Abstract. We present a framework that automatically produces suggestions to resolve type errors in security-typed programs, enabling legacy code to be retrofit with comprehensive security policy mediation. Resolving such type errors requires selecting a placement of mediation statements that implement runtime security decisions, such as declassifiers and authorization checks. Manually placing mediation statements in legacy code can be difficult, as there may be several, interacting type errors. In this paper, …
“…Given available security policies, we claim that building system-wide information flow problems can be largely automated, resulting in a similar effort as configuring information flow problems for single entities (programs or MAC policies). We design an automated method to produce mediator placements from such problems that is an extension of the basic graph cut idea [37,19] to address general lattices and constrained mediators.…”
Section: Design
“…Researchers had the insight that placing a mediator to resolve information flow errors for a lattice policy containing two levels li and lj is tantamount to generating an edge cut of the data flow graph with the nodes mapped to li as the sources and the nodes mapped to lj as the sinks [37,19]. This property is called Cut-Mediation Equivalence.…”
Section: Computing Minimal Mediation
“…In the context of security lattices, researchers previously suggested a simple greedy solution to the problem that returns the union of the solutions for each individual cut problem [19].…”
Section: Computing Minimal Mediation
“…Our goal is to use the system's available security policies to produce a system-wide policy with the minimal mediation necessary to resolve the system's information flow errors as defined in Definition 2.1. We are motivated by prior work that demonstrated that a placement of mediators that resolves all information flow errors is equivalent to a cut of error paths in the data flow graph [37,19]. However, to make this idea practical, we explore how to produce an information flow policy for the example web application that resolves its local and remote threats.…”
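Cut-Mediation Equivalence and the greedy union of per-pair cuts quoted above, worked through on a small data-flow graph. This is an added example written for this page, not the paper's tool or code: the graph, its node names, the three-level integrity lattice and the name may_flow are all assumptions. Each forbidden level pair (li, lj) becomes a unit-capacity minimum s-t cut with the li nodes as sources and the lj nodes as sinks; the placement is the union of those cuts, and a final reachability check confirms that no unmediated error path remains.

```python
"""Mediator placement via graph cuts: an added worked example, not the paper's tool.
For each forbidden level pair (li, lj), mediators resolving all li -> lj flow errors
form an edge cut with li nodes as sources and lj nodes as sinks (Cut-Mediation
Equivalence); the greedy lattice solution is the union of the per-pair minimum cuts."""
from collections import defaultdict, deque
INF = float("inf")

# Constructed toy data-flow graph for a web stack (assumed; not taken from the paper).
# Integrity levels: 0 = remote/untrusted, 1 = web application, 2 = database/config.
LEVEL_OF = {
    "net_socket": 0,
    "http_parser": 1, "session": 1, "template": 1,
    "sql_query": 2, "db_file": 2, "config_file": 2,
}
EDGES = [  # (writer, reader): data flows from the first node into the second
    ("net_socket", "http_parser"),
    ("http_parser", "session"),
    ("http_parser", "template"),
    ("session", "sql_query"),
    ("template", "sql_query"),
    ("sql_query", "db_file"),
    ("config_file", "http_parser"),  # high -> low integrity: allowed, no error
    ("db_file", "template"),         # high -> low integrity: allowed, no error
]

def may_flow(src_level, dst_level):
    """Integrity lattice: data may flow only from higher-or-equal to lower integrity."""
    return src_level >= dst_level

def min_cut_edges(edges, sources, sinks):
    """Minimum set of data-flow edges whose removal separates every source from every sink.
    Data-flow edges get unit capacity (one mediator each); super-source/sink edges are
    infinite so a cut never falls on a node itself (Edmonds-Karp, then residual reach)."""
    res = defaultdict(dict)  # residual capacities res[u][v]
    def add_edge(u, v, cap):
        res[u][v] = res[u].get(v, 0) + cap
        res[v].setdefault(u, 0)  # reverse edge so flow can be pushed back
    for u, v in edges:
        add_edge(u, v, 1)
    for s in sources:
        add_edge("S", s, INF)
    for t in sinks:
        add_edge(t, "T", INF)
    while True:  # augment along shortest residual S -> T paths until none remains
        parent, queue = {"S": None}, deque(["S"])
        while queue and "T" not in parent:
            u = queue.popleft()
            for v, cap in res[u].items():
                if cap > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if "T" not in parent:
            break
        path, v = [], "T"
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(res[u][v] for u, v in path)
        for u, v in path:
            res[u][v] -= bottleneck
            res[v][u] += bottleneck
    reach, queue = {"S"}, deque(["S"])  # source side of the minimum cut
    while queue:
        u = queue.popleft()
        for v, cap in res[u].items():
            if cap > 0 and v not in reach:
                reach.add(v)
                queue.append(v)
    return {(u, v) for u, v in edges if u in reach and v not in reach}

def place_mediators(edges, level_of, allowed):
    """Greedy lattice placement: union of minimum cuts over every forbidden level pair."""
    levels = sorted(set(level_of.values()))
    placement = set()
    for li in levels:
        for lj in levels:
            if li != lj and not allowed(li, lj):
                sources = [n for n, lvl in level_of.items() if lvl == li]
                sinks = [n for n, lvl in level_of.items() if lvl == lj]
                placement |= min_cut_edges(edges, sources, sinks)
    return placement

def has_error_path(edges, level_of, allowed, placement):
    """True if an unmediated path still carries data from a level to one it may not reach."""
    adj = defaultdict(list)
    for u, v in edges:
        if (u, v) not in placement:
            adj[u].append(v)
    for start in level_of:
        seen, queue = {start}, deque([start])
        while queue:
            for v in adj[queue.popleft()]:
                if v in seen:
                    continue
                if not allowed(level_of[start], level_of[v]):
                    return True
                seen.add(v)
                queue.append(v)
    return False

if __name__ == "__main__":
    mediators = place_mediators(EDGES, LEVEL_OF, may_flow)
    print("mediators:", sorted(mediators))
    print("errors remain:", has_error_path(EDGES, LEVEL_OF, may_flow, mediators))
```

On this graph the three mediated edges (the socket-to-parser edge for the remote boundary, and both edges into sql_query for the application-to-database boundary) are also a global minimum, because the two forbidden boundaries share no edge. In general the greedy union can over-mediate when per-pair cuts could have been chosen to share edges, which is the gap the quoted work closes for general lattices. Constrained mediators, where some edges cannot host a mediator, can be modelled in this cut formulation by giving those edges infinite capacity; that modelling choice is an assumption of this example, not a description of the paper's method.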
Modern distributed systems are composed from several off-the-shelf components, including operating systems, virtualization infrastructure, and application packages, upon which some custom application software (e.g., a web application) is often deployed. While several commodity systems now include mandatory access control (MAC) enforcement to protect the individual components, the complexity of such MAC policies and the myriad of possible interactions among individual hosts in distributed systems make it difficult to identify the attack paths available to adversaries. As a result, security practitioners react to vulnerabilities as adversaries uncover them, rather than proactively protecting the system's data integrity. In this paper, we develop a mostly-automated method to transform a set of commodity MAC policies into a system-wide policy that proactively protects system integrity, approximating the Clark-Wilson integrity model. The method uses the insights from the Clark-Wilson model, which requires integrity verification of security-critical data and mediation at program entrypoints, to extend existing MAC policies with the proactive mediation necessary to protect system integrity. We demonstrate the practicality of producing Clark-Wilson policies for distributed systems on a web application running on virtualized Ubuntu SELinux hosts, where our method finds: (1) that only 27 additional entrypoint mediators are sufficient to mediate the threats of remote adversaries over the entire distributed system and (2) that only 20 additional local threats require mediation to approximate Clark-Wilson integrity comprehensively. As a result, available security policies can be used as a foundation for proactive integrity protection from both local and remote threats.
“…However, building either attack trees or attack graphs currently requires knowledge about the likely vulnerabilities on individual hosts, which may be incomplete (i.e., previously-unknown vulnerabilities may be missed) and brittle (i.e., vulnerabilities may be patched). Alternatively, researchers have developed methods to place security monitoring to block or limit adversary access to prevent attacks based on classical problems [27,30,17]. These methods focus on only one layer of the system, such as the network, a single host, or a single program because the size of the graphs becomes prohibitive.…”
System administrators employ network monitors, such as traffic analyzers, network intrusion prevention systems, and firewalls, to protect the network's hosts from remote adversaries. The problem is that vulnerabilities are caused primarily by errors in the host software and/or configuration, but modern hosts are too complex for system administrators to understand, limiting monitoring to known attacks. Researchers have proposed automated methods to compute network monitor placements, but these methods also fail to model attack paths within hosts and/or fail to scale beyond tens of hosts. In this paper, we propose a method that leverages commonality in the available access control policies across hosts to compute network monitor placements for large-scale systems. We introduce an equivalence property, called flow equivalence, which reduces the size of the placement problem to be proportional to the number of unique host configurations. This process enables us to solve mediation placement problems for thousands of hosts with access control policies containing thousands of rules in seconds (less than 125 seconds for a network of 9500 hosts). Our method enables administrators to place network monitors in large-scale networks automatically, leveraging the actual host configuration, to detect and prevent network-borne threats.
Abstract. It is no surprise to say that attackers have the upper hand on security practitioners today when it comes to host security. There are several causes for this problem, ranging from unsafe programming languages to the complexity of modern systems at large, but fundamentally, all of the parties involved in constructing and deploying systems lack a methodology for reasoning about the security impact of their design decisions. Previous position papers have focused on identifying particular parties as being "enemies" of security (e.g., users and application developers), and proposed removing their ability to make security-relevant decisions. In this position paper, we take this approach a step further by "keeping the enemies closer," whereby the security ramifications of design and deployment decisions of all parties must be evaluated to determine if they violate security requirements or are inconsistent with other parties' assumptions. We propose a methodology whereby application developers, OS distributors, and system administrators propose, evaluate, repair, and test their artifacts to provide a defensible attack surface, the set of entry points available to an attacker. We propose the use of a hierarchical state machine (HSM) model as a foundation for automatically evaluating attack surfaces for programs, OS access control policies, and network policies. We examine how the methodology tasks can be expressed as problems in the HSM model for each artifact, motivating the possibility of a comprehensive, coherent, and mostly-automated methodology for deploying systems to manage accessibility to attackers.