explicit information flow in the histar os
play

Explicit Information Flow in the HiStar OS Nickolai Zeldovich, - PowerPoint PPT Presentation

Feb 14, 2024 •149 likes •986 views

Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazires Too much trusted software Untrustworthy code a huge problem Users willingly run malicious software Malware, spyware,

  1. Explicit Information Flow in the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

  2. Too much trusted software ● Untrustworthy code a huge problem ● Users willingly run malicious software – Malware, spyware, ... ● Even legitimate software is often vulnerable – Symantec remote vulnerability ● No sign that this problem is going away ● Can an OS make untrustworthy code secure?

  3. Example: Virus Scanner ● Goal: private files cannot go onto the network Virus Update Scanner Process Symantec™ Private /tmp Virus Network User Files Database

  4. Information Flow Control ● Goal: private files cannot go onto the network Virus Update Scanner Process Private /tmp Virus Network User Files Database

  5. Buggy scanner leaks private data Virus Update Scanner Process Private /tmp Virus Network User Files Database ● Must restrict sockets to protect private data

  6. Buggy scanner leaks private data Virus Update Scanner Process Private /tmp Virus Network User Files Database ● Must restrict scanner's ability to use IPC

  7. Buggy scanner leaks private data Virus Update Scanner Process Private /tmp Virus Network User Files Database ● Must run scanner in chroot jail

  8. Buggy scanner leaks private data ptrace Virus Update Scanner Process User Shell Private /tmp Virus Network User Files Database ● Must run scanner with different UID

  9. Buggy scanner leaks private data ps setproctitle: Update 0x6e371bc2 Process Private /tmp Virus Network User Files Database ● Must restrict access to /proc, ...

  10. Buggy scanner leaks private data disk usage Virus Update Scanner Process Private Private /tmp Virus Network User Files User Files Database ● Must restrict FS'es that virus scanner can write

  11. Buggy scanner leaks private data Virus Update Scanner Process fcntl locking Private /tmp Virus Network User Files Database ● List goes on – is there any hope?

  12. What's going on? ● Kernel not designed to enforce these policies P1 P2 P3 ● Retrofitting difficult Unix – Need to track potentially Kernel any memory observed or modified by a system call! – Hard to even enumerate Hardware Unix

  13. What's going on? ● Kernel not designed to enforce these policies P1 P2 P3 ● Retrofitting difficult Unix – Need to track potentially Kernel any memory observed or modified by a system call! – Hard to even enumerate Hardware Unix

  14. HiStar Solution ● Make all state explicit, track all communication P1 P2 P3 P1 P2 P3 Unix U1 U2 U3 Library Unix Kernel HiStar Kernel Hardware Hardware HiStar Unix

  15. HiStar: Contributions ● Narrow kernel interface, few comm. channels – Minimal mechanism: enough for a Unix library – Strong control over information flow ● Unix support implemented as user-level library – Unix communication channels are made explicit, in terms of HiStar's mechanisms – Provides control over the gamut of Unix channels

  16. HiStar kernel objects Container Device (Directory) (Network) Address Segment Gate Thread Space (Data) (IPC)

  17. HiStar kernel objects Label Think of labels as Label a “tainted” bit Container Device (Directory) (Network) Address Segment Gate Thread Space (Data) (IPC) Label Label Label Label

  18. HiStar: Unix process Process Container Address Code Data Thread Space Segment Segment

  19. Unix File Descriptors Process A Process B File Descriptor Kernel (O_RDONLY) State

  20. Unix File Descriptors ● Tainted process only talks to other tainted procs X Process A Process B File Descriptor Kernel (O_RDONLY) State

  21. Unix File Descriptors X Process A Process B File Descriptor Kernel (O_RDONLY) State Seek pointer: 0xa32f ● Lots of shared state in kernel, easy to miss

  22. HiStar File Descriptors Thread A Thread B Address Space A Address Space B File Descriptor Segment (O_RDONLY) Seek pointer: 0xa32f

  23. HiStar File Descriptors Thread A Thread B Address Space A Address Space B X File Descriptor Segment (O_RDONLY) Seek pointer: 0xa32f ● All shared state is now explicitly labeled ● Just need segment read/write checks

