Information Flow Control for Standard OS Abstractions
Faculty of Computer Science, Institute for System Architecture, Operating Systems Group, TU Dresden

Slide 1 of 34: Information Flow Control for Standard OS Abstractions
Paper by Maxwell Krohn, M. Frans Kaashoek et al.; presented by Stefan Kalkowski, Operating Systems Group, TU Dresden

Slides 2-3 of 34: What is it about?
Decentralized Information Flow Control (DIFC)
–A. Myers and B. Liskov (MIT), '00
–related to Originator Controlled Access Control (ORCON), Graubart '89
A solution to the declassification problem:
–classic mandatory flow control needs centralized, trusted subjects to declassify data
–in an environment of mutual distrust no subject is trusted by everyone, so such centralized declassifiers are useless
–DIFC instead decentralizes the authority to declassify: whoever creates the data decides who may release it

Slide 4 of 34: Declassification Problem (figure: the secrecy rule)

Slide 5 of 34: Declassification Problem (figure: the integrity rule)

Slides 6-8 of 34: Idea behind DIFC
–the creator of an object organizes its policy
–the capabilities for upgrading and downgrading are spread at object creation time
(figure: Alice creates an object and hands the capabilities to the activities that work on it)

Slides 9-10 of 34: DIFC – basic approaches
Language based: Myers and Liskov developed a Java extension called Jif
OS based:
–Asbestos (MIT): an experiment from scratch, a new OS built around labels
–HiStar (Stanford): an IFC kernel with a UNIX layer on top
–Flume (MIT): do it in UNIX-like systems, on top of an existing Linux kernel

Slide 11 of 34: Flume Abstractions
Tags and labels for integrity and secrecy: a tag is an opaque token, a label is a set of tags; every process p carries a secrecy label S_p and an integrity label I_p.
(figure: a process with its integrity label and its secrecy label, each made up of tags)

Slides 12-16 of 34: Flume Secrecy Rules
Example: process p with labels I_p and S_p, and some object o carrying tag t (I_p, S_p ∈ Label, i.e. sets of tags)
The following rules apply:
I. if p reads o, then t ∈ S_p
II. if p writes to q and t ∈ S_p, then t ∈ S_q
III. p cannot remove t from S_p (unless it holds the capability to declassify t, see the capability slide)
IV. if S_p ≠ {}, then p cannot transmit information over uncontrolled channels (anything outside Flume's model)

Slides 17-20 of 34: Flume Integrity Rules
With the same p, o and t:
I. if p modifies o, then t ∈ I_p
II. if t ∈ I_p, then p can only read from objects and processes that carry t in their integrity label
III. p cannot add t to I_p (unless it holds the capability to endorse t)
IV. if I_p ≠ {}, then p cannot accept input from uncontrolled channels

Slide 21 of 34: Capabilities for label changes
–creating a tag t yields two capabilities, t+ (add t to a label) and t- (remove t from a label); the allocation of tags therefore determines the distribution of add and remove capabilities in the system
–besides the local capability set of each process there is one global capability set whose entries every process may use
–tag capabilities can be passed between processes

Slides 22-25 of 34: Flume's safety model
–label changes have to be made explicitly by the process itself, and only if it holds the proper capability for every tag it adds or removes
–p can send a message to q only if S_p ⊆ S_q and I_q ⊆ I_p
–any data sink or source outside Flume's model is represented as a process r with S_r = I_r = {}; hence a process with non-empty S_p cannot send to it and a process with non-empty I_p cannot receive from it
–files are modelled as processes with immutable secrecy and integrity labels

Slide 26 of 34: Flume in practice: Endpoints
–endpoints are attached to file descriptors and by default inherit the labels of the process
–a process can configure its endpoints' labels to match the communication it has to do, within what its capabilities allow
–pipe endpoints are mutable, file endpoints are immutable
–a process label change that would break the safety of an immutable endpoint is refused

Slide 27 of 34: Linux implementation (figure: architecture)

Slide 28 of 34: Confined Processes
–LSM hooks intercept system calls and mediate them to a user-level reference monitor (RM)
–an adapted C library calls the RM directly for those calls that need it (dependent on the system call)
–some calls are simply forbidden for confined processes, e.g. fork
–spawn creates a new confined process with the labels of its "parent"
–the spawner process prepares the new process, forks it, enables LSM confinement, closes file descriptors, ...

Slide 29 of 34: IPC
–the reference monitor proxies all traffic through a pipe
–the RM buffers messages and evaluates the complete label state of both processes (including their endpoint labels) before delivering
–if communication is allowed in one direction only, the RM silently drops the messages of a diligent producer that floods the buffer in the other direction (an error return would itself be a channel)
–using Unix domain sockets is analogous to using files

Slide 30 of 34: Files and persistence
Restrictions:
–writable file descriptors are implicitly readable, so writing a file requires that the flow is allowed in both directions
–files have an additional write-protect set of tags
–processes cannot create files in directories that are less secret than themselves (creating an entry is a write to the directory)
The tag registry maintains login tokens, capability groups and the labels stored as extended file attributes
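The label model of slides 22 to 26 and the file and IPC rules of slides 29 and 30, as an added worked example in Python. This is not Flume's code; it is a toy model written for this transcript. Assumptions of the example that the slides do not state: tags are plain strings, a capability is the pair (tag, '+') or (tag, '-'), the default tag policies 'export' and 'integrity' and the condition in endpoint_safe() are derived here from the secrecy and integrity rules rather than quoted from the Flume paper, and the write-protect set of files is left out.

```python
# Added example, not Flume's code.  Assumptions beyond the slides: tags are
# strings, a capability is (tag, '+') or (tag, '-'), and endpoint_safe() is
# derived from the secrecy/integrity rules rather than quoted from the paper.
from dataclasses import dataclass, field

GLOBAL_CAPS = set()                 # capabilities every process may use
EMPTY = frozenset()

@dataclass
class Endpoint:
    name: str
    readable: bool
    writable: bool
    immutable: bool                 # True for file endpoints, False for pipes
    S: frozenset = None             # None: inherit the process label
    I: frozenset = None

@dataclass
class Process:
    name: str
    S: frozenset = EMPTY            # secrecy label S_p
    I: frozenset = EMPTY            # integrity label I_p
    caps: set = field(default_factory=set)     # local capability set O_p
    endpoints: list = field(default_factory=list)

    def plus(self):                 # tags p may add to a label (t+ owned)
        return {t for t, k in self.caps | GLOBAL_CAPS if k == '+'}

    def minus(self):                # tags p may remove from a label (t- owned)
        return {t for t, k in self.caps | GLOBAL_CAPS if k == '-'}

def create_tag(p, tag, default):
    """Creator gets t+ and t-; 'export' protection publishes t+ (anyone may
    add t, only the creator may remove it), 'integrity' publishes t-."""
    p.caps |= {(tag, '+'), (tag, '-')}
    GLOBAL_CAPS.add((tag, '+') if default == 'export' else (tag, '-'))

def safe_change(p, old, new):
    """Rule III of both rule sets: added tags need t+, removed tags need t-."""
    return (new - old) <= p.plus() and (old - new) <= p.minus()

def ep_labels(p, e):
    return (p.S if e.S is None else e.S, p.I if e.I is None else e.I)

def endpoint_safe(p, e):
    """Where an endpoint label differs from the process label, data crosses
    the descriptor as if p had changed its label: reading more secret data or
    writing to a less secret place needs t-, reading less trusted data or
    writing to a more trusted place needs t+ (derived here, an assumption)."""
    S_e, I_e = ep_labels(p, e)
    ok = True
    if e.readable:
        ok = ok and (S_e - p.S) <= p.minus() and (p.I - I_e) <= p.plus()
    if e.writable:
        ok = ok and (p.S - S_e) <= p.minus() and (I_e - p.I) <= p.plus()
    return ok

def set_labels(p, S=None, I=None):
    """Explicit label change by the process itself; refused without the
    capabilities, or if an immutable (file) endpoint would become unsafe."""
    new = Process(p.name, p.S if S is None else frozenset(S),
                  p.I if I is None else frozenset(I), p.caps, p.endpoints)
    if not (safe_change(p, p.S, new.S) and safe_change(p, p.I, new.I)):
        return False
    if any(e.immutable and not endpoint_safe(new, e) for e in p.endpoints):
        return False
    p.S, p.I = new.S, new.I
    return True

def open_file(p, name, S_f, I_f, mode):
    """Files are processes with immutable labels; a writable descriptor is
    implicitly readable, so mode 'w' must be safe in both directions.
    Creating a file in a directory is an open of the directory with 'w'."""
    e = Endpoint(name, True, 'w' in mode, True, frozenset(S_f), frozenset(I_f))
    if not endpoint_safe(p, e):
        return None
    p.endpoints.append(e)
    return e

def can_send(p, out, q, inp):
    """Safety-model rule on the endpoint labels: S_p ⊆ S_q and I_q ⊆ I_p."""
    (S_p, I_p), (S_q, I_q) = ep_labels(p, out), ep_labels(q, inp)
    return S_p <= S_q and I_q <= I_p

def proxy(p, out, q, inp, msgs):
    """Reference monitor on a pipe: what may not flow is dropped silently, so
    a producer flooding a one-way channel never learns why nothing arrives."""
    return [m for m in msgs if can_send(p, out, q, inp)]

def demo():
    """Constructed scenario; returns the observed outcomes as a dict."""
    GLOBAL_CAPS.clear()
    alice, worker, logger = Process('alice'), Process('worker'), Process('logger')
    net = Process('net')            # outside Flume's model: S = I = {}
    create_tag(alice, 't', 'export')            # t+ is global, only alice holds t-
    w_out, n_in = Endpoint('pipe', False, True, False), Endpoint('pipe', True, False, False)
    r = {}
    r['read_secret_unlabelled'] = open_file(worker, 'secret', {'t'}, EMPTY, 'r') is not None
    r['worker_raises'] = set_labels(worker, S={'t'})           # allowed: t+ is global
    r['read_secret_labelled'] = open_file(worker, 'secret', {'t'}, EMPTY, 'r') is not None
    r['worker_to_net'] = proxy(worker, w_out, net, n_in, ['a', 'b'])   # dropped
    r['worker_lowers'] = set_labels(worker, S=EMPTY)            # refused: no t-
    r['worker_writes_public'] = open_file(worker, 'pub', EMPTY, EMPTY, 'w') is not None
    r['alice_declassifies'] = set_labels(alice, S={'t'}) and set_labels(alice, S=EMPTY)
    r['logger_opens_log'] = open_file(logger, 'log', EMPTY, EMPTY, 'w') is not None
    r['logger_raises'] = set_labels(logger, S={'t'})            # breaks the log endpoint
    return r
```

demo() walks through the cases the slides describe: a process without t in S_p cannot open a t-tagged file, it may raise its label because t+ is global, afterwards nothing it sends reaches the unlabelled network process, it cannot lower its label or write a public file because only the tag's creator holds t-, and a process holding a public log file open for writing is refused the raise because the immutable endpoint would turn into a declassification channel.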

Slides 31-33 of 34: Evaluation
–detected two known and one previously unknown vulnerability within the Wiki example application
–additional complexity:
 –Flume's TCB: LOC (mostly user-level)
 –Wiki app: LOC added and LOC changed
–overall performance overhead:

Slide 34 of 34: Questions
–Do we need DIFC within legacy operating systems, or are there more urgent security defects to fix first?
–Is the effort to make Unix applications DIFC compliant really less than porting them to a new OS?
–Is it easy to apply that label model to L4env or Bastei?