Asbestos Operating System

Similar documents
Information Flow Control

Labels and Information Flow

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Inline Reference Monitoring Techniques

Software security in the Internet of things

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Mandatory Security and Performance of Services in Asbestos. David Patrick Ziegler

Discretionary Vs. Mandatory

Security and the Average Programmer

System design issues

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Wedge: Splitting Applications into Reduced-Privilege Compartments

Computer Science and Artificial Intelligence Laboratory Technical Report. MIT-CSAIL-TR August 6, 2007

Access Control Models

Access Control. Discretionary Access Control

Advanced Systems Security: Ordinary Operating Systems

The Most Dangerous Code in the Browser. Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

Advanced Systems Security: Multics

Security Architecture

Hardware Acceleration for Tagging

Mandatory access control and information flow control

Chapter 7: Hybrid Policies

Information Flow Control For Standard OS Abstractions

Issues of Operating Systems Security

Lecture 21. Isolation: virtual machines, sandboxes Covert channels. The pump Why assurance? Trust and assurance Life cycle and assurance

PROCESS VIRTUAL MEMORY PART 2. CS124 Operating Systems Winter , Lecture 19

Advanced Systems Security: Ordinary Operating Systems

CIS433/533 - Introduction to Computer and Network Security. Access Control

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

Themes in OS research. Administrivia Last project due today. Functionality. Performance

Qualifying exam: operating systems, 1/6/2014

Complex Access Control. Steven M. Bellovin September 10,

Secure Programming Lecture 15: Information Leakage

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

CHAPTER 8 FIREWALLS. Firewall Design Principles

1 HiStar OS. 2 Closing remarks. 3 Deian Stefan the industry perspective. - Software deployed on 200,000,000 systems

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Operating systems and security - Overview

Operating systems and security - Overview

Making Information Flow Explicit in HiStar

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

Flexible Dynamic Information Flow Control in Haskell

Access Control Part 3 CCM 4350

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Access Control (slides based Ch. 4 Gollmann)

Asset Analysis -I. 1. Fundamental business processes 2.Critical ICT resources for these processes 3.The impact for the organization if

A Survey of Access Control Policies. Amanda Crowell

Meltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory

6.858 Quiz 2 Review. Android Security. Haogang Chen Nov 24, 2014

Lecture 4: Bell LaPadula

Secure Architecture Principles

CIS 5373 Systems Security

Buffer overflow background

Hardware Enforcement of Application Security Policies Using Tagged Memory

8.3 Mandatory Flow Control Models

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

Least-Privilege Isolation: The OKWS Web Server

CONIKS: Bringing Key Transparency to End Users

Access control models and policies. Tuomas Aura T Information security technology

Chapter 3: Processes. Operating System Concepts 8 th Edition,

CS 356 Operating System Security. Fall 2013

Mandatory Access Control

Secure Architecture Principles

Secure Architecture Principles

Security Philosophy. Humans have difficulty understanding risk

Confinement (Running Untrusted Programs)

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

Outline. 1 Mandatory access control. 2 Labels and lattices 3 LOMAC. 4 SELinux 1 / 43

CMPSC 497 Attack Surface

Internet Engineering Task Force (IETF) Request for Comments: 7204 Category: Informational April 2014 ISSN:

Meltdown and Spectre - understanding and mitigating the threats (Part Deux)

Identity-based Access Control

Intergrity Policies CS3SR3/SE3RA3. Ryszard Janicki. Outline Integrity Policies The Biba Integrity Model

Chapter 4: Multithreaded Programming. Operating System Concepts 8 th Edition,

2 Lecture Embedded System Security A.-R. Darmstadt, Android Security Extensions

Module 4: Access Control

Access control models and policies

Multics C H A P T E R MULTICS HISTORY

Processes. CS3026 Operating Systems Lecture 05

Verifiable Security Goals

CSE Computer Security

1 / Must not leak contents of your files to network - Must not tamper with contents of your files 3 / 42

CSE 565 Computer Security Fall 2018

Process! Process Creation / Termination! Process Transitions in" the Two-State Process Model! A Two-State Process Model!

Processes. Process Concept

Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan. Stanford University, Chalmers University of Technology

Introduction to Security and User Authentication

Securing Untrustworthy Software Using Information Flow Control

Virtual Machine Security

Information Security Theory vs. Reality

CS 471 Operating Systems. Yue Cheng. George Mason University Fall 2017

Introduction to Computer Security

Plugging Side-Channel Leaks with Timing Information Flow Control

CPSC/ECE 3220 Fall 2017 Exam Give the definition (note: not the roles) for an operating system as stated in the textbook. (2 pts.

