The Impact of Programming Language Theory on Computer Security
Drew Dean
Computer Science Laboratory
SRI International

What I’m not Talking About
Cryptographic Protocol Verification (see, e.g., Computer Security Foundations Workshop)
Type Systems for Non-Interference (see, e.g., POPL)

Much of security is: “Program P exactly implements Specification S and no more.”
For this talk, we assume that the specification is correct

Security Tripos
No undefined user-mode behavior
Proper system call use
Correctness wrt critical requirements

Correctness wrt Security
No system that misses security checks can be secure
Program Verification
Architectural Support: Stack inspection; Security Passing Style [WAF]

Program Verification
Obvious connections: Lambda calculus, Curry-Howard; Hoare Logic; …

Architectural Support: Stack Inspection
Access control based on endorsement of code: answers “Who called me?”
Designed to prevent untrusted code from bypassing access controls, while allowing higher level code to assert that it knows what it’s doing

Stack Inspection Example
Applet wants to use the Helvetica font
May require JVM to read a file
Solution:
Font handling code checks arguments
If successful, asserts privilege
Attempts to read file, which notes that font code (privileged) has asserted everything’s OK

Stack Inspection: Critique
Exposes call stack
Tail call elimination painful
Function inlining also painful
Goodbye, Church-Rosser, goodbye!

Security Passing Style
Wallach, Appel, Felten, TOSEM 9/00
A la CPS, pass security context as an extra (implicit) argument
Restores tail call elimination and function inlining
Doesn’t restore Church-Rosser

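The font scenario from the stack inspection slides, and the same policy rewritten in security-passing style, as an added example (not code from the talk or from Wallach, Appel and Felten). The principals, the permission names and the POLICY table are constructed; the stack walk stops at the nearest frame that asserted the privilege, and the SPS version threads the permission set through as an explicit argument, so the final call in load_font_sps needs no frame to unwind:

```python
"""Toy model of Java-style stack inspection next to the same policy in
security-passing style (SPS). Constructed example; principals, permission
names and the font scenario are assumptions, not a real JVM policy."""
from dataclasses import dataclass, field

# Permissions granted to each code principal by policy (constructed).
POLICY = {
    "system": {"file.read", "font.load"},
    "applet": {"font.load"},
}

class AccessDenied(Exception):
    pass

@dataclass
class Frame:
    principal: str
    enabled: set = field(default_factory=set)  # privileges asserted here

# ---- Stack inspection: walk the call stack, most recent frame first ----
def check_permission(stack, perm):
    """Deny if any frame lacks `perm`; stop (and grant) at the nearest frame
    that asserted `perm`, because that trusted code vouches for its callers."""
    for frame in reversed(stack):
        if perm not in POLICY[frame.principal]:
            raise AccessDenied(f"{frame.principal} lacks {perm}")
        if perm in frame.enabled:
            return True
    return True  # bottom of the stack reached: every caller was authorised

def read_file_stack(stack):
    stack.append(Frame("system"))
    try:
        check_permission(stack, "file.read")
        return "helvetica.ttf bytes"
    finally:
        stack.pop()

def load_font_stack(stack, name):
    """Font code validates its argument, then asserts file.read for the
    read it performs on the applet's behalf."""
    if not name.isalpha():
        raise ValueError("bad font name")
    stack.append(Frame("system", enabled={"file.read"}))
    try:
        return read_file_stack(stack)
    finally:
        stack.pop()  # frame must stay live until the callee returns: no tail call

def applet_font_stack():
    return load_font_stack([Frame("applet")], "Helvetica")

def applet_direct_read_stack():
    try:
        read_file_stack([Frame("applet")])
    except AccessDenied:
        return "denied"
    return "granted"

# ---- Security-passing style: the context is an explicit extra argument ----
def sps_enter(ctx, principal):
    """Entering code of `principal` narrows the context to its own grants."""
    return ctx & POLICY[principal]

def sps_assert(ctx, principal, perm):
    """Asserting a privilege re-adds it, provided the asserting code holds it."""
    if perm not in POLICY[principal]:
        raise AccessDenied(f"{principal} cannot assert {perm}")
    return ctx | {perm}

def read_file_sps(ctx):
    ctx = sps_enter(ctx, "system")
    if "file.read" not in ctx:
        raise AccessDenied("file.read")
    return "helvetica.ttf bytes"

def load_font_sps(ctx, name):
    ctx = sps_enter(ctx, "system")
    if not name.isalpha():
        raise ValueError("bad font name")
    ctx = sps_assert(ctx, "system", "file.read")
    return read_file_sps(ctx)  # a genuine tail call: nothing left to unwind

def applet_font_sps():
    ctx = sps_enter(frozenset(POLICY["system"]), "applet")  # applet entry
    return load_font_sps(ctx, "Helvetica")

def applet_direct_read_sps():
    try:
        read_file_sps(sps_enter(frozenset(POLICY["system"]), "applet"))
    except AccessDenied:
        return "denied"
    return "granted"
```

Both versions grant the font path and deny the applet's direct read; the difference is only where the security context lives, on the stack or in an argument.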
Observation
SPS is in closer analogy to CPS than its authors say
Shivers: “Threads are paths through continuation space”
Continuations are the right semantic object to attach permissions to
Would a dependent type system work out?

Properly Using System Calls
If a program handles its own security, e.g., ftpd, it better use system calls correctly
Many programs don’t: Wu-ftpd, Sendmail, …

How Can PLT help?
Joint work with David Wagner and Hao Chen, UC Berkeley
Given a program, morph control flow graph into an automaton that accepts language of system calls

IEEE S&P 2001
Take automaton, check runtime trace of system calls for anomaly detection
(Most of) Benefits of specification-based intrusion detection without needing the non-existent spec

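The two slides above describe one procedure: derive an automaton over system calls from a program's control flow graph, then run a trace against it. The following added example (not the Berkeley tool, and written for this page) does both for a constructed toy daemon. The CFG, the strace-like log lines and the call names are assumptions; edges labelled None are branches that make no system call and become epsilon moves of the automaton:

```python
"""Control-flow graph of a constructed toy network daemon, read as a
nondeterministic automaton over system-call names, and a trace checker.
Added example; the CFG and the log lines are constructed."""
import re

# Node -> list of (syscall or None, successor). None marks an edge that
# makes no system call (an if-branch that only computes): an epsilon edge.
CFG = {
    "start":     [("socket", "created")],
    "created":   [("bind", "listening")],
    "listening": [("accept", "loop")],
    "loop":      [("read", "got"), ("close", "done")],
    "got":       [("write", "loop"), (None, "loop")],  # reply, or silently loop
    "done":      [],
}

def epsilon_closure(cfg, states):
    """All nodes reachable from `states` without making a system call."""
    seen, todo = set(states), list(states)
    while todo:
        node = todo.pop()
        for call, nxt in cfg.get(node, []):
            if call is None and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return frozenset(seen)

def step(cfg, states, call):
    """States reachable from `states` by exactly one edge labelled `call`."""
    return {nxt for node in states for c, nxt in cfg.get(node, []) if c == call}

def allowed_next(cfg, states):
    """System calls the program could legitimately make next."""
    return sorted({c for node in states for c, _ in cfg.get(node, []) if c})

def check_trace(cfg, start, trace):
    """Simulate the automaton over `trace`. Returns (True, None, allowed) if
    the trace is a prefix of some path through the program, otherwise
    (False, i, allowed) where trace[i] is the first call that no live
    state could have made and `allowed` lists what was expected instead."""
    states = epsilon_closure(cfg, {start})
    for i, call in enumerate(trace):
        nxt = epsilon_closure(cfg, step(cfg, states, call))
        if not nxt:
            return (False, i, allowed_next(cfg, states))
        states = nxt
    return (True, None, allowed_next(cfg, states))

# strace-style lines (constructed): "name(args...) = result"
_CALL_RE = re.compile(r"^\s*(\w+)\(")

def calls_from_log(lines):
    """Extract the system-call names from strace-like lines."""
    return [m.group(1) for m in map(_CALL_RE.match, lines) if m]

NORMAL_LOG = [
    "socket(AF_INET, SOCK_STREAM, 0) = 3",
    "bind(3, {sa_family=AF_INET}, 16) = 0",
    "accept(3, NULL, NULL) = 4",
    "read(4, \"GET /\", 5) = 5",
    "write(4, \"OK\", 2) = 2",
    "read(4, \"\", 0) = 0",
    "close(4) = 0",
]
ANOMALOUS_LOG = NORMAL_LOG[:4] + ["execve(\"/bin/sh\", [\"sh\"], []) = 0"]

if __name__ == "__main__":
    for log in (NORMAL_LOG, ANOMALOUS_LOG):
        ok, idx, allowed = check_trace(CFG, "start", calls_from_log(log))
        print("ok" if ok else f"anomaly at call {idx}: expected one of {allowed}")
```

The checker keeps a set of live automaton states, so a program with branches and loops is handled without first determinising the automaton; a trace that diverges is reported at the first call no live state could make, together with the calls the program could have made at that point.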
Current Work
Take abstracted specification, throw it and library of security “best practices” (and known attacks) at (custom) model checker
But this requires understanding system calls
Usually the POSIX spec is reasonable, but not for set*uid()

Understanding set*uid
Absolutely necessary for writing secure setuid Unix programs
Linux, FreeBSD, Solaris all subtly different, even if all POSIX compliant
Kernel code unreadable
Reverse engineer formal model
Will appear at USENIX Security 2002

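As an added illustration of what "throwing best practices and known attacks at a model checker" means for set*uid, here is a tiny state-space explorer over (real, effective, saved) uids. It is not the formal model from the USENIX Security 2002 paper; the transition rules are a simplified reading of Linux's setuid(2) and seteuid(2) and are an assumption of this example (a process with effective uid 0 is treated as privileged, and FreeBSD and Solaris are not modelled). The "best practice" it checks is that after a program's privilege-dropping calls, no later sequence of calls can bring the effective uid back to 0:

```python
"""Tiny model checker for uid state under setuid(2)/seteuid(2).
Added example, not the talk's formal model. Transition rules are a
simplified reading of Linux (assumption): euid 0 counts as privileged,
state is (real, effective, saved). FreeBSD and Solaris are not modelled."""
from collections import deque

UIDS = (0, 1000)  # small universe of uids to explore (constructed)

class Eperm(Exception):
    """The kernel refused the call (EPERM)."""

def setuid(state, uid):
    r, e, s = state
    if e == 0:                 # privileged: all three uids change
        return (uid, uid, uid)
    if uid in (r, s):          # unprivileged: only the effective uid changes
        return (r, uid, s)
    raise Eperm

def seteuid(state, uid):
    r, e, s = state
    if e == 0 or uid in (r, e, s):
        return (r, uid, s)     # real and saved uids are left untouched
    raise Eperm

CALLS = {"setuid": setuid, "seteuid": seteuid}

def run(state, program):
    """Execute a straight-line program of (call, uid) pairs. A failing call
    leaves the state unchanged and is recorded, which is exactly what
    happens to a program that ignores the return value."""
    failed = []
    for name, uid in program:
        try:
            state = CALLS[name](state, uid)
        except Eperm:
            failed.append((name, uid))
    return state, failed

def can_regain_root(state):
    """Breadth-first search over every later setuid/seteuid call with any
    uid in UIDS: is some state with effective uid 0 reachable?"""
    seen, queue = {state}, deque([state])
    while queue:
        st = queue.popleft()
        if st[1] == 0:
            return True
        for fn in CALLS.values():
            for uid in UIDS:
                try:
                    nxt = fn(st, uid)
                except Eperm:
                    continue
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return False

def privileges_dropped(initial, program):
    """Best-practice check: after `program`, root must be unreachable."""
    final, _ = run(initial, program)
    return not can_regain_root(final)

if __name__ == "__main__":
    ROOT_DAEMON = (0, 0, 0)        # started as root
    SETUID_ROOT = (1000, 0, 0)     # setuid-root binary run by uid 1000
    for start in (ROOT_DAEMON, SETUID_ROOT):
        for prog in ([("setuid", 1000)], [("seteuid", 1000)]):
            print(start, prog, "dropped" if privileges_dropped(start, prog) else "NOT dropped")
```

Under these rules setuid(1000) from a privileged state drops privilege permanently, while seteuid(1000) only changes the effective uid and leaves a saved uid of 0 from which root can be regained; the checker reports the second case as a violation, and the `failed` list from run shows the other classic failure mode, a call that returned EPERM and was never checked.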
No Undefined User-mode Behavior
Buffer overflows are still a problem in 2002
PL people think this is stupid
It is
Like it or not, most of the world codes in C or unsafe C++

Not Just Buffer Overflows
Any corruption of program state can cause vulnerability
Nearly science fiction attack based on a C program double freeing a pointer

Observation
Memory comes in two colors: storage of variables; compiler/runtime support

Partition Property
“All variables only refer to memory locations that the compiler has mapped to program variables, not compiler/runtime support (e.g., return addresses, temporaries for evaluating expressions, memory management overhead, etc.)”

Partition Properties
Note that this is weaker than non-interference: values obviously depend on program values
Stronger than some forms of memory & type safety
Should be a theorem of modern (safe) languages

Conclusions
This was a brief survey of a wide field
“and no more” is hard to implement
Hopefully, breaking it down helps
Correctness wrt critical requirements
No undefined behavior
Proper system call use