Toward Automated Information-Flow Integrity Verification for Security-Critical Applications

Similar documents
Advanced Systems Security: Principles

Advanced Systems Security: Integrity

Justifying Integrity Using a Virtual Machine Verifier

PRIMA: Policy-Reduced Integrity Measurement Architecture

Advanced Systems Security: Integrity

Advanced Systems Security: Ordinary Operating Systems

Advanced Systems Security: Integrity

Advanced Systems Security: Principles

Topics in Systems and Program Security

Integrity Policies. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

IBM Research Report. PRIMA: Policy-Reduced Integrity Measurement Architecture. Trent Jaeger Pennsylvania State University

CIS433/533 - Introduction to Computer and Network Security. Access Control

Operating System Security: Building Secure Distributed Systems

Integrity Policies. Murat Kantarcioglu

Advanced Systems Security: Security-Enhanced Linux

Chapter 6: Integrity Policies

Advanced Systems Security: Principles

Advanced Systems Security: Multics

Transforming Commodity Security Policies to Enforce Clark-Wilson Integrity

Attack Graphs. Systems and Internet Infrastructure Security

Advanced Systems Security: Security Goals

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

May 1: Integrity Models

Justifying Integrity Using a Virtual Machine Verifier

CMPSC 497 Attack Surface

Advanced Systems Security: Securing Commercial Systems

Virtual Machine Security

Advanced Systems Security: Ordinary Operating Systems

CSE Computer Security

Advanced Systems Security: Future

Advanced Systems Security: Security-Enhanced Linux

Asset Analysis -I. 1. Fundamental business processes 2.Critical ICT resources for these processes 3.The impact for the organization if

SELinux Protected Paths Revisited

Advanced Systems Security: Security-Enhanced Linux

CSE509: (Intro to) Systems Security

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Systems Security: Virtual Machine Systems

Towards Formal Evaluation of a High-Assurance Guard

SELinux. Daniel J Walsh SELinux Lead Engineer

CCM Lecture 14. Security Models 2: Biba, Chinese Wall, Clark Wilson

Security Models Trusted Zones SPRING 2018: GANG WANG

CSE543 - Computer and Network Security Module: Virtualization

CSE Computer Security

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Systems Security Research in SIIS Lab

Advanced Systems Security: Virtual Machine Systems

Towards System Integrity Protection with Graph-Based Policy Analysis

Politecnico di Torino. Porto Institutional Repository

The Evolution of Secure Operating Systems

IN distributed computing environments, it is crucial to

6.858 Quiz 2 Review. Android Security. Haogang Chen Nov 24, 2014

SEEdit: SELinux Security Policy Configuration System with Higher Level Language

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Integrating SELinux with Security-typed Languages

Topics in Systems and Program Security

MANDATORY ACCESS CONTROL SECURITY ENHANCED LINUX (SELINUX)

Policy Analysis for Security-Enhanced Linux

Policy, Models, and Trust

CSE543 - Computer and Network Security Module: Virtualization

Wrapup. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

Verifying System Integrity by Proxy

SELinux: A New Approach to Secure Systems

IBM Research Report. Design and Implementation of a TCG-Based Integrity Measurement Architecture

SELinux type label enforcement

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

8.3 Mandatory Flow Control Models

IBM Research Report. Bridging Mandatory Access Control Across Machines

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Verifiable Security Goals

CSE543 - Computer and Network Security Module: Virtualization

Configuring Cloud Deployments for Integrity

Asbestos Operating System

Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria

Security Enhanced Linux

Access control models and policies. Tuomas Aura T Information security technology

Lecture 15 Designing Trusted Operating Systems

Using the MPU with an RTOS to Enhance System Safety and Security

Practical Verification of System Integrity in Cloud Computing Environments

Introduce the major evaluation criteria. TCSEC (Orange book) ITSEC Common Criteria

Computer Security. 02r. Assignment 1 & Access Control Review. Paul Krzyzanowski David Domingo Ananya Jana. Rutgers University.

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

The Case for Security Enhanced (SE) Android. Stephen Smalley Trusted Systems Research National Security Agency

Access Control/Capabili1es

The Evolution of Secure Operating Systems

Lecture 3 MOBILE PLATFORM SECURITY

Advanced Systems Security: Confused Deputy

Module: Future of Secure Programming

Operating systems and security - Overview

Operating systems and security - Overview

Operating System Security

Application Virtualization and Desktop Security

Inevitable Failure: The Flawed Trust Assumption in the Cloud

Access Control. Discretionary Access Control

Reference Policy for Security Enhanced Linux Christopher J. PeBenito, Frank Mayer, Karl MacMillan Tresys Technology

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

SELinux. Don Porter CSE 506

Discretionary Vs. Mandatory

G/On OS Security Model

Policy Enforced Remote Login

Module: Future of Secure Programming

Transcription:

CSE 598A - Spring 2007 - Sandra Rueda Page 1 Toward Automated Information-Flow Integrity Verification for Security-Critical Applications Umesh Shankar, Trent Jaeger and Reiner Sailer Presented by Sandra Rueda

Integrity Adherence to a strict code The quality of being honest The condition of being free from flaws Why do we care? CSE 598A - Spring 2007 - Sandra Rueda Page 2

CSE 598A - Spring 2007 - Sandra Rueda Page 3 Biba i is a function that returns the integrity level of a subject or an object s can read o iff i (s) <= i (o) s can write o iff i (s) >= i (o) s1 can execute s2 iff i (s2) <= i (s1) o s o Is this a problem for some processes?

CSE 598A - Spring 2007 - Sandra Rueda Page 4 Information Flow Integrity There is an information flow between A and B if A can write to a resource on which B depends. There are transitive information flows A write-like read-like B The information flow integrity verification problem is to prove that a high integrity process does not depend on information flows from low integrity processes.

CSE 598A - Spring 2007 - Sandra Rueda Page 5 Clark-Wilson Clark-Wilson Integrity Model defines a set of certification and enforcement rules that guarantee integrity for constraint data items. Clark-Wilson requires: Verification of application (formal approach which is not possible with our current technology) Verification of information integrity properties of the inputs (filtering interfaces) Information Flow Integrity for inputs and outputs requires: Proper configuration Filtering code low-integrity In high-integrity application Out high-integrity high-integrity

CW-Lite CW-Lite vs. Clark Wilson Omits the formal semantics verification Retains the same inter-process dependency semantics Motivations behind CW-Lite Clark Wilson involves two goals that may be checked in a separate way High level integrity programs read low level integrity inputs from a small number of locations CSE 598A - Spring 2007 - Sandra Rueda Page 6

CW-Lite [2] Clark Wilson: Application developer does not know the flows allowed in the system in advance thus all inputs must be filtered CW-Lite: Use system knowledge to detect the inputs that must be filtered CW-Lite is preserved for a subject s if: All high integrity subjects meet integrity requirements initially All trusted code is identifiable as high integrity All information flows are from subjects of equal or higher integrity unless they are filtered CSE 598A - Spring 2007 - Sandra Rueda Page 7

CSE 598A - Spring 2007 - Sandra Rueda Page 8 CW-Lite Compliant Developers: Identify untrusted inputs and implement filtering interfaces for them Annotate those interfaces (DO_FILTER) Develop filtering interfaces Construct a policy to identify: Trusted inputs Untrusted inputs System Administrators: Define the system TCB (or per-application) Run the security policy analysis tool (Gokyo) for the target application The tool identifies integrity violations, decide how to remove the illegal flow

CSE 598A - Spring 2007 - Sandra Rueda Page 9 SELinux Linux Security Module developed by the NSA Implements Mandatory Access Control (MAC) on Linux Every subject and object in the system is assigned a collection of security attributes known as security context When a security decision is required, the security contexts of the subject and the objects are given to the security server, based on that and some predefined rules the security server makes the decision acc_request(sc1,sc2) 1 Subject sc1 3 access 2 granted/denied Object sc2 SELinux Kernel (Policy Enforcement Point) query(sc1,sc2) answer Security Server (Policy Decision Point)

Gokyo Access Control Space: set of permissions assigned to a subject Constraints Prohibited Unknown Permissible Assignments Specified Obligated Gokyo may be used to manage Access Control Policies Gokyo may also be used to check integrity constraints Integrity constraints enforce Biba-style integrity semantics CSE 598A - Spring 2007 - Sandra Rueda Page 10

Gokyo [2] Integrity Checking Define the set of constraints For each read permission of the higher integrity subject type, the corresponding write permissions are added to the constrained set of the lower integrity subject type For each write permission of the lower integrity subject type, the corresponding read permissions are added to the constrained set of the higher integrity subject type CSE 598A - Spring 2007 - Sandra Rueda Page 11

CSE 598A - Spring 2007 - Sandra Rueda Page 12 Example [Jaeger et al. SACMAT02] Object Type httpd_log_files_t Description Application Logs Subject Type admin_t httpd_t user_script_t sys_script_t Perm Web Server file system permission assignments cr a a a Node1 admin_t admin_t admin_t Node2 http_d user_script_t sys_script_t Type integrity integrity integrity Aspect perms perms perms Initial web server policy constraints httpd_log_files_t admin_t 1a. specified: cr httpd_t 1b. prohibited: wa 2. specified: a Conflict

Supporting Filtering Interfaces MAC Operating System : SELinux SELinux access control system was modified to enforce CW-Lite Two subject types per process instead of one The default type allows inputs only from subjects in the TCB The filtering subject type is used for interfaces annotated with DO_FILTER Gokyo checks that there is no untrusted input to the application s default type It computes the set F = { s mod(s,o) obs(s,o) } settraceonerror is used to detect untrusted interfaces without the annotation CSE 598A - Spring 2007 - Sandra Rueda Page 13

CSE 598A - Spring 2007 - Sandra Rueda Page 14 Example Before After Source Code Source Code conn = accept() get_http_request_sanitized(conn) DO_FILTER(conn = accept()) get_http_request_sanitized(conn) Policy Policy Apache: allow read httpd.conf Apache: allow accept Apache: allow read httpd.conf Apache-filter: allow accept

CSE 598A - Spring 2007 - Sandra Rueda Page 15 Evaluation OpenSSH and vsftpd Goal: check that all information flows into privileged components are high integrity level or filtered via declared interfaces The server-side daemon was decomposed into privileged and unprivileged components Add default and filtered types to the OS policy Define the TCB Add annotations to the privileged components inputs from network inputs from unprivileged components Verify interfaces with settraceonerror The developer must build the filtering interfaces Run Gokyo 21 conflicts for OpenSSH 8 conflicts for vsftpd Conflict resolution requires system/application knowledge

Future Work Apply CW-Lite to the TCB of the system Is it possible to prove that filtering interfaces are semantically correct? CSE 598A - Spring 2007 - Sandra Rueda Page 16

Take Away Anything about Integrity Verification is important Big problem in computer science Verification of integrity for a given system is not an easy task CW-Lite applies divide and conquer (check only inputs) It also defines area of improvement (check only untrusted inputs) CW-Lite identifies sub-problems and propose a way to solve one of them it is SELinux-based. May be extended to MAC-based From comments in class: Who defines what is integrity? This property is evaluated based on parameters (looks like there is no universal definition) CSE 598A - Spring 2007 - Sandra Rueda Page 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback