Post on 12-Jan-2016
Static analysis for security
Luis Sierra, November 2007
Stic AmSud - ReSeCo Workshop, Montevideo, Uruguay
Plan
• Some motivation
• Static analysis
• PySTA: Python Static Analyzer
• Permission usage analysis
• Conclusions and further work
Motivation
• To understand and gain experience with the permissions model of Besson, Dufay, and Jensen
• Looking for a quick prototype
• Moreover, I did not know Python
Static analysis: example
• Take a program S
• Take a property P
• Check if P holds in every possible execution of S
  – Checking at compile time
  – Approximate answers

  [x := 2]1; [y := 4]2; [x := 1]3; [read (z)]4;
  if [z > x]5 then [z := y]6 else [z := x]7

  P: Every assignment is useful

• The result the analyzer produces, label by label (the variables still needed after each block):
  1 : set([]) • 2 : set(['y']) • 3 : ...
  Nothing is needed after label 1: the x assigned there is overwritten at 3 before any read, so that assignment is not useful.

Static analysis: example
  [x := 2]1; [y := 4]2; [x := 1]3; [read (z)]4;
  if [z > x]5 then Om; [z := y]6 else [z := x]7

  P: Every assignment is useful

• If Om does not terminate, y is never read and we should delete assignment 2. To decide that, our analysis would have to solve the halting problem !!!
  – Checking at compile time
  – Approximate answers: the analyzer proceeds as if Om could terminate, so y is reported as live after label 2. This is imprecise, but safe: an assignment is only ever reported useless when it really is.
• The analyzer navigates in the control flow graph, collecting relevant information.
• This process must terminate
Working list
• The analyzer navigates in the CFG with an iterator
• We exploit Python flexibility, defining
  – an implementation with sets
  – an implementation with lists

    class workingList (object):
        def iter (self): pass      # yields the pending (l1, l2) edges of the flow
        def add (self, c): pass    # adds a collection of edges to the list

Fix-point computation
    def MFP (a):
        W = WLmap [WLoption] (a.flow)               # set- or list-based working list
        for (l1, l2) in W.iter ():
            fl = a.transfer (l1)                    # transfer function of block l1
            if (not a.latt.leq (fl, a.a [l2])):     # value at l2 not yet stable
                a.a [l2] = a.latt.join (a.a [l2], fl)
                W.add ([(s,t) for (s,t) in a.flow if s==l2])   # revisit successors of l2
        a.dump ()
A static analysis
    from xml.dom.minidom import parseString

    def analyze (file, analysisType):
        s = open (file + '.xml').read ()          # the program, already converted to XML
        p = parseString (s).documentElement
        a = analysisType (p)                      # e.g. the live variables or permissions Analysis class
        MFP (a)
• The analysis is declared in the main program
Some implementations
• Besides the working lists, we implemented several static analyses:
  – Live variables
  – Constraint propagation
  – Available expressions
  – Permission usage
A class for analysis
    class MF (object):
        def __init__ (self, pgm, an): ...        # pgm: parsed XML; an: direction of the analysis
        def defLattice (self): pass
        def defextremalValue (self): pass
        def transfer (self, l): pass             # called by MFP as a.transfer (l1)
        def initialAnalysis (self):
            self.a = {}
            for l in self.Lab:
                self.a [l] = self.extremalValue \
                    if l in self.extremalLabel \
                    else self.latt.bottom ()
        ...
Live Variables Analysis
    class Analysis (MF):
        def __init__ (self, pgm):
            MF.__init__ (self, pgm, 'BW')        # live variables is a backward analysis
        def defLattice (self):
            self.latt = SetVarLat ()             # sets of variables, join = union
        def defextremalValue (self):
            self.extremalValue = SetVar ([])     # nothing is live at the final labels
        def transfer (self, l): ...
        def kill (self, l):
            # gen/kill come as attributes of the XML; eval () is acceptable for a
            # prototype on trusted input only, never on a program file you do not control
            return SetVar (eval (getKill (self.Blocks[l])))
        def gen (self, l):
            return SetVar (eval (getGen (self.Blocks[l])))
Lattices
• The information collected in a static analysis is good enough to provide
  – an operation of least upper bound (latt.join)
  – a comparison (latt.leq)
• We are not interested in proving that a structure is a lattice, but in implementing the relevant operations quickly
A lattice
    class lattice (object):
        def U (self):
            """Support set of the lattice. Meaningful if the support set is finite."""
            pass
        def join (self, a, b):
            """Join operation: returns a new object with value in the lattice."""
            pass
        def leq (self, a, b):
            """Less or equal relation: returns True or False."""
            pass
        def bottom (self):
            """Bottom: returns a new object."""
            pass
A library of lattices
    class semilattice (object): ...

