1. Information Flow Control for Standard OS Abstractions
Landon Cox
March 21, 2018

2. Access control and the kernel
How does kernel know if system call is allowed?
Looks are user id (uid) of process making the call
Looks at resources accessed by call (e.g., file)
Checks access-control policy associated with resource
Decides if policy allows uid to access resources
How is a uid normally assigned to a process?
On fork, child inherits parent’s uid

3. MOO accounting problem
Multi-player game called Moo
Want to maintain high score in a file
Should players be able to update score?
Yes
Do we trust users to write file directly?
No, they could lie about their score
Game client (uid x)
High score
Game client
(uid y)

4. MOO accounting problem
Multi-player game called Moo
Want to maintain high score in a file
Should players be able to update score?
Yes
Do we trust users to write file directly?
No, they could lie about their score
Could have a trusted process update scores
Why isn’t this enough?
Can’t be sure that reported score is genuine
Also want to ensure that score was computed correctly
Game client (uid x)
Trusted process
(root)
High score
Game client
(uid y)

5. Access control Simple inheritance of uids is not sufficient for
Tasks involving management of “user id” state
Logging in (login)
Changing passwords (passwd)
Solution: setuid
Executable files can have their setuid bit set
If setuid bit is set, process inherits uid of image file’s owner on exec

6. MOO accounting problem
Multi-player game called Moo
Want to maintain high score in a file
How does setuid allow us to know that score is correct?
Game executable is owned by trusted entity
Game cannot be modified by normal users
Users can run executable though
High-score is also owned by trusted entity
This is a form of trustworthy computing
High-score maintainer knows exactly which code will update score
Ensures code integrity, even when run by untrusted users
Also data confidentiality, since data accessed by code with integrity
Game client (uid x)
High score
Game client
(uid y)

7. Information Flow Control (IFC)
Goal: track which secrets a process has seen
Mechanism: each process gets a secrecy label
Label summarizes which categories of data a process is assumed to have seen.
Examples:
{ “Financial Reports” }
{ “HR Documents” }
{ “Financial Reports” and “HR Documents” }
“tag”
“label”
Slide by Max Krohn

8. Secrecy, Integrity, and Privilege
How did endorsements work in the Moo prob?
Secrecy label (Sp)
Specifies what data P has read
“/usr/bin/login may read the password file”
Integrity label (Ip)
Used to endorse trustworthiness of P
“/usr/bin/login can only be updated by root”
Also limits what P can read
“/usr/bin/login can only read user libs and config files endorsed by root”
Ownership (Op)
Regulates how P can update Sp and Ip
Tags P can add to its labels (e.g., t+), i.e., endorse via integrity label
Tags P can remove from its labels (e.g., t-), i.e., declassify via secrecy label
Dp is the set of tags that P can both add and remove
What is an endorsement?
Why is this restriction necessary?

9. Secrecy, Integrity, and Privilege
“At some point process p added data with tag s to its address space.”
s ∈ Sp  ∃(data) : p read data with tag s
Integrity
“All inputs to process p had tag i.”
i ∈ Ip  ∀(data) : p read data with tag i
Privilege
“p can remove tag s from Spand add tag i to Ip.”
s ∈ t-  p is trusted to declassify s
i ∈ t+  p is trusted to endorse i
t ∈ Dp  t ∈ t- and t ∈ t+

10. Tags + Secrecy Labels Process p change_label({Finance});
Secrets P has viewed
change_label({});
tag_t HR = create_tag();
change_label({Finance,HR});
Any process can add any tag to its label.
Sp = { Finance, HR }
Sp = { Finance }
Sp = {}
change_label({Finance});
DIFC Rule: A process can create a new tag; gets ability to declassify it.
Dp = { HR }
Dp = {}
Same as Step 1.
Tags P can add and remove from its label
DIFC: Declassification in action.
Finance HR
Legal
Universe of Tags:
SecretProjects
Slide by Max Krohn

11. Tags + Integrity Labels
change_label({});
Process p
Endorsements of P
Any process can remove any tag from its label.
Ip = {Apple}
Dp = {}
Tags P can add and remove from its label
Finance
Legal
Universe of Tags:
Apple
Slide by Max Krohn

