
Securing the Web with Decentralized Information Flow Control Maxwell Krohn (MIT) in cahoots with: Alex Yip, Micah Brodsky, Petros Efstathopoulos (UCLA),




1 Securing the Web with Decentralized Information Flow Control. Maxwell Krohn (MIT), in cahoots with: Alex Yip, Micah Brodsky, Petros Efstathopoulos (UCLA), Steve VanDeBogart (UCLA), Frans Kaashoek, Eddie Kohler (UCLA), David Mazières (Stanford), Robert Morris, Mike Walfish, Natan Cliffer, Cliff Frey, David Ziegler

2 A Computing Shift (diagram: the classic PC)

3 1. The “Classic” Attack (diagram: Bob sends GET /xxXxxxXXxxX/Alice to the Web App, which holds Alice’s, Bob’s, Chuck’s, Doug’s and Ed’s data, and Alice’s Data comes back to Bob)

4 Vulnerabilities in Websites: Exploits
– “USAJobs.gov hit by Monster.com attack, 146,000 people affected”
– “Payroll Site Closes on Security Worries”
– “Hacker Accesses Thousands of Personal Data Files at CSU Chico”
– “FTC Investigates PETCO.com Security Hole”
– “Major Breach of UCLA’s Computer Files”
– “UN Website is Defaced via SQL Injection”
– “Harvard Security Breach Exposes Sensitive Student Data”
– “Security Lapse Exposes Facebook Photos”

5 2. Server-Side Malware (diagram: facebook hosting Feature A, Feature B and a 3rd-party Feature C; Alice requests GET /FeatureA, Bob requests GET /FeatureC; Alice’s data and Bob’s data sit behind the features)

6 Same Problem / Same Broken Solutions

7 Not An Easy Decision to Make [Turing ’36]

8 From Bad To Worse!
1. The “Classic” Attack
2. Server-side Malware – NEW!!
3. Others not considered in this talk: XSS, Phishing

9 Two Options (GREAT OPPORTUNITY FOR SYSTEMS BUILDERS!)

10 My Work in Web Security
– TheSpark.com, OkCupid.com
– New Web Server [USENIX ’04, USENIX ’07]
– Limitations of Unix [HotOS ’05]
– New OS, Attempt 1 [SOSP ’05*, TOCS ’07†]
– New OS, Attempt 2: “Flume” [SOSP ’07]
– Ideas for the Future Web [HotNets ’07]
(callout: THIS TALK)
First author is *Petros Efstathopoulos and †Steve VanDeBogart.

11 Why Is Web Security Difficult? (diagram: Web Server → Web App → Service 1 (C++), Service 2 (Python), Service 3 (Java), Service 4 (???) → Storage (DB or FS) holding Bob’s Data and Alice’s Data)

12 New Proposal: End-to-End Web Security [HotOS ’05] (diagram: the same stack with a Gateway placed in front, releasing Alice’s Data)

13 Run-time or Compile-Time Tracking? Web sites favor run-time tracking:
– Use scripting languages: PHP, Python, Ruby, Perl, etc.
– Mix-and-match different languages
– Use plug-ins and third-party software
(diagram: Alice’s, Bob’s, Chuck’s, Doug’s and Ed’s data)

14 Decentralized Information Flow Control (DIFC) for the OS (the OS tracks data at run-time). Inspired by PL-based DIFC [Myers ’97]. (diagram: gateway)

15 Contributions
Idea: End-to-end Web security
Realization: Build Web sites with DIFC
– Model for DIFC at the OS level
– API: How to build apps (for non-experts)
– Implementation on Linux, OpenBSD
– Case Study: MoinMoin Wiki
Generalization: a secure, extendable Web platform

16 Outline
1. Operating System Support for DIFC
2. Security improvement in a real Web site
3. Generalization

17 What is DIFC? JIF [Myers et al.]; Asbestos [SOSP ’05, TOCS ’07]

18 DIFC By Example (diagram: a Web App running on a DIFC KERNEL; Alice’s Data labeled { Alice }, Bob’s Data labeled { Bob }, the Web App carrying label { Alice }, and a gateway)

19 Defining DIFC for the OS [SOSP ’07] (same diagram)
1. How to label secret data?
2. How does the kernel track data?
3. How can the app legislate policy?

20 1. Labeling Data
Each process/file gets a secrecy label
– summarizes which categories of secret data a process is assumed to have seen.
– Examples: { “Alice’s Secrets” }, { “Financial Secrets” }, { “Alice’s Secrets” and “Financial Secrets” }
(callouts: each category such as “Alice’s Secrets” is a “tag”; the set of tags is a “label”)

21 2. Tracking Data
For p to write to network, S_p = {}
p can write to q iff: S_p ⊆ S_q

22 Tracking Data: File I/O (diagram: Web App with S_w = { a, b }; Alice’s Data file with S_f = { a })

23 Tracking Data: IPC (diagram: Web App with S_w = { a }; Helper Process p with S_p = { b })

24 Defining DIFC (same diagram as slide 19)
1. How to label secret data?
2. How does the kernel track data?
3. How can the app legislate policy?

25 3. Legislating data policies
Processes can:
– change labels by adding tags
– allocate tags
– change labels by subtracting tags

26 Any Process Can Add Any Tag (diagram: Web App with S_w = {} calls change_label(S={b}) and becomes S_w = { b }; a second call, change_label(S={}), is shown)

27 Processes Can Allocate Tags (diagram on the DIFC KERNEL: gateway S_g = {}, Web App S_w = {}, Bob’s Data S = { b }; a new label = { a })

28 Processes Can Allocate Tags
gateway: S_g = {}, D_g = {} → a ← create_tag() → S_g = {}, D_g = { a }
S is the “Secrecy” label; D is the “Declassify” label.

29 Some Processes Can Subtract Some Tags
gateway: S_g = {}, D_g = { a } → change_label(S={a}) → S_g = { a }, D_g = { a } → change_label(S={}) → S_g = {}, D_g = { a }

30 Putting the Pieces Together (diagram on the DIFC KERNEL: Alice’s Data S = { a }; Web App S_w = {} → S_w = { a }, D_w = {}; helper S_p = { a }; gateway S_g = {} → S_g = { a }, D_g = { a, b })
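The process-level rules of slides 20 to 30 (labels, create_tag, change_label, the subset rule and the empty-label network) as an added example in Python; this is not Flume’s code, and the tag names and the gateway / Web App / Alice’s Data labels in demo() are constructed from the slides.

```python
# Toy model of the Flume process-level DIFC rules shown on slides 20-30
# (added example, not Flume's code). Tags are strings, labels are frozensets.
import itertools
from dataclasses import dataclass

_fresh_tags = itertools.count(1)

@dataclass
class Process:
    name: str
    S: frozenset = frozenset()  # secrecy label: categories of secrets seen so far
    D: frozenset = frozenset()  # declassification label: tags this process may subtract

    def create_tag(self) -> str:
        """Allocate a fresh tag; the allocating process gains the right to subtract it."""
        tag = f"tag{next(_fresh_tags)}"
        self.D = self.D | {tag}
        return tag

    def change_label(self, new_S) -> bool:
        """Adding tags is always allowed; subtracting a tag requires it to be in D."""
        new_S = frozenset(new_S)
        if not (self.S - new_S) <= self.D:
            return False  # kernel refuses: dropping that tag would launder a secret
        self.S = new_S
        return True

def can_send(p: Process, q: Process) -> bool:
    """Subset rule: p may write to q (process or file) iff S_p is a subset of S_q."""
    return p.S <= q.S

def can_write_network(p: Process) -> bool:
    """The network carries the empty label, so only a process with S_p = {} may write to it."""
    return p.S == frozenset()

def demo() -> tuple:
    """Gateway / Web App / Alice's Data scenario of slide 30 (constructed labels)."""
    gateway = Process("gateway")
    a = gateway.create_tag()  # tag for Alice's secrets; now D_g = {a}
    alice_data = Process("alice_data", S=frozenset({a}))  # a file labeled {a}
    web_app = Process("web_app")
    web_app.change_label({a})  # free: raising the label lets the app read Alice's data
    read_ok = can_send(alice_data, web_app)
    leak_blocked = not can_write_network(web_app)  # S_w = {a}, not {}
    launder_blocked = not web_app.change_label(set())  # a is not in D_w
    gateway.change_label({a})  # gateway raises to {a}, receives, then declassifies
    via_gateway = can_send(web_app, gateway) and gateway.change_label(set()) and can_write_network(gateway)
    return read_ok, leak_blocked, launder_blocked, via_gateway  # all True
```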

31 Advances Over Traditional IFC
Previous systems tracked information flow control at OS level [Bell-LaPadula, KeyKOS, Orange Book, IX, SELinux, TrustedBSD, …]
Now, apps can “legislate” security policies:
– create_tag()
– change_label()

32 Advances Over Asbestos [SOSP ’05, TOCS ’07]
Simplified label model
Economy of mechanism

33 Outline
1. Operating System Support for DIFC
– High-Level Design and Model
– API: How to build apps (for non-experts)
– Implementation on Linux, OpenBSD
2. Security improvement in a real Web site
3. Generalization

34 How To Build Apps [SOSP ’07]
Maintain existing API (Unix in our case)
– “open file abstraction”
– “reliable inter-process communication”
– “network sockets”
– “threads”
Add DIFC labels / rules
A road historically fraught with peril!

35 Gotcha 1: Different Labels (diagram: a gateway with D = { a, d } and S = { ? } sits between the Web App S = { a }, the PW DB S = { d } and the Network S = {})

36 Gotcha 2: Buggy Apps (diagram: Web App S = { a }; a gateway with D = { a, d } reads a Top Secret File S = { t } and ends up with S = { a, t }, D = { a, d })

37 Solution: Endpoints (diagram: gateway S = {}, D = { a, d } with endpoint e1, S_e1 = { a }, facing the Web App S = { a } and file f with S_f = { a }; endpoint e2, S_e2 = {}, facing the Network S = {}; endpoint e3, S_e3 = { d }, facing the PW DB S = { d })

38 Kernel Controls Flow Between Endpoints (diagram: gateway S = {}, D = { a, d }; endpoint e1 with S_e1 = { a }; Web App S = { a }; file f with S_f = { a }). Flow from f to e1 requires S_f ⊆ S_e1; flow from e1 to f requires S_e1 ⊆ S_f.

39 Endpoints Declassify Data
Data enters gateway with secrecy { a }
But gateway keeps its label S = {}
Thus gateway needs a ∈ D
(diagram: e1 with S_e1 = { a }, Web App S = { a }, file f with S_f = { a }, gateway S = {}, D = { a, d })

40 Restrictions on Endpoints
For process p, endpoint e: S_p – S_e ⊆ D_p
(Note, “–” is set-wise XOR)

41 Endpoints Suppress Temptation (diagram: gateway S = {}, D = { a } with endpoint e, S_e = { a }, facing Web App S = { a } and file f with S_f = { a }; an endpoint toward a Top Secret File S = { t } is refused: { t } – { a } ⊄ D_p)

42 Endpoints Provably Fit DIFC Model
If kernel enforces endpoint restrictions
and kernel enforces subset rule between endpoints
then process-level subset rule is upheld
– (i.e., p can send to q iff S_p ⊆ S_q)
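The endpoint rule of slides 35 to 42 as an added example (again not Flume’s code): the labels of the Web App, PW DB, Network and Top Secret file are the ones on the slides, while the function names and the gateway_reach / top_secret_attempt scenarios are assumptions made for illustration.

```python
# Toy model of Flume endpoints (slides 35-42); added example, not Flume's code.
# A process p communicates through endpoints whose labels S_e may differ from
# S_p, as long as S_p - S_e is a subset of D_p, with "-" the set-wise XOR of slide 40.

def endpoint_allowed(S_p: frozenset, D_p: frozenset, S_e: frozenset) -> bool:
    """Restriction on endpoints: every tag in which the endpoint label differs
    from the process label must be one the process is allowed to declassify."""
    return (S_p ^ S_e) <= D_p

def endpoint_flow(S_src: frozenset, S_dst: frozenset) -> bool:
    """Subset rule between endpoints (or endpoint and file): src -> dst iff S_src <= S_dst."""
    return S_src <= S_dst

def gateway_reach(D_g: frozenset) -> dict:
    """Slides 35/37: a gateway with S = {} and declassification label D_g asks for an
    endpoint matching each peer: Web App {a}, PW DB {d}, Network {} (constructed)."""
    S_g = frozenset()
    peers = {"web_app": frozenset({"a"}), "pw_db": frozenset({"d"}), "network": frozenset()}
    reach = {}
    for name, S_peer in peers.items():
        S_e = S_peer  # request an endpoint labeled like the peer
        reach[name] = (endpoint_allowed(S_g, D_g, S_e)
                       and endpoint_flow(S_peer, S_e)   # gateway may read from the peer
                       and endpoint_flow(S_e, S_peer))  # and write back to it
    return reach  # a peer is unreachable when its tag is missing from D_g

def top_secret_attempt(S_p=frozenset({"a"}), D_p=frozenset({"a"}),
                       S_file=frozenset({"t"})) -> bool:
    """Slide 41: a process with D = {a} asks for an endpoint labeled {t} to reach a
    Top Secret file. {t} - {a} = {a, t} is not a subset of D_p, so the kernel refuses."""
    return endpoint_allowed(S_p, D_p, S_file)
```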

43 For Experts Only
Asbestos [SOSP ’05, TOCS ’07]
– Message-passing OS; non-reliable messages
HiStar [Zeldovich et al.]
– Exokernel
– Provides Unix interface as a library
– DIFC programmers see kernel-level interface

44 Outline
1. Operating System Support for DIFC
– High-Level Design and Model
– Key detail: how apps manage resources
– Implementation
2. Result: real Web security improvements
3. Generalization

45 Flume: System Call Delegation (diagram: the Web App calls open(“/alice/data”, O_WRONLY) through Flume Libc on top of glibc; the Flume Kernel Module in the Linux Kernel hands the call to the Flume Reference Monitor, which decides whether Alice’s Data may be opened). Works on Linux 2.6 and OpenBSD 3.9.

46 Endpoints In Flume
Endpoints for:
– File descriptors
– Signal receive / signal send
– Parent wait / child exit
– Network
– System V IPC
– …etc…

47 Flume’s Place in the Software Stack (diagram: Flume between the operating systems Linux, OpenBSD, Windows, HiStar, Asbestos, Symbian and the applications Wiki, General Web Computing Platform, Online Banking, Mobile Apps, Etc…)

48 Outline
1. Operating System Support for DIFC
2. Security improvement in a real Web site
3. Generalization

49 Example App: MoinMoin Wiki

50 MoinMoin Wiki Example (diagram: MoinMoin Use, Free TShirts, Alice’s Data, Layoff Plans)

51 Threat Model (diagram: the software stack Plug-in 1, Plug-in 2, MoinMoin Wiki, Apache, Python, libs, glibc, Linux Kernel, FS, Compiler (gcc), marked VULNERABLE; the same stack with Flume, marked SECURED)

52 Harden Biggest Pieces? (diagram: Linux Kernel, glibc, Apache, libs, FS, gcc, Python, MoinMoin Wiki, Plugins; Flume)

53 Harden What’s Hard To Secure (diagram: Plug-in 1, Plug-in 2, Kernel; the breach headlines from slide 4 repeated)

54 Implementation Strategy (diagram on the DIFC KERNEL: Web Server → MoinMoin Wiki, 90 kLOC, with Python Plugins → Bob’s Data, Alice’s Data; a FlumeWiki Gateway (1 kLOC) in front)

55 Implementation (diagram: Apache Web Server → FlumeWiki Gateway, 1 kLOC → MoinMoin Wiki, 90 kLOC, with Python Plugins, on the Flume Server; D_g = { a, b }; Alice’s Data; the gateway marked TRUSTED, MoinMoin and its plugins UNTRUSTED)

56 Results
Can Flume accommodate non-expert code?
– only 1,000 out of 90,000 LOC in MoinMoin changed
– Python interpreter, Apache, unchanged
Does Flume perform reasonably?
– 43% slower in read throughput
– 34% slower in write throughput
– Overhead from system call interposition
– Scales up linearly with a cluster of Flume servers

57 Security Improvements
Isolate security code:
– Declassifier is 1/90th the size of MoinMoin application
FlumeWiki inherited 2 ACL bypass vulnerabilities from MoinMoin
– e.g., Bug in MonthCalendar() macro

58 Bug In MonthCalendar (screenshot: HTTP ERROR 500)

59 Bug In MonthCalendar (screenshot: HTTP ERROR 500)

60 Security Improvements
Exploits fail against FlumeWiki
Related Bug-Stopping Techniques Won’t Work
– Taint Tracking, SFI, PittSFIeld, XFI, Program Shepherding, Model-Checking, Non-DIFC PL techniques [SPIN, Java, Singularity], etc.

61 Outline
1. Operating System Support for DIFC
2. Security improvement in a real Web site
3. Generalization: The W5 Platform

62 Recall: FlumeWiki (diagram: Apache Web Server → FlumeWiki Gateway, 1 kLOC → MoinMoin Wiki, 90 kLOC, with Python Plugins, on the Flume Server; Alice’s Data, Bob’s Data; Security Guarantees provided by FLUME)

63 Proposal: W5 [HotNets ’07] (diagram: Apache Web Server, the FlumeWiki Gateway, 1 kLOC, and the Flume Server stay, with MoinMoin replaced by Unvetted / Suspect / Uploaded Code; Alice’s Data, Bob’s Data; Security Guarantees)

64 A New Architecture (diagram on FLUME: W5 Gateway and Flume Server; applications Blog, PhotoSharing, Messaging, Matching supplied by application writers; Alice’s Data, Bob’s Data)

65 “Declassifiers” Allow Data Sharing (diagram on FLUME: W5 Server, W5 Gateway, PhotoSharing, Alice’s photo, Alice’s Declassifier, Chuck; labels S = { a }, D = { a }, S = { c }, D = { a })

66 Security in W5 (diagram on the Flume Platform: the W5 Gateway and Alice’s Declassifier are Trusted: if buggy, Alice might lose data; the apps Blogger, Photoz, Filter, Wiki, Dating, Vampires, Videos, Calendar, Email, MsgBoard, Aquarium, Hot Or Not, Poke, Travel Map, Music, Quizzes are Untrusted: cannot export/steal Alice’s data)

67 End-to-End Security in W5
Two previously distinct security problems
– Buggy server-side apps can be cracked/exploited
– Server-side malware
Secured by the same mechanism (DIFC)

68 “What Are You Doing Next?”
Evangelize W5 (requires interview; in progress)
Build it out (requires job)
– Spell out appropriate IFC policies
– SQL++ for mutually distrustful apps
– Tackle browser and JavaScript
– FS support for integrity / rollback
– Economic model
– Multiple providers
– Resource allocation

69 Conclusions
Idea: End-to-end Web security
Realization: DIFC for the OS
– Endpoints: Merge DIFC with standard API
– Implementation for standard OS abstractions
– MoinMoin Wiki secured
New direction for Web platforms
Download software: http://flume.csail.mit.edu

70 Privilege Separation: OKWS [USENIX ’04] (diagram: OKWS demux in front of the search, login and inbox services, each with its own database: Search DB, PW DB, mail DB; compared with Apache running the Python search, login and inbox code)

71 MoinMoin Insight: Integrity (diagram: MoinMoin writes /LayoffPlans)
Policy before: MoinMoin is not to be trusted.
Policy now: Original MoinMoin is correct; plugins might be problematic

72 MoinMoin Insight: Integrity (diagram: MoinMoin writes /LayoffPlans)

73 End-To-End Integrity (diagram: to write /LayoffPlans, MoinMoin opens moin.py, os.py, re.py, sys.py, XYZ.py, libc.so, libm.so, libintl.so, libXY.so, resolv.conf, tzdata, XY.conf: 2,000+ file opens)

74 End-To-End Integrity (same diagram; PYTHONPATH=???)

75 FlumeWiki Can Certify Results (diagram: MoinMoin writes /LayoffPlans through the FlumeWiki Declassifier; sys.py)

76 MoinMoin Growing Over Time (chart)

77 History of IFC
1968 Adept-50 [Weissman]
1973 Bell-LaPadula
1976 Lattice Model [Denning]
1985 Orange Book [DoD]
1992 IX [McIlroy + Reeds]
1997 JIF [Myers]
2001 SELinux [Loscocco + Smalley]
2005 Asbestos [SOSP]
2006 HiStar [Zeldovich]
2007 Flume [SOSP]
Decentralized IFC: relaxed, more practical IFC

78 Why Asbestos Leaks Data (diagram: a leaker with S = { a } holding Alice’s Data; helper processes b1, b2, b3, b4 with S = {} encoding the bit pattern 1011; a Leak file with S = {}; values 0000 and 1011)

79 Why Flume Doesn’t Leak Data [HiStar] (same diagram: leaker S = { a }, helpers b1 to b4, Leak file S = {}, values 1011 and 0000)

80 Why Flume Doesn’t Leak Data [HiStar] (diagram: leaker S = { a }; helper b2 with S = {} then S = { a }; Leak file S = {})

81 Comparison With Other Security Techniques (diagram: granularity axis Bit, Word, Cacheline, Page, Process; DIFC [Asbestos, HiStar, Flume] and VMs at the OS/process level; Taint Tracking [TaintCheck], Fault Analysis [SFI, XFI], Model Checking [RacerX]; PL [SPIN, Java, Singularity, JIF, …])

82 Classic Attack, Revisited (diagram: facebook with Feature A, Feature B and a 3rd-party Feature D; Bob requests GET /XxxXxx/FeatureD/Alice and receives Alice’s Data; Alice’s data and Bob’s data sit behind the features)

83 Why Is Web Security Difficult? (diagram as on slide 11, with Service 4 (Ruby) and further services …)

84 Existing PL Solution [Myers ’97] (diagram: Web Server → Web Application → Service 1, Service 2, Service 3, Plugin → Storage with Bob’s Data and Alice’s Data; a “Declassifier”)

85 DIFC On One Slide
Review:
– p can write to network iff S_p = {}
– p can send to q iff S_p ⊆ S_q
– API: change_label() and create_tag()
Key Property:
– Suspect processes (e.g. Web app) can compute with sensitive data.
– Assured processes (e.g. Gateway) control data disclosure

86 Example Policies (diagram on the Flume Server: Alice’s Data S = { a }; Layoff Plans S = { HR }; FlumeWiki Gateway, 1 kLOC, with S = {} and D = { a, HR }, taking labels S = { a }, S = { HR } and S = {} in turn; MoinMoin Wiki, 90 kLOC, with Python Plugins, running with S = { a } or S = { HR }; a process with S = {}, D = { b }; a process with S = { HR }, D = { HR }; the HR tag)

87 Why Endpoint Constraints Are Correct
Message sent from p (through endpoint e) to q (through endpoint f), under the constraints S_p – S_e ⊆ D_p and S_f – S_q ⊆ D_q.
The endpoint-level check S_e ⊆ S_f is equivalent to a legal sequence of process-level operations: on p, change_label(S_e) (legal because S_p – S_e ⊆ D_p), then the send (S_e ⊆ S_f), then change_label(S_p) to restore; on q, change_label(S_f) to receive (legal because S_f – S_q ⊆ D_q), then change_label(S_q) to restore.




