Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Flow Language and System Level 1Dennis Kafura – CS5204 – Operating Systems.

Published byBarry Ray Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Flow Language and System Level 1Dennis Kafura – CS5204 – Operating Systems."— Presentation transcript:

1 Information Flow Language and System Level 1Dennis Kafura – CS5204 – Operating Systems

2 Information Flow Concept Information flow  Long-term confinement of information to authorized receivers  Controls how information moves among data handlers and data storage units  Applied at language, system, or application levels Examples:  Insure that “secret” data is only revealed to individuals with a suitably high clearance level  Guarantee that information available to a process cannot leak to the network  Certify that the outputs of a program only contain information derived from specified inputs Dennis Kafura – CS5204 – Operating Systems2

3 Information Flow System Example Guarantee that the anti-virus (AV) scanner cannot leak to the network any data found in its scan of user files Possible leak methods  Send data directly to a network connection  Conspire with other processes (e.g, sendmail or httpd)  Subvert another process and use its network access to send data  Leave data in /tmp for other processes (e.g., the AV update daemon) to send  Use other in/direct means of communication with the update daemon Dennis Kafura – CS5204 – Operating Systems3

4 Information Flow Denning Model Flow model where  N = {a,b,…} is a set of logical storage objects  P = {p,q,…} is a set of processes (active objects)  SC = {A.,B,…} is a set of security classes Disjoint classes of information Each is bound to a security class  Notation: a  may be static or dynamic (varies with content)  Class combining operator: a b N  Flow relation: iff information in class A is allowed to flow into class B Dennis Kafura – CS5204 – Operating Systems4

5 Information Flow Example Security Classes Dennis Kafura – CS5204 – Operating Systems5 public top secret confidential secret (TS,[dip]) (S,[]} (TS,[]) (S,[mil])(S,[dip]) (TS,[mil])(S,[dip,mil]) (TS,[dip,mil]) Adapted from K. Rosen Discrete Mathematics and its Applications, 2003.

6 Information Flow Class Combining Operations Dennis Kafura – CS5204 – Operating Systems6 (TS,[dip]) (S,[]} (TS,[]) (S,[mil])(S,[dip]) (TS,[mil])(S,[dip,mil]) (TS,[dip,mil]) least upper bound greatest lower bound

7 Information Flow Implicit/Explicit flows In the statement: a=b+c;  There is explicit flow from b to a and from c to a  Here written as a  b and a  c In the statement: if (a =0) {b = c;}  There is an explict flow from c to b (b  c)  There is an implicit flow from a to b (b  a) Because testing the value of b before and after the statement can reveal the value of a In the statement: if (c) {a=b+1;d=e+2;}  explicit flows from b to a and from e to d (a  b, e  d)  implicit flows from c to a and from c to d (a  c, d  c) Dennis Kafura – CS5204 – Operating Systems7

8 Information Flow Security Requirements Elementary statement  S: b  a 1,…,a n  is secure if b  a 1,…, b  a n are secure  i.e., if a 1  b,…, a n  b  i.e., if is allowed Sequence  S = S 1 ; S 2  Is secure if both S 1 and S 2 are secure Conditional  S = c: S 1,…, S n where S i updates b i  is secure if b i  c for i=1..n are secure  i.e. if is allowed Dennis Kafura – CS5204 – Operating Systems8

9 Information Flow Static Binding Access Control  Process p can read from a only if a  p  Process p can write to b only if p  b  In general, Data Mark Machine  Associate a security class with the program counter  For conditional statement c:S Push p onto the stack Set p to p c  For statement S that with b  a1,…,an Verify that Dennis Kafura – CS5204 – Operating Systems9 ⊕ ⊕

10 Information Flow Static Binding Compiler-based  For elementary statement S: f(a 1,…,a n )  b verify that is allowed Set S to b  For sequence S = S 1 ;S 2 Set S to S 1 S 2  For conditional structure S = c: S 1,…,S m Set S to S 1 … S m Verify that c  S Dennis Kafura – CS5204 – Operating Systems10

11 Information Flow Dynamic Binding A pure dynamic binding is not practical  Typical that some objects and most users have a static security class Dynamic Data Mark Machine  Difficult to account for implicit flows, so…  Compiler determines implicit flows and  Inserts additional instructions to update class associated with program counter accordingly  Accounts for implicit flows even if flow not executed Dennis Kafura – CS5204 – Operating Systems11

12 Information Flow HiStar : System Level Flow Control Basic ideas  Files and process are associated with a label whose taint restricts the flow to lesser tainted components  Many categories of taint each owned by its creator  Selected components (e.g., wrap) can be given untainting privileges Dennis Kafura – CS5204 – Operating Systems12

13 Information Flow Labels Structure  L = {c 1 l 1, c 2 l 2,…,c n l n,l default }  Each c i is a category and l i is the taint level in that category  l default is the default level for unnamed categories  L(c) = l i if c=c i for some i and l default otherwise Levels Dennis Kafura – CS5204 – Operating Systems13

14 Information Flow General rule:  information can flow from O 1 to O 2 only if O 2 is at least as tainted as O 1 in every category  Information cannot flow from O 1 to O 2 if O 1 is more tainted in some category than O 2  Example  Thread T with L T ={1}, object O with L O ={c3,1}  L T (c)=1 < 3=L O (c)  Flow is permitted from T to O (i.e., T can write to O)  No flow permitted from O to T (i.e., T cannot read/observe O) Dennis Kafura – CS5204 – Operating Systems14

15 Information Flow Example with Labels User data labels set so that only owner can read (b r 3) and write (b w 0) Wrap program has ownership to read (b r ⋆ ) user data which it delegates to scanner Wrap creates category v to (1) prevent the scanner from modifying User Data (since User Data has default level 1) and (2) prevent scanner from communicating with network Dennis Kafura – CS5204 – Operating Systems15

16 Information Flow Notation Information flow Treatment of level ⋆  ⋆ should be high for reading, but low for writing  Notation provides two ownership symbols  Used as L ⋆ and L ⍟ ; for example if L={a ⋆, b ⍟, 1} then L ⍟ = {a ⍟,b ⍟,1} and L ⋆ = {a ⋆,b ⋆,1} Flow restriction:  T can read/observe O only if  T can write/modify O only if Dennis Kafura – CS5204 – Operating Systems16

17 Information Flow Kernel Object Types Object structure  objectID (unique, 61 bit)  label (threads also have clearance label)  quota  metadata (64 bytes)  flags Dennis Kafura – CS5204 – Operating Systems17 Segment: variable-length byte array

18 Information Flow Design Rationale Kernel interface  The contents of object A can only affect object B if, for every category c in which A is more tainted than B, a thread owning c takes part in the process.  Provides end-to-end guarantee of which system components can affect which others without need to understand component details Application structure  Organize applications so that key categories are owned by small amounts of code  Bulk of the system is not security critical Dennis Kafura – CS5204 – Operating Systems18

19 Information Flow Threads Labels  normal label, L T  clearance label, C T, giving an upper bound on its own label and the label of objects it creates or grants storage to Category creation  Creates a random previously unused category  with L T (c)  ⋆ and C T (c)  3 Raise its own label to L provided Change clearance label to C provided Object with label L created by T have Spawned threads T’ have labels T can read label of T’ only if Have a one-page local segment for scratch space Dennis Kafura – CS5204 – Operating Systems19

20 Information Flow Containers Hierarchical object allocation/deallocation Creating object with label L in container D by thread T requires and object in a container is referenced by a container entry Automatic deallocation of objects unreachable from a specially-designated root container Quotas  Limits each objects storage usage  Container usage is its own space + quotas of all contained objects Dennis Kafura – CS5204 – Operating Systems20

