verifying the reliability of operating system-level ... · i ganapathy, jaeger, and jha,...
TRANSCRIPT
![Page 1: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/1.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Verifying the Reliability of OperatingSystem-Level Information Flow Control in Linux
Laurent Georget*Mathieu Jaume† Guillaume Piolle‡Frédéric Tronel‡ Valérie Viet Triem Tong‡
*Université de Rennes 1 / ‡CentraleSupélec / Inria, Rennes, France†LIP6, Sorbonne Universités, Paris, France
FormaliSE — 2017-05-27 1 Laurent Georget
![Page 2: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/2.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
An Information Flow PerspectiveI Linux Operating SystemsContainers of information: objects in the system able to storeinformation originating from users, the OS environment, etc.:
I �lesI pipesI network socketsI message queuesI processes’ memory spaceI more?
Data �ow from one container to anotherI when reading a �leI when storing a message in a message queueI etc.
FormaliSE — 2017-05-27 2 Laurent Georget
![Page 3: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/3.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
The information must flow
Userspace
Syscall interface
Kernelspace
Hardware
Process
Kernel thread
I User processes areisolated
I Have no privilegesI Must use System
Calls to performprivileged operations
I Syscalls cause information �ows
FormaliSE — 2017-05-27 3 Laurent Georget
![Page 4: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/4.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
The information must flow
Userspace
Syscall interface
Kernelspace
Hardware
Process
Kernel thread
I User processes areisolated
I Have no privilegesI Must use System
Calls to performprivileged operations
I Syscalls cause information �ows
FormaliSE — 2017-05-27 3 Laurent Georget
![Page 5: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/5.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Information Flow Trackers for Linux
I Laminar Porter et al., “Practical Fine-Grained InformationFlow Control Using Laminar”
I KBlare Zimmermann, Mé, and Bidan, “An Improved ReferenceFlow Control Model for Policy-Based Intrusion Detection”
I Weir Nadkarni et al., “Practical DIFC enforcement on Android”
FormaliSE — 2017-05-27 4 Laurent Georget
![Page 6: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/6.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Tracking flows with taint propagation
I Each container has a label identifying its initial contentI Each time a �ow occurs, the destination label is updated with
the source label
I Example: head file | wc
�le
/bin/head
sh
/bin/wc
FormaliSE — 2017-05-27 5 Laurent Georget
![Page 7: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/7.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Tracking flows with taint propagation
I Each container has a label identifying its initial contentI Each time a �ow occurs, the destination label is updated with
the source label
I Example: head file | wc
�le
/bin/head
sh
|
/bin/wc
shfork
pipe
FormaliSE — 2017-05-27 5 Laurent Georget
![Page 8: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/8.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Tracking flows with taint propagation
I Each container has a label identifying its initial contentI Each time a �ow occurs, the destination label is updated with
the source label
I Example: head file | wc
�le
/bin/head
head
|
/bin/wc
wc
execve execve
FormaliSE — 2017-05-27 5 Laurent Georget
![Page 9: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/9.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Tracking flows with taint propagation
I Each container has a label identifying its initial contentI Each time a �ow occurs, the destination label is updated with
the source label
I Example: head file | wc
�le
/bin/head
head
|
/bin/wc
wc
read
FormaliSE — 2017-05-27 5 Laurent Georget
![Page 10: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/10.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Tracking flows with taint propagation
I Each container has a label identifying its initial contentI Each time a �ow occurs, the destination label is updated with
the source label
I Example: head file | wc
�le
/bin/head
head
|
/bin/wc
wcwrite
FormaliSE — 2017-05-27 5 Laurent Georget
![Page 11: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/11.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Tracking flows with taint propagation
I Each container has a label identifying its initial contentI Each time a �ow occurs, the destination label is updated with
the source label
I Example: head file | wc
�le
/bin/head
head
|
/bin/wc
wc
read
FormaliSE — 2017-05-27 5 Laurent Georget
![Page 12: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/12.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Tracking flows with taint propagation
I Each container has a label identifying its initial contentI Each time a �ow occurs, the destination label is updated with
the source label
I Example: head file | wc
�le
/bin/head
head
|
/bin/wc
wc . . .