12. Tags + Integrity Labels
change_label({});
Process p
Ip = {}
Dp = {}
Finance
Legal
Universe of Tags:
Apple
Slide by Max Krohn

13. Tags + Integrity Labels
change_label({});
Process p
change_label({Microsoft});
tag_t HR = create_tag();
Ip = {}
Dp = {}
Finance
Legal
Universe of Tags:
Apple
Slide by Max Krohn

14. Tags + Integrity Labels
change_label({});
Process p
tag_t HR = create_tag();
Ip = {}
Dp = {}
Finance
Legal
Universe of Tags:
Apple
Slide by Max Krohn

15. Tags + Integrity Labels
change_label({});
Process p
tag_t HR = create_tag();
Ip = {}
DIFC Rule: A process can create a new tag; gets ability to endorse w/ it.
Dp = {HR}
Finance HR
Legal
Universe of Tags:
Apple
Slide by Max Krohn

16. Tags + Integrity Labels
change_label({});
Process p
tag_t HR = create_tag();
change_label({HR});
Ip = {}
Dp = {HR}
Finance HR
Legal
Universe of Tags:
Apple
Slide by Max Krohn

17. Tags + Integrity Labels
change_label({});
Process p
tag_t HR = create_tag();
change_label({HR});
Ip = {HR}
Dp = {HR}
DIFC: Endorsement in action.
Finance HR
Legal
Universe of Tags:
Apple
Slide by Max Krohn

18. Privilege in action (secrecy)
Finance
Universe of Secrecy Tags: HR
Legal
SecretProjects
Process p
Sp = {}
Dp = { HR, Admin }
Admin
Microsoft
Bob’s code
Alice’s code
Universe of Integrity Tags

19. Privilege in action (secrecy)
Finance
Universe of Secrecy Tags: HR
Legal
SecretProjects
Process p
Sp = { HR }
Dp = { HR, Admin }
Admin
Microsoft
Bob’s code
Why is this allowed?
Alice’s code
Universe of Integrity Tags

20. Privilege in action (secrecy)
Finance
Universe of Secrecy Tags: HR
Legal
SecretProjects
Process p
Sp = { HR }
Dp = { HR, Admin }
Admin
Microsoft
Bob’s code
What is the effect?
Alice’s code
Universe of Integrity Tags

21. Privilege in action (secrecy)
Finance
Universe of Secrecy Tags: HR
Legal
SecretProjects
Process p q
Sp = { HR }
Dp = { HR, Admin }
Admin
Sq = { HR }
Microsoft
Bob’s code
What is the effect?
Can now receive data from HR processes
Alice’s code
Universe of Integrity Tags

22. Privilege in action (secrecy)
Finance
Universe of Secrecy Tags: HR
Legal
SecretProjects
Process p q
Sp = {}
Dp = { HR, Admin }
Admin
Sq = { HR }
Microsoft
Bob’s code
Why is this allowed?
Alice’s code
Universe of Integrity Tags

23. Privilege in action (secrecy)
Finance
Universe of Secrecy Tags: HR
Legal
SecretProjects
Process p q
Sp = {}
Dp = { HR, Admin }
Admin
Sq = { HR }
Microsoft
Bob’s code
What is the effect?
Alice’s code
Universe of Integrity Tags

24. Privilege in action (secrecy)
Finance
Universe of Secrecy Tags: HR
Legal
Sr = {}
SecretProjects
Process p q
Sp = {}
Dp = { HR, Admin }
Admin
Sq = { HR }
Microsoft
Bob’s code
What is the effect?
Declassifies HR data received from q
Alice’s code
Universe of Integrity Tags

25. Privilege in action (integrity)
Finance
Universe of Secrecy Tags: HR
Legal
SecretProjects
Process p
Ip = {Admin}
Dp = { HR, Admin }
Admin
Microsoft
Bob’s code
Admin+ makes p a certifier
Alice’s code
Universe of Integrity Tags

26. Privilege in action (integrity)
Fake vi
Ip = {}
Process p vi
Ip = {Admin}
Dp = { HR, Admin }
Ip = {Admin}
libc
/etc/rc
Ip = {Admin}
Ip = {Admin}

