1 / 49

Information Flow Control For Standard OS Abstractions

Information Flow Control For Standard OS Abstractions. Max Krohn , Alex Yip, Micah Brodsky, Natan Cliffer , Frans Kaashoek , Eddie Kohler, Robert Morris. Vulnerabilities in Websites  Exploits. Web software is buggy Attackers find and exploit these bugs Data is stolen / Corrupted

katima
Download Presentation

Information Flow Control For Standard OS Abstractions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, NatanCliffer, FransKaashoek, Eddie Kohler, Robert Morris

  2. Vulnerabilities in Websites  Exploits • Web software is buggy • Attackers find and exploit these bugs • Data is stolen / Corrupted • “USAJobs.gov hit by Monster.com attack, 146,000 people affected” • “UN Website is Defaced via SQL Injection” • “Payroll Site Closes on Security Worries” • “Hacker Accesses Thousands of Personal Data Files at CSU Chico” • “FTC Investigates PETCO.com Security Hole” • “Major Breach of UCLA’s Computer Files” • “Restructured Text Include Directive Does Not Respect ACLs”

  3. Decentralized Information Flow Control (DIFC) CEO “I am the CEO. My PW is 123” Layoff Plans P Web App Web App GET /LayoffPlans “OK” Declassifier Free TShirts Intern

  4. Decentralized Information Flow Control (DIFC) CEO Layoff Plans Web App Web App Declassifier /tmpFile Free TShirts GET ^@^$^$# GET /LayoffPlans Helper Process Intern

  5. Why is DIFC a cult? U.S.S. DIFC

  6. Who Needs to Understand DIFC? CEO Layoff Plans Web App Web App Declassifier /tmpFile Free TShirts Helper Process Intern

  7. Why is Today’s DIFC DIFfiCult? • Label systems are complex • Unexpected program behavior • Cannot reuse existing code • Drivers, SMP support, standard libraries

  8. Unexpected Program Behavior (Unreliable Communication) Process p Process q P “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” “I stopped reading” “I crashed”

  9. Unexpected Program Behavior (Mysterious Failures) File Process q Process p

  10. Solution/Outline • Flume: Solves DIFC Problems • User-level implementation of DIFC on Linux • Simple label system • Endpoints: Glue Between Unix API and Labels • Application + Evaluation • Real Web software secured by Flume

  11. Outline • Flume: Solves DIFC Problems • User-level implementation of DIFC on Linux • Simple label system • Endpoints: Glue Between Unix API and Labels • Application + Evaluation

  12. Flume Implementation • Goal: User-level implementation • apt-get install flume • Approach: • System Call Delegation [Ostia by Garfinkel et al, 2003] • Use Linux 2.6 (or OpenBSD 3.9)

  13. System Call Delegation open(“/hr/LayoffPlans”, O_RDONLY); Web App glibc Linux Kernel Layoff Plans

  14. System Call Delegation open(“/hr/LayoffPlans”, O_RDONLY); Web App Web App Flume Reference Monitor Flume Libc Linux Kernel Layoff Plans

  15. Three Classes of Processes Flume-Oblivious Unconfined/ Mediators Confined Flume Reference Monitor Flume Reference Monitor Flume Reference Monitor Process p Process p Process p Linux Kernel Linux Kernel Linux Kernel

  16. Outline • Flume: Solves DIFC Problems • User-level implementation of DIFC on Linux • Simple label system • Endpoints: Glue Between Unix API and Labels • Application + Evaluation

  17. Information Flow Control (IFC) • Goal: track which secrets a process has seen • Mechanism: each process gets a secrecylabel • Label summarizes which categories of data a process is assumed to have seen. • Examples: • { “Financial Reports” } • { “HR Documents” } • { “Financial Reports” and “HR Documents” } “tag” “label”

  18. Tags + Labels change_label({Finance}); Process p tag_t HR = create_tag(); change_label({}); Any process can add any tag to its label. change_label({Finance,HR}); Sp = { Finance, HR } Sp = { Finance } Sp = {} DIFC Rule: A process can create a new tag; gets ability to declassify it. change_label({Finance}); Dp = {} Dp = { HR } Same as Step 1. DIFC: Declassification in action. Finance HR Legal Universe of Tags: SecretProjects

  19. Communication Rule P Process p Process q Sp = {HR} Sq = {HR, Finance} p can send to qiffSpÍ Sq

  20. Outline • Flume: Solves DIFC Problems • User-level implementation of DIFC on Linux • Simple label system • Endpoints: Glue Between Unix API and Labels • Application + Evaluation

  21. Recall: Communication Problem Process p Process q stdout stdin Sp = {} Dp = { HR } Sq = {HR} P “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” ? “SLOW DOWN!!” “I crashed”

  22. New Abstraction: Endpoints Process p Process q e f Se = { HR } Sf = { HR } Sp = {} Dp = { HR } Sq = {HR} P • If SeÍ Sf, then allow e to send to f • If SfÍ Se, then allow f to send to e • If Sf = Se , then allow bidirectional flow “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” P “SLOW DOWN!!” “I crashed”

  23. Endpoints Declassify Data Data enters process p with secrecy { HR } But p keeps its label Sp = {} Process p e Se = { HR } Sp = {} Dp = { HR } Thus p needs HRÎDp

  24. Endpoint Invariant Writing • For any tag tÎSp and tÏ Se • Or any tag tÎSe and t Ï Sp • It must be that tÎDp Reading Process p e Se = { HR } Sp = { Finance } Dp = { Finance, HR}

  25. Endpoints Labels Are Independent g Sg = {} Process p Process q e f Se = { HR } Sf = { HR } Sp = {} Dp = { HR } Sq = {HR}

