Operating System Security: Building Secure Distributed Systems

Transcription

1 Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Operating System Security: Building Secure Distributed Systems Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Pennsylvania State University October 16, 2007

2 Trent Jaeger Past Projects/Results Linux Security Modules (source code analysis) Verify Complete Mediation of the Reference Monitor Interface Found and fixed six bugs [USENIX Sec 2002][ACM CCS 2002][ACM TISSEC 2004] SELinux Policy Analysis (policy analysis) Identify Low Integrity Flows to High Integrity Subjects Prove Integrity Protection of Apache, SSH, vsftp, and Linux TCB services [USENIX Sec 2003][ACM TISSEC 2003][NDSS 2006] Labeled IPsec (Linux kernel mechanism) Integration of IPsec and SELinux for Mandatory Network Control Accepted into mainline Linux kernel in [SecureComm 2006] applied to distribute systems access enforcement [ACSAC 2006] Lessons Learned Comprehensive Mandatory Access Control for Linux But Comprehensive MAC policies are complex And MAC is expanding to distributed systems Can We Provide Practical Integrity in Distributed System

3 Shared Reference Monitor (Shamon) Bad Appl (Jif) Appl Bad Appl (Jif) Appl TPM Monitor TPM Monitor Shared Reference Monitor (Shamon) Use virtual machines and remote attestation as basis for a distributed systems security architecture Sponsored by NSF (Cyber Trust) and IBM Research

4 Shamon Motivation Reference Monitor Goals Can be extended to distributed systems Tamperproofing: Remote Attestation Hardware-based integrity measurement Prove integrity to remote parties [USENIX Sec 2004][ACM CCS 2 Complete Mediation: Systems Coarse-grained Mandatory Access Control (Xen shype) Simplify MAC policies [ACSAC 2005] [ACSAC 2006] Comprehensive Verification: Information Flow Aware Software Development Generate secure code [IEEE S&P 2006][ICSE 2007][sub to ICSE 20 Verified MAC Policies [ACM TISSEC 2003][USENIX Sec 2003] Meet these requirements!

5 Shamon Systems Coalitions Properties Compatible Security Policies System 1 System 2 Attested Enforcement Alice Alice Isolated Workloads Secure Communication Promises to reduce the security-related complexity for distributed applications Alice Untrusted network Alice System 3 System 4

6 Shamon Core Goal: Verifiable MAC Enforcement Core [ACSAC 2007] High integrity software and data System protects itself from runtime or boot vulnerabilities Basis for Verification Root-of-Trust-Installer (ROTI) Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

7 System Policy Compliance Goal: Ensure that systems can verify an application s MAC enforcement [USENIX Tech 2007] [SACMAT 2007] Lots of applications that are trusted (over 30 in SELinux) Security-typed languages enable verification of enforcement Applied to real applications System services: logrotate Client programs: client and web browser DTO/IARPA Funded project policy Compliance Checker Allowed flows Shamon

8 High Integrity Systems Goal: Provide verifiable high integrity core in client systems Applied to cell phones Trusted software and random software SHIMA integrity measurement enables verification that trusted code is isolated from others Sponsored by Raytheon and Samsung Cell Platform Systems and Internet Infrastructure Security (SIIS) Laboratory Page 8

9 Summary Emerging Technology Enables Rethinking of Distributed MAC Enforcement Shared Reference Monitor Promote Correct Shamon Systems Root-of-Trust-Install (ROTI), Prescribed Software, Bootcycle Secrets Build Distributed Shamon Applications Coalition Repository Web Shamon Verifiable Integrity Cell Systems

10 Questions Shamon project Penn State SIIS Lab