
Make Least Privilege A Right (Not a Privilege)

Make Least Privilege A Right (Not a Privilege). Petros Efstathopoulos, Cliff Frey, Frans Kaashoek, Eddie Kohler, Max Krohn, David Mazières, Robert Morris, Michelle Osborne, Steve VanDeBogart, David Ziegler (MIT, NYU, UCLA). Giving talk at HotOS but not in program.





Presentation Transcript


  1. Make Least Privilege A Right (Not a Privilege) Petros Efstathopoulos, Cliff Frey, Frans Kaashoek, Eddie Kohler, Max Krohn, David Mazières, Robert Morris, Michelle Osborne, Steve VanDeBogart, David Ziegler (MIT, NYU, UCLA) Giving talk at HotOS but not in program

  2. HotOS Talk Template • Technique T was tried before but didn't catch on, but the emergence of X suggests we should try T again. • Instantiate With: T="MANDATORY ACCESS CONTROL" X="THE INTERNET SECURITY MORASS"

  3. The Problem • Stolen credit cards and SSNs • Alice can get Bob's data

  4. How can she? • Buffer overruns • Trojaned machines • SQL injection • Misapplied Access Controls • Social Engineering • Find a UPS box full of hard drives • Sniffed passwords SORRY!

  5. Application Developers Need… • To create policies to control data flow through a complex system. • Alice can't read Bob's data. • To express policy in a simple way

  6. Outline • Achievable on UNIX? • If not UNIX then what? Running example: Web server serving private customer data

  7. [Diagram: Apache processes 1, 2 and 3, each handling Alice, Bob, Charlie and Doug; sh, sendmail, a r00t sh and the database shown alongside]

  8. [Diagram: the same Apache processes 1, 2 and 3 serving Alice, Bob, Charlie and Doug, with /etc/passwd, /bin/su, /etc/ssh/ssh_host_key, /usr/lib/sendmail and the database shown alongside]

  9. Apache Recap • Process boundaries don't align with security goals. • What about a separate process per user? • Need a helper "demux" process to route connections.

  10. [Diagram: GET /home?u=ALICE&p=PASS arrives at the demux, which routes it to Apache++ processes 1, 2 and 3 (Alice, Bob, Charlie), all backed by the database]

  11. "SHOW ME YOUR ID" UID=0 demux Apache++ Apache++ Apache++ Alice Bob Charlie Process 1 Process 2 Process 3 "LET'S SEE SOME ID" logger database

  12. UNIX Shortcomings • Programming • Separation of processes is unnatural • Performance • memory + CPU • Security • Privileged launcher process • Access control scattered throughout • All shared resources are in the TCB

  13. II. Asbestos: A New OS • Mandatory access control (MAC) • Use compartments to track (and control) data flow. • Previous systems don't fit the bill: • rigid policies determined by kernel • centralized declassification • taint accumulation

  14. [Diagram: Alice, sh, sendmail]

  15. Asbestos Feature • Applications can introduce compartments • Process owns a compartment it creates • system ensures data does not escape compartment without the owner's permission

  16. [Diagram: GET /home?u=ALICE&p=PASS passes through Userland TCP, the data tagger, AsbestosWS and the Database; restore() is marked on Userland TCP, AsbestosWS and the Database; callout "GRANT Privilege To Escape Red Compartment"]

  17. [Diagram: GET /home?u=BOB&p=PFASS passes through Userland TCP, the data tagger, AsbestosWS and the Database]

  18. [Diagram: GET /home?u=ALICE&p=PASS&kiLL=BaBieS passes through Userland TCP, the data tagger, AsbestosWS and the Database, with Userland TCP and AsbestosWS each shown twice]

  19. [Diagram: GET /home?u=ALICE&p=PASS&SQL=SELECT+*+ passes through TCP, the data tagger, AsbestosWS, sh, a DB client and the Database, each shown twice]
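As an added illustration of slides 15 through 19 (constructed here, not code from the talk or from the Asbestos project), a small Python simulation of compartment-tracked data flow: the process names, the clearance rule for network connections and the grant/escape methods are assumptions, simplified from the Asbestos label model.

```python
class CompartmentError(Exception):
    """Raised when a send would let data escape a compartment."""
class Kernel:
    # Constructed simulation of Asbestos-style label tracking (assumption,
    # not the real Asbestos API): tags mark compartments, taint follows data.
    def __init__(self):
        self.escape = {}     # process -> tags it may strip (declassify)
        self.taint = {}      # process -> tags it has been exposed to
        self.clearance = {}  # process -> tags it may hold; None = any
    def spawn(self, name, clearance=None):
        self.escape[name], self.taint[name] = set(), set()
        self.clearance[name] = clearance
        return name
    def new_compartment(self, creator, tag):
        self.escape[creator].add(tag)    # the creator owns and may escape it
        return tag
    def grant(self, giver, receiver, tag):
        if tag not in self.escape[giver]:  # only a holder may pass it on
            raise CompartmentError(f"{giver} may not grant {tag}")
        self.escape[receiver].add(tag)
    def send(self, src, dst, tags=()):
        # Data carries the sender's taint (minus tags it may strip) plus tags it applies explicitly.
        label = (self.taint[src] - self.escape[src]) | set(tags)
        residual = label - self.escape[dst]  # tags the receiver cannot strip
        if self.clearance[dst] is not None and not residual <= self.clearance[dst]:
            raise CompartmentError(f"{src}->{dst} would leak {sorted(residual)}")
        self.taint[dst] |= residual          # taint accumulates in the receiver
        return residual

def web_server_scenario():
    """Slides 16-19: a worker tainted with Alice's data may answer Alice only."""
    k = Kernel()
    tagger, ws = k.spawn("tagger"), k.spawn("AsbestosWS")
    alice_conn = k.spawn("tcp:alice", clearance=set())  # network edge: no taint
    bob_conn = k.spawn("tcp:bob", clearance=set())
    alice = k.new_compartment(tagger, "alice")
    bob = k.new_compartment(tagger, "bob")
    k.grant(tagger, alice_conn, alice)  # restore(): Alice may see her own data
    k.grant(tagger, bob_conn, bob)
    k.send(tagger, ws, tags={alice})    # Alice's request taints the worker
    out = {"alice_reply": k.send(ws, alice_conn) == set()}
    sh = k.spawn("sh")                  # slide 19: an exploit spawns a shell
    k.send(ws, sh)                      # the shell inherits Alice's taint
    for leaker in (ws, sh):             # neither may reach Bob's connection
        try:
            k.send(leaker, bob_conn)
            out["leak_from_" + leaker] = True
        except CompartmentError:
            out["leak_from_" + leaker] = False
    return out
```

A worker that later also handled Bob's request would carry both tags and could answer neither connection, which is why the design runs one AsbestosWS per user.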

  20. The Asbestos Web Server • Trusted components (what to audit): the kernel, the data tagger • What can be buggy: everything else [diagram labels: THE KERNEL, data tagger, stats collectors, high-perf DB]

  21. Asbestos Recap • Programming • Separation is natural • Performance • Probably scalable (memory and CPU) • Security – The tagger: • has no privileges with respect to the rest of the system (i.e., /etc/passwd) • is a small program • solely in charge of access control

  22. Conclusion • Need a new OS • Keeping Alice away from Bob's data is hard and unnatural on UNIX • Let's try MAC again! • more flexible for application designers.

  23. Thank you asbestos@scs.cs.nyu.edu

  24. [Diagram: the demux routing to Apache++ processes 1, 2 and 3 (Alice, Bob, Charlie) and the database]

  25. [Diagram: a demux/VMM fronting Apache++ in VM 1, VM 2 and VM 3 (Alice, Bob, Charlie) and the database]

  26. Capabilities? • Apache++ / database communicate over an FD even though Apache++ is jailed

  27. [Diagram, as on slide 24: the demux routing to Apache++ processes 1, 2 and 3 (Alice, Bob, Charlie) and the database]

  28. Related Work • Capabilities • EROS, KeyKOS, L4 • Virtual-machine based isolation • MAC • IX, Orange Book, Jif • Trusted BSD, SE Linux, Trusted Solaris • Language-based approaches • Java, Singularity, Coyotos, Perl
