ࡱ> F^nh.en%JFIFC    $.' ",#(7),01444'9=82<.342C  2!!22222222222222222222222222222222222222222222222222" }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz w!1AQaq"2B #3Rbr $4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz ?( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (:OIlв0x=1QA];#ڮ?@)gĔu{f~FݟʼF >q<ϻ,O'tfR~`s޸.MT"CkaE*}ۆh!Ya$UƼVMyˀ1Ԟ%+g$0D;r;0x\1DJQ\*9+k7WZ#Օ9 3_BkRn|1쑳8_8id 3^em*Oܑd=s>UIVEE`QEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEauەJ㎘<ʫ Ӯ`_$LTTWEEHк S!U  2@Fr9Al ˸'h9$5˺6[$ l`_FY\ .F1,j5NU#O O-vMџl1UEEE`y'.-ȥ*غ1c9Kq$oh؀`X7,̘=j+FK#9WM&Θu3>!)*@'> nwj7+mh}zs\c+A֟)dMF Y[Qp+ ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (]kGG8[n-k5ޟ-:go`;?5!<]_뚩vmL{rpӭchsKK u#<޹ڳӡz#* i+P:v#5=z)S]ʃ69bKޓK%}k_^P,Lr98QʳU{:QB .+mfMps ^f=@ ӰV$zJBN(((((((((((((((((((((((((((HX6VOאx*ck{)^^+;+/ EryPtsWѦkOTѥA,FBIm98p w"$zΗFM yƜn' =5Ѥv>mٻr Ă&<ܛ=X+ 'r_ >wh4R Z6 yӢd e5mz$Z$2O$jK^ i%+s#֫jd ^ͱRE<o,͆gj~׎nۜM:+9۞L׹#fu6AEWQQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEW|ThL(EB8^p֐xh'k4ʗ%C:ttCor.܃X ݓr*[0K$px8Zv׮4fUag=8MjhA@b2I'Jt|`cwdsPd۵[Zx"귥ظ8V*Bt<Y'̬@$u5>uKv؆[$*&55|:Ӗ@ۘEVaEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEP\/쁔318-꼳P[TyC1=1gEu<Âga#eqD҂Tڋ $_-Q 'qV/#-1G5Z~ŌWQ`gϭoJ3>r\>uy5#,Me`F{lw%b8agRteR{7 ֥28茏)'Q\R<%d|ͼ_?C9~΍В'$֭wV90* ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( E wa[KϧkԫXXg{7ZƮ3ͬm&WqN˂2MGR6Ӏn|o "gRFQPFGC\MYY0dGaW-nYaqTt'.\Ơ0q)4vB#HȤm%-1HjAN[o5b{'hHu?멮_oyWQ]a?QZQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEF6ص5>'\7-gcvlFkKLjUJBdmǮjV 9|NX3֦Epچ%ckh9˱ «iS$SwyX嶵IB z`h;l}P8띍!\"ay\'ke3j d'JXtCMwvKF>&QEh@QEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEWJeS41xzJ:(v;氮iMq.`Pb AOEBD!A@[%XT?/IPjQ\YÕBIzV}E\8#= íA6ACp}+"j;֙ 8sC$.!{V,MF8XwJo%M7ayO7v?g޸O˖E1DWw^ᣞŠ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( 58}z$ FGuXb>J{XgvTJ:W: ,`I8RzuSO$aH\Fj9HkpI1Az^5jpZF;O!A)mI-;7MŮ@ykƪ6Z7QױqSPcFJ1[.prqӵmKJG͜)- Q<BP !'8Z$ij!v2~DTsv%z⡶@Vq1={6!Ya4nnAqϥ G8%=pO7lWe\gÒEV'^:# AEVQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@q5ȾM]q4%o43%aSGZڒ>rVn݆8~%ic1X 8N%H^}fBۓL7 ݰܻd#BI*IͲuc$$@اJO^,1ZX!;H: w'xڂ2. v|>lŪ М~ kaS ( ((((((((((((((((((((((((((+#RҰy"P+Cc7ZgÃ$)|_p%0!vi- GTLp×'YA c޹%8@Ȳ0W\*! S$BjOQQol 㑚ͫ}It_T3ںK1~UJ5{Gj0ҢpD0{SNOslX@đN{>; x8j:}S(H ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( n1 H3/Wa\+`.kwiK#Y%1!>X`d:qJ5&؆\`JvDOO~?\nEpZ(>07#ic3N`\@=)0kZ IVHq'5mnQ8死:VSbo5f|?Wם4]~עWeT( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( hvAj+=>џtU]?,"ݐ qSj1G I74JǓrhpEgRO ɜgFn{cTЀ/BA?NjXJi;$ާT"UG#Z*Mpj2{ gg؃kFC?=z%y'zSѡ#\+ (؀((((((((((((((((((((((((((Sa?m Z -Vmth֬| hp rxj=uA8 OUhgs1NjOP^ϖz559&_. DŭJ$=jʹ2$OaA ^]פ2ͻ߼aqjS{)05W&uOPIW'{XgkBxU4 {S-pxP;Qzu_(((((((((((((((((((((((((((+NfoPjk+[HJ]c8 YVpz+w* IW-Yedg`?7}+dY_dF=}|$Prif ƓxqE7:}k*v4` G"|-xӮ$s sO/&CVv (((((((((|\b3`Zެ-gWeCGMg޾ ҵn̓zz&!('rjkOm 'N8QBNcsPil`gRx1k 'Tt+vWm U$ l` kxX/t9o^H^Kx'W^^%z tWN~eWtQEtQ@Q@Q@Q@Q@Q@Q@Q@Q@TSʰA$p</$;~ڳy^AױW=ԩb?t{0Yuf(((([YĄLㆮ4[pA9ֲ2E?@ci9Wi^]Ʊ֎_m$ɖνFxE\(؀((((((((<5p@#m^dq |H&\.FHֳuP#c<t.,/I { mj N9r9[ x/9t43e0Co52dv*E|!WoBc x[NRLnj9ǥm#j,v[ʝI)O5Xcb#"N}G:/ʮ(2 ( ( ( ( ( ( ( ( ( N<=,d'i*i0Y$#Yʂ>s\@)U>ٯk a6y -x~A[vmsJ\In4h9(((LA'#7 k3c\ƿ٥/$3/d,1B{ux.\]{NX4*>lsKVLѢ+((((((((+1N|J+JRRqu]?YMR ۏnk*ssT<#,~|Hsڰunnvsh۩-ᘍԾ.oؑ$ 1I ja@ ux6i`FI⥭,~5hd+ĸ\]տ(r㷥`dG8G:χ{%!5{x/àSZq?ucY5{t~2 ( (((((((((/ʉBP=2k sFH?5ݩJ_ڢn]0N@$$Fc*WW!~ʯTsֽ;uܺ㢷?(i3J;(Np(((+pC8=k;^?$FA _{\UUAHq' /ZWEд$Imdʊ2L2Ǯ+ߵ^'$(;5UQ]fEPEPEPEPEPEPEPEPEP^1OZۤǴ ǔahy$qwcMxlS$75rq}O͈荩u*]FHѰXj.5M 7*̏zjۚ9]Jm6KS*r}ʐD}EZQ;mY(`QEQE`I`ey%(g9L,?X;;R6%ڙs^nInsY�#VʢyԎ3^|^]K\jfx>Ofז|#ͬڝ>j`2uPw8x((((((((+܂Iz8Gk5 Ƃ#,k CR4J?'öOZߋ~)BXc}e̢mr+>2mv7@>+:F6g鏷^.IVD236IZ%.zJ+r |D4/{\>ňgu w Z `2H$j% #{{}*|S 9<|R'f?NWkޙtH$1n#[jSh ,6`?S\g/M:DʌdpՕΘn WMRɝyE-y \jԖ-Gsq[+Mb׫{ldy.`9S؏OsW|)ITI |1+kQ{(Ԁ((w[݁XQ~@?׵ׂ^ܮ_L"i݆9ɮ\S[ ̤kK9Pj^ْEdQEQEQEQEQEQEQECKK x98+5aA9PH4&P9)k6)~5kB2IVmQT (((((((ɥ/޾ V-sxí);&ƕݏuU]bOcs:tKcU;OZ5MoV]#K !~t1?V<߯J]Ca#Y["2uRX'$\-du$Yt7|#rWEKxd߃ޱ-º,Ju4᷸eU'D;/c &x,?P?:POPS$Jppp69XD9V5ѕU$+((wps\D5i pO^ˑi=R\g6Z[ x55LjiҺYxA#&ki(:u"ub#,O r*ROq@4C^jn?8ҽ;&z|a1V*?@+VXO5DP>OAЭ;`6rL^UY[wg<{M:N2jJƵQ]AEPEPEPEPEPEPEP\!>ZnO=X^g AxO&lq q!MM 2@ sާ(nf|fXG\q[첋 `YE_Y?/銹;2c!\c<ZjOMRGG+/_>PŚ8OB|&H kؾ]+]RhzŞEWiQEQEr_.>2@Soe#҂ǡ6dkо.y5Wwۜd?#^{ڴJ1 ͮlcP t${ٲa߅ٕL#W5ʭȿJ]  k'E'tY= u=Fgs u$! r=eܨ=*qݜ =zV^D$U\rK5!1Ay({+38 G$H3HUWi$T"u :*2t ksuIief'q*:줭cS*_èg8>\q Gnt3! B3:J/#o,υ?()FG=yδlE*qehkq1¼RxPr +޼?a9/ʧwa\,zW6&{Hїؑx#o*q݀qk?-06>S^mڝL[XoA=UԚz-Q]8QEQEQEQEQEQEQEQEPa6>Mx(ԵۅTnPUq\Z[ZPɼAO5 w|U_jy\,MÁ;Wegٕ$eٸ8_<_]\Lg.$bj~kWqv5-^+0d_Gx/B;q=7zL~v@^0ϥ{X`ڝ(;fp~'|Q91O8*mJfeZwsPl·vGb<˴ݢyRFww wm嬐H2:{qVhՅ\I.9\}Gju+(5$!.a*2GX 9>?Z5үVcpقCIoKcgG]Y1坤Mg#G4MF;><[P3y ۓڹ$7RGxKĶ'ѣ\,뎸=ƺ E/4+F @'iaN3Wo^LwI Fo=[spڢ+s0(((((((/+ZJ35zU.QI,Mzweh1cZLpX*3\ch|&gQV7.A"@G9]0 $#r& -D~uk[-̥ j(Š(((((*9$Hci$eHfchRelT*ICQsj 2܁Qj-m99ϮIRԧTFt8`┹t%ec Mp"G$s+;M}BlfXА>bp*D5ijHrO =׋p|HQ0yZv01KE蜁EPEPJbf#2InikisM ){mFyJ!:Yw 0d5\Bw6EWj~":}ava,9o~=L }&n[T.