Information Flow Control For Standard OS Abstractions (PowerPoint presentation transcript, 49 slides)

Transcript and Presenter's Notes

1
Information Flow Control For Standard OS
Abstractions
  • Max Krohn, Alex Yip, Micah Brodsky, Natan
    Cliffer, Frans Kaashoek, Eddie Kohler, Robert
    Morris

2
Vulnerabilities in Websites → Exploits
  • Web software is buggy
  • Attackers find and exploit these bugs
  • Data is stolen / corrupted
  • USAJobs.gov hit by Monster.com attack, 146,000
    people affected
  • UN Website is Defaced via SQL Injection
  • Payroll Site Closes on Security Worries
  • Hacker Accesses Thousands of Personal Data Files
    at CSU Chico
  • FTC Investigates PETCO.com Security Hole
  • Major Breach of UCLA's Computer Files
  • Restructured Text Include Directive Does Not
    Respect ACLs

3
Decentralized Information Flow Control (DIFC)
[Diagram: the CEO ("I am the CEO. My PW is 123") stores Layoff Plans in the Web App; the Intern stores Free TShirts there. The Intern's request GET /LayoffPlans is answered OK (✓) only by way of the Declassifier.]
4
Decentralized Information Flow Control (DIFC)
[Diagram: as on slide 3, but the Web App now also writes a /tmp File and uses a Helper Process; the Intern's GET /LayoffPlans still has to pass through the Declassifier.]
5
Why is DIFC a cult?
U.S.S. DIFC
6
Who Needs to Understand DIFC?
[Diagram: the same picture as slide 4: CEO, Layoff Plans, two Web App instances, Declassifier, Free TShirts, /tmp File, Helper Process, Intern.]
7
Why is Today's DIFC DIFfiCult?
  • Label systems are complex
  • Unexpected program behavior
  • Cannot reuse existing code
  • Drivers, SMP support, standard libraries

8
Unexpected Program Behavior (Unreliable
Communication)
[Diagram: Process q sends "Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya" to Process p (✓ allowed); p's reply "I stopped reading" / "I crashed" does not reach q.]
9
Unexpected Program Behavior (Mysterious Failures)
[Diagram: a File shared between Process p and Process q.]
10
Solution/Outline
  • Flume Solves DIFC Problems
  • User-level implementation of DIFC on Linux
  • Simple label system
  • Endpoints: Glue Between Unix API and Labels
  • Application Evaluation
  • Real Web software secured by Flume

11
Outline
  • Flume Solves DIFC Problems
  • User-level implementation of DIFC on Linux
  • Simple label system
  • Endpoints: Glue Between Unix API and Labels
  • Application Evaluation

12
Flume Implementation
  • Goal: User-level implementation
  • apt-get install flume
  • Approach:
  • System Call Delegation (Ostia, Garfinkel et al.,
    2003)
  • Use Linux 2.6 (or OpenBSD 3.9)

13
System Call Delegation
[Diagram: Web App calls open("/hr/LayoffPlans", O_RDONLY) → glibc → Linux Kernel → Layoff Plans.]
14
System Call Delegation
[Diagram: Web App calls open("/hr/LayoffPlans", O_RDONLY) → Flume Libc → Flume Reference Monitor, which performs the open on the Web App's behalf → Linux Kernel → Layoff Plans.]
15
Three Classes of Processes
[Diagram: three columns, Flume-Oblivious, Unconfined / Mediators, and Confined. Each shows a Process p, the Flume Reference Monitor and the Linux Kernel; they differ in whether p's system calls go to the kernel directly or through the reference monitor.]
16
Outline
  • Flume Solves DIFC Problems
  • User-level implementation of DIFC on Linux
  • Simple label system
  • Endpoints: Glue Between Unix API and Labels
  • Application Evaluation

17
Information Flow Control (IFC)
  • Goal: track which secrets a process has seen
  • Mechanism: each process gets a secrecy label
  • Label summarizes which categories of data a
    process is assumed to have seen.
  • Examples (each category is a tag; a label is a set of tags):
  • {Financial Reports}
  • {HR Documents}
  • {Financial Reports, HR Documents}
18
Tags & Labels
[Worked sequence for Process p; the universe of tags is {Finance, Legal, HR, SecretProjects}. Initially S_p = {} and D_p = {}.]
  • Step 1: change_label({Finance}); S_p = {} → S_p = {Finance}.
    Any process can add any tag to its label.
  • Step 2: tag_t HR = create_tag(); D_p = {} → D_p = {HR}.
    DIFC rule: a process that creates a new tag gets the
    ability to declassify it.
  • Step 3: change_label({Finance, HR}); S_p = {Finance, HR}.
    Same as Step 1.
  • Step 4: change_label({Finance}); S_p = {Finance}.
    DIFC: declassification in action (HR is dropped, which is
    allowed because HR ∈ D_p).
19
Communication Rule
[Diagram: Process p with S_p = {HR}, Process q with S_q = {HR, Finance}; p → q is allowed (✓).]
p can send to q iff S_p ⊆ S_q
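The tag and label operations of slides 17-19, as an added Python example written for this transcript. It is not Flume's code or its real API: Flume's tag_t is an opaque value, whereas tags are plain strings here, and the Process class, the walk_slide_18 helper and the use of PermissionError are assumptions made for the illustration.

```python
"""Added example (not Flume's code): tags, secrecy labels and the plain
IFC communication rule from slides 17-19.  Tags are strings for
readability; Flume's tag_t is opaque.  The Process class, walk_slide_18
and PermissionError are assumptions made for this illustration."""
from dataclasses import dataclass


@dataclass
class Process:
    name: str
    S: frozenset = frozenset()  # secrecy label: categories p may have seen
    D: frozenset = frozenset()  # tags p may declassify (remove from S)

    def create_tag(self, tag: str) -> str:
        """DIFC rule (slide 18): whoever creates a tag may declassify it."""
        self.D = self.D | {tag}
        return tag

    def change_label(self, new_label) -> frozenset:
        """Any process may add any tag to S.  Dropping a tag t from S is
        declassification, so it is allowed only if t is in D."""
        new_label = frozenset(new_label)
        dropped = self.S - new_label
        if not dropped <= self.D:
            raise PermissionError(
                f"{self.name} may not declassify {sorted(dropped - self.D)}")
        self.S = new_label
        return self.S


def can_send(p: Process, q: Process) -> bool:
    """Communication rule (slide 19): p -> q iff S_p is a subset of S_q."""
    return p.S <= q.S


def walk_slide_18() -> list:
    """Replay slide 18 and return (S_p, D_p) after each step."""
    p = Process("p")
    trace = [(p.S, p.D)]
    p.change_label({"Finance"})         # step 1: anyone may add a tag
    trace.append((p.S, p.D))
    HR = p.create_tag("HR")             # step 2: p now owns HR (HR in D_p)
    p.change_label({"Finance", HR})     # step 3: same as step 1
    trace.append((p.S, p.D))
    p.change_label({"Finance"})         # step 4: drops HR; allowed, HR in D_p
    trace.append((p.S, p.D))
    try:
        p.change_label(set())           # Finance is not in D_p: refused
    except PermissionError:
        trace.append("refused")
    return trace


if __name__ == "__main__":
    for step in walk_slide_18():
        print(step)
    p = Process("p", S=frozenset({"HR"}))
    q = Process("q", S=frozenset({"HR", "Finance"}))
    print("p -> q:", can_send(p, q), " q -> p:", can_send(q, p))
```

The last step of the walk is the one the slide does not show: a process may not drop a tag it does not own, so the same label change that declassified HR is refused for Finance.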
20
Outline
  • Flume Solves DIFC Problems
  • User-level implementation of DIFC on Linux
  • Simple label system
  • Endpoints: Glue Between Unix API and Labels
  • Application Evaluation

21
Recall Communication Problem
[Diagram: Process q (S_q = {HR}) writes to Process p's stdin; p (S_p = {}, D_p = {HR}) answers on stdout. q's "Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya" is marked ✓; p's "SLOW DOWN!! I crashed" back to q is marked ?.]
22
New Abstraction Endpoints
[Diagram: Process p (S_p = {}, D_p = {HR}) owns endpoint e with S_e = {HR}; Process q (S_q = {HR}) owns endpoint f with S_f = {HR}.]
  • If S_e ⊆ S_f, then allow e to send to f
  • If S_f ⊆ S_e, then allow f to send to e
  • If S_f = S_e, then allow bidirectional flow

[Both "Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya" (✓) and "SLOW DOWN!! I crashed" (✓) now flow between e and f.]
23
Endpoints Declassify Data
Data enters process p with secrecy HR
But p keeps its label S_p
[Diagram: Process p with S_p = {}, D_p = {HR}, endpoint e with S_e = {HR}.]
Thus p needs HR ∈ D_p
24
Endpoint Invariant
  • Writing: for any tag t ∈ S_p with t ∉ S_e,
  • Reading: or any tag t ∈ S_e with t ∉ S_p,
  • it must be that t ∈ D_p

[Diagram: Process p with S_p = {Finance}, D_p = {Finance, HR}, endpoint e with S_e = {HR}.]
25
Endpoints Labels Are Independent
[Diagram: Process p (S_p = {}, D_p = {HR}) has endpoints e (S_e = {HR}) and g (S_g = {}); Process q (S_q = {HR}) has endpoint f (S_f = {HR}). An endpoint's label is set independently of its process's label.]
26
Recall Mysterious Failures
[Diagram: a File shared between Process p and Process q, as on slide 9.]
27
Endpoints Reveal Errors Eagerly
[Diagram: Process p (S_p = {}, D_p = {}) opens /tmp/public.dat (S_public.dat = {}) through endpoint e (S_e = {}); Process q has S_q = {HR}. Step 2 would make S_p = {HR} and is flagged (?): HR would be in S_p but in neither S_e nor D_p.]
  • open("/tmp/public.dat", O_WRONLY)
  • change_label({HR})

28
Endpoints Reveal Errors Eagerly
[Diagram: same labels as slide 27 (S_p = {}, D_p = {}, S_e = {}, S_public.dat = {}, S_q = {HR}), but the endpoint is closed before the label change, so change_label({HR}) succeeds and S_p = {HR}.]
  • fd = open("/tmp/public.dat", O_WRONLY)
  • close(fd)
  • change_label({HR})
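Endpoints, the endpoint invariant and eager error reporting from slides 22-28, as an added Python example written for this transcript; it is not Flume's code. The Endpoint and Process classes, the fd numbering, the FILE_LABELS table (a constructed stand-in for the labels the reference monitor would know) and EndpointError are assumptions made for the illustration.

```python
"""Added example (not Flume's code): endpoints, the endpoint invariant and
eager error reporting from slides 22-28.  Labels are frozensets of string
tags.  The Endpoint and Process classes, the fd numbering, the FILE_LABELS
table and EndpointError are assumptions made for this illustration."""
from dataclasses import dataclass

# Constructed sample file labels (what the reference monitor would know).
FILE_LABELS = {
    "/tmp/public.dat": frozenset(),                    # S_public.dat = {}
    "/hr/LayoffPlans": frozenset({"HR"}),
    "/finance/hr-budget.dat": frozenset({"Finance", "HR"}),
}


class EndpointError(Exception):
    """Raised as soon as open() or change_label() would break the invariant."""


@dataclass
class Endpoint:
    fd: int
    name: str
    S: frozenset  # S_e, set independently of the owning process's S_p (slide 25)


def endpoint_can_send(e: Endpoint, f: Endpoint) -> bool:
    """Slide 22: e may send to f iff S_e is a subset of S_f; equal labels
    give bidirectional flow."""
    return e.S <= f.S


class Process:
    def __init__(self, name, S=(), D=()):
        self.name = name
        self.S = frozenset(S)
        self.D = frozenset(D)
        self.endpoints = {}
        self._next_fd = 3

    def invariant_holds(self, S_p, e):
        """Slide 24: a tag in exactly one of S_p and S_e must be in D_p
        (writing: t in S_p but not S_e; reading: t in S_e but not S_p)."""
        return (S_p ^ e.S) <= self.D

    def open(self, path):
        """open() creates an endpoint labelled with the file's label (slide 27);
        refused immediately if the invariant would not hold."""
        e = Endpoint(self._next_fd, path, FILE_LABELS[path])
        if not self.invariant_holds(self.S, e):
            raise EndpointError(f"{self.name}: cannot open {path}, S_e={set(e.S)}")
        self.endpoints[e.fd] = e
        self._next_fd += 1
        return e.fd

    def close(self, fd):
        del self.endpoints[fd]

    def change_label(self, new_label):
        """Check declassification rights and every open endpoint before
        changing S_p, so the caller learns of the problem now (slides 27-28)."""
        new_label = frozenset(new_label)
        dropped = self.S - new_label
        if not dropped <= self.D:
            raise PermissionError(f"{self.name}: may not drop {set(dropped - self.D)}")
        for e in self.endpoints.values():
            if not self.invariant_holds(new_label, e):
                raise EndpointError(f"{self.name}: change_label({set(new_label)}) "
                                    f"breaks the invariant on {e.name}, S_e={set(e.S)}")
        self.S = new_label
        return self.S


def slide_27_then_28():
    """Slide 27: with /tmp/public.dat open, change_label({HR}) is refused at
    once.  Slide 28: close the fd first and the same call succeeds."""
    p = Process("p")                    # S_p = {}, D_p = {}
    fd = p.open("/tmp/public.dat")      # S_e = {}
    try:
        p.change_label({"HR"})          # HR would be in S_p, not in S_e or D_p
        first = "allowed"
    except EndpointError:
        first = "refused"
    p.close(fd)
    p.change_label({"HR"})              # no endpoint left to violate: allowed
    return first, p.S


if __name__ == "__main__":
    print(slide_27_then_28())           # ('refused', frozenset({'HR'}))
```

The invariant is checked against the proposed label before S_p changes, which is what turns the "mysterious failure" of slide 26 into an error at the change_label() call. The same check covers slides 24 and 49: with S_p = {Finance} and D_p = {Finance, HR} a process may open /hr/LayoffPlans, and with D_p = {HR} alone it may open the constructed /finance/hr-budget.dat (S_e = {Finance, HR}) but not /hr/LayoffPlans.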

29
Outline
  • Flume Solves DIFC Problems
  • Application Evaluation

30
Questions for Evaluation
  • Does Flume allow adoption of Unix software?
  • Does Flume solve security vulnerabilities?
  • Does Flume perform reasonably?

31
Example App MoinMoin Wiki
32
How Problems Arise
    if not self.request.user.may.read(pagename):
        return self.notAllowedFault()
(×43: this access check recurs 43 times in the code base)
[Diagram: MoinMoin Wiki (100 kLOC) guards both the LayoffPlans and the FreeTShirts pages.]
33
MoinMoin DIFC
[Diagram: Apache Web Server → MoinMoin Wiki (100 kLOC, untrusted) and Declassifier (1 kLOC, trusted); pages LayoffPlans and FreeTShirts.]
34
FlumeWiki
[Diagram; legend: Flume-Oblivious / unconfined / confined; arrows: reliable IPC, file I/O. Web Client → GET /LayoffPlans?user=Intern&PW=abcd → Apache → Declassifier (1 kLOC) → MoinMoin (100 kLOC, confined), which does file I/O on LayoffPlans (S = {HR}) and FreeTShirts (S = {}).]
35
Future Work
[Diagram: as on slide 34, with MoinMoin replaced by "Totally Suspect Software": Web Client → GET /LayoffPlans?user=Intern&PW=abcd → Apache → Declassifier (1 kLOC) → Totally Suspect Software; LayoffPlans (S = {HR}), FreeTShirts (S = {}).]
36
Results
  • Does Flume allow adoption of Unix software?
  • 1,000 LOC launcher/declassifier
  • 1,000 out of 100,000 LOC in MoinMoin changed
  • Python interpreter, Apache unchanged
  • Does Flume solve security vulnerabilities?
  • Without our knowing it, we inherited two ACL bypass
    bugs from MoinMoin
  • Neither is exploitable in Flume's MoinMoin
  • Does Flume perform reasonably?
  • Performs within a factor of 2 of the original on
    read and write benchmarks

37
Most Related Work
  • Asbestos, HiStar: new DIFC OSes
  • Jif: DIFC at the language level
  • Ostia, Plash: implementation techniques
  • Classical MAC literature (Bell-LaPadula, Biba,
    Orange Book MAC, Lattice Model, etc.)

38
Limitations
  • Bigger TCB than HiStar / Asbestos:
  • Linux stack (kernel, glibc, linker)
  • Reference monitor (22 kLOC)
  • Covert channels via disk quotas
  • Confined processes like MoinMoin don't get the full
    POSIX API:
  • spawn() instead of fork() + exec()
  • flume_pipe() instead of pipe()

39
Summary
  • DIFC is a challenge to programmers
  • Flume: DIFC at user level
  • Preserves legacy software
  • Complements today's programming techniques
  • MoinMoin Wiki + Flume works as promised
  • We invite you to play around:
  • http://flume.csail.mit.edu

40
Thanks!
  • To ITRI, Nokia, NSF and You

41
Reasons to Read the Paper
  • Generalized security properties
  • Including novel integrity policies
  • Support for very large labels
  • Support for clusters of Flume Machines

42
Flume's Rule is Fast
  • Recall:
  • p can send to q iff S_p − D_p ⊆ S_q ∪ D_q
  • To compute:
  • for each tag t ∈ S_p:
  •   if t ∉ S_q and t ∉ D_p and t ∉ D_q:
  •     output NO
  • output OK
  • Runs in time proportional to the size of S_p.
  • No need to enumerate D_p or D_q!

43
Flume Communication Rule
[Diagram: MoinMoin (p) with S_p = {Alice}, MoinMoin (r) with S_r = {Bob}, Database (q) with S_q = {}, D_q = {Alice, Bob}. Under the plain IFC rule the direct sends to q are marked ?; the three-step workaround below, in which q runs with S_q = {Alice}, is marked ✓.]
  • q changes to S_q = {Alice}
  • p sends to q
  • q changes back to S_q = {}

44
Flume Communication Rule
[Diagram: the same processes as slide 43; under Flume's rule both p → q and r → q are allowed directly (✓ ✓).]
Senders get extra latitude (D_p)
Receivers get extra latitude (D_q)
  • p can send to q iff
  • In IFC: S_p ⊆ S_q
  • In Flume: S_p − D_p ⊆ S_q ∪ D_q
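Flume's communication rule and the check of slide 42, applied to the MoinMoin/Database labels of slides 43-44, as an added Python example written for this transcript; it is not Flume's code. The LazyTagSet class, the "hr:" tag-naming scheme used to show a membership-only D_p, and the helper function names are assumptions made for the illustration; the example also generalizes the slide by letting D be any object that answers `in`, which is what makes "no need to enumerate D_p or D_q" concrete.

```python
"""Added example (not Flume's code): the rule S_p - D_p ⊆ S_q ∪ D_q and the
O(|S_p|) check from slide 42, run on the scenario of slides 43-44.  Labels
are sets of string tags.  LazyTagSet, the 'hr:' tag prefix and the helper
names are assumptions made for this illustration."""


def ifc_can_send(S_p, S_q) -> bool:
    """Plain IFC rule: S_p is a subset of S_q."""
    return set(S_p) <= set(S_q)


def flume_can_send(S_p, D_p, S_q, D_q) -> bool:
    """Slide 42: iterate only over S_p.  D_p and D_q are used through
    membership tests alone and never enumerated, so they may be huge
    or defined implicitly."""
    for t in S_p:
        if t not in S_q and t not in D_p and t not in D_q:
            return False  # t would leak: q may not hold it and nobody may declassify it
    return True


class LazyTagSet:
    """Declassification rights given by a predicate instead of a listing
    (e.g. 'every tag this process minted').  Supports `in` only."""

    def __init__(self, predicate):
        self._pred = predicate

    def __contains__(self, tag) -> bool:
        return self._pred(tag)

    def __iter__(self):
        raise TypeError("LazyTagSet cannot be enumerated; use membership tests")


def slides_43_44() -> dict:
    """p = MoinMoin serving Alice, r = MoinMoin serving Bob, q = the database,
    which owns both users' tags but runs with S_q = {}."""
    S_p, D_p = {"Alice"}, set()
    S_r, D_r = {"Bob"}, set()
    S_q, D_q = set(), {"Alice", "Bob"}
    return {
        "ifc p->q": ifc_can_send(S_p, S_q),                 # False: needs the label dance
        "flume p->q": flume_can_send(S_p, D_p, S_q, D_q),   # True: receiver latitude, Alice in D_q
        "flume r->q": flume_can_send(S_r, D_r, S_q, D_q),   # True: Bob in D_q
        "flume p->r": flume_can_send(S_p, D_p, S_r, D_r),   # False: Alice's data would reach Bob
        "flume q->p": flume_can_send(S_q, D_q, S_p, D_p),   # True: S_q is empty
    }


def ifc_workaround():
    """Slide 43 under plain IFC: q raises its label to {Alice}, receives,
    then drops Alice again, which is legal only because Alice is in D_q."""
    S_p = {"Alice"}
    D_q = {"Alice", "Bob"}
    S_q = {"Alice"}                      # q changes to S_q = {Alice}
    ok = ifc_can_send(S_p, S_q)          # p sends to q
    assert {"Alice"} <= D_q              # dropping Alice needs Alice in D_q
    S_q = set()                          # q changes back to S_q = {}
    return ok, S_q


def sender_latitude_with_lazy_rights():
    """Sender latitude (slide 44): a mediator allowed to declassify every
    'hr:' tag may send HR data to an unlabelled q; the check never walks D_p."""
    D_p = LazyTagSet(lambda t: t.startswith("hr:"))
    return (flume_can_send({"hr:layoffs", "hr:salaries"}, D_p, set(), set()),
            flume_can_send({"finance:q3"}, D_p, set(), set()))


if __name__ == "__main__":
    print(slides_43_44())
    print(ifc_workaround())
    print(sender_latitude_with_lazy_rights())
```

The refused case p → r is the one a practitioner should look at: r's D is empty and Alice ∉ S_r, so Alice's data cannot flow into Bob's session no matter how the database is labelled, which is the property the 1 kLOC declassifier relies on.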

45
Flume Kernel Module
[Diagram: Web App calls open("/alice/inbox.dat", O_RDONLY); Flume Libc issues the system call (mov $0x5, %eax; int $0x80, the i386 open() syscall); the Flume Kernel Module redirects it to the Flume Reference Monitor, which approves it (✓) and has the Linux Kernel open Alice's Data.]
46
Reference Monitor Proxies Pipes
[Diagram: Web App calls write(0, "some data", 10); the Flume Reference Monitor proxies the pipe through the Linux Kernel to the Helper Process.]
47
Unconfined Processes
Unconfined processes get the e endpoint.
[Diagram: endpoint e connects to stderr, getpwent, a TCP Socket, sendmail, kill, mmaped memory, ioctl, a forked child, sigcatch and DIFC. Process p starts with S_p = {}, D_p = {HR}; after change_label({HR}) it has S_p = {HR}, D_p = {HR} (✓). Endpoint e has S_e = {} on /tmp/public.dat (S_public.dat = {}); Process q has S_q = {HR}.]
  • change_label({HR})
48
Endpoints Reveal Errors Eagerly
[Diagram: as on slide 27, but now D_p = {HR}. Process p opens /tmp/public.dat (S_public.dat = {}) through endpoint e (S_e = {}) (✓), then change_label({HR}) gives S_p = {HR} and is allowed (✓) because HR ∈ D_p; Process q has S_q = {HR}.]
  • open("/tmp/public.dat", O_WRONLY)
  • change_label({HR})

49
Why Do We Need Sp?
[Diagram: Process p with S_p = {Finance}, D_p = {HR}, endpoint e with S_e = {Finance, HR}.]