Information Flow Control for Standard OS Abstractions Landon Cox March 21, 2018
Access control and the kernel How does kernel know if system call is allowed? Looks are user id (uid) of process making the call Looks at resources accessed by call (e.g., file) Checks access-control policy associated with resource Decides if policy allows uid to access resources How is a uid normally assigned to a process? On fork, child inherits parent’s uid
MOO accounting problem Multi-player game called Moo Want to maintain high score in a file Should players be able to update score? Yes Do we trust users to write file directly? No, they could lie about their score Game client (uid x) High score Game client (uid y)
MOO accounting problem Multi-player game called Moo Want to maintain high score in a file Should players be able to update score? Yes Do we trust users to write file directly? No, they could lie about their score Could have a trusted process update scores Why isn’t this enough? Can’t be sure that reported score is genuine Also want to ensure that score was computed correctly Game client (uid x) Trusted process (root) High score Game client (uid y)
Access control Simple inheritance of uids is not sufficient for Tasks involving management of “user id” state Logging in (login) Changing passwords (passwd) Solution: setuid Executable files can have their setuid bit set If setuid bit is set, process inherits uid of image file’s owner on exec
MOO accounting problem Multi-player game called Moo Want to maintain high score in a file How does setuid allow us to know that score is correct? Game executable is owned by trusted entity Game cannot be modified by normal users Users can run executable though High-score is also owned by trusted entity This is a form of trustworthy computing High-score maintainer knows exactly which code will update score Ensures code integrity, even when run by untrusted users Also data confidentiality, since data accessed by code with integrity Game client (uid x) High score Game client (uid y)
Information Flow Control (IFC) Goal: track which secrets a process has seen Mechanism: each process gets a secrecy label Label summarizes which categories of data a process is assumed to have seen. Examples: { “Financial Reports” } { “HR Documents” } { “Financial Reports” and “HR Documents” } “tag” “label” Slide by Max Krohn
Secrecy, Integrity, and Privilege How did endorsements work in the Moo prob? Secrecy label (Sp) Specifies what data P has read “/usr/bin/login may read the password file” Integrity label (Ip) Used to endorse trustworthiness of P “/usr/bin/login can only be updated by root” Also limits what P can read “/usr/bin/login can only read user libs and config files endorsed by root” Ownership (Op) Regulates how P can update Sp and Ip Tags P can add to its labels (e.g., t+), i.e., endorse via integrity label Tags P can remove from its labels (e.g., t-), i.e., declassify via secrecy label Dp is the set of tags that P can both add and remove What is an endorsement? Why is this restriction necessary?
Secrecy, Integrity, and Privilege “At some point process p added data with tag s to its address space.” s ∈ Sp ∃(data) : p read data with tag s Integrity “All inputs to process p had tag i.” i ∈ Ip ∀(data) : p read data with tag i Privilege “p can remove tag s from Spand add tag i to Ip.” s ∈ t- p is trusted to declassify s i ∈ t+ p is trusted to endorse i t ∈ Dp t ∈ t- and t ∈ t+
Tags + Secrecy Labels Process p change_label({Finance}); Secrets P has viewed change_label({}); tag_t HR = create_tag(); change_label({Finance,HR}); Any process can add any tag to its label. Sp = { Finance, HR } Sp = { Finance } Sp = {} change_label({Finance}); DIFC Rule: A process can create a new tag; gets ability to declassify it. Dp = { HR } Dp = {} Same as Step 1. Tags P can add and remove from its label DIFC: Declassification in action. Finance HR Legal Universe of Tags: SecretProjects Slide by Max Krohn
Tags + Integrity Labels change_label({}); Process p Endorsements of P Any process can remove any tag from its label. Ip = {Apple} Dp = {} Tags P can add and remove from its label Finance Legal Universe of Tags: Apple Slide by Max Krohn
Tags + Integrity Labels change_label({}); Process p Ip = {} Dp = {} Finance Legal Universe of Tags: Apple Slide by Max Krohn