^@ }Z*ehʬtG9a ~'lwAS{Ϥ^Z.];8<ڟ6f6{]ׇ|5矰騱$xE9HED1TX"u1eo/zw$E"U bi}gm~{{W+>ErN|(Ԁ(((((ԫA /Ğc屵A@Oug۷ӁQQ8)"' cO,; *zS#0#{|9[*C@{w—Z 5sfI %WqvfS=n aI=O[\eqL*_èFp=I{)pI< є{"EX/ΟQs^WP$HD*r`e`wck-t'okh$RA:zIG}|z~%mf[v nkEуU"c5-Zܒ(QEQEQEG$3EI^]-yinӢ$JĮ=@=}߉|W.,_ú_c!$aQ|pIV7]^B:W/ݙ#l{TwxdU!qҷ$WVkQ"5,N8`&쿽;T"r~?ׇum\YJ_'+;xQR8*AZэȨKEWYQEQE$R.QԫxV[[UnR*Uk~;2Iޡ%q gdxU*4g^Nf%DpC:GHgϟBX}g^ Jx`5xSR\rғh9$;:DBg1hoDn<1 k3;v0GOi|?`H۠יks>#0*fj0=Y.RtGI[豵5p ?y<:nK'A9yÓZzWL48!Iz*€@jA cqQi֖4Ց 4ʰY`r/AaoYGkj"Ar}ϩ$XP`RWe:J4QEj@QEQEQEQEQEQEQEV&~$;c0#)'2mlxfx"yl6=y[kk >QʸLa)Ox1H2MڭO )CUh&=W8OksT,6N0>O(Ѱ8;5): yLnan@'#?κ #WzKwǯ#\wgxrIR8#U/LFa@nGib^ۆ]o'~[?i_Dn}3_;(ܫ tVGiïJ.1gWϱk!ܒ"FkB/4qyB4 wLa_{%r.n"2׎\|Teխ w$Ni!{5ipa/}0 HR}܌c韥q߈o5Y6v[XOGGGA\*B֨M=RѲVNd8KJkaL|Ti$')eMк#`7b;822ksFnn#<˩HŒұ< ֭<*R2Agzi[op<#o]T RQ~v^LtR>i^RIYŠ( (((״y,Q2s#jPAH0^,6\c8 }C\^}INrxl.x͑cy^;^X[yNX]63@zhV/c ."beO.Ɨ͑l9\@ʰIo.PW :۵{{aw6)-c>%c w;9 J? |0*Ϭ͗JIk?O->n #V=Bݣ61(]=: }v on݊uv  +Žˏ ,I_p'i~+cIKI*_oȿV9f-VSZ=џ]u #8ڷ?",ԪV{O%f|cǏj#!QQaT (d*deiO$`Ñ쾂hd`{QLAEPEPEPEPEPEPEPEPEPEP{[n蠆y{:1.dź_\޽VTTеQϜ4an~Brk/9D'nzm-$8>d O]&=pT)TLLd1WbsQ|4I77Grw ,r[S=j+FpA}LcGzc,> *|^ S8>$iW'8pr:` <8-ԛq6LJ]@9?-xt]$rY#,?J7;K 9|U:nsOr2ALڴk,c񟺧]Ι+N4mu/}߂;WC[C޳3[|&~hKkc 叩=hQEu$1mvQE1Q@Q@Q@Q@Q@-`˸$NaW;{,^8Czq_]Ue)I:.dD·/86E%)|0pG++PK^rOgemu,f >(WQIQk:q)0 !78j>C݅r3T.\o.eZ?Oҵc"@(P0IEZĶEU(((((((((((((()KESLNn,?ĭTkEݻ696 ~UEC+KL!5,ZN0!Q*#9bPOB(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((٠F(:QϬYO7ӻJFIFHHC    ! ''**''555556666666666C &&,$ $,(+&&&+(//,,//666666666666666J !1A"Qaq#23B$Rbr5sCSUct%4d³,1!2AQ#a"3qBRb ?-Y^.̍mt!IŹX8R^pǛ?,8= 5AXbA!s~AaA۪چٮ$>7qߖ M֥'s|rgkD5r9:Gk8⃥M&\gf23χO@@@@@@@@@@@@@Aya)Gwo.Y59:7/iwwqGju4f~2YIcS(-;3AFG#bqWrf'UҔ˟(3WG08l6MÚdyG 2S;XݘAR%QVLu:1ٮX}_ǿp@ŰzX$8I5h2W_X65( 8HMZA e[A9RĴXbeBJցs+K=SDW0v#JecaI2jd G]V xv{-Zkyko Nn<5_>6z/JG͝f=vh 48ҌA 9Pk>ks9,q_ 0S+iABT%ʭKs> WkdذylnVLudq'y92ͧk *@%m蜔X?--, WGL}f,MaV`g>Qڑ/XCEYY-]sOL&[[ݪWOիy>bmM#(<Nїb￘@Ah'sX[M̎"G;QsTzk[6.[VԱmc9lz5fiC;0\4*vf"-h譟##?t@@@@@@@@@@@@A} T9K9ϴ5A a$[0,tr5M&ӲR)itm\b\+,;ͳլDs1ǻ-2XyS_,k։zAsy uh̩MCi n)J@=0>~u&rF RDVݑ_|3AZfIbwᅥ< J I>nY }u'o(:sSQ2"g[470&y~?j&fsTU?-J{CZ+^ZnS fWM ,7U<2}1Pq}&8V4ncnh(r>]3Z..̃쏺PZEىv)ii8w>m ±+'z C=" - [QH!I`8͌sOz1^hŮ5Qt_vWf{o?&3qy;w= aT4}0k;k rɇ\/N/5 CWli a84H#4_e8CwY݇k;wkù˷1 F!acoW@ABMP_@@@@AMҟR!B d[/a>홝 W~fcӬ\yA55|sp+/G PP(,#ނ#xi`]سM?{%:;ߨo(()C $>-qveWW >7_Ĺ=ckЙfre%"ɯKk䝯 |vӼF.[x<¬eWԵ'-b0ĢG c[9:ZFls>gMvdz[Zĩ^ <*D Un^X}mwY7o#دpɲ9FzssaK@@@Ajňevoxoofke%.oSx5y:xMTXL,\~[jVxVc(O@ -20o. ^wܨ m-8i0'uj2l-4GhIe #fd6A̲TSW \{ػ$ h`gsg6;cgYW.^!\pJ׮Hٸ~ںV6)W,٫6#l;{3F/'K4 ,-e,/E0l.A-x3nSݞr)Xk6LYR]4/A垶~\ݮ edz]̄5F A9m-(m cv5;R{@@@@@@@@AEYU@@@@@XY@@@@A1(@ M/ 0DArialr Ne,(0(B 0 DGeorgiaNe,(0(B 0  DTimes New Roman(0(B 0 0DMicrosoft Sans Serif0(B 0 "@DWingdingsSans Serif0(B 0 PDCourier Newns Serif0(B 0 1 A0.  @n?" dd@  @@`` x8~    3    (&#',"-."/  4!569:;B/CD-F LM:NQR6TU WZ#[\']+^0_`#b%$#de@ hikj lmn%qr?R$nh.en%^&$R$:QϬYO7ӻ0/^ 0AAp!f3f@8w^Q ʚ;lf8ʚ;g4~d~d@B 0ppp@ <4ddddlpC 0, <4BdBdlhG 080___PPT10 ?-CCS 2005 Automatic Placement of Authorization Hooks in the Linux Security Modules FrameworkO  =T&RAutomatic Placement of Authorization Hooks in the Linux Security Modules FrameworkSS+ Context of this talk&5Authorization policies and their enforcement Three concepts: Subjects (e.g., users, processes) Objects (e.g., system resources) Security-sensitive operations on objects. Authorization policy: A set of triples: (Subject, Object, Operation) Key question: How to ensure that the authorization policy is enforced?=m/G=!!- ! /!!;) Enforcing authorization policies!!&\Reference monitor consults the policy. Application queries monitor at appropriate locations.  Linux security modules framework!!&wFramework for authorization policy enforcement. Uses a reference monitor-based architecture. Integrated into Linux-2.6 Linux security modules framework!!&oReference monitor calls (hooks) placed appropriately in the Linux kernel. Each hook is an authorization query. $pR  Linux security modules framework!!&hAuthorization query of the form: (subj., obj., oper.)? Kernel performs operation only if query succeeds.,)6 Example& Example&  Example& !Example& &Example& (Hook placement is crucial&Must achieve complete mediation. Security-sensitive operations must be mediated by a hook that authorizes the operation. Current practice: Hooks placed manually in the kernel. Takes a long time: approx. 