Presentation is loading. Please wait.

Presentation is loading. Please wait.

PhD Defense Mohit Tiwari University of California, Santa Barbara Design and Verification of Information Flow Secure Systems.

Published byAnne Rich Modified over 9 years ago

Similar presentations

Presentation on theme: "PhD Defense Mohit Tiwari University of California, Santa Barbara Design and Verification of Information Flow Secure Systems."— Presentation transcript:

1 PhD Defense Mohit Tiwari University of California, Santa Barbara Design and Verification of Information Flow Secure Systems

2 Committee Tim Sherwood (Chair) Frederic T Chong Tevfik Bultan Ben Hardekopf Ryan Kastner UC Santa Barbara UC San Diego UC Santa Barbara

3 High Assurance Systems Flight Control Network Passenger Network Confidential Data Open Network Enforce policies on final system implementation

4 High Assurance for All Sensitive data. Untrusted services. Confinement Problem [Lampson’73]

5 Non-Interference Non-Interference: a change in a High input can never be observed or inferred from changes in the Low output. That is, High data should never leak to Low Confidentiality-Integrity Duality: “High” is more conservative label. Secret or Tainted/Untrusted. High Low X “system” Real-world systems need both Confidentiality and Integrity

6 Example MLS System Example Satellite Application. [Tzvetan Metodi, Aerospace Corp.] Kernel and Diagnostics Kernel and Diagnostics Crypto Command Telemetry Interface Command Telemetry Interface Time Keeping I/O Secret I/O Secret Mission Secret Mission Secret Mission Unclass. Mission Unclass. Interrupt Handlers (Sensitive) Non-sensitive Sensitive Note: Since this is not a real schedule, the processes are not in any sensible execution order Execution Time Primary Execution Schedule Interrupt Handlers (Non-sensitive)

7 Example: Satellite System Untrusted & Unclassified Untrusted & Secret Trusted & Unclassified Trusted & Secret Kernel, Interrupt Handlers (Unclassified), Time Keeping Programs Diagnostics, Telemetry Interfaces Custom code on Secret data Libraries (e.g. encryption) that operate on Secret data But assurance is not cheap

8 The Price of Assurance Evaluation Assurance Levels (EAL 1—7) – Evaluation of process, not end artifact RedHat Linux: EAL 4+ – $30-$40 per LOC Integrity RTOS: EAL 6+ – $10,000 per LOC … and increasing. Many approaches.

9 Prog. Language Traditional Information Flow Security Logic Gates Functional Units Microarchitecture Instruction Set Compiler/OS Applications Cache-flush: Osvik et. al. 2006... BP Scrub: Aciicmez et al. 2007... Exe Normalize: Kocher 1996… Cache Rand: Lee et al. 2005... Volpano96, Jif99, Slam98, FlowCaml03 HiStar 06, Flume 07, Laminar 09 Taintcheck 04, LIFT 06, Dytan 07 DIFT 04, Minos 04, LBA 06, Raksha 07 Closer look at IF analysis.

10 Information Flow Analysis Information flows through Space – Registers, Memory, Micro-architectural state etc. Information flows through Time – Observable events such as PC, I/O channels etc. if (untrusted == 1) out1 = 1 else out2 = 0 (implicit flow) out = untrusted (explicit flow) Memory CPU A CPU B How to account for all information flows in a system? How to construct practical systems that won’t leak?

11 Outline of this talk High Assurance Systems – Information flow security Analysis Technique: – Gate-Level Information Flow Tracking Architecture – Execution Leases

12 Analysis: Track all flows Flatten design to a (giant) state machine Does every output have desired label? Separation Kernel P0 P1 CPU Mem I/O Dev S/W H/W Secure System 001000101 external inputs Combinational Logic external outputs clock state Equivalent State Machine 1001110101111011 0001011001111111

13 Analysis: Track all flows Insight: All flows explicit at the gate level Separation Kernel P0 P1 CPU Mem I/O Dev S/W H/W Secure System 001000101 external inputs external outputs clock state Equivalent State Machine 1001110101111011 0001011001111111

14 Analysis: Track all flows Outputs: Logic function of state and inputs Output Labels: Logic func. of state, inputs, and labels Separation Kernel P0 P1 CPU Mem I/O Dev S/W H/W Secure System 001000101 external inputs external outputs clock state Equivalent State Machine 1001110101111011 0001011001111111

15 Analysis: Track all flows Does not include physical side-channels – Power draw, Thermal fingerprint, EM radiation Separation Kernel P0 P1 CPU Mem I/O Dev S/W H/W Secure System 001000101 external inputs Combinational Logic external outputs clock state Equivalent State Machine 1001110101111011 0001011001111111

16 CPU B CPU A Memory Bus Arbiter Request ARequest B Grant AGrant B Timing Channels …Will look at implicit flows in a few slides.

17 Analysis Technique: GLIFT ab o t o a b t t Shadow ANDAND

18 Required: Precise Information Flow Conventional OR-ing of labels monotonic clock reset DQ 010101…

19 1 10 Precise Information Flow: AND Gate 00 0 01 10 1 1 001 00 01 00 0 1 0 0 0 1 0 0 0 0 1 0 0 01 a b o a b o Use both inputs and input labels

20 Analysis Technique: GLIFT a b o t o a b t t b a o b t t a t

21 Sound Composition of Shadow Logic b a o s t1 t2 t o a s a t t s b s b t t s t1 t2

22 MUX: gatekeeper of trust a b s 0 o a b s 1 o a b s * o

23 All Executions: Track “Unknowns” Known bits at security evaluation time – Software kernel – Hardware design Unknown bits – External inputs – User processes Verify policy upheld for all unknown bits – Use abstract interpretation to prove soundness 0 * 0 a * * 1 a

24 GLIFT Verification Flow Digital Design 1011 clock test inputs state output 01 Specification of unknown bits 1. Abstraction 10 clock abstract inputs state abstract output ** a a a 10 state input ** * 1 Abstract Design 2. Augmentation 1 0 clock labeled inputs state labeled output * L L L T T U U U U 1 U T * U T Information flow lattice Augmented Design Concrete state must be enumerable. E.g. Scheduler loop

25 Outline of this talk High Assurance Systems – Information flow security Analysis Technique: – Gate-Level Information Flow Tracking Architecture – Execution Leases

26 Implicit Information Flows Instr Mem +4 jump target R1 R2 Reg File is jump? through decode PC if (untrusted==1) out = 1 tmp = 5 out tmp Conditional execution taints critical state (PC)

27 Problem: Critical CPU state becomes untrusted Untrusted Code and Conditionals Lease the CPU to programs for fixed time with bounded memory access Time Memory Stack of Nested Leases Lease = Space-Time Sandbox

28 Execution Lease Architecture Instr Mem +4 jump target R1 R2 through decode PC Predicates Reg File old value Data Memory high low Lease Unit Timer PC Memory 0 1 0 1 timer expired? restore PC

29 Execution Lease Architecture Instr Mem +4 jump target R1 R2 through decode PC Predicates Reg File old value Data Memory high low Lease Unit Timer PC Memory 0 1 0 1 timer expired? restore PC

30 Execution Lease Architecture Instr Mem +4 jump target R1 R2 through decode PC Predicates Reg File old value Data Memory high low Lease Unit Timer PC Memory 0 1 0 1 timer expired? Restore PC Registers become untainted with trusted loads

31 Designing for GLIFT- 1. Trusted Reset Instr Mem +4 jump target R1 R2 through decode PC Predicates Reg File old value Data Memory high low Lease Unit Lease Unit Timer PC Range 0 1 0 1 timer exprired? Restore PC

32 0b10 0b11 >= <= 0b00 EN ADDR Store value BL WL … … Mem Bound Start Mem Bound End Tainted Store Addr Decoder Address Comparators Designing for GLIFT: 2. Isolation

33 0b1* 0b00 BL WL … … Address Mem Bound Range Tainted Store Addr EN Store value Decoder Address Bit-Mask 0b1 Designing for GLIFT: 2. Isolation 0

34 Designing for GLIFT: 3. Critical State Instr Mem +4 jump target R1 R2 through decode PC Predicates Reg File old value Data Memory high low Lease Unit Lease Unit Timer PC Range 0 1 0 1 timer exprired? Restore PC

35 Stack of Nested Timers Timer values: bad Stack pointer: good Huge effect on software Arbitrary timer values => no encoding overhead Save and restore timers => multi-level schedulers Designing for GLIFT: 3. Critical State Lease Unit Lease Unit Timer PC Range timer exprired? Restore PC

Download ppt "PhD Defense Mohit Tiwari University of California, Santa Barbara Design and Verification of Information Flow Secure Systems."

Similar presentations

Supporting Security at the Gate Level: Opportunities and Misconceptions Tim Sherwood UC Santa Barbara.

Supporting Security at the Gate Level: Opportunities and Misconceptions Tim Sherwood UC Santa Barbara.
Computer Architecture

Computer Architecture
1 Complete Information Flow Tracking from the Gates Up Tiwari, Wassel, Mazloom, Mysore, Chong, Sherwood, UCSB, ASPLOS 2009 Shimin Chen LBA Reading Group.

1 Complete Information Flow Tracking from the Gates Up Tiwari, Wassel, Mazloom, Mysore, Chong, Sherwood, UCSB, ASPLOS 2009 Shimin Chen LBA Reading Group.
1 (Review of Prerequisite Material). Processes are an abstraction of the operation of computers. So, to understand operating systems, one must have a.

1 (Review of Prerequisite Material). Processes are an abstraction of the operation of computers. So, to understand operating systems, one must have a.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 3 Operating System Organization.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Computer Organization and Architecture

Computer Organization and Architecture
1/1/ / faculty of Electrical Engineering eindhoven university of technology Architectures of Digital Information Systems Part 1: Interrupts and DMA dr.ir.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Architectures of Digital Information Systems Part 1: Interrupts and DMA dr.ir.
CS4315A. Berrached:CMS:UHD1 Operating Systems and Computer Organization Chapter 4.

CS4315A. Berrached:CMS:UHD1 Operating Systems and Computer Organization Chapter 4.
Computer System Overview

Computer System Overview
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 3: Input/output and co-processors dr.ir. A.C. Verschueren.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 3: Input/output and co-processors dr.ir. A.C. Verschueren.
FIU Chapter 7: Input/Output Jerome Crooks Panyawat Chiamprasert

FIU Chapter 7: Input/Output Jerome Crooks Panyawat Chiamprasert
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
1 Soft Timers: Efficient Microsecond Software Timer Support For Network Processing Mohit Aron and Peter Druschel Rice University Presented By Jonathan.

1 Soft Timers: Efficient Microsecond Software Timer Support For Network Processing Mohit Aron and Peter Druschel Rice University Presented By Jonathan.
OS Spring’03 Introduction Operating Systems Spring 2003.

OS Spring’03 Introduction Operating Systems Spring 2003.
University College Cork IRELAND Hardware Concepts An understanding of computer hardware is a vital prerequisite for the study of operating systems.

University College Cork IRELAND Hardware Concepts An understanding of computer hardware is a vital prerequisite for the study of operating systems.
Computer System Organization S H Srinivasan

Computer System Organization S H Srinivasan
Midterm Wednesday 11/19 Overview: 25% First Midterm material - Number/character representation and conversion, number arithmetic - DeMorgan’s Law, Combinational.

Midterm Wednesday 11/19 Overview: 25% First Midterm material - Number/character representation and conversion, number arithmetic - DeMorgan’s Law, Combinational.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

Similar presentations

Ads by Google