1 Enforcing Security Policies using Transactional Memory Introspection. Vinod Ganapathy, Rutgers University; Arnar Birgisson, Mohan Dhawan, Ulfar Erlingsson, Liviu Iftode

2 Take-home slide (Vinod Ganapathy, Transactional Memory Introspection)

We can utilize the mechanisms of Software Transactional Memory to greatly improve security policy enforcement.

3 X server with multiple X clients (figure: LOCAL and REMOTE clients connected to one X server)

4 Malicious remote X client (figure: one of the REMOTE clients is malicious)

5 Undesirable information flow (figure: flow between the LOCAL and REMOTE clients through the X server)

6 Desirable information flow (figure: flow between the LOCAL and REMOTE clients through the X server)

7 X server with authorization (figure)

    X client --operation request--> X server --Allowed?--> Reference monitor (authorization policy)
    Reference monitor --YES/NO--> X server --response--> X client

Security enforcement crosscuts application functionality.

8 Outline
- Enforcing authorization policies
- Problems with existing techniques
- Transactional Memory Introspection
- Implementation and experiments

9 Existing enforcement interface

    dispatch_request ( ) {
        ...
        perform_request ( );
    }

    perform_request ( ) {
        ...
        perform_access (resource);
        ...
        perform_access'(resource');
    }

10 Existing enforcement interface

    dispatch_request ( ) {
        ...
        perform_request ( );
    }

    perform_request ( ) {
        ...
        if (allowed(principal, resource, access)) {
            perform_access (resource);
        } else {
            handle_auth_failure1();
        };
        ...
        if (allowed(principal, resource', access')) {
            perform_access'(resource');
        } else {
            handle_auth_failure2();
        };
    }

11 Three problems
1. Violation of complete mediation
2. Time-of-check to time-of-use (TOCTTOU) bugs
3. Handling authorization failures

12 I. Incomplete mediation

    dispatch_request ( ) {
        ...
        perform_request ( );
    }

    perform_request ( ) {
        ...
        if (allowed(principal, resource, access)) {
            perform_access (resource);
        } else {
            handle_auth_failure1();
        };
        ...
        if (allowed(principal, resource', access')) {
            perform_access'(resource');
        } else {
            handle_auth_failure2();
        };
    }

Must guard each resource access to ensure complete mediation.

13 I. Incomplete mediation

    ssize_t vfs_read (struct file *file, ...) {
        ...
        if (check_permission(file, MAY_READ)) {
            file->f_op->read(file, ...);
        }
        ...
    }

    int page_cache_read (struct file *file, ...) {
        struct address_space *mapping = file->f_dentry->d_inode->i_mapping;
        ...
        mapping->a_ops->readpage(file, ...);
    }

vfs_read guards the read with check_permission, but page_cache_read reaches the same file's pages without any check. [Zhang et al., USENIX Security '02]

14 II. TOCTTOU bugs

    perform_request ( ) {
        ...
        if (allowed(principal, resource, access)) {
            perform_access (resource);
        } else {
            handle_auth_failure1();
        };
        ...
        if (allowed(principal, resource', access')) {
            perform_access'(resource');
        } else {
            handle_auth_failure2();
        };
    }

15 II. TOCTTOU bugs (same code as slide 14)

A similar race condition was found in the Linux Security Modules framework [Zhang et al., USENIX Security '02]. Several similar bugs were recently found in popular enforcement tools:
- GSWTK [Watson, WOOT '07]
- Systrace [Provos, USENIX Security '03]
- OpenBSD Sysjail [Johnson and Deksters '07]

16 II. TOCTTOU bugs (same code as slide 14)

The authorization check and the resource access must be atomic.

17 III. Failure handling (same code as slide 14)

Handling authorization failures (handle_auth_failure1, handle_auth_failure2) is ad hoc and error prone.

18 III. Failure handling
- Exception-handling code accounts for a large fraction of server software
  - Over two-thirds of server software [IBM '87]
  - Nearly 46% on several Java benchmarks [Weimer & Necula, OOPSLA '04]
- Exception-handling code is itself error-prone [Fetzer and Felber '04]
- SecurityException is the exception most often handled erroneously [Weimer & Necula, OOPSLA '04]

19 Summary of problems
- Violation of complete mediation
  - Need to identify all the resources accessed
  - Example: bug in Linux Security Modules [Zhang et al., USENIX Security '02]
- Time-of-check to time-of-use bugs
  - Examples: [Zhang et al., USENIX Security '02], [Watson, WOOT '07]
- Handling authorization failures
  - A large fraction of server code relates to error handling [IBM survey '87; Weimer and Necula '04]
  - Error-handling code is error-prone! [Fetzer & Felber '04]

Security enforcement crosscuts application functionality. Our solution, TMI, decouples security enforcement from application functionality.
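The three problems on slides 12 to 19 are easiest to see on an instrumented model of the hand-written check-then-access pattern. The following is an added example, not the paper's code and not kernel code: a toy reference monitor records checks, policy changes and accesses in an audit trail, and a replay of that trail reports accesses that had no preceding check (incomplete mediation, the page_cache_read case) and accesses whose permission was revoked between the check and the use (the TOCTTOU window). The principal, resource and `between` hook are constructed for the simulation.

```python
"""Constructed model of the check-then-access enforcement pattern on
slides 10-17, instrumented so its failure modes show up in an audit
trail.  Illustrative code only, not the paper's or any kernel's."""


class Monitor:
    """Reference monitor with an audit trail of checks, policy changes and
    accesses.  policy is the set of allowed (principal, resource, access)."""

    def __init__(self, policy):
        self.policy = set(policy)
        self.trail = []

    def allowed(self, principal, resource, access):
        ok = (principal, resource, access) in self.policy
        self.trail.append(("check", principal, resource, access, ok))
        return ok

    def revoke(self, principal, resource, access):
        self.policy.discard((principal, resource, access))
        self.trail.append(("revoke", principal, resource, access))

    def perform_access(self, principal, resource, access):
        self.trail.append(("access", principal, resource, access))
        return f"{access}:{resource}"


def guarded_read(mon, principal, resource, between=lambda: None):
    """The slides' guarded path (cf. vfs_read): check, then use.  `between`
    stands in for what another thread does in the window between the two;
    it is a simulation hook, not part of the pattern being modelled."""
    if mon.allowed(principal, resource, "read"):
        between()
        return mon.perform_access(principal, resource, "read")
    return None


def unguarded_read(mon, principal, resource):
    """A second path to the same resource with no check (cf. page_cache_read)."""
    return mon.perform_access(principal, resource, "read")


def audit(trail):
    """Replay the trail.  A successful check grants one access for the same
    (principal, resource, access) key.  Returns (unmediated, stale): accesses
    that consumed no grant, and accesses whose grant was revoked first."""
    granted, revoked = set(), set()
    unmediated, stale = [], []
    for event in trail:
        kind, key = event[0], tuple(event[1:4])
        if kind == "check":
            if event[4]:
                granted.add(key)
        elif kind == "revoke":
            if key in granted:
                granted.discard(key)
                revoked.add(key)
        elif kind == "access":
            if key in granted:
                granted.discard(key)
            elif key in revoked:
                revoked.discard(key)
                stale.append(key)
            else:
                unmediated.append(key)
    return unmediated, stale


def demo():
    """Three constructed requests by principal 'alice' on resource 'file1'."""
    mon = Monitor({("alice", "file1", "read")})
    guarded_read(mon, "alice", "file1")        # properly mediated
    unguarded_read(mon, "alice", "file1")      # incomplete mediation
    guarded_read(mon, "alice", "file1",        # permission revoked in the window
                 between=lambda: mon.revoke("alice", "file1", "read"))
    return audit(mon.trail)


if __name__ == "__main__":
    print(demo())
```

The replay reports one unmediated access and one stale access, both for ("alice", "file1", "read"). The point of the audit is that neither defect is visible at the call site that looks correct: the guarded path is written exactly as slide 10 prescribes, and the problems are in the path that forgot the check and in what happens between the check and the use.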

20 Outline
- Enforcing authorization policies
- Problems with existing techniques
- Transactional Memory Introspection (TMI)
  - Programmer's interface
  - Mechanics of TMI
- Implementation and experiments

21 Transactional memory primer
- Alternative to lock-based programming
- Reason about atomic sections, not locks
- TM provides atomicity and isolation

Lock-based:

    acquire(S1.lock)
    acquire(S2.lock)
    value = S1.pop()
    S2.push(value)
    release(S2.lock)
    release(S1.lock)

Transactional:

    transaction {
        value = S1.pop()
        S2.push(value)
    }

22 Programmer's interface to TMI

    dispatch_request ( ) {
        transaction [ principal ] {
            ...
            perform_request ( );
        }
    }

    perform_request ( ) {
        ...
        perform_access (resource);
        ...
        perform_access'(resource');
    }

23 Programmer's interface to TMI (same code as slide 22)

The TM runtime asks the authorization manager about each access, "allowed(principal, resource, access)?" and "allowed(principal, resource', access')?", instead of the application asking inline. Authorization manager:

    case (resource = R, access_type = A) ->
        if (!allowed(principal, R, A)) then abort_tx

24 I. Complete mediation for free (same code as slide 22)

TMI automatically invokes authorization checks.

25 II. TOCTTOU-freedom for free (same code as slide 22)

Conflicting resource accesses automatically abort the transaction.

26 III. Error-handling for free (same code as slide 22)

Unauthorized resource accesses automatically abort the transaction.

27 Decouples functionality and security (same code as slide 22)

The application code contains only functionality; the authorization manager contains only policy.

28 Outline
- Enforcing authorization policies
- Problems with existing techniques
- Transactional Memory Introspection (TMI)
  - Programmer's interface
  - Mechanics of TMI
- Implementation and experiments

29 TM runtime system

The TM runtime maintains per-transaction read/write sets and detects conflicts.

    transaction {
        value = S1.pop()
        S2.push(value)
    }

Two concurrent instances (Green and Red) interleaved as:

    val1 = S1.pop()
    val2 = S1.pop()
    S2.push(val2)
    S2.push(val1)

Read and write sets recorded by the runtime (as shown on the slide): Green: S1.stkptr; Red: S1.stkptr, S2.stkptr.

30 TM runtime system (figure)

    Transaction body -> Execution -> Read and write sets -> Validation -> Commit logic -> Commit
    Validation conflict -> Contention manager -> Retry

31 Transactional Memory Introspection (figure)

    Transaction body -> Execution -> Read and write sets -> Validation -> Commit logic -> Commit
    Validation conflict -> Contention manager -> Retry
    Read and write sets -> Authorization (auth. checks by the Auth. Manager) -> Success: proceed to commit; Failure: Abort

32 Transactional Memory Introspection

    dispatch_request ( ) {
        transaction [ principal ] {
            ...
            perform_request ( );
        }
    }

    perform_request ( ) {
        ...
        perform_access (resource);
        ...
        perform_access'(resource');
    }

resource and resource' are present in the read/write set; all accesses are checked before the transaction commits.

33 Outline
- Enforcing authorization policies
- Problems with existing techniques
- Transactional Memory Introspection
- Implementation and experiments

34 TMI Implementation: TMI/DSTM2
- Implemented using Sun's DSTM2, an object-based software TM system
- TM system modified to:
  - Trigger authorization checks on additions to the read/write set and upon transaction validation
  - Raise AccessDeniedException upon abort
  - Integrate transactional I/O libraries
- Fewer than 500 lines changed in DSTM2

35 Porting software to TMI/DSTM2
1. Mark transactional objects with @atomic
   - Also requires @atomic wrappers for libraries: java.util.HashMap, java.util.Vector
2. Reads and writes to fields of @atomic objects are replaced with DSTM2 accessors
3. Place transaction{...} blocks around client requests
4. Write an authorization manager

36 GradeSheet in TMI/DSTM2 (screenshot)

37 Evaluation: ported four Java-based servers
- GradeSheet: a grade-management server
- FreeCS: a chat server
- WeirdX: an X window management server
  - Enforced a simple XACML-based policy
- Tar: a tar archive service
  - Enforced a Java stack-inspection policy

38 Modifications needed

    Server        LOC      Lines modified   Transactions
    GradeSheet    900      300              1
    Tar service   5,000    < 50             1
    FreeCS        22,000   860              47
    WeirdX        27,000   4,800            108

Authorization managers were approximately 200 lines of code in each case.

39 When to enforce policy? Eager

    dispatch_request ( ) {
        transaction [ principal ] {
            ...
            perform_request ( );
        }
    }

    perform_request ( ) {
        ...
        perform_access (resource);      // allowed(principal, resource, access)?
        ...
        perform_access'(resource');     // allowed(principal, resource', access')?
    }

40 When to enforce policy? Lazy (same code as slide 39)

41 When to enforce policy? Parallel (same code as slide 39)
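Slides 22 to 27 describe what the programmer sees, slides 29 to 32 the mechanics behind it, and slides 39 to 41 the choice of when to run the checks. The following toy runtime is an added example that ties the three together; it is not DSTM2 and not the paper's code. Its transactional objects carry a commit version, writes are buffered until commit, and the authorization manager is called from inside the runtime either as an object enters the read/write set ("eager") or over the whole set at validation ("lazy"); that reading of the two modes is my assumption, as are the GradeSheet-style policy and the principal names. Concurrency is simulated by committing a second transaction in the middle of the first one's body.

```python
"""Constructed toy software TM with Transactional Memory Introspection.
Not DSTM2 and not the paper's code: buffered writes, versioned objects,
and an authorization manager invoked from inside the runtime."""


class AccessDeniedException(Exception):
    """Raised out of transaction[] when the authorization manager aborts."""


class ConflictAbort(Exception):
    """Internal: validation found an object committed to by someone else."""


class TmObject:
    """A transactional object: a named record plus a commit version."""

    def __init__(self, name, **fields):
        self.name, self.fields, self.version = name, dict(fields), 0


class Transaction:
    def __init__(self, runtime, principal):
        self.runtime, self.principal = runtime, principal
        self.read_set = {}    # TmObject -> version observed on first touch
        self.write_set = {}   # TmObject -> private copy of its fields
        self.accesses = []    # (TmObject, access) in program order

    def _touch(self, obj, access):
        # Introspection point: every addition to the read/write set passes
        # through here, so no access to a TmObject can escape mediation.
        self.accesses.append((obj, access))
        self.read_set.setdefault(obj, obj.version)
        if self.runtime.mode == "eager":
            self.runtime.authorize(self.principal, obj, access)

    def read(self, obj, field):
        self._touch(obj, "read")
        return self.write_set.get(obj, obj.fields)[field]

    def write(self, obj, field, value):
        self._touch(obj, "write")
        self.write_set.setdefault(obj, dict(obj.fields))[field] = value


class TmiRuntime:
    def __init__(self, policy, mode="eager"):
        self.policy, self.mode, self.log = policy, mode, []   # log: checks made

    def authorize(self, principal, obj, access):
        self.log.append((principal, obj.name, access))
        if not self.policy(principal, obj, access):
            raise AccessDeniedException(f"{principal}: {access} {obj.name}")

    def validate(self, tx):
        for obj, seen in tx.read_set.items():
            if obj.version != seen:      # committed by another transaction
                raise ConflictAbort(obj.name)
        if self.mode == "lazy":          # check the whole set before commit
            for obj, access in tx.accesses:
                self.authorize(tx.principal, obj, access)

    def run(self, principal, body, max_retries=3):
        """transaction[principal] { body(tx) }: retry on conflict; a denial
        propagates and the buffered writes are simply dropped."""
        for _ in range(max_retries):
            tx = Transaction(self, principal)
            try:
                result = body(tx)
                self.validate(tx)
            except ConflictAbort:
                continue
            for obj, buf in tx.write_set.items():
                obj.fields, obj.version = buf, obj.version + 1
            return result
        raise RuntimeError("retry limit reached")


def grade_policy(principal, obj, access):
    """Constructed policy: the teacher may do anything, a student may only
    read their own record."""
    return principal == "teacher" or (access == "read" and obj.name == f"grade:{principal}")


def demo_denial(mode):
    """Student alice tries to raise her own score.  Returns the score after
    the request and how many checks the manager made."""
    rt = TmiRuntime(grade_policy, mode)
    alice = TmObject("grade:alice", score=70)

    def body(tx):
        tx.write(alice, "score", tx.read(alice, "score") + 30)

    try:
        rt.run("alice", body)
    except AccessDeniedException:
        pass
    return alice.fields["score"], len(rt.log)


def demo_conflict():
    """The teacher curves alice's score while, between the read and the
    commit, a second committed transaction changes the same record.
    Returns the score each attempt read and the final committed score."""
    rt = TmiRuntime(grade_policy)
    alice = TmObject("grade:alice", score=70)
    seen = []

    def curve(tx):
        score = tx.read(alice, "score")
        if not seen:   # first attempt only: simulate the interleaved commit
            rt.run("teacher", lambda t: t.write(alice, "score", 60))
        seen.append(score)
        tx.write(alice, "score", score + 5)

    rt.run("teacher", curve)
    return seen, alice.fields["score"]
```

demo_denial returns (70, 2) in both modes: the read is allowed, the write is denied, the transaction aborts and the record is untouched with no hand-written failure path in the request code. demo_conflict returns ([70, 60], 65): the first attempt read 70 but validation noticed that the record's version had moved, so the body was re-run against the fresh value and only the second attempt committed, which is the TOCTTOU-freedom of slide 25. Note that in this toy the eager and lazy modes differ only in when a denial surfaces, not in what is ultimately allowed to commit.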

42 Performance overheads of TMI (chart; the labels 10x and -15.8% are all that survive in the transcript)

43 Performance overheads of STM

Software transactional memory imposes a significant overhead:

    Server        Native   TMI-ported   Overhead
    GradeSheet    395μs    451μs        14.7%
    Tar service   4.96s    15.40s       2.1x
    FreeCS        321μs    3907μs       11.2x
    WeirdX        0.23ms   6.40ms       26.8x

Hardware TMs reduce the runtime overheads of TM runtime systems.

44 Take-home message

We can utilize the mechanisms of Software Transactional Memory to greatly improve security policy enforcement.

45 Thank you!

Vinod Ganapathy, Rutgers University
vinodg@cs.rutgers.edu
http://www.cs.rutgers.edu/~vinodg

Reference: Enforcing Authorization Policies using Transactional Memory Introspection. Proc. ACM CCS, October 2008.
