Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enforcing Security Policies using Transactional Memory Introspection Vinod Ganapathy Rutgers University Arnar BirgissonMohan Dhawan Ulfar ErlingssonLiviu.

Similar presentations


Presentation on theme: "Enforcing Security Policies using Transactional Memory Introspection Vinod Ganapathy Rutgers University Arnar BirgissonMohan Dhawan Ulfar ErlingssonLiviu."— Presentation transcript:

1 Enforcing Security Policies using Transactional Memory Introspection Vinod Ganapathy Rutgers University Arnar BirgissonMohan Dhawan Ulfar ErlingssonLiviu Iftode

2 Take-home slide Vinod Ganapathy Transactional Memory Introspection We can utilize the mechanisms of Software Transactional Memory to greatly improve security policy enforcement

3 Vinod Ganapathy X server with multiple X clients REMOTE LOCAL Transactional Memory Introspection

4 Vinod Ganapathy REMOTE Malicious remote X client LOCAL Transactional Memory Introspection

5 Vinod Ganapathy REMOTE Undesirable information flow LOCAL Transactional Memory Introspection

6 Vinod Ganapathy Desirable information flow LOCAL REMOTE Transactional Memory Introspection

7 Vinod Ganapathy X server X server with authorization X client Operation requestResponse Authorization policy Reference monitor Allowed? YES/NO Transactional Memory Introspection Security enforcement crosscuts application functionality

8 Vinod Ganapathy Outline Enforcing authorization policies Problems with existing techniques Transactional Memory Introspection Implementation and experiments Transactional Memory Introspection

9 Vinod Ganapathy Existing enforcement interface dispatch_request ( ) {... perform_request ( ); } perform_request ( ) {... perform_access (resource);... perform_access’(resource’); } Transactional Memory Introspection

10 Vinod Ganapathy Existing enforcement interface dispatch_request ( ) {... perform_request ( ); } perform_request ( ) {... if (allowed(principal,resource,access)){ perform_access (resource); } else { handle_auth_failure1(); };... if (allowed(principal,resource’,access’)){ perform_access’(resource’); } else { handle_auth_failure2(); }; } Transactional Memory Introspection

11 Vinod Ganapathy Three problems Violation of complete mediation Time-of-check to Time-of-use bugs Handing authorization failures Transactional Memory Introspection

12 Vinod Ganapathy I. Incomplete mediation dispatch_request ( ) { … perform_request ( ); } perform_request ( ) {... if (allowed(principal,resource,access)){ perform_access (resource); } else { handle_auth_failure1(); };... if (allowed(principal,resource’,access’)){ perform_access’(resource’); } else { handle_auth_failure2(); }; } Must guard each resource access to ensure complete mediation Transactional Memory Introspection

13 Vinod Ganapathy I. Incomplete mediation ssize_t vfs_read (struct file *file,...) {... if (check_permission(file, MAY_READ)) { file->f_op->read(file,...); }... } int page_cache_read (struct file *file,...) { struct address_space *mapping = file->f_dentry->d_inode->i_mapping;... mapping->a_ops->readpage(file,...); } [Zhang et al., USENIX Security ‘02] Transactional Memory Introspection

14 Vinod Ganapathy perform_request ( ) {... if (allowed(principal,resource,access)){ perform_access (resource); } else { handle_auth_failure1() };... if (allowed(principal,resource’,access’)){ perform_access’(resource’); } else { handle_auth_failure2() }; } II. TOCTTOU bugs Transactional Memory Introspection

15 Vinod Ganapathy perform_request ( ) {... if (allowed(principal,resource,access)){ perform_access (resource); } else { handle_auth_failure1() };... if (allowed(principal,resource’,access’)){ perform_access’(resource’); } else { handle_auth_failure2() }; } II. TOCTTOU bugs Similar race condition found in the Linux Security Modules framework [Zhang et al. USENIX Security ’02] Several similar bugs recently found in popular enforcement tools: [Watson, WOOT ’07] GSWTK Systrace [Provos, USENIX Security ’03] OpenBSD Sysjail [Johnson and Deksters ’07] Transactional Memory Introspection

16 Vinod Ganapathy II. TOCTTOU bugs perform_request ( ) {... if (allowed(principal,resource,access)){ perform_access (resource); } else { handle_auth_failure1() };... if (allowed(principal,resource’,access’)){ perform_access’(resource’); } else { handle_auth_failure2() }; } Authorization check and resource access must be atomic Transactional Memory Introspection

