Software Security (slide 1)

"A good programmer is someone who always looks both ways before crossing a one-way street." — Doug Linder, sysadmin
How can we ensure that software is run securely? (slide 2)
- Constrain program behavior
  - Reference monitors
  - Inline reference monitors
  - Sandboxes
- Make potentially harmful code less likely
  - Good programming practice
  - Safe languages
  - Proof-carrying code
- Ensure program integrity
  - Content-derived names
  - Signed code
Constraining program behavior (slide 3)
[Figure: a Program accessing resources (Monitor, Speakers, Disk, Memory, Network); in the second version a Reference monitor sits between the Program and every resource.]
Ideal reference monitor (slide 4)
- Sees everything a program is about to do before it's actually done
- Can instantly and completely halt program execution
- May instead simply prevent the action
- Has no other effect on the program or system
- Is this buildable? Probably not, unless we have either
  - A perfect way to predict the future
  - A time machine
Real reference monitor (slide 5, ideal vs. real)
- Sees almost everything a program is about to do before it's actually done
- Can instantly and completely halt program execution
- May instead simply prevent the action
- Has limited (rather than no) other effect on the program or system
- A real reference monitor is buildable
Preventing stack-smashing (slide 6)
- Reference monitors prevent buffer overflow attacks
- SFI method prevents crossing of security module boundaries
- How can code protect itself better?
- One solution: StackGuard
  - Writes a "canary" word adjacent to the return address
  - Buffer overflow typically has to overwrite the word to get to the return address
  - If word is modified, don't return to the address
  - Pick the word randomly for each execution (not for each program!)
More on StackGuard (slide 7)
- Protect individual words of memory using MemGuard
  - Use VM protection to make memory read-only
  - Allow writing only via special API
  - Problem: can be inefficient when many words share the same page as the return address
- Can be slower, but is even harder to circumvent
Software fault isolation (SFI) (slide 8)
- Get memory safety by inserting checking instructions around loads, stores, and jumps
- This can be expensive! Reduce cost by
  - Using delay slots
  - Masking references
- Result: overhead ~5%!
- Formed a company: Colusa Software
  - Microsoft purchased it! Wahbe & Lucco made a pretty penny…
SFI: details (slide 9)
- Method 1: trap references not to local domain
  - Useful for debugging
  - Location (in code) of error is known
- Method 2: reset references to be to local segment
  - Can cause "mysterious" failures
  - Prevents damage to other segments
- Both methods use "cross-fault-domain remote procedure call" to call other fault domains
[Figure: an address is split into Domain # | Offset. Method 1 compares the Domain # with the Actual Domain and traps if not equal. Method 2 masks the address with 000…0 | Offset and replaces the Domain # with the Actual Domain, keeping the Offset.]
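Both SFI methods from slides 8 and 9, as an added example in C that is not from the slides or from the original SFI implementation. The address layout (a constructed 12-bit offset with the domain number in the bits above it), the segment size and the store wrapper are assumptions for illustration; real SFI also constrains jump targets and uses dedicated registers so the check cannot be bypassed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout: a 32-bit address is Domain # | Offset, with
 * OFFSET_BITS low bits of offset. Each fault domain owns one segment. */
#define OFFSET_BITS   12u
#define OFFSET_MASK   ((1u << OFFSET_BITS) - 1u)      /* 0x00000FFF */
#define DOMAIN_OF(a)  ((uint32_t)(a) >> OFFSET_BITS)

static uint8_t local_segment[1u << OFFSET_BITS];     /* this domain's data */

/* Method 1: compare the reference's Domain # with the actual domain and
 * trap (here: report false) if they differ. The faulting instruction is
 * known, which is what makes this mode useful for debugging. */
bool sfi_check(uint32_t addr, uint32_t domain) {
    return DOMAIN_OF(addr) == domain;
}

/* Method 2: keep the Offset, overwrite the Domain # with the actual domain.
 * A cross-domain reference silently lands inside the local segment (the
 * "mysterious failure"), but it can never touch another segment. */
uint32_t sfi_mask(uint32_t addr, uint32_t domain) {
    return (addr & OFFSET_MASK) | (domain << OFFSET_BITS);
}

/* The store wrapper a rewriter would emit around each store instruction.
 * Returns the address actually written, or 0 when method 1 trapped. */
uint32_t sandboxed_store(uint32_t domain, uint32_t addr, uint8_t value,
                         bool use_mask) {
    uint32_t target;
    if (use_mask) {
        target = sfi_mask(addr, domain);
    } else if (sfi_check(addr, domain)) {
        target = addr;
    } else {
        return 0;                                   /* trap */
    }
    local_segment[target & OFFSET_MASK] = value;
    return target;
}

/* Constructed scenario: code in domain 2 stores through an address that
 * points into domain 3 (0x3005 = Domain # 3, Offset 5). */
uint32_t run_demo(bool use_mask) {
    return sandboxed_store(2u, 0x3005u, 0xAA, use_mask);
}

int main(void) {
    printf("trap mode -> 0x%x\n", run_demo(false)); /* 0: store refused */
    printf("mask mode -> 0x%x\n", run_demo(true));  /* 0x2005: redirected */
    return 0;
}
```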
OS-provided reference monitors (slide 10)
- OS provides reference monitors for most security-critical resources
  - Program opens file in Unix: OS checks permissions
  - Program allocates memory space: OS checks that program is allowed to allocate, and that there's space available
- Limited flexibility