Design and Verification of Information Flow Secure Systems
PhD Defense
Mohit Tiwari, University of California, Santa Barbara

Committee
• Tim Sherwood (Chair), UC Santa Barbara
• Frederic T. Chong, UC Santa Barbara
• Tevfik Bultan, UC Santa Barbara
• Ben Hardekopf, UC Santa Barbara
• Ryan Kastner, UC San Diego
High Assurance Systems
[Figure: an aircraft with a Passenger Network and a Flight Control Network; Confidential Data next to an Open Network]
• Enforce policies on the final system implementation

High Assurance for All
• Sensitive data. Untrusted services.
• Confinement Problem [Lampson '73]
Non-Interference
[Figure: High and Low inputs enter the "system"; the High-to-Low path is marked with an X]
• Non-Interference: a change in a High input can never be observed or inferred from changes in the Low output. That is, High data should never leak to Low.
• Confidentiality-Integrity Duality: "High" is the more conservative label, either Secret or Tainted/Untrusted. Real-world systems need both Confidentiality and Integrity.
Example MLS System
Example Satellite Application [Tzvetan Metodi, Aerospace Corp.]
[Figure: primary execution schedule over execution time, with each process labelled Sensitive or Non-sensitive: Interrupt Handlers (Sensitive), Interrupt Handlers (Non-sensitive), Kernel and Diagnostics, Time Keeping, Crypto, Command/Telemetry Interface, I/O, Secret Mission, Unclassified. Note: since this is not a real schedule, the processes are not in any sensible execution order]

Example: Satellite System
• Untrusted & Secret: libraries (e.g. encryption) that operate on Secret data
• Trusted & Secret: custom code on Secret data
• Untrusted & Unclassified: diagnostics, telemetry interfaces
• Trusted & Unclassified: kernel, interrupt handlers (Unclassified), time keeping programs
But assurance is not cheap.
The Price of Assurance
• Evaluation Assurance Levels (EAL 1-7)
• Evaluation of process, not end artifact
• RedHat Linux: EAL 4+, $30-$40 per LOC
• Integrity RTOS: EAL 6+, $10,000 per LOC
… and increasing. Many approaches.

Traditional Information Flow Security
Layers, top to bottom:
• Applications
• Programming Language
• Compiler/OS
• Instruction Set
• Microarchitecture
• Functional Units
• Logic Gates
Prior work, from the language level down to the hardware:
• Volpano 96, Jif 99, Slam 98, FlowCaml 03
• HiStar 06, Flume 07, Laminar 09
• Taintcheck 04, LIFT 06, Dytan 07
• DIFT 04, Minos 04, LBA 06, Raksha 07
• Microarchitectural countermeasures: cache flush (Osvik et al. 2006), branch-predictor scrub (Aciicmez et al. 2007), execution normalization (Kocher 1996), cache randomization (Lee et al. 2005)
Closer look at IF analysis.
Information Flow Analysis
[Figure: a Memory shared by CPU A and CPU B]
• Information flows through Space: registers, memory, micro-architectural state etc.
• Information flows through Time: observable events such as PC, I/O channels etc.
Explicit flow:
    out = untrusted
Implicit flow:
    if (untrusted == 1) out1 = 1 else out2 = 0
How to account for all information flows in a system? How to construct practical systems that won't leak?

Outline of this talk
• High Assurance Systems
• Information flow security
• Analysis Technique: Gate-Level Information Flow Tracking
• Architecture: Execution Leases
Analysis: Track all flows
[Figure: a Secure System (separation kernel software over hardware: CPU, memory, I/O devices) and its Equivalent State Machine (state bits plus combinational logic, driven by a clock and external inputs, producing external outputs)]
• Flatten the design to a (giant) state machine
• Does every output have the desired label?
• Insight: all flows are explicit at the gate level
• Outputs: logic function of state and inputs
• Output labels: logic function of state, inputs, and labels
• Does not include physical side-channels: power draw, thermal fingerprint, EM radiation

Timing Channels
[Figure: CPU A and CPU B send Request A / Request B to a Memory Bus Arbiter, which answers with Grant A / Grant B]
… Will look at implicit flows in a few slides.
Analysis Technique: GLIFT
[Figure: an AND gate with inputs a, b and output o, paired with a Shadow AND that takes a, b and their labels a_t, b_t and produces the output label o_t]

Required: Precise Information Flow
• Conventional OR-ing of labels is monotonic: a label, once set, never clears
[Figure: a D flip-flop with clock and reset fed the input stream 010101…]

Precise Information Flow: AND Gate
[Truth tables: the AND gate o = a · b over inputs a, b, and the shadow table giving the output label o_t from the inputs a, b together with their labels]
• Use both inputs and input labels
Analysis Technique: GLIFT
[Figure: shadow logic composed gate by gate: each gate's inputs a, b and labels a_t, b_t feed a shadow gate that produces that gate's output label o_t]

Sound Composition of Shadow Logic
[Figure: a two-level circuit with select s and inputs a, b; the intermediate labels t1 and t2 feed the shadow logic that produces the final output label o_t]

MUX: gatekeeper of trust
[Figure: a 2:1 multiplexer with select s, inputs a and b, output o, and its shadow logic]
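The shadow-logic idea from the AND gate, composition and MUX slides above, worked through in Python as an added example (this is not the dissertation's code). Every wire carries one value bit and one label bit; a shadow function computes the output label from both. An exhaustive non-interference oracle then grades each shadow: the conventional OR of labels is sound but over-taints, the value-aware AND and MUX shadows are exact, and composing exact shadows gate by gate stays sound but can lose precision (a AND NOT a is constantly 0, yet inherits a's label). The AND and MUX shadow formulas are the standard GLIFT ones; the checker, the constant-0 circuit and all names are this example's own.

```python
from itertools import product

# Each wire carries a value bit and a label bit (1 = tainted / High).
# Gate functions take value bits; shadow functions take (values, labels).


def exact_taint(fn, vals, labels):
    """Ground-truth label of fn's output: 1 iff some assignment of the
    tainted inputs, with the untainted inputs held fixed, changes the
    output. This is the non-interference condition for one output bit."""
    base = fn(*vals)
    tainted = [i for i, lab in enumerate(labels) if lab]
    for alt in product((0, 1), repeat=len(tainted)):
        v = list(vals)
        for i, bit in zip(tainted, alt):
            v[i] = bit
        if fn(*v) != base:
            return 1
    return 0


def compare(fn, shadow, n_inputs):
    """Exhaustively grade a shadow function against exact_taint.
    Returns (unsound, over_tainted): flows the shadow misses, and outputs
    it taints although no tainted input can influence them."""
    unsound = over = 0
    for vals in product((0, 1), repeat=n_inputs):
        for labels in product((0, 1), repeat=n_inputs):
            truth = exact_taint(fn, vals, labels)
            got = shadow(vals, labels)
            unsound += int(truth and not got)
            over += int(got and not truth)
    return unsound, over


def and_gate(a, b):
    return a & b


def or_labels(vals, labels):
    """Conventional propagation: OR all input labels. Ignores the values,
    so taint only ever accumulates."""
    return int(any(labels))


def and_shadow(vals, labels):
    """Precise GLIFT shadow for AND, using inputs and labels. An untainted 0
    forces the output to 0 whatever the other input is, so that input's
    taint must not propagate."""
    (a, b), (at, bt) = vals, labels
    return (a & bt) | (b & at) | (at & bt)


def mux(s, a, b):
    return b if s else a


def mux_shadow(vals, labels):
    """Precise shadow for a 2:1 MUX, the gatekeeper of trust: an untainted
    select lets only the selected input's label through; a tainted select
    taints the output unless both data inputs are equal and untainted."""
    (s, a, b), (st, at, bt) = vals, labels
    if not st:
        return bt if s else at
    return at | bt | int(a != b)


def and_not_a(a):
    # o = a AND NOT a is the constant 0: nothing about a reaches o.
    return a & (1 - a)


def and_not_a_shadow(vals, labels):
    """Gate-by-gate composition: NOT passes the label through unchanged,
    then the precise AND shadow combines (a, at) with (NOT a, at).
    Sound, but imprecise for this circuit."""
    (a,), (at,) = vals, labels
    return and_shadow((a, 1 - a), (at, at))


if __name__ == "__main__":
    print("AND, OR-ed labels    :", compare(and_gate, or_labels, 2))
    print("AND, precise shadow  :", compare(and_gate, and_shadow, 2))
    print("MUX, OR-ed labels    :", compare(mux, or_labels, 3))
    print("MUX, precise shadow  :", compare(mux, mux_shadow, 3))
    print("a AND NOT a, composed:", compare(and_not_a, and_not_a_shadow, 1))
```

Each `compare` result reads (unsound, over-tainted): a first component of 0 is the soundness requirement, and the second component is what the "Required: Precise Information Flow" slide wants driven to 0. The same oracle can grade any n-input gate, and it doubles as a check that a hand-written shadow for a new cell is sound before it is composed into a larger design.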
All Executions: Track "Unknowns"
• Known bits at security evaluation time: software kernel, hardware design
• Unknown bits: external inputs, user processes
• Verify the policy is upheld for all unknown bits
• Use abstract interpretation to prove soundness
[Figure: abstract interpretation of an AND gate whose inputs may be unknown (*)]

GLIFT Verification Flow
[Figure: Digital Design --(1. Abstraction)--> Abstract Design --(2. Augmentation)--> Augmented Design. Test inputs to the digital design become abstract inputs (with unknown bits *) and then labeled inputs (values paired with labels T/U from the information flow lattice); state and outputs are treated the same way. Also shown: the information flow lattice and the specification of unknown bits]
• Concrete state must be enumerable. E.g. scheduler loop

Outline of this talk
• High Assurance Systems
• Information flow security
• Analysis Technique: Gate-Level Information Flow Tracking
• Architecture: Execution Leases
Implicit Information Flows
[Figure: a simple pipeline: PC, with +4 and the jump target selected by "is jump?"; instruction memory; register file with R1 and R2 through decode]
    if (untrusted == 1) out = 1
    tmp = 5
• Conditional execution taints critical state (PC)

Untrusted Code and Conditionals
• Lease the CPU to programs for a fixed time with bounded memory access
• Problem: critical CPU state becomes untrusted
Lease = Space-Time Sandbox
[Figure: a stack of nested leases drawn over memory (space) and time]
Execution Lease Architecture
[Figure: a Lease Unit holding a Timer and the saved PC; "timer expired?" selects between the normal next PC (+4 or jump target) and "restore PC" (the old value); instruction memory, predicates, register file (R1, R2 through decode) and data memory with high/low bounds]
• Registers become untainted with trusted loads
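A simplified model of an execution lease, as an added example that is not the dissertation's hardware or code. A lease fixes a cycle budget, a PC range and a store range, and the lease unit restores the saved PC when the timer expires. The three-instruction ISA, the two constructed programs and every name here are this example's own assumptions; the model shows that fetches and stores outside the lease's ranges are dropped, that control returns to the saved PC at a fixed cycle whether or not the untrusted code loops forever, and that a load issued by trusted code afterwards makes the register trusted again.

```python
from dataclasses import dataclass, field


@dataclass
class Lease:
    """A space-time sandbox. Untrusted code gets the CPU for `cycles` cycles,
    may fetch only from [pc_lo, pc_hi] and store only to [mem_lo, mem_hi].
    Trusted code records `restore_pc` before handing over the CPU."""
    cycles: int
    pc_lo: int
    pc_hi: int
    mem_lo: int
    mem_hi: int
    restore_pc: int


@dataclass
class Machine:
    mem: list
    pc: int = 0
    acc: int = 0
    acc_tainted: bool = False
    leases: list = field(default_factory=list)   # stack of nested leases
    blocked_stores: int = 0
    blocked_fetches: int = 0
    cycles_used: int = 0

    def lease(self):
        return self.leases[-1] if self.leases else None

    def step(self, program):
        """Execute one instruction. `program` is a list of (op, arg) tuples:
        li n (acc = n), st addr (mem[addr] = acc), j target (pc = target)."""
        self.cycles_used += 1
        lease = self.lease()
        if lease and not (lease.pc_lo <= self.pc <= lease.pc_hi):
            self.blocked_fetches += 1      # fetch outside the lease: nop
            return
        op, arg = program[self.pc]
        self.pc += 1
        if op == "li":
            self.acc = arg
            # A value produced under a lease is untrusted; a load issued by
            # trusted code (no lease active) makes the register trusted again.
            self.acc_tainted = lease is not None
        elif op == "st":
            if lease is None or lease.mem_lo <= arg <= lease.mem_hi:
                self.mem[arg] = self.acc
            else:
                self.blocked_stores += 1   # store outside the range: dropped
        elif op == "j":
            self.pc = arg


def run_lease(m, program, lease):
    """Hand the CPU to `program` under `lease`. When the timer expires the PC
    is restored from the lease unit, so where the untrusted code jumped, or
    whether it terminated at all, never influences control flow afterwards."""
    m.leases.append(lease)
    for _ in range(lease.cycles):
        m.step(program)
    m.leases.pop()
    m.pc = lease.restore_pc


# Constructed programs: addresses 0-3 hold untrusted code, addresses 4-5 hold
# the trusted code that runs after the lease. PROGRAM loops forever, storing
# inside and outside its range; ESCAPE jumps straight at the trusted code.
PROGRAM = [("li", 7), ("st", 2), ("st", 9), ("j", 0),
           ("li", 1), ("st", 5)]
ESCAPE = [("li", 7), ("j", 4), ("j", 0), ("j", 0),
          ("li", 1), ("st", 5)]


def demo(program):
    """Run the untrusted part under a 10-cycle lease, then two trusted steps.
    Returns the machine and whether the register was tainted at expiry."""
    m = Machine(mem=[0] * 16)
    lease = Lease(cycles=10, pc_lo=0, pc_hi=3, mem_lo=0, mem_hi=3, restore_pc=4)
    run_lease(m, program, lease)
    tainted_at_expiry = m.acc_tainted
    m.step(program)    # trusted: li 1 (untaints acc)
    m.step(program)    # trusted: st 5 (allowed, no lease active)
    return m, tainted_at_expiry


if __name__ == "__main__":
    for prog in (PROGRAM, ESCAPE):
        m, t = demo(prog)
        print(m.pc, m.cycles_used, m.blocked_stores, m.blocked_fetches, t, m.mem[:10])
```

Both runs end with the PC at the trusted code after exactly the leased number of cycles, which is the property the lease unit provides in hardware: the timer, not the untrusted program, decides when control returns. The `pc_lo`/`pc_hi` bound stands in for the "PC Range" of the lease unit, and the store bound for the high/low limits on data memory.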
Designing for GLIFT: 1. Trusted Reset
[Figure: the Lease Unit (Timer, PC Range) and the pipeline as before; "timer expired?" restores the PC]

Designing for GLIFT: 2. Isolation
[Figure: a tainted store address enters the memory decoder. First design: address comparators check >= Mem Bound Start and <= Mem Bound End before the word-line enable (WL EN). Second design: an address bit-mask (e.g. 0b1*) with a range value selects the allowed block instead of comparators]
Designing for GLIFT: 3. Critical State
[Figure: the Lease Unit (Timer, PC Range) and the pipeline as before; "timer expired?" restores the PC]
• Stack of nested timers
• Timer values: bad. Stack pointer: good
• Huge effect on software
• Arbitrary timer values => no encoding overhead
• Save and restore timers => multi-level schedulers