Page 1:

Modular Program Monitors

David Walker, Princeton University

(joint work with Lujo Bauer and Jay Ligatti)

Page 2:

Modular Run-time Program Monitors David Walker

Program Monitors

• A program monitor is a coroutine that runs in parallel with an untrusted application
  – monitors process security-relevant actions
    • decide to allow/disallow application actions
    • may terminate or suspend application execution
  – monitors detect, prevent, and recover from erroneous or malicious applications at run time

Page 3:

Simple Monitor Structure

• Monitors have 3 components
  – set of security-relevant application actions
  – security state
  – computation

[Figure: Access Control Monitor. An application action a flows into the monitor; actions: fopen, fclose; state: acl; computation: acl lookup]

Page 4:

Polymer Project

• Polymer
  – An extension of Java designed to simplify construction of run-time program monitors
• Design methodology
  – A formula for producing well-structured, easy-to-understand, easy-to-modify monitors

Page 5:

Policy Architecture: The Problem

[Figure: layers from Java core up through the Polymer language extensions; Host System (Java); Program Monitor Definition; Untrusted application]

Page 6:

Policy Architecture: Simple Policies

[Figure: Java core / Polymer language extensions; Host System (Java) exposing a system interface; Simple Policy Def. written against that system interface]

Page 7:

A Simple Polymer Policy

class limitFiles extends Policy {
  // private policy state, protected from malicious applications
  private int openFiles = 0;
  private int maxOpen = 0;

  // policy constructor
  limitFiles(int max) { maxOpen = max; }

  ....
}

Page 8:

A Simple Polymer Policy Continued

class limitFiles extends Policy {
  private int openFiles = ...
  private int maxOpen = ...

  // set of policy-relevant methods
  private ActionSet actions = new ActionSet(
      new String[] {"fileOpen(String)", "fileClose()"} );

  ....
}

Page 9:

A Simple Polymer Policy Continued

class limitFiles extends Policy {
  private ActionSet actions = ...
  private int openFiles = ...
  private int maxOpen = ...

  // policy behaviour
  Suggestion step(Action a) {
    aswitch (a) {
      case fileOpen(String s) :
        if (++openFiles <= maxOpen) return Suggestion.OK();
        else return Suggestion.Halt();
      case fileClose() :
        ...
    }
  }
}


Page 13:

Realistic Monitors

• Protect complex system interfaces
  – interfaces replicate functionality in many different places
  – method parameters communicate information in different forms
  – eg: Java file system interface
    • 9 different methods to open files
    • 4 different methods to close files
    • filename strings, file objects, self used to identify files

Page 14:

Policy Architecture: Abstract Actions

[Figure: Java core / Polymer language extensions; Host System (Java); layered from the bottom up: concrete system interface, Abstract Action Def., abstract system interface, Simple Policy Def.]

Page 15:

Abstract Action Definitions

Concrete actions (java.lang.io)  ->  abstract actions

FileReader(String fileName); FileReader(File file); RandomAccessFile(...); ...  ->  fileOpen(String n);

FileReader.close(); RandomAccessFile.close(); ...  ->  fileClose();

Page 16:

Realistic Monitors

• Combine simple policies defined over a variety of different resources
  – eg: sample applet policy
    • file system access control
    • bounds on bytes written and number of files opened
    • restricted network access
      – no access after file system read
      – communication with applet source only

Page 17:

Policy Architecture: Complex Policies

[Figure: Java core / Polymer language extensions; Host System (Java); layered from the bottom up: concrete system interface, Abstract Action Def., abstract system interface, Simple Policy Def., Policy Comb. Def.; together these form a Complex, System-specific Policy]

Page 18:

Policy Combinators

• Conjunction, Disjunction, Chinese wall, ...

[Figure: Conjunctive Policy. Sub-policies P1 and P2 each produce a suggestion, s1 and s2, which the combinator merges into a single suggestion s]
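An added example, not code from the deck or the Polymer project: a Python model of the monitor pieces on slides 3, 9, 15 and 18. Abstract action definitions collapse several java.io calls into fileOpen/fileClose, the limitFiles policy keeps private state and returns OK or Halt from its step function, an ACL policy models the access-control monitor, and a conjunctive combinator merges the sub-policies' suggestions so that a Halt from either halts. The concrete signature strings, the fileClose decrement and the monitor loop are assumptions of this model.

```python
OK, HALT = "OK", "Halt"  # the two suggestions the deck's limitFiles policy returns

# Abstract action definitions (slide 15): several concrete java.io entry points
# collapse to fileOpen(String) / fileClose(). These signature strings are constructed here.
OPENS = {"FileReader(String)", "FileReader(File)", "RandomAccessFile(String,String)"}
CLOSES = {"FileReader.close()", "RandomAccessFile.close()"}

def abstract(method, args):
    """Map a concrete call to an abstract (name, filename) action, or None if irrelevant."""
    if method in OPENS:
        return ("fileOpen", str(args[0]))  # a File object or a String both name the file
    if method in CLOSES:
        return ("fileClose", None)
    return None

class LimitFiles:
    """limitFiles (slide 9): private state counts opens; Halt once the bound is exceeded."""
    def __init__(self, max_open):
        self.open_files, self.max_open = 0, max_open
    def step(self, action):
        if action[0] == "fileOpen":
            self.open_files += 1
            return OK if self.open_files <= self.max_open else HALT
        if action[0] == "fileClose":  # assumed: the deck's elided case decrements the counter
            self.open_files = max(0, self.open_files - 1)
        return OK
class AccessControl:
    """Access-control monitor (slide 3): state is an ACL, computation is an ACL lookup."""
    def __init__(self, acl):
        self.acl = frozenset(acl)
    def step(self, action):
        return HALT if action[0] == "fileOpen" and action[1] not in self.acl else OK
class Conjunction:
    """Conjunctive combinator (slide 18): both sub-policies see each action; any Halt wins."""
    def __init__(self, p1, p2):
        self.p1, self.p2 = p1, p2
    def step(self, action):
        s1, s2 = self.p1.step(action), self.p2.step(action)
        return HALT if HALT in (s1, s2) else OK

def monitor(policy, trace):
    """Feed a trace of (method, args) calls through the policy, stopping at the first Halt."""
    suggestions = []
    for method, args in trace:
        action = abstract(method, args)
        s = policy.step(action) if action else OK  # calls outside the ActionSet pass through
        suggestions.append(s)
        if s == HALT:
            break
    return suggestions
```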

Page 19:

Related Work

• Aspect-oriented programming
  – New Polymer features:
    • first-class suggestions, abstract actions, action patterns, policy combinators, policy architecture, formal semantics
• Monitoring languages
  – Poet and Pslang, Naccio, Ariel, Spin Kernel
• Logical monitoring specifications
  – MAC (temporal logic), Bigwig (second-order monadic logic)

Page 20:

Summary: Polymer

• First steps towards the design of a modern language for programming modular run-time security monitors
• For future software releases & papers see
  – www.cs.princeton.edu/sip/projects/polymer/

Page 21:

End