2 years for Linux security modules framework. Can this achieve complete mediation? Prior work has found bugs in hook placement. [Zhang et al., USENIX Security 2002, Jaeger et al., ACM CCS 2002]!ZYZZoZ%ZoZ!Yo%-           +Main message of this talk&c Static analysis can largely automate authorization hook placement and achieve complete mediation dd !N5Main message of this talk& Static analysis can largely automate authorization hook placement and achieve complete mediation Reduces turnaround time of Linux Security Modules-like projectsv  ! != ! @O6Main message of this talk& Static analysis can largely automate authorization hook placement and achieve complete mediation Towards correctness by constructiond O ! ! $/Key intuition: Matchmaking&}Each kernel function performs an operation. Each hook authorizes an operation. Match kernel functions with appropriate hooks.3%Tool for Authorization Hook Placementb&$$$ $$$$$Input: A set of security-sensitive operations. Source code of reference monitor hooks. Source code of the Linux kernel, without hooks placed. Output: Linux kernel with hooks placed.L   2%Tool for Authorization Hook Placementb&$$$ $$$$$4%Tool for Authorization Hook Placementb&$$$ $$$$$6 Security-sensitive operations&We use the set of operations from the LSM implementation of SELinux. Comprehensive set of operations on resources: FILE_READ DIR_READ FILE_WRITE DIR_WRITE SOCKET_RECV_MESG SOCKET_LISTEN & (504 such operations)8s_sG<5Authorization hook analysis& 7#Authorization hook analysis& 9$Linux kernel analysis& ;%Example& ='Example& <&Example& ?*Key observation& R8Linux kernel analysis& P7Linux kernel analysis& @)Linux kernel analysis& A+Linux kernel analysis& B,Linux kernel analysis& C-Result with ext2_rmdir & D.Idioms& E/Combining results& G0Combining results& I2 Placing hooks& J3Results&Wrote idioms for inode and socket operations Tested with SELinux reference monitor and Linux kernel version 2.4.21 False positives and negatives mainly because of imprecision in idioms.D,#S9 Future work &THook placement for general-purpose servers Example: X server. Must enforce authorization policies on X clients. Example: Prevent a  cut-and-paste from a high-security xterm to a low-security xterm. Hundreds of such servers: database servers, web servers,& Manual hook placement? Simply infeasible!~+Q+}Q,fL4Summary of important ideas&Can largely automate authorization hook placement using static analysis. Key idea: Matchmaking based on security-sensitive operations. TAHOE: A tool for LSM-hook placement. `T[   Thank You / /4" # '*1Kj  ` 3333ff3` 3333f33ff3` "3333̙ff3` Kf3̙` &e̙3g3f` f333̙po7` ___f3̙;/f9` ff3Lm` ff3LmNLm>?" dd@*?nAd@q<nAqFLK#M n?" dd@   @@``PT      M`2!p>> `;(    H䞜? ?"0`  X Click to edit Master title style!!     H? ?"`  k-Click to edit Master text styles Second level ! .    68 #" ``  `*     6̫ #" `@   h*       6\ #" `  f*     H  0޽h ? ___f3̙;/f9___PPT10i.  +D=' = @B + Edge/  p/(    Hܬ? ?" `p  X Click to edit Master title style!!    H$߬? ?" `  [#Click to edit Master subtitle style$$  H  0޽h ? ___f3̙;/f980___PPT10.   0 4(  4 4 N kk z%   n*  K%%KKpp 4 Nkk  ?%  p*  K%%KKppd 4 c $ ?XK  4 4 NTkk  )  RClick to edit Master text styles Second level Third level Fourth level Fifth level!     S  4 Tйkk z   n*  K%%KKpp  4 Tkk  ?  p*  K%%KKppH 4 0.k ? 3380___PPT10.e`&p (     Nkk z%   v* K%%KKpp  Np"kk  ?%  x* K%%KKpp  T,-kk z   v* K%%KKpp  T7kk  ?  x* K%%KKppH  0.k ? 3380___PPT10.VJ\ s k } (  x  c $l `p  _h P @ } #" P@ " <?( G@ j University of Wisconsin, Madison!!M ! <?PG( @ gPennsylvania State UniversityM   <?( G tSomesh Jha jha@cs.wisc.edu( M  <h ?P ( G z Trent Jaeger tjaeger@cse.psu.edu(! M`B # 0o ?P ( `B % 0o ?P@( @`B & 0o ?P PG`B ( 0o ? G`B : 0o ?(  `B ; 0o ?PGP@`B = 0o ?G@`B ? 0o ?( @@h    y #"V*   C <?v   [Joint work withM% B <? v  ?Vinod Ganapathy vg@cs.wisc.edu University of Wisconsin, Madison@@!M`B D 0o ?  `B F 0o ?  `B G 0o ? v `B H 0o ? v `B b 0o ?v  `B c 0o ?v  H  0޽h ? 33___PPT10i.9 6+D=' = @B +   h(   x  c $z0`      0l~c"$ ``  H  0޽h ? ___f3̙;/f9___PPT10i.=^+D=' = @B +  |(  ~  s *0`   ~  s *h`    <v  >0 l  68c"`p   BP   SApplication to be secured0$ F      n   08c"`    <H LReference Monitor0N  `     `    0"` `  @0 N  q    : 4T  a z  #  q :   < a  p(subj.,obj.,oper.) 0 f  <| a z  p(subj.,obj.,oper.) 0 f T  a  #  q   <P a Z  p(subj.,obj.,oper.) 0 f  <8ï a   p(subj.,obj.,oper.) 0 f  <ǯ @ a  p(subj.,obj.,oper.) 0 f  <ܯ00 $  >Policy0dB  <Do@@pB  HDo  <`l OCan I perform operation OP?0^B  6D @^B  6D   < `  :Yes/No0H  0޽h ? ___f3̙;/f9___PPT10i.=`D+D=' = @B +    p` (  p~ p s *0`   ~ p s *`   p <( v  >0 >F p  p p  p" jAlinux-penguin |  n p 08c"`p  p <` D Linux Kernel 0 $ F    p  n  p 08c"`   p < LReference Monitor0N  `   p  `   p 0"` `  @0 N  q  p  : 4T  a z  p#  q :  p < a  p(subj.,obj.,oper.) 0 f p < a z  p(subj.,obj.,oper.) 0 f T  a  p#  q  p <L! a Z  p(subj.,obj.,oper.) 0 f p <& a   p(subj.,obj.,oper.) 0 f p <* @ a  p(subj.,obj.,oper.) 0 f p <.00 $  >Policy0H p 0޽h ? ___f3̙;/f9___PPT10i.=`D+D=' = @B +  2$P?(  $x $ c $90`   x $ c $<`    $ <?v  >0 *8 p   $p  $" dAlinux-penguin |  n  $ 08c"`p   $ <B D Linux Kernel 0 * 8   "$ t $ 68c"`  $ B@ LReference Monitor0@  `   $ `  $ 6hH"` `  @0 @  q  $ : @T  a z  $#  q :  $ BO a  p(subj.,obj.,oper.) 0 f $ BpS a z  p(subj.,obj.,oper.) 0 f2T  a  $#  q  $ BW a Z  p(subj.,obj.,oper.) 0 f $ BJ a   p(subj.,obj.,oper.) 0 f $ B` @ a  p(subj.,obj.,oper.) 0 f !$ <e00 $  >Policy0dB #$ <Do@@dB $$ <Do` ` dB %$ <Do  dB &$ <Do   -$ 0 j"`P  p ;Hooks0^B /$ 6D ^B 0$ 6D@P ^B 1$ 6D` ^B 2$ 6D H $ 0޽h ? ___f3̙;/f9___PPT10i.