Presentation is loading. Please wait.

Presentation is loading. Please wait.

Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières.

Published byCandice Baldwin Modified over 8 years ago

Similar presentations

Presentation on theme: "Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières."— Presentation transcript:

1 Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

2 Too much trusted software ● Untrustworthy code a huge problem ● Users willingly run malicious software – Malware, spyware,... ● Even legitimate software is often vulnerable – Symantec remote vulnerability ● No sign that this problem is going away ● Can an OS make untrustworthy code secure?

3 Example: Virus Scanner Private User Files Virus Scanner /tmp Update Process Virus Database Network ● Goal: private files cannot go onto the network Symantec ™

4 Information Flow Control Private User Files Virus Scanner /tmp Update Process Virus Database Network ● Goal: private files cannot go onto the network

5 Buggy scanner leaks private data Private User Files Virus Scanner /tmp Update Process Virus Database Network ● Must restrict sockets to protect private data

6 Buggy scanner leaks private data Update Process Virus Database Network Private User Files Virus Scanner /tmp ● Must restrict scanner's ability to use IPC

7 Buggy scanner leaks private data Update Process Virus Database Network Private User Files Virus Scanner /tmp ● Must run scanner in chroot jail

8 Buggy scanner leaks private data Update Process Virus Database Network User Shel l ptrace Private User Files Virus Scanner /tmp ● Must run scanner with different UID

9 Buggy scanner leaks private data setproctitl e: 0x6e371b c2 Update Process Virus Database Network ps Private User Files /tmp ● Must restrict access to /proc,...

10 Buggy scanner leaks private data Update Process Virus Database Network disk usage Private User Files Private User Files Virus Scanner /tmp ● Must restrict FS'es that virus scanner can write

11 Buggy scanner leaks private data Update Process Virus Database Network fcntl locking Private User Files Virus Scanner /tmp ● List goes on – is there any hope?

12 What's going on? P1 Unix Kernel Unix P2P3 Hardware ● Kernel not designed to enforce these policies ● Retrofitting difficult – Need to track potentially any memory observed or modified by a system call! – Hard to even enumerate

13 What's going on? P1 Unix Kernel Unix P2P3 Hardware ● Kernel not designed to enforce these policies ● Retrofitting difficult – Need to track potentially any memory observed or modified by a system call! – Hard to even enumerate

14 HiStar Solution HiStar Kernel Unix HiStar Unix Library P1P2P3 U1U2U3 Hardware P1 Unix Kernel P2P3 Hardware ● Make all state explicit, track all communication

15 HiStar: Contributions ● Narrow kernel interface, few comm. channels – Minimal mechanism: enough for a Unix library – Strong control over information flow ● Unix support implemented as user-level library – Unix communication channels are made explicit, in terms of HiStar's mechanisms – Provides control over the gamut of Unix channels

16 HiStar kernel objects Segment (Data) Address Space Thread Gate (IPC) Container (Directory) Device (Network)

17 HiStar kernel objects Segment (Data) Address Space Thread Gate (IPC) Container (Directory) Device (Network) Label Think of labels as a “tainted” bit

18 HiStar: Unix process Code Segment Address Space Thread Process Container Data Segment

19 Unix File Descriptors Process AProcess B File Descriptor (O_RDONLY) Kernel State

20 Unix File Descriptors Process AProcess B File Descriptor (O_RDONLY) Kernel State ● Tainted process only talks to other tainted procs

21 Unix File Descriptors Process AProcess B File Descriptor (O_RDONLY) Seek pointer: 0xa32f Kernel State ● Lots of shared state in kernel, easy to miss

22 HiStar File Descriptors Address Space A Thread A File Descriptor Segment (O_RDONLY) Seek pointer: 0xa32f Address Space B Thread B

23 HiStar File Descriptors Address Space A Thread A File Descriptor Segment (O_RDONLY) Seek pointer: 0xa32f Address Space B Thread B ● All shared state is now explicitly labeled ● Just need segment read/write checks

24 Taint Tracking Strawman Tainted Thread A FileThread B write(File)

25 Taint Tracking Strawman Tainted Thread A Thread B write(File) File ● Propagate taint when writing to file

26 Taint Tracking Strawman Thread B read(File) ● Propagate taint when writing to file ● What happens when reading? Tainted Thread A File

27 Taint Tracking Strawman Thread B read(File) Tainted Thread A File

28 Strawman has Covert Channel Tainted Thread A File 0 File 1 Thread B Network Secret = 1 X

29 Strawman has Covert Channel Tainted Thread A Thread B File 0 File 1 Network write(File 1) Secret = 1

30 Strawman has Covert Channel Tainted Thread A Thread B File 0 File 1 Network read(File 0) read(File 1) Secret = 1

31 Strawman has Covert Channel Tainted Thread A Thread B File 0 File 1 Network send email: “secret=1” Secret = 1

32 Strawman has Covert Channel Tainted Thread A Thread B File 0 File 1 Network Secret = 1 read(File 0) read(File 1) ● What if we taint B when it reads File 1?

