Presentation is loading. Please wait.

Presentation is loading. Please wait.

5/17/2015 9:36 AM Confinement James Hook CS 591: Introduction to Computer Security.

Published byArthur Patterson Modified over 9 years ago

Similar presentations

Presentation on theme: "5/17/2015 9:36 AM Confinement James Hook CS 591: Introduction to Computer Security."— Presentation transcript:

1 5/17/2015 9:36 AM Confinement James Hook CS 591: Introduction to Computer Security

2 5/17/2015 9:36 AM The Confinement Problem Lampson, “A Note on the Confinement Problem”, CACM, 1973. This note explores the problem of confining a program during its execution so that it canot transmit information to any other program except its caller. A set of examples attempts to stake out the boundaries of the problem. Necessary conditions for a solution are stated and informally justified.

3 5/17/2015 9:36 AM Possible Leaks 0. If a service has memory, it can collect data, wait for its owner to call it, then return the data 1.The service may write into a permanent file 2.The service may create a temporary file 3.The service may send a message to a process controlled by its owner [via ipc] 4.More subtly, the information may be encoded in the bill rendered for the service…

4 5/17/2015 9:36 AM Possible Leaks (cont) 5. If the system has interlocks which prevent files from being open for writing and reading at the same time, the service can leak data if it is merely allowed to read files which can be written by the owner.

5 5/17/2015 9:36 AM Leak 5 (cont) The interlocks allow a file to simulate a shared Boolean variable which one program can set and the other can’t Given a procedure open (file, error) which does goto error if the file is already open, the following procedures will perform this simulation: procedure settrue (file); begin loop1: open (file, loop1) end; procedure setfalse (file); begin close (file) end; Boolean procedure value (file); begin value : = true; open (file, loop2); value := false; close (file); loop2: end;

6 5/17/2015 9:36 AM Leak 5 (cont) Using these procedures and three files called data, sendclock, and receiveclock, a service can send a stream of bits to another concurrently running program. Referencing the files as though they were variables of this rather odd kind, then, we can describe the sequence of events for transmitting a single bit: sender: data : = bit being sent; sendclock : = true receiver:wait for sendclock = true; received bit : = data; receive clock : = true; sender:wait for receive clock = true; sendclock : = false; receiver:wait for sendclock = false; receiveclock : = false; sender:wait for receiveclock = false;

7 5/17/2015 9:36 AM Leak 6 6.By varying its ratio of computing to input/output or its paging rate, the service can transmit information which a concurrently running process can receive by observing the performance of the system. …

8 5/17/2015 9:36 AM One solution Just say no! Total isolation: A confined program shall make no calls on any other program Impractical

9 5/17/2015 9:36 AM Confinement rule Transitivity: If a confined program calls another program which is not trusted, the called program must also be confined.

10 5/17/2015 9:36 AM Classification of Channels: Storage Legitimate (such as the bill) Covert –I.e. those not intended for information transfer at all, such as the service program’s effect on the system load In which category does Lampson place 5?

11 5/17/2015 9:36 AM Root Problem: Resource sharing enables covert channels The more our operating systems and hardware enable efficient resource sharing the greater the risk of covert channels

12 5/17/2015 9:36 AM Resources Lampson, A note on the Confinement Problem, CACM Vol 16, no. 10, October 1973.Lampson, A note on the Confinement Problem, CACM Vol 16, no. 10, October 1973. –http://doi.acm.org/10.1145/362375.362389http://doi.acm.org/10.1145/362375.362389

13 5/17/2015 9:36 AM Discussion Bishop’s slides for Chapter 16 (with some minor modifications to one example)Chapter 16

14 5/17/2015 9:36 AM Virtualization Virtualization is returning to the mainstream with Intel’s Virtualization Technology (aka Vanderpool) Discussion following Bishop’s slides for Chapter 29 Chapter 29 –Secret decoder ring: PSL = Processor Status Longword (a vax status register)

15 5/17/2015 9:36 AM Applications of Virtualization Workload isolation Workload consolidation Workload migration (See Uhlig, et al, Fig 1)

16 5/17/2015 9:36 AM Virtualizing Intel architectures As is, Intel architectures do not meet the two requirements: –Nonfaulting access to privileged state IA-32 has registers that describe and manipulate the “global descriptor table” These registers can only be set in ring 0 They can be queried in any ring without generating a fault –This violates rule 2 (all references to sensitive data traps) Software products to virtualize Intel hardware had to get around this. –Vmware dynamically rewrote code!

17 5/17/2015 9:36 AM Intel solutions VT-x, virtualization for IA-32 VT-i, virtualization for Itanium Changed architecture to meet the criteria

18 5/17/2015 9:36 AM Ring aliasing and ring compression Solution is to allow guest to run at intended privilege level by augmenting privilege levels. See Figure 2(d).

19 5/17/2015 9:36 AM Nonfaulting access to privileged state Two kinds of changes –Make access fault to the VM –Allow nonfaulting access, but to state under the control of the VMM

20 5/17/2015 9:36 AM Intel Virtualization Paper –ftp://download.intel.com/technology/comp uting/vptech/vt-ieee-computer-final.pdfftp://download.intel.com/technology/comp uting/vptech/vt-ieee-computer-final.pdf

Download ppt "5/17/2015 9:36 AM Confinement James Hook CS 591: Introduction to Computer Security."

Similar presentations

System Integration and Performance

System Integration and Performance
Hardware-assisted Virtualization

Hardware-assisted Virtualization
More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Input and Output CS 215 Lecture #20.

Input and Output CS 215 Lecture #20.
Chap 2 System Structures.

Chap 2 System Structures.
 2004 Deitel & Associates, Inc. All rights reserved. 1 Chapter 3 – Process Concepts Outline 3.1 Introduction 3.1.1Definition of Process 3.2Process States:

 2004 Deitel & Associates, Inc. All rights reserved. 1 Chapter 3 – Process Concepts Outline 3.1 Introduction 3.1.1Definition of Process 3.2Process States:
A NOTE ON THE CONFINEMENT PROBLEM Butler Lampson Xerox PARC.

A NOTE ON THE CONFINEMENT PROBLEM Butler Lampson Xerox PARC.
Process Description and Control

Process Description and Control
DIRECT MEMORY ACCESS CS 147 Thursday July 5,2001 SEEMA RAI.

DIRECT MEMORY ACCESS CS 147 Thursday July 5,2001 SEEMA RAI.
CS-3013 & CS-502, Summer 2006 Virtual Machine Systems1 CS-502 Operating Systems Slides excerpted from Silbershatz, Ch. 2.

CS-3013 & CS-502, Summer 2006 Virtual Machine Systems1 CS-502 Operating Systems Slides excerpted from Silbershatz, Ch. 2.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Figure 2.8 Compiler phases. 2.8.1 Compiling. Figure 2.9 Object module. 2.8.2 Linking.

Figure 2.8 Compiler phases Compiling. Figure 2.9 Object module Linking.
OS Fall ’ 02 Introduction Operating Systems Fall 2002.

OS Fall ’ 02 Introduction Operating Systems Fall 2002.
Silberschatz, Galvin and Gagne  2002 2.1 Operating System Concepts Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage.

Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage.
Operating System Structure. Announcements Make sure you are registered for CS 415 First CS 415 project is up –Initial design documents due next Friday,

Operating System Structure. Announcements Make sure you are registered for CS 415 First CS 415 project is up –Initial design documents due next Friday,
OS Spring’03 Introduction Operating Systems Spring 2003.

OS Spring’03 Introduction Operating Systems Spring 2003.
Figure 1.1 Interaction between applications and the operating system.

Figure 1.1 Interaction between applications and the operating system.
1 Process Description and Control Chapter 3 = Why process? = What is a process? = How to represent processes? = How to control processes?

1 Process Description and Control Chapter 3 = Why process? = What is a process? = How to represent processes? = How to control processes?
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #29-1 Chapter 33: Virtual Machines Virtual Machine Structure Virtual Machine.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #29-1 Chapter 33: Virtual Machines Virtual Machine Structure Virtual Machine.
LINUX Virtualization Running other code under LINUX.

LINUX Virtualization Running other code under LINUX.

Similar presentations

Ads by Google