=`D+D=' = @B +D  [Sh(  h~ h s * s0`   ~ h s *lu`   h <Dzv  >0 >F p  h p  h" jAlinux-penguin |  n h 08c"`p  h <,~ D Linux Kernel 0 $ F    h  n  h 08c"`   h < LReference Monitor0N  `   h  `   h 0"` `  @0 N  q  h  : 4T  a z  h#  q :  h < a  p(subj.,obj.,oper.) 0 f h < a z  p(subj.,obj.,oper.) 0 f T  a  h#  q  h < a Z  p(subj.,obj.,oper.) 0 f h < a   p(subj.,obj.,oper.) 0 f h <  @ a  p(subj.,obj.,oper.) 0 f h <`00 $  >Policy0dB h <Do@@pB h HDo h <<7*  }(subj., obj., oper.)?0, h <0 |  :Yes/No0H h 0޽h ? ___f3̙;/f9___PPT10i.=`D+D=' = @B +  '(  ~  s *`    < v  >0 >F p   p  " jAlinux-penguin |  n  08c"`p   << D Linux Kernel 0 $ F      n   08c"`    < LReference Monitor0N  `     `    0"` `  @0 N  q    : 4T  a z  #  q :   < a  p(subj.,obj.,oper.) 0 f  < a z  p(subj.,obj.,oper.) 0 f T  a  #  q   <p a Z  p(subj.,obj.,oper.) 0 f  <l a   p(subj.,obj.,oper.) 0 f  <t @ a  p(subj.,obj.,oper.) 0 f  <00 $  >Policy0dB  <Do@@pB  HDo  <7*  }(subj., obj., oper.)?0,  <0 |  :Yes/No0 ! T ?"0`   l p p,$D 0$  0Ԕ"`J Virtual File System Code for Directory Removal int vfs_rmdir(inode *dir, dentry *dentry) { & err = security_inode_rmdir(dir,dentry); if (!err) { dir->i_op->rmdir(dir,dentry); } }p/00/<"/  lB B <DԔ`p` " s *"`  H  0޽h ? ___f3̙;/f9___PPT10n.=`D+kBFDB' = @B D' = @BA?%,( < +O%,( < +D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*%(+  ` "S(  ~  s * `    <v  >0 >F p   p  " jAlinux-penguin |  n  08c"`p   << D Linux Kernel 0 $ F     n   08c"`    <4! LReference Monitor0N  `     `    0L "` `  @0 N  q     : 4T  a z  #  q :   <h) a  p(subj.,obj.,oper.) 0 f  <- a z  p(subj.,obj.,oper.) 0 f T  a  #  q   <0 a Z  p(subj.,obj.,oper.) 0 f  <T5 a   p(subj.,obj.,oper.) 0 f  <9 @ a  p(subj.,obj.,oper.) 0 f  < 00 $  >Policy0dB  <Do@@pB  HDo  <B7*  }(subj., obj., oper.)?0,  <G0 |  :Yes/No0  TI ?"0`   F p  p$  04KԔ"`J Virtual File System Code for Directory Removal int vfs_rmdir(inode *dir, dentry *dentry) { & err = security_inode_rmdir(dir,dentry); if (!err) { dir->i_op->rmdir(dir,dentry); } }p/00/<"/  lB B <DԔ`p`  s *"`  l ! 63f33"`P ^B " 6D` PH  0޽h ? ___f3̙;/f9___PPT10i.=`D+D=' = @B +   )!!!(  ~  s *`    <v  >0 >F p   p  " jAlinux-penguin |  n  08c"`p   <$ D Linux Kernel 0 $ F     n   08c"`    <0 LReference Monitor0N  `     `    0"` `  @0 N  q     : 4T  a z  #  q :   <X a  p(subj.,obj.,oper.) 0 f  <\ a z  p(subj.,obj.,oper.) 0 f T  a  #  q   < a Z  p(subj.,obj.,oper.) 0 f  < a   p(subj.,obj.,oper.) 0 f  <D @ a  p(subj.,obj.,oper.) 0 f  <00 $  >Policy0dB  <Do@@pB  HDo  <7*  }(subj., obj., oper.)?0,  <0 |  :Yes/No0  T ?"0`   F p  p$  0Ԕ"`J Virtual File System Code for Directory Removal int vfs_rmdir(inode *dir, dentry *dentry) { & err = security_inode_rmdir(dir,dentry); if (!err) { dir->i_op->rmdir(dir,dentry); } }p/00/<"/  lB B <DԔ`p`  s *"`  l  63f33"`P ^B  6D` P^B ! 6D` PH  0޽h ? ___f3̙;/f9___PPT10i.=`D+D=' = @B +F   ]U!(  ~  s *$`    <'v  >0 >F p   p  " jAlinux-penguin |  n  08c"`p   <$+ D Linux Kernel 0 $ F     n   08c"`    </ LReference Monitor0N  `     `    0P."` `  @0 N  q     : 4T  a z  #  q :   <|7 a  p(subj.,obj.,oper.) 0 f  << a z  p(subj.,obj.,oper.) 0 f T  a  #  q   <D? a Z  p(subj.,obj.,oper.) 0 f  <PD a   p(subj.,obj.,oper.) 0 f  < A @ a  p(subj.,obj.,oper.) 0 f  <N00 $  >Policy0dB  <Do@@pB  HDo  <PR7*  }(subj., obj., oper.)?0,  <V0 |  :Yes/No0  T|X ?"0`   F p  p$  0ZԔ"`J Virtual File System Code for Directory Removal int vfs_rmdir(inode *dir, dentry *dentry) { & err = security_inode_rmdir(dir,dentry); if (!err) { dir->i_op->rmdir(dir,dentry); } }p/00/<"/  lB B <DԔ`p`  s *"`  l  63f33"`Pp H  0޽h ? ___f3̙;/f9___PPT10i.=`D+D=' = @B +  @ b(  ~  s *n`    <rv  >0 >F p   p  " jAlinux-penguin |  n  08c"`p   <pu D Linux Kernel 0 $ F     n   08c"`    <y LReference Monitor0N  `     `    0~"` `  @0 N  q     : 4T  a z  #  q :   <x a  p(subj.,obj.,oper.) 0 f  <؆ a z  p(subj.,obj.,oper.) 0 f T  a  #  q   <t a Z  p(subj.,obj.,oper.) 0 f  < a   p(subj.,obj.,oper.) 0 f  <@ @ a  p(subj.,obj.,oper.) 0 f  <00 $  >Policy0dB  <Do@@pB  HDo  <H7*  }(subj., obj., oper.)?0,  <@0 |  :Yes/No0  T ?"0`   F p  p$  0$Ԕ"`J Virtual File System Code for Directory Removal int vfs_rmdir(inode *dir, dentry *dentry) { & err = security_inode_rmdir(dir,dentry); if (!err) { dir->i_op->rmdir(dir,dentry); } }p/00/<"/  lB B <DԔ`p`  s *"`    <P  u+Key: Hooks must achieve complete mediation..,0H  0޽h ? ___f3̙;/f9___PPT10i.=`D+D=' = @B +}  `$(  r  S |0`   r  S P`  H  0޽h ? ___f3̙;/f9___PPT10i.Tr+D=' = @B +}  $(  r  S 0`   r  S `  H  0޽h ? ___f3̙;/f9___PPT10i.W+D=' = @B +   (  x  c $0`   x  c $`  l  68c"`p H  0޽h ? ___f3̙;/f9___PPT10i.W+D=' = @B +   (  x  c $l0`   x  c $@`  l  68c"`p  H  0޽h ? ___f3̙;/f9___PPT10i.W+D=' = @B +   +.m(  ~  s *X0`   ~  s *,`    <xv  >0 >F p   p  " jAlinux-penguin |  n  08c"`p   < D Linux Kernel 0 $ F      n   08c"`    <$ LReference Monitor0N  `     `    0 "` `  @0 N  q    : 4T  a z  #  q :   <T a  p(subj.,obj.,oper.) 0 f  < a z  p(subj.,obj.,oper.) 0 f T  a  #  q   < a Z  p(subj.,obj.,oper.) 0 f  < a   p(subj.,obj.,oper.) 0 f  < @ a  p(subj.,obj.,oper.) 0 f  <D#00 $  >Policy0`  s *"`@ P l  pW  ) pW ,$D 0fB  6Dp p  " <p W  ? op1,op2,op3 0 @  p7  ( p7 fB  6D   ! <, T  7op30k@  p7  ' p7 rB  BD` P pP @  p0  & p0 rB  BD` 0 p0 m@  l  % l fB  6D   <0 l  ;op1,op20 # <4  ;op1,op20 $ <H7 P 7  7op30l ` p  .