
PhD Defense: Mohit Tiwari, University of California, Santa Barbara

Design and Verification of Information Flow Secure Systems. Committee: Tim Sherwood (Chair), Frederic T. Chong


Presentation Transcript


  1. Design and Verification of Information Flow Secure Systems. PhD Defense, Mohit Tiwari, University of California, Santa Barbara.

  2. Design and Verification of Information Flow Secure Systems. Committee: Tim Sherwood (Chair, UC Santa Barbara), Frederic T. Chong (UC Santa Barbara), Tevfik Bultan (UC Santa Barbara), Ben Hardekopf (UC Santa Barbara), Ryan Kastner (UC San Diego).

  3. High Assurance Systems: enforce policies on the final system implementation. [Figure: a passenger network next to a flight control network; confidential data next to an open network]

  4. High Assurance for All. Sensitive data. Untrusted services. The Confinement Problem [Lampson '73].

  5. Non-Interference • Non-Interference: a change in a High input can never be observed or inferred from changes in the Low output. That is, High data should never leak to Low. • Confidentiality-Integrity Duality: "High" is the more conservative label, i.e. Secret, or Tainted/Untrusted. Real-world systems need both Confidentiality and Integrity. [Figure: a "system" with High and Low inputs and a Low output; the High-to-Low path is crossed out]

  6. Example MLS System: example satellite application [Tzvetan Metodi, Aerospace Corp.]. [Figure: primary execution schedule over execution time, with processes labelled Sensitive or Non-sensitive: Interrupt Handlers (Sensitive), Interrupt Handlers (Non-sensitive), Kernel and Diagnostics, Time Keeping, Crypto, Command/Telemetry Interface, I/O; classification levels Secret Mission and Unclass. Note: since this is not a real schedule, the processes are not in any sensible execution order.]

  7. Example: Satellite System. Four combinations of trust and classification: • Untrusted & Secret: libraries (e.g. encryption) that operate on Secret data • Trusted & Secret: custom code on Secret data • Untrusted & Unclassified: diagnostics, telemetry interfaces • Trusted & Unclassified: kernel, interrupt handlers (Unclassified), time-keeping programs. But assurance is not cheap.

  8. The Price of Assurance • Evaluation Assurance Levels (EAL 1 to 7) • Evaluation of the process, not the end artifact • Red Hat Linux: EAL 4+, $30 to $40 per LOC • Integrity RTOS: EAL 6+, $10,000 per LOC ... and increasing. Many approaches.

  9. Traditional Information Flow Security. [Figure: prior work placed by system layer, from Applications and Prog. Language down through Compiler/OS, Instruction Set and Microarchitecture to Functional Units and Logic Gates: Volpano 96, Jif 99, Slam 98, FlowCaml 03; HiStar 06, Flume 07, Laminar 09; Taintcheck 04, LIFT 06, Dytan 07; DIFT 04, Minos 04, LBA 06, Raksha 07; and microarchitectural side-channel defenses: cache flush (Osvik et al. 2006), BP scrub (Aciicmez et al. 2007), execution normalization (Kocher 1996), cache randomization (Lee et al. 2005).] Closer look at IF analysis.

  10. Information Flow Analysis • Information flows through Space: registers, memory, micro-architectural state, etc. • Information flows through Time: observable events such as the PC, I/O channels, etc. Explicit flow: out = untrusted. Implicit flow: if (untrusted == 1) out1 = 1 else out2 = 0. How to account for all information flows in a system? How to construct practical systems that won't leak? [Figure: Memory shared by CPU A and CPU B]

  11. Outline of this talk • High Assurance Systems • Information flow security • Analysis Technique: Gate-Level Information Flow Tracking • Architecture: Execution Leases

  12. Analysis: Track all flows • Flatten the design to a (giant) state machine • Does every output have the desired label? [Figure: Secure System (Separation Kernel S/W; H/W: CPU, Mem, I/O Dev) beside its Equivalent State Machine: clock, external inputs, state bits P0/P1, combinational logic, external outputs]

  13. Analysis: Track all flows • Insight: all flows are explicit at the gate level. [Figure: same as slide 12]

  14. Analysis: Track all flows • Outputs: a logic function of state and inputs • Output labels: a logic function of state, inputs, and labels. [Figure: same as slide 12]

  15. Analysis: Track all flows • Does not include physical side channels: power draw, thermal fingerprint, EM radiation. [Figure: same as slide 12]

  16. Timing Channels. [Figure: a Memory Bus Arbiter receiving Request A from CPU A and Request B from CPU B and issuing Grant A and Grant B] ... Will look at implicit flows in a few slides.

  17. Analysis Technique: GLIFT. [Figure: an AND gate with inputs a, b and output o, beside its Shadow AND, which takes a, b and their taint bits a_t, b_t and produces the output taint o_t]

  18. Required: Precise Information Flow • Conventional OR-ing of labels is monotonic: once a label is set it never clears. [Figure: a D flip-flop with clock and reset, fed an alternating 010101... input]

  19. Precise Information Flow: AND Gate. Use both the inputs and the input labels: when the untainted input is 0, the output is 0 no matter what the tainted input is, so the output stays untainted; taint propagates only when the untainted input is 1 or both inputs are tainted. [Figure: truth table of a, b, o with the corresponding input and output labels]

  20. Analysis Technique: GLIFT. [Figure: the same AND gate and Shadow AND as slide 17, now with every wire carrying both a value (a, b, o) and a taint bit (a_t, b_t, o_t)]

  21. Sound Composition of Shadow Logic. [Figure: a small circuit with inputs s, a, b and taint bits s_t, a_t, b_t; each gate's shadow logic produces an intermediate taint (t1, t2) that feeds the next gate's shadow, ending in the output o and its taint o_t]

  22. MUX: gatekeeper of trust. [Figure: a 2:1 MUX with data inputs a, b, select s and output o, beside its shadow logic: the output taint depends on the select value and label as well as on the selected input's label]
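As an added example (not part of the talk): the GLIFT shadow logic of slides 17 to 22 in Python, with the AND shadow from slide 19, an OR shadow derived the same way, a 2:1 MUX composed gate by gate, and a brute-force reference label that checks the composition is sound; the function names and the OR rule are my own construction.

```python
from itertools import product

# Each wire is (value, taint); taint 1 = "High" (secret or untrusted).

def glift_and(a, at, b, bt):
    # Shadow AND: a tainted input only taints the output if it can change
    # it, i.e. the other input is 1 or is itself tainted (slide 19).
    return a & b, (at & bt) | (at & b) | (bt & a)

def glift_or(a, at, b, bt):
    # Shadow OR: an untainted 1 on either input masks the other input.
    return a | b, (at & bt) | (at & (1 - b)) | (bt & (1 - a))

def glift_mux(s, st, a, at, b, bt):
    # 2:1 MUX (o = b if s else a) built from NOT/AND/OR, so its shadow
    # logic is the gate-by-gate composition of the shadows above.
    ns, nst = 1 - s, st                 # NOT passes the taint through
    p, pt = glift_and(ns, nst, a, at)
    q, qt = glift_and(s, st, b, bt)
    return glift_or(p, pt, q, qt)

def precise_taint(fn, vals, taints):
    # Reference definition of the GLIFT label: output tainted iff some
    # assignment to the tainted inputs (untainted held fixed) changes fn.
    ref = fn(*vals)
    idx = [i for i, t in enumerate(taints) if t]
    for bits in product((0, 1), repeat=len(idx)):
        v = list(vals)
        for i, bit in zip(idx, bits):
            v[i] = bit
        if fn(*v) != ref:
            return 1
    return 0

def shadow_and_is_precise():
    # The AND shadow equals the reference label for all 16 input cases.
    return all(glift_and(a, at, b, bt)[1] ==
               precise_taint(lambda x, y: x & y, (a, b), (at, bt))
               for a, at, b, bt in product((0, 1), repeat=4))

def mux_composition_report():
    # (under-taints, over-taints) of the composed MUX shadow vs. reference:
    # composition is sound (never under-taints) but not always minimal.
    under = over = 0
    for s, st, a, at, b, bt in product((0, 1), repeat=6):
        composed = glift_mux(s, st, a, at, b, bt)[1]
        exact = precise_taint(lambda x, y, z: z if x else y,
                              (s, a, b), (st, at, bt))
        under += composed < exact
        over += composed > exact
    return under, over
```

The two over-taints are the cases where a tainted select chooses between two untainted 1s: the composed logic flags the output, the reference does not, which is the precision loss the talk's whole-MUX shadow avoids.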

  23. All Executions: Track "Unknowns" • Known bits at security evaluation time: the software kernel, the hardware design • Unknown bits: external inputs, user processes • Verify the policy is upheld for all unknown bits • Use abstract interpretation to prove soundness. [Figure: an AND gate with one known input a and one unknown input *: the output is 0 when a = 0 and * when a = 1]

  24. GLIFT Verification Flow. [Figure: Digital Design, then 1. Abstraction gives the Abstract Design, then 2. Augmentation gives the Augmented Design. Test inputs become abstract inputs containing unknown bits (*), then labeled inputs carrying T/U labels; clock and state are carried through each stage; the output becomes an abstract output and then a labeled output. Information flow lattice: U above T. Specification of unknown bits.] • Concrete state must be enumerable, e.g. the scheduler loop.

  25. Outline of this talk • High Assurance Systems • Information flow security • Analysis Technique: Gate-Level Information Flow Tracking • Architecture: Execution Leases

  26. Implicit Information Flows. if (untrusted == 1) out = 1; tmp = 5. Conditional execution taints critical state (the PC). [Figure: a pipeline with PC, +4, jump target, an "is jump?" mux, Instr Mem, and a RegFile whose R1 and R2 are read through decode; out and tmp are the affected registers]

  27. Untrusted Code and Conditionals • Problem: critical CPU state becomes untrusted • Lease the CPU to programs for a fixed time with bounded memory access. Lease = Space-Time Sandbox. [Figure: a stack of nested leases drawn as boxes in the Memory x Time plane]

  28. Execution Lease Architecture. [Figure: a Lease Unit with a Timer and PC register; "timer expired?" selects "restore PC"; the PC mux chooses between +4, the jump target, and the old value; Instr Mem, Predicates, Reg File with R1/R2 through decode, and Data Memory with high/low bounds]

  29. Execution Lease Architecture. [Figure: same as slide 28]

  30. Execution Lease Architecture. Registers become untainted with trusted loads. [Figure: same as slide 28]

  31. Designing for GLIFT: 1. Trusted Reset. [Figure: the lease architecture of slide 28 with a PC Range in the Lease Unit; "timer expired?" drives "restore PC"]

  32. Designing for GLIFT: 2. Isolation. [Figure: a memory array whose word-line enable (WL EN) is gated by address comparators, Mem Bound Start <= ADDR <= Mem Bound End, before the decoder drives the bit lines (BL); in the example a tainted store address 0b10 is checked against the bounds 0b00 and 0b11]

  33. Designing for GLIFT: 2. Isolation. [Figure: the comparators replaced by an address bit-mask: a Mem Bound Range such as 0b1* enables the word line only when the masked bits of the store address match; in the example the tainted store address is 0b00]

  34. Designing for GLIFT: 3. Critical State. [Figure: the lease architecture of slide 28 with Timer and PC Range in the Lease Unit; "timer expired?" drives "restore PC"]

  35. Designing for GLIFT: 3. Critical State • Stack of Nested Timers • Timer values: bad; stack pointer: good • Huge effect on software: arbitrary timer values mean no encoding overhead; saving and restoring timers enables multi-level schedulers. [Figure: Lease Unit with Timer and PC Range; "timer expired?" drives "restore PC"]
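As an added example (not from the talk or the Execution Lease work itself): a toy CPU in Python whose lease unit enforces a PC range, a memory window and a cycle timer as in slides 27 to 33, so that untrusted code branching on its input cannot change when control returns or what the lessor's memory holds. The instruction set, holding the old PC on an out-of-range jump, and dropping out-of-window stores are my assumptions.

```python
def run_leased(program, lease, untrusted_input, mem):
    # Lease = fixed cycle budget, PC range and memory window (slide 27).
    pc_lo, pc_hi = lease["pc_range"]
    mem_lo, mem_hi = lease["mem_range"]
    regs = {"r0": untrusted_input, "r1": 0}   # r0 carries the untrusted input
    pc, timer = pc_lo, lease["cycles"]
    while timer > 0:
        timer -= 1
        if pc not in program:
            continue                            # no instruction: cycle still counts
        op, *args = program[pc]
        nxt = pc + 1
        if op == "set":
            regs[args[0]] = args[1]
        elif op == "store":                     # isolation (slides 32-33): the
            if mem_lo <= args[1] <= mem_hi:     # word line is only enabled inside
                mem[args[1]] = regs[args[0]]    # the leased window
        elif op == "beq" and regs[args[0]] == args[1]:
            nxt = args[2]                       # implicit flow: branch on untrusted r0
        elif op == "jmp":
            nxt = args[0]
        pc = nxt if pc_lo <= nxt <= pc_hi else pc   # out-of-range target: keep old PC
    return lease["return_pc"]                   # timer expired: lease unit restores PC

LEASE = {"cycles": 8, "pc_range": (10, 16), "mem_range": (2, 3), "return_pc": 100}
PROGRAM = {                      # constructed leased (untrusted) code
    10: ("beq", "r0", 1, 13),    # branch on the untrusted input
    11: ("set", "r1", 7),
    12: ("jmp", 14),
    13: ("set", "r1", 9),
    14: ("store", "r1", 2),      # allowed: address 2 is inside the leased window
    15: ("store", "r1", 0),      # dropped: address 0 belongs to the trusted lessor
    16: ("jmp", 100),            # attempt to leave the PC range early: ignored
}

def lease_experiment():
    # Run the leased code for both untrusted inputs and return what the trusted
    # lessor observes (return PC, its own memory) plus the leased word, which is
    # the only thing the untrusted input is allowed to change.
    results = []
    for inp in (0, 1):
        mem = {0: 42, 2: 0, 3: 0}   # constructed image: addr 0 trusted, 2-3 leased
        rpc = run_leased(PROGRAM, LEASE, inp, mem)
        results.append((rpc, mem[0], mem[2]))
    return results
```

Both runs hand control back at PC 100 after exactly 8 cycles with the trusted word untouched; only the leased word (7 versus 9) reflects the untrusted branch, which is the space-time sandbox property the lease architecture is built to give.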
