Upload File

modular program monitors david walker princeton university (joint work with lujo bauer and jay...

  • Home
  • Documents
  • Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)
21
Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Upload: horace-rose

Post on 17-Dec-2015

217 views

Category:

Documents


3 download

Report

Tags:

TRANSCRIPT

Page 1: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Program Monitors

David WalkerPrinceton University

(joint work with Lujo Bauer and Jay Ligatti)

Page 2: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

Program Monitors

• A program monitor is a coroutine that runs in parallel with an untrusted application– monitors process security-relevant actions

• decide to allow/disallow application actions• may terminate or suspend application execution

– monitors detect, prevent, and recover from erroneous or malicious applications at run time

Page 3: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

Simple Monitor Structure

• Monitors have 3 components– set of security-relevant application

actions– security state– computation

a

Access Control Monitor

fopenfclose

actions

acl

state computation

acl lookup

Page 4: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

Polymer Project

• Polymer– An extension of Java designed to

simplify construction of run-time program monitors

• Design methodology– A formula for producing well-

structured, easy-to-understand, easy-to-modify monitors

Page 5: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

Policy Architecture: The Problem

Java corePolymer language extensions

HostSystem(Java)

Program Monitor Definition

Untrusted application

Page 6: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

Policy Architecture: Simple Policies

Java corePolymer language extensions

HostSystem(Java)

SimplePolicyDef.

systeminterface

Page 7: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

class limitFiles extends Policy { private int openFiles = 0; private int maxOpen = 0; limitFiles(int max) { maxOpen = max; }

....

}

A Simple Polymer Policy

private policy state,protected from malicious applications

policy constructor

Page 8: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

class limitFiles extends Policy { private int openFiles = ... private int maxOpen = ...

private ActionSet actions = new ActionSet( new String[] {“fileOpen(String)”, “fileClose()”} ); ....

}

A Simple Polymer Policy Continued

set of policy-relevant methods

Page 9: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

class limitFiles extends Policy { private ActionSet actions = ... private int openFiles = ... private int maxOpen = ... Suggestion step(Action a) { aswitch (a) { case fileOpen(String s) : if (++openFiles <= maxOpen) return Suggestion.OK(); else return Suggestion.Halt(); case fileClose() : ...

A Simple Polymer Policy Continued

policybehaviour

Page 10: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

class limitFiles extends Policy { private ActionSet actions = ... private int openFiles = ... private int maxOpen = ... Suggestion step(Action a) { aswitch (a) { case fileOpen(String s) : if (++openFiles <= maxOpen) return Suggestion.OK(); else return Suggestion.Halt(); case fileClose() : ...

A Simple Polymer Policy Continued

Page 11: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

class limitFiles extends Policy { private ActionSet actions = ... private int openFiles = ... private int maxOpen = ... Suggestion step(Action a) { aswitch (a) { case fileOpen(String s) : if (++openFiles <= maxOpen) return Suggestion.OK(); else return Suggestion.Halt(); case fileClose() : ...

A Simple Polymer Policy Continued

Page 12: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

class limitFiles extends Policy { private ActionSet actions = ... private int openFiles = ... private int maxOpen = ... Suggestion step(Action a) { aswitch (a) { case fileOpen(String s) : if (++openFiles <= maxOpen) return Suggestion.OK(); else return Suggestion.Halt(); case fileClose() : ...

A Simple Polymer Policy Continued

Page 13: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

Realistic Monitors

• Protect complex system interfaces– interfaces replicate functionality in many

different places– method parameters communicate

information in different forms– eg: Java file system interface

• 9 different methods to open files• 4 different methods to close files• filename strings, file objects, self used to

identify files

Page 14: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

Policy Architecture: Abstract Actions

Java corePolymer language extensions

HostSystem(Java)

AbstractActionDef.

concrete systeminterface

abstract systeminterface

SimplePolicyDef.

Page 15: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

Abstract Action Definitions

java.lang.io

FileReader(String fileName);FileReader(File file);RandomAccessFile(...);...

FileReader.close();RandomAccessFile.close();...

fileOpen(String n);

fileClose();

Page 16: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

Realistic Monitors

• Combine simple policies defined over a variety of different resources– eg: sample applet policy

• file system access control• bounds on bytes written and number of

files opened• restricted network access

– no access after file system read– communication with applet source only

Page 17: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

Policy Architecture:Complex Policies

Java corePolymer language extensions

HostSystem(Java)

AbstractActionDef.

SimplePolicyDef.

PolicyComb.Def.

