Presentation is loading. Please wait.

Presentation is loading. Please wait.

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Information Flow Control for Standard OS Abstractions Dresden,

Published byEllen Strickland Modified over 7 years ago

Similar presentations

Presentation on theme: "Faculty of Computer Science Institute for System Architecture, Operating Systems Group Information Flow Control for Standard OS Abstractions Dresden,"— Presentation transcript:

1 Faculty of Computer Science Institute for System Architecture, Operating Systems Group Information Flow Control for Standard OS Abstractions Dresden, 2007-08-29 Maxwell Krohn, M. Frans Kaashoek et. al. (presented by Stefan Kalkowski)

2 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 2 von 34 What is it about? Decentralized Information Flow –A. Myers and B. Liskov (MIT) '00 –related to Originator Controlled Access Control Graubart '89

3 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 3 von 34 What is it about? Decentralized Information Flow –A. Myers and B. Liskov (MIT) '00 –related to Originator Controlled Access Control Graubart '89 Solution to Declassification Problem –centralized trusted subjects –in mutual distrust environment they are useless –decentralize authority for declassifying

4 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 4 von 34 Declassification Problem Secrecy rule

5 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 5 von 34 Declassification Problem Integrity rule

6 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 6 von 34 Idea behind DIFC Object creator organizes policy Alic e

7 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 7 von 34 Idea behind DIFC Object creator organizes policy creates Alic e curious object

8 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 8 von 34 Idea behind DIFC spread upgrading and downgrading capabilities while object creation creates Alicecurious object Activitie s

9 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 9 von 34 DIFC – basic approaches Language based: Myer, Liskov developed Java extension called JIF

10 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 10 von 34 DIFC – basic approaches Language based: Myer, Liskov developed Java extension called JIF OS based: –AsbestOS (MIT) – experiment from the scratch –HiStar (Stanford) – IFC-kernel with UNIX layer –Flume (MIT) – do it in UNIX like systems

11 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 11 von 34 Flume Abstractions Tags and Labels for integrity and secrecy Process Integrity Secrecy Labe l Tag s

12 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 12 von 34 Flume Secrecy Rules Example: process p with I p and S p and some object o with tag t (I p, S p є Label)

13 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 13 von 34 Flume Secrecy Rules Example: process p with I p and S p and some object o with tag t (I p, S p є Label) The following rules apply: I.if p reads o, then t є S p

14 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 14 von 34 Flume Secrecy Rules Example: process p with I p and S p and some object o with tag t (I p, S p є Label) The following rules apply: I.if p reads o, then t є S p II.if p writes to q and t є S p, then t є S q

15 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 15 von 34 Flume Secrecy Rules Example: process p with I p and S p and some object o with tag t (I p, S p є Label) The following rules apply: I.if p reads o, then t є S p II.if p writes to q and t є S p, then t є S q III.p cannot remove t from S p

16 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 16 von 34 Flume Secrecy Rules Example: process p with I p and S p and some object o with tag t (I p, S p є Label) The following rules apply: I.if p reads o, then t є S p II.if p writes to q and t є S p, then t є S q III.p cannot remove t from S p IV.if S p ≠{}, then p cannot transmit information over uncontrolled channels

17 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 17 von 34 Flume Integrity Rules I.if p modifies o, then t є I p

18 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 18 von 34 Flume Integrity Rules I.if p modifies o, then t є I p II.if t є I p, then p can only read from files and processes with t integrity

19 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 19 von 34 Flume Integrity Rules I.if p modifies o, then t є I p II.if t є I p, then p can only read from objects and processes with t integrity III.p cannot add t to I p

20 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 20 von 34 Flume Integrity Rules I.if p modifies o, then t є I p II.if t є I p, then p can only read from objects and processes with t integrity III.p cannot add t to I p IV.if I p ≠{}, then p cannot accept input from uncontrolled channels

21 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 21 von 34 Capabilities for label changes Allocation of tags determines the distribution of add and remove capabilities in the system Beside the local capability set of a process, there is one global for all Tag capabilities can be spread between processes

22 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 22 von 34 Flume's safety model Label changes have to be done explicitly by the process itself and only if it has proper capabilities

23 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 23 von 34 Flume's safety model Label changes have to be done explicitly by the process itself and only if it has proper capabilities p can send a message to q only if S p is in S q and I q is in I p

24 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 24 von 34 Flume's safety model Label changes have to be done explicitly by the process itself and only if it has proper capabilities p can send a message to q only if S p is in S q and I q is in I p any data sink or source outside of Flume's model is represented as a process r with S r = I r = {}

25 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 25 von 34 Flume's safety model Label changes have to be done explicitly by the process itself and only if it has proper capabilities p can send a message to q only if S p is in S q and I q is in I p any data sink or source outside of Flume's model is represented as a process r with S r = I r = {} files are processes with immutable secrecy and integrity labels

26 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 26 von 34 Flume in practice: Endpoints Endpoints are assigned to file-descriptors and inherit the labels of the process Processes can configure their endpoints labels accordingly to the communication that has to be done pipe endpoints are mutable, file endpoints are immutable label changes that break safety of an immutable endpoint are forbidden

27 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 27 von 34 Linux implementation

28 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 28 von 34 Confined Processes using LSM hooks for intercepting syscalls mediated to user-level reference monitor adapted C-library calls RM directly (dependent on syscall) some calls are simply forbidden (like fork) spawn creates a new confined process with the labels of the “parent” spawner process prepares the new process, forks it, enables LSM, closes file-descriptors...

29 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 29 von 34 IPC Reference monitor proxies all traffic of a pipe RM buffers messages and evaluates the whole processes label state (including endpoints) If communication is only allowed one way, RM silently drops messages from diligent producer, which floods the buffer using Unix domain sockets is analogous to using files

30 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 30 von 34 Files and persistence Restrictions: –writable file-descriptors are implicitly readable –files have an additional write-protect set containing tags Processes cannot create files within directories, that are less secret than themselves Tag registry maintains login tokens, capability groups and extended file attributes

31 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 31 von 34 Evaluation Detected two known and one unknown vulnerabilities within Wiki example application

32 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 32 von 34 Evaluation Detected two known and one unknown vulnerabilities within Wiki example application Additional complexity: –Flume's TCB: +21.500 LOC (mostly user-level) –Wiki-App: +1.000 LOC and 1.000 LOC changed

33 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 33 von 34 Evaluation Detected two known and one unknown vulnerabilities within Wiki example application Additional complexity: –Flume's TCB: +21.500 LOC (mostly user-level) –Wiki-App: +1.000 LOC and 1.000 LOC changed Overall performance overhead:

34 TU Dresden, 2007-08-29Information Flow Control for Standard OS Abstractions Slide 34 von 34 Questions Do we need DIFC within legacy operating systems, or are there more urgent security defects? Is the effort to make Unix Apps DIFC compliant really lesser than porting them to new OSes? Is it easy to apply that label model to L4env or Bastei?

Download ppt "Faculty of Computer Science Institute for System Architecture, Operating Systems Group Information Flow Control for Standard OS Abstractions Dresden,"

Similar presentations

Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris.

Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris.
Applications of Feather-Weight Virtual Machines (FVMs) Hadi Salimi Distributed Systems Lab, School of Computer Engineering, Iran University of Science.

Applications of Feather-Weight Virtual Machines (FVMs) Hadi Salimi Distributed Systems Lab, School of Computer Engineering, Iran University of Science.
Operating System Security

Operating System Security
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 7: Information flow control Eran Tromer Slides credit: Max Krohn, MIT Ian.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 7: Information flow control Eran Tromer Slides credit: Max Krohn, MIT Ian.
Access Control Jeff Chase Duke University. The need for access control Processes run programs on behalf of users. (“subjects”) Processes create/read/write/delete.

Access Control Jeff Chase Duke University. The need for access control Processes run programs on behalf of users. (“subjects”) Processes create/read/write/delete.
Composable Metamodeling Environment Akos Ledeczi Institute for Software Integrated Systems Vanderbilt University

Composable Metamodeling Environment Akos Ledeczi Institute for Software Integrated Systems Vanderbilt University
SDN and Openflow.

SDN and Openflow.
Fundamentals of Computer Security Geetika Sharma Fall 2008.

Fundamentals of Computer Security Geetika Sharma Fall 2008.
By Ronny Bull, Chaitanya Pinnamaneni, Alex Stuart.

By Ronny Bull, Chaitanya Pinnamaneni, Alex Stuart.
ISBN 0-321-19362-8 Chapter 1 Preliminaries. Copyright © 2004 Pearson Addison-Wesley. All rights reserved.1-2 Chapter 1 Topics Motivation Programming Domains.

ISBN Chapter 1 Preliminaries. Copyright © 2004 Pearson Addison-Wesley. All rights reserved.1-2 Chapter 1 Topics Motivation Programming Domains.
Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.

Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.
Decentralized Robustness Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006.

Decentralized Robustness Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.

Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.
Type-Based Distributed Access Control Tom Chothia, Dominic Duggan, and Jan Vitek Presented by Morgan Kleene.

Type-Based Distributed Access Control Tom Chothia, Dominic Duggan, and Jan Vitek Presented by Morgan Kleene.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Paper by Engler, Kaashoek, O’Toole Presentation by Charles Haiber.

Paper by Engler, Kaashoek, O’Toole Presentation by Charles Haiber.

Similar presentations

Ads by Google