retrofitting legacy code with authorization mechanisms vinod ganapathy rutgers university...

Retrofitting Legacy Code with Authorization Mechanisms

Vinod GanapathyRutgers University

[email protected]

Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement 2

Principle of Design for Security

Historic example: • MULTICS [Corbato et al. ‘65]

More recent examples:• Operating systems • Database servers

To create a secure system, designit to be secure from the ground up


Relevance of the Principle today

Deadline-driven software development• Design.Build.(Patch)* is here to stay• Few people have expertise with a single large

codebase.• Tedious to sift through large codebases and

reason about security. • Diverse/Evolving security requirements

oMULTICS security study [Karger and Schell, ‘72]

Most deployed software is not designed for security


Retrofitting legacy code

Need systematic techniques toretrofit legacy code for security

Legacycode

Retrofitted code

INSECURE SECURE


Retrofitting legacy code

Enforcing type safety • CCured [Necula et al. ’02]

Partitioning for privilege separation• PrivTrans [Brumley and Song, ’04]

Enforcing authorization policies

Need systematic techniques toretrofit legacy code for security


Resource manager

Enforcing authorization policies

Resource user

Operation request Response

Authorization policy‹Alice, /etc/passwd, File_Read›

Reference monitor

Allowed? YES/NO


Retrofitting for authorization Mandatory access control for Linux

• Linux Security Modules [Wright et al.,’02]

• SELinux [Loscocco and Smalley,’01]

Secure windowing systems• Trusted X, Compartmented-mode workstation,

X11/SELinux [Epstein et al.,’90][Berger et al.,’90][Kilpatrick et al.,’03]

Java Virtual Machine/SELinux [Fletcher,‘06]

IBM Websphere/SELinux [Hocking et al.,‘06]

Painstaking, manual procedure


This tutorial

Three program analysis and transformation techniques (in increasing order of sophistication)

to retrofit legacy code with reference monitors


Contents of the tutorial

Fingerprints: A new representation for security-sensitive operations

Three algorithms to mine fingerprints Results: Reduced effort to retrofit legacy

code for authorization policy enforcement• Manual effort needed reduces to a few hours• Applied to X server, Linux kernel, etc.

Analyses and transformations forauthorization policy enforcement


Outline Motivation Problem

• Example• Retrofitting legacy code: Lifecycle

Solutions• Dynamic fingerprint mining• Static mining with concept analysis• Static mining leveraging user choice


X server with multiple X clients

REMOTE

LOCAL


REMOTE

Malicious remote X client

LOCAL


REMOTE

Undesirable information flow

LOCAL


Desirable information flow

LOCAL

REMOTE


Other policies to enforce Prevent unauthorized

• Copy and paste• Modification of inputs meant for other clients• Changes to window settings of other clients• Retrieval of bitmaps: Screenshots

[Berger et al., ’90]

[Epstein et al., ‘90]

[Kilpatrick et al., ‘03]

Security is not a ‘blocker’ Security by design, in practice

“It isn't clear this qualifies as a blocker under any circumstances. The importance of

security increases only as we are into serious deployment and start becoming a target. First

things, first....”

- https://dev.laptop.org/ticket/260 Need a way to protect against applications sniffing each other's keystrokes, which X permits by default.

16

https://dev.laptop.org/ticket/260


X server

X server with authorization

X client

Operation request Response

Authorization policy

Reference monitor

Allowed? YES/NO


Outline Motivation Problem

• Example• Retrofitting legacy code: Lifecycle

Solution


Retrofitting lifecycle

1. Identify security-sensitive operations

2. Locate where they are performed in code

3. Instrument these locations

Input_EventCreateDestroyCopyPasteMap

Security-sensitive operations Source Code Policy checks

Can the client receive this

Input_Event?


Problems

X11 ~ proposed 2003, implemented 2007, changing to date. [Kilpatrick et al., ‘03]

Linux Security Modules ~ 2 years [Wright et al., ’02]

PostgreSQL: Began in 2006, still not mainline.

Manual

At this point, SE-PostgreSQL has taken up a *lot* of community resources, not to mention an enormous and

doubtless frustrating amount of *the lead developer’s* time and effort, thus far without a single committed patch, or even a consensus as to what it should (or could) do. Rather than continuing to blunder

into the future, I think we need to do a reality check -

http://archives.postgresql.org/message-id/[email protected]


Problems

Violation of complete mediation Time-of-check to Time-of-use bugs [Zhang et al., ‘02]

[Jaeger et al., ‘04]

Error-prone


Our approach

Fingerprints: A new representation of security-sensitive operations

Legacy code retrofitted using fingerprints• Use of static and dynamic program analysis• Must achieve complete mediation• Ideally, must not place redundant hooks

Automated

Principled


Approach overviewLegacy code

Retrofitted code

Miner

Fingerprints

Matcher


Outline Motivation Problem Solution

• Fingerprints • Dynamic fingerprint mining• Static fingerprint mining with concept analysis• Static fingerprint mining leveraging user

choice


What are fingerprints?

Resource accesses that are unique to a security-sensitive operation

Denote key steps needed to perform the security-sensitive operation on a resource

Code-level signatures of security-sensitive operations


Examples of fingerprints Input_Event :- Cmp xEvent->type == KeyPress


Security-sensitive operations Source Code


Examples of fingerprints Input_Event :-

Cmp xEvent->type == KeyPress Input_Event :- Cmp xEvent->type == MouseMove

Map :- Set Window->mapped to True & Set xEvent->type to MapNotify

Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0


MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) { ... // Code that maps each child window

... }}

Fingerprint matching X server function MapSubWindows

Performs Enumerate

Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0


MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows if CHECK(pClient,pParent,Enumerate) == ALLOWED { pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) { ... // Code that maps each child window

... } } else { HANDLE_FAILURE }}

Placing authorization checks X server function MapSubWindows


Fingerprint matching Currently employ simple pattern matching More sophisticated matching possible

• Metacompilation [Engler et al., ‘01]

• MOPS [Chen and Wagner, ‘02] Inserting authorization checks is akin to

static aspect-weaving [Kiczales et al., ’97]

Other aspect-weaving techniques possible• Runtime aspect-weaving



• Fingerprints• Dynamic fingerprint mining • Static fingerprint mining with concept analysis• Static fingerprint mining leveraging user

choice


Dynamic fingerprint mining



Output: FingerprintsInput_Event :- Cmp xEvent->type == KeyPress


Dynamic fingerprint mining Security-sensitive operations [NSA’03]

Use this information to induce the program to perform security-sensitive operations

Input_Event Input to window from device

Create Create new window

Destroy Destroy existing window

Map Map window to console


Problem definition S: Set of security-sensitive operations D: Descriptions of operations in S R: Set of resource accesses

• Read/Set/Cmp of Window/xEvent Each s є S has a fingerprint

• A fingerprint is a subset of R• Contains a resource access unique to s

Problem: Find fingerprints for each security-sensitive operation in S using D


Traces contain fingerprints

Induce security-sensitive operation • Typing to window will induce Input_Event

Fingerprint must be in runtime trace • Cmp xEvent->type == KeyPress


Security-sensitive operations Source Code Runtime trace


Compare traces to localize

Localize fingerprint in trace• Trace difference and intersection




Runtime traces Trace the program and record reads/writes

to resource data structures• Window and xEvent in our experiments

Example: from X server startup (In function SetWindowtoDefaults) Set Window->prevSib to 0 Set Window->firstChild to 0 Set Window->lastChild to 0

… about 1400 such resource accesses


Using traces for fingerprinting Obtain traces for each security-sensitive

operation• Series of controlled tracing experiments

Examples• Typing to keyboard generates Input_Event• Creating new window generates Create• Creating window also generates Map• Closing existing window generates Destroy


Comparison with “diff” and “∩”

Openxterm

Closexterm

Movexterm

Openbrowser

Switchwindows

Create

Destroy

Map

Unmap

Input_Event

Annotation is a manual step


- Move xtermCreate = Open xterm ∩ Open browser

Comparison with “diff” and “∩”

Openxterm

Closexterm

Movexterm

Openbrowser

Switchwindows

Create

Destroy

Map

Unmap

Input_Event

Perform same set operations on resource accesses


Set equations Each trace has a set of labels

• Open xterm: {Create, Map}• Browser: {Create, Destroy, Map, Unmap}• Move xterm: {Map, Input_Event}

Need set equation for {Create}• Compute an exact cover for this set• Open xterm ∩ Open browser – Move xterm

Perform the same set operations on the set of resource accesses in each trace


Experimental methodologySource code

Server with logging enabled

Raw traces

Relevant portions of traces

Pruned traces

gcc –-enable-logging

Run experiments and collect traces

Localize security-sensitive operation

Compare traces with “diff” and “∩”


Dynamic mining: Results1,000,000

54,000

900

126

1

10

100

1,000

10,000

100,000

1,000,000

Source Code Raw Traces RelevantPortions

PrunedTraces

Siz

e

Each fingerprint localized towithin 126 resource accesses


1. Incomplete: False negatives2. High-level description needed 3. Operations are manually induced

Limitations of dynamic mining





• Fingerprints• Dynamic fingerprint mining• Static fingerprint mining with concept analysis• Static fingerprint mining leveraging user

choice


Static fingerprint mining



Output: Candidate FingerprintsCmp xEvent->type == KeyPress

Resources

• Window• xEvent


Problem definition R: Set of resource accesses

• Read/Set/Cmp of Window/xEvent E: Set of entry points into the server Goal: Find fingerprints using R and E

Not given an a priori description of security-sensitive operations


Straw-man proposal I

Finest level of granularity Cmp xEvent->type == KeyPress Read Window->firstChild Read Window->nextSib Cmp Window ≠ 0

Each resource access in R is a fingerprint


Problem with this proposal

Cmp xEvent->type == KeyPress Read Window->firstChild Read Window->nextSib Cmp Window ≠ 0

Difficult to write and maintainpolicies at this level of granularity


Straw-man proposal II

Coarsest level of granularity

Call MapSubWindows Call MapWindow

Write policies allowing/disallowing the use of an API call

Each API in E is a fingerprint


Problem with this proposal

Call MapSubWindows • Enumerates child windows and maps them to

the screen Call MapWindows

• Maps a window onto the screen

Does not reflect actual resourceaccesses performed by API call


Our approach

Each API entry point implicitly defines a set of resource accesses

Cluster resource accesses based upon the API entry points that perform them

Cluster resource accesses that always happen together


Static analysis Extract resource accesses potentially

possible via each entry point Example from the X server

• Entry point: MapSubWindows(…)• Resource accesses:

Set xEvent->type To MapNotify Set Window->mapped To True Read Window->firstChildRead Window->nextSibCmp Window ≠ 0


Resource accessesMapSubWindows

MapWindow

KeyboardInput

Set xEvent->type To MapNotify

Set Window->mapped To True

Read Window->firstChild

Read Window->nextSib

Cmp Window ≠ 0

Cmp xEvent->type==KeyPress

270 API functions430 distinct resource accesses

Identify candidate fingerprints by clustering resource accesses


FeaturesInstances

Concept analysisMapSubWindows

MapWindow

KeyboardInput





Cmp Window ≠ 0


Comparison via hierarchical clustering


A B C

123456

Hierarchical clustering


Cmp Window ≠ 0





Keyboard

Input

Map

Window

MapSub

Windows

{A,B,C}, Ф

{A,B}, {1,2}

{A}, {1,2,3,4,5}

{C}, {6}

Ф, {1,2,3,4,5,6}


{A}, {1,2,3,4,5}

A B C

123456

Mining candidate fingerprints


Cmp Window ≠ 0





Keyboard

Input

Map

Window

MapSub

Windows

{A,B,C}, Ф

{A,B}, {1,2}{C}, {6}

Ф, {1,2,3,4,5,6}

Cand. Fing. 1

Cand. Fing. 2

Cand. Fing. 3


Static mining: Results

1.438

3.7115

3.718

94,014PennMUSH

30,096X Server/dix

4,476ext2

Avg. SizeCand. Fing.LOCBenchmark

1

10

100

1,000

10,000

100,000

ext2 X server PennMUSH

Siz

e


X Server/dix

ext2

Benchmark

22

11

Manually identified

Security-sensitive ops

Candidate

fingerprints


115

18

Able to find at least one fingerprint for each security-sensitive operation


Identified automatically in a few minutesInterpretation takes just a few hours

Identified as part of multi-year efforts


115

18

X Server/dix

ext2

Benchmark

22

11

Manually identified


Candidate

fingerprints


Associated 59 candidate fingerprints with security-sensitive operations

Remaining are likely security-sensitive too


X Server/dix

ext2

Benchmark

22

11

Manually identified


Candidate

fingerprints

115

18

Read Window->DrawableRec->width & Read Window->DrawableRec->height



• Fingerprints• Dynamic fingerprint mining• Static fingerprint mining with concept analysis• Static fingerprint mining leveraging user

choiceoDivya Muthukumaran and Trent Jaeger

63

Shortcomings that remain Identifying security-sensitive objects is still

manual Hook placement suggested by fingerprints:

• Are they “minimal”?• How do they compare to manually-placed

hooks?

Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement

65

Inferring security-sensitive objects and operations

Idea: Follow the client-request• In servers, client-request determines choice.

“Choice”: • Determines which objects are selected to be

operated upon. • Determines which operation is selected to be

performed on objects.

66

write v

o1

o2

o3

o4

BRequest Interface

i

Cv = Lookup(O,i)

User A

User B

D

A

FI

JH

read v

K

L

E

Program

Container O

Op1.3Op1.2Op1.1Security-sensitive

operation

Tainted variable

Security-sensitive variable

Control statement

Predicated on tainted variable

67

Program

User request

Lookup Function

Global Reads

A) Identify Tainted

Variables (VT)

B) Identify Security-sensitive

Objects(VS)

C) User-choice Operations

D) Security-sensitive operations

68

clientRequest stuff = ReadRequestFromClient(); …

int ChangeWindowProperty(ClientPtr *c, WindowPtr * w){ WindowPtr * win; PropertyPtr * pProp; err = LookupWindow(&win,stuff->window, c); rc = LookupProperty(&pProp, win, stuff->property, c); if (rc == BadMatch) {/* Op 1*/ pProp->name = property; pProp->format = format; pProp->data = data; pProp->size = len; } else { /* Op 2 */ if (stuff->mode == REPLACE) { /* Op 2.1 */ pProp->data = data; pProp->size = len; pProp->format = format; } else if (stuff->mode == APPEND) {/* Op 2.2 */ pProp->data = data; pProp->size += len; } }}

69

clientRequest stuff = ReadRequestFromClient();

int ChangeWindowProperty(ClientPtr * c, WindowPtr * w){ WindowPtr * win; PropertyPtr * pProp; err = LookupWindow(&win,stuff->window, c); rc = LookupProperty(&pProp, win, stuff->property, c); if (rc == BadMatch) {/* Op 1*/ pProp->name = property; pProp->format = format; pProp->data = data; pProp->size = len; } else { /* Op 2 */ if (mode == REPLACE) { /* Op 2.1 */ pProp->data = data; pProp->size = len; pProp->format = format; } else if (mode == APPEND) {/* Op 2.2 */ pProp->data = data; pProp->size += len; } }}

Static Taint analysis

70

Program

User request

Lookup Function

Global Reads

A) Identify Tainted

Variables (VT)


Objects(VS)



Retrieval of objects from containers: • List access (*->next pointer)

• Array access (pointer arithmetic)…

71

List Access: LookupProperty

for (prop=win->userProps; prop; prop=prop->next {if (prop->name == pName)

break;*p = prop;}

return p;

Array Access: LookupWindow

Resource res = clientTable[i]return res;

72

Program

User request

Lookup Function

Global Reads

A) Identify Tainted

Variables (VT)


Objects(VS)



Def 2: A variable v V∈ S(P) if any following are true: a) If it is assigned a value from a container via a lookup

function using a variable v V∈ T(P), b) If D is true for some v’ V∈ S(P). c) If it is a global variable and in the set VT(P).

73

int ChangeWindowProperty(ClientPtr * c, WindowPtr * w, int mode){ WindowPtr * win; PropertyPtr * pProp; err = LookupWindow(&win,stuff->window, c); rc = LookupProperty(&pProp, win, stuff->property, c); if (rc == BadMatch) {/* Op 1*/ pProp->name = property; pProp->format = format; pProp->data = data; pProp->size = len; } else { /* Op 2 */ if (mode == REPLACE) { /* Op 2.1 */ pProp->data = data; pProp->size = len; pProp->format = format; } else if (mode == APPEND) {/* Op 2.2 */ pProp->data = data; pProp->size += len; } }}

TechnologyDetecting code patterns

Static Taint analysis

74

Program

User request

Lookup Function

Global Reads

A) Identify Tainted

Variables (VT)


Objects(VS)



75

int ChangeWindowProperty(ClientPtr * c, WindowPtr * w, int mode){ WindowPtr * win; PropertyPtr * pProp; err = LookupWindow(&win,stuff->window, c); rc = LookupProperty(&pProp, win, stuff->property, c); if (rc == BadMatch) {/* Op 1*/ pProp->name = property; pProp->format = format; pProp->data = data; pProp->size = len; } else { /* Op 2 */ if (stuff->mode == REPLACE) { /* Op 2.1 */ pProp->data = data; pProp->size = len; pProp->format = format; } else if (stuff->mode == APPEND) {/* Op 2.2 */ pProp->data = data; pProp->size += len; } }}

76

A C

B D

A DB C

Taken Not- takenTaken Not-taken

Control Flow Graph (CFG)

Control Dependence Graph (CDG)

78

Program

User request

Lookup Function

Global Reads

A) Identify Tainted

Variables (VT)


Objects(VS)



80

Results: Reduction in programmer effortProgram X Server postgres pennmush memcached

LOC 28k 49k 78k 9k

Total variables 7795 12350 24372 2350

Tainted variables

2975 (38%) 5100 (41%) 4168 (17%) 490 (20%)

Security sensitive variables

823 (9%) 402 (3%) 1573 (6%) 82 (3%)

Data Structures 404 278 311 41

Sensitive Data structures

61(15%)

30 (10%)

38 (12%)

7(17%)

User-choice Operations

4760 5063 6485 996

Sensitive operations 1382 (29%)

1378 (27%)

1382 (21%)

203(20%)

81


LOC 28k 49k 78k 9k

Total variables 7795 12350 24372 2350

Tainted variables

2975 (38%) 5100 (41%) 4168 (17%) 490 (20%)


823 (9%) 402 (3%) 1573 (6%) 82 (3%)



61(15%)

30 (10%)

38 (12%)

7(17%)


4760 5063 6485 996

Sensitive operations 1382 (29%)

1378 (27%)

1382 (21%)

203(20%)

2241

82


LOC 28k 49k 78k 9k

Total variables 7795 12350 24372 2350

Tainted variables

2975 (38%) 5100 (41%) 4168 (17%) 490 (20%)


823 (10%) 402 (3%) 1573 (6%) 82 (3%)



61(15%) 30 (10%)

38 (12%)

7(17%)


4760 5063 6485 996

Sensitive operations 1382 (29%) 1378 (27%) 1382 (21%)

203(20%)

< 95%

84

Results Two sets of programs: a) With manually placed hooks: X server,

postgres. B) No manual hooks: pennmush,

memcached.

