Thoughts on Retrofitting Legacy Code for...
Transcript of Thoughts on Retrofitting Legacy Code for...
![Page 1: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/1.jpg)
Thoughts on Retrofitting Legacy
Code for Security
Somesh Jha
University of Wisconsin
(Mar 3, 2011)
Science of Security, ITI (April 2, 2015)
![Page 2: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/2.jpg)
Somesh Jha Retrofitting Legacy Code for Security 2
Kaminsky scores 23, No. 5
Wisconsin beats Illinois 68-49
Feb 15, 2015
![Page 3: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/3.jpg)
Somesh Jha Retrofitting Legacy Code for Security 3
![Page 4: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/4.jpg)
Threat Landscape:
Summary of
Symantec Threat Report 2014
![Page 5: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/5.jpg)
Key Findings 91% increase in targeted attacks
campaigns in 2013
62% increase in the number of breaches
in 2013
Over 552M identities were exposed via
breaches in 2013
23 zero-day vulnerabilities discovered
38% of mobile users have experienced
mobile cybercrime in past 12 months
Somesh Jha Retrofitting Legacy Code for Security 5
![Page 6: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/6.jpg)
Key Findings (Contd.)
Spam volume dropped to 66% of all email
traffic
1 in 392 emails contain a phishing attacks
Web-based attacks are up 23%
1 in 8 legitimate websites have a critical
vulnerability
Somesh Jha Retrofitting Legacy Code for Security 6
![Page 7: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/7.jpg)
What I feel like?
Somesh Jha Retrofitting Legacy Code for Security 7
![Page 8: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/8.jpg)
News is Grim
See talks at
• DARPA Cyber Colloqium
• http://www.darpa.mil/Cyber_Colloqium_Prese
ntations.aspx
What do we do?
Somesh Jha Retrofitting Legacy Code for Security 8
![Page 9: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/9.jpg)
Clean-slate Design
Rethink the entire system stack
Networks
• NSF program
o See http://cleanslate.stanford.edu
• See DARPA Mission Resilient Clouds (MRC)
program
Hosts
• DARPA CRASH program
Somesh Jha Retrofitting Legacy Code for Security 9
![Page 10: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/10.jpg)
Somesh Jha Retrofitting Legacy Code for Security 10
Some Interesting Systems Operating systems with powerful capabilities
• Asbestos, HiStar, Flume
• Capsicum
• ….
Virtual-machine based
• Proxos
• Overshadow
Possible to build applications with strong
guarantees
• Web server: No information flow between threads
handling different requests
![Page 11: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/11.jpg)
Two Guiding Principles
Provide powerful primitives at lower levels
in the “system stack”
• Example: HiStar (information flow labels at
the OS level)
Systems will be compromised, but limit the
damage
• Example: Process can be compromised, but
sensitive data cannot be exfiltrated
Somesh Jha Retrofitting Legacy Code for Security 11
![Page 12: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/12.jpg)
Somesh Jha Retrofitting Legacy Code for Security 12
What happens to all the code?
Should we implement all the code from
scratch?
Can we help programmers adapt their code
for these new platforms?
Analogy
• We have strong foundation
• Can we build a strong house on top of it?
![Page 13: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/13.jpg)
Ideal Functionality
Input: functionality/security policy
• Output: functional/secure code
Proving safety is “undecidable”
• Rice’s theorem (proving any non-trivial
property is undecidable)
I think
• Synthesis is “relatively hard”
o Even if provided with an oracle to prove safety
Somesh Jha Retrofitting Legacy Code for Security 13
![Page 14: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/14.jpg)
Somesh Jha Retrofitting Legacy Code for Security 14
Retrofitting legacy code
Need systematic techniques to
retrofit legacy code for security
Legacy
code
Retrofitted
code
INSECURE SECURE
![Page 15: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/15.jpg)
Premise
Techniques and ideas from
• Verification
• Static Analysis
• …
Can help with this problem
Somesh Jha Retrofitting Legacy Code for Security 15
![Page 16: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/16.jpg)
Collaborators and Funding
Somesh Jha Retrofitting Legacy Code for Security 16
![Page 17: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/17.jpg)
The Problem
Somesh Jha Retrofitting Legacy Code for Security 17
![Page 18: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/18.jpg)
Rewriting Programs
for a Capability System[Harris et. al., Oakland 2013]
Basic problem: take an insecure program
and a policy, instrument program to
invoke OS primitives to satisfy the policy
Key technique: reduce to safety game
between program and instrumentation
Somesh Jha Retrofitting Legacy Code for Security 18
![Page 19: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/19.jpg)
Capsicum
Somesh Jha Retrofitting Legacy Code for Security 19
![Page 20: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/20.jpg)
What is Capsicum?
Capsicum is a lightweight OS capability
and sandbox framework developed at the
University of Cambridge Computer
Laboratory
• supported by grants from Google, the
FreeBSD Foundation, and DARPA.
• Capsicum extends the POSIX API, providing
several new OS primitives to support object-
capability security on UNIX-like operating
systems:
Somesh Jha Retrofitting Legacy Code for Security 20
![Page 21: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/21.jpg)
Capsicum
https://www.cl.cam.ac.uk/research/security
/capsicum/
The FreeBSD implementation of
Capsicum, developed by Robert Watson
and Jonathan Anderson, ships out of the
box in FreeBSD 10.0 (and as an optionally
compiled feature in FreeBSD 9.0, 9.1, and
9.2)
Also available on Linux
Somesh Jha Retrofitting Legacy Code for Security 21
![Page 22: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/22.jpg)
Running example: gzip
gzip() {
files = parse_cl;
for (f in files)
(in, out) = open;
compr(in, out);
}
compr(in, out) {
body;
}
22
public_leak.com
![Page 23: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/23.jpg)
An Informal Policy for gzip
When gzip executes body,
it should only be able to read from in
and write to out.
23
![Page 24: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/24.jpg)
Capsicum:
An OS with Capabilities
Two levels of capability:
• High Capability (can open files)
• Low Capability (cannot open files)
Rules describing capability:
1. Process initially executes with
capability of its parent
2. Process can invoke the drop system call
to take Low Capability
24
![Page 25: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/25.jpg)
Securing gzip on Capsicum
gzip() {
files = parse_cl;
for (f in files)
(in, out) = open;
compr(in, out);
}
compr(in, out) {
drop();
body;
}
High Cap.
Low Cap.
25
public_leak.com
![Page 26: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/26.jpg)
compr(in, out) {
drop();
body;
}
Securing gzip on Capsicum
High Cap.
High Cap.
High Cap.
High Cap.
Low Cap.
26
gzip() {
files = parse_cl;
for (f in files)
(in, out) = open;
compr(in, out);
}
![Page 27: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/27.jpg)
compr(in, out) {
drop();
body;
}
Securing gzip on Capsicum
Low Cap.
Low Cap.
27
gzip() {
files = parse_cl;
for (f in files)
(in, out) = open;
compr(in, out);
}
≠High Cap.
![Page 28: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/28.jpg)
compr(in, out) {
drop();
body;
}
Securing gzip on Capsicum
High Cap.
28
gzip() {
files = parse_cl;
for (f in files)
(in, out) = open;
compr(in, out);
}
fork_compr(in, out);
Low Cap.
High Cap.
High Cap.
![Page 29: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/29.jpg)
compr(in, out) {
drop();
body;
}
Securing gzip on Capsicum
High Cap.
Low Cap.
29
gzip() {
files = parse_cl;
for (f in files)
(in, out) = open;
compr(in, out);
}
fork_compr(in, out);
![Page 30: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/30.jpg)
State of the Art in Rewriting
Somesh Jha Retrofitting Legacy Code for Security 30
Insecure Programgzip() {
…compr();…
}
compr(…) { … }
Secure Programgzip() {
…fork_compr();…
}
compr(…) {drop();…
}
gzip should always
execute comp() with
low cap, but always
open files in main with
high cap
![Page 31: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/31.jpg)
Insights
Somesh Jha Retrofitting Legacy Code for Security 31
![Page 32: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/32.jpg)
First Key Insight
Policies are not instrumented programs,
and they should be explicit.
Somesh Jha Retrofitting Legacy Code for Security 32
![Page 33: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/33.jpg)
First Key Insight
Somesh Jha Retrofitting Legacy Code for Security 33
Insecure Programgzip() {
…compr();…
}
compr(…) { … }
Secure Programgzip() {
…fork_compr();…
}
compr(…) {drop();…
}
gzip should always
execute compr() with
low cap, but always
open files in main with
high cap
Disallowed Executions
.* [ compr() with high cap ]
| .* [ open() with low cap ]
![Page 34: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/34.jpg)
Second Key Insight
From an insecure program and policy,
we can automatically write a secure program
by a solving a two-player safety game.
[Harris et. al., CAV 2012]
Somesh Jha Retrofitting Legacy Code for Security 34
![Page 35: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/35.jpg)
Second Key Insight
Somesh Jha Retrofitting Legacy Code for Security 35
Insecure Programgzip() {
…compr();…
}
compr(…) { … }
Secure Programgzip() {
…fork_compr();…
}
compr(…) {drop();…
}
Disallowed Executions
.* [ compr() with high cap ]
| .* [ open() with low cap ]
capweave
![Page 36: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/36.jpg)
The Technique
Somesh Jha Retrofitting Legacy Code for Security 36
![Page 37: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/37.jpg)
Weaving as a Game
Two steps:
1. Model uninstrumented program,
policy, and Capsicum as
languages/automata
2. From automata, translate weaving
problem to a two-player safety game
Somesh Jha Retrofitting Legacy Code for Security 37
![Page 38: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/38.jpg)
Step 1: Model
Program is a language over
program instructions (Instrs)
Policy is a language of instructions paired
with capability (Instrs x Caps)
Capsicum is a transducer from
instructions and primitives to capabilities
(Instrs U Prims → Caps)
Somesh Jha Retrofitting Legacy Code for Security 38
![Page 39: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/39.jpg)
Step 2: Construct a Game
From models, construct a “game” between
insecure program and instrumentation
Program plays instructions (Instrs),
instrumentation plays primitives (Prims)
Program wins if it generates
an execution that violates the policy
Somesh Jha Retrofitting Legacy Code for Security 39
![Page 40: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/40.jpg)
Safety Games: A Primer
Two players: Attacker and Defender
Play: Attacker and Defender choose actions in
alternation
Player goals:
Attacker: generate a play accepted by the game
Defender: thwart the Attacker
Somesh Jha Retrofitting Legacy Code for Security 40
![Page 41: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/41.jpg)
fork
parse_clnoop
drop
body
body
ret compr
open open
noopdrop
loop
call compr
noop
join
41
![Page 42: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/42.jpg)
fork
parse_clnoop
drop
body
body
ret compr
open open
noopdrop
loop
call compr
noop
join
42
![Page 43: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/43.jpg)
Winning Strategy
Winning strategy: choices that a player can make to always win a game
![Page 44: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/44.jpg)
fork
parse_clnoop
drop
body
body
ret compr
open open
noopdrop
loop
call compr
noop
join
44
![Page 45: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/45.jpg)
ret compr /
fork
parse_clparse_cl /
drop
body
ret compr
open
noop
loop
call compr
noop
join
body /
loop /
call compr /
open /
noop
45
![Page 46: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/46.jpg)
Some Details
Somesh Jha Retrofitting Legacy Code for Security 46
![Page 47: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/47.jpg)
Experimental Highlights
• capweave policies are small compared toprogram size (10’s of lines vs. thousands)
• capweave instruments most programs fast enough to be in an edit-compile-run cycle
• capweave-rewritten programs have reasonable overhead vs. hand-rewritten
![Page 48: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/48.jpg)
Name kLoC Pol.Lines
Time
bzip2 8 70 4m57s
gzip 9 68 3m26s
php-cgi 852 114 46m36s
tar 108 49 0m08s
tcpdump 87 52 0m09s
wget 64 35 0m10s
capweave Performance
48
![Page 49: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/49.jpg)
Name Tests Passed Overhead:capweave / hand
bzip2 6 6 20.90%
gzip 2 2 15.03%
php-cgi 11 2 65.64%
tar 1 1 64.78%
tcpdump 29 27 24.77%
wget 4 4 0.91%
Weaved-program Performance
49
![Page 50: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/50.jpg)
Additional Challenges
• User Study
– Patterson: “How do you know you are doing better?”
• Optimizations
– Incorporate quantitative measures into games (e.g., mean-payoff games)
• User-friendliness
– Better policy language
![Page 51: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/51.jpg)
The Future
Somesh Jha Retrofitting Legacy Code for Security 51
![Page 52: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/52.jpg)
OK… but when does it end?
Decentrailized Information Flow
• Asbestos [SOSP 2005]
• HiStar [SOSP 2006]
• Flume [SOSP 2007]*
Analogous problem to capabilities
• Capabilities ≈ flows
• drop ≈ labels
* Related work in [Harris et. al., CCS 2010]
![Page 53: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/53.jpg)
Capsicum
53
Program Policy
capweave
Capsicum
Program
Weaver
Generator
![Page 54: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/54.jpg)
HiStar
54
Program Policy
hiweave
HiStar
Program
Weaver
Generator
![Page 55: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/55.jpg)
55
Questions
![Page 56: Thoughts on Retrofitting Legacy Code for Securitypublish.illinois.edu/science-of-security-lablet/files/2015/06/... · Thoughts on Retrofitting Legacy Code for Security ... • DARPA](https://reader031.fdocuments.us/reader031/viewer/2022022421/5a899aa27f8b9afe568b5d9a/html5/thumbnails/56.jpg)
Summary
Somesh Jha Retrofitting Legacy Code for Security 56
Insecure Programgzip() {
…compr();…
}
compr(…) { … }
Secure Programgzip() {
…fork_compr();…
}
compr(…) {drop();…
}
Disallowed Executions
.* [ compr() with high cap ]
| .* [ open() with low cap ]
capweave