FormaliSE — 2017-05-27 5 Laurent Georget
![Page 13: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/13.jpg)
Example 1: read
fs/read_write.c
![Page 14: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/14.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Graphs and execution paths
I One system call = One graphI One possible execution path = One path from INIT to ENDI One instruction = One nodeI One sequence or jump = One edge
Extracted directly from the GCC compiler
Not exactly C but GIMPLE: intermediate representation
In Static Single Assignment form1
1Cytron et al., “E�ciently Computing Static Single Assignment Form and theControl Dependence Graph”.
FormaliSE — 2017-05-27 7 Laurent Georget
![Page 15: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/15.jpg)
INIT
<ssa 799>.5 = capable(26)
[<ssa 799>.5 != 0]
[!<ssa 799>.5 != 0]
tty_vhangup_self()
<ssa 800>.1 = PHI <0, -1>
<ssa 800>.1
END
/** This routine simulates a hangup* on the tty, to arrange that* users are given clean terminals* at login time.*/
SYSCALL_DEFINE0(vhangup){
if (capable(CAP_SYS_TTY_CONFIG)) {tty_vhangup_self();return 0;
}return -EPERM;
}
![Page 16: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/16.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Anatomy of a syscall
Syscall = Entry-point of a user process in the kernel
1. Basic checks2. Advanced checks / lock taking3. Linux Security Modules hooks4. Actual operation5. Lock release6. Return
Many shortcuts exist, in case of errors.
FormaliSE — 2017-05-27 9 Laurent Georget
![Page 17: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/17.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Anatomy of a syscall
Syscall = Entry-point of a user process in the kernel
1. Basic checks2. Advanced checks / lock taking3. Linux Security Modules hooks4. Actual operation5. Lock release6. Return
Many shortcuts exist, in case of errors.
FormaliSE — 2017-05-27 9 Laurent Georget
![Page 18: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/18.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Anatomy of a syscall
Syscall = Entry-point of a user process in the kernel
1. Basic checks2. Advanced checks / lock taking3. Linux Security Modules hooks4. Actual operation5. Lock release6. Return
Many shortcuts exist, in case of errors.
FormaliSE — 2017-05-27 9 Laurent Georget
![Page 19: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/19.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
The Linux Security Modules Framework
LSM provides security kernel developpers with:I Additional general-purpose security �elds in kernel data
structures (inodes, tasks, etc.)I Hooks strategically placed in the syscalls code to register
callbacks
I Expected use: LSMs store their state in the �elds and use thehooks to
I manage the stateI authorize security-sensitive operations
FormaliSE — 2017-05-27 10 Laurent Georget
![Page 20: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/20.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
The Linux Security Modules Framework
LSM provides security kernel developpers with:I Additional general-purpose security �elds in kernel data
structures (inodes, tasks, etc.)I Hooks strategically placed in the syscalls code to register
callbacksI Expected use: LSMs store their state in the �elds and use thehooks to
I manage the stateI authorize security-sensitive operations
FormaliSE — 2017-05-27 10 Laurent Georget
![Page 21: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/21.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Our problem
Information �ow trackers can only observe the execution of syscallswhen called through a LSM hook.
If a syscall can generate an information �ow without going througha LSM hook, that �ow will be missed.
Important property to ensure a correct �ow trackingThere must be a LSM hook in each execution path leading to theproduction of a �ow in system calls.
FormaliSE — 2017-05-27 11 Laurent Georget
![Page 22: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/22.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Our problem
Information �ow trackers can only observe the execution of syscallswhen called through a LSM hook.
If a syscall can generate an information �ow without going througha LSM hook, that �ow will be missed.
Important property to ensure a correct �ow trackingThere must be a LSM hook in each execution path leading to theproduction of a �ow in system calls.
