retrofitting legacy code for security vinod ganapathy computer sciences department university of...
TRANSCRIPT
![Page 1: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/1.jpg)
Retrofitting Legacy Code for Security
Vinod GanapathyComputer Sciences Department
University of Wisconsin-Madison
![Page 2: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/2.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 2
Principle of Design for Security
Historic example: • MULTICS [Corbato et al. ‘65]
More recent examples:• Operating systems • Database servers
To create a secure system, designit to be secure from the ground up
![Page 3: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/3.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 3
Relevance of the Principle today
Deadline-driven software development• Design.Build.(Patch)* is here to stay
Diverse/Evolving security requirements• MULTICS security study [Karger and Schell, ‘72]
Most deployed software is not designed for security
![Page 4: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/4.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 4
Retrofitting legacy code
Need systematic techniques toretrofit legacy code for security
Legacycode
Retrofitted code
INSECURE SECURE
![Page 5: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/5.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 5
Retrofitting legacy code
Enforcing type safety • CCured [Necula et al. ’02]
Partitioning for privilege separation• PrivTrans [Brumley and Song, ’04]
Enforcing authorization policies
Need systematic techniques toretrofit legacy code for security
![Page 6: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/6.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 6
Resource manager
Enforcing authorization policies
Resource user
Operation request Response
Authorization policy‹Alice, /etc/passwd, File_Read›
Reference monitor
Allowed? YES/NO
![Page 7: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/7.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 7
Retrofitting for authorization Mandatory access control for Linux
• Linux Security Modules [Wright et al.,’02]
• SELinux [Loscocco and Smalley,’01]
Secure windowing systems• Trusted X, Compartmented-mode workstation,
X11/SELinux [Epstein et al.,’90][Berger et al.,’90][Kilpatrick et al.,’03]
Java Virtual Machine/SELinux [Fletcher,‘06]
IBM Websphere/SELinux [Hocking et al.,‘06]
Painstaking, manual procedure
![Page 8: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/8.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 8
Contributions
Fingerprints: New abstraction to represent security-sensitive operations
Reduced effort to retrofit legacy code for authorization policy enforcement• From several years to a few hours• Applied to X server, Linux kernel, PennMUSH
Analyses and transformations forauthorization policy enforcement
![Page 9: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/9.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 9
Outline Motivation Problem
• Example• Retrofitting legacy code: Lifecycle
Solution
![Page 10: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/10.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 10
X server with multiple X clients
REMOTE
LOCAL
![Page 11: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/11.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 11
REMOTE
Malicious remote X client
LOCAL
![Page 12: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/12.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 12
REMOTE
Undesirable information flow
LOCAL
![Page 13: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/13.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 13
Desirable information flow
LOCAL
REMOTE
![Page 14: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/14.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 14
Other policies to enforce Prevent unauthorized
• Copy and paste• Modification of inputs meant for other clients• Changes to window settings of other clients
• Retrieval of bitmaps: Screenshots
[Berger et al., ’90]
[Epstein et al., ‘90]
[Kilpatrick et al., ‘03]
![Page 15: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/15.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 15
X server
X server with authorization
X client
Operation request Response
Authorization policy
Reference monitor
Allowed? YES/NO
![Page 16: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/16.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 16
Outline Motivation Problem
• Example• Retrofitting legacy code: Lifecycle
Solution
![Page 17: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/17.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 17
Retrofitting lifecycle
1. Identify security-sensitive operations
2. Locate where they are performed in code
3. Instrument these locations
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code Policy checks
Can the client receive this
Input_Event?
