information flow control for standard os abstractions l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Information Flow Control For Standard OS Abstractions PowerPoint Presentation
Download Presentation
Information Flow Control For Standard OS Abstractions

Loading in 2 Seconds...

play fullscreen
1 / 49

Information Flow Control For Standard OS Abstractions - PowerPoint PPT Presentation


  • 269 Views
  • Uploaded on

Information Flow Control For Standard OS Abstractions. Max Krohn , Alex Yip, Micah Brodsky, Natan Cliffer , Frans Kaashoek , Eddie Kohler, Robert Morris. Vulnerabilities in Websites  Exploits. Web software is buggy Attackers find and exploit these bugs Data is stolen / Corrupted

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Information Flow Control For Standard OS Abstractions' - paul


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
information flow control for standard os abstractions

Information Flow Control For Standard OS Abstractions

Max Krohn, Alex Yip, Micah Brodsky, NatanCliffer, FransKaashoek, Eddie Kohler, Robert Morris

vulnerabilities in websites exploits
Vulnerabilities in Websites  Exploits
  • Web software is buggy
  • Attackers find and exploit these bugs
  • Data is stolen / Corrupted
    • “USAJobs.gov hit by Monster.com attack, 146,000 people affected”
    • “UN Website is Defaced via SQL Injection”
    • “Payroll Site Closes on Security Worries”
    • “Hacker Accesses Thousands of Personal Data Files at CSU Chico”
    • “FTC Investigates PETCO.com Security Hole”
    • “Major Breach of UCLA’s Computer Files”
    • “Restructured Text Include Directive Does Not Respect ACLs”
decentralized information flow control difc
Decentralized Information Flow Control (DIFC)

CEO

“I am the CEO.

My PW is 123”

Layoff Plans

P

Web App

Web App

GET /LayoffPlans

“OK”

Declassifier

Free TShirts

Intern

decentralized information flow control difc4
Decentralized Information Flow Control (DIFC)

CEO

Layoff Plans

Web App

Web App

Declassifier

/tmpFile

Free TShirts

GET ^@^$^$#

GET /LayoffPlans

Helper Process

Intern

who needs to understand difc
Who Needs to Understand DIFC?

CEO

Layoff Plans

Web App

Web App

Declassifier

/tmpFile

Free TShirts

Helper Process

Intern

why is today s difc dif fi c ult
Why is Today’s DIFC DIFfiCult?
  • Label systems are complex
  • Unexpected program behavior
  • Cannot reuse existing code
    • Drivers, SMP support, standard libraries
unexpected program behavior unreliable communication
Unexpected Program Behavior (Unreliable Communication)

Process p

Process q

P

“Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…”

“I stopped reading”

“I crashed”

solution outline
Solution/Outline
  • Flume: Solves DIFC Problems
    • User-level implementation of DIFC on Linux
    • Simple label system
    • Endpoints: Glue Between Unix API and Labels
  • Application + Evaluation
    • Real Web software secured by Flume
outline
Outline
  • Flume: Solves DIFC Problems
    • User-level implementation of DIFC on Linux
    • Simple label system
    • Endpoints: Glue Between Unix API and Labels
  • Application + Evaluation
flume implementation
Flume Implementation
  • Goal: User-level implementation
    • apt-get install flume
  • Approach:
    • System Call Delegation [Ostia by Garfinkel et al, 2003]
    • Use Linux 2.6 (or OpenBSD 3.9)
system call delegation
System Call Delegation

open(“/hr/LayoffPlans”, O_RDONLY);

Web App

glibc

Linux Kernel

Layoff Plans

system call delegation14
System Call Delegation

open(“/hr/LayoffPlans”, O_RDONLY);

Web App

Web App

Flume Reference Monitor

Flume Libc

Linux Kernel

Layoff Plans

three classes of processes
Three Classes of Processes

Flume-Oblivious

Unconfined/

Mediators

Confined

Flume Reference Monitor

Flume Reference Monitor

Flume Reference Monitor

Process p

Process p

Process p

Linux Kernel

Linux Kernel

Linux Kernel

outline16
Outline
  • Flume: Solves DIFC Problems
    • User-level implementation of DIFC on Linux
    • Simple label system
    • Endpoints: Glue Between Unix API and Labels
  • Application + Evaluation
information flow control ifc
Information Flow Control (IFC)
  • Goal: track which secrets a process has seen
  • Mechanism: each process gets a secrecylabel
    • Label summarizes which categories of data a process is assumed to have seen.
    • Examples:
      • { “Financial Reports” }
      • { “HR Documents” }
      • { “Financial Reports” and “HR Documents” }

“tag”

“label”

tags labels
Tags + Labels

change_label({Finance});

Process p

tag_t HR = create_tag();

change_label({});

Any process can add any tag to its label.

change_label({Finance,HR});

Sp = { Finance, HR }

Sp = { Finance }

Sp = {}

DIFC Rule: A process can create a new tag; gets ability to declassify it.

change_label({Finance});

Dp = {}

Dp = { HR }

Same as Step 1.

