SecureBus: Towards Application-Transparent Trusted Computing with Mandatory Access Control Xinwen Zhang 1, Songqing Chen 2 Michael J. Covington 3, and.

Presentation transcript:

SecureBus: Towards Application-Transparent Trusted Computing with Mandatory Access Control
Xinwen Zhang 1, Songqing Chen 2, Michael J. Covington 3, and Ravi Sandhu 2
1 Samsung Information Systems America, San Jose, CA, USA
2 George Mason University, Fairfax, VA, USA
3 Intel Corporation, Hillsboro, OR, USA
Effective June 1, 2007 I am leaving George Mason after 18 years to be Founding Director and Chief Scientist of the new Institute for Cyber-Security Research at the University of Texas, San Antonio

What is Trusted Computing (TC)?
TC = TChw + TCsw
TChw = TPM + (TXT or SEM)
TCsw = whatever
TPM: Trusted Platform Module
– Standard defined by Trusted Computing Group (TCG)
– Combines cryptography with access control
– Root keys never leave TPM
– Root keys can only be used by approved software (as measured by hash chains themselves rooted in TPM)
– Remote attestation allows computer A to find out if computer B is running approved software
TXT: Trusted eXecution Technology (Intel)
SEM: Secure Execution Mode (AMD)
– Isolates process memory much better than traditional x86 architecture
– Trusted path for user I/O: to monitor from keyboard/mouse
What can be beneficially done using TChw?

Trusted Applications (Processes)
Trusted to handle data in conformance with security policy
Trusted to interact with other applications (on same or other computers) in conformance with security policy
[Figure: Trusted TC Applications (Processes)]
Why bother about TC for Trusted Applications?

Benefits of TC for Trusted Applications
Superior assurance for
– Memory isolation
– Trusted path for user I/O
– Remote attestation for interaction with trusted applications on other computers
Most prior TCsw work has focused on this case of TC for Trusted Applications
– May be adequate for low-interaction applications
– Does not scale to high-interaction applications

Partially Trusted Applications
Control interactions by means of mandatory mediation to enforce information flow policies
This contains damage due to malicious behavior (but does not eliminate it)
– Information can leak from Secret to Secret but not from Secret to Unclassified
– Viruses can propagate from Low Integrity to Low Integrity but not from Low Integrity to High Integrity
Covert channel problem remains
[Figure: Partially Trusted TC Applications]
Why bother about TC for Partially Trusted Applications?

Benefits of TC for Partially Trusted Applications
Superior assurance for
– Memory isolation
– Trusted path for user I/O
– Remote attestation for interaction with trusted applications on other computers
Three additional tasks for TCsw
– Attestation for interaction with partially trusted applications on the same computer
– Integrity and authentication of interaction input and output
– Mandatory mediation of interactions to conform with information flow policies

Application Transparency
How do we inject TC into Partially Trusted Applications without modifying the OS or the Application while allowing interaction?
Prior work suffers from one or more of
– Modifies the OS
– Modifies the Applications
– Prohibits interaction
– Permits unmediated interaction

Prior Work
PERSEUS (WISA03)
– Separation of conventional OS and applications from secure applications (e.g. DRM application)
– Communication through the low-level kernel: not flexible
BIND (Oakland05)
– Use TCG/TPM as root of trust
– Use secure kernel to allocate and enforce isolation of processes
   Only critical sections of a process run in isolated space.
   Process code needs to be modified by inserting functions to call BIND interfaces.
– No communication between isolated processes.
Linux Security Modules (LSM) (USENIX02)
– Loadable security modules for enhanced security
– No strong isolation

Related Work (cont)
Low-level virtualization: strong isolation but not flexible interaction
– Terra (SOSP03)
– VMWare
– Virtual PC
Paravirtualized systems: need taming of legacy OS
– Xen (SOSP03)
– sHype (ACSAC05)
High-level virtualization: simple but weak isolation
– User-Mode-Linux (UML)
– Proper in PlanetLab (USENIX05)
Language-based virtualization
– TrustedVM (USENIX VM05)
– The trust of the VM itself is based on TPM.

Contributions of SecureBus
Strong isolation with flexible interactions between processes
Process-level attestation
Preserving binary code integrity
Ensures data integrity and authenticity verification of interactions
Mandatory mediation for controlled information flow between processes

Architecture
SecureBus (SB):
– Transparent to OS and applications
– Provide application-level TC
Hardware-based root of trust:
– TPM/TXT
– Secure kernel (SK)
Trust Model:
– SK's integrity measured by TPM, signed by TPM with some PCRs
– SB's integrity measured by SK, signed by SK.
– SB's runtime protection with SK, TPM, and other necessary trusted hardware.
   Isolated runtime environment
   No write access from external

Architecture (cont)
Primitive functions of SB:
– Allocate and maintain isolated memory space before launching a process.
   By calling functions of SK and trusted hardware
– Measure code integrity before launching a process
– Process-based attestation
   Intra- and inter-platform
– Access and information flow control between processes

Data Authenticity between Processes
0. SB1 has measured the integrity values of D0 and P1
1. P1 takes input D0 and generates output D1
2. SB1 measures integrity of D1, and generates a signature of all these hash values V1
   – V1 = {H(H(D0) || H(P1) || H(D1))}_{k^-1}
3. SB1 sends D1 and V1 to SB2
4. SB2 verifies the signature, and sends D1 to P2 if success
5. P2 takes D1 and generates output D2, which can be verified by P1
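
Steps 2 to 4 of the exchange above, as an added example that is not code from the SecureBus prototype. It assumes SHA-256 for H, a toy textbook-RSA key pair standing in for SB1's signing key k^-1 (constructed, unpadded and far too small for real use), and that SB2 already holds the expected values of H(D0) and H(P1); the function names are hypothetical.

```python
import hashlib

# Toy textbook-RSA key for SB1 (constructed for this example; not secure).
P, Q = 2**127 - 1, 2**89 - 1            # two Mersenne primes
N, E = P * Q, 65537                     # public key known to SB2
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, plays the role of k^-1


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain_digest(h_d0: bytes, h_p1: bytes, h_d1: bytes) -> int:
    """H(H(D0) || H(P1) || H(D1)), reduced mod N so the toy key can sign it."""
    return int.from_bytes(H(h_d0 + h_p1 + h_d1), "big") % N


def sb1_sign(d0: bytes, p1_code: bytes, d1: bytes) -> int:
    """Step 2: SB1 measures D1 and signs the chained measurement, giving V1."""
    return pow(chain_digest(H(d0), H(p1_code), H(d1)), D, N)


def sb2_verify(v1: int, d1: bytes, expected_h_d0: bytes, expected_h_p1: bytes) -> bool:
    """Step 4: SB2 recomputes the chain over the D1 it received and checks V1.

    D1 is released to P2 only when this returns True.
    """
    return pow(v1, E, N) == chain_digest(expected_h_d0, expected_h_p1, H(d1))


def demo():
    d0, p1_code, d1 = b"constructed input", b"constructed P1 binary", b"constructed output"
    v1 = sb1_sign(d0, p1_code, d1)                       # step 3 sends (d1, v1)
    ok = sb2_verify(v1, d1, H(d0), H(p1_code))
    tampered = sb2_verify(v1, d1 + b"!", H(d0), H(p1_code))
    wrong_code = sb2_verify(v1, d1, H(d0), H(b"patched P1 binary"))
    return ok, tampered, wrong_code


if __name__ == "__main__":
    print(demo())
```

Because the signature binds the input, the code measurement and the output together, a change to any one of the three makes SB2's check fail.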

Mandatory Access Control between Processes
Requirements:
– Fine-grained
– Configurable policies
– Policy neutral: role/domain/type/history-based policies
– Minimum of PEP – put policy management outside
Features:
– Separation of policy definition and application development enables parallel development
– Support composition of PDPs

Access Control Model
Attribute-based access control model
Subjects: processes
Subject attributes: the user (pid) context
– domain/group, clearance, role
– Application-specific
– Can be from external attribute authorities
Objects: processes and pure objects (e.g., files)
Object attributes:
– Type, directory, user context info of the processes
– Application-specific: e.g., last accessing subject id
Attribute values can be updated as side-effects of accesses
– e.g., Labels for history-based policies
User authentication:
– To get valid user context info
– Prerequisite for policy enforcement
– Not included here

Chinese Wall Policies
History-based access control policies
Can be described with a lattice-based model (Sandhu93)
– Create subject/object
   (u, s, create) L(s) L_m(u)
   (s, o, create) L(o) L(s)
– No-read-up (simple property)
   (s, o, read) L(s) L(o)
– No-write-down (*-property)
   (s, o, write) L(s) L(o)
– High-watermark for subject label: update of subject label
   (s, o, read) L(s) = (L(s) L(o)) (L(s) L_m(u))
   (s1, s2, write) L(s2) = (L(s1) L(s2)) (L(s2) L_m(u2))
Where L_m(u) is the user's maximum label of a process.
SB provides mechanisms for recording security labels and trusted updates
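
A sketch of a history-based Chinese Wall check over a label lattice, added here as an example and not taken from the SecureBus prototype. The relation symbols of the formulas above are missing on this page, so the code assumes the usual reading of the named properties: a read raises L(s) to the join of L(s) and L(o) as long as the result stays within L_m(u), and a write requires the target's label to dominate L(s). It further assumes a label is a mapping from conflict-of-interest (COI) class to company, with a top element SYSHIGH that no subject may reach; all names and sample labels are constructed.

```python
SYSHIGH = "SYSHIGH"  # lattice top: two companies from the same COI class


def join(a, b):
    """Least upper bound of two labels; a label maps COI class -> company."""
    if SYSHIGH in (a, b):
        return SYSHIGH
    merged = dict(a)
    for coi, company in b.items():
        if merged.setdefault(coi, company) != company:
            return SYSHIGH          # conflict of interest inside one class
    return merged


def dominates(a, b):
    """True when a >= b: a agrees with b on every class b has committed to."""
    if a == SYSHIGH:
        return True
    if b == SYSHIGH:
        return False
    return all(a.get(coi) == company for coi, company in b.items())


class Subject:
    def __init__(self, user_max):
        self.label = {}             # L(s): nothing accessed yet
        self.user_max = user_max    # L_m(u), the user's maximum label


def read(s, obj_label):
    """High-watermark read: raise L(s) to the join, bounded by L_m(u)."""
    raised = join(s.label, obj_label)
    if raised == SYSHIGH or not dominates(s.user_max, raised):
        return False                # would cross the wall or exceed L_m(u)
    s.label = raised                # the trusted label update SB must record
    return True


def write(s, obj_label):
    """No-write-down: the target's label must dominate L(s)."""
    return dominates(obj_label, s.label)


def demo():
    s = Subject(user_max=SYSHIGH)   # no cap beyond the wall itself
    return [read(s, {"bank": "BankA"}), read(s, {"oil": "OilX"}),
            read(s, {"bank": "BankB"}),           # same COI class: denied
            write(s, {"oil": "OilX"}),            # would leak BankA data: denied
            write(s, {"bank": "BankA", "oil": "OilX"})]
```

The denied write shows why the subject label has to be updated on every read: without the recorded history, data read from BankA could be relayed through an OilX object to a subject working for BankB.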

Prototype Implementation
Process isolation with virtualization
– User-Mode-Linux (UML), user-space VMs
SB is implemented as a daemon in host OS
IPC with Socket
– Communicate with Tun/Tap interface in host OS
[Figure: VM1, Tun/tap, Reference Monitor, Tun/tap, VM2; token, send/recv; VMM; Host OS user space; Host OS]

Access Control Performance
Read/Write accesses are implemented with the send/recv methods of a TCP socket.
Security labels:
– Process security labels are the set of group names of the user
– File/directory labels are defined with an SB_LABEL file in the same directory
A security token is issued by SB for an access request.
Performance can be improved with a token caching mechanism.

Conclusions
We propose SecureBus architecture:
– Process-level isolation and attestation
– Trusted communication between processes
– Comprehensive integrity protection:
   Code integrity
   Input/output authenticity
   Mandatory access control of interactions
– Can be built in a layer transparent to applications

Ongoing and Future Work
XACML implementation of a general PDP for SB
– OASIS standard access control policy specification and enforcement
– Support general subject and object attributes
– Can support multiple-level PDPs in distributed systems
Support general MAC models
– Lattice-based, role-based, domain/type-based, history-based, and usage-based policies
Trusted collaborative computing systems
– Grids, Web Services, and P2P systems
– Virtual domains/organizations/coalitions
Prototype implementation with TPM/TXT-enabled platform

Thanks!