![Page 18: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/18.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 18
Problems Time-consuming
• X11/SELinux ~ 2 years [Kilpatrick et al., ‘03]
• Linux Security Modules ~ 2 years [Wright et al., ‘02]
Error-prone [Zhang et al., ‘02][Jaeger et al., ‘04]
• Violation of complete mediation• Time-of-check to Time-of-use bugs
![Page 19: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/19.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 19
Our approach
Retrofitting takes just a few hours• Automatic analysis: ~ minutes• Interpreting results: ~ hours
Basis to prove security of retrofitted code
Reduces errors
Reduces manual effort
![Page 20: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/20.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 20
Approach overviewLegacy code
Retrofitted code
Miner
Fingerprints
Matcher
![Page 21: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/21.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 21
Outline Motivation Problem Solution
• Fingerprints [CCS’05]• Dynamic fingerprint mining• Static fingerprint mining
![Page 22: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/22.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 22
What are fingerprints?
Resource accesses that are unique to a security-sensitive operation
Denote key steps needed to perform the security-sensitive operation on a resource
Code-level signatures of security-sensitive operations
![Page 23: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/23.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 23
Examples of fingerprints Input_Event :-
Cmp xEvent->type == KeyPress
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code
![Page 24: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/24.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 24
Examples of fingerprints Input_Event :-
Cmp xEvent->type == KeyPress Input_Event :- Cmp xEvent->type == MouseMove
Map :- Set Window->mapped to True & Set xEvent->type to MapNotify
Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0
![Page 25: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/25.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 25
MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) { ... // Code that maps each child window
... }}
Fingerprint matching X server function MapSubWindows
Performs Enumerate
Enumerate :- Read Window->firstChild & Read Window->nextSib & Cmp Window ≠ 0
![Page 26: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/26.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 26
MapSubWindows(Window *pParent, Client *pClient) { Window *pWin; … // Run through linked list of child windows if CHECK(pClient,pParent,Enumerate) == ALLOWED { pWin = pParent->firstChild; … for (;pWin != 0; pWin=pWin->nextSib) { ... // Code that maps each child window
... } } else { HANDLE_FAILURE }}
Placing authorization checks X server function MapSubWindows
![Page 27: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/27.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 27
Fingerprint matching Currently employ simple pattern matching More sophisticated matching possible
• Metacompilation [Engler et al., ‘01]
• MOPS [Chen and Wagner, ‘02] Inserting authorization checks is akin to
static aspect-weaving [Kiczales et al., ’97]
Other aspect-weaving techniques possible• Runtime aspect-weaving
![Page 28: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/28.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 28
Outline Motivation Problem Solution
• Fingerprints• Dynamic fingerprint mining [Oakland’06]• Static fingerprint mining
![Page 29: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/29.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 29
Dynamic fingerprint mining
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code
Output: FingerprintsInput_Event :- Cmp xEvent->type == KeyPress
![Page 30: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/30.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 30
Dynamic fingerprint mining Security-sensitive operations [NSA’03]
Use this information to induce the program to perform security-sensitive operations
Input_Event Input to window from device
Create Create new window
Destroy Destroy existing window
Map Map window to console
![Page 31: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/31.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 31
Problem definition S: Set of security-sensitive operations D: Descriptions of operations in S R: Set of resource accesses
• Read/Set/Cmp of Window/xEvent
Each s є S has a fingerprint• A fingerprint is a subset of R• Contains a resource access unique to s
Problem: Find fingerprints for each security-sensitive operation in S using D
![Page 32: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/32.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 32
Traces contain fingerprints
Induce security-sensitive operation • Typing to window will induce Input_Event