Tags + Integrity Labels change_label({}); Process p change_label({Microsoft}); tag_t HR = create_tag(); Ip = {} Dp = {} Finance Legal Universe of Tags: Apple Slide by Max Krohn
Tags + Integrity Labels change_label({}); Process p tag_t HR = create_tag(); Ip = {} Dp = {} Finance Legal Universe of Tags: Apple Slide by Max Krohn
Tags + Integrity Labels change_label({}); Process p tag_t HR = create_tag(); Ip = {} DIFC Rule: A process can create a new tag; gets ability to endorse w/ it. Dp = {HR} Finance HR Legal Universe of Tags: Apple Slide by Max Krohn
Tags + Integrity Labels change_label({}); Process p tag_t HR = create_tag(); change_label({HR}); Ip = {} Dp = {HR} Finance HR Legal Universe of Tags: Apple Slide by Max Krohn
Tags + Integrity Labels change_label({}); Process p tag_t HR = create_tag(); change_label({HR}); Ip = {HR} Dp = {HR} DIFC: Endorsement in action. Finance HR Legal Universe of Tags: Apple Slide by Max Krohn
Privilege in action (secrecy) Finance Universe of Secrecy Tags: HR Legal SecretProjects Process p Sp = {} Dp = { HR, Admin } Admin Microsoft Bob’s code Alice’s code Universe of Integrity Tags
Privilege in action (secrecy) Finance Universe of Secrecy Tags: HR Legal SecretProjects Process p Sp = { HR } Dp = { HR, Admin } Admin Microsoft Bob’s code Why is this allowed? Alice’s code Universe of Integrity Tags
Privilege in action (secrecy) Finance Universe of Secrecy Tags: HR Legal SecretProjects Process p Sp = { HR } Dp = { HR, Admin } Admin Microsoft Bob’s code What is the effect? Alice’s code Universe of Integrity Tags
Privilege in action (secrecy) Finance Universe of Secrecy Tags: HR Legal SecretProjects Process p q Sp = { HR } Dp = { HR, Admin } Admin Sq = { HR } Microsoft Bob’s code What is the effect? Can now receive data from HR processes Alice’s code Universe of Integrity Tags
Privilege in action (secrecy) Finance Universe of Secrecy Tags: HR Legal SecretProjects Process p q Sp = {} Dp = { HR, Admin } Admin Sq = { HR } Microsoft Bob’s code Why is this allowed? Alice’s code Universe of Integrity Tags
Privilege in action (secrecy) Finance Universe of Secrecy Tags: HR Legal SecretProjects Process p q Sp = {} Dp = { HR, Admin } Admin Sq = { HR } Microsoft Bob’s code What is the effect? Alice’s code Universe of Integrity Tags
Privilege in action (secrecy) Finance Universe of Secrecy Tags: HR Legal Sr = {} SecretProjects Process p q Sp = {} Dp = { HR, Admin } Admin Sq = { HR } Microsoft Bob’s code What is the effect? Declassifies HR data received from q Alice’s code Universe of Integrity Tags
Privilege in action (integrity) Finance Universe of Secrecy Tags: HR Legal SecretProjects Process p Ip = {Admin} Dp = { HR, Admin } Admin Microsoft Bob’s code Admin+ makes p a certifier Alice’s code Universe of Integrity Tags
Privilege in action (integrity) Fake vi Ip = {} Process p vi Ip = {Admin} Dp = { HR, Admin } Ip = {Admin} libc /etc/rc Ip = {Admin} Ip = {Admin}
Privilege in action (integrity) Fake vi Ip = {} Process p “Run vi” vi Ip = {Admin} Dp = { HR, Admin } Ip = {Admin} libc /etc/rc Ip = {Admin} Ip = {Admin}
Privilege in action (integrity) Fake vi Ip = {Admin} Dp = { HR, Admin } q Ip = {} fork() Process p “Run vi” vi Ip = {Admin} Dp = { HR, Admin } Ip = {Admin} libc /etc/rc Ip = {Admin} Ip = {Admin}
Privilege in action (integrity) Fake vi Ip = {Admin} Dp = { HR } q Why drop Admin+? Ip = {} fork() Process p “Run vi” vi Ip = {Admin} Dp = { HR, Admin } Ip = {Admin} libc /etc/rc Ip = {Admin} Ip = {Admin}
Privilege in action (integrity) Should this work? Fake vi Ip = {Admin} Dp = { HR } q Ip = {} fork() exec(“vi”) Process p “Run vi” vi Ip = {Admin} Dp = { HR, Admin } Ip = {Admin} libc /etc/rc Ip = {Admin} Ip = {Admin}
Privilege in action (integrity) Fake vi Ip = {Admin} Dp = { HR } q Ip = {} fork() load(“libc”) Process p “Run vi” vi Ip = {Admin} Dp = { HR, Admin } Ip = {Admin} libc /etc/rc Ip = {Admin} Ip = {Admin}
Privilege in action (integrity) Fake vi Ip = {Admin} Dp = { HR } q Ip = {} fork() read(“/etc/rc”) Process p “Run vi” vi Ip = {Admin} Dp = { HR, Admin } Ip = {Admin} libc /etc/rc Ip = {Admin} Ip = {Admin}
Privilege in action (integrity) Fake vi Ip = {} Process p “Run Fakevi” vi Ip = {Admin} Dp = { HR, Admin } Ip = {Admin} libc /etc/rc Ip = {Admin} Ip = {Admin}
Privilege in action (integrity) Fake vi Ip = {Admin} Dp = { HR, Admin } q Ip = {} fork() Process p “Run Fakevi” vi Ip = {Admin} Dp = { HR, Admin } Ip = {Admin} libc /etc/rc Ip = {Admin} Ip = {Admin}
