Software security in the Internet of things

Similar documents
Security and the Average Programmer

Themes in OS research. Administrivia Last project due today. Functionality. Performance

1 HiStar OS. 2 Closing remarks. 3 Deian Stefan the industry perspective. - Software deployed on 200,000,000 systems

A Haskell and Information Flow Control Approach to Safe Execution of Untrusted Web Applications

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Flexible Dynamic Information Flow Control in Haskell

Securing Untrustworthy Software Using Information Flow Control

Hails: Protecting Data Privacy in Untrusted Web Applications Submission to special issue on Verified Information Flow Security

Asbestos Operating System

Building Secure Web Applications: Practical Principles. Deian Stefan

8.3 Mandatory Flow Control Models

Information Flow Control For Standard OS Abstractions

The Most Dangerous Code in the Browser. Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

Labels and Information Flow

Protecting Users by Confining JavaScript with COWL

Hails: Protecting Data Privacy in Untrusted Web Applications

Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan. Stanford University, Chalmers University of Technology

C1: Define Security Requirements

Cyber security tips and self-assessment for business

Outline. 1 Mandatory access control. 2 Labels and lattices 3 LOMAC. 4 SELinux 1 / 43

Information Flow Control

CIS 5373 Systems Security

Mandatory access control (MAC) can restrict propagation

- Unix permission bits are an example - E.g., might set file private so that only group friends can read it:

Operating System Security

Making Information Flow Explicit in HiStar

Advanced Systems Security: Principles

1 / Must not leak contents of your files to network - Must not tamper with contents of your files 3 / 42

Advanced Systems Security: Principles

Stanford University, Computer Science Department Phone: (650) Serra Mall, Room 288

Secure Programming Lecture 15: Information Leakage

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Architecture. Steven M. Bellovin October 31,

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Tolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich

ARM Security Solutions and Numonyx Authenticated Flash

SECURITY ARCHITECTURES CARSTEN WEINHOLD

OS Security III: Sandbox and SFI

Access control models and policies. Tuomas Aura T Information security technology

Web Servers and Security

Security Architecture

Secure Architecture Principles

NLUUG, Bunnik CloudABI: safe, testable and maintainable software for UNIX Speaker: Ed Schouten,

Architecture. Steven M. Bellovin October 27,

Web Servers and Security


HikCentral V1.3 for Windows Hardening Guide

Technical Brief Distributed Trusted Computing

Securing Distributed Systems with Information Flow Control

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Computer Security and Privacy

CS 1653: Applied Cryptography and Network Security Fall Term Project, Phase 2

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Meltdown and Spectre - understanding and mitigating the threats

Cloudy with a chance of hack. OWASP November, The OWASP Foundation Lars Ewe CTO / VP of Eng. Cenzic

2/9/2013 LAB OUTLINE INTRODUCTION TO VCS WHY VERSION CONTROL SYSTEM(VCS)? II SENG 371 SOFTWARE EVOLUTION VERSION CONTROL SYSTEMS

Advanced Systems Security: Securing Commercial Systems

Graphene-SGX. A Practical Library OS for Unmodified Applications on SGX. Chia-Che Tsai Donald E. Porter Mona Vij

Hackveda Training - Ethical Hacking, Networking & Security

Logging. Steven M. Bellovin December 6,

Advanced Systems Security: Ordinary Operating Systems

C and C++ Secure Coding 4-day course. Syllabus

Keys and Passwords. Steven M. Bellovin October 17,

Network Control, Con t

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

EasyCrypt passes an independent security audit

19.1. Security must consider external environment of the system, and protect it from:

Sandboxing untrusted code: policies and mechanisms

Secure Architecture Principles

CloudSky: A Controllable Data Self-Destruction System for Untrusted Cloud Storage Networks

Meltdown and Spectre - understanding and mitigating the threats (Part Deux)

Advanced Systems Security: Ordinary Operating Systems

Introduction to Security and User Authentication

Advanced Systems Security: Multics

CSE 565 Computer Security Fall 2018

Backend IV: Authentication, Authorization and Sanitization. Tuesday, January 13, 15

TIBCO Cloud Integration Security Overview

Outline. Security as an economic good. Risk budgeting with ALE. Failure: Risk compensation. Failure: Displacement activity

Making Information Flow Explicit in HiStar By Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières

Introduction. Goal of This Book. Audience for This Book

Information Flow Control and Privacy. Dennis Chen Ming Chow

Think Small to Scale Big

Fall 2005 Joseph/Tygar/Vazirani/Wagner Final

What Makes Up the Modern Linux OS?