  24. Taint Tracking Strawman write(File) Tainted File Thread B Thread A

  25. Taint Tracking Strawman ● Propagate taint when writing to file write(File) Tainted File Thread B Thread A

  26. Taint Tracking Strawman ● Propagate taint when writing to file ● What happens when reading? read(File) Tainted File Thread B Thread A

  27. Taint Tracking Strawman read(File) ACCESS Tainted File Thread B X Thread A DENIED

  28. Strawman has Covert Channel X File 0 Tainted Thread B Network Thread A File 1 Secret = 1

  29. Strawman has Covert Channel write(File 1) File 0 Tainted Thread B Network Thread A File 1 Secret = 1

  30. Strawman has Covert Channel read(File 0) read(File 1) File 0 Tainted Thread B Network Thread A File 1 Secret = 1

  31. Strawman has Covert Channel send email: “secret=1” File 0 Tainted Thread B Network Thread A File 1 Secret = 1

  32. Strawman has Covert Channel ● What if we taint B when it reads File 1? read(File 0) read(File 1) File 0 Tainted X Thread B Network Thread A File 1 Secret = 1

  33. Strawman has Covert Channel ● What if we taint B read(File 0) when it reads File 1? File 0 Thread 0 Tainted Network Thread A File 1 Thread 1 read(File 1) Secret = 1

  34. Strawman has Covert Channel ● What if we taint B send email: when it reads File 1? “secret=1” File 0 Thread 0 Tainted Network Thread A X File 1 Thread 1 send email: Secret = 1 “secret=0”

  35. HiStar: Immutable File Labels ● Label (taint level) is state that must be tracked ● Immutable labels solve this problem! write(...) read(...) Untainted File X Tainted Thread B Thread A X Tainted File

  36. Who creates tainted files? ● Tainted thread can't modify untainted directory to place the new file there... Create Directory X Tainted File Untainted File Tainted Thread B Thread A Tainted File

  37. HiStar: Untainted thread pre-creates tainted file ● Existence and label of tainted file provide no information about A Thread C Create Directory Tainted File Untainted File Tainted Thread B Thread A Tainted File

  38. Reading a tainted file ● Existence and label of tainted file provide no information about A Thread C Directory Untainted X File Tainted Thread B Thread A X Tainted File

  39. Reading a tainted file ● Existence and label of tainted file provide no information about A Thread C readdir(): Directory T. File's label Untainted X File Tainted Thread B Thread A X Tainted File

  40. Reading a tainted file ● Existence and label of tainted file provide no information about A Thread C ● Neither does B's decision to taint Directory Taint self Untainted X File Tainted Thread B Thread A Tainted File

  41. HiStar avoids file covert channels ● Immutable labels prevent covert channels that communicate through label state ● Untainted threads pre-allocate tainted files – File existence or label provides no secret information ● Threads taint themselves to read tainted files – Tainted file's label accessible via parent directory

  42. Problems with IPC Create DB ● IPC with tainted client Client Server Thread – Taint server thread during request IPC SELECT ... Port Server Threads Time

  43. Problems with IPC Create DB ● IPC with tainted client Client Server Thread – Taint server thread during request IPC SELECT ... Port IPC Return Server Threads Time

  44. Problems with IPC Create DB ● IPC with tainted client Client Server Thread – Taint server thread during request IPC Port Results IPC Return Server Threads Time

  45. Problems with IPC Create DB ● IPC with tainted client Client Server Thread – Taint server thread during request IPC – Secrecy preserved? Port IPC Return Results Server Threads Time

  46. Problems with IPC Create DB ● IPC with tainted client Client Server Thread – Taint server thread during request IPC – Secrecy preserved? Port ● Lots of client calls – Limit server threads? Leaks information... IPC Return – Otherwise, no control Results over resources! Server Threads Time

  47. Gates make resources explicit Create DB ● Client donates initial Client Server resources (thread) Thread SELECT ... Gate Server Threads Time

  48. Gates make resources explicit Create DB ● Client donates initial Client Server resources (thread) Thread Gate ● Client thread runs in SELECT ... Server server address space, Code executing server code Return Gate Server Threads Time

  49. Gates make resources explicit Create DB ● Client donates initial Client Server resources (thread) Thread Gate ● Client thread runs in Server server address space, Code executing server code Results Return Gate Server Threads Time

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp,

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp,

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp, Saswat Anand, Alex Aiken Stanford University I Why mine specifications? Whole-program static analysis Application Whole-program static