Fingerprint must be in runtime trace • Cmp xEvent->type == KeyPress
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code Runtime trace
![Page 33: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/33.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 33
Compare traces to localize
Localize fingerprint in trace• Trace difference and intersection
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code Runtime trace
![Page 34: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/34.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 34
Runtime traces Trace the program and record reads/writes
to resource data structures• Window and xEvent in our experiments
Example: from X server startup (In function SetWindowtoDefaults) Set Window->prevSib to 0 Set Window->firstChild to 0 Set Window->lastChild to 0
… about 1400 such resource accesses
![Page 35: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/35.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 35
Using traces for fingerprinting Obtain traces for each security-sensitive
operation• Series of controlled tracing experiments
Examples• Typing to keyboard generates Input_Event• Creating new window generates Create• Creating window also generates Map• Closing existing window generates Destroy
![Page 36: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/36.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 36
Comparison with “diff” and “∩”
Open
xterm
Close
xterm
Move
xterm
Open
browser
Switch
windows
Create
Destroy
Map
Unmap
Input_Event
Annotation is a manual step
![Page 37: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/37.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 37
- Move xtermCreate = Open xterm ∩ Open browser
Comparison with “diff” and “∩”
Open
xterm
Close
xterm
Move
xterm
Open
browser
Switch
windows
Create
Destroy
Map
Unmap
Input_Event
Perform same set operations on resource accesses
![Page 38: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/38.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 38
Set equations Each trace has a set of labels
• Open xterm: {Create, Map}• Browser: {Create, Destroy, Map, Unmap}• Move xterm: {Map, Input_Event}
Need set equation for {Create}• Compute an exact cover for this set• Open xterm ∩ Open browser – Move xterm
Perform the same set operations on the set of resource accesses in each trace
![Page 39: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/39.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 39
Experimental methodologySource code
Server with logging enabled
Raw traces
Relevant portions of traces
Pruned traces
gcc –-enable-logging
Run experiments and collect traces
Localize security-sensitive operation
Compare traces with “diff” and “∩”
![Page 40: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/40.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 40
Dynamic mining: Results1,000,000
54,000
900
126
1
10
100
1,000
10,000
100,000
1,000,000
Source Code Raw Traces RelevantPortions
PrunedTraces
Siz
e
Each fingerprint localized towithin 126 resource accesses
![Page 41: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/41.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 41
1. Incomplete: False negatives2. High-level description needed 3. Operations are manually induced
Limitations of dynamic mining
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code Runtime trace
![Page 42: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/42.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 42
Outline Motivation Problem Solution
• Fingerprints• Dynamic fingerprint mining• Static fingerprint mining [ICSE’07]
![Page 43: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/43.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 43
Static fingerprint mining
Input_EventCreateDestroyCopyPasteMap
Security-sensitive operations Source Code
Output: Candidate FingerprintsCmp xEvent->type == KeyPress
Resources
• Window• xEvent
![Page 44: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/44.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 44
Problem definition R: Set of resource accesses
• Read/Set/Cmp of Window/xEvent
Each trace of the program contains a set of resource accesses from R
Problem: Compute smallest mutually disjoint partition P = {C1, C2, …, Cn} of R
• R = C1 U C2 U … U Cn
• Resource accesses in each trace of the program are composed of elements of P
![Page 45: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/45.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 45
Problem definition
C1, C2, …, Cn called candidate fingerprints
Hypothesis: Candidate fingerprints represent security-sensitive operations
C1
C2
C3
C4
C1
C2
C4
C4
![Page 46: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/46.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 46
Each entry point implicitly defines a set of traces through the program
Resource accesses performed by these traces can be statically characterized
Entry points define tracesSource Code Program traces
