Post on 21-Mar-2016
Efficient Runtime Policy Enforcement Using Counterexample-Guided Abstraction Refinement
Matt Fredrikson, Rich Joiner, Somesh Jha, Tom Reps, Phillip Porras, Hassen Saïdi, Vinod Yegneswaran
Outline
• Ensuring safety properties: current practice
• CEGAR: program verification
• IRM: filtering program behavior
• SafetyWeave: a hybrid approach
• Implementation and experimental results
CEGAR
[Diagram: Source Code and Safety Property feed Model Construction → Model Checking. Outcomes of Model Checking: no counterexamples → “Verified”; invalid counterexample → Model Refinement, which feeds back into Model Construction; valid counterexample → a Counterexample Trace is reported.]
CEGAR Issues
• Computational complexity
  • Model grows exponentially with each refinement step
  • May not terminate (in our lifetimes)
• Statically indeterminable behavior
  • Higher-order functions
  • Dynamic scope
• No recourse for valid counterexamples
  • Requires manual intervention
Takeaway: CEGAR can be an expensive analysis
Runtime Enforcement
[Diagram: Source Code and Safety Property feed Inlined Reference Monitoring, which produces dynamically-filtered Source Code.]
Úlfar Erlingsson, Fred B. Schneider, “The inlined reference monitor approach to security policy enforcement,” 2004
IRM Example
Safety property: Don’t inspect the document prior to assigning to the cookie.

Original program:
    var d = document;
    var f = d.getElementById;
    var t = f('secret');
    if (t) {
      d.cookie = t.innerHTML;
    }

Naively instrumented program (every predicate of the property is checked before every statement; state 0 = nothing inspected yet, state 1 = document inspected):
    var state = 0;
    if (state == 0 && check("var d = document", "call(document.getElementById)")) state = 1;
    if (state == 0 && check("var d = document", "call(document.getElementsByTagName)")) state = 1;
    if (state == 1 && check("var d = document", "set(document.cookie)")) halt();
    var d = document;
    if (state == 0 && check("var f = d.getElementById", "call(document.getElementById)")) state = 1;
    if (state == 0 && check("var f = d.getElementById", "call(document.getElementsByTagName)")) state = 1;
    if (state == 1 && check("var f = d.getElementById", "set(document.cookie)")) halt();
    var f = d.getElementById;
    if (state == 0 && check("var t = f('secret')", "call(document.getElementById)")) state = 1;
    if (state == 0 && check("var t = f('secret')", "call(document.getElementsByTagName)")) state = 1;
    if (state == 1 && check("var t = f('secret')", "set(document.cookie)")) halt();
    var t = f('secret');
    if (state == 0 && check("if (t)", "call(document.getElementById)")) state = 1;
    if (state == 0 && check("if (t)", "call(document.getElementsByTagName)")) state = 1;
    if (state == 1 && check("if (t)", "set(document.cookie)")) halt();
    if (t) {
      if (state == 0 && check("d.cookie = t.innerHTML", "call(document.getElementById)")) state = 1;
      if (state == 0 && check("d.cookie = t.innerHTML", "call(document.getElementsByTagName)")) state = 1;
      if (state == 1 && check("d.cookie = t.innerHTML", "set(document.cookie)")) halt();
      d.cookie = t.innerHTML;
    }
IRM Issues
• Runtime overhead
  • Spurious instrumentation placement
  • Programs run slower
Takeaway: IRM can be expensive at runtime
The Idea
• Combine CEGAR and IRM
• Statically remove naïve IRM instrumentation
• Limit the size of the abstract program model
Rewritten Program
Safety property: Don’t inspect the document prior to assigning to the cookie.

Original program:
    var d = document;
    var f = d.getElementById;
    var t = f('secret');
    if (t) {
      d.cookie = t.innerHTML;
    }

Rewritten program (only the two checks that can actually change the monitor state survive):
    var state = 0;
    var d = document;
    var f = d.getElementById;
    if (state == 0 && check("var t = f('secret')", "call(document.getElementById)")) state = 1;
    var t = f('secret');
    if (t) {
      if (state == 1 && check("d.cookie = t.innerHTML", "set(document.cookie)")) halt();
      d.cookie = t.innerHTML;
    }
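The following is an added example, not code from the slides or from the JaM prototype. It encodes the safety property above as a security automaton (states A, B, C, where the slides use 0, 1 and halt()), implements the runtime half of an IRM that walks it, and then performs the weaving step two ways: naively, with a guard for every automaton edge before every statement, and refined, keeping a guard only where the predicate may hold. The per-statement "may" sets stand in for what the CEGAR model proves; here they are supplied by hand (an assumption), and the names cookiePolicy, makeMonitor, runTrace, weave and countGuards are mine.

```javascript
// Added example: security automaton + IRM runtime + naive/refined weaving.
// Not from the SafetyWeave slides or JaM; "may" sets are hand-supplied.

// Policy automaton from the slides: C is the violating state; any event not
// listed for a state is a self-loop ("*").
const cookiePolicy = {
  start: "A",
  bad: "C",
  edges: [
    { from: "A", on: "call(document.getElementById)", to: "B" },
    { from: "A", on: "call(document.getElementsByTagName)", to: "B" },
    { from: "B", on: "set(document.cookie)", to: "C" },
  ],
};

// Runtime part of the IRM: the single shared `state` variable of the slides,
// advanced on each observed event, halting when the bad state is entered.
function makeMonitor(policy) {
  let state = policy.start;
  return {
    get state() { return state; },
    step(event) {
      const e = policy.edges.find(x => x.from === state && x.on === event);
      if (e) state = e.to;
      if (state === policy.bad) throw new Error("policy violation on " + event);
      return state;
    },
  };
}

// Feed a trace of events through a fresh monitor; "halt" means the program
// was stopped before the offending statement took effect.
function runTrace(policy, events) {
  const m = makeMonitor(policy);
  try { events.forEach(ev => m.step(ev)); return "ok:" + m.state; }
  catch (err) { return "halt"; }
}

// The slide's program, one statement per entry, with the predicates that may
// hold at that statement (assumption: hand-supplied, a real model proves them).
const cookieProgram = [
  { src: "var d = document;", may: [] },
  { src: "var f = d.getElementById;", may: [] },
  { src: "var t = f('secret');", may: ["call(document.getElementById)"] },
  { src: "if (t) {", may: [] },
  { src: "d.cookie = t.innerHTML;", may: ["set(document.cookie)"] },
  { src: "}", syntax: true },   // closing brace: nothing executes here
];

// Weaving: before each statement emit one guard per automaton edge that
// `keep` approves. A guard into the bad state halts; any other guard moves
// `state`. `check(stmt, pred)` is the slides' runtime predicate test.
function weave(program, policy, keep) {
  const out = [`var state = "${policy.start}";`];
  for (const stmt of program) {
    for (const e of stmt.syntax ? [] : policy.edges) {
      if (!keep(stmt, e)) continue;
      const action = e.to === policy.bad ? "halt();" : `state = "${e.to}";`;
      out.push(`if (state == "${e.from}" && check(${JSON.stringify(stmt.src)}, "${e.on}")) ${action}`);
    }
    out.push(stmt.src);
  }
  return out;
}

const weaveNaive = (program, policy) => weave(program, policy, () => true);
const weaveRefined = (program, policy) =>
  weave(program, policy, (stmt, e) => stmt.may.includes(e.on));

const countGuards = lines => lines.filter(l => l.startsWith("if (state ==")).length;

// Naive: 5 statements x 3 edges = 15 guards; refined: the 2 the slide keeps.
console.log("naive guards:", countGuards(weaveNaive(cookieProgram, cookiePolicy)));
console.log("refined guards:", countGuards(weaveRefined(cookieProgram, cookiePolicy)));
console.log(weaveRefined(cookieProgram, cookiePolicy).join("\n"));
```

The refined output has exactly the shape of the rewritten program above: one guard before `var t = f('secret');` that moves the monitor to B, and one guard before the cookie assignment that halts from B. Dropping the other thirteen guards is sound only because the model establishes that their predicates cannot hold at those statements, which is the work the CEGAR loop does.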
The SafetyWeave Algorithm
• INPUT: Program, safety property
• OUTPUT: Rewritten program

Characteristics
• Sound
  • Rewritten program proven safe w.r.t. the property
  • All benign execution is preserved
• Language-independent
• Tunable tradeoff between static and dynamic overhead
• Always terminates
Safety Properties
• Temporal state traces that a program should not exhibit
• Can be encoded as an automaton with state predicates labeling the edges
[Automaton: states A, B, C. A → B on call(document.getElementById) or call(document.getElementsByTagName); B → C on set(document.cookie); self-loops (*) absorb all other events.]
Source Code Rewriting
[Diagram: Source Code and Safety Property feed Model Construction → Model Checking → Model Refinement. Outcomes of Model Checking: no counterexamples → Verified, Instrumented Source Code; invalid counterexample → Model Refinement; valid counterexample → Source Code Rewriting, which instruments the program and feeds it back into the loop.]
Key Insight: CEGAR analysis used to minimize IRM instrumentation
Source Code Rewriting
[Diagram: the same loop with one more exit. When the Abstraction Limit is Reached, Model Refinement stops and the remaining counterexamples are handled by Source Code Rewriting, yielding Verified, Instrumented Source Code.]
Key Insight: Number of predicates learned limited to ensure termination
Prototype Implementation
• JaM is the JavaScript Model Checker
• Why JavaScript?
  • Pervasive on the Internet
  • Code often comes from many authors
    • Libraries, advertisements, mash-ups, web service interfaces
  • JavaScript is challenging to analyze statically
    • Higher-order functions, scope-resolution rules, writable native objects
Deployment Scenario
[Diagram: website owners and an ads entrepreneur both run their code through JaM; a JaM analysis server produces a verified online ad service.]
JaM is part of a DARPA clean-slate security effort
Source Code Rewriting
[Diagram: the SafetyWeave loop (Source Code and Safety Property → Model Construction → Model Checking → Model Refinement → Verified, Instrumented Source Code), annotated with the tools the prototype is built on: OpenNWA, XSB, Kaluza/Yices, Closure Compiler.]
JavaScript Language Model
• Implements symbolic pre-image operator over program statements
• Based on JavaScript semantics of Maffeis et al.
  • Sergio Maffeis, John Mitchell, Ankur Taly, “Operational Semantics of JavaScript,” APLAS ’08
• Operational semantics encoded as a logic program

Rule [E-This] from the operational semantics:
    Scope(H, l, @this) = l1      H, l1.@Get(@this) = va
    ----------------------------------------------------  [E-This]
                  H, l, this -> H, l, va

The same rule as a logic-program clause:
    exp(H,L,E,H,L,Va) :- is_this(E), scope(H,L,'@this',L1), aget(H,L1,'@this',Va).

To evaluate the “this” keyword, traverse the scope chain and retrieve its reference value.
Applications and Policies
• Benchmark applications
  • 12 real programs used on the WWW
  • Range from 25 to 4000 lines
  • Exercise a wide range of JavaScript coding patterns and constructs
• JaM safety properties
  • Communication with external hosts
  • Modification of persistent storage to reflect page contents
  • Creation of foreign pop-up dialog boxes
  • DOM access/modification
Experimental Results
• Initial abstract model (without refinement)
  • Program model composed of predicates used in safety property
  • 89% to 100% of statements deemed safe
• Effect of model refinement
  • 5 of 12: required no refinement
  • 5 of 12: reduced spurious counterexamples by learning 1 to 4 predicates
Source Code Rewriting
[Diagram: the complete SafetyWeave loop, combining the three Model Checking outcomes (no counterexamples, invalid counterexample, valid counterexample) with the Abstraction Limit Reached exit, all ending in Verified, Instrumented Source Code.]
Complete Results
A Simple Example: Program & Policy
[Policy automaton: states A, B, C. A → B on call readHistory or call readFile; B → C on call sendPacket; self-loops (*) absorb all other events.]

Program:
    api[0] = readFile;
    api[1] = sendPacket;
    while (true) {
      instr, data = read();
      api[instr](data);
    }

Control Flow Automaton
[Diagram: one edge per statement: api[0] = readFile; api[1] = sendPacket; while(true) with outcomes {true}, {false} and {exit}; instr, data = read(); api[instr](data), which loops back to the while head.]

Data Automaton
Predicates: α: call readFile, β: call readHistory, γ: call sendPacket
[Diagram: transitions labeled by predicate valuations such as α, !α, β, !β, γ, !γ and !α!β; self-edges omitted for sanity.]