Secure Programming via Visibly Pushdown Safety Games

Several recent operating systems provide system calls that allow an application to explicitly manage the privileges of the modules with which it interacts. Such privilege-aware operating systems allow a programmer to write a program that satisfies a strong security policy even when it interacts with untrusted modules. However, it is often non-trivial to rewrite a program so that it correctly uses these system calls to satisfy a high-level security policy. This paper concerns the policy-weaving problem: take as input a program, a desired high-level policy for the program, and a description of how the system calls affect privilege, and automatically rewrite the program to invoke the system calls so that it satisfies the policy. We present an algorithm that solves the policy-weaving problem by reducing it to finding a winning modular strategy in a visibly pushdown safety game, and applying a novel game-solving algorithm to the resulting game. Our experiments demonstrate that our algorithm can efficiently rewrite practical programs for a practical privilege-aware system.
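To make the safety-game view of policy weaving concrete, here is an added toy example (not the paper's algorithm or code). It flattens the game to a finite graph with no call/return stack, so it is a simplification of the paper's visibly pushdown game: the weaver (player 0) decides on each edge whether to insert a privilege-dropping system call, the environment (player 1) picks branches at an input-dependent dispatch point, and the policy is violated if an untrusted module ever runs privileged or a privileged operation runs unprivileged. The program graph, location names and policy sets are constructed for the illustration.

```python
from itertools import product

# Constructed program graph: location -> successor locations.
SUCC = {"entry": ["read_config"], "read_config": ["dispatch"],
        "dispatch": ["parse_untrusted", "handle_local"],
        "parse_untrusted": ["exit"], "handle_local": ["exit"],
        "exit": ["exit"]}
ENV_OWNED = {"dispatch"}         # branch chosen by untrusted input (player 1)
NEEDS_PRIV = {"read_config"}     # policy: must execute with privilege
UNTRUSTED = {"parse_untrusted"}  # policy: must never execute with privilege


def bad(state):
    """A state (location, privileged?) that violates the policy."""
    loc, priv = state
    return (loc in UNTRUSTED and priv) or (loc in NEEDS_PRIV and not priv)


def moves(state):
    """Successor states, each labelled with the weaver's action on that edge."""
    loc, priv = state
    out = []
    for nxt in SUCC[loc]:
        out.append(("keep", (nxt, priv)))
        if priv and loc not in ENV_OWNED:  # weaver may insert a privilege drop
            out.append(("drop", (nxt, False)))
    return out


def winning_region():
    """Greatest fixpoint: states from which the weaver can avoid bad states forever."""
    win = {s for s in product(SUCC, [True, False]) if not bad(s)}
    changed = True
    while changed:
        changed = False
        for s in list(win):
            safe = [t in win for _, t in moves(s)]
            # Environment states need every successor safe; weaver states need one.
            if not (all(safe) if s[0] in ENV_OWNED else any(safe)):
                win.discard(s)
                changed = True
    return win


def strategy(win):
    """Pick, for each winning weaver state, an action that stays inside win.
    'keep' is listed first, so a drop syscall is inserted only where needed."""
    strat = {}
    for s in win:
        if s[0] in ENV_OWNED:
            continue
        strat[s] = next(act for act, t in moves(s) if t in win)
    return strat
```

Running `strategy(winning_region())` shows the weaver keeping privilege through read_config and dropping it on the edge into dispatch, which is exactly the instrumentation point a policy weaver would emit.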
