Software Security Monitors:Theory & Practice

David WalkerPrinceton University

(joint work with Lujo Bauer and Jay Ligatti)

July 2003 Software Security Monitors David Walker

General-purpose Security Monitors

• A security monitor (program monitor) is a process that runs in parallel with an untrusted application– monitors examine application actions

• decide to allow/disallow application actions• may terminate an application, log

application actions, etc. – monitors detect, prevent, and recover from

erroneous or malicious behavior at run time– monitors generalize specific enforcement

mechanisms such as access control lists, etc.

July 2003 Software Security Monitors David Walker

What is a security monitor?

Monitors analyze & transform untrusted application actions:

Application generates actions to be input into monitor

Monitor

Machine executes actions output by monitor

a3 a1a2a2

Input Stream

a4 a2a2

Output Stream

a1… …

July 2003 Software Security Monitors David Walker

Possible Monitor Actions

• Accept the action

• Halt the application

• Suppress (skip) the operation

• Insert some computation

• Also: replace results; raise exceptions

July 2003 Software Security Monitors David Walker

Formalizing security monitors

• Security monitors => formal automata that transform a stream of program actions

• Given: a set of possible program actions A• Monitors are deterministic state machines:

(Q, q0, T) where

Q = state set q0 = start state T = transition function

July 2003 Software Security Monitors David Walker

Operational Semantics

Single step (determined by T):

(Sin, q) (Sin’, q’)

Multi-step (reflexive, transitive closure of T):

(Sin, q) (Sin’, q)

Output sequence is observable Input sequences are not observable

So

So

July 2003 Software Security Monitors David Walker

A Hierarchy of Security Monitors

Insert Suppress OK Halt

Truncation

Suppression

Insertion

Edit

We classify monitors based on their transformational abilities (ie: based on T).

July 2003 Software Security Monitors David Walker

An Example: E-Banana.com

• Set of application actions: A = { take(n), // take n bananas

pay(n), // pay for n bananas browse, // browse for bananas receipt // commit}

• Edit Automaton:

take(n)pay(n)

pay(n);take(n);receipt

pay(n)take(n)

receipt

tn

pn

tpninit

browse

browsestart

July 2003 Software Security Monitors David Walker

Edit Automata

Definition: (Q,q0,T)– where T = (t,e,i)– State transition function t

• t : action x state state

– Emission function e • e : action x state {+,-}

– Insertion function i• i : action x state action sequence x state

July 2003 Software Security Monitors David Walker

Edit Automata

• Operational Semantics– (S, q) (S’, q’)

if S=a;S’ and t(a,q)=q’ and e(a,q)= +

– (S, q) (S’, q’)if S=a;S’ and t(a,q)=q’ and e(a,q)= -

– (S, q) (S, q’)if S=a;S’ and i(a,q)=(Sins, q’)

– (S, q) (empty, q)otherwise

a

Sins

(E-Accept)

(E-Suppress)

(E-Insert)

(E-Halt)

July 2003 Software Security Monitors David Walker

Security Policies• A program execution is a sequence of actions• A Security Property is a predicate over

executions.• Example Properties:

– P(S) iff bananas taken equal bananas paid for in S– Access control, resource bounds policies are policies

• Non-properties:– Relations between different executions of a program– Information-flow policies

July 2003 Software Security Monitors David Walker

What does it mean to enforce a policy?

• Principle of SoundnessAll observable outputs obey the policy

sequences Sin . state q’ . sequence So

1. (Sin, q0) (empty, q’)

2. P(So)

• Principle of TransparencySemantics of executions that already obey policy

must be preserved

3. P(Sin) (Sin So)

So

July 2003 Software Security Monitors David Walker

Some Useful Equivalences

Remove/Insert unnecessary actions– fclose(f);fclose(f) fclose(f)

• Replace a sequence with equivalent actions– socket(S);send(S,m) socketSend(S,m)

• Permute independent actions– fopen(f);fopen(g) fopen(g);fopen(f)

• Necessary properties:– reflexive, symmetic & transitive– S S’ P(S) P(S’)

July 2003 Software Security Monitors David Walker

E-Banana.com

• Equivalence Rules:

1) (browse; S) S

2) (S1; take(n); pay(n); S2) (S1; pay(n); take(n); S2)

July 2003 Software Security Monitors David Walker

Conservative Enforcement

Enforcer satisfies Soundness but not necessarily Transparency

properties P .( sequence S . P(S)) P can be conservatively enforced

Conservative

July 2003 Software Security Monitors David Walker

Effective Enforcement

Enforcer satisfies Soundness and Transparency provides some flexibility for the enforcer

to edit the execution sequence guarantees the final results of running

the application with the monitor are semantically equivalent to running the application without the monitor

Conservative

Effective

July 2003 Software Security Monitors David Walker

Precise Enforcement

Definition Enforcer satisfies Soundness and

Transparency Enforcer must output actions in lock-step

with application

Motivation In some scenarios, operations cannot be

delayed without disrupting application semantics

Conservative

Precise

Effective

July 2003 Software Security Monitors David Walker

What properties can be enforced?