DIFC: Declassification in action.

Finance

HR

Legal

Universe of Tags:

SecretProjects

communication rule
Communication Rule

P

Process p

Process q

Sp = {HR}

Sq = {HR, Finance}

p can send to qiffSpÍ Sq

outline20
Outline
  • Flume: Solves DIFC Problems
    • User-level implementation of DIFC on Linux
    • Simple label system
    • Endpoints: Glue Between Unix API and Labels
  • Application + Evaluation
recall communication problem
Recall: Communication Problem

Process p

Process q

stdout

stdin

Sp = {}

Dp = { HR }

Sq = {HR}

P

“Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…”

?

“SLOW DOWN!!”

“I crashed”

new abstraction endpoints
New Abstraction: Endpoints

Process p

Process q

e

f

Se = { HR }

Sf = { HR }

Sp = {}

Dp = { HR }

Sq = {HR}

P

  • If SeÍ Sf, then allow e to send to f
  • If SfÍ Se, then allow f to send to e
  • If Sf = Se , then allow bidirectional flow

“Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…”

P

“SLOW DOWN!!”

“I crashed”

endpoints declassify data
Endpoints Declassify Data

Data enters process p with secrecy { HR }

But p keeps its label Sp = {}

Process p

e

Se = { HR }

Sp = {}

Dp = { HR }

Thus p needs

HRÎDp

endpoint invariant
Endpoint Invariant

Writing

  • For any tag tÎSp and tÏ Se
  • Or any tag tÎSe and t Ï Sp
  • It must be that tÎDp

Reading

Process p

e

Se = { HR }

Sp = { Finance }

Dp = { Finance, HR}

endpoints labels are independent
Endpoints Labels Are Independent

g

Sg = {}

Process p

Process q

e

f

Se = { HR }

Sf = { HR }

Sp = {}

Dp = { HR }

Sq = {HR}

recall mysterious failures
Recall: Mysterious Failures

File

Process q

Process p

endpoints reveal errors eagerly
Endpoints Reveal Errors Eagerly

Process p

/tmp/public.dat

Dp = {}

e

Se = {}

Sp = {}

Spublic.dat = {}

?

Sp = { HR }

Process q

Violates endpoint invariant!

Sp – Se = { HR} Í Dp

Sq = { HR }

  • open(“/tmp/public.dat”, O_WRONLY);
  • change_label({HR})
endpoints reveal errors eagerly28
Endpoints Reveal Errors Eagerly

Process p

/tmp/public.dat

Dp = {}

e

Se = {}

Sp = {}

Spublic.dat = {}

Sp = { HR }

Process q

Sq = { HR }

  • fd = open(“/tmp/public.dat”, O_WRONLY);
  • close(fd);
  • change_label({HR})
outline29
Outline
  • Flume: Solves DIFC Problems
  • Application + Evaluation
questions for evaluation
Questions for Evaluation
  • Does Flume allow adoption of Unix software?
  • Does Flume solve security vulnerabilities?
  • Does Flume perform reasonably?
how problems arise
How Problems Arise…

if not self.request.user.may.read(pagename):

return self.notAllowedFault()

x43

LayoffPlans

MoinMoin

Wiki

(100 kLOC)

FreeTShirts

moinmoin difc
MoinMoin + DIFC

LayoffPlans

Apache

Web Server

MoinMoin

Wiki

(100 kLOC)

Declassifier

1 kLOC

FreeTShirts

Trusted

Untrusted

flumewiki
FlumeWiki

Flume-Oblivious

unconfined

confined

reliable IPC

Web Client

GET /LayoffPlans?user=Intern&PW=abcd

LayoffPlans

S={ HR }

Apache

Declassifier

1 kLOC

MoinMoin

(100 kLOC)

