Rebecca "bx" Shapiro - Part 1 - Regions are types, types are policy, and other ramblings

hear me

so I wanted to kind of go back and just think about a trustworthy software user the classical view of confidentiality availability and integrity but I don't really think that's enough just to really show what we want from trustworthy software what we wanted sucker-head behaves as we expected doesn't have any unexpected behaviors predictable and reliable and to really get at that and to be able to really create prosperity software especially out of the complexity that we're seeing these days we didn't think about the policies we applied to it what we expect are possible not gonna do what we allow it to do and I think a lot about is there an ideal size granularity for policy objects and so through this taco

people talking a little bit about type theory I'll talk about litters bootloader you motor drought then I will kind of go into my memory regions text picture policy and make a little more about this one-size-fits-all like how we can get away from that and start having policy objects that really better encode our attentions in what the software should be doing this doesn't look so nice but finding the right granularity so when I talk about tape systems I kind of generalize a little more most folks usage of types is programming language centric and it really applies to programming language constructs of the data and function calls function parameters are sorry parameters of a function are silent type return values

and it's up to the compiler or the runtime to really ensure that data the correct type are being processed function and being returned from that function and these type rules will of course these relationship between the different constructs but there's so many other things that kind of seem like types to me really put takes generally define what operations are allowed on objects what you need gears are allowed and there's what constructs that exists outside of programming languages that really have this feel to them and for example when we're loading data into memory space instead of a process really the regions that we're copying over our objects they have each of them kind of have a purpose

to this group to this region back and just to give you a little more sense of where types are used so interpreted languages there is types sometimes these are often dynamically dynamically stores tested so if I try to you to say at an institute to this treatment PyCon complain in Ruby there's a similar thing if I try to do the same JavaScript that has a lot of pure gifts I couldn't really define two good examples and there's a great pop up that we see FPS on YouTube has a lot of interesting we're dissing have a script so I thought if you make the string you'll tell your stream but if you ask it if the street is an

instance of street it will take balls so types aren't out like pipes have this purpose though I'll be really bring the attention like explicitly into our code but maybe for some languages that don't do it as well as others and then press your CLI compiled languages and what would happen is if you don't appear to the tight constraints you'll see compiler warnings or errors it seems mostly warnings like well you didn't cast them into here's what we could treat it as one if you do and so job is a little more just so I'll see conversion double the hips and rust has a lot of really interesting uses of pipes nuture currency had been received beyond what we seen just Java

taxi types and so forth and rust is really been in a language that they've been pushing to do systems programming low local stuff and you know as an alternative to see but hasn't really been picked up by the general public so parts a lot use a lot of Firefox donors other types of types and also going to make a gif types and picking up and Plyler injected policy so stack Canaries are one of this type enforcement of the stack so if you know some important function for gets over right Enders to take bearer at runtime that's like us you know buffer overflow dependent types are kind of interesting they're the example ire it doesn't actually compiled of anything

but it depending types the idea is your cyclic check types are actually dependent on runtime value so you might not actually know at build time that it take text properly but with one thing you can do with dependent types I have a list I have a list of length two and have that be a spike in our breath you know if you try to create a list that has be more or less than two elements a dissapointment entire moon is alone this has not been used too much really generally [Music]

the idea is you define it if you have an object of at Whitefoot sort of the functions you can call on the option to put in on the students currently it so you can maybe maybe are highly Keating something and deallocating it and after you've allocated you can read and write or deallocate but if it's not ready in that state the only thing you can do is allocate so that is definitely an eisley contention based policy right there it's not always chuckle at compile time but there's of course a lot oh there is it was sort of an older idea in programming languages and not sort of research it a lot of popularity buzz yes

something that's very interesting to me control flow integrity which we see we see use these days and so I I kind of pick it as a compiler injection pump policy so there are kind of branches along your control photograph that you think that are valid that you're allowed and the idea profile integrity is that you disallow jumps across branches or things that are not explicitly allowed in this policy and so if it looks like that the quacks like a duck beneath batteries probably have the wrong abstraction so I'm when it comes to tech policies they definitely are useful in helping you write code or especially the text that we use most most pens we use they help you break

code that kind of keep with your attention of what this function is supposed to do but it's very much on this functional module level and it doesn't necessarily easily like expand to enjoy your program behaviors and ones that we're interested in it and that's what I want to try to get at with some of the work that have been a presents types outside of programming languages you know once it are all these things I consider types in their own ways that file permissions are can be felt like a type and there's some enforcement there by the kernel su Linux sort of is this very fine-grain and click system on syscalls over in linux and then you know

like this coarser one read/write/execute Commission's across pages so moving now from this TED talk to a policy how is policy like training a puppy well it helps that your apology of policy objects or file size so if you're Alice and you shrunk down and you just drank I miss dog it's not going to like you want to put the candlestick inter-process I kind of thinking a lot of work has been done on into your process and like in process of so inter process we have UNIX file Commission's that are fairly coarse and the protections are against you know labels on the file depending and then versus the process you know a label of the processes running who own stacks and

that's pretty porous and SEO makes is kind of pretty hard to work on is you know bag of permission so you really have to strictly defined across files Hegarty desist calls types of syscalls and domain which is you know sort of like the runtime label again into your process you will see read write execute permissions of pages in that can be two cars so we've seen there is a function pointer in writable area you don't always want to be able to overwrite that and there's you know the C type system which kind of seems neat you can know he's cast some thinking like then compiler well you can compile it anyway pablor but pretty much let you do

you tell it to you know make all whirring stairs and also you know screaming with all the warnings and I'm wondering now with region-based types when you think about regions of memory there is no actual like specific size it's very variable you can have a very large region of memory or you can think of a single object and maybe that's adjusted right and when we want this right granularity whatever it is it should really help us more easily describe what matters to us in software behavior so when we're correcting a policy if what is this wish list that we walked and I put about this term that Sergey used in a black hat topper that

this policy wish list we need to be able to really say to our policy it types or types with other things we want to say with relevance like what data is very sensitive and describe what matters and perhaps certain operations have to happen in a certain order it can be harder to describe that with the type system of these fine great wads of these course green wants that we have you know in practice another policy idea for policies or another thing we might want is to be able to be concise and describe only what matters because time well it's not evil we die avenged sorry to say but you can't take forever to write a policy or your software

because it needs to you know be used as a guest is probably reason while you're writing in so sometimes just need a focus on what matters and I'm picking on SELinux again but it requires you to to assign types to everything and to decide permissions to every single sis call that might be performed on any object that is part of its language which is usually files file so what does matter to me it really depends on the software and the larger context in which it's being run in which is being used and I'd like to explore that a little as I continue so what do we want intense level semantics again this is part from

Sergei that Bush Texas students the doshas so you don't really know what those words are we know the but there is a grammar between them that reveals relationships so even though we might not know exactly the layout of function etc what every single one does it's easier to understand the relationships between them and semantics can be derived from real relationships and the intent can be derived through these relationships and we can start using that to to create policy and not only that but code you know it executes to has different pages so perhaps an object at certain time in execution is not sensitive but eventually it will become a sensitive or maybe it needs to

be used so in some hypothetical email client if they initialize itself authenticate with some key and then after this authentication process you know to some remote server it will start processing input handling error is during a session it is eventually be authenticated why should it be able to ask question of the code that processes the input ever look at keys again it's already been authenticated there's probably a small session fee just for that but it's to treat it the same currently as every other object in memory as the email client executes and it was these different phases we should really be able to say this region these types of objects here are important and readable and writeable but while we're

executing this other phase where we're handling sensitive love well we're handling untrusted input let's lock down the of objects so that we don't you know so that's a runaway process because there's going to be like some issues with the parser right so something that happens doesn't necessarily week the keys so we don't want the keys to be leaked to the interwebs but because everything sits in a single address space it's happen I mean this is not hypothetical email client series but you know this is something that does happen and so why do we allow this Ubud is a food butter that's used in embedded devices and this is something that I dug into deeply when I was

thinking about regions as types so before you go a blue letter which I consider as a type of floater they're to me they're sort of the same thing so the loaders aren't you know the magic to transform a binary image into a running application and it sort of does this transduction based on metadata in the image and what it knows about the runtime in the binary image which I do what I mean by binary image is a static representation of the machine code so elf is the type used in like Unix Linux it's Pease Windows Paco or macho however that's it it is the one in OS X and then also two more things at his faces the

term design I used to refer to any addressable memory as you know the code is running anything that's reachable so it should be higher up your space memory map I think as a model of the address space that were there semantic labels of a different regions and this naturally happens whenever software is executed because there will be a chunk that's its code which chunk that's data and you know it's junk that's a stack so forth this is just natural who looks a loader well it's another loader it's loaders all the way down and the bootloader is just a term that I use it's you mean like the loader that executes before the kernel or the primary application is and

so we've seen plenty of them so what do we expect from our loot loaders and what are what's unexpected well I expect that it really any loader or mid letter will do the discovery and initialization sources in the add new space or the hardware is part of the larger system especially it's a bootloader he will prepare the outer space for whatever needs to be run next it might actually have to relocate itself to another place in memory especially with booth motors that are confined regions of it if there's good find resources early on a bootloader might be to move itself out of the way you know it might actually enable some more around coffee itself over there and

then continue on and also you expect the bootloader to prepare this image in memory and finally executed so I like to think of you know that is stages the loading seems to be a very you know for doing process you'll start and it'll do some bookkeeping and perhaps at some point the stack will be available to be available for the rest of the time and then you enter another phase where you're locating the target image but you know that's more bookkeeping and after you do that you'll see that there's more data there might be Heath available the through my feet of BSS region and that's zeroed out and ready and then I might be another face uploading the target image

and doing preparations eventually the target ready and there's like this final phase that we can execute that's and jump into the targets and all the metadata weird machine is some of the work that vision Allah inspired me to think about me Jesus types so how a loner is expected to work is that it will read metadata in this file that it's parsing at us well first you might actually copy everything in memory and then I'll start reading up the metadata to figure out what it's supposed to do and it will search in regions of packages in memory as needed because the might need some absolute a business that are not known until runtime and then you might use it

if it continues and it looks to see with its own you know data structure is whether there is more than it needs to pass another library that's loaded but this doesn't have to work this way and some broken promises results in a turing-complete butter which I possess it before Amun at Def Con and GCC if you're interested in that I can give links later but in this particular like weird execution model or if you have weird metadata you might see the loader reading it writing all over the address space because of the met just telling it to do so and then it will end up reading it again and finding itself hatching again into the metadata

and actually running them as instructions and suddenly you get this you know argh you do arbitrary computation with this metadata but really the only thing they should have been doing is writing some very specific regions of memory so in my mind this is a type confusion issue these metadata are meant to end the face which the process is really only meant to like write to certain regions of memory which contain points to the places that should have to say absolute pointers but in this weird machine is writing to regions of memory that should never be right written to you while the loader after the loader you know reads and the metadata it's over writing its own

metadata and we're going to get the learner to do well journey complete computation and so that simply typed confusion to me so going to you I mean I didn't do anything as interesting with you good but there is a lot of trust in some instances or something muted how should it be hey I specifically looked at the u-boot SPL for people born XM the beagleboard-xm has multiple rounds or stages of blue glowing what is soda if it's on chip ROM then it invokes an SPL which is a smaller like in terms of hood size boo butter which then invokes a larger chunk of you boots entirely separate dimension and finally Linux so I was just looking

at the more simple one which is really a subset of the larger meaning boot image while looking at this I was wondering does this blue litter always behave or yes does it always behave as it's expected never be made unexpectedly at predictably astrologically and how does you go to accomplish what is expected of it within the context behaving expected as expected and never behaving unexpectedly you know you know one of the best vacations is to discover resources just to give you a sense of what it's doing was sources is that there is sort of parkland discovery where addresses of thank memory mapped Hardware memory mapped i/o is just known compiled and statically into the binary and it will

read a value to get say that's just boot status which is you know why is this bootloader to vote is it a cold boot or mood etc then there's sort of semi Ammar coded where you booth as it's running you know some values of a register in perhaps and use that to look up in the table to figure out how to use this hardware and Nanoha also needs some protocol based discovery it will know how to send and receive earths really work with MMC that going to call to the SD card and it has to in this case it knows how to read a fat file system in order to find this next stage so these

are the different discovery modes and how it uses resources is often based on what it discovered sometimes vixen herkimer actresses so this is an example of it setting up we're writing to the i2c bus and bottom the bottom table is just you know the documentation on the chip of the address of each of these memory mapped registers and it corresponds to like these magic numbers in the code itself in order to make use of these resources and again when including images it's crawling the filesystem person headers using that cutter information to figure out what to do next and donate this is just it also sometimes relocates and relocation is also based on hard coded information as well as pulp mostly hard

code as information it knows the size it is so we can move itself elsewhere and in each doesn't necessarily know how much room is available it just assumes it won't overlap with anything in this particular case so these are things you might see and along these things it does you'll see these are relationships between resources memory regions and then also the phase in which it's executing will use different resources so in other words it will focus on read and write to different memory regions and this is an overall address piece for this particular chip in people board this is from the documentation and there's you know obedia that there's a lot of reserve space but there's some

addresses physical addresses that beyond ship food from there are some physical addresses that are they are crayons and a lot of Regents that are for different hardware resources for different memory not registers and if we zoom in to one of these areas of memory map registers will start seeing you know the ICC they're just something for our to see something curves and timer registers and so really these regions memory are objects and these objects are part of can really be part of a policy and we can decide because region sizes can be as big or small as we've lost we can have a course policy that's like this region these are all registers at this place between not be touching those

or you can have a policy that's like this region of memory is the MMC registers and we're going to be able to be using those and we don't want for some reason to overwrite some other types of registers because you know how its interacting with the MMC and it is late with embedded stuff there's a lot of styling failures so you might not even see in your testing of it that you're writing to your spouse I go to a policy and interactive the reads and writes for you dudes and I actually had a script that went through all the tables in the documentation of registers found their addresses and look to see if any Abbas's that were not will any

read-only registers and Marin whoever and I also wanted to see if there is any episodes that were not specifically defined as a valid address in this you know in the documentation to see if any that was written and I actually