
Information Flow Control for Standard OS Abstractions

Information Flow Control for Standard OS Abstractions. Landon Cox, March 21, 2018. Access control and the kernel: how does the kernel know if a system call is allowed? It looks at the user id (uid) of the process making the call and at the resources accessed by the call (e.g., a file).


Presentation Transcript


  1. Information Flow Control for Standard OS Abstractions Landon Cox March 21, 2018

  2. Access control and the kernel
     • How does the kernel know if a system call is allowed?
     • Looks at the user id (uid) of the process making the call
     • Looks at the resources accessed by the call (e.g., file)
     • Checks the access-control policy associated with the resource
     • Decides if the policy allows the uid to access the resource
     • How is a uid normally assigned to a process?
     • On fork, the child inherits the parent's uid

  3. MOO accounting problem
     Diagram: Game client (uid_x) and Game client (uid_y) both write to the High score file.
     • Multi-player game called Moo
     • Want to maintain high score in a file
     • Should players be able to update score? Yes
     • Do we trust users to write the file directly? No, they could lie about their score

  4. MOO accounting problem
     Diagram: Game client (uid_x) and Game client (uid_y) report to a Trusted process (root), which writes the High score file.
     • Multi-player game called Moo
     • Want to maintain high score in a file
     • Should players be able to update score? Yes
     • Do we trust users to write the file directly? No, they could lie about their score
     • Could have a trusted process update scores
     • Why isn't this enough?
     • Can't be sure that the reported score is genuine
     • Also want to ensure that the score was computed correctly

  5. Access control
     • Simple inheritance of uids is not sufficient for tasks involving management of “user id” state
       – Logging in (login)
       – Changing passwords (passwd)
     • Solution: setuid
     • Executable files can have their setuid bit set
     • If the setuid bit is set, the process inherits the uid of the image file's owner on exec

  6. MOO accounting problem
     Diagram: Game client (uid_x) and Game client (uid_y), High score file.
     • Multi-player game called Moo
     • Want to maintain high score in a file
     • How does setuid allow us to know that the score is correct?
       – Game executable is owned by a trusted entity
       – Game cannot be modified by normal users
       – Users can run the executable though
       – High-score file is also owned by the trusted entity
     • This is a form of trustworthy computing
       – High-score maintainer knows exactly which code will update the score
       – Ensures code integrity, even when run by untrusted users
       – Also data confidentiality, since data is accessed only by code with integrity

  7. Information Flow Control (IFC)
     • Goal: track which secrets a process has seen
     • Mechanism: each process gets a secrecy label
     • Label summarizes which categories of data a process is assumed to have seen
     • Examples:
       – { “Financial Reports” }
       – { “HR Documents” }
       – { “Financial Reports” and “HR Documents” }
     Callouts on the slide: a quoted string such as “Financial Reports” is a “tag”; the set of tags is a “label”.
     Slide by Max Krohn

  8. Secrecy, Integrity, and Privilege
     Instructor question: How did endorsements work in the Moo problem?
     • Secrecy label (Sp): specifies what data P has read
       “/usr/bin/login may read the password file”
     • Integrity label (Ip): used to endorse trustworthiness of P
       “/usr/bin/login can only be updated by root”
       Also limits what P can read:
       “/usr/bin/login can only read user libs and config files endorsed by root”
     • Ownership (Op): regulates how P can update Sp and Ip
       – Tags P can add to its labels (t+), i.e., endorse via integrity label
       – Tags P can remove from its labels (t−), i.e., declassify via secrecy label
       – Dp is the set of tags that P can both add and remove
     Instructor questions: What is an endorsement? Why is this restriction necessary?

  9. Secrecy, Integrity, and Privilege
     • Secrecy: “At some point process p added data with tag s to its address space.”
       s ∈ Sp means ∃(data) : p read data with tag s
     • Integrity: “All inputs to process p had tag i.”
       i ∈ Ip means ∀(data) : p read data with tag i
     • Privilege: “p can remove tag s from Sp and add tag i to Ip.”
       s ∈ t− means p is trusted to declassify s
       i ∈ t+ means p is trusted to endorse i
       t ∈ Dp means t ∈ t− and t ∈ t+

  10. Tags + Secrecy Labels
     Universe of tags: Finance, Legal, HR, SecretProjects. For process p, Sp = secrets p has viewed; Dp = tags p can add to and remove from its label.
     • Starting state: change_label({}); Sp = {}, Dp = {}
     • Step 1: change_label({Finance}); Sp = { Finance }. Any process can add any tag to its label.
     • tag_t HR = create_tag(); Dp = { HR }. DIFC rule: a process can create a new tag and gets the ability to declassify it.
     • change_label({Finance, HR}); Sp = { Finance, HR }. Same as step 1.
     • change_label({Finance}); Sp = { Finance }. DIFC: declassification in action.
     Slide by Max Krohn

  11–17. Tags + Integrity Labels (animation across seven slides)
     Universe of tags: Finance, Legal, Apple (HR appears once it is created). For process p, Ip = endorsements of p; Dp = tags p can add to and remove from its label.
     • Slide 11: Ip = { Apple }, Dp = {}. Any process can remove any tag from its label.
     • Slide 12: change_label({}); Ip = {}, Dp = {}.
     • Slide 13: tag_t HR = create_tag(); change_label({Microsoft}); Ip stays {}, Dp = {} (Microsoft ∉ Dp).
     • Slide 14: tag_t HR = create_tag(); Ip = {}, Dp = {}.
     • Slide 15: Dp = { HR }. DIFC rule: a process can create a new tag and gets the ability to endorse with it.
     • Slide 16: change_label({HR}); Ip = {}, Dp = { HR }.
     • Slide 17: Ip = { HR }, Dp = { HR }. DIFC: endorsement in action.
     Slides by Max Krohn

  18–24. Privilege in action (secrecy) (animation across seven slides)
     Universe of secrecy tags: Finance, HR, Legal, SecretProjects. Universe of integrity tags: Admin, Microsoft, Bob's code, Alice's code.
     • Slide 18: process p with Sp = {}, Dp = { HR, Admin }.
     • Slide 19: p changes to Sp = { HR }. Why is this allowed?
     • Slides 20–21: What is the effect? A process q with Sq = { HR } is shown: p can now receive data from HR processes.
     • Slide 22: p changes back to Sp = {}. Why is this allowed?
     • Slides 23–24: What is the effect? A process r with Sr = {} is shown: p declassifies the HR data it received from q.

  25. Privilege in action (integrity)
     Universe of secrecy tags: Finance, HR, Legal, SecretProjects. Universe of integrity tags: Admin, Microsoft, Bob's code, Alice's code.
     • Process p with Ip = { Admin }, Dp = { HR, Admin }
     • Admin+ makes p a certifier

  26–37. Privilege in action (integrity) (animation across twelve slides)
     Diagram: files vi (I = { Admin }), Fake vi (I = {}), libc (I = { Admin }), /etc/rc (I = { Admin }); process p with Ip = { Admin }, Dp = { HR, Admin }.
     Scenario A, p is asked to “Run vi”:
     • Slide 28: p calls fork(); the child q starts with I = { Admin }, D = { HR, Admin }.
     • Slide 29: q drops Admin from D, leaving D = { HR }. Why drop Admin+?
     • Slide 30: q calls exec(“vi”), where vi has I = { Admin }. Should this work?
     • Slide 31: q calls load(“libc”), where libc has I = { Admin }.
     • Slide 32: q calls read(“/etc/rc”), where /etc/rc has I = { Admin }.
     Scenario B, p is asked to “Run Fakevi”:
     • Slide 34: p calls fork(); the child q starts with I = { Admin }, D = { HR, Admin }.
     • Slide 35: q drops Admin from D, leaving D = { HR }.
     • Slides 36–37: q calls exec(“fakevi”), where Fake vi has I = {}. Should this work?

  38. Communication Rule
     Diagram: Process p with Sp = { HR } sends to Process q with Sq = { HR, Finance }.
     • p can send to q iff Sp ⊆ Sq
     Slide by Max Krohn

  39. Flume Communication Rule
     Diagram: MoinMoin (p) with Sp = { Alice }, MoinMoin (r) with Sr = { Bob }, Database (q) with Sq = {} and Dq = { Alice, Bob }.
     • q changes to Sq = { Alice }
     • p sends to q (now Sp ⊆ Sq)
     • q changes back to Sq = {}
     Slide by Max Krohn

  40. Flume Communication Rule
     Diagram: same processes as slide 39 (p: Sp = { Alice }; r: Sr = { Bob }; q: Sq = {}, Dq = { Alice, Bob }).
     • p can send to q iff:
       – In IFC: Sp ⊆ Sq
       – In Flume: Sp − Dp ⊆ Sq ∪ Dq
     • Senders get extra latitude (the − Dp term); receivers get extra latitude (the ∪ Dq term)
     Slide by Max Krohn
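The label rules from slides 9–17 and the two communication rules from slides 38–40, as an added worked example (constructed model, not code from Flume or from the lecture); the process names and tag strings are assumptions taken from the MoinMoin/Database diagram:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    # Constructed model of a Flume process: secrecy S, integrity I, privilege D
    # (D = tags the process may both add and remove, i.e. declassify and endorse).
    name: str
    S: frozenset = frozenset()
    I: frozenset = frozenset()
    D: frozenset = frozenset()

def change_secrecy(p, new_S):
    # Slide 10: any tag may be added to Sp; removing t (declassifying) requires t in Dp.
    new_S = frozenset(new_S)
    if not (p.S - new_S) <= p.D:
        raise PermissionError(f"{p.name} cannot declassify {sorted(p.S - new_S - p.D)}")
    return Proc(p.name, new_S, p.I, p.D)

def change_integrity(p, new_I):
    # Slides 11-17: any tag may be dropped from Ip; adding t (endorsing) requires t in Dp.
    new_I = frozenset(new_I)
    if not (new_I - p.I) <= p.D:
        raise PermissionError(f"{p.name} cannot endorse {sorted(new_I - p.I - p.D)}")
    return Proc(p.name, p.S, new_I, p.D)

def ifc_can_send(p, q):
    # Slide 38: classic rule, p may send to q iff Sp is a subset of Sq.
    return p.S <= q.S

def flume_can_send(p, q):
    # Slide 40: Flume rule, p may send to q iff (Sp - Dp) is a subset of (Sq union Dq).
    return (p.S - p.D) <= (q.S | q.D)

def wiki_scenario():
    # Slides 39-40: two MoinMoin workers and a database holding Alice's and Bob's privileges.
    p = Proc("moinmoin-alice", S=frozenset({"Alice"}))
    r = Proc("moinmoin-bob", S=frozenset({"Bob"}))
    q = Proc("database", D=frozenset({"Alice", "Bob"}))
    return {
        "p->q classic": ifc_can_send(p, q),  # False: {Alice} is not a subset of {}
        "p->q flume": flume_can_send(p, q),  # True: q holds Alice in Dq, so it may receive
        "r->p flume": flume_can_send(r, p),  # False: Bob's data may not reach Alice's worker
    }
```

The database never has to raise its own label to accept Alice's rows, which is exactly the latitude the Flume rule adds over the classic one.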

  41. Unexpected Program Behavior (Unreliable Communication)
     Diagram: Process p sends “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” to Process q; q answers “I stopped reading” or “I crashed”.
     Slide by Max Krohn

  42. Unreliable communication
     Diagram: Process p (Sp = {}, Dp = { HR }) writes to stdout, which is Process q's stdin (Sq = { HR }). p sends “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…”; q's replies “SLOW DOWN!!” and “I crashed” back to p are marked with a “?”.
     Slide by Max Krohn

  43. New Abstraction: Endpoints
     Diagram: Process p (Sp = {}, Dp = { HR }) owns endpoint e with Se = { HR }; Process q (Sq = { HR }) owns endpoint f with Sf = { HR }. p sends “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” through e; q's “SLOW DOWN!!” and “I crashed” come back through f.
     • If Se ⊆ Sf, then allow e to send to f
     • If Sf ⊆ Se, then allow f to send to e
     • If Sf = Se, then allow bidirectional flow
     Slide by Max Krohn

  44. Endpoints Declassify Data
     Diagram: Process p (Sp = {}, Dp = { HR }) with endpoint e, Se = { HR }.
     • Data enters process p with secrecy { HR }
     • But p keeps its label Sp = {}
     • Thus p needs HR ∈ Dp
     Slide by Max Krohn

  45. Endpoint Invariant
     Diagram: Process p (Sp = { Finance }, Dp = { Finance, HR }) with endpoint e, Se = { HR }.
     • For any tag t ∈ Sp and t ∉ Se (export of information)
     • Or any tag t ∈ Se and t ∉ Sp (import of information)
     • It must be that t ∈ Dp
     Slide by Max Krohn

  46. Endpoints' Labels Are Independent
     Diagram: Process p (Sp = {}, Dp = { HR }) owns endpoint e with Se = { HR } and endpoint g with Sg = {}; Process q (Sq = { HR }) owns endpoint f with Sf = { HR }.
     Slide by Max Krohn
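The endpoint invariant of slide 45 and the endpoint flow rule of slide 43, checked against the p/q/e/f/g configuration of slides 43–46, as an added example (constructed model, not Flume's own code; the dictionary keys are assumptions):

```python
# Constructed model of Flume endpoints; tags are plain strings held in sets.

def endpoint_allowed(Sp, Dp, Se):
    # Slide 45: every tag in Sp but not Se (export) or in Se but not Sp (import)
    # must lie in Dp; that is, the symmetric difference of Sp and Se is covered by Dp.
    return (frozenset(Sp) ^ frozenset(Se)) <= frozenset(Dp)

def endpoint_flow(Se, Sf):
    # Slide 43: e->f iff Se is a subset of Sf, f->e iff Sf is a subset of Se,
    # and equal labels allow flow in both directions (data one way, back-pressure the other).
    Se, Sf = frozenset(Se), frozenset(Sf)
    return {"e->f": Se <= Sf, "f->e": Sf <= Se, "bidirectional": Se == Sf}

def slide_46_scenario():
    # p: Sp = {}, Dp = {HR}, endpoints e (Se = {HR}) and g (Sg = {}); q: Sq = {HR}, endpoint f (Sf = {HR}).
    Sp, Dp, Se, Sg = set(), {"HR"}, {"HR"}, set()
    Sq, Sf = {"HR"}, {"HR"}
    return {
        "e legal on p": endpoint_allowed(Sp, Dp, Se),          # True: HR in Dp, so p may import HR via e
        "g legal on p": endpoint_allowed(Sp, Dp, Sg),          # True: g's label equals Sp, nothing to cover
        "f legal on q": endpoint_allowed(Sq, set(), Sf),       # True: no difference, so no privilege needed
        "e<->f": endpoint_flow(Se, Sf),                        # all True: labels equal, both directions flow
        "e without HR privilege": endpoint_allowed(Sp, set(), Se),  # False: e would declassify HR for free
    }
```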

  47. Example App: MoinMoin Wiki
     Slide by Max Krohn

  48. How Problems Arise…
     MoinMoin Wiki (100 kLOC) guards pages such as LayoffPlans and FreeTShirts with checks like this one, which appears 43 times (x43) in the code base:
         if not self.request.user.may.read(pagename):
             return self.notAllowedFault()
     Slide by Max Krohn

  49. MoinMoin + DIFC
     Diagram: Apache Web Server in front of MoinMoin Wiki (100 kLOC, untrusted) and a Declassifier (1 kLOC, trusted) that mediates access to the pages LayoffPlans and FreeTShirts.
     Slide by Max Krohn

  50. FlumeWiki
     Diagram: Web Client → GET /LayoffPlans?user=Intern&PW=abcd → Apache (Flume-oblivious, unconfined) → Declassifier (1 kLOC, unconfined) → reliable IPC → MoinMoin (100 kLOC, confined) → file I/O → pages LayoffPlans (S = { HR }) and FreeTShirts (S = {}).
     Slide by Max Krohn