
Noninterference for a Practical DIFC-Based OS

Presentation Transcript


  1. Noninterference for a Practical DIFC-Based OS. Maxwell Krohn (CMU) & Eran Tromer (MIT)

  2. DIFC: A TCB-Minimization Technique
  Diagram labels: Alice’s Data, Bob’s Data, P, DB, Gateway; Alice’s Data flows through P and the Gateway.
  1. Data tracking
  2. Isolated declassification

  3. Language vs. OS
  • Language-based DIFC (JIF & others)
    • Compile-time tracking for Java, Haskell
    • Provable security
  • OS-based DIFC (Asbestos, HiStar, Flume)
    • Run-time tracking enforced by a trusted kernel
    • Works with any language, compiled or scripting, closed or open
    • “Just trust us”

  4. Contribution • Proof of security for a DIFC-based OS.

  5. What is a DIFC OS?
  Diagram labels: processes p, q, d inside the KERNEL; Alice’s Data; Sp = {a}, Sd = {}, Sq = {} becoming Sq = {a} once Alice’s Data reaches q.

  6. Our Question:
  • What interface should the kernel expose to applications?
  • Easier question than “is my OS implementation secure”
  • More general: applies to traditional OSes as well as “cloud” platforms.
  • Easy to get it wrong! (i.e., you shouldn’t have been trusting us)

  7. Approach 1: “Floating Labels” [IX, Asbestos]
  Diagram labels: processes p, q inside the KERNEL; Sp = {a}; Sq = {} floats up to Sq = {a} when p sends to q.

  8. Floaters Leak Data
  Diagram labels: attacker; Leak file; Alice’s Data; files b0, b1, b2, b3, each shown with S = {} before and S = {a} after a write from the labeled process; bit strings 1001 0000 1001 (the secret bits, read off from which files floated to S = {a}).

  9. Approach 2: “Set Your Own” [HiStar/Flume]
  Diagram labels: processes p, q inside the KERNEL; p: Sp = {a}, Op = {a-,a+}; q: Sq = {}, Oq = {a+} becoming Sq = {a}, Oq = {a+} after q raises its own label.
  Rule: Sp ⊆ Sq is a necessary precondition for send.

  10. Review
  • Two OS interface ideas: “floating” and “set-your-own”
  • The latter feels more secure
  • Is it secure in general?
  • How to prove it?

  11. How To Prove
  • Property: Noninterference
  • Process Algebra model for a DIFC OS
  • Communicating Sequential Processes (CSP)
  • Proof that the model fits the definition

  12. Noninterference [Goguen & Meseguer ’82]
  Experiment #1: p with Sp = {a} (“HIGH”) and q with Sq = {} (“LOW”).
  Experiment #2: p’ with Sp’ = {a} and the same q with Sq = {}.
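To make slides 7 to 12 concrete, here is an added toy model (not code from the talk, nor from Flume, HiStar or Asbestos) of the two kernel interfaces, driven by the two-experiment noninterference check. Labels are sets of tags; ownership sets hold capabilities written "t+" (may add t to one's own label) and "t-" (may remove it). The process names, the write/change_label/getlabel calls and the bit-string scenario are constructed for the example.

```python
# Added example (not from the talk or any DIFC OS code base): a toy model of the
# "floating labels" and "set your own" kernel interfaces, checked for noninterference
# by running the same system twice with different HIGH secrets and comparing what LOW sees.
from typing import Dict, FrozenSet, List, Tuple

Label = FrozenSet[str]


class ToyKernel:
    """Constructed kernel state: a secrecy label S and an ownership set O per process."""

    def __init__(self, floating: bool) -> None:
        self.floating = floating          # True: floating labels; False: set your own
        self.S: Dict[str, Label] = {}
        self.O: Dict[str, Label] = {}
        self.inbox: Dict[str, List[str]] = {}

    def spawn(self, pid: str, S=(), O=()) -> None:
        self.S[pid], self.O[pid], self.inbox[pid] = frozenset(S), frozenset(O), []

    def getlabel(self, pid: str) -> Label:
        return self.S[pid]

    def change_label(self, pid: str, new: Label) -> str:
        """Set-your-own rule (slides 9 and 16): adding tag t needs t+, dropping t needs t-."""
        new = frozenset(new)
        for t in new - self.S[pid]:
            if t + "+" not in self.O[pid]:
                return "EPERM"
        for t in self.S[pid] - new:
            if t + "-" not in self.O[pid]:
                return "EPERM"
        self.S[pid] = new
        return "OK"

    def write(self, src: str, dst: str, msg: str) -> str:
        """Send rule Sp ⊆ Sq. A floating kernel raises Sq to make the send legal;
        a set-your-own kernel treats the rule as a precondition and refuses otherwise."""
        if self.S[src] <= self.S[dst]:
            self.inbox[dst].append(msg)
            return "OK"
        if self.floating:
            self.S[dst] = self.S[dst] | self.S[src]   # the receiver's label floats up
            self.inbox[dst].append(msg)
            return "OK"
        return "EPERM"


def low_observations(floating: bool, secret_bits: str) -> Tuple[Label, ...]:
    """Slide 8 scenario: HIGH process p (Sp = {a}) writes to file-like process b_i exactly
    when secret bit i is 1; the LOW attacker (S = {}) then calls getlabel on every b_i."""
    k = ToyKernel(floating)
    k.spawn("p", S={"a"}, O={"a+"})
    k.spawn("attacker")
    files = [f"b{i}" for i in range(len(secret_bits))]
    for f in files:
        k.spawn(f)
    for f, bit in zip(files, secret_bits):
        if bit == "1":
            k.write("p", f, "x")   # EPERM under set-your-own, accepted under floating
    return tuple(k.getlabel(f) for f in files)   # everything LOW can observe


def interferes(floating: bool) -> bool:
    """Goguen-Meseguer style check (slide 12): two runs with different HIGH secrets;
    the interface interferes iff LOW's observations differ between the runs."""
    return low_observations(floating, "1001") != low_observations(floating, "0000")


def set_your_own_trace() -> List[str]:
    """Slide 9 walk-through: q owns a+, raises itself to {a}, can then receive from p,
    but (lacking a-) can neither write to a LOW process nor lower itself again."""
    k = ToyKernel(floating=False)
    k.spawn("p", S={"a"}, O={"a-", "a+"})
    k.spawn("q", O={"a+"})
    k.spawn("low")
    return [
        k.write("p", "q", "hello"),              # EPERM: {a} is not a subset of {}
        k.change_label("q", frozenset({"a"})),   # OK: q owns a+
        k.write("p", "q", "hello"),              # OK: {a} ⊆ {a}
        k.write("q", "low", "hello"),            # EPERM: no downward flow
        k.change_label("q", frozenset()),        # EPERM: q does not own a-
    ]


if __name__ == "__main__":
    print("floating labels interfere:", interferes(True))    # True
    print("set-your-own interferes:  ", interferes(False))   # False
    print("set-your-own trace:", set_your_own_trace())
```

The point the model makes is the one the slides make: with floating labels the kernel's own bookkeeping (the receiver's label) becomes a LOW-observable value that depends on HIGH's behaviour, so the two runs are distinguishable; with the precondition enforced, the rejected sends leave no trace LOW can see, and the two runs coincide.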

  13. CSP Model
  Diagram labels: Userland: Up, Uq; System call interface; Kernel: p:K, q:K, IPC Channel, Label Manager, Process ID Manager.

  14. System Calls
  • IPC: read, write, select
  • Process management: fork, exit, getpid
  • DIFC: create tag, change label, fetch label, send capabilities, receive capabilities

  15. Example: read/write
  Diagram labels: Up with Sp = {a}, Op = {a+}; Uq with Sq = {}, Oq = {}; kernel state p:K{a},{a+} and q:K{},{}.
  Events: (write,p,“hello”), (read,q,“hello”), (“hello”).

  16. Example: create/grant/change
  Diagram labels: Up goes from Sp = {}, Op = {} to Sp = {}, Op = {t-,t+}; Uq goes from Sq = {}, Oq = {} to Sq = {}, Oq = {t+} and then to Sq = {t}, Oq = {t+}.
  Events: (create), (create,t), (grant,q,t+), (grant,t+), (change,{t}).
  Kernel state: p:K{},{} → p:K{},{t-,t+}; q:K{},{} → q:K{},{t+} → q:K{t},{t+}.

  17. How The Proof Works
  • Consider any possible system (with arbitrary user applications)
  • Induction over all possible sequences of moves a system can make (i.e., traces)
  • At each step, case-by-case analysis of all system calls in the interface.
  • Prove no “interference”

  18. What Interference Looks Like
  Diagram labels: two timelines, each with a LOW and a HIGH process. HIGH branches: CALL: float_write in Timeline 1, NOOP in Timeline 2. LOW's CALL: getlabel returns RET: {a} in Timeline 1 and RET: {} in Timeline 2.

  19. An Example Complication
  Diagram labels: Up (HIGH) and Uq (LOW) both issue (create,t) to the Label Manager; Retire t.
  Solution: modify tag allocation scheme to partition candidate tags.

  20. Many Details Elided
  • Why tag sequence cannot be predictable
  • How to identify messages as “high” or “low”
  • Tweaks to accepted definitions of noninterference
  • How to deal with input and output to declassifiers
  • Process forking / exit
  • System startup

  21. Open Questions
  • SMP, multicore and parallelism
  • Machine checkable proof (in FDR, etc)
  • Modelling hardware and hardware covert channels

  22. Related Work
  • Hoare (CSP), Roscoe (CCS)
  • Goguen and Meseguer (noninterference)
  • Ryan and Schneider (CSP + noninterference + process equivalence)
  • Zheng and Myers (JIF + noninterference)
  • Bossi, Piazza, Rossi (noninterference + downgrading)

  23. Conclusions
  • DIFC OS Interface Design: can get it wrong
  • Floaters vs. “set-your-own”
  • Provably secure model for DIFC OS is possible
  • Model kernel state machine, not user processes

  24. </talk>

  25. (Sidebar: Declassification)
  Diagram labels: processes p, q inside the KERNEL; q: Sq = {a}, Oq = {a+}; p: Sp = {a}, Op = {a-,a+} becoming Sp = {}, Op = {a-,a+} after p declassifies with a-.

  26. DIFC vs. Traditional MAC

  27. Complication 1: Is this Interference?
  Diagram labels: Up with Sp = {a}, Op = {a-}; Uq with Sq = {}, Oq = {}; kernel state p:K{a},{a-} and q:K{},{}.
  Events: ({a},{a-},write,p,“hello”), ({},{},read,q,“hello”), ({},{},p,“hello”).
  Answer: NO!

  28. Complication 2: Is this Interference?
  Diagram labels: Up with Sp = {a}, Op = {}; Uq with Sq = {}, Oq = {a-}; kernel state p:K{a},{} and q:K{},{a-}.
  Events: ({a},{},write,p,“hello”), ({},{a-},read,q,“hello”), ({},{},p,“hello”).
  Answer: NO!

  29. Modified Definition of Interference
  Levels: HI: ({a},{},syscall); MID: ({},{a-},syscall); LOW: ({},{},syscall).

  30. Interesting Case (2)
  Diagram labels: Up issues (create,t) then (change,{t}) to the Label Manager; kernel state p:K{a},{} → p:K{a},{t-}; Uq with q:K{},{}; Globals = {t+}.
  Solution: make tag allocations unpredictable!
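Slides 19 and 30 both concern the tag allocator as a channel: if tag names come from one shared counter, the tag LOW receives from its own create call reveals how many tags HIGH created. The added example below (not the talk's model, nor any OS code) contrasts that scheme with the partitioning fix of slide 19, using the same two-run comparison as the noninterference definition; the class and function names are constructed, and the unpredictability requirement of slide 30 is noted but not modelled beyond a comment.

```python
# Added example (not from the talk): tag allocation as a covert channel between
# label levels, and the partitioned allocator that closes it.  A label is a set of tags;
# the creator's label decides which partition its new tag is drawn from.
from typing import Hashable, Set, Type


class SequentialAllocator:
    """Constructed: one global counter shared by every creator (the problematic scheme)."""

    def __init__(self) -> None:
        self.next_tag = 0

    def create(self, creator_label: Set[str]) -> Hashable:
        t = self.next_tag
        self.next_tag += 1
        return t


class PartitionedAllocator:
    """Constructed: a counter per creator label, so the value handed to one level never
    depends on how many tags another level has created.  Tags are (label, n) pairs, which
    keeps them unique across partitions.  (Slide 30 additionally asks for unpredictable
    values; a real allocator would randomise n within the partition, which is not shown.)"""

    def __init__(self) -> None:
        self.counters = {}

    def create(self, creator_label: Set[str]) -> Hashable:
        key = frozenset(creator_label)
        n = self.counters.get(key, 0)
        self.counters[key] = n + 1
        return (tuple(sorted(key)), n)


def low_view(alloc_cls: Type, high_creates: int) -> Hashable:
    """HIGH (label {a}) creates `high_creates` tags, then LOW (label {}) creates one tag;
    the returned value is everything LOW learns from the allocator."""
    alloc = alloc_cls()
    for _ in range(high_creates):
        alloc.create({"a"})
    return alloc.create(set())


def allocator_interferes(alloc_cls: Type) -> bool:
    """Two runs differing only in HIGH's behaviour; interference iff LOW's view differs."""
    return low_view(alloc_cls, 0) != low_view(alloc_cls, 3)


if __name__ == "__main__":
    print("sequential allocator interferes:", allocator_interferes(SequentialAllocator))
    print("partitioned allocator interferes:", allocator_interferes(PartitionedAllocator))
```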

  31. DIFC Labels
  Diagram labels: processes p, q inside the KERNEL; Alice’s Data; Sp = {a}; Sq = {} becoming Sq = {a}.
  We want:
  • Globally: If p knows Alice’s secret, then a ∈ Sp
  • Stepwise: No later than p → q completing, Sp ⊆ Sq