Retrofitting legacy code for authorization policy enforcement

Researchers have argued that the best way to construct a secure system is to proactively integrate security into the design of the system. However, this tenet is rarely followed because of economic and practical considerations. Instead, security mechanisms are added as the need arises, by retrofitting legacy code. Existing techniques to do so are manual and ad hoc, and often result in security holes. We present program analysis techniques to assist the process of retrofitting legacy code for authorization policy enforcement. These techniques can be used to retrofit legacy servers, such as X window, Web, proxy, and cache servers. Because such servers manage multiple clients simultaneously, and offer shared resources to clients, they must have the ability to enforce authorization policies. A developer can use our techniques to identify security-sensitive locations in legacy servers, and place reference monitor calls to mediate these locations. We demonstrate our techniques by retrofitting the X11 server to enforce authorization policies on its X clients.
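The retrofit the abstract describes boils down to two things: find the places in the server where a shared resource is touched on behalf of a client, and put a reference monitor call in front of each one. The following C sketch is an added illustration of that end state and is not code from the paper or from the X11 server. The resource type (`window_t`), the policy table, and the `rm_authorize` function are all constructed for this example; a real server would consult an external policy engine (the paper's X11 work targets SELinux-style policies) rather than a hard-coded table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a server-managed resource shared among clients.
 * Each object carries the identity of the client that created it. */
typedef enum { OP_READ = 1, OP_WRITE = 2, OP_DESTROY = 4 } op_t;

typedef struct {
    int  id;
    int  owner;      /* client id of the creator */
    char data[32];
} window_t;

/* One policy rule: <client> may perform <allowed> operations on objects
 * owned by <owner_of_object>. Hypothetical policy format for this example. */
typedef struct { int client; int owner_of_object; unsigned allowed; } rule_t;

static const rule_t policy[] = {
    { .client = 2, .owner_of_object = 1, .allowed = OP_READ },   /* 2 may read 1's windows */
};

/* The reference monitor: the single decision point every mediated
 * operation must pass through. Owners may do anything to their own
 * objects; everything else needs an explicit rule. Default is deny. */
bool rm_authorize(int client, const window_t *w, op_t op) {
    if (client == w->owner)
        return true;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (policy[i].client == client &&
            policy[i].owner_of_object == w->owner &&
            (policy[i].allowed & op) == op)
            return true;
    }
    return false;
}

/* BEFORE: the legacy entry point. It is a security-sensitive location
 * (it mutates a shared resource) but has no idea which client asked. */
int legacy_set_window_data(window_t *w, const char *s) {
    strncpy(w->data, s, sizeof w->data - 1);
    w->data[sizeof w->data - 1] = '\0';
    return 0;
}

/* AFTER: the retrofitted entry point. The requesting client is threaded
 * through and the reference monitor is consulted before the operation. */
int set_window_data(int client, window_t *w, const char *s) {
    if (!rm_authorize(client, w, OP_WRITE))
        return -1;                      /* denied: resource untouched */
    return legacy_set_window_data(w, s);
}

const char *get_window_data(int client, const window_t *w) {
    if (!rm_authorize(client, w, OP_READ))
        return NULL;                    /* denied */
    return w->data;
}

/* Runs a fixed sequence of requests from three clients against one window
 * and returns how many were denied, so the mediation can be checked. */
int count_denials(void) {
    window_t w = { .id = 7, .owner = 1, .data = "initial" };
    int denied = 0;
    denied += set_window_data(1, &w, "owner-write") != 0;   /* owner: allowed */
    denied += set_window_data(2, &w, "other-write") != 0;   /* no rule: denied */
    denied += get_window_data(2, &w) == NULL;               /* rule permits read */
    denied += get_window_data(3, &w) == NULL;               /* no rule: denied */
    denied += !rm_authorize(2, &w, OP_DESTROY);             /* only READ granted */
    return denied;
}

int main(void) {
    printf("denied requests in demo sequence: %d\n", count_denials());
    return 0;
}
```

The point of the shape is that the decision logic lives in one place and the retrofit is mechanical once the sensitive locations are known: each gains a client parameter and a single guarded call. The hard part, which the paper's analyses address, is finding every such location; a missed one leaves an unmediated path to the resource, which is exactly the kind of hole that ad hoc retrofits tend to leave.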