` p ,$D 0`B * 0DjJ` 0 `B + 0DjJ ` P `B , 0DjJ0 ` p `B - 0DjJP ` p H  0޽h ? ___f3̙;/f9___PPT10.=`D+nDZ D~' = @B D9' = @BA?%,( < +O%,( < +D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*)%(D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*.%(+    ` (   r   S D`      E0e0e ?3"0e0`   H   0޽h ? ___f3̙;/f9___PPT10i.+D=' = @B +d   { s @,(     L0e0e ?3"0e0`     dAlinux-penguin   #  |A ?linux-penguin"@ 1  ' pA(double-fishing-hook0` r  <|"` p jB   BD8c0jB   BD8c 0    <(Qw ? Hook code 0  % <S t  OLinux kernel, no hooks.0 & <XP4  NLinux kernel + hooks.0 )  A( ?double-fishing-hook"@`  + <(˜  ?TAHOE0!dB , <D8c@ @H  0޽h ? ___f3̙;/f9___PPT10i.p+D=' = @B +B  YQ8(  8 8  c0e0e ?3"0e0`    8 jAlinux-penguin   8  |A ?linux-penguin"@ 1  8 vA(double-fishing-hook0` l 8 6|"` p dB 8 <D8c0dB 8 <D8c 0 dB  8 <D8c@@  8 < hw ? Hook code 0   8 <ll t  OLinux kernel, no hooks.0  8 <iP4  NLinux kernel + hooks.0  8  A( ?double-fishing-hook"@`  8 <|u  ?TAHOE0! 8 ByjJ"` HHook analysis0 8 6}jJ"`q K  JKernel analysis0 8 BjJ"`P   <Join0 8 B0tjJ"`P *  E Hook Placer 0 dB 8 <D8cP dB 8 <D8cP  8 < * OOperations authorized0 8 < & J  NOperations performed0dB 8 <DjJ@ @H 8 0޽h ? ___f3̙;/f9___PPT10i.p+D=' = @B +}  @$(  @r @ S 0`   r @ S ȕ`  H @ 0޽h ? ___f3̙;/f9___PPT10i.pGG(+D=' = @B +  9<W(  <r < S ؜0`   2 < S <`  zAnalyze source code of hooks and: Recover the operations authorized. Conditions under which they are authorized. Example:6"O "O  < 6pPl int selinux_inode_permission(struct *inode, int mask) { op = 0; // s = info about process requesting operation if (mask & MAY_EXEC) op |= DIR_SEARCH; if (mask & MAY_WRITE) op |= DIR_WRITE; if (mask & MAY_READ) op |= DIR_READ; Query_Policy(s, inode, op); }0f f f(f*f(f  fl I F  00 (< 0N   )<  00 *< <   s ATAHOE 0!n +< 0"`: p  ,< RA ?linux-penguin" `   -< RA ?linux-penguin"p @  fB .< 6Dp` pfB /< 6D0 ` 0 fB 0< 6D@   1< ^A( ?double-fishing-hook" @   2< 0D"``  p  D0   3< <"`    B0 fB 4< 6D p fB 5< 6D 0 fB 6< 6D   7< s *p3"``   D0   8< ^A( ?double-fishing-hook" `  9< <t"` j ` B0 H < 0޽h ? ___f3̙;/f9___PPT10i.Y+D=' = @B +  /'L(  Lx L c $(0`    L c $`  (` Flow-and-context-sensitive static analysis: DIR_READ authorized if `mask & MAY_READ DIR_WRITE authorized if `mask & MAY_WRITE DIR_SEARCH authorized if `mask & MAY_EXEC 22   L 6,@P<  int selinux_inode_permission(struct *inode, int mask) { op = 0; // s = info about process requesting operation if (mask & MAY_EXEC) op |= DIR_SEARCH; if (mask & MAY_WRITE) op |= DIR_WRITE; if (mask & MAY_READ) op |= DIR_READ; Query_Policy(s, inode, op); }0f f f(f*f(f  fl I F  00 L 0N   L  00 L <,  s ATAHOE 0!n  L 0"`: p   L RA ?linux-penguin" `    L RA ?linux-penguin"p @  fB  L 6Dp` pfB  L 6D0 ` 0 fB L 6D@   L ^A( ?double-fishing-hook" @   L 0D"``  p  D0   L <"`    B0 fB L 6D p fB L 6D 0 fB L 6D   L s *(3"``   D0   L ^A( ?double-fishing-hook" `  L < "` j ` B0 H L 0޽h ? ___f3̙;/f9___PPT10i.Y+D=' = @B +   P:(  Pr P S |0`    P S `  Analyze Linux kernel to determine the security-sensitive operations performed by each function. More challenging than hook analysis. Example:P P 6 Pg Virtual File System Code for Directory Removal int vfs_rmdir (struct inode *dir, struct dentry *dentry) { ... dir->i_op->rmdir(dir, dentry); ... }t00g00 ?0    P <'GWH "` ` [#Points to physical file system code$0$C F  00 P 0}N   P  00 P <,  s ATAHOE 0!n  P 0"`: p   P RA ?linux-penguin" `    P RA ?linux-penguin"p @  fB  P 6Dp` pfB  P 6D0 ` 0 fB P 6D@   P ^A( ?double-fishing-hook" @   P s *3!"``  p  D0   P <7"`    B0 fB P 6D p fB P 6D 0 fB P 6D   P s *:3"``   D0   P ^A( ?double-fishing-hook" `  P <|="` j ` B0 H P 0޽h ?P ___f3̙;/f9___PPT10i.f[+D=' = @B +  @X>(  Xr X S F0`   9 X S PH`  YHow to infer the security-sensitive operations performed by dir->i_op->rmdir(dir,dentry)?*Z<,AC F  00 X 0}N   X  00 X <O  s ATAHOE 0!n X 0"`: p  X RA ?linux-penguin" `    X RA ?linux-penguin"p @  fB  X 6Dp` pfB  X 6D0 ` 0 fB  X 6D@    X ^A( ?double-fishing-hook" @   X s *V!"``  p  D0   X <LZ"`    B0 fB X 6D p fB X 6D 0 fB X 6D   X s *\3"``   D0   X ^A( ?double-fishing-hook" `  X <`"` j ` B0   X 6ddP fint vfs_rmdir (struct inode *dir, struct dentry *dentry) { ... dir->i_op->rmdir(dir, dentry); ... }f;0,0 ?    X 6dp"` F >  z$ ls foo/ bar/0,H X 0޽h ? ___f3̙;/f9___PPT10i.𣟪+D=' = @B +~  pd (  dx d c ${0`   ? d c $`  YHow to infer the security-sensitive operations performed by dir->i_op->rmdir(dir,dentry)?*Z<,A F  00 d 0N   d  00 d <  s ATAHOE 0!n d 0"`: p  d"  |A ?linux-penguin" `    d"  |A ?linux-penguin"p @  fB  d 6Dp` pfB  d 6D0 ` 0 fB  d 6D@    d"  A( ?double-fishing-hook" @   d s *!"``  p  D0   d <"`    B0 fB d 6D p fB d 6D 0 fB d 6D   d s *3"``   D0   d ^A( ?double-fishing-hook" `  d <"` j ` B0   d 6P fint vfs_rmdir (struct inode *dir, struct dentry *dentry) { ... dir->i_op->rmdir(dir, dentry); ... }f;0,0 ?    