310 likes | 472 Views
Noninterference for a Practical DIFC-Based OS. Maxwell Krohn (CMU) & Eran Tromer (MIT). DIFC: A TCB-Minimization Technique. Alice’s Data. Bob’s Data. P. DB. Gateway. Alice’s Data. Alice’s Data. 1. Data tracking. 2. Isolated declassification . Language vs. OS.
E N D
Noninterference for a Practical DIFC-Based OS Maxwell Krohn (CMU) & EranTromer (MIT)
DIFC: A TCB-Minimization Technique Alice’s Data Bob’s Data P DB Gateway Alice’s Data Alice’s Data 1. Data tracking 2. Isolated declassification
Language vs. OS • Language-based DIFC (JIF & others) • Compile-time tracking for Java, Haskell • Provable security • OS-based DIFC (Asbestos, HiStar, Flume) • Run-time tracking enforced by a trusted kernel • Works with any language, compiled or scripting, closed or open • “Just trust us”
Contribution • Proof of security for a DIFC-based OS.
What is a DIFC OS? Alice’s Data Alice’s Data p q d Sp = {a} Sd = {} Sq = {} Sq = {a} KERNEL
Our Question: • What interface should the kernel expose to applications? • Easier question than “is my OS implementation secure” • More general: applies to traditional OSes as well as “cloud” platforms. • Easy to get it wrong! (i.e., you shouldn’t have been trusting us)
Approach 1: “Floating Labels” [IX,Asbestos] p q Sq = {} Sq = {a} Sp = {a} KERNEL
Floaters Leaks Data b0 attacker Leak file Alice’s Data S = {} b1 S = {} S = {a} S = {} S = {a} S = {} S = {a} b2 1001 0000 1001 S = {} S = {a} b3 S = {}
Approach 2: “Set Your Own” [HiStar/Flume] Sp = {a} Op = {a-,a+} Sq = {} Oq = {a+} Sq = {a} Oq = {a+} p q KERNEL Rule: SpÍ Sq necessary precondition for send
Review • Two OS interface ideas: “floating” and “set-your-own” • The latter feels more secure • Is it secure in general? • How to prove it?
How To Prove • Property: Noninterference • Process Algebra model for a DIFC OS • Communicating Sequential Processes (CSP) • Proof that the model fits the definition
Noninterference[Goguen & Meseguer ’82] Experiment #1: p q Sq = {} Sp = {a} = “HIGH” “LOW” Experiment #2: q p’ Sq = {} Sp’ = {a}
CSP Model Uq Up System call interface Userland Kernel IPC Channel p:K q:K Label Manager Process ID Manager
System Calls • IPC: read, write, select • Process management: fork, exit, getpid • DIFC: create tag, change label, fetch label, send capabilities, receive capabilities
Example: read/write Uq Up Sp = {a} Op={a+} Sq = {} Oq= {} (read,q,“hello”) (write,p,“hello”) (“hello”) p:K{a},{a+} q:K{},{}
Example: create/grant/change Uq Up Sp = {} Op={} Sp = {} Op={t-,t+} Sq = {} Oq= {t+} Sq = {t} Oq= {t+} Sq = {} Oq= {} (grant,q,t+) (create) (create,t) (change,{t}) (grant,t+) p:K{},{t-,t+} p:K{},{} q:K{t},{t+} q:K{},{t+} q:K{},{}
How The Proof Works • Consider any possible system (with arbitrary user applications) • Induction over all possible sequences of moves a system can make (i.e., traces) • At each step, case-by-case analysis of all system calls in the interface. • Prove no “interference”
What Interference Looks Like CALL: getlabel CALL: getlabel branch CALL: float_write NOOP RET: {a} RET: {} LOW HIGH LOW HIGH Timeline 2 Timeline 1
A Example Complication Uq Up Solution: modify tag allocation scheme to partition candidate tags. (create,t) (create,t) Retire t LOW HIGH Label Manager
Many Details Elided • Why tag sequence cannot be predictable • How to indentify messages as “hi” or “low” • Tweaks to accepted definitions of noninterference • How to deal with input and output to declassifiers • Process forking / exit • System startup
Open Questions • SMP, multicoreand parallelism • Machine checkable proof (in FDR, etc) • Modelling hardware and hardware covert channels
Related Work • Hoare (CSP), Roscoe (CCS) • Goguen and Meseguer (noninterference) • Ryan and Schneider (CSP + noninterference + process equivalence) • Zheng and Myers (JIF + noninterference) • Bossi, Piazza, Rossi (noninterference + downgrading)
Conclusions • DIFC OS Interface Design: can get it wrong • Floaters vs. “set-your own” • Provably secure model for DIFC OS is possible • model kernel state machine, not user processes
(Sidebar: Declassification) p q Sq = {a} Oq = {a+} Sp = {a} Op = {a-,a+} Sp = {} Op = {a-,a+} KERNEL
Complication 1: Is this Interference? Uq Up Sp = {a} Op={a-} Sq = {} Oq= {} Answer: NO! ({a},{a-},write,p,“hello”) ({},{},read,q,“hello”) ({},{},p,“hello”) p:K{a},{a-} q:K{},{}
Complication 2: Is this Interference? Uq Up Sp = {a} Op={} Sq = {} Oq= {a-} Answer: NO! ({a},{},write,p,“hello”) ({},{a-},read,q,“hello”) ({},{},p,“hello”) p:K{a},{} q:K{},{a-}
Modified Definition of Interference ({a},{},syscall) ({},{},syscall) MID LOW HI ({},{a-},syscall)
Interesting Case (2) Uq Up Solution: make tag allocations unpredictable! P (create,t) (change,{t}) Globals={t+} p:K{a},{t-} p:K{a},{} q:K{},{} Label Manager
DIFC Labels Alice’s Data p q Sq = {} Sq = {a} Sp = {a} KERNEL We want: Globally: If p knows Alice’s secret, then a in Sp Stepwise: No later than p q completing, SpÍ Sq