A NOTE ON THE CONFINEMENT PROBLEM Butler Lampson Xerox PARC
IN BRIEF
• The paper discusses
  • How a server program (service) can leak information about its clients to other programs
  • How we can prevent these leaks
• Its main contribution is to make us realize the number of potential covert channels
THE MODEL
[Diagram: Customer and Service]
• A customer
  • has confidential data
  • does not trust the service processing its data
  • wants to prevent leaks
SEVEN POSSIBLE LEAKS (I)
• If the service has memory, it can collect data and keep them until its owner calls the service
• The service can write data into a permanent file that can be read by its owner
• The service can create a temporary file that can be read by its owner
• The service can send a message to a process controlled by its owner
SEVEN POSSIBLE LEAKS (II)
• The service can encode some data in the bill it sends to the customer
  • its owner must have a copy of that bill
• The service can play with locks controlling access to shared files
• The service can modulate its demands on the system’s resources
COUNTERMEASURES (I)
• Process must be stateless from one invocation to the next
  • No static variables and no globals
• Process must be confined
• First sufficient rule: A confined program shall make no calls on any other program
COUNTERMEASURES (II)
• First rule is very restrictive
• Transitivity rule: If a confined program calls on another program that is not trusted, the called program must also be confined
COUNTERMEASURES (III)
• We will assume that the untrustworthy service runs on top of a trustworthy supervisor
• Trustworthy supervisor will block all possible channels that can be used to leak information
• These channels include
  • storage
  • legitimate channels
  • covert channels
COUNTERMEASURES (IV)
• Leaks through storage are not hard to prevent
  • If another process wants to write into a file that is being read by the service, the supervisor will create a new copy of the file and let the service access that copy
• The problem is how to identify all the kinds of storage accessed by the service
COUNTERMEASURES (V)
• Masking Principle: A program to be confined must allow its caller to determine all its inputs into legitimate and covert channels. The channels are said to be masked by the caller
• Requires the bill to be computed by the customer, not by the service
COUNTERMEASURES (VI)
• Enforcement: The supervisor must ensure that a confined program’s input to a covert channel satisfies the specifications of the customer
  • May require slowing the program down and adding spurious requests
• Much less costly to limit the bandwidth of the covert channels
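As an added illustration (not from Lampson's paper or these slides), a small Python simulation of the masking principle and its enforcement, applied to the "modulate its demands on the system's resources" channel listed earlier; the leaky service, the observing process, the unit values and the customer's specification are all constructed for this example:

```python
# Added simulation of the masking principle for the resource-demand covert
# channel. The service, observer, unit values and the customer's specification
# are constructed for this example (not from the paper).
from typing import List, Tuple

SECRET_BITS = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed: the customer's confidential data


def leaky_service(secret_bits: List[int]) -> List[int]:
    """Untrusted service: its resource demand per step encodes one bit of the
    customer's data (2 units for a 1, 1 unit for a 0)."""
    return [2 if b else 1 for b in secret_bits]


def owner_decode(observed_load: List[int]) -> List[int]:
    """Process controlled by the service's owner: watches the system load and
    reads a step as a 1 whenever 2 or more units were consumed."""
    return [1 if load >= 2 else 0 for load in observed_load]


def masked_run(demands: List[int], units_per_step: int,
               steps: int) -> Tuple[List[int], int]:
    """Trusted supervisor enforcing the customer's specification: exactly
    `units_per_step` units are consumed on every one of `steps` steps, whatever
    the service asks for. Requests beyond the budget are deferred (the program
    is slowed down); any shortfall is filled with spurious requests.
    Returns (load the owner observes, units of real work left unserved)."""
    observed: List[int] = []
    pending = list(demands)   # requests the service has not yet submitted
    backlog = 0               # submitted units not yet granted
    for _ in range(steps):
        if pending:                          # service submits its next request
            backlog += pending.pop(0)
        served = min(backlog, units_per_step)
        backlog -= served
        spurious = units_per_step - served   # padding keeps the load constant
        observed.append(served + spurious)
    return observed, backlog + sum(pending)


if __name__ == "__main__":
    demands = leaky_service(SECRET_BITS)
    # Unconfined: the owner sees the raw demand profile and recovers the secret.
    print("unconfined:", owner_decode(demands))
    # Confined: the customer specified 2 units per step for 8 steps; the
    # observed load is constant and the decoder learns nothing.
    load, left = masked_run(demands, units_per_step=2, steps=len(SECRET_BITS))
    print("masked:    ", owner_decode(load), "unserved units:", left)
```

Setting `units_per_step=1` shows the cost of enforcement: the load stays constant, but part of the service's real work is still unserved after the customer's 8 steps, which is the slowdown the slide refers to.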
CONCLUSIONS
• The confinement problem can be solved as long as we can trust the supervisor of the system
• Total confinement can be costly
• Much cheaper to limit the bandwidth of possible leaks