    ## a cartesian product using tuples
    class cartesianProduct (lattice): ...

    ## a function space
    class functionspace (lattice): ...

    ## a function using a dictionary
    class genFunction (object): ...

    class newbottom (lattice): ...

    class powerset (lattice): ...

    class dual (lattice): ...
Multiplicities and permissions
[figure: the multiplicity lattice; the labels legible on the slide are 1 and 0]
Permissions lattice
[figure: the permissions lattice]
Permissions analysis
    class Analysis (MF):
        ...
        def defLattice (self):
            self.latt = Perm (self.Resources, self.Action, self.ResType)
        def defextremalValue (self):
            self.extremalValue = self.latt.bottom ()   # no permission granted at the start
        def transfer (self, l): ...

    class Perm (functionspace): ...
Permissions analysis
class Res (powerset): ...
class Act (powerset): ...
class PermRT (newbottom): ...
class Mult (lattice): ...
class PermMult (cartesianProduct): ...
class RTfunc (oneFunction): ...
class Perm (functionspace): ...
A program
    grant (http ('*'), read, inf)
    grant (https ('site'), read, 1)
    grant (file ('walletId'), read, 1)
    while ...:
        while ...:
            consume (http ('site'), read)
            if ...:
                consume (http ('*'), read)
            else:
                break
    consume (file ('walletId'), read)
    if ...:
        consume (http ('site'), read)
    else:
        grant (file ('walletVisa'), read, 1)
        consume (file ('walletVisa'), read)
    consume (https ('site'), read)
PySTA
[figure: the tool chain] .pgm --pgmtoxml--> .xml --analyze (AE, LV, PU, CP)--> dump
    grant (http ('*'), read, inf)
    grant (https ('site'), read, 1)
    grant (file ('walletId'), read, 1)
    while True:
        while True:
            consume (http ('site'), read)
            if True:
                consume (http ('*'), read)
            else:
                break
    consume (file ('walletId'), read)
    if True:
        consume (http ('site'), read)
    else:
        grant (file ('walletVisa'), read, 1)
        consume (file ('walletVisa'), read)
    consume (https ('site'), read)

    <?xml version="1.0" ?>
    <pgm>
      <meta Actions="set(['read'])" Label="15" ResType="set(['http', 'file', 'https'])" Resources="set(['walletId', 'walletVisa', 'site'])"/>
      <main>
        <command gen="http * read inf" kill="" label="1"/>
        <command gen="https site read 1" kill="" label="2"/>
        <command gen="file walletId read 1" kill="" label="3"/>
        <loop breaks="[9]" label="4">
          <loop breaks="[]" label="5">
        </branch>
      </main>
    </pgm>

Dump of the permission usage analysis, label by label:
    1 P1
    2 P2
    3 P3
    4 ERROR
    5 P4
Conclusions and further work
• Python is a good tool for fast and modular programming
• Compare the classes of PySTA with the Coq viewpoint
• Program interesting examples
• Modify the permissions model using ad hoc constructs
• Program new analyses
Bibliography
• Frédéric Besson, Guillaume Dufay, and Thomas Jensen. A Formal Model of Access Control for Mobile Interactive Devices. ESORICS 2006.