Modular Program Monitors
David Walker, Princeton University
(joint work with Lujo Bauer and Jay Ligatti)
Modular Run-time Program Monitors David Walker
Program Monitors
• A program monitor is a coroutine that runs in parallel with an untrusted application
  – monitors process security-relevant actions
    • decide to allow/disallow application actions
    • may terminate or suspend application execution
  – monitors detect, prevent, and recover from erroneous or malicious applications at run time
Simple Monitor Structure
• Monitors have 3 components
  – set of security-relevant application actions
  – security state
  – computation
(Figure: Access Control Monitor – actions: fopen, fclose; state: acl; computation: acl lookup)
Polymer Project
• Polymer
  – An extension of Java designed to simplify construction of run-time program monitors
• Design methodology
  – A formula for producing well-structured, easy-to-understand, easy-to-modify monitors
Policy Architecture: The Problem
(Figure: layered architecture – Java core with Polymer language extensions; Host System (Java); Program Monitor Definition; Untrusted application)
Policy Architecture: Simple Policies
(Figure: layered architecture – Java core with Polymer language extensions; Host System (Java); Simple Policy Def. attached to the system interface)
A Simple Polymer Policy
  class limitFiles extends Policy {
    private int openFiles = 0;          // private policy state, protected from malicious applications
    private int maxOpen = 0;
    limitFiles(int max) { maxOpen = max; }   // policy constructor
    ....
  }
A Simple Polymer Policy Continued
  class limitFiles extends Policy {
    private int openFiles = ...
    private int maxOpen = ...
    private ActionSet actions = new ActionSet(          // set of policy-relevant methods
      new String[] {"fileOpen(String)", "fileClose()"} );
    ....
  }
A Simple Polymer Policy Continued
  class limitFiles extends Policy {
    private ActionSet actions = ...
    private int openFiles = ...
    private int maxOpen = ...
    Suggestion step(Action a) {                         // policy behaviour
      aswitch (a) {
        case fileOpen(String s) :
          if (++openFiles <= maxOpen) return Suggestion.OK();
          else return Suggestion.Halt();
        case fileClose() : ...
Realistic Monitors
• Protect complex system interfaces
  – interfaces replicate functionality in many different places
  – method parameters communicate information in different forms
  – eg: Java file system interface
    • 9 different methods to open files
    • 4 different methods to close files
    • filename strings, file objects, self used to identify files
Policy Architecture: Abstract Actions
(Figure: layered architecture – Java core with Polymer language extensions; Host System (Java) exposing the concrete system interface; Abstract Action Def. translating it into the abstract system interface; Simple Policy Def. written against the abstract interface)
Abstract Action Definitions
(Figure: concrete java.lang.io methods mapped onto abstract actions)
  FileReader(String fileName); FileReader(File file); RandomAccessFile(...); ...  →  fileOpen(String n);
  FileReader.close(); RandomAccessFile.close(); ...                                →  fileClose();
Realistic Monitors
• Combine simple policies defined over a variety of different resources
  – eg: sample applet policy
    • file system access control
    • bounds on bytes written and number of files opened
    • restricted network access
      – no access after file system read
      – communication with applet source only
Policy Architecture: Complex Policies
(Figure: layered architecture – Java core with Polymer language extensions; Host System (Java) exposing the concrete system interface; Abstract Action Def. providing the abstract system interface; Simple Policy Defs.; Policy Comb. Def. combining them into a complex, system-specific policy)
Policy Combinators
• Conjunction, Disjunction, Chinese wall, ...
(Figure: Conjunctive Policy – sub-policies P1 and P2 produce suggestions s1 and s2, which the combinator merges into a single suggestion s)
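To show how the simple limitFiles policy, the abstract-action layer and the conjunctive combinator fit together, here is an added plain-Java example; it is not Polymer code, and the names Action, Suggestion, Policy, LimitFiles, NoNetAfterRead and Conjunction are assumed for illustration, with the action trace in main a constructed input.

```java
import java.util.List;
// Added example, not Polymer's own API: a plain-Java sketch of the slides' policy architecture.
// Action, Suggestion, Policy, LimitFiles, NoNetAfterRead, Conjunction are assumed names; the trace is constructed.
public class PolicyDemo {
    enum Suggestion { OK, HALT }
    record Action(String name, String arg) {}           // abstract action: operation plus its argument
    interface Policy { Suggestion step(Action a); }     // private state + a step function over actions
    // Bound the number of simultaneously open files (the limitFiles slide).
    static final class LimitFiles implements Policy {
        private int openFiles = 0;
        private final int maxOpen;
        LimitFiles(int max) { maxOpen = max; }
        public Suggestion step(Action a) {
            switch (a.name()) {
                case "fileOpen":  return ++openFiles <= maxOpen ? Suggestion.OK : Suggestion.HALT;
                case "fileClose": openFiles = Math.max(0, openFiles - 1); return Suggestion.OK;
                default:          return Suggestion.OK;   // not policy-relevant
            }
        }
    }
    // Applet policy from the slides: no network access after a file system read.
    static final class NoNetAfterRead implements Policy {
        private boolean readFile = false;
        public Suggestion step(Action a) {
            if (a.name().equals("fileRead")) readFile = true;
            return a.name().equals("netConnect") && readFile ? Suggestion.HALT : Suggestion.OK;
        }
    }
    // Conjunctive combinator: allow only if every sub-policy allows; each still sees every action.
    static final class Conjunction implements Policy {
        private final List<Policy> ps;
        Conjunction(Policy... ps) { this.ps = List.of(ps); }
        public Suggestion step(Action a) {
            Suggestion out = Suggestion.OK;
            for (Policy p : ps) if (p.step(a) == Suggestion.HALT) out = Suggestion.HALT;
            return out;
        }
    }
    public static void main(String[] args) {
        Policy applet = new Conjunction(new LimitFiles(2), new NoNetAfterRead());
        List<Action> trace = List.of(new Action("fileOpen", "a.txt"), new Action("fileRead", "a.txt"),
            new Action("fileOpen", "b.txt"), new Action("netConnect", "example.org"));
        for (Action a : trace) {
            Suggestion s = applet.step(a);
            System.out.println(a.name() + "(" + a.arg() + ") -> " + s);
            if (s == Suggestion.HALT) break;   // the monitor halts the application
        }
    }
}
```

Every sub-policy is stepped on every action even when an earlier one already halts, so each policy's private state keeps tracking the application exactly as the slides' architecture requires.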
Related Work
• Aspect-oriented programming
  – New Polymer features: first-class suggestions, abstract actions, action patterns, policy combinators, policy architecture, formal semantics
• Monitoring languages
  • Poet and Pslang, Naccio, Ariel, Spin Kernel
• Logical monitoring specifications
  • MAC (temporal logic), Bigwig (second-order monadic logic)
Summary: Polymer
• First steps towards the design of a modern language for programming modular run-time security monitors
• For future software releases & papers see
  – www.cs.princeton.edu/sip/projects/polymer/
End