Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris.

Published byBryana Digby Modified over 10 years ago

Similar presentations

Presentation on theme: "Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris."— Presentation transcript:

1 Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris

2 Vulnerabilities in Websites  Exploits Web software is buggy Attackers find and exploit these bugs Data is stolen / Corrupted – “USAJobs.gov hit by Monster.com attack, 146,000 people affected” – “UN Website is Defaced via SQL Injection” – “Payroll Site Closes on Security Worries” – “Hacker Accesses Thousands of Personal Data Files at CSU Chico” – “FTC Investigates PETCO.com Security Hole” – “Major Breach of UCLA’s Computer Files” – “Restructured Text Include Directive Does Not Respect ACLs”

3 Decentralized Information Flow Control (DIFC) Layoff Plans Free TShirts Web App Declassifier CEO  GET /LayoffPlans “I am the CEO. My PW is 123” “OK” Intern

4 Decentralized Information Flow Control (DIFC) Layoff Plans Free TShirts Web App Declassifier CEO Intern /tmp File Helper Process GET /LayoffPlans GET ^@^$^$#

5 Why is DIFC a cult?

6 Who Needs to Understand DIFC? Layoff Plans Free TShirts Web App Declassifier CEO Intern /tmp File Helper Process

7 Why is Today’s DIFC DIFfiCult? Label systems are complex Unexpected program behavior Cannot reuse existing code – Drivers, SMP support, standard libraries

8 Unexpected Program Behavior (Unreliable Communication) Process qProcess p “I stopped reading” “I crashed”  “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…”

9 Unexpected Program Behavior (Mysterious Failures) Process pProcess q File

10 Solution/Outline 1.Flume: Solves DIFC Problems – User-level implementation of DIFC on Linux – Simple label system – Endpoints: Glue Between Unix API and Labels 2.Application + Evaluation – Real Web software secured by Flume

11 Outline 1.Flume: Solves DIFC Problems – User-level implementation of DIFC on Linux – Simple label system – Endpoints: Glue Between Unix API and Labels 2.Application + Evaluation

12 Flume Implementation Goal: User-level implementation – apt-get install flume Approach: – System Call Delegation [Ostia by Garfinkel et al, 2003] – Use Linux 2.6 (or OpenBSD 3.9)

13 System Call Delegation Web App glibc Linux Kernel Layoff Plans open(“/hr/LayoffPlans”, O_RDONLY);

14 System Call Delegation Web App Flume Libc Linux Kernel Layoff Plans open(“/hr/LayoffPlans”, O_RDONLY); Flume Reference Monitor Web App

15 Three Classes of Processes Flume Reference Monitor Linux Kernel Process p Flume Reference Monitor Linux Kernel Process p Flume Reference Monitor Linux Kernel Process p Flume-ObliviousUnconfined/ Mediators Confined

16 Outline 1.Flume: Solves DIFC Problems – User-level implementation of DIFC on Linux – Simple label system – Endpoints: Glue Between Unix API and Labels 2.Application + Evaluation

17 Information Flow Control (IFC) Goal: track which secrets a process has seen Mechanism: each process gets a secrecy label – Label summarizes which categories of data a process is assumed to have seen. – Examples: { “Financial Reports” } { “HR Documents” } { “Financial Reports” and “HR Documents” } “tag” “label”

18 Tags + Labels Process p tag_t HR = create_tag(); S p = {} D p = {} D p = { HR } Universe of Tags: Finance Legal SecretProjects change_label({Finance}); S p = { Finance }S p = { Finance, HR } HR change_label({Finance,HR}); change_label({Finance}); change_label({}); DIFC: Declassification in action. Same as Step 1. Any process can add any tag to its label. DIFC Rule: A process can create a new tag; gets ability to declassify it.

19 Communication Rule Process qProcess p S q = { HR, Finance } S p = { HR }  p can send to q iff S p  S q

20 Outline 1.Flume: Solves DIFC Problems – User-level implementation of DIFC on Linux – Simple label system – Endpoints: Glue Between Unix API and Labels 2.Application + Evaluation

21 Recall: Communication Problem Process p stdinstdout “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” “SLOW DOWN!!” “I crashed”  S q = { HR } ? S p = {} D p = { HR } Process q

22 New Abstraction: Endpoints f S f = { HR }S e = { HR } Process qProcess p S p = {} D p = { HR } e If S e  S f, then allow e to send to f If S f  S e, then allow f to send to e If S f = S e, then allow bidirectional flow If S e  S f, then allow e to send to f If S f  S e, then allow f to send to e If S f = S e, then allow bidirectional flow S q = { HR } “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” “SLOW DOWN!!” “I crashed”  

23 Thus p needs HR  D p Thus p needs HR  D p Endpoints Declassify Data Data enters process p with secrecy { HR } But p keeps its label S p = {} S e = { HR } Process p S p = {} D p = { HR } e

24 Endpoint Invariant For any tag t  S p and t  S e Or any tag t  S e and t  S p It must be that t  D p Process p e S p = { Finance } S e = { HR } D p = { Finance, HR} Writing Reading

25 Endpoints Labels Are Independent f g S f = { HR } S g = {} S e = { HR } Process qProcess p S q = { HR }S p = {} D p = { HR } e

26 Recall: Mysterious Failures Process p File Process q

27 Endpoints Reveal Errors Eagerly Process p S p = {} /tmp/public.dat S public.dat = {}  open(“/tmp/public.dat”, O_WRONLY);  change_label({HR}) e S e = {} Process q S q = { HR } D p = {} S p = { HR } ? Violates endpoint invariant! S p – S e = { HR }  D p Violates endpoint invariant! S p – S e = { HR }  D p

28 Endpoints Reveal Errors Eagerly Process p S p = {} /tmp/public.dat S public.dat = {}  fd = open(“/tmp/public.dat”, O_WRONLY);  close(fd);  change_label({HR}) e S e = {} Process q S q = { HR } D p = {} S p = { HR }

29 Outline 1.Flume: Solves DIFC Problems 2.Application + Evaluation

30 Questions for Evaluation Does Flume allow adoption of Unix software? Does Flume solve security vulnerabilities? Does Flume perform reasonably?

31 Example App: MoinMoin Wiki

32 How Problems Arise… MoinMoin Wiki (100 kLOC) MoinMoin Wiki (100 kLOC) FreeTShirts LayoffPlans if not self.request.user.may.read(pagename): return self.notAllowedFault() if not self.request.user.may.read(pagename): return self.notAllowedFault() x43

33 MoinMoin + DIFC Apache Web Server Apache Web Server MoinMoin Wiki (100 kLOC) MoinMoin Wiki (100 kLOC) FreeTShirts LayoffPlans Declassifier 1 kLOC UntrustedTrusted

34 FlumeWiki Apache MoinMoin (100 kLOC) FreeTShirts LayoffPlans Declassifier 1 kLOC Web Client GET /LayoffPlans?user=Intern&PW=abcd S={} S={ HR } reliable IPC file I/O Flume- Oblivious unconfined confined

35 Future Work Apache Totally Suspect Software FreeTShirts LayoffPlans Declassifier 1 kLOC Web Client GET /LayoffPlans?user=Intern&PW=abcd S={} S={ HR }

36 Results Does Flume allow adoption of Unix software? – 1,000 LOC launcher/declassifier – 1,000 out of 100,000 LOC in MoinMoin changed – Python interpreter, Apache, unchanged Does Flume solve security vulnerabilities? – Without our knowing, we inherited two ACL bypass bugs from MoinMoin – Both are not exploitable in Flume’s MoinMoin Does Flume perform reasonably? – Performs within a factor of 2 of the original on read and write benchmarks

37 Most Related Work Asbestos, HiStar: New DIFC OSes Jif: DIFC at the language level Ostia, Plash: Implementation techniques Classical MAC literature (Bell-LaPadula, Biba, Orange Book MAC, Lattice Model, etc.)

38 Limitations Bigger TCB than HiStar / Asbestos – Linux stack (Kernel + glibc + linker) – Reference monitor (~22 kLOC) Covert channels via disk quotas Confined processes like MoinMoin don’t get full POSIX API. – spawn() instead of fork() & exec() – flume_pipe() instead of pipe()

39 Summary DIFC is a challenge to Programmers Flume: DIFC in User-Level – Preserves legacy software – Complements today’s programming techniques MoinMoin Wiki: Flume works as promised Invite you to play around: http://flume.csail.mit.edu

40 Thanks! To: ITRI, Nokia, NSF and You

41 Reasons to Read the Paper Generalized security properties – Including: Novel integrity policies Support for very large labels Support for clusters of Flume Machines

42 Flume’s Rule is Fast Recall: p can send to q iff: S p – D p  S q  D q To Compute: – for each tag t  S p : If t  S q and t  D p and t  D q : – output “NO” – output “OK” Runs in time proportional to size of S p. No need to enumerate D p or D q !!!

43 Flume Communication Rule 1.q changes to S q = { Alice } 2.p sends to q 3.q changes back to S q = {} MoinMoin (r) MoinMoin (p) S r = { Bob } S p = { Alice } Database (q) S q = {} D q = { Alice, Bob } ?? S p  S q S q = { Alice } D q = { Alice, Bob } 

44 Flume Communication Rule MoinMoin (r) MoinMoin (p) S r = { Bob } S p = { Alice } Database (q) S q = {} D q = { Alice, Bob }   Senders get extra latitude Receivers get extra latitude p can send to q iff: – In IFC: S p  S q – In Flume: S p – D p  S q  D q

45 Flume Kernel Module Flume Libc Linux Kernel Alice’s Data open(“/alice/inbox.dat”, O_RDONLY); Flume Reference Monitor Web App mov $0x5, %eax int $0x80 open(…) 

46 Reference Monitor Proxies Pipes Linux Kernel write(0, “some data”, 10); Flume Reference Monitor Web AppHelper Process

47 Unconfined Processes sendmail stderr TCP Socket mmap ’ed memory ioctl fork ’ed child kill sigcatch getpwent e  S e   = {} /tmp/public.dat S public.dat = {} S p = {}D p = {} Process q S q = { HR } DIFC “Unconfined processes get e  endpoint.”  change_label({HR}) D p = { HR }S p = { HR }  

48 Endpoints Reveal Errors Eagerly Process p S p = {} /tmp/public.dat S public.dat = {}  open(“/tmp/public.dat”, O_WRONLY);  change_label({HR}) e S e = {} Process q S q = { HR } D p = {HR} S p = { HR }  

49 Why Do We Need S p ? Process p e S p = { Finance } S e = { Finance, HR } D p = { HR }

Download ppt "Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris."

Similar presentations

MicroKernel Pattern Presented by Sahibzada Sami ud din Kashif Khurshid.

MicroKernel Pattern Presented by Sahibzada Sami ud din Kashif Khurshid.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 7: Information flow control Eran Tromer Slides credit: Max Krohn, MIT Ian.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 7: Information flow control Eran Tromer Slides credit: Max Krohn, MIT Ian.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
SilverLine: Preventing Data Leaks from Compromised Web Applications Yogesh Mundada Anirudh Ramachandran Nick Feamster Georgia Tech 1 Appeared in Annual.

SilverLine: Preventing Data Leaks from Compromised Web Applications Yogesh Mundada Anirudh Ramachandran Nick Feamster Georgia Tech 1 Appeared in Annual.
Introduction to Operating Systems CS-2301 B-term 20081 Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.

Introduction to Operating Systems CS-2301 B-term Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.
By Ronny Bull, Chaitanya Pinnamaneni, Alex Stuart.

By Ronny Bull, Chaitanya Pinnamaneni, Alex Stuart.
Operating Systems - Introduction S H Srinivasan

Operating Systems - Introduction S H Srinivasan
1 Labels and Event Processes in the Asbestos Operating System Petros Efstathopoulos * Maxwell Krohn † Steve VanDeBogart * Cliff Frey † David Ziegler †

1 Labels and Event Processes in the Asbestos Operating System Petros Efstathopoulos * Maxwell Krohn † Steve VanDeBogart * Cliff Frey † David Ziegler †
CS-3013 & CS-502, Summer 2006 Network Input & Output1 CS-3013 & CS-502, Summer 2006.

CS-3013 & CS-502, Summer 2006 Network Input & Output1 CS-3013 & CS-502, Summer 2006.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
File Systems (2). Readings r Silbershatz et al: 11.8.

File Systems (2). Readings r Silbershatz et al: 11.8.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?

Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
Vision/Benefits/Introduction Randy Armstrong (OPC Foundation)

Vision/Benefits/Introduction Randy Armstrong (OPC Foundation)
Address Space Layout Permutation

Address Space Layout Permutation
Securing the Web with Decentralized Information Flow Control Maxwell Krohn (MIT) in cahoots with: Alex Yip, Micah Brodsky, Petros Efstathopoulos (UCLA),

Securing the Web with Decentralized Information Flow Control Maxwell Krohn (MIT) in cahoots with: Alex Yip, Micah Brodsky, Petros Efstathopoulos (UCLA),
Protecting Web 2.0 Services from Botnet Exploitations Cybercrime and Trustworthy Computing Workshop (CTC), 2010 Second Nguyen H Vo, Josef Pieprzyk Department.

Protecting Web 2.0 Services from Botnet Exploitations Cybercrime and Trustworthy Computing Workshop (CTC), 2010 Second Nguyen H Vo, Josef Pieprzyk Department.
Systems Security & Audit Operating Systems security.

Systems Security & Audit Operating Systems security.
Unix Pipes Pipe sets up communication channel between two (related) processes. 37 Two processes connected by a pipe.

Unix Pipes Pipe sets up communication channel between two (related) processes. 37 Two processes connected by a pipe.

Similar presentations

Ads by Google