d 6"` H >  $ cd foo/ $ rmdir bar/0>6F  p  d  p lB d <DjJ @ lB d <DjJ p H d 0޽h ? ___f3̙;/f9___PPT10n.𣟪+DB' = @B D' = @BA?%,( < +O%,( < +D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*d%(+%  7/P\(  \x \ c $0`   @ \ c $0`  How to infer the security-sensitive operations performed by dir->i_op->rmdir(dir,dentry)? Removing bar from foo involves: Lookup of entry for bar in foo. Removing (and hence writing to) foo s data structures. rmdir involves DIR_SEARCH, DIR_RMDIR and DIR_WRITE..}W4;  "f    tA&"/ F  00 \ 0N   \  00 \ <  s ATAHOE 0!n \ 0"`: p  \"  |A ?linux-penguin" `    \"  |A ?linux-penguin"p @  fB  \ 6Dp` pfB  \ 6D0 ` 0 fB  \ 6D@    \"  A( ?double-fishing-hook" @   \ s *L!"``  p  D0   \ <"`    B0 fB \ 6D p fB \ 6D 0 fB \ 6D   \ s *L3"``   D0   \ ^A( ?double-fishing-hook" `  \ <"` j ` B0   \ 6P fint vfs_rmdir (struct inode *dir, struct dentry *dentry) { ... dir->i_op->rmdir(dir, dentry); ... }f;0,0 ?   l ` \`,$D 0n \ 0jJ"` ` \ BXGHjJ "`  Z How to extract this information?!0!H \ 0޽h ?\ ___f3̙;/f9___PPT10n.𣟪+Y DB' = @B D' = @BA?%,( < +O%,( < +D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*\%(+  tW(  t~ t s *(0`   N t s *`  lEach security sensitive operation typically involves certain idiomatic events. Examples: DIR_WRITE :- Set inode->i_ctime & Call address_space_ops->prepare_write() DIR_SEARCH :- Read inode->i_mapping DIR_RMDIR :- Set inode->i_size TO 0 & Decrement inode->i_nlink These rules are called Idioms: Boolean combination of code-patterns. Idiom language resembles Datalog.~YH= - Hj  _C F  00 t 0}N   t  00 t <  s ATAHOE 0!n t 0"`: p  t RA ?linux-penguin" `    t RA ?linux-penguin"p @  fB  t 6Dp` pfB  t 6D0 ` 0 fB  t 6D@    t ^A( ?double-fishing-hook" @   t s *8&!"``  p  D0   t <@)"`    B0 fB t 6D p fB t 6D 0 fB t 6D   t s *\,3"``   D0   t ^A( ?double-fishing-hook" `  t <0"` j ` B0 H t 0޽h ? ___f3̙;/f9___PPT10i.^B+D=' = @B +[ ZK0 ZR(  x  c $H90`     c $@`  dFlow-insensitive, inter-procedural search for code patterns. Example: Call-graph of ext2 file system0eD g F  00  0N     00  <hK  s ATAHOE 0!n  0"`: p  " ^A ?linux-penguin" `    " ^A ?linux-penguin"p @  fB   6Dp` pfB   6D0 ` 0 fB   6D@    " jA( ?double-fishing-hook" @    s *(!"``  p  D0    <Q"`    B0 fB  6D p fB  6D 0 fB  6D    s *$P3"``   D0    ^A( ?double-fishing-hook" `   <lX"` j ` B0 F  <      0,\   D ext2_rmdir 0   <`    E ext2_unlink 0   <xdA 4 <  Hext2_dec_count0`B  0D8c0 `B  0D8c B `B B 0D8c  B   6HijJ"`x  dext2_rmdir (struct inode *dir, struct dentry *dentry) { ext2_unlink(& ); & ext2_dec_count(& ); }b0bb .H  0޽h ? ___f3̙;/f9___PPT10i.VM+D=' = @B + ZK0 |t$(  x  c $u0`     c $ w`  dFlow-insensitive, inter-procedural search for code patterns. Example: Call-graph of ext2 file system0eD g F  00  0N     00  <}  s ATAHOE 0!n  0"`: p  " ^A ?linux-penguin" `    " ^A ?linux-penguin"p @  fB   6Dp` pfB   6D0 ` 0 fB   6D@    " jA( ?double-fishing-hook" @    s *l!"``  p  D0    <"`    B0 fB  6D p fB  6D 0 fB  6D    s *l3"``   D0    ^A( ?double-fishing-hook" `   <8"` j ` B0 8  <  #   6   D ext2_rmdir 0   B    E ext2_unlink 0   BA 4 <  Hext2_dec_count0fB  6D8c0 fB  6D8c B fB B 6D8c  B  $ 6jJ"`x  dext2_rmdir (struct inode *dir, struct dentry *dentry) { ext2_unlink(& ); & ext2_dec_count(& ); }b0bb .H  0޽h ? ___f3̙;/f9___PPT10.VM+Da' = @B D' = @BA?%,( < +O%,( < +DS' =%(D' =%(D ' =4@BBBB%()?)?D`' =.(7 BBBBBaM -3.88889E-6 3.8817E-7 L -3.88889E-6 -0.16636 *3>*B ppt_xB ppt_y=0BBAA<*#D' =A@BBBB0B%(D' =1:Bhidden*o3>+B#style.visibility<*$%(+8+0+$ + ZK0 ""pG(  pr p S 0`    p S `  dFlow-insensitive, inter-procedural search for code patterns. Example: Call-graph of ext2 file system0eD C F  00 p 0}N   p  00 p <  s ATAHOE 0!n p 0"`: p  p RA ?linux-penguin" `    p RA ?linux-penguin"p @  fB  p 6Dp` pfB  p 6D0 ` 0 fB  p 6D@    p ^A( ?double-fishing-hook" @   p s *!"``  p  D0   p <t"`    B0 fB p 6D p fB p 6D 0 fB p 6D   p s *3"``   D0   p ^A( ?double-fishing-hook" `  p <"` j ` B0 ,8   "p   p 0C  D ext2_rmdir 0  p < d  G ext2_get_page0 p 0 Kext2_delete_entry0 p < C  E ext2_unlink 0  p < 4  Hext2_dec_count0 p <l    Iext2_find_entry0`B p 0D8c0 `B p 0D8c  `B pB 0D8c  `B p 0D8c @`B  p 0D8c 0  `B !p 0D8c p  H p 0޽h ? ___f3̙;/f9___PPT10i.VM+D=' = @B +(  ?7&&x(  xx x c $0`    x c $``  dFlow-insensitive, inter-procedural search for code patterns. Example: Call-graph of ext2 file system0eD  F  00 x 0N   x  00 x <  s ATAHOE 0!n x 0"`: p  x"  |A ?linux-penguin" `    x"  |A ?linux-penguin"p @  fB  x 6Dp` pfB  x 6D0 ` 0 fB  x 6D@    x"  A( ?double-fishing-hook" @   x s *4!"``  p  D0   x <"`    B0 fB x 6D p fB x 6D 0 fB x 6D   x s *43"``   D0   x ^A( ?double-fishing-hook" `  x <"` j ` B0 :F   x    x 0C  D ext2_rmdir 0  x < d  G ext2_get_page0 x 0l Kext2_delete_entry0 x <4  C  E ext2_unlink 0  x < 4  Hext2_dec_count0 x <T    Iext2_find_entry0`B x 0D8c0 `B x 0D8c  `B xB 0D8c  `B  x 0D8c @`B !x 0D8c 0  `B "x 0D8c p   #x 6"`0  %page->mapping->a_ops->prepare_write()&0&,  $x 6X"`  mapping = inode->i_mapping0,   %x 6!"