• The enforceable properties depend upon– the definition of enforcement (conservative,

effective, precise)– the class of automaton (truncation,

suppression, insertion, edit)– the space of possible input programs

• if the monitor can assume certain “bad” executions do not occur, it can enforce more properties

• static program analysis (type systems; proof-carrying code) can constrain program execution in ways useful to run-time monitors

July 2003 Software Security Monitors David Walker

Effective Enforcement

• An E-Banana.com policy:

– Our edit automaton is an effective enforcer:• It satisfies Soundness• It satisfies Transparency• Proofs are by induction over the possible inputs

– Less powerful automata (truncation, suppression and insertion) cannot enforce the E-Banana property• Proof by contradiction shows either Soundness

or Transparency will be violated

browse*; ((take(n);pay(n) | pay(n);take(n)) ; receipt)*

July 2003 Software Security Monitors David Walker

A Simple Theorem

• Theorem: Any decideable predicate P on executions is a property that can be effectively enforced by some edit automaton– Proof: construct a transactional edit

automaton that suppresses and logs program actions when ¬P(S) and commits (outputs) when P(S), for every initial sequence of actions S in a program execution

July 2003 Software Security Monitors David Walker

Effectively Enforceable Properties

Editing Properties

Insertion Properties

Suppression Properties

Trunc. Prop.

July 2003 Software Security Monitors David Walker

Summary of theoretical results

• We have developed the following rigorous methodology for reasoning about run-time security:

1. Define the computational framework using formal operational semantics

2. Define what it means to enforce a policy

3. Prove results about enforceable policies & mechanisms from definitions 1 & 2

July 2003 Software Security Monitors David Walker

Future Work/Research Ideas

• Proper definitions of enforcement for infinite execution sequences– Understanding edit automata on infinite sequences

• Understand transactional policies & develop “transaction automata”– what can they enforce?

• Incorporate more practical elements into the model– security environment; cryptographic secrets– replacement of results, exceptions and program

state

July 2003 Software Security Monitors David Walker

Polymer, the Language

• Polymer – A domain-specific language for programming

security monitors (ie: edit automata)– Java + a couple of simple extensions:

• atomic policy definitions encapsulating– a set of security-relevant actions– security state– decision procedure that produces security “suggestions”

(halt, suppress action, insert action, etc)

• compositional policy definitions involving– higher-order policy combinators

July 2003 Software Security Monitors David Walker

Securing Untrusted Applications

Javaapplication

policyinterface

instrumentedapplication

describes security-relevant program points

contains hooksto call monitor

untrusted code

separately compiled from policy

July 2003 Software Security Monitors David Walker

Securing Untrusted Applications

Javaapplication

policyinterface

policyimplementation

instrumentedapplication

secure application

implements dynamicsecurity policy

combines applicationand policy

July 2003 Software Security Monitors David Walker

class limitFiles extends Policy { private int openFiles = 0; private int maxOpen = 0;

limitFiles(int max) { maxOpen = max; }

....

}

Atomic Polymer Policy

private policy state

policy constructor

new policydefinitionextendspolicy class

July 2003 Software Security Monitors David Walker

class limitFiles extends Policy { private int openFiles = ... private int maxOpen = ...

public ActionPattern[] actions = new ActionPattern[] { <File fileOpen(String)>, <void fileClose(File)> }; ....

}

Atomic Polymer Policy Continued

set of policy-relevant methods

July 2003 Software Security Monitors David Walker

class limitFiles extends Policy { private int openFiles = ... private int maxOpen = ... public ActionPattern[] actions = ... Suggestion before(Action a) { aswitch (a) { case fileOpen(String s) : if (++openFiles <= maxOpen) return Suggestion.OK(); else return Suggestion.Halt(); case fileClose(File f) : ...

Atomic Polymer Policy Continued

policybehavior

July 2003 Software Security Monitors David Walker

class limitFiles extends Policy { private int openFiles = ... private int maxOpen = ... public ActionPattern[] actions = ... Suggestion before(Action a) { aswitch (a) { case fileOpen(String s) : if (++openFiles <= maxOpen) return Suggestion.OK(); else return Suggestion.Halt(); case fileClose(File f) : ...

Atomic Polymer Policy Continued

July 2003 Software Security Monitors David Walker

class limitFiles extends Policy { public ActionPattern[] actions = ... private int openFiles = ... private int maxOpen = ... Suggestion before(Action a) { aswitch (a) { case fileOpen(String s) : if (++openFiles <= maxOpen) return Suggestion.OK(); else return Suggestion.Halt(); case fileClose(File f) : ...

