Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Similar documents
Securing Untrustworthy Software Using Information Flow Control

Labels and Information Flow

Making Information Flow Explicit in HiStar

Security and the Average Programmer

Themes in OS research. Administrivia Last project due today. Functionality. Performance

Software security in the Internet of things

Secure Architecture Principles

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

Sandboxing. (1) Motivation. (2) Sandboxing Approaches. (3) Chroot

Information Flow Control For Standard OS Abstractions

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

1 HiStar OS. 2 Closing remarks. 3 Deian Stefan the industry perspective. - Software deployed on 200,000,000 systems

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Confinement (Running Untrusted Programs)

CIS 5373 Systems Security

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

Introduction to Computer Security

ECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Virtual File System. Don Porter CSE 506

Making Information Flow Explicit in HiStar By Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières

Data Security and Privacy. Unix Discretionary Access Control

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

[This link is no longer available because the program has changed.] II. Security Overview

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

Qualifying exam: operating systems, 1/6/2014

Advanced Systems Security: Multics

Administrative Details. CS 140 Final Review Session. Pre-Midterm. Plan For Today. Disks + I/O. Pre-Midterm, cont.

RCU. ò Dozens of supported file systems. ò Independent layer from backing storage. ò And, of course, networked file system support

CSE 565 Computer Security Fall 2018

Virtual File System. Don Porter CSE 306

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Advanced Systems Security: Ordinary Operating Systems

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

CS 416: Operating Systems Design April 22, 2015

Secure Architecture Principles

Architecture. Steven M. Bellovin October 31,

OS Security III: Sandbox and SFI

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall 2008.

Security Architecture

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Unix Processes. What is a Process?

Operating system security models

Discretionary Access Control

COS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Web Servers and Security

Asbestos Operating System

Storage and File System

A Survey of Access Control Policies. Amanda Crowell

Protection and Security

Web Servers and Security

Privilege Separation

Architecture. Steven M. Bellovin October 27,

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

cs642 /operating system security computer security adam everspaugh

Operating System Architecture. CS3026 Operating Systems Lecture 03

Unix Basics. UNIX Introduction. Lecture 14

Outline. Last time. (System) virtual machines. Virtual machine technologies. Virtual machine designs. Techniques for privilege separation

ELEC 377 Operating Systems. Week 12 Class 2

CS2028 -UNIX INTERNALS

P1L5 Access Control. Controlling Accesses to Resources

Process Time. Steven M. Bellovin January 25,

Least-Privilege Isolation: The OKWS Web Server

ENGR 3950U / CSCI 3020U Midterm Exam SOLUTIONS, Fall 2012 SOLUTIONS

CIS 5373 Systems Security

Securing Distributed Systems with Information Flow Control

Secure Architecture Principles

Processes and Threads

Security Philosophy. Humans have difficulty understanding risk

CS 326: Operating Systems. Process Execution. Lecture 5

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

The Classical OS Model in Unix

Information Security CS 526

What is an Operating System? A Whirlwind Tour of Operating Systems. How did OS evolve? How did OS evolve?

Secure Architecture Principles

Introduction to Information Security

Secure Software Programming and Vulnerability Analysis

SysSec. Aurélien Francillon

CS61 Scribe Notes Lecture 18 11/6/14 Fork, Advanced Virtual Memory

UNIT I Linux Utilities

Introduction to File Systems

Information Security Theory vs. Reality

Exploiting Unix File-System Races via Algorithmic Complexity Attacks

File Systems. What do we need to know?

Exam Guide COMPSCI 386

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II

Secure Architecture Principles

Introduction to Security and User Authentication

Advanced Systems Security: Securing Commercial Systems

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Advanced Systems Security: Virtual Machine Systems

Wedge: Splitting Applications into Reduced-Privilege Compartments

Fault Isolation for Device Drivers

Information Security CS 526

CptS 360 (System Programming) Unit 6: Files and Directories

Information Flow Control for Standard OS Abstractions

Hardware Enforcement of Application Security Policies Using Tagged Memory

Transcription:

Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Too much trusted software Untrustworthy code a huge problem Users willingly run malicious software Malware, spyware,... Even legitimate software is often vulnerable Symantec remote vulnerability No sign that this problem is going away Can an OS make untrustworthy code secure?

