Modular Program Monitors
David Walker, Princeton University
(joint work with Lujo Bauer and Jay Ligatti)
Modular Run-time Program Monitors David Walker
Program Monitors
• A program monitor is a coroutine that runs in parallel with an untrusted application
  – monitors process security-relevant actions
    • decide to allow/disallow application actions
    • may terminate or suspend application execution
  – monitors detect, prevent, and recover from erroneous or malicious applications at run time
Simple Monitor Structure
• Monitors have 3 components
  – set of security-relevant application actions
  – security state
  – computation
[Diagram: Access Control Monitor. actions: fopen, fclose; state: acl; computation: acl lookup]
Polymer Project
• Polymer
  – An extension of Java designed to simplify construction of run-time program monitors
• Design methodology
  – A formula for producing well-structured, easy-to-understand, easy-to-modify monitors
Policy Architecture: The Problem
[Diagram: layered architecture. Java core / Polymer language extensions at the bottom; Host System (Java); Program Monitor Definition; Untrusted application at the top]
Policy Architecture: Simple Policies
[Diagram: Java core / Polymer language extensions; Host System (Java); a Simple Policy Def. attached to the host through the system interface]
A Simple Polymer Policy

    class limitFiles extends Policy {
      // private policy state, protected from malicious applications
      private int openFiles = 0;
      private int maxOpen = 0;

      // policy constructor
      limitFiles(int max) { maxOpen = max; }
      ....
    }
A Simple Polymer Policy Continued

    class limitFiles extends Policy {
      private int openFiles = ...
      private int maxOpen = ...

      // set of policy-relevant methods
      private ActionSet actions = new ActionSet(
        new String[] {"fileOpen(String)", "fileClose()"} );
      ....
    }
A Simple Polymer Policy Continued

    class limitFiles extends Policy {
      private ActionSet actions = ...
      private int openFiles = ...
      private int maxOpen = ...

      // policy behaviour: one suggestion per security-relevant action
      Suggestion step(Action a) {
        aswitch (a) {
          case fileOpen(String s) :
            if (++openFiles <= maxOpen) return Suggestion.OK();
            else return Suggestion.Halt();
          case fileClose() : ...
        }
      }
    }
Realistic Monitors
• Protect complex system interfaces
  – interfaces replicate functionality in many different places
  – method parameters communicate information in different forms
  – eg: Java file system interface
    • 9 different methods to open files
    • 4 different methods to close files
    • filename strings, file objects, self used to identify files
Policy Architecture: Abstract Actions
[Diagram: Java core / Polymer language extensions; Host System (Java); an Abstract Action Def. sits on the concrete system interface and exposes an abstract system interface, which the Simple Policy Def. is written against]
Abstract Action Definitions

  concrete interface (java.lang.io)                                        abstract action
  FileReader(String fileName); FileReader(File file); RandomAccessFile(...); ...   →  fileOpen(String n);
  FileReader.close(); RandomAccessFile.close(); ...                                →  fileClose();
Realistic Monitors
• Combine simple policies defined over a variety of different resources
  – eg: sample applet policy
    • file system access control
    • bounds on bytes written and number of files opened
    • restricted network access
      – no access after file system read
      – communication with applet source only
Policy Architecture: Complex Policies
[Diagram: Java core / Polymer language extensions; Host System (Java); Abstract Action Def. between the concrete system interface and the abstract system interface; several Simple Policy Defs. on top of it; a Policy Comb. Def. combining them into a Complex, System-specific Policy]
Policy Combinators
• Conjunction, Disjunction, Chinese wall, ...
[Diagram: Conjunctive Policy. Sub-policies P1 and P2 each produce a suggestion (s1, s2); the combinator merges them into a single suggestion s]
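The limitFiles policy, the abstract action table and the conjunctive combinator from the preceding slides, worked through as one added example. This is constructed Python, not Polymer's own code (Polymer extends Java), and it follows only the shape the slides show (a step method returning an OK or Halt suggestion), not Polymer's real API. The concrete method strings, the FileAcl and NoNetAfterRead policies, run_monitored, applet_policy, the allow-list and the sample trace are this example's own assumptions.

```python
# Toy Polymer-style monitor: abstract actions, simple policies and a conjunctive
# combinator. Constructed example, not Polymer's own code.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Suggestion:
    ok: bool            # True: let the action run; False: halt the application
    reason: str = ""

OK = Suggestion(True)

@dataclass(frozen=True)
class Action:
    name: str           # abstract action name, e.g. "fileOpen"
    args: Tuple = ()

# Abstract action definitions: many concrete methods collapse onto a few abstract actions,
# as on the slides. Method strings are this example's own convention; a File arg is its path.
ABSTRACT_ACTIONS: Dict[str, Callable[[Tuple], Action]] = {
    "java.io.FileReader.<init>(String)": lambda a: Action("fileOpen", (a[0],)),
    "java.io.FileReader.<init>(File)": lambda a: Action("fileOpen", (a[0],)),
    "java.io.RandomAccessFile.<init>(String,String)": lambda a: Action("fileOpen", (a[0],)),
    "java.io.FileReader.close()": lambda a: Action("fileClose"),
    "java.net.Socket.<init>(String,int)": lambda a: Action("netConnect", (a[0],)),
}

def abstract(method: str, args: Tuple) -> Optional[Action]:
    """Map a concrete call to its abstract action; None means not policy-relevant."""
    to_abstract = ABSTRACT_ACTIONS.get(method)
    return to_abstract(args) if to_abstract else None

class Policy:
    """Base class; every policy implements step(Action) -> Suggestion."""

class LimitFiles(Policy):
    """The slides' limitFiles policy: private state counts open files."""
    def __init__(self, max_open: int) -> None:
        self.open_files, self.max_open = 0, max_open
    def step(self, a: Action) -> Suggestion:
        if a.name == "fileOpen":
            self.open_files += 1
            return OK if self.open_files <= self.max_open else Suggestion(False, "too many open files")
        if a.name == "fileClose":
            self.open_files = max(0, self.open_files - 1)
        return OK

class FileAcl(Policy):
    """File system access control: only allow-listed paths may be opened."""
    def __init__(self, allowed: List[str]) -> None:
        self.allowed = set(allowed)
    def step(self, a: Action) -> Suggestion:
        if a.name == "fileOpen" and a.args[0] not in self.allowed:
            return Suggestion(False, f"acl denies {a.args[0]}")
        return OK

class NoNetAfterRead(Policy):
    """Applet rule from the slides: no network access after a file system read."""
    def __init__(self) -> None:
        self.read_file = False
    def step(self, a: Action) -> Suggestion:
        if a.name == "fileOpen":
            self.read_file = True
        if a.name == "netConnect" and self.read_file:
            return Suggestion(False, "network access after file system read")
        return OK

class Conjunction(Policy):
    """Combinator: an action is OK only if both sub-policies say OK."""
    def __init__(self, p1: Policy, p2: Policy) -> None:
        self.p1, self.p2 = p1, p2
    def step(self, a: Action) -> Suggestion:
        s1 = self.p1.step(a)
        return s1 if not s1.ok else self.p2.step(a)

def run_monitored(policy: Policy, trace: List[Tuple[str, Tuple]]
                  ) -> Tuple[List[str], Optional[Suggestion]]:
    """Feed concrete calls through the monitor; return the calls allowed to run and
    the halting suggestion, if any. Calls with no abstract action pass through."""
    executed: List[str] = []
    for method, args in trace:
        act = abstract(method, args)
        if act is not None:
            s = policy.step(act)
            if not s.ok:
                return executed, s
        executed.append(method)
    return executed, None

def applet_policy() -> Policy:
    # Constructed allow-list; a real policy would derive it from the applet's origin.
    acl = FileAcl(["/tmp/data.txt", "/tmp/notes.txt", "/tmp/log.bin"])
    return Conjunction(Conjunction(LimitFiles(2), acl), NoNetAfterRead())

# Constructed trace of concrete calls an applet might make.
SAMPLE_TRACE: List[Tuple[str, Tuple]] = [
    ("java.io.FileReader.<init>(String)", ("/tmp/data.txt",)),
    ("java.lang.Math.abs(int)", (-3,)),                        # not policy-relevant
    ("java.io.FileReader.<init>(File)", ("/tmp/notes.txt",)),
    ("java.io.FileReader.close()", ()),
    ("java.io.RandomAccessFile.<init>(String,String)", ("/tmp/log.bin", "r")),
    ("java.net.Socket.<init>(String,int)", ("applet-host.example", 80)),
]
```

Running `run_monitored(applet_policy(), SAMPLE_TRACE)` lets the first five calls execute and halts at the socket constructor, because NoNetAfterRead has already seen a fileOpen; swapping in `LimitFiles(1)` alone halts at the second open instead. Each simple policy keeps its own state and is written against the abstract fileOpen/fileClose/netConnect actions only, so adding a tenth way to open a file changes the abstract action table, not the policies, and the conjunction short-circuits on the first Halt so a later sub-policy never has to reason about an action that has already been refused.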
Related Work
• Aspect-oriented programming
  – New Polymer features:
    • first-class suggestions, abstract actions, action patterns, policy combinators, policy architecture, formal semantics
• Monitoring languages
  – Poet and Pslang, Naccio, Ariel, Spin Kernel
• Logical monitoring specifications
  – MAC (temporal logic), Bigwig (second-order monadic logic)
Summary: Polymer
• First steps towards the design of a modern language for programming modular run-time security monitors
• For future software releases & papers see
  – www.cs.princeton.edu/sip/projects/polymer/
End