Securing Distributed Systems with Information Flow Control

Secure Architecture Principles

Transcription:

Asbestos Operating System Presented by Sherley Codio and Tom Dehart

This Talk Recap on Information Flow Asbestos Overview Labels Special Rules Discretionary Contamination Declassification/Decontamination Preventing Contamination Implementation

Information Flow Information flow Long-term confinement of information to authorized receivers Controls how information moves among data handlers and data storage units Applied at language, system, or application levels

Information Flow - Example Guarantee that the anti-virus (AV) scanner cannot leak to the network any data found in its scan of user files Possible leak methods Send data directly to a network connection Conspire with other processes (e.g, sendmail or httpd) Subvert another process and use its network access to send data Leave data in /tmp for other processes (e.g., the AV update daemon) to send Use other in/direct means of communication with the update daemon Fall, 2011 - Privacy&Security 4 - Virginia Tech Computer Science

Information Flow Lattice least upper bound (TS,[dip,mil]) (TS,[dip]) (TS,[mil]) (S,[dip,mil]) greatest lower bound (TS,[]) (S,[mil]) (S,[dip]) (S,[]} Fall, 2011 - Privacy&Security 5 - Virginia Tech Computer Science

Problem Web servers regularly divulge private information through exploitable software flaws (SQL injection, buffer overruns, etc). Instead of trying to fix all exploits, design a system that limits the impact of exploits.

Solution The principle of least privilege: each system component should have the minimum privilege required to accomplish its task. We still have a problem: current operating systems can t enforce the principle of least privilege.

Labels and Event Processes in the Asbestos Operating System A prototype operating system that provides labeling and isolation mechanisms that help contain the effects of exploitable software flaws. Labels Event Processes

Asbestos Labels Asbestos labels determine which services a process can invoke and with which other processes it can interact. Labels can also track and limit the flow of information within system- and applicationdefined compartments.

Asbestos Event Processes Asbestos event processes lets server applications isolate many concurrent users. Event processes keep a private state for every user but isolates each state so that exploits affect only one user s data.

Application Goal Asbestos should support efficient, unprivileged, and large-scale server applications whose application defined users are isolated from one another by the operating system, according to application policy.

Large-scale Network requests from a dynamically changing population of thousands or even hundreds of thousands of users Examples: web commerce, bulletin board systems, etc.

Efficient Asbestos server should be able to cache user data with low overhead. This would be simple with a trusted cache but we want to isolate each user s data (thus we use the event process abstraction).

Unprivileged The system administrator has granted the application the minimum privilege required to complete its job

Application-defined users Each application can define its own notion of principal. One application s users can be distinct from another s or they can overlap.

Isolated A process acting for one user cannot gain inappropriate access to other users data. The application defines which of its parts should be isolated, and how via application policies. Should also support flexible sharing among users for data that doesn t need isolation.

Ultimately Asbestos must support mandatory access control that isolates processes by tracking and limiting the flow of information.

Related Work Mandatory access control (MAC) systems provide enforcement of security policies by following links between processes. Operating systems have been using labels to enforce policies for a while.

Related Work Labels assign each subject and object a security level which usually consists of a hierarchical sensitivity classification (like unclassified, secret, top-secret) and a set of categories (nuclear, cypto, etc) To observe an object, a subject s security level must dominate the object s security level. For example, a file with secret, nuclear data should only be readable by processes whose clearance is at least secret and whose category set includes nuclear.

Related Work Asbestos labels differ from previous work since Asbestos lets any process create label categories, or compartments. It also provides a few novel features like temporary voluntary restrictions and split send/receive labels with different defaults.

Labels Each process in Asbestos has two labels Send label P S : tracking current contamination Receive label P R : tracking contamination limits (clearance) A process P may send to process Q if When the message is delivered, Qs send label is contaminated by Ps send label The least upper bound In Send label: lower levels are more permissive In Receive label: lower levels are more restrictive 21

Labels: A function from handles to levels. {a 0, b 1, 2} Handles: 61-bit unique identifiers to name compartments. Privileges are represented by Levels, members of the ordered set {*, 0, 1, 2, 3 } Label Comparison: Labels Least Upper Bound Greatest Lower Bound 22

Levels {*, 0, 1, 2, 3 } Send labels: is the lowest or most privileged level 1 usually corresponds to the absence of taint (default) 2 to a partial taint 3 to full taint, where most communication is prevented (least privileged level) Receive labels 1 prevents communication with any tainted process 2 is the default 3 indicates the right to be tainted arbitrarily 0 is used for integrity and capabilities 23

Labels Example U S UT R U S (u T ) = UT R (u T ), U can send to U T. V S is not UT S V S (v T ) = 3, UT R (v T ) = 2 V cannot send to U T 24

Labels Example To avoid the exploitation of covert channels 25

Special Rules Discretionary Contamination (Effective labels) Declassification/Decontamination (*-level) Integrity (Grant handles) Preventing Contamination (Ports)

Discretionary Contamination In order to maintain the system s information flow properties, the file server must label files. So a process that reads user u s files must become tainted with u T 3. But the file server must be able to taint different users processes in different ways.

Discretionary Contamination In Asbestos, the file server can selectively taint messages with the appropriate handle by providing an optional contamination label C s This label raises the sender s send label to a new effective send level E s = P s C s Thus, the effective label, not the true send label, is used to check information flow and contaminate the receiver s send label.

Discretionary Contamination 1. P S Q R 2. Q S Q S P S 3. E S Q R 4. Q S Q S E S

Discretionary Contamination Since contamination only restricts information flow, it requires no special privilege (i.e., we still maintain the idea of least privilege) Thus, processes can arbitrarily contaminate the messages they send. When processes can control their interactions with the label system (without violating information flow properties) the label system can implement more security policies.

Declassification Privileges level is used for declassification P S (h) = has declassification privilege P cannot be contaminated by other processes If P R receives from Q S (h) = 3 P S (h) remains, the lowest level P can forward data from Q to less tainted processes (declassifying) 31

Declassification Privileges Only a process itself can remove levels from its send label 32

Decontamination Process with privilege can distribute privilege to other processes: Forking Using a mechanism called decontamination. A process with declassification privilege can decontaminate other processes labels by: Lowering their send labels Raising their receive labels Two more optional label arguments to the send system call: decontaminate-send label D S decontaminate-receive label D R. 33

Decontamination Decontaminate-send label : lower the receiver s send label Decontaminate-receive label: raise the receiver s receive label The operations make the system more permissive require special privilege with respect to the handle involved Whenever a decontamination label change the receiver s labels, the sender controls the relevant compartments: P S (h) = whenever D S (h) < 3 or D R (h) > 34

Integrity The file server can accept requests from any user without fear of contamination and can declassify user data when needed. But, any useful file server must also implement an integrity policy to prevent processes from overwriting users data. Two types of integrity: discretionary and mandatory.

Discretionary Integrity In a discretionary policy, only processes that speak for user u can write to u s files, but their writes are free to incorporate data from less trusted sources. Speaking for u is a positive right, not a taint. Thus, a process speaking for u does not imply that it has read any of u s secret data. So, we need a new compartment to represent speaking for a user u.

Discretionary Integrity Thus, we introduce a new handle u G, user u s grant handle. A process can speak for u only if P S (u G ) 0. Hence, the file server must verify P S (u G ) 0 before accepting a write to u s file from P. Asbestos supports such checks with an optional label argument to the send command, the verification label V.

Discretionary Integrity The verification label temporarily lowers (restricts) the receiver s effective receive label. The sender thus proves with V that its labels are below a constraint independent of the receive label. 6. E S Q R D R 8. E S (Q R D R ) V

Discretionary Integrity Since we know that E S = P S C S, we also know that P S V. Thus for the verification to succeed, V needs to be an upper bound on the sender s send label. In the file server example, a process writing to u s file must supply V = {u g 0, 3} to prove it speaks for u. The file server then verifies the process speaks for u by checking V(u g ) 0.

Mandatory Integrity The 0-level allows us to implement mandatory integrity policies. A process P with P s (u G ) = 0 can speak for u, but since 0 is less than the default send level of 1, it cannot further disseminate the privilege. For example, the moment P receives a message from Q that does not speak for u (Q S (u G ) 1), P s will become tainted and P will lose its ability to speak for u). This means that P can t act for Q and pass along low-integrity data into u s files.

Preventing Contamination Problem Application can choose to ignore message after examination Application s labels have already been contaminated with the message s taint. Taint cannot be undone Verification label can flexibly verify integrity, cannot prevent inappropriate contamination 41

Preventing Contamination Solution A way to shift a simple form of message filtering into the kernel In Asbestos, the integration of communication ports with the label system The result prevents undesired contamination 42

Preventing Contamination How do they do that? Port namespace, the same as the handle value space Port names can be used as label compartments Every port p is associated with a port receive label p r. p r is used to lower, or restrict, the process s receive label, for messages delivered to that port. It acts like a verification label imposed by the receiver E S (Q R D R ) V p R (label check equation) Port label restricts how much a receive label can be decontaminated Port labels, like verification labels, are entirely discretionary Each process controls the port labels for all ports for which it has receive rights 43

Event Process Labels alone don t work well for processes with multiple users private data since processes get over-contamined. Declassification privilege for each relevant user would leave them over-trusted and vulnerable. User-level threads are efficient, but don t provide isolation. Forking a separate process per user provides isolation, low performance. An abstraction combining performance benefits with isolation benefits. 44

Event Process Isolates different event process s state Each event process associated with one base process Event process s kernel state consists of: Send label, Receive label, Receive rights for a port and a set of memory pages and book keeping information. 45

Conclusion Asbestos labels make mandatory access control more practical Labels provide decentralized compartment creation & privilege Event processes avoid accumulation of contamination 46

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback