static analysis of security properties by abstract...
TRANSCRIPT
Static Analysis of Security Propertiesby Abstract Interpretation
École normale supérieure, équipe Abstraction
Mehdi Bouaziz
Friday, May 11 2012
Static Analysis of Security Properties by Abstract Interpretation
−→ course MPRI 2-6:Abstract Interpretation: application to verification and staticanalysis−→ ?
Mehdi Bouaziz, École normale supérieureStatic Analysis of Security Properties by Abstract Interpretation 2/13
Static Analysis
of Security Properties
by Abstract Interpretation
−→ course MPRI 2-6:Abstract Interpretation: application to verification and staticanalysis
−→ ?
Mehdi Bouaziz, École normale supérieureStatic Analysis of Security Properties by Abstract Interpretation 2/13
Static Analysis of
Security Properties
by Abstract Interpretation
−→ course MPRI 2-6:Abstract Interpretation: application to verification and staticanalysis
−→ ?
Mehdi Bouaziz, École normale supérieureStatic Analysis of Security Properties by Abstract Interpretation 2/13
Security?
Mehdi Bouaziz, École normale supérieureIntroduction to Security 3/13
Security?
Information Security?
Mehdi Bouaziz, École normale supérieureIntroduction to Security 3/13
Security?Access ControlAccountabilityAttackAuthenticityAuthorizationAvailabilityBuffer OverflowBugClassificationConfidentialityControl-FlowCovert ChannelsCross-Site ScriptingCryptanalysisCryptographyCryptologyDangling PointerData RaceDeclassification
DeadlockEarthquakeEncryptionFireFirewallFloodingFormat StringImplicit FlowInformation-FlowInput ValidationIntegrityIsolationLanguage-BasedLeast PrivilegeMalicious CodeMemory SafetyNon-InterferenceNon-RepudiationObfuscation
PhishingPolicyPossessionRandomizationReference MonitorRiskRuntime CheckSandboxSQL InjectionStack InspectionStack OverflowSymlink RaceTaintingTheftThreatType SafetyUtilityVulnerabilityWild Jump
Mehdi Bouaziz, École normale supérieureIntroduction to Security 3/13
Key Concepts
I ConfidentialityI IntegrityI Disponibility
I AuthenticityI AccountabilityI PossessionI Non-repudiationI Utility
Ipub
Ipriv
Opub
Opriv
Mehdi Bouaziz, École normale supérieureIntroduction to Security 4/13
Key Concepts
I Confidentiality
I IntegrityI Disponibility
I AuthenticityI AccountabilityI PossessionI Non-repudiationI Utility
Ipriv
Opub
Mehdi Bouaziz, École normale supérieureIntroduction to Security 4/13
Key Concepts
I ConfidentialityI Integrity
I Disponibility
I AuthenticityI AccountabilityI PossessionI Non-repudiationI Utility
Ipub
Opriv
Mehdi Bouaziz, École normale supérieureIntroduction to Security 4/13
Key Concepts
I ConfidentialityI IntegrityI Disponibility
I AuthenticityI AccountabilityI PossessionI Non-repudiationI Utility
Mehdi Bouaziz, École normale supérieureIntroduction to Security 4/13
Key Concepts
I ConfidentialityI IntegrityI Disponibility
I AuthenticityI AccountabilityI PossessionI Non-repudiationI Utility
Mehdi Bouaziz, École normale supérieureIntroduction to Security 4/13
Security Policy
A statement that partition the states of the system into a set ofauthorized (secure) states and a set of unauthorized (nonsecure)states.
Specify who can read/write what data, execute what command,under which condition.
I Natural language (law, documentation)I Encoded text (755 root root /bin)I Code (if (x.isPrivate()) exit(1); //avoid leak)I ∅
Mehdi Bouaziz, École normale supérieureIntroduction to Security 5/13
Security Policy
A statement that partition the states of the system into a set ofauthorized (secure) states and a set of unauthorized (nonsecure)states.
Specify who can read/write what data, execute what command,under which condition.
I Natural language (law, documentation)I Encoded text (755 root root /bin)I Code (if (x.isPrivate()) exit(1); //avoid leak)I ∅
Mehdi Bouaziz, École normale supérieureIntroduction to Security 5/13
Security Policy
A statement that partition the states of the system into a set ofauthorized (secure) states and a set of unauthorized (nonsecure)states.
Specify who can read/write what data, execute what command,under which condition.
I Natural language (law, documentation)I Encoded text (755 root root /bin)
I Code (if (x.isPrivate()) exit(1); //avoid leak)I ∅
Mehdi Bouaziz, École normale supérieureIntroduction to Security 5/13
Security Policy
A statement that partition the states of the system into a set ofauthorized (secure) states and a set of unauthorized (nonsecure)states.
Specify who can read/write what data, execute what command,under which condition.
I Natural language (law, documentation)I Encoded text (755 root root /bin)I Code (if (x.isPrivate()) exit(1); //avoid leak)
I ∅
Mehdi Bouaziz, École normale supérieureIntroduction to Security 5/13
Security Policy
A statement that partition the states of the system into a set ofauthorized (secure) states and a set of unauthorized (nonsecure)states.
Specify who can read/write what data, execute what command,under which condition.