33 Strawman has Covert Channel Tainted Thread A Thread 0File 0 File 1Thread 1 Network Secret = 1 read(File 0) read(File 1) ● What if we taint B when it reads File 1?

34 Strawman has Covert Channel Tainted Thread A Thread 0File 0 File 1Thread 1 Network Secret = 1 send email: “secret=1” send email: “secret=0” ● What if we taint B when it reads File 1?

35 HiStar: Immutable File Labels Tainted Thread A Thread B read(...) Untainted File Tainted File write(...) ● Label (taint level) is state that must be tracked ● Immutable labels solve this problem!

36 Who creates tainted files? Tainted Thread A Untainted File Thread B DirectoryCreate Tainted File Tainted File ● Tainted thread can't modify untainted directory to place the new file there...

37 Thread B Tainted File Directory Tainted Thread A Create Tainted File Thread C HiStar: Untainted thread pre-creates tainted file ● Existence and label of tainted file provide no information about A Untainted File

38 Reading a tainted file Tainted Thread A Untainted File Thread B Tainted File Directory ● Existence and label of tainted file provide no information about A Thread C

39 Reading a tainted file Tainted Thread A Untainted File Thread B Tainted File Directory readdir(): T. File's label ● Existence and label of tainted file provide no information about A Thread C

40 Reading a tainted file Tainted Thread A Untainted File Thread B Tainted File Directory Taint self ● Existence and label of tainted file provide no information about A ● Neither does B's decision to taint Thread C

41 HiStar avoids file covert channels ● Immutable labels prevent covert channels that communicate through label state ● Untainted threads pre-allocate tainted files – File existence or label provides no secret information ● Threads taint themselves to read tainted files – Tainted file's label accessible via parent directory

42 Problems with IPC IP C Po rt DB Serve r Client Threa d Time ● IPC with tainted client – Taint server thread during request SELECT... Server Threads Create

43 Problems with IPC IP C Po rt IPC Ret urn DB Serve r Client Threa d Time ● IPC with tainted client – Taint server thread during request SELECT... Server Threads Create

44 Problems with IPC IP C Po rt IPC Ret urn DB Serve r Client Threa d Time ● IPC with tainted client – Taint server thread during request Results Server Threads Create

45 Problems with IPC IP C Po rt IPC Ret urn DB Serve r Client Threa d Time ● IPC with tainted client – Taint server thread during request – Secrecy preserved? Results Server Threads Create

46 Problems with IPC IP C Po rt IPC Ret urn DB Serve r Client Threa d Time ● IPC with tainted client – Taint server thread during request – Secrecy preserved? ● Lots of client calls – Limit server threads? Leaks information... – Otherwise, no control over resources! Create Results Server Threads

47 Gates make resources explicit ● Client donates initial resources (thread) Time Ga te DB Serve r Client Threa d SELECT... Server Threads Create

48 Gates make resources explicit ● Client donates initial resources (thread) ● Client thread runs in server address space, executing server code Time Ga te DB Serve r Client Threa d SELECT... Server Threads Create Server Code Re tur n Ga te

49 Gates make resources explicit ● Client donates initial resources (thread) ● Client thread runs in server address space, executing server code Time Ga te DB Serve r Client Threa d Results Server Threads Create Server Code Re tur n Ga te

50 Gates make resources explicit ● Client donates initial resources (thread) ● Client thread runs in server address space, executing server code ● No implicit resource allocation – no leaks Time Ga te DB Serve r Client Threa d Server Threads Create Server Code Re tur n Ga te Results

51 How do we get anything out? Network Virus Scanner Alice's Files

52 “Owner” privilege Alice's shell Network Virus Scanner Alice's Files ● Yellow objects can only interact with other yellow objects, or objects with yellow star ● Small, trusted shell can isolate a large, frequently-changing virus scanner