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Case Study: Access Control. Steven M. Bellovin October 4,

Chapter 2. Operating-System Structures

Streaming Prevention in Cb Defense. Stop malware and non-malware attacks that bypass machine-learning AV and traditional AV

SilverCreek The World s Best-Selling SNMP Test Suite

Hardware Enforcement of Application Security Policies Using Tagged Memory

Extending the browser to secure applications

High-Assurance Cyber Space Systems (HACSS) for Small Satellite Mission Integrity

HPE Intelligent Management Center

Introduction to Ardora

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Advanced Systems Security: Principles

Robust Defenses for Cross-Site Request Forgery

Transcription:

Software security in the Internet of things Silas Boyd-Wickizer, Pablo Buiras*, Daniel Giffin, Stefan Heule, Eddie Kohler, Amit Levy, David Mazières, John Mitchell, Alejandro Russo*, Amy Shen, Deian Stefan, David Terei, Edward Yang, and Nickolai Zeldovich Stanford and *Chalmers Tuesday, April 15, 2014

Software vulnerabilities are everywhere High-profile software (nginx, Symantec) But also web applications (Paymaxx) - One-off designs receive little outside scrutiny - See a wide range of programmer abilities (unlike core components such as kernels) Now embedded systems (fridge, TV, car) - Internet of things? remote exploitability of things - New mindset for embedded programmers 2 / 30

The only solution The median programmer must build secure systems. Information flow control (IFC) has made progress towards the goal Can IFC help in the Internet of things? 3 / 30

Steps towards the goal Allow experts to incorporate third-party code into secure systems - Achievable if you are willing to use a new operating system (HiStar) - Compatibility issues make it hard to deploy a new OS Allow experts to manage non-experts building secure systems - Possible if you teach people a new language (Haskell) - Ideas are transferable to mainstream languages (JavaScript) Allow anyone to hire non-experts to build secure systems - This is the big open problem - IFC is a plausible approach, and we have some experience pointing to the remaining difficulties 4 / 30

Outline 1 Background: Information flow control 2 HiStar & Hails 3 Experience 4 IFC in the Internet of things 5 / 30

Example: Anti-virus software AV Helper AV Scanner User TTY Update Daemon /tmp User Data Virus DB Network Symantec AV (deployed on 200M machines) had remote exploit Can the OS provide security despite Symantec s programmers? - Prevent leaking contents of private files to network - Prevent tampering with contents of files 6 / 30

Example: Anti-virus software AV Helper AV Scanner User TTY Update Daemon /tmp User Data Virus DB Network Scanner can write your private data to network Prevent scanner from invoking any system call that might send a network message? 6 / 30

Example: Anti-virus software AV Helper AV Scanner User TTY Update Daemon /tmp User Data Virus DB Network Scanner can send private data to update daemon Update daemon sends data over network - Can cleverly disguise secrets in order/timing of update requests Block IPC & shared memory system calls in scanner? 6 / 30

Example: Anti-virus software AV Helper AV Scanner User TTY Update Daemon /tmp User Data Virus DB Network Scanner can write data to world-readable file in /tmp Update daemon later reads and discloses file Prevent update daemon from using /tmp? 6 / 30

Example: Anti-virus software AV Helper AV Scanner User TTY Update Daemon /tmp User Data Virus DB Network Scanner can acquire read locks on virus database - Encode secret user data by locking various ranges of file Update daemon decodes data by detecting locks - Discloses private data over the network Have trusted software copy virus DB for scanner? 6 / 30

The list goes on Scanner can call setproctitle with user data - Update daemon extracts data by running ps Scanner can bind particular TCP or UDP port numbers - Sends no network traffic, but detectable by update daemon Scanner can relay data through another process - Call ptrace to take over process, then write to network - Use sendmail, httpd, or portmap to reveal data Disclose data by modulating free disk space Can we ever convince ourselves we ve covered all possible communication channels? - Not without a more systematic approach to the problem 7 / 30

Background: Information flow control AV Scanner L S L S L U L U L S L S? User Data L U Every piece of data in the system has a label Every process/thread/subject has a label Labels are partially ordered by ("can flow to") Example: Scanner (labeled L S ) accesses user file (labeled L U ) - Check permission by comparing L S and L U - File read? Information flows from file to scanner. Require: L U L S. - File write? Information flows in both directions. Require: L U L S and L S L U. 8 / 30

Background: Information flow control AV Scanner L S L S L U L U L S L S? User Data L U Every piece of data in the system has a label Every process/thread/subject has a label Labels are partially ordered by ("can flow to") Example: Scanner (labeled L S ) accesses user file (labeled L U ) - Check permission by comparing L S and L U - File read? Information flows from file to scanner. Require: L U L S. - File write? Information flows in both directions. Require: L U L S and L S L U. 8 / 30