Privilege in action (integrity) Fake vi Ip = {Admin} Dp = { HR } q Ip = {} fork() Process p “Run Fakevi” vi Ip = {Admin} Dp = { HR, Admin } Ip = {Admin} libc /etc/rc Ip = {Admin} Ip = {Admin}
Privilege in action (integrity) Fake vi Ip = {Admin} Dp = { HR } q exec(“fakevi”) Ip = {} fork() Process p “Run Fakevi” vi Ip = {Admin} Dp = { HR, Admin } Ip = {Admin} libc /etc/rc Ip = {Admin} Ip = {Admin}
Privilege in action (integrity) Should this work? Fake vi Ip = {Admin} Dp = { HR } q exec(“fakevi”) Ip = {} fork() Process p “Run Fakevi” vi Ip = {Admin} Dp = { HR, Admin } Ip = {Admin} libc /etc/rc Ip = {Admin} Ip = {Admin}
P Communication Rule p can send to q iff Sp Í Sq Sp = { HR } Process p Process q Sp = { HR } Sq = { HR, Finance } p can send to q iff Sp Í Sq Slide by Max Krohn
Flume Communication Rule P ? ? Database (q) MoinMoin (p) MoinMoin (r) Sp = { Alice } Sr = { Bob } Sq = {} Dq = { Alice, Bob } Sq = { Alice } Dq = { Alice, Bob } Sp Í Sq q changes to Sq = { Alice } p sends to q q changes back to Sq= {} Slide by Max Krohn
Flume Communication Rule P P Database (q) MoinMoin (p) MoinMoin (r) Sp = { Alice } Sr = { Bob } Sq = {} Dq= { Alice, Bob } Senders get extra latitude Receivers get extra latitude p can send to q iff: In IFC: Sp Í Sq In Flume: Sp – Dp Í Sq È Dq Slide by Max Krohn
Unexpected Program Behavior (Unreliable Communication) Process p Process q P “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” “I stopped reading” “I crashed” Slide by Max Krohn
Unreliable communication Process p Process q stdout stdin Sp = {} Dp = { HR } Sq = { HR } P “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” ? “SLOW DOWN!!” “I crashed” Slide by Max Krohn
New Abstraction: Endpoints Process p Process q e f Se = { HR } Sf = { HR } Sp = {} Dp = { HR } Sq = { HR } P If Se Í Sf , then allow e to send to f If Sf Í Se , then allow f to send to e If Sf = Se , then allow bidirectional flow “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” P “SLOW DOWN!!” “I crashed” Slide by Max Krohn
Endpoints Declassify Data Data enters process p with secrecy { HR } But p keeps its label Sp = {} Process p e Se = { HR } Sp = {} Dp = { HR } Thus p needs HR Î Dp Slide by Max Krohn
Endpoint Invariant For any tag t Î Sp and t Ï Se Export inf. For any tag t Î Sp and t Ï Se Or any tag t Î Se and t Ï Sp It must be that t Î Dp Import inf. Process p e Se = { HR } Sp = { Finance } Dp = { Finance, HR} Slide by Max Krohn
Endpoints’ Labels Are Independent g Sg = {} Process p Process q e f Se = { HR } Sf = { HR } Sp = {} Dp = { HR } Sq = { HR } Slide by Max Krohn
Example App: MoinMoin Wiki What are wikis used for? Say corporate data sharing. Slide by Max Krohn
x43 How Problems Arise… if not self.request.user.may.read(pagename): return self.notAllowedFault() x43 LayoffPlans MoinMoin Wiki (100 kLOC) FreeTShirts Slide by Max Krohn
MoinMoin + DIFC Trusted Untrusted MoinMoin Apache Wiki Web Server LayoffPlans Apache Web Server MoinMoin Wiki (100 kLOC) Declassifier 1 kLOC FreeTShirts Trusted Untrusted Slide by Max Krohn
FlumeWiki reliable IPC file I/O MoinMoin Apache (100 kLOC) Flume-Oblivious unconfined confined reliable IPC Web Client GET /LayoffPlans?user=Intern&PW=abcd LayoffPlans S={ HR } Apache Declassifier 1 kLOC MoinMoin (100 kLOC) FreeTShirts S={} file I/O Slide by Max Krohn
Results Does Flume allow adoption of Unix software? 1,000 LOC launcher/declassifier 1,000 out of 100,000 LOC in MoinMoin changed Python interpreter, Apache, unchanged Does Flume solve security vulnerabilities? Without our knowing, we inherited two ACL bypass bugs from MoinMoin Both are not exploitable in Flume’s MoinMoin Does Flume perform reasonably? Performs within a factor of 2 of the original on read and write benchmarks Slide by Max Krohn
Limitations Bigger TCB than HiStar / Asbestos Linux stack (Kernel + glibc + linker) Reference monitor (~22 kLOC) Covert channels via disk quotas Confined processes like MoinMoin don’t get full POSIX API. spawn() instead of fork() & exec() flume_pipe() instead of pipe() Slide by Max Krohn
Summary DIFC is a challenge to Programmers Flume: DIFC in User-Level Preserves legacy software Complements today’s programming techniques MoinMoin Wiki: Flume works as promised Invite you to play around: http://flume.csail.mit.edu Slide by Max Krohn