21 Information Flow Address Spaces Associated with a running thread A collection of segments mapped via the list  VA   S =  offset, napges can specify subset of S  flags contain memory permission bits Thread T can  modify address space A only if  use or observe A only if Dennis Kafura – CS5204 – Operating Systems21

22 Information Flow Gates Provide protected control transfer Arguments and return values passed via thread local segment May be used to transfer privileges Dennis Kafura – CS5204 – Operating Systems22 [stack pointer] Gate L G, C G State address space entry point T closure arguments

23 Information Flow Invocation using Gates Invocation permitted when Note: L V used only for verification at Gate Dennis Kafura – CS5204 – Operating Systems23 [stack pointer] Gate L G, C G State address space entry point T closure arguments (L R, C R ) LVLV

24 Information Flow HiStar Implementation Design for a simple interface to a small fully-trusted kernel Typical Unix abstractions provided at the user level Dennis Kafura – CS5204 – Operating Systems24 15,200 lines 10,000 lines HiStar Kernel Linux sys call emulation uClibc network daemon authentication daemon

25 Information Flow Processes in HiStar Dennis Kafura – CS5204 – Operating Systems25 Note: a process is a user-level convention

26 Information Flow User Authentication No highly-trusted processes User supplied (tailorable) authentication service Director Service: maps user names to authentication service daemons (returns gate to user auth. service) Authentication service: owns categories and grants them to successful login clients Complication: login does not trust the authentication service with the user’s password! Dennis Kafura – CS5204 – Operating Systems26

27 Information Flow User Authentication Dennis Kafura – CS5204 – Operating Systems27 Solution: a three step process Key point: login and UAS collaborate to create trusted check gate  Login creates check code in segment marked immutable and a gate with clearance to have password  UAS can verify code to assure safe execution with user privileges

28 Information Flow Performance: microbenchmarks Dennis Kafura – CS5204 – Operating Systems28

29 Information Flow Performance: application-level Dennis Kafura – CS5204 – Operating Systems29

Download ppt "Information Flow Language and System Level 1Dennis Kafura – CS5204 – Operating Systems."

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
Threads, SMP, and Microkernels

Threads, SMP, and Microkernels
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
CS426Fall 2010/Lecture 71 Computer Security CS 426 Lecture 7 Operating System Security Basics.

CS426Fall 2010/Lecture 71 Computer Security CS 426 Lecture 7 Operating System Security Basics.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Bilkent University Department of Computer Engineering

Bilkent University Department of Computer Engineering
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Processes CSCI 444/544 Operating Systems Fall 2008.

Processes CSCI 444/544 Operating Systems Fall 2008.
Assemblers Dr. Monther Aldwairi 10/21/20071Dr. Monther Aldwairi.

Assemblers Dr. Monther Aldwairi 10/21/20071Dr. Monther Aldwairi.
Verifiable Security Goals

Verifiable Security Goals
Variables Six properties: Binding times of properties:

Variables Six properties: Binding times of properties:
Home: www.cse.dmu.ac.uk/~pkang Phones OFF Please Unix Kernel Parminder Singh Kang Home: www.cse.dmu.ac.uk/~pkang Email: pkang@dmu.ac.uk.

Home: Phones OFF Please Unix Kernel Parminder Singh Kang Home:
Run time vs. Compile time

Run time vs. Compile time
Process in Unix, Linux and Windows CS-3013 C-term 20081 Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.

Process in Unix, Linux and Windows CS-3013 C-term Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.
The environment of the computation Declarations introduce names that denote entities. At execution-time, entities are bound to values or to locations:

The environment of the computation Declarations introduce names that denote entities. At execution-time, entities are bound to values or to locations:
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.

1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
G22.3250-001 Robert Grimm New York University Protection and the Control of Information Sharing in Multics.

G Robert Grimm New York University Protection and the Control of Information Sharing in Multics.

Similar presentations

Ads by Google