17 Vinod Ganapathy III. Failure handling perform_request ( ) {... if (allowed(principal,resource,access)){ perform_access (resource); } else { handle_auth_failure1() };... if (allowed(principal,resource’,access’)){ perform_access’(resource’); } else { handle_auth_failure2() }; } Handling authorization failures is ad hoc and error prone Transactional Memory Introspection

18 Vinod Ganapathy III. Failure handling Exception-handling code accounts for a large fraction of server software –Over two-thirds of server software [IBM ’87] –Nearly 46% on several Java benchmarks [Weimer & Necula OOPSLA’04] Exception-handling code itself is error-prone [Fetzer and Felber ’04] SecurityException most often handled erroneously [Weimer & Necula OOPSLA’04] Transactional Memory Introspection

19 Vinod Ganapathy Summary of problems Violation of complete mediation –Need to identify all the resources accessed –Example: Bug in Linux Security Modules [Zhang et al., USENIX Security ‘02] Time-of-check to Time-of-use bugs –Examples: [Zhang et al., USENIX Security ‘02] [Watson, WOOT ‘07] Handing authorization failures – Large fraction of server code relates to error handling [IBM survey, ’87, Weimer and Necula, ‘04 ] –Error-handling code is error-prone! [Fetzer & Felber ’04] Security enforcement crosscuts application functionality Our solution: TMI Decouples security enforcement from application functionality Transactional Memory Introspection

20 Vinod Ganapathy Outline Enforcing authorization policies Problems with existing techniques Transactional Memory Introspection (TMI) –Programmer’s interface –Mechanics of TMI Implementation and experiments Transactional Memory Introspection

21 Vinod Ganapathy Transactional memory primer Alternative to lock-based programming Reason about atomic sections, not locks TM provides atomicity and isolation acquire(S1.lock) acquire(S2.lock) value = S1.pop() S2.push(value) Release(S2.lock) Release(S1.lock) transaction { value = S1.pop() S2.push(value) } Transactional Memory Introspection

22 Vinod Ganapathy Programmer’s interface to TMI dispatch_request ( ) { transaction [ principal ] {... perform_request ( ); } perform_request ( ) {... perform_access (resource);... perform_access’(resource’); } Transactional Memory Introspection

23 Vinod Ganapathy Programmer’s interface to TMI dispatch_request ( ) { transaction [ principal ] {... perform_request ( ); } perform_request ( ) {... perform_access (resource);... perform_access’(resource’); } Authorization manager: case (resource=R, access_type=A)  if (!allowed(principal, R, A)) then abort_tx allowed(principal, resource, access)? allowed(principal, resource’, access’)? Transactional Memory Introspection

24 Vinod Ganapathy I. Complete mediation for free dispatch_request ( ) { transaction [ principal ] {... perform_request ( ); } perform_request ( ) {... perform_access (resource);... perform_access’(resource’); } TMI automatically invokes authorization checks Transactional Memory Introspection

25 Vinod Ganapathy II. TOCTTOU-freedom for free dispatch_request ( ) { transaction [ principal ] {... perform_request ( ); } perform_request ( ) {... perform_access (resource);... perform_access’(resource’); } Conflicting resource accesses automatically abort transaction Transactional Memory Introspection

26 Vinod Ganapathy III. Error-handling for free dispatch_request ( ) { transaction [ principal ] {... perform_request ( ); } perform_request ( ) {... perform_access (resource);... perform_access’(resource’); } Unauthorized resource accesses automatically abort transaction Transactional Memory Introspection

27 Vinod Ganapathy Decouples functionality and security dispatch_request ( ) { transaction [ principal ] {... perform_request ( ); } perform_request ( ) {... perform_access (resource);... perform_access’(resource’); } Authorization manager Transactional Memory Introspection

28 Vinod Ganapathy Outline Enforcing authorization policies Problems with existing techniques Transactional Memory Introspection (TMI) –Programmer’s interface –Mechanics of TMI Implementation and experiments Transactional Memory Introspection

29 Vinod Ganapathy TM runtime system The TM runtime maintains per-transaction read/write sets and detects conflicts transaction { value = S1.pop() S2.push(value) } val1 = S1.pop() val2 = S1.pop() S2.push(val2) S2.push(val1) TransactionRead setWrite set Green S1.stkptr Red S1.stkptr, S2.stkptr Transactional Memory Introspection