992 views • 84 slides
IR Simone Campanoni simonec@eecs.northwestern.edu Outline IR Explicit control flows

IR Simone Campanoni simonec@eecs.northwestern.edu Outline IR Explicit control flows

IR Simone Campanoni simonec@eecs.northwestern.edu Outline IR Explicit control flows Explicit data types A compiler High level programming language Front-end IR Middle-end IR Today: translating explicit control flow and data

696 views • 46 slides
May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples of information flow controls Android phone Firewalls Confinement Virtual machines May 15, 2017 ECS 235B Spring Quarter 2017 Slide

487 views • 32 slides
Information Flow Tracking Andrei Sabelfeld Chalmers https://www.cse.chalmers.se/~andrei EWSCS

Information Flow Tracking Andrei Sabelfeld Chalmers https://www.cse.chalmers.se/~andrei EWSCS

Information Flow Tracking Andrei Sabelfeld Chalmers https://www.cse.chalmers.se/~andrei EWSCS 2019 Language c ::= skip | x:=exp | c;c | if exp then c else c | while exp do c 2 Explicit flows high (secret) l:=h insecure low (public)

555 views • 27 slides
Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation) Boris Feigin Computer Laboratory, University of Cambridge PLID 2008 joint work with Alan Mycroft 1 / 22 Motivation Given suitable tools we

605 views • 33 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

428 views • 8 slides
On some Computational Method for the Explicit Forms of the Decompositions of Master Equations

On some Computational Method for the Explicit Forms of the Decompositions of Master Equations

Introduction Associative Algebra Explicit Decomposition References On some Computational Method for the Explicit Forms of the Decompositions of Master Equations Takeo Kamizawa Department of Information Sciences, Tokyo University of Science,

580 views • 42 slides
IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX) elisa.boschi@hitachi-eu.com {boschi, zseby, mark, hirsch}@fokus.fraunhofer.de Outline Outline IPFIX Terminology Applicability Initial Goals

212 views • 19 slides
Towards a Flow- and Path-Sensitive Information Flow Analysis Peixuan Li, Danfeng Zhang

Towards a Flow- and Path-Sensitive Information Flow Analysis Peixuan Li, Danfeng Zhang

Towards a Flow- and Path-Sensitive Information Flow Analysis Peixuan Li, Danfeng Zhang Pennsylvania State University University Park, PA, USA {pzl129,zhang}@cse.psu.edu Background: Information Flow Analysis o Security enforcement to prevent

379 views • 24 slides
Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

M AXIMUM F LOW How to do it... Why you want it... Where you find it... The Tao of Flow: Let your body go with the flow. -Madonna, Vogue Maximum flow...because youre worth it. -Loreal Go with the flow, Joe.

619 views • 20 slides
Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy

Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy

Secure Information Flow ! Protecting the confidentiality of secret information Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy Blood type: AB Birth date: 9/5/46 HIV: positive ! Access control and

399 views • 10 slides
Lecture 19: Flow and Confinement Examples of information flow applications The confinement

Lecture 19: Flow and Confinement Examples of information flow applications The confinement

Lecture 19: Flow and Confinement Examples of information flow applications The confinement problem Covert channels Isolation: virtual machines, sandboxes March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-1 Matt Bishop, UC

322 views • 30 slides
Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Information Flow 3 Many security requirements can be formulated as what information flow is allowed/disallowed E.g., confidential data should not

478 views • 27 slides
IMplicit-EXplicit schemes for BGK kinetic equations Sandra Pieraccini, Gabriella Puppo

IMplicit-EXplicit schemes for BGK kinetic equations Sandra Pieraccini, Gabriella Puppo

IMplicit-EXplicit schemes for BGK kinetic equations Sandra Pieraccini, Gabriella Puppo Politecnico di Torino Dipartimento di Matematica HYP06, Lyon, July 17-21 p.1/22 Boltzmann equation Rarefied gas flow obeys Boltzmann equation which

745 views • 45 slides
Lecture 17: Information Flow Basics and background Entropy Nonlattice flow policies

Lecture 17: Information Flow Basics and background Entropy Nonlattice flow policies

Lecture 17: Information Flow Basics and background Entropy Nonlattice flow policies Compiler-based mechanisms Execution-based mechanisms Examples Security Pipeline Interface Secure Network Server Mail Guard February