I Natural language (law, documentation)I Encoded text (755 root root /bin)I Code (if (x.isPrivate()) exit(1); //avoid leak)I ∅
Mehdi Bouaziz, École normale supérieureIntroduction to Security 5/13
Information Security Controls
I Access ControlI Information-Flow ControlI Control-Flow IntegrityI Encryption
−→ coursesMPRI 1-13: Initiation to cryptologyMPRI 2-12-1: CryptanalysisMPRI 2-12-2: Arithmetic algorithms for cryptologyMPRI 2-13-2: Error correcting codes and applications to cryptographyMPRI 2-30: Cryptographic protocols: computational and symbolic proofs
Mehdi Bouaziz, École normale supérieureIntroduction to Security 6/13
Information Security Controls
I Access ControlI Information-Flow ControlI Control-Flow IntegrityI Encryption
−→ coursesMPRI 1-13: Initiation to cryptologyMPRI 2-12-1: CryptanalysisMPRI 2-12-2: Arithmetic algorithms for cryptologyMPRI 2-13-2: Error correcting codes and applications to cryptographyMPRI 2-30: Cryptographic protocols: computational and symbolic proofs
Mehdi Bouaziz, École normale supérieureIntroduction to Security 6/13
Information Security Controls
I Access ControlI Information-Flow ControlI Control-Flow IntegrityI Encryption
−→ coursesMPRI 1-13: Initiation to cryptologyMPRI 2-12-1: CryptanalysisMPRI 2-12-2: Arithmetic algorithms for cryptologyMPRI 2-13-2: Error correcting codes and applications to cryptographyMPRI 2-30: Cryptographic protocols: computational and symbolic proofs
Mehdi Bouaziz, École normale supérieureIntroduction to Security 6/13
Information Security Controls
I Access ControlI Information-Flow ControlI Control-Flow IntegrityI Encryption
−→ coursesMPRI 1-13: Initiation to cryptologyMPRI 2-12-1: CryptanalysisMPRI 2-12-2: Arithmetic algorithms for cryptologyMPRI 2-13-2: Error correcting codes and applications to cryptographyMPRI 2-30: Cryptographic protocols: computational and symbolic proofs
Mehdi Bouaziz, École normale supérieureIntroduction to Security 6/13
ThreatsI Physical: Earthquake, Fire, Flooding, TheftI In the code:
I Memory Safety:I Buffer OverrunsI Stack OverflowI Dangling pointers
I Concurrency:I DeadlocksI Data racesI Symlink races
I Input Validation:I SQL injectionI Cross-Site Scripting (XSS)I Format String
I Control/Data-Flow:I Type SafetyI Wild JumpsI Self Modifying Code
Mehdi Bouaziz, École normale supérieureIntroduction to Security 7/13
Language-Based Mechanisms
I Runtime Checks: Reference Monitor (OS, Interpreter,Firewall), Inlined Reference Monitor
I Programming Languages: Type-Safe Languages, TypedAssembly Language (TAL)
I Executing Model: Isolation, Sandboxing, Stack Inspection
I Static Analysis: Information-Flow Typing, AbstractInterpretation
I Exotic: Obfuscation, Randomization
Mehdi Bouaziz, École normale supérieureIntroduction to Security 8/13
Security Policy (2)
I Authorization
I History-Based
I Control-Flow
I Information-Flow
I Classification (private/public)
I Declassification (when, where, by who and what private informationcan be considered public)
Mehdi Bouaziz, École normale supérieureIntroduction to Security 9/13
Information-Flow Security
Non-Interference: No two executions are observably different if theydiffer solely by confidential inputs.
Explicit Flows: from assignments
Implicit Flows: from Indirect Flows and Covert Channels:I Termination ChannelI Timing ChannelI Probabilistic ChannelI Resource Exhaustion ChannelI Power Channel
Mehdi Bouaziz, École normale supérieureIntroduction to Security 10/13
Information-Flow Security Type System
` exp : high
h /∈ V ars(exp)
` exp : low
[pc] ` skip [pc] ` h := exp
` exp : low
[low] ` l := exp
[pc] ` C1 [pc] ` C2
[pc] ` C1;C2
` exp : pc [pc] ` C
[pc] ` while exp do C
` exp : pc [pc] ` C1 [pc] ` C2
[pc] ` if exp then C1 else C2
[high] ` C
[low] ` C
Mehdi Bouaziz, École normale supérieureIntroduction to Security 11/13
Issues
Non-interference is too restrictive. Most real-world programs needexceptions to non-interference: declassification.
Examples?
Other issues:I Expressiveness: first-class functions, exceptions, objectsI Concurrency: threads, nondeterminism, distributionI Covert channels: termination, timing, probabilityI Security policies: declassification, quantitative security,
dynamic policiesI Certification: proven compilers, proof-carrying codes
Mehdi Bouaziz, École normale supérieureIntroduction to Security 12/13
Issues
Non-interference is too restrictive. Most real-world programs needexceptions to non-interference: declassification.
Examples?
Other issues:I Expressiveness: first-class functions, exceptions, objectsI Concurrency: threads, nondeterminism, distributionI Covert channels: termination, timing, probabilityI Security policies: declassification, quantitative security,
dynamic policiesI Certification: proven compilers, proof-carrying codes
Mehdi Bouaziz, École normale supérieureIntroduction to Security 12/13
Thank you for listening
Questions are welcome
Mehdi Bouaziz, École normale supérieureIntroduction to Security 13/13