Containment and Integrity for Mobile Code Status Report to DARPA ISO: Feb. 2000 Fred B. Schneider Andrew Myers Department of Computer Science Cornell University.

Presentation transcript:

Containment and Integrity for Mobile Code
Status Report to DARPA ISO: Feb. 2000
Fred B. Schneider, Andrew Myers
Department of Computer Science, Cornell University, Ithaca, New York 14853

Slide 1: Trustworthy Networked Information Systems: New Challenges
- Extensible components
  – flexible, efficient fine-grained access control
  – application-specific security policies
- Mistrustful (cooperating) hosts
  – source and contents of information for authorization
  – decentralized trust management
- Interactions of fault-tolerance and security
  – replication increases opportunities for compromise
  – code mobility adds new dimensions to fault-tolerance

Slide 2: Trustworthy Networked Information Systems: New Solutions
Under investigation:
- In-lined reference monitors
- Secrecy via annotated-program rewriting
- Asynchronous proactive secret sharing
- Gossip protocols
- Mobile code integrity:
  – NAP protocols (primary-backup revisited)
  – Cryptographic-based privilege management

Slide 3: Reference Monitor
Monitors execution to prevent bad behavior. Implementation requires...
  – Capturing policy-relevant events
  – Protecting reference monitor from subversion
[Figure: three placements of the reference monitor (RM) relative to program and kernel: kernel supported, interpreter, modified application]

Slide 4: In-lined Reference Monitors
When mechanism inserted into the application...
  – Allows policies in terms of application abstractions.
  – Pay only for what you need.
  – Enforcement without context switches into kernel.
  – Isolates state of enforcement mechanism.
[Figure: RM in-lined inside the program, running above the kernel]

Slide 5: Building In-lined Reference Monitors
- Implemented by object-code modification.
- Fundamental issues:
  – Does the application behave the same?
  – Can the application subvert the reference monitor?
- Pragmatic issues:
  – What policies can be enforced?
  – What is the overhead of enforcement?
[Figure: App P + Policy -> Rewriter -> Secure App]

Slide 6: What Policies can be Enforced?
Class EM enforcement mechanisms: Monitor a target system and terminate any execution that is about to violate the security policy. EM includes reference monitors and other operating-system- and hardware-supported mechanisms.
EM allows... Principle of Least Privilege: Allow only those accesses needed to get the job done.

Slide 7: Security automata
Thm: Every EM enforceable security policy can be characterized by some security automaton.
Thm: EM enforceable security policies = safety properties.
[Figure: two-state security automaton with transitions labelled "not read", "read" and "not send"]

Slide 8: Policy Specification Example
    /* Macros */
    push() ::= op == "push";
    ret()  ::= op == "ret";

    /* Security Automaton */
    start     ::= !(push() || ret()) -> start
                  push()             -> hasPushed ;
    hasPushed ::= !push()            -> hasPushed ;
[Figure: two-state automaton, states 0 and 1: "Push exactly once before returning"]

Slide 9: Enforcement Overhead?
- Insert check before each machine instruction.
- Eliminate unnecessary checks by partial evaluation (using local knowledge about insertion point).

Slide 10: Initial Prototype: SASI
Handles:
  – gcc output for x86
  – Java VM
[Figure: program + security policy -> rewriter -> object code satisfying policy]

Slide 11: Evaluation of SASI prototypes
- Reproduce MiSFIT [Small '96] functionality for x86 with SASI.
  – SASI clearer: 2 page automaton specification.
  – SASI sometimes more expensive: SASI doesn't change code... just inserts instructions.
- Delete Java security manager and run only SASI'd applets and SASI'd library.
  – SASI clearer: 5 page automaton specification.
  – SASI can be slightly cheaper: deletes calls and checks.
  – SASI more expressive: checks can be anywhere.
  – Java SM: No added code or c-time overhead.

Slide 12: Lessons Learned from SASI
- Checking machine instructions problematic:
  – Applications use abstractions (e.g., methods)
  – Must add code for some events (e.g., interrupts)
  – Must synthesize policy-level events
  ⇒ Specifying policies requires general computation and structured state
- Can build on language-based guarantees
  – Also works for x86: Typed Assembly Language, ECC, ...

Slide 13: Second Prototype: PoET/PSLang
PoET: Policy Enforcement Toolkit
PSLang: Policy Specification Language
... handles JVML class files
[Figure: program + security policy -> rewriter -> JVML class files satisfying policy]

Slide 14: PSLang: Policy Specification Language
    ADD STATE { boolean did_read = false; }
    ON EVENT methodCall FileInputStream.read { did_read = true; }
    ON EVENT methodCall Network.send CONDITION did_read { FAIL; }
- Subset of Java. (TCB is thus small)
- Event-driven programming model binds program actions (events) to security state updates.
- Policy expressible using application abstractions.
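The security-automaton enforcement of slides 7 and 8, the check insertion and partial evaluation of slide 9, and the no-send-after-read policy of slide 14, modelled together as an added example that is not code from SASI or PoET/PSLang. The SecurityAutomaton class, the tuple-encoded policies and the toy program format (a list of opcode strings) are assumptions of this example only.

```python
"""Toy model of SASI-style in-lined reference monitoring (added example, not
code from SASI or PoET/PSLang).  A security automaton is a transition table;
an event with no transition from the current state violates the policy, and
the monitor halts the program there (EM enforcement truncates the bad prefix)."""

class SecurityAutomaton:
    def __init__(self, start, alphabet, transitions):
        self.state = start
        self.alphabet = alphabet        # policy-relevant opcodes
        self.transitions = transitions  # {(state, op): next_state}

    def step(self, op):
        if op not in self.alphabet:     # the "!(push() || ret())" self-loop
            return True
        nxt = self.transitions.get((self.state, op))
        if nxt is not None:             # a transition exists: take it
            self.state = nxt
        return nxt is not None          # no transition means a violation

# Slides 7 and 14: no send once a file read has happened.
NO_SEND_AFTER_READ = ("start", {"read", "send"},
                      {("start", "read"): "hasRead", ("start", "send"): "start",
                       ("hasRead", "read"): "hasRead"})
# Slide 8: push exactly once before returning; a ret before any push, or a second push, is rejected.
PUSH_ONCE_BEFORE_RET = ("start", {"push", "ret"},
                        {("start", "push"): "hasPushed",
                         ("hasPushed", "ret"): "hasPushed"})

def rewrite(program, policy):
    """In-line a ("check", op) before each instruction the automaton can react
    to; checks before other opcodes are dropped because the automaton's guard
    is statically false there (the partial evaluation of slide 9)."""
    secured = []
    for op in program:                  # program: a list of opcode strings
        if op in policy[1]:
            secured.append(("check", op))
        secured.append(("exec", op))
    return secured

def run(program, policy):
    """Run the rewritten program; return (opcodes executed, opcode at which
    the monitor halted, or None if the run completed)."""
    sa, executed = SecurityAutomaton(*policy), []
    for kind, op in rewrite(program, policy):
        if kind == "check" and not sa.step(op):
            return executed, op         # terminate before the bad step
        if kind == "exec":
            executed.append(op)
    return executed, None
```

Because the monitor only ever truncates a trace at its first bad event, the two policies it can express here are exactly safety properties, as slide 7 states.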

Slide 15: PoET: Policy Enforcement Toolkit
- Routines for accessing state and events.
- Rewrites JVM class files and eliminates redundant checks. (17.5K loc = TCB)
- Program must obey certain constraints so code inserted works properly:
  – JVM verifier already provides necessary guarantees!
- Allows policy composition (conjunction):
  – Used in Prism Digital Library project for "loaning" digital objects. Manages security and preservation policies.

Slide 16: Trustworthy Networked Information Systems: New Solutions
Under investigation:
- In-lined reference monitors
- Secrecy via annotated-program rewriting
- Asynchronous proactive secret sharing
- Gossip protocols
- Mobile code integrity:
  – NAP protocols (primary-backup revisited)
  – Cryptographic-based privilege management

Slide 17: Secure and Fault-tolerant Replication
  server failure     -> replication
  server compromise  -> secret sharing
  mobile attack      -> proactive secret sharing (PSS)
  WAN setting        -> asynchronous PSS
[Figure: a client communicating with a set of servers]

Slide 18: Application of asynchronous PSS: Secure and Fault-tolerant Repository
- Data integrity protected.
  – client provides access control rules
- Data secrecy protected.
  – client provides blinding function
- Prototype deployment (in progress):
  – instances running on different platforms
  – instances running under different admin control
    – "trusted admins" assumed not to collude!

Slide 19: And still more to come...
- Gossip: Allows weaker assumptions about communications. (Provides weaker guarantees.)
  – Controlling the U.S. power distribution grid.
  – Network-wide clock synchronization.
- Mobile code integrity:
  – replication management -plus-
  – decentralized access control.
- "Trust management" logics: View network-wide authorization policies as formulas.
  – What should certificates say/mean?
  – Enforcement as theorem proving (and proof as audit)!