Information Flow Control For Standard OS Abstractions

Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, NatanCliffer, FransKaashoek, Eddie Kohler, Robert Morris

Vulnerabilities in Websites  Exploits • Web software is buggy • Attackers find and exploit these bugs • Data is stolen / Corrupted • “USAJobs.gov hit by Monster.com attack, 146,000 people affected” • “UN Website is Defaced via SQL Injection” • “Payroll Site Closes on Security Worries” • “Hacker Accesses Thousands of Personal Data Files at CSU Chico” • “FTC Investigates PETCO.com Security Hole” • “Major Breach of UCLA’s Computer Files” • “Restructured Text Include Directive Does Not Respect ACLs”

Decentralized Information Flow Control (DIFC) CEO “I am the CEO. My PW is 123” Layoff Plans P Web App Web App GET /LayoffPlans “OK” Declassifier Free TShirts Intern

Decentralized Information Flow Control (DIFC) CEO Layoff Plans Web App Web App Declassifier /tmpFile Free TShirts GET ^@^$^$# GET /LayoffPlans Helper Process Intern

Why is DIFC a cult? U.S.S. DIFC

Who Needs to Understand DIFC? CEO Layoff Plans Web App Web App Declassifier /tmpFile Free TShirts Helper Process Intern

Why is Today’s DIFC DIFfiCult? • Label systems are complex • Unexpected program behavior • Cannot reuse existing code • Drivers, SMP support, standard libraries

Unexpected Program Behavior (Unreliable Communication) Process p Process q P “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” “I stopped reading” “I crashed”

Unexpected Program Behavior (Mysterious Failures) File Process q Process p

Solution/Outline • Flume: Solves DIFC Problems • User-level implementation of DIFC on Linux • Simple label system • Endpoints: Glue Between Unix API and Labels • Application + Evaluation • Real Web software secured by Flume

Outline • Flume: Solves DIFC Problems • User-level implementation of DIFC on Linux • Simple label system • Endpoints: Glue Between Unix API and Labels • Application + Evaluation

Flume Implementation • Goal: User-level implementation • apt-get install flume • Approach: • System Call Delegation [Ostia by Garfinkel et al, 2003] • Use Linux 2.6 (or OpenBSD 3.9)

System Call Delegation open(“/hr/LayoffPlans”, O_RDONLY); Web App glibc Linux Kernel Layoff Plans

System Call Delegation open(“/hr/LayoffPlans”, O_RDONLY); Web App Web App Flume Reference Monitor Flume Libc Linux Kernel Layoff Plans

Three Classes of Processes Flume-Oblivious Unconfined/ Mediators Confined Flume Reference Monitor Flume Reference Monitor Flume Reference Monitor Process p Process p Process p Linux Kernel Linux Kernel Linux Kernel

Information Flow Control (IFC) • Goal: track which secrets a process has seen • Mechanism: each process gets a secrecylabel • Label summarizes which categories of data a process is assumed to have seen. • Examples: • { “Financial Reports” } • { “HR Documents” } • { “Financial Reports” and “HR Documents” } “tag” “label”

Tags + Labels change_label({Finance}); Process p tag_t HR = create_tag(); change_label({}); Any process can add any tag to its label. change_label({Finance,HR}); Sp = { Finance, HR } Sp = { Finance } Sp = {} DIFC Rule: A process can create a new tag; gets ability to declassify it. change_label({Finance}); Dp = {} Dp = { HR } Same as Step 1. DIFC: Declassification in action. Finance HR Legal Universe of Tags: SecretProjects

Communication Rule P Process p Process q Sp = {HR} Sq = {HR, Finance} p can send to qiffSpÍ Sq

Recall: Communication Problem Process p Process q stdout stdin Sp = {} Dp = { HR } Sq = {HR} P “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” ? “SLOW DOWN!!” “I crashed”

New Abstraction: Endpoints Process p Process q e f Se = { HR } Sf = { HR } Sp = {} Dp = { HR } Sq = {HR} P • If SeÍ Sf, then allow e to send to f • If SfÍ Se, then allow f to send to e • If Sf = Se , then allow bidirectional flow “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” P “SLOW DOWN!!” “I crashed”

Endpoints Declassify Data Data enters process p with secrecy { HR } But p keeps its label Sp = {} Process p e Se = { HR } Sp = {} Dp = { HR } Thus p needs HRÎDp

Endpoint Invariant Writing • For any tag tÎSp and tÏ Se • Or any tag tÎSe and t Ï Sp • It must be that tÎDp Reading Process p e Se = { HR } Sp = { Finance } Dp = { Finance, HR}

Endpoints Labels Are Independent g Sg = {} Process p Process q e f Se = { HR } Sf = { HR } Sp = {} Dp = { HR } Sq = {HR}

Recall: Mysterious Failures File Process q Process p

Endpoints Reveal Errors Eagerly Process p /tmp/public.dat Dp = {} e Se = {} Sp = {} Spublic.dat = {} ? Sp = { HR } Process q Violates endpoint invariant! Sp – Se = { HR} Í Dp Sq = { HR } • open(“/tmp/public.dat”, O_WRONLY); • change_label({HR})

Endpoints Reveal Errors Eagerly Process p /tmp/public.dat Dp = {} e Se = {} Sp = {} Spublic.dat = {} Sp = { HR } Process q Sq = { HR } • fd = open(“/tmp/public.dat”, O_WRONLY); • close(fd); • change_label({HR})

Outline • Flume: Solves DIFC Problems • Application + Evaluation

Questions for Evaluation • Does Flume allow adoption of Unix software? • Does Flume solve security vulnerabilities? • Does Flume perform reasonably?

Example App: MoinMoin Wiki

How Problems Arise… if not self.request.user.may.read(pagename): return self.notAllowedFault() x43 LayoffPlans MoinMoin Wiki (100 kLOC) FreeTShirts

MoinMoin + DIFC LayoffPlans Apache Web Server MoinMoin Wiki (100 kLOC) Declassifier 1 kLOC FreeTShirts Trusted Untrusted

FlumeWiki Flume-Oblivious unconfined confined reliable IPC Web Client GET /LayoffPlans?user=Intern&PW=abcd LayoffPlans S={ HR } Apache Declassifier 1 kLOC MoinMoin (100 kLOC) FreeTShirts S={} file I/O

Future Work Web Client GET /LayoffPlans?user=Intern&PW=abcd LayoffPlans Totally Suspect Software S={ HR } Apache Declassifier 1 kLOC FreeTShirts S={}

Results • Does Flume allow adoption of Unix software? • 1,000 LOC launcher/declassifier • 1,000 out of 100,000 LOC in MoinMoin changed • Python interpreter, Apache, unchanged • Does Flume solve security vulnerabilities? • Without our knowing, we inherited two ACL bypass bugs from MoinMoin • Both are not exploitable in Flume’s MoinMoin • Does Flume perform reasonably? • Performs within a factor of 2 of the original on read and write benchmarks

Most Related Work • Asbestos, HiStar: New DIFC OSes • Jif: DIFC at the language level • Ostia, Plash: Implementation techniques • Classical MAC literature (Bell-LaPadula, Biba, Orange Book MAC, Lattice Model, etc.)

Limitations • Bigger TCB than HiStar / Asbestos • Linux stack (Kernel + glibc + linker) • Reference monitor (~22 kLOC) • Covert channels via disk quotas • Confined processes like MoinMoin don’t get full POSIX API. • spawn() instead of fork()&exec() • flume_pipe() instead of pipe()

Summary • DIFC is a challenge to Programmers • Flume: DIFC in User-Level • Preserves legacy software • Complements today’s programming techniques • MoinMoin Wiki: Flume works as promised • Invite you to play around: http://flume.csail.mit.edu

Thanks! To: ITRI, Nokia, NSF and You

Reasons to Read the Paper • Generalized security properties • Including: Novel integrity policies • Support for very large labels • Support for clusters of Flume Machines

Flume’s Rule is Fast • Recall: p can send to qiff: Sp – DpÍ SqÈDq • To Compute: • for each tag tÎSp: • IftÏSqandt Ï Dpandt Ï Dq: • output “NO” • output “OK” • Runs in time proportional to size of Sp. • No need to enumerate Dp or Dq !!!

Flume Communication Rule P ? ? Database (q) • q changes to Sq = { Alice } • p sends to q • q changes back to Sq= {} MoinMoin (p) MoinMoin (r) Sr = { Bob } Sp = { Alice } Sq = {} Dq = { Alice, Bob } Sq = { Alice } Dq = { Alice, Bob } SpÍ Sq

Flume Communication Rule P P Database (q) • p can send to q iff: • In IFC: SpÍ Sq • In Flume: Sp – DpÍ SqÈ Dq MoinMoin (p) MoinMoin (r) Sr = { Bob } Sp = { Alice } Sq = {} Dq= { Alice, Bob } Senders get extra latitude Receivers get extra latitude

Flume Kernel Module open(“/alice/inbox.dat”, O_RDONLY); Web App Flume Reference Monitor mov $0x5, %eax int $0x80 open(…) P Flume Libc Flume Kernel Module Linux Kernel Alice’s Data

Reference Monitor Proxies Pipes write(0, “some data”, 10); Flume Reference Monitor Web App Helper Process Linux Kernel

Unconfined Processes “Unconfined processes get e ^endpoint.” stderr e ^ getpwent TCP Socket Se^ = {} /tmp/public.dat sendmail DIFC kill P mmap’ed memory P Spublic.dat = {} ioctl fork’ed child sigcatch • change_label({HR}) Process q Dp = { HR } Dp = {} Sp = {} Sp = { HR } Sq = { HR }

Endpoints Reveal Errors Eagerly Process p /tmp/public.dat Dp = {HR} e Se = {} P Sp = {} Spublic.dat = {} Sp = { HR } Process q Sq = { HR } P • open(“/tmp/public.dat”, O_WRONLY); • change_label({HR})

Why Do We Need Sp? Process p e Se = { Finance, HR } Sp = { Finance } Dp = { HR}

Information Flow Control For Standard OS Abstractions

Information Flow Control For Standard OS Abstractions

Presentation Transcript

Flow Control

Flow Control

Flow Control

Language-based Security: Information Flow Control

Information-Flow Control for Location-based Services

Flow Control

Standard OS maps

Information Flow Control

Information Flow Control

Flow Control

Standard Setting Process – Information Flow

Control flow

Flow Control

Adaptive Control for TCP Flow Control

Control Flow III: Control Flow Optimizations

OS abstractions

Control Flow

Flow Control

Control Flow

Flow control

Access Control Information-Flow Security

OS abstractions