Browser Security Guarantees through Formal Shim Verification - PowerPoint PPT Presentation



Slide 1

Browser Security Guarantees through Formal Shim Verification

Dongseok Jang, Zachary Tatlock, Sorin Lerner
UC San Diego

Slide 2

Browsers: Critical Infrastructure

• Ubiquitous: many platforms, sensitive apps
• Vulnerable: Pwn2Own, just a click to exploit
• Reactive defenses: many ad hoc, bug triage, regressions

Slide 3

Fully Formal Verification

• Fully formal, machine checkable proof
• Develop the correctness proof in sync with the code
• Code in a language that eases reasoning

Slide 4

Fully Formal Verification

• Success story: CompCert C compiler; OS (seL4); RDBMS and HTTPD (Ynot)
• Realistic implementations guaranteed bug free

Compiler bugs found [Yang et al. PLDI 11]: GCC 122, LLVM 181, CompCert: none listed

Slide 5

Fully Formal Verification

• Success story: CompCert C compiler; OS (seL4); DB, HTTPD (Ynot)
• Realistic implementations guaranteed bug free

Compiler bugs found [Yang et al. PLDI 11]: GCC 100, LLVM 150, CompCert: ?

The Catch

• Throw away all your code
• Rewrite in an unfamiliar language
• Formally specify correctness
• Prove every detail correct
• Heroic effort

Slide 6

Formally Verify a Browser?!

• Complex parts
• Subtle interactions
• Loose access policy
• Constant evolution

[Figure: Resources accessed by browser components: JavaScript Interpreter, JPEG Decoder, HTML Renderer]

Slide 7

Formally Verify a Browser?!

[Figure: Resources | Shim | JavaScript Interpreter, JPEG Decoder, HTML Renderer]

Formal Shim Verification:
• Insert shim: guards resource access
• Verify shim: prove security props
• Isolate: sandbox untrusted code

Slide 8

Formally Verify a Browser?!

[Figure: Resources | Shim | JavaScript Interpreter, JPEG Decoder, HTML Renderer]

QUARK: formally verified browser, built with Formal Shim Verification

Security props:
1. Tab isolation
2. Cookie integrity
3. Addr bar correctness

Prove code correct: machine checkable proof

Slides 9-17

Fully Formal Verification

• Code: in a language supporting reasoning
• Spec: logical properties characterizing correctness
• Proof assistant (Coq theorem prover): interactively show the code satisfies the specification
• ML -> x86: compile down to machine code
• Extremely strong guarantees about the actual system!
• But: rewrite the entire system! Prove every detail correct

Slides 18-20

Formal Shim Verification

[Figure: Resources | Shim | JavaScript Interpreter, JPEG Decoder, HTML Renderer; Sandbox around Untrusted Code, Shim between Untrusted Code and Resources]

• Formally verify shim: ensure accesses secure
• Adapt to sandbox: request access via shim
• Write shim: design effective interface

Key Insight

• Guarantee sec props for entire system
• Only reason about small shim
• Radically ease verification burden
• Prove actual code correct

Slides 21-25

Quark: Verified Browser

[Figure: Sandbox around Untrusted Code; Shim between Untrusted Code and Resources (persistent storage, user interface, network); the Shim is the Quark Kernel ✔]

• Resources: persistent storage, user interface, network (Net)
• Quark browser kernel: code, spec, proof in Coq

Slides 26-35

Quark: Verified Browser

[Figure: Quark Kernel ✔ (the Shim) between Resources (Net, ...) and sandboxed Untrusted Code: WebKit Tab, WebKit Tab, WebKit Tab, Cookie Manager, Cookie Manager]

Untrusted Code:
• browser components run as separate procs, strictly sandboxed
• talk to kernel over pipe
• two component types, several instances each:
  • WebKit Tab: modified WebKit, intercept accesses
  • Cookie Manager: written in Python, manages single domain

Slides 36-50

Quark Kernel: Code, Spec, Proof

[Figure: Quark Kernel ✔]

Kernel step in Coq, built up one line per slide; the slide annotations are kept as comments and the kernel state is (focused_tab, tabs):

    Definition kstep (focused_tab, tabs) :=
      f <- select (stdin, tabs);        (* Unix-style select to find a component pipe ready to read *)
      match f with
      | Stdin =>                        (* case: f is user input *)
          cmd <- read_cmd (stdin);      (* read command from user over stdin *)
          match cmd with
          | AddTab =>                   (* user wants to create and focus a new tab *)
              t <- mk_tab ();           (* create a new tab *)
              write_msg (t, Render);    (* tell new tab to render itself *)
              return (t, t :: tabs)     (* return updated state *)
          | ... => ...                  (* handle other user commands *)
          end
      | Tab t => ...                    (* case: f is a tab pipe: handle requests from tabs *)
      end.

Slides 51-61

Quark Kernel: Code, Spec, Proof

Specify correct behavior wrt syscall seqs:
• trace: all syscalls made by the Quark kernel during execution, e.g. read(), write(), open(), write(), ...
• a trace is produced by repeated kernel steps: kstep() kstep() kstep() kstep()
• structure of producible traces supports spec & proof

Example: address bar correctness

    forall trace tab domain,
      quark_produced(trace) /\      (* if Quark could have produced this trace, *)
      tab = cur_tab(trace) /\       (* and tab is the selected tab in this trace, *)
      domain = addr_bar(trace) ->   (* and domain is displayed in the address bar for this trace, *)
      domain = tab_domain(tab)      (* then domain is the domain of the focused tab *)

For any trace, tab, and domain, where trace is a sequence of syscalls.

Slide 62

Quark Kernel: Code, Spec, Proof

Formal Security Properties

• Tab Non-Interference: no tab affects kernel interaction with another tab
• Cookie Confidentiality and Integrity: cookies only accessed by tabs of same domain
• Address Bar Integrity and Correctness: address bar accurate, only modified by user action

Slides 63-67

Quark Kernel: Code, Spec, Proof

Prove kernel code satisfies sec props, by induction on traces Quark can produce:
• induction hypothesis: trace valid up to this point
• proof obligation: still valid after one more step? (trace + step = ?)

Proceed by case analysis on kstep():
• what syscalls can be appended to the trace?
• will they still satisfy all security properties?
• prove each case using the interactive proof assistant
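As an added illustration (example code, not Quark's own, which is written in Coq), the following Python model replays the kstep() code of slides 38-49, derives cur_tab, addr_bar and tab_domain from the syscall trace as in the property of slides 56-61, and performs the case analysis of slides 64-67 as a bounded exploration of every reachable (state, event) pair. The syscall names spawn, write_msg, ui_focus and ui_addr_bar, the SwitchTab command, the GetCookie request and the two sample domains are assumptions; unlike the Coq induction, the check is exhaustive only up to a fixed depth.

```python
# Added example, not Quark's code: a toy model of the kernel step on the slides, its
# syscall trace, and a bounded case analysis of address bar correctness.  Syscall
# names, the SwitchTab command, the GetCookie request and the domains are assumed.
def kstep(state, event, trace):
    """state = (focused_tab_id, {tab_id: domain}); event = ("Stdin", cmd) or ("Tab", id, req)."""
    tabs = state[1]
    if event[0] == "Stdin":                               # case: f is user input
        cmd = event[1]
        if cmd[0] == "AddTab":                            # create and focus a new tab
            t, domain = len(tabs), cmd[1]
            trace += [("spawn", t, domain),               # mk_tab(): sandboxed process
                      ("write_msg", t, "Render"),         # tell new tab to render itself
                      ("ui_focus", t), ("ui_addr_bar", domain)]
            return (t, {**tabs, t: domain})
        if cmd[0] == "SwitchTab" and cmd[1] in tabs:      # focus an existing tab
            trace += [("ui_focus", cmd[1]), ("ui_addr_bar", tabs[cmd[1]])]
            return (cmd[1], tabs)
        return state                                      # unknown command: ignored
    t, req = event[1], event[2]                           # case: f is a tab pipe
    if req[0] == "GetCookie":                             # reply only on that tab's pipe
        trace.append(("write_msg", t, ("Cookie", tabs[t])))
    return state                                          # tabs never touch the address bar

# Views derived from the trace alone, as in the property on slides 56-60.
def cur_tab(trace):
    return next((e[1] for e in reversed(trace) if e[0] == "ui_focus"), None)
def addr_bar(trace):
    return next((e[1] for e in reversed(trace) if e[0] == "ui_addr_bar"), None)
def tab_domain(trace, tab):
    return next((e[2] for e in trace if e[0] == "spawn" and e[1] == tab), None)
def addr_bar_correct(trace):     # tab = cur_tab(trace) /\ domain = addr_bar(trace) -> ...
    tab = cur_tab(trace)
    return tab is None or addr_bar(trace) == tab_domain(trace, tab)
def events_for(state):           # every input the kernel can receive: the cases of kstep()
    return ([("Stdin", ("AddTab", d)) for d in ("a.example", "b.example")]
            + [("Stdin", ("SwitchTab", t)) for t in list(state[1]) + [99]]  # 99: bogus id
            + [("Tab", t, ("GetCookie",)) for t in state[1]])

def check_all_traces(depth):     # bounded induction step; the Coq proof covers all depths
    frontier, checked = [((None, {}), [])], 0
    for _ in range(depth):
        nxt = []
        for state, trace in frontier:
            for ev in events_for(state):                  # case analysis on kstep()
                st = kstep(state, ev, tr := list(trace))
                assert addr_bar_correct(tr), (ev, tr)     # proof obligation for this case
                checked += 1
                nxt.append((st, tr))
        frontier = nxt
    return checked                                        # (state, event) cases checked
```

check_all_traces(2) explores 16 cases; a kernel variant that wrote the address bar in the tab-request branch would fail the assertion at the first such case.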

Slide 68

Quark Kernel: Code, Spec, Proof

Key Insight

• Guarantee sec props for browser
• Use state-of-the-art components
• Only prove simple browser kernel

Slide 69

Usability Demo Video

Slide 70

Trusted Computing Base

Infrastructure we assume correct; any bugs here can invalidate our formal guarantees.

Fundamental:
• Statement of security properties
• Coq (soundness, proof checker)

Eventually verified [active research]:
• OCaml [VeriML]
• Tab sandbox [RockSalt]
• Operating system [seL4]
• ...

Slide 71

Security Analysis

• Formally prove important sec props
• WebKit defenses remain in effect
• Other desirable security policies

Slide 72

Future Work

• Liveness properties: formally prove that the kernel never blocks
• Finer grained resource accesses: support mashups and plugins
• Filesystem access, sound, history: could be implemented w/out major redesign

Slide 73

Conclusion

Quark: Verified Browser
• Guarantee sec props for browser
• Only prove simple browser kernel
• Use state-of-the-art components

Formal Shim Verification
• Guarantee sec props for entire system
• Only reason about small shim
• Radically ease verification burden

http://goto.ucsd.edu/quark