API
![Page 47: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/47.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 47
Static analysis Extract resource accesses potentially
possible via each entry point Example from the X server
• Entry point: MapSubWindows(…)• Resource accesses:
Set xEvent->type To MapNotify Set Window->mapped To True
Read Window->firstChildRead Window->nextSibCmp Window ≠ 0
![Page 48: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/48.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 48
Resource accessesMapSub
Windows
Map
Window
KeyboardInput
Set xEvent->type To MapNotify
Set Window->mapped To True
Read Window->firstChild
Read Window->nextSib
Cmp Window ≠ 0
Cmp xEvent->type==KeyPress
270 API functions430 distinct resource accesses
Identify candidate fingerprints by comparing resource accesses
![Page 49: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/49.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 49
FeaturesInstances
Concept analysisMapSub
Windows
Map
Window
KeyboardInput
Set xEvent->type To MapNotify
Set Window->mapped To True
Read Window->firstChild
Read Window->nextSib
Cmp Window ≠ 0
Cmp xEvent->type==KeyPress
Comparison via hierarchical clustering
![Page 50: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/50.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 50
A B C
123456
Hierarchical clustering
Cmp xEvent->type==KeyPress
Cmp Window ≠ 0
Read Window->nextSib
Read Window->firstChild
Set Window->mapped To True
Set xEvent->type To MapNotify
Keyboard
Input
Map
Window
MapSub
Windows
{A,B,C}, Ф
{A,B}, {1,2}
{A}, {1,2,3,4,5}
{C}, {6}
Ф, {1,2,3,4,5,6}
![Page 51: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/51.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 51
{A}, {1,2,3,4,5}
A B C
123456
Mining candidate fingerprints
Cmp xEvent->type==KeyPress
Cmp Window ≠ 0
Read Window->nextSib
Read Window->firstChild
Set Window->mapped To True
Set xEvent->type To MapNotify
Keyboard
Input
Map
Window
MapSub
Windows
{A,B,C}, Ф
{A,B}, {1,2}{C}, {6}
Ф, {1,2,3,4,5,6}
Cand. Fing. 1
Cand. Fing. 2
Cand. Fing. 3
![Page 52: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/52.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 52
Static mining: Results
1.438
3.7115
3.718
94,014PennMUSH
30,096X Server/dix
4,476ext2
Avg. SizeCand. Fing.LOCBenchmark
1
10
100
1,000
10,000
100,000
ext2 X server PennMUSH
Siz
e
![Page 53: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/53.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 53
X Server/dix
ext2
Benchmark
22
11
Manually identified
Security-sensitive ops
Candidate
fingerprints
Static mining: Results
115
18
Able to find at least one fingerprint for each security-sensitive operation
![Page 54: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/54.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 54
Identified automatically in a few minutesInterpretation takes just a few hours
Identified as part of multi-year efforts
Static mining: Results
115
18
X Server/dix
ext2
Benchmark
22
11
Manually identified
Security-sensitive ops
Candidate
fingerprints
![Page 55: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/55.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 55
Associated 59 candidate fingerprints with security-sensitive operations
Remaining are likely security-sensitive too
Static mining: Results
X Server/dix
ext2
Benchmark
22
11
Manually identified
Security-sensitive ops
Candidate
fingerprints
115
18
Read Window->DrawableRec->width & Read Window->DrawableRec->height
![Page 56: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/56.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 56
Summary of contributions
Input_EventCreateDestroyCopyPasteMap
Can the client receive this
Input_Event?
Fingerprints
Matching[CCS’05]
Mining[Oakland’06][ICSE’07]
![Page 57: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/57.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 57
Implications
Before: Approximately 2 years After: Few hours
• Analysis: ~ minutes; Interpretation: ~ hours
Before: Violation of complete mediation After: Basis to prove security
Can reduce manual effort
Can reduce errors
![Page 58: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/58.jpg)
Vinod Ganapathy Retrofitting Legacy Code for Security 58
Future work Emitting security proofs
• Guarantee that retrofitted code satisfies principle of complete mediation
• Counter-example must add additional authorization checks
More expressive fingerprint languages• Temporal information on resource accesses• Encode dataflow facts in fingerprints
![Page 59: Retrofitting Legacy Code for Security Vinod Ganapathy Computer Sciences Department University of Wisconsin-Madison vg@cs.wisc.edu](https://reader035.vdocuments.net/reader035/viewer/2022062315/56649da05503460f94a8bd01/html5/thumbnails/59.jpg)
Retrofitting Legacy Code for Security
Vinod GanapathyComputer Sciences Department
University of Wisconsin-Madison
http://www.cs.wisc.edu/~vg