Complex, System-specific Policy

concrete systeminterface

abstract systeminterface

Page 18: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

Policy Combinators

• Conjunction, Disjunction, Chinese wall,...

s1 s2

Conjunctive Policy

P1 P2

s

Page 19: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

Related Work

• Aspect-oriented programming– New polymer features:

• first-class suggestions, abstract actions, action patterns, policy combinators, policy architecture, formal semantics

• Monitoring languages• Poet and Pslang, Naccio, Ariel, Spin Kernel

• Logical monitoring specifications• MAC (temporal logic), Bigwig (second-order

monadic logic)

Page 20: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

Summary: Polymer

• First steps towards the design of a modern language for programming modular run-time security monitors

• For future software releases & papers see– www.cs.princeton.edu/sip/projects/

polymer/

Page 21: Modular Program Monitors David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Modular Run-time Program Monitors David Walker

End


Design and Evaluation of a Data-Driven Password Meterlbauer/papers/... · Design and Evaluation of a Data-Driven Password Meter Blase Ur*, Felicia Alfieri, Maung Aung, Lujo Bauer,

Gifs de lujo

LUJO-ALL NEGRO first edition,

Renaza by Bella Lujo

Warning Design Guidelines - cylab.cmu.edu · Lujo Bauer, Cristian Bravo-Lillo, Lorrie Cranor, and Elli Fragkaki flbauer,cbravo,lorrie,[email protected] Carnegie Mellon University February

Kaliman de Lujo Tomo1

Marketing Lujo

1 Composing Security Policies with Polymer Jay Ligatti (Princeton); joint work with: Lujo Bauer (CMU), David Walker (Princeton)

DEL LUJO TRADICIONAL AL LUJO EXPERIENCIAL: Sector de los

El Transcantabrico Gran Lujo 2011

Lujo E-Catalogue

Web security II - University Of Maryland security II With material from Dave Levin, Mike Hicks, Lujo Bauer, Collin Jackson Previously • Web basics • SQL injection Today • Stateful

Efficient Proving for Practical Distributed Access-Control ...reiter/papers/2007/ESORICS.pdf · Efficient Proving for Practical Distributed Access-Control Systems Lujo Bauer 1,

Que es lujo marketing de lujo liquid thinking - bacardi - mexico - junio de 2016

MAHMOOD SHARIF, SRUTI BHAGAVATULA, LUJO BAUER, … · 1:2 Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter contexts in which it is necessary to model additional

Poly stop a hacker David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Alpha Lujo Corporate Brochoure

Lujo Bauer Limin Jia Michael K. Reiter David Swasey March 17, …lbauer/papers/2009/cylabtr09... · 2012. 6. 20. · To gain access to doc1, Alice would then combine these statements

Enforceable Security Policies - inf.ethz.ch · PDF fileYou may play a movie at most three times after ... J. Ligatti, L. Bauer, and D. Walker, ACM Trans. Inf. Syst. Secur., 2009 A

El Transcantábrico-Gran Lujo

Software Security Monitors: Theory & Practice David Walker Princeton University (joint work with Lujo Bauer and Jay Ligatti)

Distributed System Security via Logical Frameworks Frank Pfenning Carnegie Mellon University Joint work with Lujo Bauer, Deepak Garg, and Mike Reiter

1 UCR Common Software Attacks EE 260: Architecture/Hardware Support for Security Slide credits: some slides from Dave O’halloran, Lujo Bauer (CMU) and

Web security: SQL - UMD Department of Computer … security: SQL Slides from • Michelle Mazurek 414-fall2016 •includes stuff from Dave Levin, Mike Hicks, Lujo Bauer • Dave Levin

Jay Ligatti and Srikar Reddy University of South Florida

EL TRANSCANTÁBRICO GRAN LUJO - Palace Tours

The State of Physical Attacks on Deep Learning Systems · Lujo Bauer Mila Jovovich (87%) Sharif et al., Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face

Distributed Proving in Access-Control Systemslbauer/papers/2005/sp2005-distributed... · Distributed Proving in Access-Control Systems∗ Lujo Bauer† Scott Garriss‡ Michael K

LUJO EN MARRAKECH - GOLF PASSION

Alpha Lujo Corporate

What you want is not what you get: Predicting sharing policies for text-based content on Facebook Arunesh Sinha*, Yan Li †, Lujo Bauer* *Carnegie Mellon

carros de lujo

Segmento Affluent & Lujo en México - LEXIA

Casa de lujo alej carlos

Lujo Bauer, Scott Garriss, Michael K. Reiter September 29 ... · logics that encode SPKI [4, 29, 23], SD3 [24], and the RT family of logics [30]. In Section 7, we discuss our ability