11162004.ppt

11/16/2004 CS851 Malware Proof-Carrying Code: A Language-Based Security Approach Thao Doan Wei Hu Liqian Luo Jinlin Yang CS851 Malware 11/16/2004 Outline Introduction To Language-based Security Proof-carrying Code (PCC) Example 1: Network Packet Filters Example 2: A Certifying Compiler For Java Issues With PCC Discussion Part 1 Introduction to Language-Based Security Malicious code - A growing problem What is malicious code? “any code added, changed, removed from a software system in order to intentionally cause harm or subvert the intended function of the system.” What makes it a growing problem? Growing connectivity (the Internet) Growing complexity of systems Support for extensibility Two well-known security design principles Principle of Least Privilege a component should be given the minimum privilege necessary to accomplish its task Ex: file access Principle of Minimum Trusted Computing Base keep the TCB as small and simple as possible (~ the KISS principle) Ex: JVM, Proof Checker of PCC  Approaches against malicious code Analyze the code : before execution [reject] Ex: scanning, compiler’s dataflow analysis Rewrite the code : before execution [modify] Ex: BEQZ R4, BadCode ? BEQZ R4, GoodCode Monitor the code : during execution [stop before harm] Ex: OS’ page translation hardware Audit the code : during execution [police on harm] Ex: audit trail to assess and address the problem Disadvantages of traditional approaches Miss unseen cases Trust entities required Performance Burden on consumers Motivation of language based security Is it possible to enforce security on the semantics or behavior of the code? Types, logics, proofs come into play Examples Type-Safe Languages Proof-Carrying Code Part 2 Proof-Carrying Code: Concept and Implementation  Type-safe languages Type gives semantic meaning to ultimately mere bits associated either with values in memory or with objects Type-safe languages: have complete type systems e.g., Java, C#, ML Code produc