Example: Virus Scanner Goal: private files cannot go onto the network Virus Scanner Update Process Symantec Private User Files /tmp Virus Database Network

Information Flow Control Goal: private files cannot go onto the network Virus Scanner Update Process Private User Files /tmp Virus Database Network

Buggy scanner leaks private data Virus Scanner Update Process Private User Files /tmp Virus Database Network Must restrict sockets to protect private data

Buggy scanner leaks private data Virus Scanner Update Process Private User Files /tmp Virus Database Must restrict scanner's ability to use IPC Network

Buggy scanner leaks private data Virus Scanner Update Process Private User Files /tmp Virus Database Must run scanner in chroot jail Network

Buggy scanner leaks private data Virus Scanner ptrace User Shell Update Process Private User Files /tmp Virus Database Must run scanner with different UID Network

Buggy scanner leaks private data setproctitle: 0x6e371bc2 ps Update Process Private User Files /tmp Virus Database Must restrict access to /proc,... Network

Buggy scanner leaks private data Virus Scanner disk usage Update Process Private User Files /tmp Virus Database Network Must restrict FS'es that virus scanner can write

Buggy scanner leaks private data Virus Scanner Update Process fcntl locking Private User Files /tmp Virus Database List goes on is there any hope? Network

What's going on? P1 P2 P3 Kernel not designed to enforce these policies Unix Kernel Hardware Retrofitting difficult Need to track potentially any memory observed or modified by a system call! Hard to even enumerate Unix

What's going on? P1 P2 P3 Kernel not designed to enforce these policies Unix Kernel Hardware Retrofitting difficult Need to track potentially any memory observed or modified by a system call! Hard to even enumerate Unix

HiStar Solution Make all state explicit, track all communication P1 P2 P3 P1 P2 P3 Unix Kernel Hardware U1 U2 U3 HiStar Kernel Hardware Unix Library Unix HiStar

HiStar: Contributions Narrow kernel interface, few comm. channels Minimal mechanism: enough for a Unix library Strong control over information flow Unix support implemented as user-level library Unix communication channels are made explicit, in terms of HiStar's mechanisms Provides control over the gamut of Unix channels

HiStar kernel objects Container (Directory) Device (Network) Segment (Data) Address Space Thread Gate (IPC)

HiStar kernel objects Think of labels as a tainted bit Label Container (Directory) Label Device (Network) Segment (Data) Address Space Thread Gate (IPC) Label Label Label Label

HiStar: Unix process Process Container Thread Address Space Code Segment Data Segment

Unix File Descriptors Process A Process B File Descriptor (O_RDONLY) Kernel State

Unix File Descriptors Tainted process only talks to other tainted procs Process A X Process B File Descriptor (O_RDONLY) Kernel State

Unix File Descriptors Process A X Process B File Descriptor (O_RDONLY) Seek pointer: 0xa32f Kernel State Lots of shared state in kernel, easy to miss

HiStar File Descriptors Thread A Thread B Address Space A Address Space B File Descriptor Segment (O_RDONLY) Seek pointer: 0xa32f

HiStar File Descriptors Thread A Thread B Address Space A Address Space B X File Descriptor Segment (O_RDONLY) Seek pointer: 0xa32f All shared state is now explicitly labeled Just need segment read/write checks

Taint Tracking Strawman write(file) Tainted Thread A File Thread B

Taint Tracking Strawman Propagate taint when writing to file write(file) Tainted Thread A File Thread B

Taint Tracking Strawman Propagate taint when writing to file What happens when reading? read(file) Tainted Thread A File Thread B

Taint Tracking Strawman read(file) Tainted Thread A File ACCESS X DENIED Thread B

Strawman has Covert Channel X Tainted Thread A File 0 File 1 Thread B Network Secret = 1

Strawman has Covert Channel write(file 1) Tainted Thread A File 0 File 1 Thread B Network Secret = 1

Strawman has Covert Channel Tainted Thread A File 0 File 1 read(file 0) read(file 1) Thread B Network Secret = 1

Strawman has Covert Channel Tainted Thread A File 0 File 1 Thread B send email: secret=1 Network Secret = 1

Strawman has Covert Channel What if we taint B when it reads File 1? Tainted Thread A File 0 File 1 read(file 0) read(file 1) Thread B X Network Secret = 1

Strawman has Covert Channel What if we taint B when it reads File 1? read(file 0) Tainted Thread A File 0 Thread 0 File 1 Thread 1 Network Secret = 1 read(file 1)

Strawman has Covert Channel What if we taint B when it reads File 1? send email: secret=1 Tainted Thread A File 0 Thread 0 File 1 Thread 1 X Network Secret = 1 send email: secret=0

HiStar: Immutable File Labels Label (taint level) is state that must be tracked Immutable labels solve this problem! Tainted Thread A write(...) X Untainted File Tainted File X read(...) Thread B

Who creates tainted files? Tainted thread can't modify untainted directory to place the new file there... Create Tainted File X Directory Tainted Thread A Untainted File Tainted File Thread B

HiStar: Untainted thread pre-creates tainted file Existence and label of tainted file Thread C provide no information about A Create Tainted File Directory Tainted Thread A Untainted File Tainted File Thread B

Reading a tainted file Thread C Existence and label of tainted file provide no information about A Directory Tainted Thread A X Untainted File Tainted File X Thread B

Reading a tainted file Thread C Existence and label of tainted file provide no information about A Directory readdir(): T. File's label Tainted Thread A X Untainted File Tainted File X Thread B

Reading a tainted file Thread C Existence and label of tainted file provide no information about A Neither does B's decision to taint Directory Taint self Tainted Thread A X Untainted File Tainted File Thread B

HiStar avoids file covert channels Immutable labels prevent covert channels that communicate through label state Untainted threads pre-allocate tainted files File existence or label provides no secret information Threads taint themselves to read tainted files Tainted file's label accessible via parent directory

Problems with IPC IPC with tainted client Client Thread Taint server thread during request SELECT... Create IPC Port DB Server Time Server Threads

Problems with IPC IPC with tainted client Taint server thread during request Client Thread Create IPC Port DB Server SELECT... IPC Return Time Server Threads

Problems with IPC IPC with tainted client Taint server thread during request Client Thread Create IPC Port DB Server IPC Return Results Time Server Threads

Problems with IPC IPC with tainted client Taint server thread during request Secrecy preserved? Client Thread Create IPC Port DB Server Time Results IPC Return Server Threads

Problems with IPC IPC with tainted client Taint server thread during request Secrecy preserved? Client Thread Create IPC Port DB Server Lots of client calls Limit server threads? Leaks information... Otherwise, no control over resources! Time Results IPC Return Server Threads

Gates make resources explicit Client donates initial resources (thread) Client Thread Create DB Server SELECT... Gate Time Server Threads

Gates make resources explicit Client donates initial resources (thread) Client Thread Create DB Server Client thread runs in server address space, executing server code SELECT... Server Code Gate Return Gate Time Server Threads

Gates make resources explicit Client donates initial resources (thread) Client Thread Create DB Server Client thread runs in server address space, executing server code Server Code Results Gate Return Gate Time Server Threads

Gates make resources explicit Client donates initial resources (thread) Client Thread Create DB Server Client thread runs in server address space, executing server code No implicit resource allocation no leaks Time Server Code Results Gate Return Gate Server Threads

How do we get anything out? X Network Alice's Files Virus Scanner

Owner privilege Yellow objects can only interact with other yellow objects, or objects with yellow star Small, trusted shell can isolate a large, frequently-changing virus scanner X Network Alice's Files Virus Scanner Alice's shell

Multiple categories of taint Bob's Files Virus Scanner Bob's shell X Network Alice's Files Virus Scanner Alice's shell Owner privilege and information flow control are the only access control mechanism Anyone can allocate a new category, gets star

What about root? Huge security hole for information flow control Observe/modify anything violate any security policy Make it explicit Can be controlled as necessary

HiStar root privileges are explicit Kernel gives no special treatment to root Alice's shell root's shell Bob's shell Alice's Files Bob's Files

HiStar root privileges are explicit Users can keep secret data inaccessible to root Alice's shell root's shell Bob's shell Alice's Files X Bob's Files Bob's Secret Files

What about inaccessible files? Noone has privilege to access Bob's Secret Files Alice's shell root's shell Bob's shell Alice's Files X Bob's Files X Bob's Secret Files

HiStar resource allocation Bob's Container Bob's Files Bob's shell

HiStar resource allocation Create a new sub-container for secret files Bob's Files Bob's Container Bob's shell Bob's Secret Container Bob's Secret Files

HiStar resource allocation Create a new sub-container for secret files Bob's Container Bob's Secret Container Bob's Files Bob's shell X Bob's Secret Files

HiStar resource allocation Create a new sub-container for secret files Bob can delete sub-container even if he cannot otherwise access it! Bob's Files Bob's Container Bob's shell Unlink X Bob's Secret Container Bob's Secret Files

HiStar resource allocation Create a new sub-container for secret files Bob can delete sub-container even if he cannot otherwise access it! Bob's Container Bob's Secret Container Bob's Files Bob's shell X Bob's Secret Files

HiStar resource allocation Create a new sub-container for secret files Bob can delete sub-container even if he cannot otherwise access it! Bob's Container Bob's Files Bob's shell

HiStar resource allocation Root has control over all resources, via the root container Root Container Bob's Container root's shell Bob's Files Bob's shell

Persistent Storage Unix: file system implemented in the kernel Many potential pitfalls leading to covert channels: mtime, atime, link counts,... Would be great to implement it in user-space as well HiStar: Single-level store (ala Multics / EROS) All kernel objects stored on disk memory is a cache No difference between disk & memory objects

File System Implemented at user-level, using same objects Security checks separate from FS implementation Container /tmp Filename Segment one two Segment /tmp/one Container /tmp/two...

HiStar kernel design Kernel operations make information flow explicit Explicit operation for thread to taint itself Kernel never implicitly changes labels Explicit resource allocation: gates, pre-created files Kernel never implicitly allocates resources Kernel has no concept of superuser Users can explicitly grant their privileges to root Root owns the top-level container

Applications Many Unix applications gcc, gdb, openssh,... High-security applications alongside with Unix Untrusted virus scanners (already described) VPN/Internet data separation (see paper) login with user-supplied authentication code (next)

Login on Unix Login must run as root Only root can setuid() to grant user privileges Why is this bad? Login is complicated (Kerberos, PAM,...) Bugs lead to complete system compromise

Login on HiStar User: Bob Pass: 1bob Login Process Alice's Auth. Service Bob's Auth. Service PW: H(alic3) PW: H(1bob) Each user can provide their own auth. service

Login on HiStar Pass: 1bob Alice's Auth. Service PW: H(alic3) Login Process Bob's Auth. Service PW: H(1bob) Each user can provide their own auth. service

Login on HiStar Pass: 1bob Alice's Auth. Service PW: H(alic3) Login Process Bob's Auth. Service PW: H(1bob) OK

Password disclosure Pass: 1bob Alice's Auth. Service PW: H(alic3) Login Process Bob's Auth. Service PW: H(1bob) What if Bob mistypes his username as alice?

Password disclosure Pass: 1bob Alice's Auth. Service PW: H(alic3) Login Process Network Bob's Auth. Service PW: H(1bob) What if Bob mistypes his username as alice?

Avoiding password disclosure It's all about information flow HiStar enforces: Password cannot go out onto the network Details in the paper

Reducing trusted code HiStar allows developers to reduce trusted code No code with every user's privilege during login No trusted code needed to initiate authentication 110-line trusted wrapper for complex virus scanner Small kernel: 16,000 lines of code

HiStar Conclusion HiStar reduces amount of trusted code Enforce security properties on untrusted code using strict information flow control Kernel interface eliminates covert channels Make everything explicit: labels, resources Unix library makes Unix information flow explicit Superuser by convention, not by design

What about Asbestos? Different goal: Unix vs. specialized web server HiStar closes covert channels inherent in the Asbestos design (mutable labels, IPC,...) Lower-level kernel interface Process vs Container+Thread+AS+Segments+Gates 2 times less kernel code than Asbestos Generality shown by the user-space Unix library System-wide support for persistent storage Asbestos uses trusted user-space file server Resources are manageable In Asbestos, reboot to kill runaway process

How is this different from EROS? To isolate in EROS, must strictly partition the capabilities between isolated applications Labels enforce policy without affecting structure Can impose policies on existing code (see paper)

7.5 7 6.5 6 5.5 5 4.5 4 3.5 3 2.5 2 1.5 1 0.5 0 Benchmarks, relative to Linux Comparable performance to Linux and OpenBSD Application-level benchmarks and disk benchmarks gcc wget Clam AV pipe disk read disk write create 10k files fork exec Linux HiStar OpenBSD

7.5 7 6.5 6 5.5 5 4.5 4 3.5 3 2.5 2 1.5 1 0.5 0 Benchmarks, relative to Linux gcc wget Clam AV 217x faster! Synchronous creation of 10,000 files HiStar allows use of group sync. Application either runs to completion, or appears to never start (single-level store) pipe disk read disk write create 10k files fork exec Linux HiStar OpenBSD

7.5 7 6.5 6 5.5 5 4.5 4 3.5 3 2.5 2 1.5 1 0.5 0 Benchmarks, relative to Linux gcc wget Clam AV 7.5x slower Linux: 9 syscalls per iteration HiStar: 317 syscalls per iteration pipe disk read disk write create 10k files fork exec Linux HiStar OpenBSD

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback