1 / 14

ActionScript In-lined Reference Monitoring in Prolog

ActionScript In-lined Reference Monitoring in Prolog. Meera Sridhar and Kevin W. Hamlen The University of Texas at Dallas January 18, 2010 Supported by a grant from AFOSR PADL 2010 Madrid, Spain. Reference Monitors. Examples: file system permissions memory safety Disadvantages:

beryl
Download Presentation

ActionScript In-lined Reference Monitoring in Prolog

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ActionScript In-lined Reference Monitoring in Prolog Meera Sridhar and Kevin W. Hamlen The University of Texas at Dallas January 18, 2010 Supported by a grant from AFOSR PADL 2010 Madrid, Spain

  2. Reference Monitors • Examples: • file system permissions • memory safety • Disadvantages: • changing the policy requires changing the OS/VM • difficult to enforce finer-grained policies such as • “No modifications to files ending in .exe” OS/VM Reference Monitor grant/deny event untrusted code Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

  3. In-lined Reference Monitors [Schneider] • enforce safety policies by injecting runtime security guards directly into untrusted binaries • guards test whether the impending operation constitutes a policy violation, and if so some corrective action is taken • maintain history of security-relevant events • Advantages: • No need to modify the OS/VM • enforce richer policies: e.g., no network sends after file reads • more flexible: code recipient can specify security policy • Examples: SASI [Erlingsson, Schneider], Java-MAC [Kim et al], Java-MOP [Chen, Rosu], Polymer [Bauer, Ligatti, Walker], ConSpec [Aktug, Naliuka], MoBILe [Hamlen, Morrisett, Schneider] OS/VM Reference Monitor grant/deny event untrusted code Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

  4. IRM Implementation Challenges • must be fairly light-weight because it runs on the code-consumer side • binary code parsing and binary code generation are tedious and error-prone • IRM must elegantly implement many AST analyses and code-motion optimizations during rewriting • needed to preserve policy-compliant programs and generate efficient code • generated code should be amenable to formal verification (PCC[Necula & Lee], MoBILe[Hamlen, Morrisett, Schneider], and our recent work on Model-Checking IRMs [Sridhar & Hamlen, VMCAI 2010]) Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

  5. An ActionScriptBytecode IRM system in Prolog • approximately: • 400 lines of rewriter code per security policy family • 900 lines of shared parser/generator code • 2000 of verifier code  Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

  6. The Prolog Advantage Prolog turns out to be a surprisingly elegant language in which to implement IRM's! • DCG's facilitate binary parser implementation. • Reversible predicates combine the parser and code-generator into one piece of code! • AST's are very elegantly represented and manipulated as Prolog structures. • A Prolog implementation of binary rewriting is isomorphic to a search for a correctness proof. This is excellent for integration with a certifying IRM system (Model-Checking IRMs [Sridhar & Hamlen]) or a PCC system [Necula & Lee]. Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

  7. Application: Preventing malicious URL-redirections Adobe’s very real problem: • anyone can write a malicious ABC ad applet and float them around • ad-distributor doesn’t have a good way of pre-checking these since they might change dynamically Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

  8. Application: Preventing malicious URL-redirections Solution: Use an IRM framework! • URL-redirections are implemented in ActionScriptBytecodeby the navigateToURL system call • let’s say we have a method checkURL,with a trusted implementation provided by the ad-distributor • checkURL validates the input to navigateToURL, and may depend on dynamic information Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

  9. Application: Preventing malicious URL-redirections Solution (contd.): • insert a call to checkURL(s) before a call to navigateToURL(s) directly into bytecode • naïve approach – insert checkURL before every navigateToURL, but for efficiency reasons might want to pre-validate string • fits the Flash/AIR model perfectly, because security-enforcement done at code-consumer end, and code-producer (ad-creator) need not be trusted at all! Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

  10. A couple other real-world policies postok policy: • sanitizes strings entered into message box widgets • This can be helpful in preventing cross-site scripting attacks, privacy violations, and buffer-overflow exploits that affect older versions of the ActionScript VM. • We enforced the policy on the Posty AIR application, which allows users to post messages to social networking sites such as Twitter, Jaiku, Tumblr, and Friendfeed. Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

  11. A couple other real-world policies flimit policy • enforces a resource bound that disallows the creation of more than n files on the user's machine • enforced this policy on the FedEx Desktop AIR application, which continuously monitors a user's shipment status and sends tracking information directly to his or her desktop • IRM implements the policy by injecting a counter into the untrusted code that tracks file creations Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

  12. Implementation and Results Details for more details, please visit my website: www.utdallas.edu/~meera.sridhar Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

  13. Conclusion slide • IRM’s provide a more sophisticated security enforcement mechanism than traditional means. • Prolog provides a very elegant solution to typical IRM implementation challenges. • We implemented a prototype IRM system for ActionScriptbytecode. • We demonstrated the feasibility of our solution by enforcing several real-world policies. Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

  14. Selected Citations • B. W. DeVries, G. Gupta, K. W. Hamlen, S. Moore, and M. Sridhar. ActionScriptBytecode Verification with Co-logic Programming. In Proc. of the ACM SIGPLAN Workshop on Prog. Languages and Analysis for Security (PLAS), 2009. • K. W. Hamlen, G. Morrisett, and F. B. Schneider. Computability Classes for Enforcement Mechanisms. In ACM Trans. Prog. Languages and Systems, 2006. • F. B. Schneider. Enforceable Security Policies. ACM Trans. Information and System Security, 3:30–50, 2000. • M. Sridhar and K. W. Hamlen. Model-checking In-lined Reference Monitors. In Proc. Intl. Conf. on Verification, Model-Checking and Abstract Interpretation, 2010. Sridhar and Hamlen: ActionScript In-lined Reference Monitoring in Prolog

More Related