53 Multiple categories of taint Alice's shell Network Virus Scanner Alice's Files Bob's shell Bob's Files Virus Scanner ● Owner privilege and information flow control are the only access control mechanism ● Anyone can allocate a new category, gets star

54 What about “root”? ● Huge security hole for information flow control – Observe/modify anything – violate any security policy ● Make it explicit – Can be controlled as necessary

55 HiStar root privileges are explicit Alice's shell Bob's shell root's shell Alice's Files Bob's Files ● Kernel gives no special treatment to root

56 HiStar root privileges are explicit Bob's Secret Files Alice's shell Bob's shell root's shell Alice's Files Bob's Files ● Users can keep secret data inaccessible to root

57 What about inaccessible files? Bob's Secret Files Alice's shell Bob's shell root's shell Alice's Files Bob's Files ● Noone has privilege to access Bob's Secret Files

58 HiStar resource allocation Bob's Container Bob's Files Bob's shell

59 HiStar resource allocation Bob's Secret Container Bob's Container Bob's Files Bob's Secret Files Bob's shell ● Create a new sub-container for secret files

60 HiStar resource allocation Bob's Secret Container Bob's Container Bob's Files Bob's Secret Files Bob's shell ● Create a new sub-container for secret files

61 HiStar resource allocation Unlink ● Create a new sub-container for secret files ● Bob can delete sub-container even if he cannot otherwise access it! Bob's Secret Container Bob's Container Bob's Files Bob's Secret Files Bob's shell

62 HiStar resource allocation ● Create a new sub-container for secret files ● Bob can delete sub-container even if he cannot otherwise access it! Bob's Secret Container Bob's Container Bob's Files Bob's Secret Files Bob's shell

63 HiStar resource allocation ● Create a new sub-container for secret files ● Bob can delete sub-container even if he cannot otherwise access it! Bob's Container Bob's Files Bob's shell

64 HiStar resource allocation Bob's Container Bob's Files Bob's shell Root Container root's shell ● Root has control over all resources, via the root container

65 Persistent Storage ● Unix: file system implemented in the kernel – Many potential pitfalls leading to covert channels: mtime, atime, link counts,... – Would be great to implement it in user-space as well ● HiStar: Single-level store (ala Multics / EROS) – All kernel objects stored on disk – memory is a cache – No difference between disk & memory objects

66 File System Segment /tmp/one Container /tmp/two Filename Segment one two Container /tmp... ● Implemented at user-level, using same objects ● Security checks separate from FS implementation

67 HiStar kernel design ● Kernel operations make information flow explicit – Explicit operation for thread to taint itself ● Kernel never implicitly changes labels – Explicit resource allocation: gates, pre-created files ● Kernel never implicitly allocates resources ● Kernel has no concept of superuser – Users can explicitly grant their privileges to root – Root owns the top-level container

68 Applications ● Many Unix applications – gcc, gdb, openssh,... ● High-security applications alongside with Unix – Untrusted virus scanners (already described) – VPN/Internet data separation (see paper) – login with user-supplied authentication code (next)

69 Login on Unix ● Login must run as root – Only root can setuid() to grant user privileges ● Why is this bad? – Login is complicated (Kerberos, PAM,...) – Bugs lead to complete system compromise

70 Login on HiStar Login Process Alice's Auth. Service Bob's Auth. Service User: Bob Pass: 1bob PW: H(alic3) PW: H(1bob) ● Each user can provide their own auth. service

71 Login on HiStar Login Process Pass: 1bob Alice's Auth. Service Bob's Auth. Service PW: H(alic3) PW: H(1bob) ● Each user can provide their own auth. service

72 Login on HiStar Login Process OK Pass: 1bob Alice's Auth. Service Bob's Auth. Service PW: H(alic3) PW: H(1bob)

73 Password disclosure Login Process Pass: 1bob Alice's Auth. Service Bob's Auth. Service PW: H(alic3) PW: H(1bob) ● What if Bob mistypes his username as “alice”?

74 Password disclosure Login Process Pass: 1bob Alice's Auth. Service Bob's Auth. Service PW: H(alic3) PW: H(1bob) ● What if Bob mistypes his username as “alice”? Network

75 Avoiding password disclosure ● It's all about information flow – HiStar enforces: – “Password cannot go out onto the network” ● Details in the paper

76 Reducing trusted code ● HiStar allows developers to reduce trusted code – No code with every user's privilege during login – No trusted code needed to initiate authentication – 110-line trusted wrapper for complex virus scanner ● Small kernel: 16,000 lines of code

77 HiStar Conclusion ● HiStar reduces amount of trusted code – Enforce security properties on untrusted code using strict information flow control ● Kernel interface eliminates covert channels – Make everything explicit: labels, resources ● Unix library makes Unix information flow explicit – Superuser by convention, not by design

78 What about Asbestos? ● Different goal: Unix vs. specialized web server – HiStar closes covert channels inherent in the Asbestos design (mutable labels, IPC,...) – Lower-level kernel interface ● Process vs Container+Thread+AS+Segments+Gates ● 2 times less kernel code than Asbestos ● Generality shown by the user-space Unix library – System-wide support for persistent storage ● Asbestos uses trusted user-space file server – Resources are manageable ● In Asbestos, reboot to kill runaway process

79 How is this different from EROS? ● To isolate in EROS, must strictly partition the capabilities between isolated applications ● Labels enforce policy without affecting structure – Can impose policies on existing code (see paper)

80 Benchmarks, relative to Linux Comparable performance to Linux and OpenBSD Application-level benchmarks and disk benchmarks

81 Benchmarks, relative to Linux 217x faster! Synchronous creation of 10,000 files HiStar allows use of group sync. Application either runs to completion, or appears to never start (single-level store)

82 Benchmarks, relative to Linux 7.5x slower Linux: 9 syscalls per iteration HiStar: 317 syscalls per iteration

Download ppt "Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières."

Similar presentations

More on File Management

More on File Management
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
PlanetLab Operating System support* *a work in progress.

PlanetLab Operating System support* *a work in progress.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
1 Emulab Security. 2 Current Security Model Threat model: No malicious authenticated users, Bad Guys are all “outside” –Protect against accidents on the.

1 Emulab Security. 2 Current Security Model Threat model: No malicious authenticated users, Bad Guys are all “outside” –Protect against accidents on the.
Virtual Memory Virtual Memory Management in Mach Labels and Event Processes in Asbestos Ingar Arntzen.

Virtual Memory Virtual Memory Management in Mach Labels and Event Processes in Asbestos Ingar Arntzen.
Building Secure Software Chapter 9 Race Conditions.

Building Secure Software Chapter 9 Race Conditions.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
1 Course Outline Processes & Threads CPU Scheduling Synchronization & Deadlock Memory Management File Systems & I/O Networks, Protection and Security.

1 Course Outline Processes & Threads CPU Scheduling Synchronization & Deadlock Memory Management File Systems & I/O Networks, Protection and Security.
Operating System Organization

Operating System Organization
G22.3250-001 Robert Grimm New York University Protection and the Control of Information Sharing in Multics.

G Robert Grimm New York University Protection and the Control of Information Sharing in Multics.
Highly Available ACID Memory Vijayshankar Raman. Introduction §Why ACID memory? l non-database apps: want updates to critical data to be atomic and persistent.

Highly Available ACID Memory Vijayshankar Raman. Introduction §Why ACID memory? l non-database apps: want updates to critical data to be atomic and persistent.
Chapter 6 Operating System Support. This chapter describes how middleware is supported by the operating system facilities at the nodes of a distributed.

Chapter 6 Operating System Support. This chapter describes how middleware is supported by the operating system facilities at the nodes of a distributed.
M i SMob i S Mob i Store - Mobile i nternet File Storage Platform Chetna Kaur.

M i SMob i S Mob i Store - Mobile i nternet File Storage Platform Chetna Kaur.
Controlling Files Richard Newman based on Smith “Elementary Information Security”

Controlling Files Richard Newman based on Smith “Elementary Information Security”
CMSC 414 Computer (and Network) Security Lecture 14 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 14 Jonathan Katz.
Cosc 4010 Sandboxing. Last lecture Last time, we covered chroot, which is a method to sandbox a problem. –Not full proof by any means. Many simple mistakes.

Cosc 4010 Sandboxing. Last lecture Last time, we covered chroot, which is a method to "sandbox" a problem. –Not full proof by any means. Many simple mistakes.
4P13 Week 1 Talking Points. Kernel Organization Basic kernel facilities: timer and system-clock handling, descriptor management, and process Management.

4P13 Week 1 Talking Points. Kernel Organization Basic kernel facilities: timer and system-clock handling, descriptor management, and process Management.
Background: Operating Systems Brad Karp UCL Computer Science CS GZ03 / M030 30 th November, 2008.

Background: Operating Systems Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.

Similar presentations

Ads by Google