30 Vinod Ganapathy TM runtime system Transaction body Execution Read and Write Sets Validation Contention manager Retry Commit logic Commit Transactional Memory Introspection

31 Vinod Ganapathy Transactional Memory Introspection Transaction body Execution Read and Write Sets Validation Contention manager Retry Commit logic CommitAuthorization Auth. checks Auth. Manager Success Failure Abort Transactional Memory Introspection

32 Vinod Ganapathy perform_request ( ) {... perform_access (resource);... perform_access’(resource’); } Transactional Memory Introspection dispatch_request ( ) { transaction [ principal ] {... perform_request ( ); } Present in read/write set Accesses checked before tx commits Transactional Memory Introspection

33 Vinod Ganapathy Outline Enforcing authorization policies Problems with existing techniques Transactional Memory Introspection Implementation and experiments Transactional Memory Introspection

34 Vinod Ganapathy TMI Implementation: TMI/DSTM2 Implemented using Sun’s DSTM2 Object-based software TM system TM system modified to –Trigger authorization checks on additions to read/write set and upon transaction validation –Raise AccessDeniedException upon abort –Integrate transactional I/O libraries Fewer than 500 lines changed in DSTM2 Transactional Memory Introspection

35 Vinod Ganapathy Porting software to TMI/DSTM2 1.Mark transactional objects –Also wrappers for libraries: java.util.HashMap, java.util.Vector 2.Reads and writes to fields objects replaced with DSTM2 accessors 3.Place transaction{…} blocks around client requests 4.Write an authorization manager Transactional Memory Introspection

36 Vinod Ganapathy GradeSheet in TMI/DSTM2 Transactional Memory Introspection

37 Vinod Ganapathy Evaluation Ported four Java-based servers GradeSheet: A grade-management server FreeCS: A chat server WeirdX: An X window management server –Enforced a simple XACML based policy Tar: A tar archive service –Enforced Java stack inspection policy Transactional Memory Introspection

38 Vinod Ganapathy Modifications needed ServerLOCLines modifiedTransactions GradeSheet Tar service5,000< 501 FreeCS22, WeirdX27,0004, Authorization managers were approximately 200 lines of code in each case Transactional Memory Introspection

39 Vinod Ganapathy perform_request ( ) {... perform_access (resource);... perform_access’(resource’); } When to enforce policy? dispatch_request ( ) { transaction [ principal ] {... perform_request ( ); } allowed(principal, resource, access)? allowed(principal, resource’, access’)? Eager Transactional Memory Introspection

40 Vinod Ganapathy perform_request ( ) {... perform_access (resource);... perform_access’(resource’); } When to enforce policy? dispatch_request ( ) { transaction [ principal ] {... perform_request ( ); } allowed(principal, resource, access)? allowed(principal, resource’, access’)? Lazy Transactional Memory Introspection

41 Vinod Ganapathy perform_request ( ) {... perform_access (resource);... perform_access’(resource’); } When to enforce policy? dispatch_request ( ) { transaction [ principal ] {... perform_request ( ); } allowed(principal, resource, access)? allowed(principal, resource’, access’)? Parallel Transactional Memory Introspection

42 Vinod Ganapathy Performance overheads of TMI 10x -15.8% Transactional Memory Introspection

43 Vinod Ganapathy Performance overheads of STM Software transactional memory imposes a significant overhead ServerNativeTMI-portedOverhead GradeSheet395μs451μs14.7% Tar service4.96s15.40s2.1x FreeCS321μs3907μs11.2x WeirdX0.23ms6.40ms26.8x Hardware TMs reduce runtime overheads of TM runtime systems Transactional Memory Introspection

44 Take-home message Vinod Ganapathy Transactional Memory Introspection We can utilize the mechanisms of Software Transactional Memory to greatly improve security policy enforcement

45 Vinod Ganapathy Rutgers University Thank you! Reference: Enforcing Authorization Policies using Transactional Memory Introspection Proc. ACM CCS, October 2008


Download ppt "Enforcing Security Policies using Transactional Memory Introspection Vinod Ganapathy Rutgers University Arnar BirgissonMohan Dhawan Ulfar ErlingssonLiviu."

Similar presentations


Ads by Google