27. Privilege in action (integrity)
Fake vi
Ip = {}
Process p
“Run vi” vi
Ip = {Admin}
Dp = { HR, Admin }
Ip = {Admin}
libc
/etc/rc
Ip = {Admin}
Ip = {Admin}

28. Privilege in action (integrity)
Fake vi
Ip = {Admin}
Dp = { HR, Admin } q
Ip = {}
fork()
Process p
“Run vi” vi
Ip = {Admin}
Dp = { HR, Admin }
Ip = {Admin}
libc
/etc/rc
Ip = {Admin}
Ip = {Admin}

29. Privilege in action (integrity)
Fake vi
Ip = {Admin}
Dp = { HR } q
Why drop Admin+?
Ip = {}
fork()
Process p
“Run vi” vi
Ip = {Admin}
Dp = { HR, Admin }
Ip = {Admin}
libc
/etc/rc
Ip = {Admin}
Ip = {Admin}

30. Privilege in action (integrity)
Should this work?
Fake vi
Ip = {Admin}
Dp = { HR } q
Ip = {}
fork()
exec(“vi”)
Process p
“Run vi” vi
Ip = {Admin}
Dp = { HR, Admin }
Ip = {Admin}
libc
/etc/rc
Ip = {Admin}
Ip = {Admin}

31. Privilege in action (integrity)
Fake vi
Ip = {Admin}
Dp = { HR } q
Ip = {}
fork()
load(“libc”)
Process p
“Run vi” vi
Ip = {Admin}
Dp = { HR, Admin }
Ip = {Admin}
libc
/etc/rc
Ip = {Admin}
Ip = {Admin}

32. Privilege in action (integrity)
Fake vi
Ip = {Admin}
Dp = { HR } q
Ip = {}
fork()
read(“/etc/rc”)
Process p
“Run vi” vi
Ip = {Admin}
Dp = { HR, Admin }
Ip = {Admin}
libc
/etc/rc
Ip = {Admin}
Ip = {Admin}

33. Privilege in action (integrity)
Fake vi
Ip = {}
Process p
“Run Fakevi” vi
Ip = {Admin}
Dp = { HR, Admin }
Ip = {Admin}
libc
/etc/rc
Ip = {Admin}
Ip = {Admin}

34. Privilege in action (integrity)
Fake vi
Ip = {Admin}
Dp = { HR, Admin } q
Ip = {}
fork()
Process p
“Run Fakevi” vi
Ip = {Admin}
Dp = { HR, Admin }
Ip = {Admin}
libc
/etc/rc
Ip = {Admin}
Ip = {Admin}

35. Privilege in action (integrity)
Fake vi
Ip = {Admin}
Dp = { HR } q
Ip = {}
fork()
Process p
“Run Fakevi” vi
Ip = {Admin}
Dp = { HR, Admin }
Ip = {Admin}
libc
/etc/rc
Ip = {Admin}
Ip = {Admin}

36. Privilege in action (integrity)
Fake vi
Ip = {Admin}
Dp = { HR } q
exec(“fakevi”)
Ip = {}
fork()
Process p
“Run Fakevi” vi
Ip = {Admin}
Dp = { HR, Admin }
Ip = {Admin}
libc
/etc/rc
Ip = {Admin}
Ip = {Admin}

37. Privilege in action (integrity)
Should this work?
Fake vi
Ip = {Admin}
Dp = { HR } q
exec(“fakevi”)
Ip = {}
fork()
Process p
“Run Fakevi” vi
Ip = {Admin}
Dp = { HR, Admin }
Ip = {Admin}
libc
/etc/rc
Ip = {Admin}
Ip = {Admin}

38. P Communication Rule p can send to q iff Sp Í Sq Sp = { HR }
Process p
Process q
Sp = { HR }
Sq = { HR, Finance }
p can send to q iff Sp Í Sq
Slide by Max Krohn

39. Flume Communication RuleP ? ?
Database (q)
MoinMoin (p)
MoinMoin (r)
Sp = { Alice }
Sr = { Bob }
Sq = {}
Dq = { Alice, Bob }
Sq = { Alice }
Dq = { Alice, Bob }
Sp Í Sq
q changes to Sq = { Alice }
p sends to q
q changes back to Sq= {}
Slide by Max Krohn

40. Flume Communication RuleP P
Database (q)
MoinMoin (p)
MoinMoin (r)
Sp = { Alice }
Sr = { Bob }
Sq = {}
Dq= { Alice, Bob }
Senders get extra latitude
Receivers get extra latitude
p can send to q iff:
In IFC: Sp Í Sq
In Flume: Sp – Dp Í Sq È Dq
Slide by Max Krohn

41. Unexpected Program Behavior (Unreliable Communication)
Process p
Process q P
“Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…”
“I stopped reading”
“I crashed”
Slide by Max Krohn

42. Unreliable communication
Process p
Process q
stdout
stdin
Sp = {}
Dp = { HR }
Sq = { HR } P
“Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” ?
“SLOW DOWN!!”
“I crashed”
Slide by Max Krohn

43. New Abstraction: Endpoints
Process p
Process q e f
Se = { HR }
Sf = { HR }
Sp = {}
Dp = { HR }
Sq = { HR } P
If Se Í Sf , then allow e to send to f
If Sf Í Se , then allow f to send to e
If Sf = Se , then allow bidirectional flow
“Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…” P
“SLOW DOWN!!”
“I crashed”
Slide by Max Krohn

44. Endpoints Declassify Data
Data enters process p with secrecy { HR }
But p keeps its label Sp = {}
Process p e
Se = { HR }
Sp = {}
Dp = { HR }
Thus p needs
HR Î Dp
Slide by Max Krohn

45. Endpoint Invariant For any tag t Î Sp and t Ï Se
Export inf.
For any tag t Î Sp and t Ï Se
Or any tag t Î Se and t Ï Sp
It must be that t Î Dp
Import inf.
Process p e
Se = { HR }
Sp = { Finance }
Dp = { Finance, HR}
Slide by Max Krohn

46. Endpoints’ Labels Are Independentg
Sg = {}
Process p
Process q e f
Se = { HR }
Sf = { HR }
Sp = {}
Dp = { HR }
Sq = { HR }
Slide by Max Krohn

47. Example App: MoinMoin Wiki
What are wikis used for? Say corporate data sharing.
Slide by Max Krohn

48. x43 How Problems Arise… if not self.request.user.may.read(pagename):
return self.notAllowedFault()
x43
LayoffPlans
MoinMoin
Wiki
(100 kLOC)
FreeTShirts
Slide by Max Krohn

49. MoinMoin + DIFC Trusted Untrusted MoinMoin Apache Wiki Web Server
LayoffPlans
Apache
Web Server
MoinMoin
Wiki
(100 kLOC)
Declassifier
1 kLOC
FreeTShirts
Trusted
Untrusted
Slide by Max Krohn

50. FlumeWiki reliable IPC file I/O MoinMoin Apache (100 kLOC)
Flume-Oblivious
unconfined
confined
reliable IPC
Web Client
GET /LayoffPlans?user=Intern&PW=abcd
LayoffPlans
S={ HR }
Apache
Declassifier
1 kLOC
MoinMoin
(100 kLOC)
FreeTShirts
S={}
file I/O
Slide by Max Krohn

51. Results Does Flume allow adoption of Unix software?
1,000 LOC launcher/declassifier
1,000 out of 100,000 LOC in MoinMoin changed
Python interpreter, Apache, unchanged
Does Flume solve security vulnerabilities?
Without our knowing, we inherited two ACL bypass bugs from MoinMoin
Both are not exploitable in Flume’s MoinMoin
Does Flume perform reasonably?
Performs within a factor of 2 of the original on read and write benchmarks
Slide by Max Krohn

52. Limitations Bigger TCB than HiStar / Asbestos
Linux stack (Kernel + glibc + linker)
Reference monitor (~22 kLOC)
Covert channels via disk quotas
Confined processes like MoinMoin don’t get full POSIX API.
spawn() instead of fork() & exec()
flume_pipe() instead of pipe()
Slide by Max Krohn

53. Summary DIFC is a challenge to Programmers Flume: DIFC in User-Level
Preserves legacy software
Complements today’s programming techniques
MoinMoin Wiki: Flume works as promised
Invite you to play around:
Slide by Max Krohn