Securing the Web with Decentralized Information Flow Control. Maxwell Krohn (MIT)
Securing the Web with Decentralized Information Flow Control Maxwell Krohn (MIT) in cahoots with: Alex Yip, Micah Brodsky, Petros Efstathopoulos (UCLA), Steve VanDeBogart (UCLA), Frans Kaashoek, Eddie Kohler (UCLA), David Mazières (Stanford), Robert Morris, Mike Walfish, Natan Cliffer, Cliff Frey, David Ziegler
A Computing Shift Classic PC
1. The “Classic” Attack Alice’s Data GET /xxXxxxXXxxX/Alice Web App Bob’s Data Alice’s Data Alice’s Data Chuck’s Data Doug’s Data Ed’s Data Bob
Vulnerabilities in Websites Exploits • “USAJobs.gov hit by Monster.com attack, 146,000 people affected” • “Payroll Site Closes on Security Worries” • “Hacker Accesses Thousands of Personal Data Files at CSU Chico” • “FTC Investigates PETCO.com Security Hole” • “Major Breach of UCLA’s Computer Files” • “UN Website is Defaced via SQL Injection” • “Harvard Security Breach Exposes Sensitive Student Data” • “Security Lapse Exposes Facebook Photos”
2. Server-Side Malware facebook Feature B Feature A GET /FeatureA GET /FeatureC Bob’s data Alice’s data Alice 3rd Party Feature C Bob
From Bad To Worse! • The “Classic” Attack • Server-side Malware – NEW!! 3. Others Not Considered in this talk: • XSS • Phishing
Two Options GREAT OPPORTUNITY FOR SYSTEMS BUILDERS!
My Work in Web Security • TheSpark.com, OkCupid.com • New Web Server [USENIX ’04, USENIX ’07] • Limitations of Unix [HotOS ’05] • New OS, Attempt 1 [SOSP ’05*, TOCS ’07†] • New OS, Attempt 2: “Flume” [SOSP ’07] • Ideas for the Future Web [HotNets ’07] First author is *Petros Efstathopoulos and †Steve VanDeBogart. THIS TALK
Why Is Web Security Difficult? Alice’s Data Bob’s Data Web App Storage (DB or FS) Web Server Service 4 (???) Service 1 (C++) Service 2 (Python) Service 3 (Java)
New Proposal: End-to-End Web Security [HotOS ’05] Alice’s Data Bob’s Data Web App Storage (DB or FS) Web Server Gateway Alice’s Data Alice’s Data Service 4 (???) Service 1 (C++) Service 2 (Python) Service 3 (Java)
Run-time or Compile-Time Tracking? • Web sites favor run-time tracking: • Use scripting languages • PHP, Python, Ruby, Perl, etc. • Mix-and-match different languages • Use plug-ins and third-party software Bob’s Data Chuck’s Data Alice’s Data Doug’s Data Ed’s Data Alice’s Data
Decentralized Information Flow Control (DIFC) for the OS Gateway (OS tracks data at run-time) • Inspired by PL-based DIFC [Myers ’97]
Contributions • Idea: End-to-end Web security • Realization: Build Web sites with DIFC • Model for DIFC at the OS level • API: How to build apps (for non-experts) • Implementation on Linux, OpenBSD • Case Study: MoinMoin Wiki • Generalization: a secure, extendable Web platform
Outline • Operating System Support for DIFC • Security improvement in a real Web site • Generalization
DIFC By Example Alice’s Data P { Alice } Web App gateway Bob’s Data { Alice } { Bob } DIFC KERNEL
Defining DIFC for the OS [SOSP ’07] 2. How does the kernel track data? Alice’s Data P { Alice } Web App gateway Bob’s Data { Alice } 1. How to label secret data? 3. How can the app legislate policy? { Bob } DIFC KERNEL
1. Labeling Data • Each process/file gets a secrecy label • summarizes which categories of secret data a process is assumed to have seen. • Examples: • { “Alice’s Secrets” } • { “Financial Secrets” } • { “Alice’s Secrets” and “Financial Secrets” } “tag” “label”
2. Tracking Data • For p to write to network, S_p = {} • p can write to q iff: S_p ⊆ S_q
Tracking Data: File I/O P Alice’s Data Web App S_w = { a, b } S_f = { a }
Tracking Data: IPC Helper Process p Web App S_w = { a } S_p = { b }
Defining DIFC 2. How does the kernel track data? Alice’s Data P { Alice } Web App gateway Bob’s Data { Alice } 1. How to label secret data? 3. How can the app legislate policy? { Bob } DIFC KERNEL
3. Legislating data policies • Processes can: • change labels by adding tags • allocate tags • change labels by subtracting tags
Any Processes Can Add Any Tag Web App change_label(S={b}) change_label(S={}) Sw= { b } Sw= {}
Processes Can Allocate Tags • = { a } Web App gateway S_g = {} Bob’s Data S_w = {} S = { b } DIFC KERNEL
Processes Can Allocate Tags a create_tag() “Secrecy” gateway S_g = {} D_g = { a } S_g = {} D_g = {} “Declassify”
Some Processes Can Subtract Some Tags change_label(S={a}) change_label(S={}) gateway S_g = {} D_g = { a } S_g = { a } D_g = { a }
Putting the Pieces Together helper P Alice’s Data S_p = { a } S = { a } Web App gateway S_g = {} D_g = { a, b } S_g = { a } D_g = { a, b } S_w = {} S_w = { a } D_w = {} DIFC KERNEL
Advances Over Traditional IFC • Previous systems tracked information flow control at OS level [Bell-LaPadula, KeyKOS, Orange Book, IX, SELinux, TrustedBSD, …] • Now, apps can “legislate” security policies: • create_tag() • change_label()
Outline • Operating System Support for DIFC • High-Level Design and Model • API: How to build apps (for non-experts) • Implementation on Linux, OpenBSD • Security improvement in a real Web site • Generalization
How To Build Apps [SOSP ’07 ] • Maintain existing API (Unix in our case) • “open file abstraction” • “reliable inter-process communication” • “network sockets” • “threads” • Add DIFC labels / rules • A road historically fraught with peril!
Gotcha 1: Different Labels PW DB S = { d } Network Web App gateway S = { ? } D = { a, d} S = { a } S = {}
Gotcha 2: Buggy Apps Top Secret File S = { t } Web App gateway S = { a} D = { a,d} S = { a, t} D = { a,d} S = { a }
Solution: Endpoints PW DB S = { d } e3 S_e3 = { d } Network S_e1 = { a } S_f = { a } Web App gateway f e1 e2 S_e2 = {} S = {} D = { a, d } S = { a } S = {}
Kernel Controls Flow Between Endpoints S_f ⊆ S_e1 and S_e1 ⊆ S_f S_e1 = { a } S_f = { a } Web App gateway f e1 S = {} D = { a, d } S = { a }
Endpoints Declassify Data Data enters gateway with secrecy { a } But gateway keeps its label S = {} S_e1 = { a } S_f = { a } Web App gateway f e1 S = {} D = { a, d } S = { a } Thus gateway needs a ∈ D
Restrictions on Endpoints • For process p, endpoint e: S_p − S_e ⊆ D_p • (Note, “−” is set-wise XOR, i.e. symmetric difference)
Endpoints Suppress Temptation Top Secret File { t } − { a } ⊆ D_p S = { t } S_e = { a } S_f = { a } Web App gateway X e f S = { a } S = { t } D = { a } S = {} D = { a }
Endpoints Provably Fit DIFC Model • If kernel enforces endpoint restrictions • and kernel enforces subset rule between endpoints • then process-level subset rule is upheld • (i.e., p can send to q iff S_p ⊆ S_q)
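The label rules from the slides above (any process may add a tag, subtracting a tag needs it in D, the subset rule S_p ⊆ S_q for flow, and the endpoint restriction S_p XOR S_e ⊆ D_p) replayed as a small model. This is an added example, not Flume's code or API; the class and function names are this example's own, and the tags a, b, d, t are the slides' own labels.

```python
# Added example: a toy model of the Flume DIFC rules described in the talk.
# Names (Process, add_endpoint, change_label, can_flow, demo) are hypothetical.
from typing import Dict, FrozenSet

Label = FrozenSet[str]

class Process:
    def __init__(self, name: str, S: Label = frozenset(), D: Label = frozenset()):
        self.name, self.S, self.D = name, frozenset(S), frozenset(D)
        self.endpoints: Dict[str, Label] = {}   # endpoint name -> its S_e

    def add_endpoint(self, ename: str, Se: Label) -> bool:
        """Endpoint restriction: S_p XOR S_e must lie within D_p."""
        if not (self.S ^ frozenset(Se)) <= self.D:
            return False
        self.endpoints[ename] = frozenset(Se)
        return True

    def change_label(self, new_S: Label) -> bool:
        """Anyone may add tags; subtracting tag t needs t in D (declassify).
        The new label must also keep every open endpoint within the restriction."""
        new_S = frozenset(new_S)
        if not (self.S - new_S) <= self.D:
            return False
        if any(not (new_S ^ Se) <= self.D for Se in self.endpoints.values()):
            return False
        self.S = new_S
        return True

def can_flow(src: Label, dst: Label) -> bool:
    """Subset rule: data may flow from label src to label dst iff src is a subset of dst."""
    return frozenset(src) <= frozenset(dst)

def demo() -> dict:
    gw = Process("gateway", S=set(), D={"a", "d"})        # Alice's gateway, S_g={}
    ok_e1 = gw.add_endpoint("e1", {"a"})                   # endpoint that reads file f
    file_to_e1 = can_flow({"a"}, gw.endpoints["e1"])       # f (S_f={a}) -> e1 (S_e1={a})
    gw_to_net = can_flow(gw.S, set())                      # gateway keeps S={}: may write to network
    # "Endpoints suppress temptation": a gateway with D={a} cannot raise to {t}
    tempted = Process("gateway", S={"a"}, D={"a"})
    tempted.add_endpoint("e", {"a"})
    read_top_secret = tempted.change_label({"t"})          # {t} XOR {a} = {a, t} not within D
    # Any process may add a tag, but only a D-holder may subtract it again
    app = Process("webapp")
    added_b, removed_b = app.change_label({"b"}), app.change_label(set())
    return {"e1": ok_e1, "file_to_e1": file_to_e1, "gw_to_net": gw_to_net,
            "read_top_secret": read_top_secret, "added_b": added_b,
            "removed_b": removed_b, "w_to_f": can_flow({"a", "b"}, {"a"})}
```

The last entry replays the File I/O slide: a Web App with S_w = { a, b } may not write into Alice's file with S_f = { a }.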
Outline • Operating System Support for DIFC • High-Level Design and Model • Key detail: how apps manage resources • Implementation • Result: real Web security improvements • Generalization
Flume: System Call Delegation open(“/alice/data”, O_WRONLY); Web App Flume Reference Monitor glibc Flume Libc Flume Kernel Module Linux Kernel • Works on Linux 2.6 and OpenBSD 3.9 Alice’s Data
Endpoints In Flume • Endpoints for: • File descriptors • Signal receive / signal send • Parent wait / child exit • Network • System V IPC • …etc…
Flume’s Place in the Software Stack Wiki Mobile Apps Online Banking General Web Computing Platform Etc… Flume Linux OpenBSD Windows Symbian HiStar Asbestos
Outline • Operating System Support for DIFC • Security improvement in a real Web site • Generalization
Example MoinMoin Use Alice’s Data MoinMoin Wiki Layoff Plans Free TShirts
Threat Model Plug-in 1 Plug-in 2 VULNERABLE MoinMoin Wiki Apache Python libs Flume glibc SECURED Linux Kernel FS Compiler (gcc)
Harden Biggest Pieces? Python Apache Plugins libs glibc MoinMoin Wiki Flume Linux Kernel FS gcc
Harden What’s Hard To Secure • “USAJobs.gov hit by Monster.com attack, 146,000 people affected” • “Payroll Site Closes on Security Worries” • “Hacker Accesses Thousands of Personal Data Files at CSU Chico” • “FTC Investigates PETCO.com Security Hole” • “Major Breach of UCLA’s Computer Files” • “UN Website is Defaced via SQL Injection” • “Harvard Security Breach Exposes Sensitive Student Data” • “Security Lapse Exposes Facebook Photos” Plug-in 1 Plug-in 2 MoinMoin Wiki Kernel
Implementation Strategy Alice’s Data Web App gateway Plugins Bob’s Data MoinMoin Wiki 90 kLOC FlumeWiki Gateway (1 kLOC) Python Web Server DIFC KERNEL
Implementation Flume Server UNTRUSTED Plugins MoinMoin Wiki 90 kLOC Apache Web Server FlumeWiki Gateway 1 kLOC Alice’s Data Python D_g = { a, b } TRUSTED FLUME