Tiffin and MGen: An Expressive Policy Language with Multiple Runtime Monitoring Tools


Abstract: Runtime monitoring for anomalous behavior of software systems is a critical validation technique as part of defense-in-depth cybersecurity solutions. Such techniques complement static analyses and runtime pattern-matching based approaches that only identify known attacks and are thus likely to miss unknown or 0-day attacks. There exist many policy verification languages to support runtime validation and anomaly detection, but each is often tailored to a specific domain, making it difficult to express policies that embody multiple verification methods for a variety of problem areas. The specificity of these languages can often make it difficult for non-experts to understand, create and modify policies. Furthermore, the associated monitoring engines are often specific to a narrow set of programs and runtime environments, limiting broad applicability.

We introduce a new language, Tiffin, designed to express widely-scoped program behavior specifications as enforceable runtime policies. We also introduce a toolset that uses Tiffin policies as input to produce concrete application monitors encoding the developed policies. These monitors check adherence to the specification and respond appropriately when policies are violated. Tiffin is designed to express a wide variety of program behavior characteristics from extended finite automata and invariants, to enforcing interfaces and memory access constraints as well as guiding component-based fuzzing. The developed toolset consists of a policy compiler, mgen, with multiple backends, that can produce monitors in the form of application-level dynamic translation wrappers for monitoring specific standalone targets; hypervisors that can monitor firmware or operating systems; or binary rewriters that can permanently weave a policy into an application. Together, the developed technologies aim to provide autonomous runtime validation for a variety of program and deployment types that is easy to specify and deploy, even by non-experts. This presentation specifically describes use cases for application-level policy enforcement, firmware-level policy violation detection and response, and how said policies can be used to identify bugs by fuzzing components to detect policy violations.

This material is based upon work supported by the Office of Naval Research and the Air Force Research Laboratory under contracts N68335-19-C-0200, FA8650-20-C-1106, and FA8650-17-F-1056. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Office of Naval Research or the Air Force Research Laboratory.

Dr. Zachary P Fry is a Senior Scientist at GrammaTech, having received his Ph.D. in Computer Science from the University of Virginia in 2014. As part of the autonomic team at GrammaTech, he has served as PI on several DOD contracts, including most recently "ARTCAT: Autonomic Response to [Disruptive] Cyber-Attacks", which directly supports the work to be presented.

License: Copyright GrammaTech Inc. 2022.

License: Other
Submitted by Katie Dey on