A Framework for Enforcing Information Flow Policies Bhuvan Mital Secure Systems Laboratory, Stony Brook University A Thesis Presentation in Partial Fulfillment.


1 A Framework for Enforcing Information Flow Policies
Bhuvan Mital, Secure Systems Laboratory, Stony Brook University
A Thesis Presentation in Partial Fulfillment of the Requirements for the Degree of Master of Science in Computer Science
Advisor: Prof. R.C. Sekar
Committee: Prof. Rob Johnson, Prof. Scott Stoller

2 Outline of the presentation
 Motivation for a new framework
 Framework Design
 Framework Implementation
 Evaluation
 Related Work
 Conclusion
 Future Work

3 Need for Information-Flow Techniques
 Reactive approaches are ineffective
   Code encryption / obfuscation evade signature-based scanning and behavior monitoring
 Policy-based confinement is difficult
   Policies are difficult to develop
   Vulnerable to multi-step attacks
 Mediation of writes alone is not the solution
   Trojan attack on the Windows Vista Start Menu

4 Need for Information-Flow Techniques
 The solution lies in mediating both reads and writes
   Mediating read-downs and write-ups for integrity preservation
   Mediating read-ups and write-downs for confidentiality preservation
Information-flow techniques can provide a solution

5 PPI's Information-Flow Approach
 Premise of the PPI (Practical Proactive Integrity Preservation) approach
   System integrity is preserved as long as integrity-critical objects (files, pipes, sockets, etc.) are not written by low-integrity subjects (processes)
 PPI thwarts malware and maintains flexibility

6 Challenge to Information Flow: Delayed Failures
(Figure) Editor opens file1 for writing

7 Delayed Failures
(Figure) Editor reads file2 and gets downgraded

8 Delayed Failures
(Figure) Downgraded editor causes loss in usability
Solution: make the application trusted. Is trusting all applications a solution?

9 Motivation for a new Framework
 Promote early failures to enhance usability
   e.g. deny opening a file for reading when a high-integrity file is open in the editor
 Limit trust
   Only a few selected applications are trusted
 Scalable and flexible design
   Extensible framework for enforcing policies for preserving integrity as well as confidentiality
 Building a working model for a modern operating system
   A scalable framework that adapts to a contemporary OS design

10 Basics about our framework
 Built using the Linux Security Module (LSM) infrastructure
 Entities in our framework
   Objects: files, pipes, sockets, IPC channels
   Subjects: processes
   Handles: indirection between objects and subjects
   Labels: abstract data types for denoting object/subject integrity or confidentiality
     current label: basis for forward information flow
     min label: basis for constraint propagation
   Prevents undesirable downgrading

11 Design of our framework
(Figure: "Tuple denotes" label; the diagram is not in the transcript)
 Promotes early failures by propagating constraints

12 Design of our framework (contd.)
 Trusting applications
   Some subjects can sanitize their inputs and must be trusted, e.g. the ssh server is trusted for all inputs on port 22
   (Figure) Input Validation: Integrity Model
   Our framework makes such subjects invulnerable
   Limits trust by defining an input invulnerability level
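A user-space model of the label semantics on slides 6 to 12 (the current label, the min label that carries the propagated constraint, and the invulnerability level that limits trust), added here as an illustration. It is not code from the thesis or its LSM implementation; the two-level HIGH/LOW lattice, the function names and the two scenarios are assumptions made for the example.

```python
from dataclasses import dataclass
HIGH, LOW = 1, 0  # two-level integrity lattice (an assumption); larger = higher integrity

@dataclass
class Obj:
    name: str
    label: int

@dataclass
class Subject:
    name: str
    current: int = HIGH   # current label: basis for forward information flow
    min_label: int = LOW  # min label: lowest level this subject may be downgraded to
    invuln: int = HIGH    # inputs at or above this level never downgrade the subject

# A handle is the (subject, object) pair that a mediated open returns.
def open_write(subj, obj, early_failures):
    # No write-up: only a subject at or above the object's label gets a write handle.
    if subj.current < obj.label:
        return None
    if early_failures:
        # Constraint propagation: while the handle is open the subject must not
        # sink below the object's label, otherwise the later write would fail.
        subj.min_label = max(subj.min_label, obj.label)
    return (subj, obj)

def open_read(subj, obj, early_failures):
    if obj.label >= subj.current or obj.label >= subj.invuln:
        return (subj, obj)            # no lower-integrity data flows in: no downgrade
    if early_failures and obj.label < subj.min_label:
        return None                   # early failure: the read would violate the constraint
    subj.current = obj.label          # low-watermark downgrade; the failure is delayed
    return (subj, obj)

def write(handle):
    subj, obj = handle                # the write itself is mediated too
    return subj.current >= obj.label

def editor_scenario(early_failures):
    # Slides 6-8: the editor opens high-integrity file1 for writing, then reads low file2.
    editor, file1, file2 = Subject("editor"), Obj("file1", HIGH), Obj("file2", LOW)
    wh = open_write(editor, file1, early_failures)
    read_allowed = open_read(editor, file2, early_failures) is not None
    return read_allowed, write(wh)    # (read of file2 allowed?, write to file1 succeeds?)

def sshd_scenario():
    # Slide 12: sshd is trusted for all inputs on port 22, so reading them keeps it high.
    sshd, sock = Subject("sshd", invuln=LOW), Obj("port22", LOW)
    open_read(sshd, sock, early_failures=True)
    return sshd.current
```

With `early_failures=False` the editor is silently downgraded and the write to file1 fails later; with `early_failures=True` the read of file2 is refused at open time and the write succeeds, which is the usability gain the slides argue for.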


14 PPI Object Types: Some Examples
 Symbolic links
   Have a context association
   Attacker may create low-integrity symlinks to a high-integrity file
   Solution: virtually downgrade the process
 Named pipes
   Just like named files in the filesystem
 Un-named pipes
   Special handling done in the framework for PPI handle creation on un-named pipes

15 Framework Implementation
 Goals
   Identifying the hooks for enforcement
   Fitting the framework in the LSM infrastructure

17 Framework Implementation
 Analysis of code flow, e.g. task exec (figure not in transcript)

18 Framework Implementation
 Analysis of code flow, e.g. socket accept (figure not in transcript)

19 Framework Implementation
 Key challenges in mapping our framework to LSM
   Hook selection
   Overcoming the limitations of LSM
     Example: no hook for mediating all sys_close events. Problem: handles on objects closed by forked processes are not seen by the framework, leaving stale handles in the system. Solution: validate handles before using them.

20 Framework Evaluation
 Test setup
   VMware virtual machine with a 2.6 GHz processor, 512 MB RAM and 10 GB of free HD space
   Implementation for sockets / IPCs not complete
   Full-system testing not done
 Evaluation of correctness
   More than 50 use cases developed for testing
   Our framework passes all tests
 Evaluation of performance
   Testing with the Core-Utils 6.10 standard test suite passes all tests
   Average overhead in CPU time: 30%

21 Framework Evaluation
 Performance graph (limited testing for Core-Utils 6.10; graph not in transcript)

22 Related Work
 Biba Integrity Model [Biba '77]
   Strict model, enforces no read-downs and no write-ups
 LOMAC [Fraser 2000]
   Integrity preservation for Linux by enforcing a low-watermark policy
 Windows Vista
   Only a no-write-up policy, subject to indirect attacks
 Back to the Future [ACSAC 2006]
   Only a no-read-down policy, impacts system availability
 SELinux [Loscocco 2001]
   Primary focus on servers, not safe to use for untrusted applications

23 Conclusion
 Our framework preserves usability
   Promotes early failures by propagating constraints
 Limits trust
   Invulnerability of applications can be restricted
 Scalable and flexible design
   Extensible framework for enforcing policies for preserving integrity as well as confidentiality
   Implementation of label as an abstract data type
 Our framework fits well into a contemporary OS
   Current implementation uses the LSM framework

24 Future Work
 Implementation to be completed for sockets and IPC objects
 Full-system evaluation and benchmarking
 Reducing the CPU time overhead by optimizations
 Enforcing confidentiality policies through the framework
 Mapping the framework to other operating systems

25 Your questions, please!

26 Thank you!
