

1. May 24: Confinement
  • Confinement, non-VM isolation
    – Program modification
    – Covert channels
  May 24, 2017 ECS 235B Spring Quarter 2017 Slide #1

2. Compiling
  • Compiler enforces or validates constraints
    – Type-safe language enforces them
    – Certifying compiler validates them

3. Type Safety
  • Java is type-safe
    – Compiler enforces correct usage of types
  • C is not type-safe
    – Need to add semantics to make it safe
  • Example: CCured imposes type safety on C
    – Adds code to C programs so pointers point to 0 or objects of right type
    – Handles dynamic pointers, too
    – Impacts performance

4. Certifying Compiler
  • Generates proof that program satisfies specific security properties
    – Before execution, proof is validated
  • Example: Touchstone validates type-safe subset of C
    – Checks all array references

5. Touchstone
  • Analyzes functions, annotating code with loop invariants, preconditions, postconditions
  • It then generates validation code
    – Predicate for each function holds iff postconditions hold
  • Theorem prover verifies proof automatically
    – Uses inference rules about array bounds
  • Performance impact of 30% to 150% on standard C benchmarks

6. Loading
  • Load libraries that apply confinement constraints
    – Sandboxing that is embedded in process rather than a separate process
  • Aurasium (Android) prevents apps exfiltrating sensitive data
    – Two parts: tool, modified libraries

7. Aurasium
  • Tool inserts code to enforce given policies when app uses Android resources
    – Like SMS messaging
  • Modified standard C libraries determine if system call should be blocked based on policy
  • Problem: most apps signed
    – Verify signature, then modify app and resign with Aurasium’s own certificate
  • On test, repacked over 99% of apps known to be malicious; negligible performance impact

8. Sandboxes, VMs, and TCB
  • Sandboxes, VMs part of trusted computing bases
    – Failure: less protection than security officers, users believe
    – “False sense of security”
  • Must ensure confinement mechanism correctly implements desired security policy

9. Covert Channels
  • Shared resources as communication paths
  • Covert storage channel uses attribute of shared resource
    – Disk space, message size, etc.
  • Covert timing channel uses temporal or ordering relationship among accesses to shared resource
    – Regulating CPU usage, order of reads on disk

10. Example Storage Channel
  • Processes p, q not allowed to communicate
    – But they share a file system!
  • Communications protocol:
    – p sends a bit by creating a file called 0 or 1, then a second file called send
      • p waits until send is deleted before repeating to send another bit
    – q waits until file send exists, then looks for file 0 or 1; whichever exists is the bit
      • q then deletes 0, 1, and send and waits until send is recreated before repeating to read another bit

11. Example Timing Channel
  • System has two VMs
    – Sending machine S, receiving machine R
  • To send:
    – For 0, S immediately relinquishes CPU
      • For example, run a process that instantly blocks
    – For 1, S uses full quantum
      • For example, run a CPU-intensive process
  • R measures how quickly it gets CPU
    – Uses real-time clock to measure intervals between access to shared resource (CPU)

12. Example Covert Channel
  • Uses ordering of events; does not use clock
  • Two VMs sharing disk cylinders 100 to 200
    – SCAN algorithm schedules disk accesses
    – One VM is High (H), other is Low (L)
  • Idea: L will issue requests for blocks on cylinders 139 and 161 to be read
    – If read as 139, then 161, it’s a 1 bit
    – If read as 161, then 139, it’s a 0 bit

13. How It Works
  • L issues read for data on cylinder 150
    – Relinquishes CPU when done; arm now at 150
  • H runs, issues read for data on cylinder 140
    – Relinquishes CPU when done; arm now at 140
  • L runs, issues read for data on cylinders 139 and 161
    – Due to SCAN, reads 139 first, then 161
    – This corresponds to a 1
  • To send a 0, H would have issued read for data on cylinder 160

14. Analysis
  • Timing or storage?
    – Usual definition ⇒ storage (no timer, clock)
  • Modify example to include timer
    – L uses this to determine how long requests take to complete
    – Time to seek to 139 < time to seek to 161 ⇒ 1; otherwise, 0
  • Channel works same way
    – Suggests it’s a timing channel; hence our definition
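The disk-arm channel of slides 12 to 14 reduced to a runnable model. This is an added example written for this page, not code from the course or the slides. It assumes a minimal SCAN (elevator) scheduler: the arm keeps sweeping in its current direction while any pending request lies ahead and reverses only when none does; the cylinder numbers (100 to 200, 139/150/161, 140 and 160) are the slides' own. The receiver of slide 13 observes only the order in which its two reads complete; the slide-14 variant observes time instead, with seek distance standing in for seek time in this model.

```python
from dataclasses import dataclass


@dataclass
class ScanDisk:
    """Toy SCAN (elevator) disk model, constructed for this example.

    The arm sweeps in its current direction while a pending request lies
    ahead of it and reverses only when nothing is left in that direction.
    """
    position: int
    direction: int = 1   # +1 toward higher cylinders, -1 toward lower
    low: int = 100       # cylinder range the two VMs share (slide 12)
    high: int = 200

    def service(self, cylinders):
        """Service a batch of pending requests in SCAN order; return that order."""
        pending = sorted(set(cylinders))
        for c in pending:
            if not self.low <= c <= self.high:
                raise ValueError(f"cylinder {c} outside the shared range")
        order = []
        while pending:
            ahead = [c for c in pending
                     if (c - self.position) * self.direction >= 0]
            if not ahead:
                self.direction = -self.direction   # end of sweep: reverse
                continue
            nxt = min(ahead, key=lambda c: abs(c - self.position))
            if nxt != self.position:
                self.direction = 1 if nxt > self.position else -1
            self.position = nxt
            pending.remove(nxt)
            order.append(nxt)
        return order


# Slide 13: H reads cylinder 140 to send a 1, cylinder 160 to send a 0.
H_CYLINDER = {1: 140, 0: 160}


def receive_bit_by_order(disk, high_cylinder):
    """One round of the slide-13 protocol. L parks the arm at 150 and yields,
    H reads one cylinder and yields, L probes 139 and 161 and decodes the bit
    purely from the order in which its reads are serviced (no clock)."""
    disk.service([150])                 # L: arm now at 150
    disk.service([high_cylinder])       # H: sets the arm position AND direction
    order = disk.service([139, 161])    # L: only the ORDER is observed
    return 1 if order == [139, 161] else 0


def receive_bit_by_time(disk, high_cylinder):
    """Slide-14 variant: L times each request instead of watching the order.
    Seek distance from the arm's position is the stand-in for seek time here
    (an assumption of this model); the decoded bits come out the same."""
    disk.service([150])
    disk.service([high_cylinder])
    t139, t161 = abs(139 - disk.position), abs(161 - disk.position)
    disk.service([139, 161])
    return 1 if t139 < t161 else 0


def transmit(bits, receiver=receive_bit_by_order):
    """Push a whole bit string through the channel; return what L decodes."""
    disk = ScanDisk(position=100)
    return [receiver(disk, H_CYLINDER[b]) for b in bits]


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0]
    print("by order:", transmit(msg, receive_bit_by_order))   # [1, 0, 1, 1, 0]
    print("by time: ", transmit(msg, receive_bit_by_time))    # [1, 0, 1, 1, 0]
```

What the model makes concrete is the point of slide 14: the receiver's information comes from the scheduler state that H's request left behind (arm position and sweep direction), whether L reads that state through ordering or through elapsed time. That shared, sender-controlled state is the attribute the SRMM analysis on later slides is designed to surface.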

15. Noisy vs. Noiseless
  • Noiseless: covert channel uses resource available only to sender, receiver
  • Noisy: covert channel uses resource available to others as well as to sender, receiver
    – Idea is that others can contribute extraneous information that receiver must filter out to “read” sender’s communication

16. Key Properties
  • Existence: the covert channel can be used to send/receive information
  • Bandwidth: the rate at which information can be sent along the channel
  • Goal of analysis: establish these properties for each channel
    – If you can eliminate the channel, great!
    – If not, reduce bandwidth as much as possible

17. Step #1: Detection
  • Manner in which resource is shared controls who can send, receive using that resource
    – Shared Resource Matrix Methodology
    – Information flow analysis
    – Covert flow trees

18. SRMM
  • Shared Resource Matrix Methodology
  • Goal: identify shared channels, how they are shared
  • Steps:
    – Identify all shared resources, their visible attributes [rows]
    – Determine operations that reference (read), modify (write) resource [columns]
    – Contents of matrix show how operation accesses the resource

19. Example
  • Multilevel security model
  • File attributes:
    – existence, owner, label, size
  • File manipulation operations:
    – read, write, delete, create
    – create succeeds if file does not exist; gets creator as owner, creator’s label
    – others require file exists, appropriate labels
  • Subjects:
    – High, Low

20. Shared Resource Matrix

                read     write    delete    create
    existence   R        R        R, M      R, M
    owner       R                           M
    label       R        R        R         M
    size        R        M        M         M

  (R = operation references the attribute; M = operation modifies it)

21. Covert Storage Channel
  • Properties that must hold for covert storage channel:
    1. Sending, receiving processes have access to same attribute of shared object;
    2. Sender can modify that attribute;
    3. Receiver can reference that attribute; and
    4. Mechanism for starting processes, properly sequencing their accesses to resource

22. Example
  • Consider attributes with both R, M in rows
  • Let High be sender, Low receiver
  • create operation both references, modifies existence attribute
    – Low can use this due to semantics of create
  • Need to arrange for proper sequencing of accesses to existence attribute of file (shared resource)
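The detection step of slides 21 and 22 carried out mechanically, as an added example that is not part of the course material. The matrix is the one on slide 20. The first function does the coarse cut the slide starts with (rows holding both an R and an M); the second applies properties 1 to 3 of slide 21 for a chosen sender and receiver, which needs to know which operations each subject may perform on the shared file. Those operation sets are assumptions encoded here from the slides' description of the MLS example: High may perform every operation on a High-level file, and Low may only create one (write-up), so create's success or failure is all Low can observe. Property 4 (sequencing) is the separate question slide 22 ends on and is not decided by the matrix.

```python
# Shared Resource Matrix of slide 20: attribute -> {operation: access}.
# "R" = operation references the attribute, "M" = modifies it, "RM" = both.
# A missing operation means the matrix cell is blank.
SRM = {
    "existence": {"read": "R", "write": "R", "delete": "RM", "create": "RM"},
    "owner":     {"read": "R",                               "create": "M"},
    "label":     {"read": "R", "write": "R", "delete": "R",  "create": "M"},
    "size":      {"read": "R", "write": "M", "delete": "M",  "create": "M"},
}

# Assumed access rules for the slides' MLS example (not spelled out on the
# slides): High may do anything to a High-level file; Low may only create
# one (write-up) and learns nothing but whether create succeeded.
HIGH_OPS = {"read", "write", "delete", "create"}
LOW_OPS_ON_HIGH_FILE = {"create"}


def attributes_with_r_and_m(matrix):
    """Slide 22, first cut: rows whose cells contain both an R and an M."""
    return [attr for attr, row in matrix.items()
            if any("R" in cell for cell in row.values())
            and any("M" in cell for cell in row.values())]


def storage_channel_candidates(matrix, sender_ops, receiver_ops):
    """Apply properties 1-3 of slide 21 to every attribute in the matrix.

    Property 1 (shared attribute) holds for every row by construction.
    Property 2: some operation the sender may perform modifies the attribute.
    Property 3: some operation the receiver may perform references it.
    Returns {attribute: {"sender_modifies_via": [...], "receiver_references_via": [...]}}
    for the attributes that satisfy all three.
    """
    found = {}
    for attr, row in matrix.items():
        s_mod = sorted(op for op in sender_ops if "M" in row.get(op, ""))
        r_ref = sorted(op for op in receiver_ops if "R" in row.get(op, ""))
        if s_mod and r_ref:
            found[attr] = {"sender_modifies_via": s_mod,
                           "receiver_references_via": r_ref}
    return found


def report(matrix, sender_ops, receiver_ops):
    """Human-readable summary of the analysis for one sender/receiver pair."""
    lines = [f"rows with both R and M: {attributes_with_r_and_m(matrix)}"]
    for attr, how in storage_channel_candidates(matrix, sender_ops, receiver_ops).items():
        lines.append(f"candidate channel via '{attr}': sender modifies with "
                     f"{how['sender_modifies_via']}, receiver references with "
                     f"{how['receiver_references_via']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # High -> Low is the direction the MLS policy forbids, hence the one to check.
    print(report(SRM, HIGH_OPS, LOW_OPS_ON_HIGH_FILE))
```

Run as-is, the coarse cut keeps every row (each has both an R and an M), but once the subjects' permitted operations are applied only the existence attribute survives: High can modify it with create or delete, and Low references it through create, exactly the conclusion slide 22 draws. Swapping the roles (Low as sender, High as receiver) flags all four attributes, which is expected: that is the write-up direction the policy permits, so it is an allowed flow rather than a covert one.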

23. Use of Channel
  – 3 files: ready, done, 1bit
  – Low creates ready at High level
  – High checks that file exists
  – If so, to send 1, it creates 1bit; to send 0, skip
  – Delete ready, create done at High level
  – Low tries to create done at High level
  – On failure, High is done
  – Low tries to create 1bit at level High
  – Low deletes done, creates ready at High level

24. Covert Timing Channel
  • Properties that must hold for covert timing channel:
    1. Sending, receiving processes have access to same attribute of shared object;
    2. Sender, receiver have access to a time reference (wall clock, timer, event ordering, …);
    3. Sender can control timing of detection of change to that attribute by receiver; and
    4. Mechanism for starting processes, properly sequencing their accesses to resource

25. Example
  • Revisit variant of KVM/370 channel
    – Sender, receiver can access ordering of requests by disk arm scheduler (attribute)
    – Sender, receiver have access to the ordering of the requests (time reference)
    – High can control ordering of requests of Low process by issuing cylinder numbers to position arm appropriately (timing of detection of change)
    – So whether channel can be exploited depends on whether there is a mechanism to (1) start sender, receiver and (2) sequence requests as desired