`` P* M  tinode->i_nlink--0$ &x 6`&"`@P-  uinode->i_size = 00$H x 0޽h ? ___f3̙;/f9___PPT10i.VM+D=' = @B +]  og**|(  |x | c $00`    | c $1`  dFlow-insensitive, inter-procedural search for code patterns. Example: Call-graph of ext2 file system0eD  F  00 | 0N   |  00 | <8  s ATAHOE 0!n | 0"`: p  |"  |A ?linux-penguin" `    |"  |A ?linux-penguin"p @  fB  | 6Dp` pfB  | 6D0 ` 0 fB  | 6D@    |"  A( ?double-fishing-hook" @   | s *t?!"``  p  D0   | <A"`    B0 fB | 6D p fB | 6D 0 fB | 6D   | s *E3"``   D0   | ^A( ?double-fishing-hook" `  | <J"` j ` B0 :F   |    | 0MC  D ext2_rmdir 0  | <DQ d  G ext2_get_page0 | 0LU Kext2_delete_entry0 | <HX C  E ext2_unlink 0  | <P\ 4  Hext2_dec_count0 | <_    Iext2_find_entry0`B | 0D8c0 `B | 0D8c  `B |B 0D8c  `B  | 0D8c @`B !| 0D8c 0  `B "| 0D8c p   #| 6d"`0  %page->mapping->a_ops->prepare_write()&0&,  $| 6Hi"`  mapping = inode->i_mapping0,   %| 6m"`` P* M  tinode->i_nlink--0$ &| 6r"`@P-  uinode->i_size = 00$ '| s *v"`@@L \>DIR_RMDIR :- Set inode->i_size to 0 & Decrement inode->i_nlink?0   P\l 0`  *|0` ,$D 0lB (| <D8c ` lB )|B <D8c0@@H | 0޽h ? ___f3̙;/f9___PPT10n.VM+ !7DB' = @B D' = @BA?%,( < +O%,( < +D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<**|%(+  */z(  x  c $̉0`     c $0`  }EFlow-insensitive, inter-procedural search for code patterns. Results:F6 F  00  0N     00  <  s ATAHOE 0!n  0"`: p  "  |A ?linux-penguin" `    "  |A ?linux-penguin"p @  fB   6Dp` pfB   6D0 ` 0 fB   6D@    "  A( ?double-fishing-hook" @    s *!"``  p  D0    <"`    B0 fB  6D p fB  6D 0 fB  6D    s *D3"``   D0    ^A( ?double-fishing-hook" `   <Ƞ"` j ` B0 :F        0C  D ext2_rmdir 0   <l d  G ext2_get_page0  04 Kext2_delete_entry0  < C  E ext2_unlink 0   < 4  Hext2_dec_count0  <    Iext2_find_entry0`B  0D8c0 `B  0D8c  `B B 0D8c  `B   0D8c @`B ! 0D8c 0  `B " 0D8c p   ' 6T"`=* A DIR_WRITE 0  ( 6P"`- 0  A DIR_WRITE 0  ) 6X"`  B DIR_SEARCH 0  * 6"`p '  NDIR_WRITE, DIR_SEARCH0 + 6"`   Z"DIR_RMDIR, DIR_WRITE, DIR_SEARCH#0#l P  / P ,$D 0fB , 6D   . 6"`P  Pointed to by dir->i_op->rmdir0,H  0޽h ? ___f3̙;/f9___PPT10n.VM+1ydDB' = @B D' = @BA?%,( < +O%,( < +D4' =%(D' =%(D' =4@BBBB%(D' =1:Bvisible*o3>+B#style.visibility<*/%(+    8 (  r  S 0`   ;  S <`  YCurrently specified manually by us: We wrote 150 idioms in a week. We expect that a kernel developer can write these faster and more precisely. Difference from manual hook placement: Only knowledge of kernel required. One-time activity for the kernel: can reuse results for different reference monitors. Current work: Automating idiom writing.`$m'y)$m'y)C F  00  0}N     00  <$  s ATAHOE 0!n  0"`: p   RA ?linux-penguin" `     RA ?linux-penguin"p @  fB   6Dp` pfB   6D0 ` 0 fB   6D@     ^A( ?double-fishing-hook" @    s *X!"``  p  D0    <"`    B0 fB  6D p fB  6D 0 fB  6D    s *X3"``   D0    ^A( ?double-fishing-hook" `   <$"` j ` B0 H  0޽h ? ___f3̙;/f9___PPT10i.pҟ+D=' = @B +  "~(  r  S 40`     S $`  4 From authorization hook analysisc F  00  0N     00  <"`  s ATAHOE 0!n  0"`: p   RA ?linux-penguin#" ` `     RA ?linux-penguin#" `p @  fB   6Dp` pfB   6D0 ` 0 fB   6D@     ^A( ?double-fishing-hook#" ` @    s *"``  p  D0    6@!"`    B0 fB  6D p fB  6D 0 fB  6D    s *43"``   D0    ^A( ?double-fishing-hook#" ` `   <P"` j ` B0   6@ ' nselinux_inode_permission 0f  B> %  iselinux_inode_rmdir 0f  B %P Bd  d*DIR_WRITE DIR_SEARCH DIR_READ DIR_RMDIR+0+jB  BDjJp P jB  BDjJ P PjB  BDjJ P jB  BDjJPP jB  BDjJ P   B*"`v h.Also know conditions on the formal parameters!/0/H  0޽h ? ___f3̙;/f9___PPT10i.P^ \+D=' = @B +k  80 #$(  x  c $40`     c $6`  (From kernel analysis F  00  09 N     00  <T9"`  s ATAHOE 0!n  0"`: p  " # A ?linux-penguin#" ` `    " # A ?linux-penguin#" `p @  fB   6Dp` pfB   6D0 ` 0 fB   6D@    " # A( ?double-fishing-hook#" ` @    s *@"``  p  D0    6C!"`    B0 fB  6D p fB  6D 0 fB  6D    s *G3"``   D0    ^A( ?double-fishing-hook#" ` `   <K"` j ` B0   0N@ ' nselinux_inode_permission 0f  <Q> %  iselinux_inode_rmdir 0f  <XVP Bd  d*DIR_WRITE DIR_SEARCH DIR_READ DIR_RMDIR+0+dB  <DjJp P dB  <DjJ P PdB  <DjJ P dB  <DjJPP dB  <DjJ P   <]"`v h.Also know conditions on the formal parameters!/0/  <_p@ F ext2_rmdir 0 fdB ! <DjJp@dB " <DjJP0p@dB #@ <DjJ@p  $ BdjJ"`} u,$D 0 $PProtect ext2_rmdir with selinux_inode_rmdir selinux_inode_permission(MAY_WRITE)081 f,f ,"H  0޽h ? ___f3̙;/f9___PPT10.P^ \+j܏DO' = @B D ' = @BA?%,( < +O%,( < +DA' =%(D' =%(D' =A@BBBB0B%(D' =1:Bvisible*o3>+B#style.visibility<*$%(+8+0+$ +z    @! (  r  S $v0`      S w`  Nave (but correct) approach: Place hooks at each function call in the kernel using join analysis results. May lead to redundant checks. TAHOE works differently: Identifies a small set of controlled functions. Suffices to place hooks to protect these. See paper for details.tk[k-] F  00  0N     00  <"`  s ATAHOE 0!n  0"`: p   RA ?linux-penguin#" ` `     RA ?linux-penguin#" `p @  fB   6Dp` pfB   6D0 ` 0 fB   6D@     ^A( ?double-fishing-hook#" ` @    s *$"``  p  D0    6!"