625 views • 44 slides
with Deferrable constraints in Haskell through the tale of a Haskell information flow control

with Deferrable constraints in Haskell through the tale of a Haskell information flow control

Gradually typed DSLs with Deferrable constraints in Haskell through the tale of a Haskell information flow control library Pablo Buiras, Alejandro Russo, Dimitrios Vytiniotis Information flow control 101 Non- interference:

465 views • 31 slides
Malware Analysis Arun Lakhotia University of Louisiana at Lafayette, USA Presented at ISSISP

Malware Analysis Arun Lakhotia University of Louisiana at Lafayette, USA Presented at ISSISP

Malware Analysis Arun Lakhotia University of Louisiana at Lafayette, USA Presented at ISSISP 2017, CNRS Gif Sur Yvette 7/18/2017 ISSISP 2017- (C) Lakhotia 1 Introduction Professor of Computer Science Founder, CEO 7/18/2017 ISSISP 2017-

805 views • 46 slides
Boards Association August 14, 2015 Data Use for Accountability and Student Achievement From

Boards Association August 14, 2015 Data Use for Accountability and Student Achievement From

New York State School Boards Association August 14, 2015 Data Use for Accountability and Student Achievement From School Performance to Teacher Growth Scores Fred Cohen, Nassau BOCES Data Warehouse Specialist fcohen@mail.nasboces.org

848 views • 70 slides
Data Centric Security and Data Protection Manuela Cianfrone Bologna 29/10/2016 Speaker Manuela

Data Centric Security and Data Protection Manuela Cianfrone Bologna 29/10/2016 Speaker Manuela

Data Centric Security and Data Protection Manuela Cianfrone Bologna 29/10/2016 Speaker Manuela Cianfrone EMEA Solution Architect @ Protegrity USA Implement Data Centric Security Design Data Security Solutions Agenda Using Walls to

877 views • 34 slides
https://www.eur.nl/en/campus/university-library/erasmus-data-service-centre Outline Introduction

https://www.eur.nl/en/campus/university-library/erasmus-data-service-centre Outline Introduction

Erasmus Data Service Centre (EDSC): Your FAIR Research Data Solution Paul J Plaatsman Data- and Economics Librarian Erasmus University Rotterdam(EUR) The Netherlands https://www.eur.nl/en/campus/university-library/erasmus-data-service-centre

740 views • 20 slides
COVID 19 and Cycling: Panel Discussion October 28, 2020 Mark Greve, MD Moderator Michael

COVID 19 and Cycling: Panel Discussion October 28, 2020 Mark Greve, MD Moderator Michael

COVID 19 and Cycling: Panel Discussion October 28, 2020 Mark Greve, MD Moderator Michael Roshon, MD/PhD Kevin Sprouse, MD Aaron Baggish, MD Agenda Virology of SARS CoV-2 Transmission Testing Clinical Course Cycling and Covid: Tales from

1k views • 40 slides
Data Warehouse and OLAP Data Warehouse and OLAP Week 5 1 Midterm I Midterm I Friday, March

Data Warehouse and OLAP Data Warehouse and OLAP Week 5 1 Midterm I Midterm I Friday, March

Data Warehouse and OLAP Data Warehouse and OLAP Week 5 1 Midterm I Midterm I Friday, March 4 Scope Homework assignments 1 4 Open book Team Homework Assignment #7 Team Homework Assignment #7 Read pp. 121 139, 146

609 views • 31 slides
OLAP and Data Warehousing Advanced Topics in Database Management (INFSCI 2711) Some materials are

OLAP and Data Warehousing Advanced Topics in Database Management (INFSCI 2711) Some materials are

OLAP and Data Warehousing Advanced Topics in Database Management (INFSCI 2711) Some materials are from Database Management Systems, R. Ramakrishnan and J. Gehrke and from https://www.kimballgroup.com/ Vladimir Zadorozhny, DINS, University of

414 views • 22 slides
Data Science in the Wild Lecture 12: Memory-Based Data Warehouses Eran Toch Data Science in the

Data Science in the Wild Lecture 12: Memory-Based Data Warehouses Eran Toch Data Science in the

Data Science in the Wild Lecture 12: Memory-Based Data Warehouses Eran Toch Data Science in the Wild, Spring 2019 1 Data Engineering Extract Transform Load & Clean Sources Data Warehouse Data Science in the Wild, Spring 2019 2

1.12k views • 54 slides

More recommend