ABSTRACT
Modern commodity systems now have several security enforcement mechanisms to limit adversary access to processes, yet security practitioners still work reactively, responding to vulnerabilities as adversaries identify them. A problem is that these available security enforcement mechanisms are deployed independently of one another, so adversaries take advantage of inconsistencies and invalid assumptions to further attacks. To address this problem, we are developing a theory of integrity safety that enables reasoning about adversary access across security mechanisms. Using this theory, we aim to develop methods that evaluate whether a program can be safely deployed in a particular deployment relative to integrity safety.
In this talk, I will discuss our progress thus far on identifying candidate integrity safety properties in systems and programs and on applying them to protect process integrity. First, I will describe our experiences evaluating the integrity of running code, which will highlight several integrity safety properties. One specific topic will be our recent work on detecting name resolution vulnerabilities in programs. Second, I will outline how we envision using such integrity safety properties to protect process integrity. For example, I will show how to use security policies and runtime analysis to compute program attack surfaces, which identify the individual program system calls accessible to adversaries. Using this knowledge, information flow models of programs can be constructed to evaluate program integrity safety, but the challenge is to deal with adversary access (i.e., choosing endorsers and where to place them). We will discuss possible program integrity safety properties to limit adversary access in programs, with the goal of maintaining integrity safety for system objects. The resulting combination of system and program integrity safety enforcement enables end-to-end evaluation of integrity protection using commodity system policies and legacy code.
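As an added illustration (not the authors' tooling), the following sketch computes an attack surface the way the abstract describes: it joins a constructed access-control policy with a constructed runtime trace of system calls and flags each call whose object, or any directory traversed while resolving its name, is writable by an adversary-controlled label. Labels, paths and the trace are all made up for the example.

```python
from dataclasses import dataclass

# Constructed policy: labels an adversary may run under, and which labels
# may write each object (directories included, since writing a directory
# lets one redirect name resolution through it).
ADVERSARY_LABELS = {"untrusted_t", "user_home_t"}
WRITERS = {
    "/": {"admin_t"},
    "/etc": {"admin_t"},
    "/etc/app.conf": {"admin_t"},
    "/tmp": {"untrusted_t", "admin_t", "app_t"},
    "/tmp/app.sock": {"app_t"},
    "/home/alice": {"user_home_t"},
    "/home/alice/.apprc": {"user_home_t"},
}

@dataclass(frozen=True)
class Syscall:
    name: str   # system call observed at runtime
    path: str   # absolute name the call resolved

def adversary_writable(obj):
    # Assumption: objects missing from the policy are treated as not
    # adversary-writable; a real analysis should be conservative here.
    return bool(WRITERS.get(obj, set()) & ADVERSARY_LABELS)

def path_prefixes(path):
    """Directories traversed when resolving path, root first, object excluded."""
    parts = [p for p in path.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(len(parts))]

def attack_surface(trace):
    """Map (syscall, path) -> reasons for every call an adversary can reach."""
    findings = {}
    for call in trace:
        reasons = []
        if adversary_writable(call.path):
            reasons.append("adversary-writable object")
        for d in path_prefixes(call.path):
            if adversary_writable(d):
                reasons.append(f"name resolution through adversary-writable {d}")
        if reasons:
            findings[(call.name, call.path)] = reasons
    return findings

# Constructed runtime trace of a hypothetical service.
TRACE = [
    Syscall("open", "/etc/app.conf"),
    Syscall("open", "/home/alice/.apprc"),
    Syscall("connect", "/tmp/app.sock"),
]
```

Each flagged entry is a candidate point where an endorser would have to be placed before the input can be trusted.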