FreeTShirts

S={}

file I/O

future work
Future Work

Web Client

GET /LayoffPlans?user=Intern&PW=abcd

LayoffPlans

Totally

Suspect

Software

S={ HR }

Apache

Declassifier

1 kLOC

FreeTShirts

S={}

results
Results
  • Does Flume allow adoption of Unix software?
    • 1,000 LOC launcher/declassifier
    • 1,000 out of 100,000 LOC in MoinMoin changed
    • Python interpreter, Apache, unchanged
  • Does Flume solve security vulnerabilities?
    • Without our knowing, we inherited two ACL bypass bugs from MoinMoin
    • Both are not exploitable in Flume’s MoinMoin
  • Does Flume perform reasonably?
    • Performs within a factor of 2 of the original on read and write benchmarks
most related work
Most Related Work
  • Asbestos, HiStar: New DIFC OSes
  • Jif: DIFC at the language level
  • Ostia, Plash: Implementation techniques
  • Classical MAC literature (Bell-LaPadula, Biba, Orange Book MAC, Lattice Model, etc.)
limitations
Limitations
  • Bigger TCB than HiStar / Asbestos
    • Linux stack (Kernel + glibc + linker)
    • Reference monitor (~22 kLOC)
  • Covert channels via disk quotas
  • Confined processes like MoinMoin don’t get full POSIX API.
    • spawn() instead of fork()&exec()
    • flume_pipe() instead of pipe()
summary
Summary
  • DIFC is a challenge to Programmers
  • Flume: DIFC in User-Level
    • Preserves legacy software
    • Complements today’s programming techniques
  • MoinMoin Wiki: Flume works as promised
  • Invite you to play around:

http://flume.csail.mit.edu

thanks

Thanks!

To: ITRI, Nokia, NSF and You

reasons to read the paper
Reasons to Read the Paper
  • Generalized security properties
    • Including: Novel integrity policies
  • Support for very large labels
  • Support for clusters of Flume Machines
flume s rule is fast
Flume’s Rule is Fast
  • Recall:

p can send to qiff: Sp – DpÍ SqÈDq

  • To Compute:
    • for each tag tÎSp:
      • IftÏSqandt Ï Dpandt Ï Dq:
        • output “NO”
    • output “OK”
  • Runs in time proportional to size of Sp.
  • No need to enumerate Dp or Dq !!!
flume communication rule
Flume Communication Rule

P

?

?

Database (q)

  • q changes to Sq = { Alice }
  • p sends to q
  • q changes back to Sq= {}

MoinMoin (p)

MoinMoin (r)

Sr = { Bob }

Sp = { Alice }

Sq = {}

Dq = { Alice, Bob }

Sq = { Alice }

Dq = { Alice, Bob }

SpÍ Sq

flume communication rule44
Flume Communication Rule

P

P

Database (q)

  • p can send to q iff:
    • In IFC: SpÍ Sq
    • In Flume: Sp – DpÍ SqÈ Dq

MoinMoin (p)

MoinMoin (r)

Sr = { Bob }

Sp = { Alice }

Sq = {}

Dq= { Alice, Bob }

Senders get extra latitude

Receivers get extra latitude

flume kernel module
Flume Kernel Module

open(“/alice/inbox.dat”, O_RDONLY);

Web App

Flume Reference Monitor

mov $0x5, %eax

int $0x80

open(…)

P

Flume Libc

Flume Kernel Module

Linux Kernel

Alice’s Data

reference monitor proxies pipes
Reference Monitor Proxies Pipes

write(0, “some data”, 10);

Flume Reference Monitor

Web App

Helper Process

Linux Kernel

unconfined processes
Unconfined Processes

“Unconfined processes get e ^endpoint.”

stderr

e ^

getpwent

TCP Socket

Se^ = {}

/tmp/public.dat

sendmail

DIFC

kill

P

mmap’ed memory

P

Spublic.dat = {}

ioctl

fork’ed

child

sigcatch

  • change_label({HR})

Process q

Dp = { HR }

Dp = {}

Sp = {}

Sp = { HR }

Sq = { HR }

endpoints reveal errors eagerly48
Endpoints Reveal Errors Eagerly

Process p

/tmp/public.dat

Dp = {HR}

e

Se = {}

P

Sp = {}

Spublic.dat = {}

Sp = { HR }

Process q

Sq = { HR }

P

  • open(“/tmp/public.dat”, O_WRONLY);
  • change_label({HR})
why do we need s p
Why Do We Need Sp?

Process p

e

Se = { Finance, HR }

Sp = { Finance }

Dp = { HR}