Research in computer security has historically advocated design for security, i.e., proactive integration of security to create robust and secure systems. While examples exist in the research literature of systems that have been designed to be secure from the ground up, there are few examples of such systems deployed in the real world. Economic and practical considerations force developers to abandon security and focus instead on functionality and performance, which are more tangible than security. As a result, there are large bodies of code that have inadequate (or completely lack) security mechanisms. Security mechanisms are added to legacy code on-demand using ad hoc techniques. Not surprisingly, the resulting systems are insecure.
The goal of our research is to develop automated techniques to transform legacy programs by retrofitting them with security mechanisms that they lack.
Problem: Our focus so far has been on adding authorization policy checks to legacy server programs. Servers manage resources for multiple clients and must thus have mechanisms to regulate how these resources are accessed. Examples of such servers include web-, database-, online game- and window management servers. For example, the X window server manages multiple X clients simultaneously, but lacks mechanisms to enforce authorization policies on them. As a result, a malicious X client can compromise the confidentiality and integrity of other X clients connected to the X server. For example, it could possibly read input meant for another X client. Such an attack can be prevented by enforcing authorization policies that disallow an X client from accessing inputs meant for other X clients.
The main problem with retrofitting a legacy server for authorization policy enforcement is to identify security-sensitive operations and locate where they are performed by the server. The term security-sensitive operation refers to the different ways in which a resource can be accessed. For example, in the case of the X server, an X client can create, destroy, read/set attributes, and send different kinds of events to the Window resource. The idea is that such locations can then be protected with calls to a reference monitor that consults an authorization policy to ensure that the security-sensitive operation is allowed for the client requesting the operation.
Approach: We use program analysis to automate identification of security-sensitive operations in legacy code. The cornerstone of our techniques is a formalism called fingerprints. Each fingerprint is a code-level signature of a security-sensitive operation. Fingerprints can directly be matched against the source-code of the server, and each location that matches a fingerprint performs the corresponding security-sensitive operation. We have designed both static and dynamic program analysis techniques to automatically mine fingerprints from the server's source code.
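As an added illustration (not code from the project or its papers), the following simplified Python model shows the two steps described above: mining a fingerprint for one security-sensitive operation from execution traces, then matching fingerprints against function bodies to locate where hooks are needed. The Window field names, traces and function bodies are constructed for the example and stand in for real X server code.

```python
# Added example, not the project's own tool. A "code pattern" is an abstract
# read/write of a resource field, e.g. ("write", "Window.mapped"). All patterns,
# traces and function bodies below are constructed for illustration.
from typing import Dict, FrozenSet, List, Set, Tuple

Pattern = Tuple[str, str]          # (access kind, resource field)
Fingerprint = FrozenSet[Pattern]   # code-level signature of one operation

def mine_fingerprint(positive: List[Set[Pattern]],
                     negative: List[Set[Pattern]]) -> Fingerprint:
    """Simplified dynamic mining: keep the patterns present in every trace
    that performed the operation, and drop any that also occur in a trace
    that did not perform it (those are not characteristic of the operation)."""
    common = set.intersection(*positive)
    noise: Set[Pattern] = set().union(*negative) if negative else set()
    return frozenset(common - noise)

def locate_operations(functions: Dict[str, Set[Pattern]],
                      fingerprints: Dict[str, Fingerprint]) -> Dict[str, List[str]]:
    """Static matching: a function performs an operation if its body contains
    every pattern of that operation's fingerprint. Each hit is a location
    that needs a reference-monitor (authorization) hook."""
    hits: Dict[str, List[str]] = {}
    for fn, body in functions.items():
        for op, fp in fingerprints.items():
            if fp and fp <= body:
                hits.setdefault(fn, []).append(op)
    return hits

# Constructed traces: one set of patterns per request execution.
MAP_TRACES = [
    {("write", "Window.mapped"), ("read", "Window.firstChild"), ("read", "Window.parent")},
    {("write", "Window.mapped"), ("read", "Window.firstChild"), ("read", "Window.drawable.id")},
]
NO_MAP_TRACES = [{("read", "Window.parent"), ("read", "Window.drawable.id")}]

# Constructed function bodies, abstracted to the code patterns they contain.
FUNCTIONS = {
    "MapWindow":     {("write", "Window.mapped"), ("read", "Window.firstChild"), ("read", "Window.parent")},
    "MapSubwindows": {("write", "Window.mapped"), ("read", "Window.firstChild"), ("read", "Window.nextSib")},
    "GetGeometry":   {("read", "Window.drawable.id"), ("read", "Window.parent")},
}

def demo() -> Dict[str, List[str]]:
    """Mine the Window_Map fingerprint, then find the functions that match it."""
    fps = {"Window_Map": mine_fingerprint(MAP_TRACES, NO_MAP_TRACES)}
    return locate_operations(FUNCTIONS, fps)
```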
All our techniques have been prototyped and applied to large, real-world servers. Fingerprints were introduced in our 2005 ACM Conference on Computer and Communications Security paper, which also showed how fingerprints can be matched against source code and used to locate security-sensitive operations. Our 2006 IEEE Symposium on Security and Privacy paper presents a dynamic approach to mining fingerprints from source code, and demonstrates the technique on the X server. The static approach overcomes certain shortcomings of the dynamic technique, and is presented in our 29th International Conference on Software Engineering paper. We have applied this approach to secure the X server, a game server called PennMUSH, and subsystems of the Linux kernel.
Retrofitting Legacy Code for Authorization Policy Enforcement
Vinod Ganapathy.
Ph.D. Dissertation, Computer Sciences Department, University of Wisconsin-Madison, Madison, Wisconsin, August 2007.

Mining Security-sensitive Operations in Legacy Code using Concept Analysis
Vinod Ganapathy, David King, Trent Jaeger and Somesh Jha.
ICSE 2007: 29th International Conference on Software Engineering, Minneapolis, Minnesota, May 2007.

Retrofitting Legacy Code for Authorization Policy Enforcement
Vinod Ganapathy, Trent Jaeger and Somesh Jha.
IEEE S&P 2006: 2006 IEEE Symposium on Security and Privacy, Oakland, California, May 2006.

Towards Automated Authorization Policy Enforcement
Vinod Ganapathy, Trent Jaeger and Somesh Jha.
SELinux 2006: 2nd Security-enhanced Linux Symposium, Baltimore, Maryland, March 2006.

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework
Vinod Ganapathy, Trent Jaeger and Somesh Jha.
ACM CCS 2005: 12th ACM Conference on Computer and Communications Security, Alexandria, Virginia, November 2005.