JIGSAW: Protecting resource access by inferring programmer expectations

Hayawardh Vijayakumar, Xinyang Ge, Mathias Payer, Trent Jaeger

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Processes retrieve a variety of resources, such as files, from the operating system to function. However, securely accessing resources has proven to be a challenging task, accounting for 10-15% of vulnerabilities reported each year. Current defenses address only a subset of these vulnerabilities in ad-hoc and incomplete ways. In this paper, we provide a comprehensive defense against vulnerabilities during resource access. First, we identify a fundamental reason that resource access vulnerabilities exist - a mismatch between programmer expectations and the actual environment the program runs in. To address such mismatches, we propose JIGSAW, a system that can automatically derive programmer expectations and enforce them on the deployment. JIGSAW constructs programmer expectations as a name flow graph, which represents the data flows from the inputs used to construct file pathnames to the retrieval of system resources using those pathnames. We find that whether a program makes any attempt to filter such flows implies expectations about the threats the programmer expects during resource retrieval, thus enabling JIGSAW to enforce those expectations. We evaluated JIGSAW on widely-used programs and found that programmers have many implicit expectations. These mismatches led us to discover two previously-unknown vulnerabilities and a default misconfiguration in the Apache webserver. JIGSAW enforces program expectations for approximately 5% overhead for Apache webservers, thus eliminating vulnerabilities due to resource access efficiently and in a principled manner.

Original language: English (US)
Title of host publication: Proceedings of the 23rd USENIX Security Symposium
Publisher: USENIX Association
Pages: 973-988
Number of pages: 16
ISBN (Electronic): 9781931971157
State: Published - Jan 1 2014
Event: 23rd USENIX Security Symposium - San Diego, United States
Duration: Aug 20 2014 → Aug 22 2014

Publication series

Name: Proceedings of the 23rd USENIX Security Symposium

Conference

Conference: 23rd USENIX Security Symposium
Country: United States
City: San Diego
Period: 8/20/14 → 8/22/14

Fingerprint

Flow graphs

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Cite this

Vijayakumar, H., Ge, X., Payer, M., & Jaeger, T. (2014). JIGSAW: Protecting resource access by inferring programmer expectations. In Proceedings of the 23rd USENIX Security Symposium (pp. 973-988). (Proceedings of the 23rd USENIX Security Symposium). USENIX Association.
Vijayakumar, Hayawardh ; Ge, Xinyang ; Payer, Mathias ; Jaeger, Trent. / JIGSAW : Protecting resource access by inferring programmer expectations. Proceedings of the 23rd USENIX Security Symposium. USENIX Association, 2014. pp. 973-988 (Proceedings of the 23rd USENIX Security Symposium).
@inproceedings{bde5c95433ec4a8eb64099ce5eec6838,
title = "JIGSAW: Protecting resource access by inferring programmer expectations",
abstract = "Processes retrieve a variety of resources, such as files, from the operating system to function. However, securely accessing resources has proven to be a challenging task, accounting for 10-15{\%} of vulnerabilities reported each year. Current defenses address only a subset of these vulnerabilities in ad-hoc and incomplete ways. In this paper, we provide a comprehensive defense against vulnerabilities during resource access. First, we identify a fundamental reason that resource access vulnerabilities exist - a mismatch between programmer expectations and the actual environment the program runs in. To address such mismatches, we propose JIGSAW, a system that can automatically derive programmer expectations and enforce them on the deployment. JIGSAW constructs programmer expectations as a name flow graph, which represents the data flows from the inputs used to construct file pathnames to the retrieval of system resources using those pathnames. We find that whether a program makes any attempt to filter such flows implies expectations about the threats the programmer expects during resource retrieval, thus enabling JIGSAW to enforce those expectations. We evaluated JIGSAW on widely-used programs and found that programmers have many implicit expectations. These mismatches led us to discover two previously-unknown vulnerabilities and a default misconfiguration in the Apache webserver. JIGSAW enforces program expectations for approximately 5{\%} overhead for Apache webservers, thus eliminating vulnerabilities due to resource access efficiently and in a principled manner.",
author = "Hayawardh Vijayakumar and Xinyang Ge and Mathias Payer and Trent Jaeger",
year = "2014",
month = "1",
day = "1",
language = "English (US)",
series = "Proceedings of the 23rd USENIX Security Symposium",
publisher = "USENIX Association",
pages = "973--988",
booktitle = "Proceedings of the 23rd USENIX Security Symposium",

}

Vijayakumar, H, Ge, X, Payer, M & Jaeger, T 2014, JIGSAW: Protecting resource access by inferring programmer expectations. in Proceedings of the 23rd USENIX Security Symposium. Proceedings of the 23rd USENIX Security Symposium, USENIX Association, pp. 973-988, 23rd USENIX Security Symposium, San Diego, United States, 8/20/14.

JIGSAW : Protecting resource access by inferring programmer expectations. / Vijayakumar, Hayawardh; Ge, Xinyang; Payer, Mathias; Jaeger, Trent.

Proceedings of the 23rd USENIX Security Symposium. USENIX Association, 2014. p. 973-988 (Proceedings of the 23rd USENIX Security Symposium).

TY - GEN

T1 - JIGSAW

T2 - Protecting resource access by inferring programmer expectations

AU - Vijayakumar, Hayawardh

AU - Ge, Xinyang

AU - Payer, Mathias

AU - Jaeger, Trent

PY - 2014/1/1

Y1 - 2014/1/1

N2 - Processes retrieve a variety of resources, such as files, from the operating system to function. However, securely accessing resources has proven to be a challenging task, accounting for 10-15% of vulnerabilities reported each year. Current defenses address only a subset of these vulnerabilities in ad-hoc and incomplete ways. In this paper, we provide a comprehensive defense against vulnerabilities during resource access. First, we identify a fundamental reason that resource access vulnerabilities exist - a mismatch between programmer expectations and the actual environment the program runs in. To address such mismatches, we propose JIGSAW, a system that can automatically derive programmer expectations and enforce them on the deployment. JIGSAW constructs programmer expectations as a name flow graph, which represents the data flows from the inputs used to construct file pathnames to the retrieval of system resources using those pathnames. We find that whether a program makes any attempt to filter such flows implies expectations about the threats the programmer expects during resource retrieval, thus enabling JIGSAW to enforce those expectations. We evaluated JIGSAW on widely-used programs and found that programmers have many implicit expectations. These mismatches led us to discover two previously-unknown vulnerabilities and a default misconfiguration in the Apache webserver. JIGSAW enforces program expectations for approximately 5% overhead for Apache webservers, thus eliminating vulnerabilities due to resource access efficiently and in a principled manner.

UR - http://www.scopus.com/inward/record.url?scp=84937690805&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84937690805&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:84937690805

T3 - Proceedings of the 23rd USENIX Security Symposium

SP - 973

EP - 988

BT - Proceedings of the 23rd USENIX Security Symposium

PB - USENIX Association

ER -

Vijayakumar H, Ge X, Payer M, Jaeger T. JIGSAW: Protecting resource access by inferring programmer expectations. In Proceedings of the 23rd USENIX Security Symposium. USENIX Association. 2014. p. 973-988. (Proceedings of the 23rd USENIX Security Symposium).