
A NOTE ON THE CONFINEMENT PROBLEM Butler Lampson Xerox PARC.


1 A NOTE ON THE CONFINEMENT PROBLEM Butler Lampson Xerox PARC

2 IN BRIEF
- The paper discusses
  – how a server program (a service) can leak information about its clients to other programs
  – how such leaks can be prevented
- Its main contribution is to make us realize the number of potential covert channels

3 THE MODEL
- A customer
  – has confidential data
  – does not trust the service processing its data
  – wants to prevent leaks
[diagram: the customer sends its data x to the service]

4 SEVEN POSSIBLE LEAKS (I)
- If the service has memory, it can collect data and keep them until its owner calls the service
- The service can write data into a permanent file that can be read by its owner
- The service can create a temporary file that can be read by its owner
- The service can send a message to a process controlled by its owner

5 SEVEN POSSIBLE LEAKS (II)
- The service can encode some data in the bill it sends to the customer
  – its owner must have a copy of that bill
- The service can play with locks controlling access to shared files
- The service can modulate its demands on the system's resources

6 COUNTERMEASURES (I)
- The process must be stateless from one invocation to the next
  – no static variables and no globals
- The process must be confined
- First sufficient rule: a confined program shall make no calls on any other program

7 COUNTERMEASURES (II)
- The first rule is very restrictive
- Transitivity rule: if a confined program calls on another program that is not trusted, the called program must also be confined
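The transitivity rule is a closure over the call graph: starting from the confined service, every callee that is not trusted joins the confined set, and so on recursively. The following added example (not from the slides or from Lampson's paper) computes that closure and checks a proposed policy against it. The call graph, the program names and the trusted set are constructed for illustration.

```python
from collections import deque

# Constructed call graph for illustration: program -> programs it calls.
CALLS = {
    "service": ["fmt", "tax", "mail"],
    "tax": ["rates"],
    "mail": ["smtp"],
    "fmt": [],
    "rates": [],
    "smtp": [],
}
# Programs the customer has audited and is willing to trust (an assumption of this example).
TRUSTED = {"fmt"}


def confinement_set(calls, trusted, root):
    """Programs that must be confined when `root` is confined, by the transitivity rule:
    every untrusted program that a confined program calls is itself confined, recursively."""
    must = {root}
    queue = deque([root])
    while queue:
        caller = queue.popleft()
        for callee in calls.get(caller, []):
            if callee in trusted or callee in must:
                continue
            must.add(callee)
            queue.append(callee)
    return must


def violations(calls, trusted, confined):
    """For a proposed set of confined programs, list the calls that break the rule:
    a confined caller reaching a program that is neither trusted nor confined."""
    bad = {}
    for caller in confined:
        escapes = [c for c in calls.get(caller, []) if c not in trusted and c not in confined]
        if escapes:
            bad[caller] = escapes
    return bad


if __name__ == "__main__":
    needed = confinement_set(CALLS, TRUSTED, "service")
    print("must confine:", sorted(needed))
    print("violations if only 'service' is confined:", violations(CALLS, TRUSTED, {"service"}))
    print("violations with the full closure:", violations(CALLS, TRUSTED, needed))
```

Confining only the service is not enough: `tax` and `mail` are untrusted callees and would escape confinement, and through them `rates` and `smtp`; the closure contains all five, while the trusted `fmt` may be called without being confined.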

8 COUNTERMEASURES (III)
- We will assume that the untrustworthy service runs on top of a trustworthy supervisor
- The trustworthy supervisor will block all possible channels that can be used to leak information
- These channels include
  – storage
  – legitimate channels
  – covert channels

9 COUNTERMEASURES (IV)
- Leaks through storage are not hard to prevent
  – if another process wants to write into a file that is being read by the service, the supervisor creates a new copy of the file and lets the service access that copy
- The problem is how to identify all the kinds of storage accessed by the service
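The copy rule on this slide is easiest to see as a small model of a supervisor that mediates every file access of a confined process. The following added example is constructed for this page (it is not code from the slides or from the paper, and not a real filesystem); it implements the slide's rule, snapshotting a file for the confined reader before another process changes it, and generalizes it in the other direction, so that anything a confined process writes lands in a private copy instead of shared storage. The file names and contents are constructed.

```python
class Supervisor:
    """Trustworthy supervisor mediating every file access of confined processes.
    Constructed in-memory model for the example, not a real filesystem."""

    def __init__(self, files):
        self.shared = dict(files)   # the shared filesystem every process normally sees
        self.confined = set()       # processes running under confinement
        self.reading = set()        # (proc, name) pairs a confined process has read
        self.private = {}           # (proc, name) -> copy seen only by that confined process

    def confine(self, proc):
        self.confined.add(proc)

    def read(self, proc, name):
        if proc not in self.confined:
            return self.shared[name]
        self.reading.add((proc, name))
        # A confined process sees its private copy if one exists, else the shared file.
        if (proc, name) in self.private:
            return self.private[(proc, name)]
        return self.shared[name]

    def write(self, proc, name, data):
        if proc in self.confined:
            # Generalization of the slide's rule: a confined process's writes go to a
            # private copy, so nothing it stores reaches its owner through shared storage.
            self.private[(proc, name)] = data
            return
        # The slide's rule: before an unconfined process changes a file that a confined
        # process is reading, give that reader its own copy of the old content.
        for (reader, fname) in self.reading:
            if fname == name and (reader, fname) not in self.private and name in self.shared:
                self.private[(reader, fname)] = self.shared[name]
        self.shared[name] = data


def demo():
    """Runs the scenario and returns what each party observes at each step."""
    sup = Supervisor({"input": b"x=42", "log": b""})   # constructed sample files
    sup.confine("service")
    seen = {}
    seen["service_first_read"] = sup.read("service", "input")
    sup.write("owner", "input", b"x=99")               # owner changes the shared input
    seen["service_after_owner_write"] = sup.read("service", "input")
    seen["owner_sees_input"] = sup.read("owner", "input")
    sup.write("service", "log", b"x=42")               # service tries to stash customer data
    seen["owner_sees_log"] = sup.read("owner", "log")
    seen["service_sees_log"] = sup.read("service", "log")
    return seen


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step:28s} {value!r}")
```

The service keeps reading the copy it started with after the owner's write, and the owner never sees the data the service wrote to `log`. What the model does not solve is the slide's last point: the supervisor can only mediate the storage it knows about, so any kind of storage that bypasses it (a temporary file, a lock, a message queue) is a gap in the enumeration, not in the rule.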

10 COUNTERMEASURES (V)
- Masking principle: a program to be confined must allow its caller to determine all its inputs into legitimate and covert channels; the channels are then said to be masked by the caller
- Requires the bill to be computed by the customer, not by the service

11 COUNTERMEASURES (VI)
- Enforcement: the supervisor must ensure that a confined program's input to a covert channel satisfies the specifications of the customer
- May require slowing the program down and adding spurious requests
- It is much less costly to limit the bandwidth of the covert channels
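Slides 10 and 11 contrast full masking of a covert channel with merely limiting its bandwidth. The following added example (constructed for this page; not code from the slides or the paper, and not the paper's own analysis) models the resource-modulation leak from slide 5 and measures what each countermeasure leaves observable. The service encodes one bit per tick as a high or low resource demand; the supervisor then either passes the demands through, masks them to the fixed level the customer specified (slowing the service or adding spurious requests until every tick looks alike), or accounts for usage only per window of ticks. Counting how many distinct observations the rest of the system can see across every possible secret gives a simple upper bound on the bits that can leak; the demand levels and window size are assumptions of the example.

```python
import math
from itertools import product
from statistics import mean

HIGH, LOW = 8, 2   # constructed demand levels (e.g. CPU quanta requested per tick)


def service_demands(bits):
    """The confined service encodes one secret bit per tick in its resource demand."""
    return [HIGH if b else LOW for b in bits]


def supervisor_view(demands, policy, window=4):
    """What other processes can observe after the supervisor enforces the customer's
    specification for this channel."""
    if policy == "none":
        return tuple(demands)
    if policy == "mask":
        # Masking: the customer fixes the demand in advance; the supervisor slows the
        # service down or issues spurious requests so every tick consumes exactly HIGH.
        return tuple([HIGH] * len(demands))
    if policy == "limit":
        # Bandwidth limiting: usage is only accounted per window, so per-tick
        # variation disappears and only the window average remains observable.
        view = []
        for i in range(0, len(demands), window):
            chunk = demands[i:i + window]
            view.extend([mean(chunk)] * len(chunk))
        return tuple(view)
    raise ValueError(f"unknown policy {policy!r}")


def distinguishable_views(policy, n_bits=8, window=4):
    """Size of the channel's output alphabet: distinct observations over every secret."""
    return len({supervisor_view(service_demands(bits), policy, window)
                for bits in product((0, 1), repeat=n_bits)})


def max_leak_bits(policy, n_bits=8, window=4):
    """Upper bound on the bits that can leak in n_bits ticks: log2 of the alphabet size."""
    return math.log2(distinguishable_views(policy, n_bits, window))


if __name__ == "__main__":
    for policy in ("none", "limit", "mask"):
        print(f"{policy:5s}: at most {max_leak_bits(policy):.2f} bits per 8 ticks")
```

With no countermeasure all 8 bits are observable; masking leaves exactly one observation whatever the secret, so nothing leaks, at the cost of charging the customer the fixed level on every tick; accounting per window of 4 ticks still leaks the count of high ticks in each window (25 distinct views, about 4.6 bits), and widening the window to 8 ticks cuts that to about 3.2 bits. This is the trade-off the slide states: the limit is cheap to enforce and reduces the channel, while only masking closes it.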

12 CONCLUSIONS
- The confinement problem can be solved as long as we can trust the supervisor of the system
- Total confinement can be costly
- It is much cheaper to limit the bandwidth of possible leaks