FormaliSE — 2017-05-27 11 Laurent Georget
![Page 23: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/23.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Previous works
I Zhang, Edwards, and Jaeger, “Using CQUAL for Static Analysisof Authorization Hook Placement”
I Jaeger, Edwards, and Zhang, “Consistency analysis ofauthorization hook placement in the Linux security modulesframework”
I Ganapathy, Jaeger, and Jha, “Automatic Placement ofAuthorization Hooks in the Linux Security ModulesFramework”
I Muthukumaran, Jaeger, and Ganapathy, “Leveraging "choice" toautomate authorization hook placement”
FormaliSE — 2017-05-27 12 Laurent Georget
![Page 24: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/24.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Finding problematic paths
Paths
FormaliSE — 2017-05-27 13 Laurent Georget
![Page 25: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/25.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Finding problematic paths
Paths
Paths�ows
FormaliSE — 2017-05-27 13 Laurent Georget
![Page 26: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/26.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Finding problematic paths
Paths
Paths�ows PathsLSM
FormaliSE — 2017-05-27 13 Laurent Georget
![Page 27: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/27.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Finding problematic paths
PathsPaths
P
Paths�ows PathsLSM
FormaliSE — 2017-05-27 13 Laurent Georget
![Page 28: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/28.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Finding problematic paths
PathsPaths
P
Paths�ows PathsLSM
P is the set of apparently valid paths generating �ows not coveredby a LSM hooks =⇒ paths to analyze
FormaliSE — 2017-05-27 13 Laurent Georget
![Page 29: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/29.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Instructions causing flows and LSM hooks
LSM hooks can be automatically found in the code of system calls
Instructions causing �ows less so. . .
Several heuristics:I Use of lockingI End of checksI Calls to architecture/hardware-dependent functionsI Dynamic calls through function pointers
FormaliSE — 2017-05-27 14 Laurent Georget
![Page 30: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/30.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Instructions causing flows and LSM hooks
LSM hooks can be automatically found in the code of system calls
Instructions causing �ows less so. . .
Several heuristics:I Use of lockingI End of checksI Calls to architecture/hardware-dependent functionsI Dynamic calls through function pointers
FormaliSE — 2017-05-27 14 Laurent Georget
![Page 31: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/31.jpg)
Several standard problems
Some paths are actuallyimpossible: we should excludethem
Loops mean there are an in�nityof paths of �nite length: wecannot analyze them all
![Page 32: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/32.jpg)
Dealing with impossible paths and loopsPathsPaths
Paths�ows
P
PathsLSM
Property (Complete mediation)The complete mediation holds if, and only if: P ⊆ I, i.e. all theexecution paths that perform an information �ow and are not
controlled by the information �ow monitor since they do not contain a
LSM hook are impossible according to the static analysis.
![Page 33: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/33.jpg)
Dealing with impossible paths and loopsPathsPaths
Paths�ows
P
PathsLSM
I
Property (Complete mediation)The complete mediation holds if, and only if: P ⊆ I, i.e. all theexecution paths that perform an information �ow and are not
controlled by the information �ow monitor since they do not contain a
LSM hook are impossible according to the static analysis.
![Page 34: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/34.jpg)
Dealing with impossible paths and loopsPathsPaths
Paths�ows
P
PathsLSM
Paths
I
Paths
Property (Complete mediation)The complete mediation holds if, and only if: P ⊆ I, i.e. all theexecution paths that perform an information �ow and are not
controlled by the information �ow monitor since they do not contain a
LSM hook are impossible according to the static analysis.
![Page 35: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/35.jpg)
Dealing with impossible paths and loopsPaths
Acyclicpathsin P
Paths
Paths�ows
PPathsLSM
Paths
I
Paths
I Since P may be in�nite, we need a way to make the analysis of thesubset of acyclic paths in P su�cient to conclude on all paths in P.
![Page 36: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/36.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Analysis outlineGeneral idea:
I Analyze each system call independentlyI In each system call,
1. identify nodes producing �ows2. trace the paths back up until reaching either the beginning of
the function or a LSM hook3. discard the paths reaching a LSM hook (paths in PathsLSM )4. when reaching a loop, jump to the outer-most loop header to
select only acyclic pathsI For each analyzed path,
I go through each node and edge in orderI gather constraints on variables from nodes and guards on edges
in a con�gurationI when reaching a con�guration with inconsistent constraints,
declare the path as impossibleOR when reaching the end of the path, declare it as possible
FormaliSE — 2017-05-27 17 Laurent Georget
![Page 37: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/37.jpg)
Satisfiability
a.1 = PHI <0, a.8>
f(a.1)
<ssa 1>.6 = f(a.1)
[<ssa 1>.6 != a.1] [!<ssa 1>.6 != a.1]
a.11 = PHI <a.1>
[a.11 > 10]
[!a.11 > 10]
__printf_chk(1, &"fixpoint after 10\n")
...
Satis�abilityCurrent node: a.1 = PHI<0,a.8>
Set of constraints:{a.1 = 0}
Satis�able: Yes
![Page 38: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/38.jpg)
Satisfiability
<ssa 1>.6 = f(a.1)
a.1 = PHI <0, a.8>
f(a.1)
[<ssa 1>.6 != a.1] [!<ssa 1>.6 != a.1]
a.11 = PHI <a.1>
[a.11 > 10]
[!a.11 > 10]
__printf_chk(1, &"fixpoint after 10\n")
...
Satis�abilityCurrent node: <ssa 1>.6 = f(a.1)
Set of constraints:{a.1 = 0}
Satis�able: Yes
![Page 39: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/39.jpg)
Satisfiability
a.11 = PHI <a.1>
a.1 = PHI <0, a.8>
<ssa 1>.6 = f(a.1)
f(a.1)
[<ssa 1>.6 != a.1] [!<ssa 1>.6 != a.1]
[a.11 > 10]
[!a.11 > 10]
__printf_chk(1, &"fixpoint after 10\n")
...
Satis�abilityCurrent edge: [!<ssa 1>.6 != a.1]
Set of constraints:{a.1 = 0,
<ssa 1>.6 6= a.1
}Satis�able: Yes
![Page 40: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/40.jpg)
Satisfiability
a.11 = PHI <a.1>
a.1 = PHI <0, a.8>
<ssa 1>.6 = f(a.1)
f(a.1)
[<ssa 1>.6 != a.1] [!<ssa 1>.6 != a.1]
[a.11 > 10]
[!a.11 > 10]
__printf_chk(1, &"fixpoint after 10\n")
...
Satis�abilityCurrent node: a.11 = PHI<a.1>
Set of constraints:a.1 = 0,
<ssa 1>.6 6= a.1,a.11 = a.1
Satis�able: Yes
![Page 41: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/41.jpg)
Satisfiability
a.11 = PHI <a.1>
a.1 = PHI <0, a.8>
<ssa 1>.6 = f(a.1)
f(a.1)
[<ssa 1>.6 != a.1] [!<ssa 1>.6 != a.1]
[a.11 > 10]
[!a.11 > 10]
__printf_chk(1, &"fixpoint after 10\n")
...
Satis�abilityCurrent edge: [a.11 > 10]
Set of constraints:a.1 = 0,
<ssa 1>.6 6= a.1,a.11 = a.1,a.11 > 10
Satis�able: No =⇒ path impossible
![Page 42: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/42.jpg)
Satisfiability
f(a.1)
a.1 = PHI <0, a.8>
<ssa 1>.6 = f(a.1)
[<ssa 1>.6 != a.1] [!<ssa 1>.6 != a.1]
a.11 = PHI <a.1>
[a.11 > 10]
[!a.11 > 10]
__printf_chk(1, &"fixpoint after 10\n")
...
Satis�ability
Set of constraints:a.1 = 0,
<ssa 1>.6 6= a.1,a.11 = a.1,a.11 > 10
Satis�able: No =⇒ path impossible
The satis�ability is veri�ed bySMT-solver Yices 2.
2Bruno Dutertre and Leonardo de Moura. The Yices SMT solver. Tech. rep.SRI International, 2006.
![Page 43: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/43.jpg)
Handling loops
f(a.1)
a.8 = a.1 + 1
a.1 = PHI <0, a.8>
<ssa 1>.6 = f(a.1)
[<ssa 1>.6 != a.1] [!<ssa 1>.6 != a.1]
a.11 = PHI <a.1>
[a.11 > 10]
[!a.11 > 10]
__printf_chk(1, &"fixpoint after 10\n")
Loop
Loop header
Exit node
Entry node
Backward edge
For this example, this is
the interesting node from
which we construct a path
towards the beginning of
the function.
Dealing with loops
Loops have a special syntax andare detected by GCCWe de�ne a equivalencerelation on paths : two paths areequivalent if they are identical upto their cycles.We analyze only acyclic paths(normal form)
When there is a loop, we removeconstraints about all variablesmodi�ed inside the loop. =⇒The number of iterations of loopsdoes not change the resultingcon�guration.
![Page 44: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/44.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Implementation
The analysis is implemented as Kayrebt::PathExaminer2, a GCC4.8 plugin3,4.
No extraction of CFGs needed: the analysis works on GCC’s CFG.
Deep insertion inside the compilation process: after the optimizedphase.
Needs a previous annotation of nodes causing information �ows andinlinable functions (can be done with Kayrebt::Callgraphs)
3Richard Matthew Stallman and the GCC developer community. Using theGNU Compiler Collection (GCC). . Tech. rep. 2013. url:https://gcc.gnu.org/onlinedocs/gcc-4.8.4/gcc/ (visited on 05/18/2015).
4Emese Revfy. Introduce GCC plugin infrastructure. Published: Patchsubmitted to the kernel mailing-list. 2016.
FormaliSE — 2017-05-27 20 Laurent Georget
![Page 45: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/45.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Results — Explanations
X : Everything is allright, complete mediation is ensured
∼ : We have identi�ed some problems: some paths whichshould be impossible and are not
× : We wanted to analyze the paths but there are actuallyno LSM hooks in the system call
FormaliSE — 2017-05-27 21 Laurent Georget
![Page 46: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/46.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Results — read, write, and their kin
Syscall Result Details
read . . . . . . . X All paths in P are impossiblereadv . . . . . X All paths in P are impossiblepreadv . . . . X All paths in P are impossiblepread64 . . . X All paths in P are impossiblewrite . . . . . X All paths in P are impossiblewritev . . . . X All paths in P are impossiblepwritev . . . X All paths in P are impossiblepwrite64 . . X All paths in P are impossiblesendfile . . X All paths in P are impossiblesendfile64 X All paths in P are impossible
FormaliSE — 2017-05-27 22 Laurent Georget
![Page 47: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/47.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Results — splice-like system calls
Syscall Result Details
splice . . ∼ No hook for the pipe-to-pipe �ow. . All other paths are impossible
tee . . . . . × No LSM hookvmsplice ∼ One path is possible
FormaliSE — 2017-05-27 23 Laurent Georget
![Page 48: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/48.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Results — network-specific system calls
Syscall Result Details
recv . . . . X Set P is emptyrecvmsg . X Set P is emptyrecvmmsg ∼ One path is possiblerecvfrom X Set P is emptysend . . . . X Set P is emptysendmsg . X Set P is emptysendmmsg ∼ One path is possiblesendto . . X Set P is empty
FormaliSE — 2017-05-27 24 Laurent Georget
![Page 49: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/49.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Results — processes’ life
Syscall Result Details
fork . . . . X Set P is emptyvfork . . . X Set P is emptyclone . . . X Set P is emptyexecve . . X Set P is emptyexecveat X Set P is empty
FormaliSE — 2017-05-27 25 Laurent Georget
![Page 50: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/50.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Results — System V and POSIX message qeues
Syscall Result Details
msgrcv . . . . . . . . . . X All paths in P are impossiblemsgsnd . . . . . . . . . . X Set P is emptymq_timedreceive × No LSM hookmq_timedsend . . . × No LSM hook
FormaliSE — 2017-05-27 26 Laurent Georget
![Page 51: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/51.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Results — Memory-to-memory flows
Syscall Result Details
process_vm_readv . X Some paths possible but not con-sidered an actual �ow
process_vm_writev X Some paths possible but not con-sidered an actual �ow
migrate_pages . . . . X Set P is emptymove_pages . . . . . . . . X Set P is emptyshmat . . . . . . . . . . . . . . X Set P is emptymmap_pgoff . . . . . . . . X Set P is emptymmap . . . . . . . . . . . . . . . X Set P is emptyptrace . . . . . . . . . . . . X Some paths possible but not con-
sidered an actual �ow
FormaliSE — 2017-05-27 27 Laurent Georget
![Page 52: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/52.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Outcome
Interesting results:I confort the idea that it is possible to do information �ow
tracking with LSMI highlight some holes in the design and implementation of LSM
with respect to information �ow trackingI give a veri�able and reproducible way to analyze and improve
the LSM framework
FormaliSE — 2017-05-27 28 Laurent Georget
![Page 53: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/53.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Static analysis assisted by the compiler
The GCC plugin interface has been opened to implementoptimizations passes.But! It is also a new way of performing static analysis!Already used in the Linux kernel5
Bene�tsI GCC data structures available: CFGs, points-to oracle, etc.I Analysis can be done on simpler intermediate representationsI Ability to deal with GCCismsI The code that is analyzed is not the code that is written but the
code that will get executed (or at least, a closer form thereof)
5Emese Revfy. Introduce GCC plugin infrastructure. Published: Patchsubmitted to the kernel mailing-list. 2016.
FormaliSE — 2017-05-27 29 Laurent Georget
![Page 54: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/54.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Static analysis assisted by the compiler
The GCC plugin interface has been opened to implementoptimizations passes.But! It is also a new way of performing static analysis!Already used in the Linux kernel5
Bene�tsI GCC data structures available: CFGs, points-to oracle, etc.I Analysis can be done on simpler intermediate representationsI Ability to deal with GCCismsI The code that is analyzed is not the code that is written but the
code that will get executed (or at least, a closer form thereof)
5Emese Revfy. Introduce GCC plugin infrastructure. Published: Patchsubmitted to the kernel mailing-list. 2016.
FormaliSE — 2017-05-27 29 Laurent Georget
![Page 55: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/55.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
On-going work
Cover more overt and covert channels of information �ows in acorrect, veri�able way.
In particular, deal with mmap-ed �les and shared memories.
Deal with concurrency between �ows.
FormaliSE — 2017-05-27 30 Laurent Georget
![Page 56: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/56.jpg)
Thank you for your attention.
Questions?
![Page 57: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/57.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Ron Cytron et al. “E�ciently Computing Static SingleAssignment Form and the Control Dependence Graph”. In:ACM Transactions on Programming Languages andSystems 13.4 (Oct. 1991), pp. 451–490. url:http://doi.acm.org/10.1145/115372.115320.Bruno Dutertre and Leonardo de Moura. The Yices SMTsolver. Tech. rep. SRI International, 2006.Vinod Ganapathy, Trent Jaeger, and Somesh Jha. “AutomaticPlacement of Authorization Hooks in the Linux SecurityModules Framework”. In: ACM Conference on Computerand Communications Security. ACM, 2005.Trent Jaeger, Antony Edwards, and Xiaolan Zhang.“Consistency analysis of authorization hook placement in theLinux security modules framework”. In: ACM Trans. Inf.Syst. Secur. 7.2 (2004).
FormaliSE — 2017-05-27 32 Laurent Georget
![Page 58: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/58.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Divya Muthukumaran, Trent Jaeger, and Vinod Ganapathy.“Leveraging "choice" to automate authorization hookplacement”. In: ACM Conference on Computer andCommunications Security. ACM, 2012.Adwait Nadkarni et al. “Practical DIFC enforcement onAndroid”. In: USENIX Security Symposium. 2016.Donald E. Porter et al. “Practical Fine-Grained InformationFlow Control Using Laminar”. In: ACM Transactions onProgramming Languages and Systems 37.1 (Nov. 2014).Emese Revfy. Introduce GCC plugin infrastructure.Published: Patch submitted to the kernel mailing-list. 2016.Richard Matthew Stallman andthe GCC developer community. Using the GNU CompilerCollection (GCC). Tech. rep. 2013. url:https://gcc.gnu.org/onlinedocs/gcc-4.8.4/gcc/(visited on 05/18/2015).
FormaliSE — 2017-05-27 33 Laurent Georget
![Page 59: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/59.jpg)
Introduction Static Analysis Implementation and Results Conclusion Questions References
Xiaolan Zhang, Antony Edwards, and Trent Jaeger. “UsingCQUAL for Static Analysis of Authorization HookPlacement”. In: USENIX Security Symposium. USENIXAssociation, 2002.
Jacob Zimmermann, Ludovic Mé, and Christophe Bidan. “AnImproved Reference Flow Control Model for Policy-BasedIntrusion Detection”. In: Computer Security – ESORICS2003. Lecture Notes in Computer Science 2808. SpringerBerlin Heidelberg, Oct. 13, 2003, pp. 291–308.
FormaliSE — 2017-05-27 34 Laurent Georget
![Page 60: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/60.jpg)
Variables
Variables are separated in 2x2 categories:I Varsmem vs. Varstemp
I Varsmem: Aliasable variablesI Varstemp: Variables whose address is never taken
I Varsptr vs. VarsZI Varsptr : PointersI VarsZ: Numeric variables
The typing is enforced by the compiler.
Many variables are synthetized by the compiler itself to maintain theSSA property.
FormaliSE — 2017-05-27 35 Laurent Georget
![Page 61: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/61.jpg)
Node types
Simple assignments
<ssa 183>.87 = <ssa 182>.86
E�ects: Case x = y Add a constraint x = y
Case p = &y Add a mapping p↔ y
FormaliSE — 2017-05-27 36 Laurent Georget
![Page 62: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/62.jpg)
Node types
Assignments through pointers
*a.1 = y
E�ects:I If there is a mapping a.1↔ x, add a constraint x = y
I Otherwise, remove all constraints about variables a.1 may pointto (GCC has a points-to oracle)
FormaliSE — 2017-05-27 36 Laurent Georget
![Page 63: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/63.jpg)
Node types
Phi nodes<ssa 184>.88 = PHI«ssa 183>.87, retval.83>
Found after nodes where several edges meet.
E�ects:
x = PHI < e1, e2, . . . , en >Add a constraint x = ei where ei
correspond to the branch taken inthis path
FormaliSE — 2017-05-27 36 Laurent Georget
![Page 64: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/64.jpg)
Node types
Function calls
retval.85 = security_file_permission(file.7, 4)
E�ects:I Remove constraints on the return valueI Remove constraints on variables in Varsmem
Portions of assembly code are also represented with this node
FormaliSE — 2017-05-27 36 Laurent Georget
![Page 65: Verifying the Reliability of Operating System-Level ... · I Ganapathy, Jaeger, and Jha, “Automatic Placement of Authorization Hooks in the Linux Security Modules Framework” I](https://reader035.vdocuments.us/reader035/viewer/2022071211/6022cc379a65990f6b4150ae/html5/thumbnails/65.jpg)
Edges
. . . . . .[!retval.83 < 0]
E�ects:I Add the constraint corresponding to the guardI The operator is one of {=, 6=, <,>,≥,≤}
Guards on edges with the same source node are complementary
FormaliSE — 2017-05-27 37 Laurent Georget