85

Results: Reduction in programmer effort

Program X Server postgres pennmush memcached

LOC 28k 49k 78k 9k


823 (10%) 402 (3%) 1573 (6%) 82 (3%)

Sensitive operations 1382 (29%) 1378 (27%) 1382 (21%)

203(20%)

Hooks 532 (11%)

579 (11%)

714(11%)

56(5%)

< 61%

86

Comparing with manual hooks

X Server:• Manual: ~200 hooks• Automated: ~530 hooks

Postgres: • Manual: ~370• Automated: ~570

What does this mean?

Criteria for comparing hooks

Control dominance Data dominance

Hooks Criteria

87

88

Comparison of manual and automated hook placements


Summary


Can the client receive this

Input_Event?

Fingerprints

MatchingMining


Lessons for the future

Modifications may break software Modifying executables is challenging

Modifying legacy code is non-trivial

Low-overhead runtime system for policy enforcement on unmodified code


Lessons for the future

Type-safety violations the main problem

Soundness/completeness hard to achieve for C

Provable guarantees with additional runtime checks?


Lessons for the futureDifficult to automate failure handling

Aspect-oriented solution?

Failure handling is a crosscutting-concern Handling failure gracefully is the main

challenge

Checkpoint and rollback?

94Vinod Ganapathy Retrofitting Legacy Code for Authorization Policy Enforcement

Example: X Server

Remote Client A

Remote Client B

Remote Client A

Remote Client B

95

Example: X Server Confidentiality violation Remote Client A

Remote Client B

WinA

WinB

GetScreen,WinAGetscreen,WinB

96

GetScreen

GetScreen

Example: X Server Confidentiality violation Integrity violation

Remote Client B

Remote Client A

Remote Client B

ChangeProp, WinAChangeProp, WinA

97

ChangeProp

ChangeProp

Remote Client A

Example: X Server Confidentiality violation Integrity violation

Remote Client B

Remote Client A

Remote Client B

ChangeProp, WinAChangeProp, WinA

98

ChangeProp

ChangeProp

Remote Client A

Policy: (clientA, WinA, ChangeProp) (clientB, WinB, ChangeProp)

…


Errors in labeling traces (I)

Openxterm

Closexterm

Movexterm

Openbrowser

Switchwindows

CREATE

DESTROY

MAP

UNMAP

INPUTEVENT


Errors in labeling traces (I)

Openxterm

Closexterm

Movexterm

Openbrowser

Switchwindows

CREATE

DESTROY

MAP

UNMAP

INPUTEVENT

CREATE = Trace1 – Trace3


Errors in labeling traces (II)

Openxterm

Closexterm

Movexterm

Openbrowser

Switchwindows

CREATE

DESTROY

MAP

UNMAP

INPUTEVENT


Dealing with errors in labeling Missing labels from traces:

• “∩” operation will not discard fingerprint• “diff” operation may erroneously eliminate a

fingerprint Extra labels on traces:

• May erroneously eliminate a fingerprint Trial-and-error

• Relabel and recompute set-equations Empirically: tolerance of about 15% errors

103


Observation 1: Automated hooks tend to be finer grained• Finer-grained operations• Finer-grained objects

104

Finer-grained operations

105


Observation 1: Automated hooks tend to be finer grained• Finer-grained operations• Finer-grained objects

106

Finer-grained objects

write(pChild->mapped)

read(pWin->firstChild->nextSib)

107

Comparison of manual and automated hook placements

6,1

9,3

51,5

retrofitting legacy code with authorization mechanisms vinod ganapathy rutgers university...

Documents

extra security

security problems wont

entire security subsystems

resource managers

resource request

deployed software

common software

recent examples