`    B0 fB  6D p fB  6D 0 fB  6D    s *$3"``   D0    ^A( ?double-fishing-hook#" ` `   64!"` j ` B0 H  0޽h ? ___f3̙;/f9___PPT10i. U+D=' = @B +3  JBP?(  r  S P0`   x  c $$`   `  ? #"0l   * <x?   K0M ) <?   K4M ( <Ԭ?&  L12M ' <@?S &  L12M & <? S  RsocketM % <?  K4M $ <d?   L13M # <?&   L40M " <d?S&  L26M ! <(?S  kinodeM   <?` X False neg.  fM  <x? ` X False pos.  fM  <L?& `  y Num. Locs  fM  <?S`&  RNum.fM  <!?`S W Hook type  fM`B + 0o ?``ZB , s *1 ?ZB - s *1 ?  `B . 0o ?  `B / 0o ?` ZB 0 s *1 ?S`S ZB 1 s *1 ?& `& ZB 2 s *1 ? ` ZB 3 s *1 ?` `B 4 0o ?` H  0޽h ? ___f3̙;/f9___PPT10i.u+D=' = @B +$   $(  r  S 0`   r  S `  H  0޽h ? ___f3̙;/f980___PPT10.iO}  $(  r  S `B0`   r  S 4C`  H  0޽h ? ___f3̙;/f9___PPT10i.p~+D=' = @B +    8V (  8~ 8 s *@SP0   8 <$WP 7  |4Web-site http://www.cs.wisc.edu/~vg/papers/ccs2005a/,50 , l @@  8 #"Pr@@  68 <\? @  [jha@cs.wisc.eduM 58 <j?   P Somesh Jha  M 48 <t? @ tjaeger@cse.psu.edud 0M 38 <d?  R Trent Jaeger  M 28 <T? @@ vg@cs.wisc.edud 0M 18 <\?@  UVinod GanapathyM`B 78 01 ?@ @`B :8 01 ?  `B ;8 01 ?@`B =8 01 ?@@@`B z8 01 ? @@@`B {8 01 ?`B }8 01 ?@@`B 8 01 ? `B 8 01 ?@@ `B 8 01 ?  @  \8 <7 ]Contact Information.0H 8 0޽h ? 33___PPT10i.9 6+D=' = @B + 0 0T((  T^ T S 4XK    T c $4 )    H T 0.k ? 3380___PPT10.`$  0 l4(  ld l c $4XK    l s *4 )    H l 0.k ? 3380___PPT10.`"  0 t2(  td t c $4XK    t s *4 )   First discuss its architecture, as shown by the diagram here, and then talk about its popularity (how it s been deployed, and so on)H t 0.k ? 3380___PPT10.`$  0 4(  d  c $4XK     s *4 )    H  0.k ? 3380___PPT10.`$ 0 p4(  d  c $4XK     s *4 )    H  0.k ? 3380___PPT10.`$ 0 4(  d  c $4XK     s *4 )    H  0.k ? 3380___PPT10.`$ 0 4(  d  c $4XK     s *4 )    H  0.k ? 3380___PPT10.`$ 0 P4(  d  c $4XK     s *4 )    H  0.k ? 3380___PPT10.`" 0 2(  d  c $4XK     s *,4 )   First discuss its architecture, as shown by the diagram here, and then talk about its popularity (how it s been deployed, and so on)H  0.k ? 3380___PPT10.`" 0 02(  d  c $4XK     s *4 )   First discuss its architecture, as shown by the diagram here, and then talk about its popularity (how it s been deployed, and so on)H  0.k ? 3380___PPT10.`3 0 80(  ^  S 4XK   *  c $4 )   Explain the implication of false positives Explain the implication of false negatives. Explain the cause of false positives and false negatives. H  0.k ? 3380___PPT10.3r$`2u<4LZ } ?@ϏJn` :f&`<a]/ 1p3A">Kn^[&o9F;0?pKG "7;Z|xGIs>\F fR 0eS9Oh+'0 x $DT lx   Sautomatic placement of authorization hooks in the linux security modules frameworke%presentation slides for acm ccs 2005hooVINOD GANAPATHYLSM, static analysisor EdgestaVinod Ganapathy259Microsoft Office PowerPoint@=@=9@GEG g  R9  --$--'@Times New Roman-. !*2 Automatic Placement of VB(=a<)!5I!<57b6B(<(."Systemi-@Times New Roman-. !92 !Authorization Hooks in the Linux VB(B<5!5<(!<B]<<B.!B(C5O"BB<.-@Times New Roman-. !.2 "Security Modules FrameworkB55B5!(<p<BB"5.J5=b5W<5A.-@"Microsoft Sans Serif-. 72 5 University of Wisconsin, Madison(  4  / .-@"Microsoft Sans Serif-. 32 5Pennsylvania State Universitys%  $(  .-@Arial-. 2 | Somesh Jha0,@((,(,(.-@"Microsoft Sans Serif-. 2 jha@cs.wisc.edu&%D"!0""%%%.-@Arial-. 2 |R Trent Jaeger,(,()(,(.-@"Microsoft Sans Serif-. $2 tjaeger@cse.psu.edu %%%&D""$%"$%%%.-@Times New Roman-. 2 Joint work with $$0$ 0$.-@Arial-. 2 Vinod Ganapathy0,,,8(-(,(-'.-@"Microsoft Sans Serif-. 2 +vg@cs.wisc.edu"%D!!0""%%%.-@"Microsoft Sans Serif-. 72 }P University of Wisconsin, Madison(  4  / .-՜.+,D՜.+,X   $ ,4<D L operating system securityaOn-screen ShowmUNIVERSITY OF WISCONSINx,) O 0ArialGeorgiaTimes New RomanMicrosoft Sans Serif Wingdings Courier NewEdgeSAutomatic Placement of Authorization Hooks in the Linux Security Modules FrameworkContext of this talk!Enforcing authorization policies!Linux security modules framework!Linux security modules framework!Linux security modules frameworkExampleExampleExampleExampleExampleHook placement is crucialMain message of this talkMain message of this talkMain message of this talkKey intuition: Matchmaking&Tool for Authorization Hook Placement&Tool for Authorization Hook Placement&Tool for Authorization Hook PlacementSecurity-sensitive operationsAuthorization hook analysisAuthorization hook analysisLinux kernel analysisExampleExampleExampleKey observationLinux kernel analysisLinux kernel analysisLinux kernel analysisLinux kernel analysisLinux kernel analysisResult with ext2_rmdir IdiomsCombining resultsCombining resultsPlacing hooksResults Future workSummary of important ideas Thank You  Fonts UsedDesign Template Slide Titles) :B_PID_LINKBASEA6http://www.cs.wisc.edu/~vg'_*Vinod GanapathyVinod Ganapathy  !"#$%&'()*+,-./0123456789;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~Root EntrydO)PicturesrCurrent UserSummaryInformation(PowerPoint Document(:NDocumentSummaryInformation8