Atomic Polymer Policy Continued

July 2003 Software Security Monitors David Walker

Complex Monitors

• Combine atomic policies defined over a variety of different resources– eg: sample applet policy

• file system access control• number of files opened• restricted network access

– no network access after local file is read– communication with applet source only

July 2003 Software Security Monitors David Walker

Policy Combinators

• Programmers may write parameterized policy combinators:– And, Or, Forall, Exists, Chinese wall,...

s1 s2

AndPolicy:P1 P2

s

July 2003 Software Security Monitors David Walker

Policy Combinators

class AndPolicy extends Policy {

private Policy p1; private Policy p2; AndPolicy(Policy pol1, Policy pol2) { p1 = pol1; p2 = pol2; ... } }

first-classpolicies

July 2003 Software Security Monitors David Walker

Policy Combinators

class AndPolicy extends Policy { ... Suggestion before(Action a) {

Suggestion s1 = p1.before(a); Suggestion s2 = p2.before(a); if (s1.isOK() && s2.isOK()) return Suggestion.OK(); else ... }}

usingsuggestions

In reality, writing combinatorsis very tricky

July 2003 Software Security Monitors David Walker

Summary of Language Design

• Polymer facilitates the implementation of program monitors by

1. encapsulating all elements (relevant actions, state, decision procedure) of atomic policies in a single place

2. providing mechanisms to compose policies in a well-defined manner

3. coming equipped with a formal semantics– we’re working on it

July 2003 Software Security Monitors David Walker

Conclusions

• Technology for securing extensible systems is in high demand– Software security monitors are one part of the

solution

• For more information, see– Edit Automata: Enforcement Mechanisms for Run-time

Security Policies. IJIS 2003.– Types and effects for non-interfering program monitors.

 ISSS 2002 & LNCS 2609.– More Enforceable Security Policies. FCS 2002.– www.cs.princeton.edu/sip/projects/polymer/

July 2003 Software Security Monitors David Walker

End

July 2003 Software Security Monitors David Walker

Realistic Monitors

• Protect complex system interfaces– interfaces replicate functionality in many

different places– method parameters communicate

information in different forms– eg: Java file system interface

• 9 different methods to open files• 4 different methods to close files• filename strings, file objects, self used to

identify files

July 2003 Software Security Monitors David Walker

Abstract Action Definitions

java.lang.io

FileReader(String fileName);FileReader(File file);RandomAccessFile(...);...

FileReader.close();RandomAccessFile.close();...

fileOpen(String n);

fileClose();

July 2003 Software Security Monitors David Walker

Abstract Action Definitions

class fileOpen extends ActionSig {

boolean canMatch(Action a) { aswitch (a) { case FileReader(_) : return true; case RandomAccessFile () : return true; ... } String parameter1(Action a) { .... }}

July 2003 Software Security Monitors David Walker

class limitFiles extends Policy { ... Suggestion step(Action a) { aswitch (a) { case fileOpen(String s) :

...

case fileClose() :

... }}

Abstract Action Pattern Matching

fileOpen.canMatch(a)

fileOpen.parameter1(a)

July 2003 Software Security Monitors David Walker

Taxonomy of Precisely Enforceable Properties

July 2003 Software Security Monitors David Walker

Secure Application

Java corePolymer language extensions

HostSystem(Java)

Program Monitor Definition

Untrusted application

July 2003 Software Security Monitors David Walker

Policy Architecture: Simple Policies

Java corePolymer language extensions

HostSystem(Java)

SimplePolicyDef.

systeminterface

July 2003 Software Security Monitors David Walker

Policy Architecture: Abstract Actions

Java corePolymer language extensions

HostSystem(Java)

AbstractActionDef.

concrete systeminterface

abstract systeminterface

SimplePolicyDef.

July 2003 Software Security Monitors David Walker

Policy Architecture:Complex Policies

Java corePolymer language extensions

HostSystem(Java)

AbstractActionDef.

SimplePolicyDef.

PolicyComb.Def.

Complex, System-specific Policy

concrete systeminterface

abstract systeminterface

July 2003 Software Security Monitors David Walker

Securing Extensible Systems

• Many questions:– Our application requires property X. Can

we enforce it precisely or will we have to get by with an approximation?

– How do we write down our policy succinctly and unambiguously?

– What specific mechanism will we need to enforce our policy?

– How do we implement the mechanism?

July 2003 Software Security Monitors David Walker

Summary

• A general framework for formal reasoning about security monitors– defined a hierarchy of security monitors– gave meaning to the word “enforceable”– developed rigorous proofs concerning

enforceable properties

• Polymer: A programming language for composing security monitors– techniques for modular monitor design &

composition– formal semantics as an extension of

FeatherWeight Java