Background: Information flow control AV Scanner L S L S L U L U L S L S? User Data L U Every piece of data in the system has a label Every process/thread/subject has a label Labels are partially ordered by ("can flow to") Example: Scanner (labeled L S ) accesses user file (labeled L U ) - Check permission by comparing L S and L U - File read? Information flows from file to scanner. Require: L U L S. - File write? Information flows in both directions. Require: L U L S and L S L U. 8 / 30

is transitive L U L bug L bug L net User data L U L U L bug L bug LU L net L bug L net Internet L net Transitivity makes it easier to reason about security Example: Label user data so it cannot flow to Internet (L U L net ) - Policy holds regardless of what other software does... so you don t care what the programmer did 9 / 30

is transitive L U L bug L bug L net User data L U L U L bug L bug LU L net L bug L net Internet L net Transitivity makes it easier to reason about security Example: Label user data so it cannot flow to Internet (L U L net ) - Policy holds regardless of what other software does... so you don t care what the programmer did Suppose untrustworthy software labeled L bug reads user file - Must have L U L bug - But since L U L net, it follows that L bug L net. 9 / 30

is transitive L U L bug L bug L net User data L U L U L bug L bug LU L net L bug L net Internet L net Transitivity makes it easier to reason about security Example: Label user data so it cannot flow to Internet (L U L net ) - Policy holds regardless of what other software does... so you don t care what the programmer did Suppose untrustworthy software labeled L bug reads user file - Must have L U L bug - But since L U L net, it follows that L bug L net. 9 / 30

is transitive L U L bug L bug L net User data L U L U L bug L bug LU L net L bug L net Internet L net Transitivity makes it easier to reason about security Example: Label user data so it cannot flow to Internet (L U L net ) - Policy holds regardless of what other software does... so you don t care what the programmer did Suppose untrustworthy software labeled L bug reads user file - Must have L U L bug - But since L U L net, it follows that L bug L net. 9 / 30

is transitive L U L bug L bug L net User data L U L U L bug L bug LU L net L bug L net Internet L net Transitivity makes it easier to reason about security Example: Label user data so it cannot flow to Internet (L U L net ) - Policy holds regardless of what other software does... so you don t care what the programmer did Conversely, a process that can write to network cannot read the file 9 / 30

Traditionally labels form static lattice top-secret, {Nuclear, Crypto} top-secret, {Nuclear} top-secret, {Crypto} top-secret, secret, {Nuclear} secret, {Crypto} secret, L 1 L 2 means L 1 L 2 unclassified, 10 / 30

Dynamic labels can express per-user policy L AB L A L B L E.g., use L for public data, L A for user A s private data If new user B joins web site, introduce new label L B for his data - A and B cannot read each other s private data Mix A s and B s private data? Need label L AB = L A L B But what if A wants to make her data public? 11 / 30

Dynamic labels can express per-user policy L AB L A L B L E.g., use L for public data, L A for user A s private data If new user B joins web site, introduce new label L B for his data - A and B cannot read each other s private data Mix A s and B s private data? Need label L AB = L A L B But what if A wants to make her data public? 11 / 30

Dynamic labels can express per-user policy L AB L A L B L E.g., use L for public data, L A for user A s private data If new user B joins web site, introduce new label L B for his data - A and B cannot read each other s private data Mix A s and B s private data? Need label L AB = L A L B But what if A wants to make her data public? 11 / 30

Decentralized information flow control [Myers] User data L U L U L bug p Sanitize L bug L bug p L net L bug L net Internet L net L bug Privilege p lets one bypass restrictions of L bug (represented ) Exercising p loosens label requirements to a pre-order, p - Since L bug p L net, Sanitize process can send result to network Idea: Set labels so you understand all use of relevant privileges 12 / 30

Decentralized information flow control [Myers] User data L U L U L bug p Sanitize L bug L bug p L net L bug L net Internet L net L bug Privilege p lets one bypass restrictions of L bug (represented ) Exercising p loosens label requirements to a pre-order, p - Since L bug p L net, Sanitize process can send result to network Idea: Set labels so you understand all use of relevant privileges 12 / 30

Decentralized information flow control [Myers] User data L U L U L bug p Sanitize L bug L bug p L net L bug L net Internet L net L bug Privilege p lets one bypass restrictions of L bug (represented ) Exercising p loosens label requirements to a pre-order, p - Since L bug p L net, Sanitize process can send result to network Idea: Set labels so you understand all use of relevant privileges 12 / 30

Example privileges Consider again the simple two user lattice Let a be user A s privileges User A should be allowed to make her own data public She can because L A a L and L AB a L B 13 / 30

Example privileges Equivalent under Equivalent under Consider again the simple two user lattice Let a be user A s privileges User A should be allowed to make her own data public She can because L A a L and L AB a L B 13 / 30

