Automotive Embedded Software

Fabio Patrizi DIS Sapienza - University of Rome

Objects for lexical analysis

Unified Static and Runtime Verification of Object-Oriented Software

INF5140: Specification and Verification of Parallel Systems

AP Computer Science AB Syllabus 1

Testing LTL Formula Translation into Büchi Automata

Reconfigurable Architecture Requirements for Co-Designed Virtual Machines

Security Monitor Inlining for Multithreaded Java

Formal Verification Toolkit for Requirements and Early Design Stages

Virtualization Technologies (ENCS 691K Chapter 3)

Towards Software Configuration Management for Test-Driven Development

Chapter 2 Addendum (More on Virtualization)

Cassandra. References:

Pushing the Envelope of Optimization Modulo Theories with Linear-Arithmetic Cost Functions

StaRVOOrS: A Tool for Combined Static and Runtime Verification of Java

Monitoring Metric First-order Temporal Properties

Algebra Unpacked Content For the new Common Core standards that will be effective in all North Carolina schools in the school year.

Automated Program Behavior Analysis

Bachelor of Games and Virtual Worlds (Programming) Subject and Course Summaries

ONLINE EXERCISE SYSTEM A Web-Based Tool for Administration and Automatic Correction of Exercises

A System for Interactive Authorization for Business Processes for Web Services

Trustworthy Software Systems

This unit will lay the groundwork for later units where the students will extend this knowledge to quadratic and exponential functions.

Integrating Formal Models into the Programming Languages Course

Automata Theory. Şubat 2006 Tuğrul Yılmaz Ankara Üniversitesi

Third Party Data Session Control in the Evolved Packet System

TATJA: A Test Automation Tool for Java Applets

A Theory of Secure Control Flow

Software Verification: Infinite-State Model Checking and Static Program

FAREY FRACTION BASED VECTOR PROCESSING FOR SECURE DATA TRANSMISSION

6.080/6.089 GITCS Feb 12, Lecture 3

Automated Formal Analysis of Internet Routing Systems

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Model Checking based Software Verification

Winter 2016 Course Timetable. Legend: TIME: M = Monday T = Tuesday W = Wednesday R = Thursday F = Friday BREATH: M = Methodology: RA = Research Area

CSC4510 AUTOMATA 2.1 Finite Automata: Examples and D efinitions Definitions

Runtime Verification - Monitor-oriented Programming - Monitor-based Runtime Reflection

Thomas Jefferson High School for Science and Technology Program of Studies Foundations of Computer Science. Unit of Study / Textbook Correlation

DNA Data and Program Representation. Alexandre David

Attack graph analysis using parallel algorithm

Eastern Washington University Department of Computer Science. Questionnaire for Prospective Masters in Computer Science Students

End-to-end Web Application Security

Automating Mimicry Attacks Using Static Binary Analysis

Datavetenskapligt Program (kandidat) Computer Science Programme (master)

Rigorous Software Development CSCI-GA

µz An Efficient Engine for Fixed points with Constraints

Transcription:

Inline-Reference Monitor Optimization using Automata Modulo Theory (AMT) Fabio Massacci Ida Siahaan 2009-09-24 STM09 - UNITN - Siahaan 1

Inlined Reference Monitors Security Policy Original Application IRM Rewriter Secured Application Policy Enforcement Toolkit (PoET) Implementing IRMs for Java Virtual Machine Language (JVML) applications Primary concern: trusted computing base (TCB) 17,500 loc Java source code U. Erlingsson, F. B. Schneider, IRM Enforcement of Java Stack Inspection, IEEE Symposium on Security and Privacy 2000 2009-09-24 STM09 - UNITN - Siahaan 2

Optimizing Security Policy or Rewriter Insert Security Automata Evaluate transitions Simplify Automata Compile Automata push r1 push r1 push r1 if state==q0 then state:=q1 else ABORT push r1 Security Automata SFI Implementation (SASI) Implementing IRMs for x86 and JVML Minimizing TCB by working at the level of object code Ulfar Erlingsson, Fred B. Schneider, SASI Enfocement of Security Policies: A Retrospective, New Security Paradigm Workshop 1999 2009-09-24 STM09 - UNITN - Siahaan 3

Optimizing Security Policy or Rewriter Trade off between moving more processes out of trusted part and the complexity of the whole process K. Hamlen, Security policy enforcement by automated programrewriting, Ph.D. thesis, Cornell University, 2006. Efficient IRM Enforcement a constrained representation of history-based access control policies exploit the structure of this policy representation extended into a distributed optimization protocol F. Yan, P.W.L. Fong, Efficient IRM Enforcement of History-Based Access Control Policies., ASIACCS 2009 2009-09-24 STM09 - UNITN - Siahaan 4

Security by Contract (SxC) SxC device view N. Bielova, N. Dragoni, F. Massacci, K. Naliuka, and I. Siahaan, Matching in security-by-contract for mobile code, J. of Logic and Algebraic Programming 2009 2009-09-24 STM09 - UNITN - Siahaan 5

IRM Optimization Given an (un)trusted code and a policy that a platform specifies to be inlined, how can we obtain an optimized IRM? 2009-09-24 STM09 - UNITN - Siahaan 6

Components of IRM Optimization Contract Extractor extract security relevant behaviors from code 2009-09-24 STM09 - UNITN - Siahaan 7

Components of IRM Optimization Claim Checker verify that the claimed contract complies to the code digitally signed by a trusted code provider 2009-09-24 STM09 - UNITN - Siahaan 8

Components of IRM Optimization Simulation Checker check a policy simulates a contract 2009-09-24 STM09 - UNITN - Siahaan 9

Components of IRM Optimization Optimizer discharge behaviors which are already enforced by code 2009-09-24 STM09 - UNITN - Siahaan 10

Components of IRM Optimization Rewriter inject policy to the code 2009-09-24 STM09 - UNITN - Siahaan 11

IRM Optimization Models 2009-09-24 STM09 - UNITN - Siahaan 12

Rewriter on Trusted part Model1: Contract Extractor on Trusted part 2009-09-24 STM09 - UNITN - Siahaan 13

Model6: Contract Extractor on Untrusted part Optimizer and Rewriter on Untrusted part 2009-09-24 STM09 - UNITN - Siahaan 14

Automata Modulo Theory (AMT) 2009-09-24 STM09 - UNITN - Siahaan 15

Security Automata A class of Büchi automata that accept safety properties (recognizers) a countable set Q of automaton states, a countable set Q 0 Q of initial automaton states, a countable set I of input symbols, and a transition function δ : (Q x Q ) 2 Q F. Schneider, Enforceable Security Policies, ACM Transactions on Information and System Security, Vol. 3, No. 1, February 2000 2009-09-24 STM09 - UNITN - Siahaan 16

Edit Automata Truncation automaton (recognizer) terminate application Suppression automaton (transducer) truncation automaton + suppress undesired or dangerous actions without necessarily terminating the program Insertion automaton (transducer) truncation automaton + insert additional actions into the event stream Edit automata = Suppression automaton + Insertion automaton Jay Ligatti, Lujo Bauer, David Walker, Enforcement Mechanisms for Run-time Security Policies?, Int J Inf Secur (2005) 4 2009-09-24 STM09 - UNITN - Siahaan 17

Automata Modulo Theory (AMT) AMT = Büchi automata + Satisability Modulo Theories (SMT) a set E of formulae in the language of the theory T as input symbols a finite set Q of automaton states, an initial state q 0 Q, a set F Q of accepting states, and a labeled transition function δ : (Q x E ) 2 Q F. Massacci, I. Siahaan, Matching midlet s security claims with a platform security policy using automata modulo theory., NordSec 07 2009-09-24 STM09 - UNITN - Siahaan 18

Satisability Modulo Theories (SMT) The problem of deciding the satisability of a first-order formula with respect to some decidable first-order theory T (SMT(T)) A Σ-theory is a set of first-order sentences with signature Σ Examples of theories of interest: Equality and Uninterpreted Functions (EUF), Linear Arithmetic (LA): both over the reals (LA(Q)) and the integers (LA(Z)) Examples of SMT tools: Z3 MathSAT Primary interest for SMT(T) when T is a combination of two or more theories T 1,...,T n. Example of an atom: f(x + 4y) = g(2x - y) R.Sebastiani, Lazy Satisability Modulo Theories, Journal on Satisability, Boolean Modeling and Computation 3 (2007) 141-224 2009-09-24 STM09 - UNITN - Siahaan 19

Example of AMT 2009-09-24 STM09 - UNITN - Siahaan 20

IRM Optimization using AMT 2009-09-24 STM09 - UNITN - Siahaan 21

Searching an Optimized Policy Given two automata C and P representing resp. the formal specification of a contract and of a policy, we have an efficient IRM OptP derived from P with respect to C when: every APIs invoked by the intersection of OptP and C can also be invoked by P [sound] OptP is smaller than P with respect to C [optimal] 2009-09-24 STM09 - UNITN - Siahaan 22

Contract-Policy Example Contract Policy 2009-09-24 STM09 - UNITN - Siahaan 23

Removes non existing actions Contract Policy Optimize 1 Policy 2009-09-24 STM09 - UNITN - Siahaan 24

Removes already promised actions Contract Optimize 1 Policy Optimize 2 Policy 2009-09-24 STM09 - UNITN - Siahaan 25

Future Work Implementation and study of IRM with or without optimization c pre cost c c opt t pre t dep time t use c.t use >> c pre.(t pre + t dep ) + c opt.(t use (t pre + t dep )) Assumption: t use >> t pre t us >> t dep 2009-09-24 STM09 - UNITN - Siahaan 26

Future Work Effect of changes both in frequency (how often a code modified) and size (how much a code modified). c pre cost c c opt t pre t dep t use t pre t dep t use time c.t use?? c pre.(t pre + t dep ) + c opt.(t use (t pre + t dep )) 2009-09-24 STM09 - UNITN - Siahaan 27

Thank you 2009-09-24 STM09 - UNITN - Siahaan 28

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information