Enforcing Security Policies using Transactional Memory Introspection. Vinod Ganapathy (Rutgers University), Arnar Birgisson, Mohan Dhawan, Ulfar Erlingsson, Liviu Iftode.

Presentation transcript:


Take-home slide: We can utilize the mechanisms of Software Transactional Memory to greatly improve security policy enforcement.

X server with multiple X clients (diagram: LOCAL and REMOTE X clients connected to one X server)

Malicious remote X client (diagram: one of the REMOTE clients is malicious)

Undesirable information flow (diagram: a flow between the LOCAL and REMOTE sides that the policy should forbid)

Desirable information flow (diagram: a flow between the LOCAL and REMOTE sides that the policy should permit)

X server with authorization: the X client sends an operation request to the X server and receives a response; before performing the operation, the server asks a reference monitor, which consults the authorization policy and answers Allowed? YES/NO. Security enforcement crosscuts application functionality.

Outline: Enforcing authorization policies; Problems with existing techniques; Transactional Memory Introspection; Implementation and experiments

Existing enforcement interface:

    dispatch_request() {
        ...
        perform_request();
    }

    perform_request() {
        ...
        perform_access(resource);
        ...
        perform_access'(resource');
    }

Existing enforcement interface, with every resource access guarded by an authorization check:

    dispatch_request() {
        ...
        perform_request();
    }

    perform_request() {
        ...
        if (allowed(principal, resource, access)) {
            perform_access(resource);
        } else {
            handle_auth_failure1();
        }
        ...
        if (allowed(principal, resource', access')) {
            perform_access'(resource');
        } else {
            handle_auth_failure2();
        }
    }

Three problems: I. Violation of complete mediation; II. Time-of-check to time-of-use (TOCTTOU) bugs; III. Handling authorization failures

I. Incomplete mediation (the guarded perform_request() shown above): Must guard each resource access to ensure complete mediation.

I. Incomplete mediation, a Linux example [Zhang et al., USENIX Security ’02]. The read through vfs_read() is checked, but the same page read reached through page_cache_read() is not:

    ssize_t vfs_read(struct file *file, ...) {
        ...
        if (check_permission(file, MAY_READ)) {
            file->f_op->read(file, ...);
        }
        ...
    }

    int page_cache_read(struct file *file, ...) {
        struct address_space *mapping = file->f_dentry->d_inode->i_mapping;
        ...
        mapping->a_ops->readpage(file, ...);
    }
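As an added example (not from the slides or from Zhang et al.), the following Python script shows one way to look for this class of gap: a reachability check over a call graph that reports every path from an entry point to a page read that never passes check_permission() on the way. The call graph, the entry point names and do_file_read() are constructed for illustration; only vfs_read, check_permission, page_cache_read and readpage come from the slide.

```python
# Added example (not from the slides or from Zhang et al.): a small reachability
# check over a constructed call graph, modelling the vfs_read / page_cache_read
# case. It reports every call path from an entry point to a sensitive resource
# access that does not pass a mediation check on the way. All function names in
# the graph other than those on the slide are constructed placeholders.

# Constructed call graph: caller -> ordered list of callees.
CALL_GRAPH = {
    "sys_read": ["vfs_read"],
    "vfs_read": ["check_permission", "do_file_read"],    # check precedes the access
    "do_file_read": ["page_cache_read"],
    "page_cache_read": ["readpage"],                      # no check of its own
    "hypothetical_unchecked_entry": ["page_cache_read"],  # constructed second path
}
ENTRY_POINTS = ["sys_read", "hypothetical_unchecked_entry"]
MEDIATION_CHECKS = {"check_permission"}
RESOURCE_ACCESSES = {"readpage"}


def unmediated_paths(graph, entries, checks, accesses):
    """Return the call paths (lists of function names) that reach a resource
    access without any function on the path having called a check first."""
    found = []

    def walk(fn, path, mediated):
        if fn in accesses:
            if not mediated:
                found.append(path)
            return
        checked_here = mediated
        for callee in graph.get(fn, []):
            if callee in checks:
                checked_here = True        # callees after this point are guarded
                continue
            if callee in path:             # ignore recursion
                continue
            walk(callee, path + [callee], checked_here)

    for entry in entries:
        walk(entry, [entry], False)
    return found


def is_completely_mediated(graph, entries, checks, accesses):
    """Complete mediation holds when no unmediated path exists."""
    return not unmediated_paths(graph, entries, checks, accesses)


if __name__ == "__main__":
    for path in unmediated_paths(CALL_GRAPH, ENTRY_POINTS, MEDIATION_CHECKS, RESOURCE_ACCESSES):
        print("unmediated:", " -> ".join(path))
```

The check is deliberately path-sensitive rather than function-sensitive: page_cache_read() itself is neither good nor bad, it is the entry that reaches it without a preceding check that violates complete mediation, which is exactly what a per-function audit of "does this function call the hook?" misses.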

II. TOCTTOU bugs (the guarded perform_request() shown earlier: each allowed() check is followed by a separate perform_access()).

II. TOCTTOU bugs: A similar race condition was found in the Linux Security Modules framework [Zhang et al., USENIX Security ’02]. Several similar bugs were recently found in popular enforcement tools [Watson, WOOT ’07]: GSWTK, Systrace [Provos, USENIX Security ’03] and OpenBSD Sysjail [Johnson and Deksters ’07].

II. TOCTTOU bugs: Authorization check and resource access must be atomic.

III. Failure handling (handle_auth_failure1() and handle_auth_failure2() in the guarded perform_request()): Handling authorization failures is ad hoc and error prone.

III. Failure handling:
- Exception-handling code accounts for a large fraction of server software: over two-thirds of server software [IBM ’87]; nearly 46% on several Java benchmarks [Weimer & Necula, OOPSLA ’04]
- Exception-handling code itself is error-prone [Fetzer and Felber ’04]
- SecurityException is the exception most often handled erroneously [Weimer & Necula, OOPSLA ’04]

Summary of problems:
- Violation of complete mediation: need to identify all the resources accessed; example: bug in Linux Security Modules [Zhang et al., USENIX Security ’02]
- Time-of-check to time-of-use bugs: examples in [Zhang et al., USENIX Security ’02] and [Watson, WOOT ’07]
- Handling authorization failures: a large fraction of server code relates to error handling [IBM survey ’87; Weimer and Necula ’04], and error-handling code is error-prone! [Fetzer & Felber ’04]
Security enforcement crosscuts application functionality. Our solution, TMI, decouples security enforcement from application functionality.

Outline: Enforcing authorization policies; Problems with existing techniques; Transactional Memory Introspection (TMI): programmer’s interface, mechanics of TMI; Implementation and experiments

Transactional memory primer: an alternative to lock-based programming; reason about atomic sections, not locks; TM provides atomicity and isolation.

Lock-based:

    acquire(S1.lock)
    acquire(S2.lock)
    value = S1.pop()
    S2.push(value)
    release(S2.lock)
    release(S1.lock)

Transactional:

    transaction {
        value = S1.pop()
        S2.push(value)
    }

Programmer’s interface to TMI: the request is wrapped in a transaction tagged with the requesting principal; perform_request() contains no checks.

    dispatch_request() {
        transaction [principal] {
            ...
            perform_request();
        }
    }

    perform_request() {
        ...
        perform_access(resource);
        ...
        perform_access'(resource');
    }

Programmer’s interface to TMI (continued): the authorization manager is a separate piece of code that the TM runtime consults for every access the transaction makes, asking allowed(principal, resource, access)? for perform_access(resource) and allowed(principal, resource', access')? for perform_access'(resource'):

    Authorization manager:
        case (resource = R, access_type = A):
            if (!allowed(principal, R, A)) then abort_tx

I. Complete mediation for free: with transaction [principal] { ... } around perform_request(), TMI automatically invokes the authorization checks for every resource the transaction touches.

II. TOCTTOU-freedom for free: Conflicting resource accesses automatically abort the transaction.

III. Error-handling for free: Unauthorized resource accesses automatically abort the transaction.

Decouples functionality and security: perform_request() contains only application logic, and the authorization manager contains only policy.

Outline: Enforcing authorization policies; Problems with existing techniques; Transactional Memory Introspection (TMI): programmer’s interface, mechanics of TMI; Implementation and experiments

TM runtime system: The TM runtime maintains per-transaction read/write sets and detects conflicts. Two instances of

    transaction {
        value = S1.pop()
        S2.push(value)
    }

run concurrently (the green and the red transaction on the slide) and interleave as

    val1 = S1.pop()
    val2 = S1.pop()
    S2.push(val2)
    S2.push(val1)

The read/write sets at the point shown on the slide:

    Transaction   Read set / Write set
    Green         S1.stkptr
    Red           S1.stkptr, S2.stkptr

TM runtime system (diagram): the transaction body goes through Execution, which builds the Read and Write Sets, then Validation; on success the Commit logic commits the transaction; on a conflict the Contention manager decides to retry.

Transactional Memory Introspection (diagram): the same pipeline with an Authorization stage added. After Validation, the Auth. checks are run by the Auth. Manager over the read/write sets; on Success the transaction commits, on Failure it aborts.

Transactional Memory Introspection: with dispatch_request() wrapping perform_request() in transaction [principal] { ... }, every resource touched by perform_access(resource) and perform_access'(resource') is present in the read/write set, so the accesses are checked before the transaction commits.

Outline: Enforcing authorization policies; Problems with existing techniques; Transactional Memory Introspection; Implementation and experiments

TMI Implementation: TMI/DSTM2
- Implemented using Sun’s DSTM2, an object-based software TM system
- TM system modified to: trigger authorization checks on additions to the read/write set and upon transaction validation; raise AccessDeniedException upon abort; integrate transactional I/O libraries
- Fewer than 500 lines changed in DSTM2

Porting software to TMI/DSTM2:
1. Mark transactional objects (also wrappers for library classes: java.util.HashMap, java.util.Vector)
2. Replace reads and writes of object fields with DSTM2 accessors
3. Place transaction{…} blocks around client requests
4. Write an authorization manager
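The following Python toy runtime is an added example, not the paper's DSTM2 code. It puts the mechanics of the previous section (principal-tagged transactions, read/write sets, validation, an authorization manager consulted before commit, abort on denial, retry on conflict) and the four porting steps above together in miniature: TVar plays the marked transactional object, Transaction.read/write are the accessors, Runtime.atomic is the transaction{…} block around a request, and x_policy is the authorization manager. All of those names, the LOCAL/REMOTE labelling and the two demo inputs are this example's own constructions.

```python
# Added example, not the paper's DSTM2 code: a toy software-transactional-memory
# runtime with the introspection hook the slides describe. Transactions are tagged
# with a principal; at commit the runtime validates the read/write sets and then hands
# every recorded access to an authorization manager (names and policy are constructed).
import threading

class AccessDenied(Exception):
    pass   # the authorization manager rejected an access in the read/write set

class Conflict(Exception):
    pass   # validation found that something the transaction touched has changed

class TVar:
    """A transactional object: a named resource with a value, a label and a version."""
    def __init__(self, name, value, label):
        self.name, self.value, self.label, self.version = name, value, label, 0

class Transaction:
    """Per-transaction state: the principal plus the read and write sets."""
    def __init__(self, principal):
        self.principal = principal
        self.read_set = set()
        self.write_set = {}   # TVar -> value to publish at commit
        self.observed = {}    # TVar -> version seen when first touched

    def read(self, var):
        self.observed.setdefault(var, var.version)
        self.read_set.add(var)
        return self.write_set.get(var, var.value)

    def write(self, var, value):
        self.observed.setdefault(var, var.version)
        self.write_set[var] = value

class Runtime:
    """TM runtime; auth(principal, var, access) -> bool is the authorization manager."""
    def __init__(self, auth):
        self.auth = auth
        self.commit_lock = threading.Lock()

    def atomic(self, principal, body, retries=3):
        """Run body(tx) as transaction [principal] { ... }, retrying on conflict."""
        for _ in range(retries):
            tx = Transaction(principal)
            result = body(tx)
            try:
                self._commit(tx)
                return result
            except Conflict:
                continue                    # contention manager: retry
        raise Conflict("gave up after %d attempts" % retries)

    def _commit(self, tx):
        with self.commit_lock:
            # Validation: everything touched must be unchanged since first touched.
            for var, seen in tx.observed.items():
                if var.version != seen:
                    raise Conflict(var.name)
            # Introspection: the manager sees the whole read/write set before commit;
            # a single denial aborts the transaction, with no ad hoc failure handling.
            for var in tx.read_set:
                if not self.auth(tx.principal, var, "read"):
                    raise AccessDenied((tx.principal, var.name, "read"))
            for var in tx.write_set:
                if not self.auth(tx.principal, var, "write"):
                    raise AccessDenied((tx.principal, var.name, "write"))
            for var, value in tx.write_set.items():   # commit: publish, bump versions
                var.value, var.version = value, var.version + 1

def x_policy(principal, var, access):
    """Constructed policy for the X-server example: remote clients may touch only
    REMOTE-labelled resources; local clients may touch anything."""
    return principal.startswith("local") or var.label == "REMOTE"

def demo_information_flow():
    """A LOCAL clipboard: the local client's read commits, the remote one is denied."""
    rt = Runtime(x_policy)
    clipboard = TVar("clipboard", "secret", "LOCAL")
    local_value = rt.atomic("local-client", lambda tx: tx.read(clipboard))
    try:
        rt.atomic("remote-client", lambda tx: tx.read(clipboard))
        remote_denied = False
    except AccessDenied:
        remote_denied = True
    return local_value, remote_denied       # ("secret", True)

def demo_conflict_retry():
    """A commit landing between this transaction's read and its own commit is caught
    at validation; the transaction retries and its update is based on the new state."""
    rt = Runtime(x_policy)
    counter = TVar("counter", 0, "REMOTE")
    attempts, preempted = [0], [False]

    def body(tx):
        attempts[0] += 1
        value = tx.read(counter)
        if not preempted[0]:                # simulate preemption once, after the read
            preempted[0] = True
            rt.atomic("remote-client", lambda t: t.write(counter, t.read(counter) + 10))
        tx.write(counter, value + 1)

    rt.atomic("remote-client", body)
    return counter.value, attempts[0]       # (11, 2): no lost update
```

demo_information_flow() is the undesirable-flow case from the X-server slides: the request body is identical for both clients and contains no check, yet the remote read never commits. demo_conflict_retry() is the TOCTTOU case: the body's read and write are not atomic in time, but because the version observed at the read is validated again at commit, the stale attempt aborts and the retry acts on current state (the counter ends at 11 after two attempts, not at 1). This toy checks lazily, at commit; the DSTM2 port on the previous slide also supports checking as each access is added to the read/write set.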

GradeSheet in TMI/DSTM2 (the slide shows a code listing that is not captured in the transcript)

Evaluation: Ported four Java-based servers
- GradeSheet: a grade-management server
- FreeCS: a chat server
- WeirdX: an X window management server; enforced a simple XACML-based policy
- Tar: a tar archive service; enforced a Java stack inspection policy

Modifications needed (ellipses mark values cut off in the transcript):

    Server        LOC       Lines modified   Transactions
    GradeSheet    …         …                …
    Tar service   5,000     < 50             1
    FreeCS        22,…      …                …
    WeirdX        27,000    4,…              …

Authorization managers were approximately 200 lines of code in each case.

When to enforce policy? Three slides show the same transaction around perform_request() and place the checks allowed(principal, resource, access)? and allowed(principal, resource', access')? at different points:

    dispatch_request() {
        transaction [principal] {
            ...
            perform_request();
        }
    }

    perform_request() {
        ...
        perform_access(resource);
        ...
        perform_access'(resource');
    }

- Eager: each check is made when the access is recorded, at perform_access() and perform_access'()
- Lazy: all checks are made at validation, just before the transaction commits
- Parallel: the checks run concurrently with the transaction body

Performance overheads of TMI (bar chart; the only labels captured in the transcript are 10x and -15.8%)

Performance overheads of STM: Software transactional memory imposes a significant overhead.

    Server        Native    TMI-ported   Overhead
    GradeSheet    395 μs    451 μs       14.7%
    Tar service   4.96 s    15.40 s      2.1x
    FreeCS        321 μs    3907 μs      11.2x
    WeirdX        0.23 ms   6.40 ms      26.8x

Hardware TMs reduce the runtime overheads of TM runtime systems.

Take-home message: We can utilize the mechanisms of Software Transactional Memory to greatly improve security policy enforcement.

Thank you! Vinod Ganapathy, Rutgers University. Reference: Enforcing Authorization Policies using Transactional Memory Introspection, Proc. ACM CCS, October 2008.