  26. Recall: Mysterious Failures File Process q Process p

  27. Endpoints Reveal Errors Eagerly Process p /tmp/public.dat Dp = {} e Se = {} Sp = {} Spublic.dat = {} ? Sp = { HR } Process q Violates endpoint invariant! Sp – Se = { HR} Í Dp Sq = { HR } • open(“/tmp/public.dat”, O_WRONLY); • change_label({HR})

  28. Endpoints Reveal Errors Eagerly Process p /tmp/public.dat Dp = {} e Se = {} Sp = {} Spublic.dat = {} Sp = { HR } Process q Sq = { HR } • fd = open(“/tmp/public.dat”, O_WRONLY); • close(fd); • change_label({HR})

  29. Outline • Flume: Solves DIFC Problems • Application + Evaluation

  30. Questions for Evaluation • Does Flume allow adoption of Unix software? • Does Flume solve security vulnerabilities? • Does Flume perform reasonably?

  31. Example App: MoinMoin Wiki

  32. How Problems Arise… if not self.request.user.may.read(pagename): return self.notAllowedFault() x43 LayoffPlans MoinMoin Wiki (100 kLOC) FreeTShirts

  33. MoinMoin + DIFC LayoffPlans Apache Web Server MoinMoin Wiki (100 kLOC) Declassifier 1 kLOC FreeTShirts Trusted Untrusted

  34. FlumeWiki Flume-Oblivious unconfined confined reliable IPC Web Client GET /LayoffPlans?user=Intern&PW=abcd LayoffPlans S={ HR } Apache Declassifier 1 kLOC MoinMoin (100 kLOC) FreeTShirts S={} file I/O

  35. Future Work Web Client GET /LayoffPlans?user=Intern&PW=abcd LayoffPlans Totally Suspect Software S={ HR } Apache Declassifier 1 kLOC FreeTShirts S={}

  36. Results • Does Flume allow adoption of Unix software? • 1,000 LOC launcher/declassifier • 1,000 out of 100,000 LOC in MoinMoin changed • Python interpreter, Apache, unchanged • Does Flume solve security vulnerabilities? • Without our knowing, we inherited two ACL bypass bugs from MoinMoin • Both are not exploitable in Flume’s MoinMoin • Does Flume perform reasonably? • Performs within a factor of 2 of the original on read and write benchmarks

  37. Most Related Work • Asbestos, HiStar: New DIFC OSes • Jif: DIFC at the language level • Ostia, Plash: Implementation techniques • Classical MAC literature (Bell-LaPadula, Biba, Orange Book MAC, Lattice Model, etc.)

  38. Limitations • Bigger TCB than HiStar / Asbestos • Linux stack (Kernel + glibc + linker) • Reference monitor (~22 kLOC) • Covert channels via disk quotas • Confined processes like MoinMoin don’t get full POSIX API. • spawn() instead of fork()&exec() • flume_pipe() instead of pipe()

  39. Summary • DIFC is a challenge to Programmers • Flume: DIFC in User-Level • Preserves legacy software • Complements today’s programming techniques • MoinMoin Wiki: Flume works as promised • Invite you to play around: http://flume.csail.mit.edu

  40. Thanks! To: ITRI, Nokia, NSF and You

  41. Reasons to Read the Paper • Generalized security properties • Including: Novel integrity policies • Support for very large labels • Support for clusters of Flume Machines

  42. Flume’s Rule is Fast • Recall: p can send to qiff: Sp – DpÍ SqÈDq • To Compute: • for each tag tÎSp: • IftÏSqandt Ï Dpandt Ï Dq: • output “NO” • output “OK” • Runs in time proportional to size of Sp. • No need to enumerate Dp or Dq !!!

  43. Flume Communication Rule P ? ? Database (q) • q changes to Sq = { Alice } • p sends to q • q changes back to Sq= {} MoinMoin (p) MoinMoin (r) Sr = { Bob } Sp = { Alice } Sq = {} Dq = { Alice, Bob } Sq = { Alice } Dq = { Alice, Bob } SpÍ Sq

  44. Flume Communication Rule P P Database (q) • p can send to qiff: • In IFC: SpÍ Sq • In Flume: Sp – DpÍ SqÈDq MoinMoin (p) MoinMoin (r) Sr = { Bob } Sp = { Alice } Sq = {} Dq= { Alice, Bob } Senders get extra latitude Receivers get extra latitude

  45. Flume Kernel Module open(“/alice/inbox.dat”, O_RDONLY); Web App Flume Reference Monitor mov $0x5, %eax int $0x80 open(…) P Flume Libc Flume Kernel Module Linux Kernel Alice’s Data

  46. Reference Monitor Proxies Pipes write(0, “some data”, 10); Flume Reference Monitor Web App Helper Process Linux Kernel

  47. Unconfined Processes “Unconfined processes get e ^endpoint.” stderr e ^ getpwent TCP Socket Se^ = {} /tmp/public.dat sendmail DIFC kill P mmap’ed memory P Spublic.dat = {} ioctl sigcatch fork’ed child • change_label({HR}) Process q Dp = { HR } Dp = {} Sp = {} Sp = { HR } Sq = { HR }

  48. Endpoints Reveal Errors Eagerly Process p /tmp/public.dat Dp = {HR} e Se = {} P Sp = {} Spublic.dat = {} Sp = { HR } Process q Sq = { HR } P • open(“/tmp/public.dat”, O_WRONLY); • change_label({HR})

  49. Why Do We Need Sp? Process p e Se = { Finance, HR } Sp = { Finance } Dp = { HR}

More Related