Outline 1 Background: Information flow control 2 HiStar & Hails 3 Experience 4 IFC in the Internet of things 14 / 30

HiStar OS Clean-slate OS that makes all information flow explicit Key feature: partial declassification privileges - All other security features built on partial declassification Example: user IDs - Each uid implemented as two privileges, one for reading and one for writing user s files - User s login shell receives privileges after authentication Example: web security - Each web user is associated with unique privileges - Ensures Paymaxx-style dump-the-database attacks not possible 15 / 30

HiStar architecture AV helper Scanner Update AV helper Scanner Update Security checks POSIX Hardware Linux POSIX POSIX POSIX Security checks Hardware HiStar Kernel provides six simple object types - Simple enough that information flow is unambiguous Layer POSIX API as untrusted library on top of kernel 16 / 30

Web server 17 / 30

What we learned from HiStar Nickolai Zeldovich can secure 1,000,000+ lines of third-party code - But he is not the median programmer to say the least System-wide egalitarian access control is practical Dynamic IFC enforcement can avoid implicit flows - Dynamic IFC was previously through to be inherently insecure 18 / 30

Applying Haskell to HiStar Haskell is a pure functional langauge - Functions without side effects do not leak data Impure computations have type IO a for some return type a - Haskell s Monad support lets one to introduce other types like IO Idea: introduce a new labeled IO type, LIO, as substitute for IO - Internally, LIO makes use of IO actions, but only after enforcing IFC - Type safety and abstraction prevent LIO code from executing raw IO Safe Haskell compiler feature enforces type safety & abstraction - Privileged symbols (ending... TCB) are inaccessible from safe code 19 / 30

Hails: An LIO web framework Introduces Model-Policy-View-Controller paradigm A Hails server comprises two types of software package - VCs contain View and Controller logic - MPs contain Model and Policy logic Policies enforced using LIO - Also isolate spawned programs with Linux namespaces 20 / 30

GitStar Public GitHub-like service supporting private projects 21 / 30

Simplified GitStar architecture Splint Code Viewer Browser View View Controller Server Server GitStar Follower Git-Blog View Controller View Controller Server Bookmark View Controller View Controller View Model DBI View Model DBI Controller Policy Controller Policy Two MPs: GitStar hosts git repos, Follower stores a relationship between users Three different VC apps make use of these MPs - VCs can be written after the fact w/o permission of MP author - LIO ensures they cannot misuse data 22 / 30

Outline 1 Background: Information flow control 2 HiStar & Hails 3 Experience 4 IFC in the Internet of things 23 / 30

Three usability data points 1. One high-school student hired at Stanford 2. Four (screened) Brandeis students in Lincoln labs evaluation study 3. Four Stanford students (hired blind, no experience necessary) [Disclaimer: all programmers compensated in dollars.] 24 / 30

A few highly subjective conclusions + APIs and languages can change programmer behavior - Much more effective than trying to teach security + Teaching people Haskell much easier than deploying a new OS - People s willingness to learn new languages may be increasing + People generally had an easy time writing VCs - Which is good because VCs are larger and more numerous than MPs - Students struggled with policy - The policy DSL was introduced later, and helped some - It doesn t work to prototype an app, then add policy We ve come a long way since HiStar s labels, which could mystify even senior systems researchers - E.g., Stanford team built task management system with rich policies - #1 challenge is enabling more people to understand, express policy 25 / 30

Outline 1 Background: Information flow control 2 HiStar & Hails 3 Experience 4 IFC in the Internet of things 26 / 30

Putting computation on the computer There are some good reasons to compute in the cloud - Derive value for users by computing over multiple users data Then there are some very non-fundamental ones - NAT makes it a pain to connect to home devices [IPv6] - Users don t trust themselves to manage storage [Ori] - Can t tap unused cycles on users desktop machines/routers IFC works well for hosting untrusted code (e.g., Hails) Define API for devices to offload computation to desktop or router - Enforce privacy locally rather than depending on cloud 27 / 30

Graphical policy tools AV Helper AV Scanner User TTY Update Daemon /tmp User Data Virus DB Network Information flow pictures concisely express security properties Can we generate pictures and policy from same source? Can visualizing information flow help users devise policy? - Hard for OS people to answer alone... good area for collaboration 28 / 30

Leveraging small amounts of verification User data L U L U L bug p Sanitize L bug L bug p L net L bug L net Internet L net L bug IFC directly captures many high-level security goals Security can depends on much smaller pieces of code IFC may be much easier to verify than full functional correctness - Particularly with some help from the programming language 29 / 30

Questions Secure Computer Systems http://www.scs.stanford.edu/ 30 / 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback