
A NOTE ON THE CONFINEMENT PROBLEM






Presentation Transcript


  1. A NOTE ON THE CONFINEMENT PROBLEM
     Butler Lampson, Xerox PARC

  2. IN BRIEF
     • The paper discusses
       • How a server program (service) can leak information about its clients to other programs
       • How we can prevent these leaks
     • Its main contribution is to make us realize the number of potential covert channels

  3. THE MODEL
     (diagram: Customer → Service, with the customer's data x)
     • A customer
       • has confidential data
       • does not trust the service processing its data
       • wants to prevent leaks

  4. SEVEN POSSIBLE LEAKS (I)
     • If the service has memory, it can collect data and keep them until its owner calls the service
     • The service can write data into a permanent file that can be read by its owner
     • The service can create a temporary file that can be read by its owner
     • The service can send a message to a process controlled by its owner

  5. SEVEN POSSIBLE LEAKS (II)
     • The service can encode some data in the bill it sends to the customer
       • its owner must have a copy of that bill
     • The service can play with locks controlling access to shared files
     • The service can modulate its demands on the system’s resources

  6. COUNTERMEASURES (I)
     • Process must be stateless from one invocation to the other
       • No static variables and no globals
     • Process must be confined
     • First sufficient rule: A confined program shall make no calls on any other program

  7. COUNTERMEASURES (II)
     • First rule is very restrictive
     • Transitivity rule: If a confined program calls on another program that is not trusted, the called program must also be confined

  8. COUNTERMEASURES (III)
     • We will assume that the untrustworthy service will run on top of a trustworthy supervisor
     • Trustworthy supervisor will block all possible channels that can be used to leak information
     • These channels include
       • storage
       • legitimate channels
       • covert channels

  9. COUNTERMEASURES (IV)
     • Leaks through storage are not hard to prevent
     • If another process wants to write into a file that is being read by the service, the supervisor will create a new copy of the file and let the service access that copy
     • The problem is how to identify all the kinds of storage accessed by the service

  10. COUNTERMEASURES (V)
     • Masking Principle: A program to be confined must allow its caller to determine all its inputs into legitimate and covert channels. The channels are said to be masked by the caller
     • Requires the bill to be computed by the customer, not by the service

  11. COUNTERMEASURES (VI)
     • Enforcement: The supervisor must ensure that a confined program’s input to a covert channel satisfies the specifications of the customer
     • May require slowing the program down and adding spurious requests
     • Much less costly to limit the bandwidth of the covert channels

  12. CONCLUSIONS
     • The confinement problem can be solved as long as we can trust the supervisor of the system
     • Total confinement can be costly
     • Much cheaper to limit the bandwidth of possible leaks
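Slides 11 and 12 describe the two supervisor options for a resource-demand channel: enforce the masking principle (defer excess demand, pad idle capacity with spurious requests, so the customer fixes the visible profile) or, more cheaply, coarsen the demand to limit the channel's bandwidth. The following Python model is an added example, not code from the paper or the slides; the tick/quota profile, the demand sequences and all function names are constructed for illustration.

```python
import math

def mask_profile(demands, quota, ticks):
    """Supervisor enforcement of the masking principle for one resource.

    demands: the confined service's real request per tick (constructed input)
    quota, ticks: the profile chosen by the CUSTOMER, not the service:
                  exactly `quota` units per tick for exactly `ticks` ticks.
    Excess demand is deferred (the program is slowed down); idle capacity is
    filled with spurious requests; demand still pending when the profile ends
    is refused, so the service cannot stretch the run to signal either.
    Returns (observable_profile, spurious_units, refused_units).
    """
    observable, backlog, spurious = [], 0, 0
    for t in range(ticks):
        if t < len(demands):
            backlog += demands[t]
        served = min(backlog, quota)
        backlog -= served
        spurious += quota - served        # padding the supervisor adds itself
        observable.append(served + (quota - served))   # always == quota
    refused = backlog + sum(demands[ticks:])
    return observable, spurious, refused

def limit_bandwidth(demands, step):
    """Cheaper option from the closing slide: do not hide the demand, just
    coarsen it to multiples of `step` so fewer levels per tick are visible."""
    return [math.ceil(d / step) * step for d in demands]

def channel_capacity_bits(max_demand, step):
    """Upper bound on bits per tick through the coarsened channel: the
    observer can distinguish ceil(max_demand/step)+1 levels (0 included)."""
    levels = math.ceil(max_demand / step) + 1
    return math.log2(levels)

def distinguishable(profile_a, profile_b):
    """Could an outside observer tell two runs of the service apart?"""
    return profile_a != profile_b

if __name__ == "__main__":
    # Two constructed service behaviours with different demand patterns.
    run_a = [3, 0, 3, 0, 3, 0]
    run_b = [1, 2, 1, 2, 1, 2]
    print("raw runs distinguishable:", distinguishable(run_a, run_b))
    masked_a, _, _ = mask_profile(run_a, quota=3, ticks=6)
    masked_b, _, _ = mask_profile(run_b, quota=3, ticks=6)
    print("masked runs distinguishable:", distinguishable(masked_a, masked_b))
    print("bits/tick at step 1 vs 3:",
          channel_capacity_bits(3, 1), channel_capacity_bits(3, 3))
```

Under masking the two runs produce identical observable profiles, while coarsening only shrinks the number of distinguishable levels per tick.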
