Efficient, Context-Sensitive Detection of Real-World Semantic Attacks

Post on 04-Jan-2016


Michael Bond, Varun Srivastava, Kathryn McKinley, Vitaly Shmatikov
University of Texas at Austin

Real Semantic Exploits & Efficient, Context-Sensitive Detection

How an applet loads a class

classLoader.loadClass("java.util.HashSet");

loadClass(name) {
  ...
  if (name.lastIndexOf('.') != -1)
    securityManager.checkPackageAccess(name);
  ...
  super.loadClass();
}

SecurityManager.checkPackageAccess()

Access-control security

classLoader.loadClass("java.util.HashSet");

SecurityManager.checkPackageAccess()
ClassLoader.loadClass():341
FileURLLoader.getResource():73

walkPathComponents() {
  ...
  121: { ... if (file.exists()) ... }
  ...
  139: { ... if (file.exists()) ... }
  ...
}

File.exists():268
File.checkRead():1485
SecurityManager.checkRead()

Sun Java Virtual Machine 1.3

classLoader.loadClass("sun/applet/AppletClassLoader");

The name contains no '.', so name.lastIndexOf('.') returns -1 and loadClass(name) does not call securityManager.checkPackageAccess(name).

ClassLoader.loadClass():341
FileURLLoader.getResource():73
walkPathComponents()
File.exists():268
File.checkRead():1485
SecurityManager.checkRead()

Semantic exploit

Examples:
• Omitted security check
• Untrusted code executes in wrong context
• Misconfigured security policy


How to detect this exploit?

Infeasible path detection?

Does not violate semantics (e.g., type & memory safety, control-flow integrity)


How to detect this exploit?

Check against specification?

No specification available


How to detect this exploit?

Infer specification from dynamic behavior?


Which dynamic behavior?

SecurityManager.checkPackageAccess()
SecurityManager.checkRead()
File.checkRead():1485

loadClass("java.util.HashMap"); … SecurityManager.checkPackageAccess() … FileURLLoader.getResource():73 walkPathComponents():121 File.exists()

loadClass("sun/applet/AppletClassLoader"); … SecurityManager.checkPackageAccess() … FileURLLoader.getResource():73 walkPathComponents():121 File.exists()

loadClass("MyClass"); … SecurityManager.checkPackageAccess() … FileURLLoader.getResource():73 walkPathComponents():139 File.exists()

Train

Deploy

classLoader.loadClass("MyClass");



(Sampled & Reproduced) Real Semantic Exploits | Context sensitivity needed? | History sensitivity needed?
SlashPath: Mistakenly omitted security check | Yes | Yes
XSLT: Untrusted code executes in wrong (application) security context | Yes | No
LiveConnect: Untrusted code executes in wrong (applet) security context | No | No
OperaPolicy: Misconfigured security policy | No | No

ClassLoader.loadClass():312
ClassLoader.loadClass():341
FileURLLoader.getResource():73
FileURLLoader.walkPathComponents():121
File.exists():268
File.checkRead():1485
SecurityManager.checkRead()

More context sensitivity

False negatives

False positives

Overhead


S ← walkStack()
check(S)

Proportional to depth & security calls

High overhead at security calls

Efficient, Depth-Limited Context Sensitivity

Represent calling context as probabilistically unique integer

Compute value at every call
Use value at security calls

Always-available context
Low overhead at security calls

V0 ← 0
V1 ← f(V0, cs1)
check(V1)
V2 ← f(V0, cs2)
V3 ← f(V2, cs3)
V4 ← f(V3, cs4)
V5 ← f(V4, cs5)
V6 ← f(V5, cs6)
V7 ← f(V6, cs7)
check(V7)

History sensitivity

$f(V, cs) \equiv 3V + cs \pmod{2^{32}}$

Motivated by MPI data-type hashing [Langou et al. ’05] [Gropp ’00]

Encodes entire calling context

$f(V, cs) \equiv 2^{32/k}\,V + cs \pmod{2^{32}}$

Encodes last k call sites

• Cheap to compute
• Composition cheap to compute
• Non-commutative
• Probabilistically unique (?)

Not proportional to depth

Low overhead at security calls

Detect all exploits without many false positives

Context sensitivity: 3
History sensitivity: 1


Leave-one-out cross-validation on
• 12 benign applets
• 8 benign XSLT inputs

Depth-limited context sensitivity needed

Context and history sensitivity for unsafe languages [Forrest et al., Feng et al.]

Context sensitivity for anomalous paths [Inoue et al.]

Context & history sensitivity actually needed for real exploits

Tension between false positives & negatives

check(V) { H = h(V, lastV); checkHelper(H); lastV = V; }
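The depth-limited hash f and the history-sensitive check(V) above, run end to end as an added example (not code from the talk or its authors). The call-site ids, the train/deploy sequences and the use of a (lastV, V) pair for h are constructed assumptions; the shift is rounded up to ceil(32/k) so that k shifts clear all 32 bits.

```python
import math

MASK = 0xFFFFFFFF
_SITE_IDS = {}  # call site -> small integer id (constructed for this example)


def cs_id(site):
    """Stable small id per call site; a real VM would embed a constant per site."""
    return _SITE_IDS.setdefault(site, len(_SITE_IDS) + 1)


def f(v, cs, k=None):
    """k=None: 3V + cs (entire context). k>=1: 2^(32/k) V + cs (last k call sites)."""
    if k is None:
        return (3 * v + cs) & MASK
    shift = math.ceil(32 / k)  # assumption: round up so older sites are shifted out
    return ((v << shift) + cs) & MASK


def context_value(stack, k=None):
    """Fold f over the call sites on the stack, starting from V0 = 0."""
    v = 0
    for site in stack:
        v = f(v, cs_id(site), k)
    return v


# Line reached in walkPathComponents() per class name, as in the slide traces.
WALK_LINE = {"java.util.HashMap": 121, "sun/applet/AppletClassLoader": 121, "MyClass": 139}


def security_events(name):
    """Call-site stacks at each security call made while loading `name`."""
    events = []
    if name.rfind(".") != -1:  # same test as loadClass(name) on the slides
        events.append(["AppletClassLoader.loadClass:checkPackageAccess"])
    events.append([
        "AppletClassLoader.loadClass:super.loadClass",
        "ClassLoader.loadClass:341",
        "FileURLLoader.getResource:73",
        f"FileURLLoader.walkPathComponents:{WALK_LINE[name]}",
        "File.exists:268",
        "File.checkRead:1485",
    ])
    return events


class Detector:
    def __init__(self, k, history):
        self.k, self.history = k, history
        self.known = set()
        self.last_v = 0

    def check(self, stack, training):
        """check(V): H = h(V, lastV); learn H in training, flag unseen H in deployment."""
        v = context_value(stack, self.k)
        h = (self.last_v, v) if self.history else v
        self.last_v = v
        if training:
            self.known.add(h)
            return False
        return h not in self.known

    def run(self, names, training):
        self.last_v = 0
        alerts = []
        for name in names:
            for stack in security_events(name):
                if self.check(stack, training):
                    alerts.append(name)
        return alerts


TRAIN = ["java.util.HashMap", "MyClass", "java.util.HashMap", "MyClass"]   # constructed
DEPLOY = ["java.util.HashMap", "sun/applet/AppletClassLoader", "MyClass"]  # constructed


def evaluate(k, history):
    d = Detector(k, history)
    d.run(TRAIN, training=True)
    return d.run(DEPLOY, training=False)


if __name__ == "__main__":
    for k, h in [(3, True), (3, False), (1, True)]:
        print(f"C{k}H{int(h)} alerts: {evaluate(k, h)}")
```

Only the C3H1 configuration flags the slash-separated name: without history the checkRead() context was already seen in training, and with one call site of context the :121 and :139 paths hash to the same value.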

Train: observe behavior

Deploy: detect new behavior

classLoader.loadClass("java.util.HashSet")
classLoader.loadClass("sun/applet/AppletClassLoader")
classLoader.loadClass("MyClass");

SecurityManager.checkPackageAccess()
SecurityManager.checkRead() ... FileURLLoader.walkPathComponents():121 ...
SecurityManager.checkRead() ... FileURLLoader.walkPathComponents():139 ...

C3 H1
C: context sensitivity; H: history sensitivity (applets only)

C0H0 | C0H1
C1H0 | C1H1
C3H0 | C3H1
CH0 | CH1

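Configuration | Anomalies | (All)
C0H0 | 0 | (35)
C1H0 | 0 | (54)
C3H0 | 0 | (110)
CH0 | 0 | (194)

Configuration | Anomalies | (All)
C0H1 | 0 | (59)
C1H1 | 1 | (90)
C3H1 | 2 | (145)
CH1 | 2 | (222)

Configuration | Anomalies | (All)
C0 | 0 | (20)
C1 | 0 | (40)
C3 | 2 | (42)
C | 222 | (1,573)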

Leave-one-out cross-validation on
• 12 benign applets
• 8 benign XSLT inputs

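Configuration | ArcTest | AtomViewer | CardTest | DiffEq | DitherTest | DrawTest
C3H0 | 0 | 0 | 0 | 0 | 4 | 0
C3H1 | 1 | 9 | 0 | 1 | 7 | 0
CH0 | 32 | 113 | 0 | 125 | 77 | 10
CH1 | 40 | 61 | 10 | 131 | 94 | 5

Configuration | Euler | Gas | Matrix | Puzzle | ReflFrame | StringWave
C3H0 | 2 | 0 | 0 | 0 | 4 | 0
C3H1 | 6 | 1 | 0 | 1 | 6 | 0
CH0 | 46 | 14 | 56 | 10 | 74 | 9
CH1 | 101 | 28 | 73 | 12 | 93 | 0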

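Configuration | ui | resume | testcase | testcase2
C0 | 0 | 0 | 0 | 0
C1 | 1 | 0 | 0 | 2
C3 | 0 | 0 | 1 | 2
C | 15 | 3 | 63 | 1,409

Configuration | testcase3 | testcase4 | testcase5 | testcase6
C0 | 0 | 0 | 0 | 0
C1 | 0 | 1 | 0 | 0
C3 | 0 | 1 | 0 | 0
C | 6 | 2 | 49 | 1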