Petros Maniatis, Devdatta Akhawe, Kevin Fall, Elaine Shi, Stephen - - PowerPoint PPT Presentation

SLIDE 1

Petros Maniatis, Devdatta Akhawe, Kevin Fall, Elaine Shi, Stephen McCamant, Dawn Song

SLIDE 2

Secure Data Capsules @ HotOS2011 3

SLIDE 3

SLIDE 4

SLIDE 5

SLIDE 6

SLIDE 7
  • Diverse modes of data use and storage outside owner’s control
  • Distinct organizations, infrastructures, jurisdictions
  • Unknown software, maintenance, trustworthiness
  • Deep, continuous, critical sharing

Today: trust everyone to do anything undetected, or die

SLIDE 8
  • Owner sets data policy: Data Use Controls (DUCs)
  • Policy enforced on data while out-of-custody
  • Data provenance maintained through all change
  1. Support current OSes and applications without limiting choice
  2. Remove OS, applications from the TCB, verify
  3. Provide good performance

Legacy is the Killer App

SLIDE 9

SLIDE 10

Unmodified OS Application

HW

SLIDE 11

Unmodified OS Application

HyperVisor HW HRoT/TPM Trusted

SLIDE 12

Unmodified OS

SEE

System Interposer Taint Tracker

Application

HW HyperVisor HRoT/TPM Trusted

SLIDE 13

Unmodified OS

DUC Engine Auth

SEE

System Interposer Taint Tracker

Application

HW HyperVisor HRoT/TPM

DUC Provenance

Trusted

SLIDE 14

SLIDE 15

Petros’s Foot MRI

  • Mass here, mass there

DUC

  • Dr. Magneto can edit
  • Dr. Ken can view

Provenance

  • Nurse Jackie Created

SLIDE 16

Petros’s Foot MRI

  • Mass here, mass there

DUC

  • Dr. Magneto can edit
  • Dr. Ken can view

Provenance

  • Nurse Jackie Created
  • Dr. Magneto appended text, cropped image

SLIDE 17

DUC Provenance

Unmodified OS

DUC Engine Auth

SEE

System Interposer Taint Tracker

Application Unmodified OS Application

HW HyperVisor HRoT/TPM

Secure Launch Secure Launch

Release Keys

Trusted

SLIDE 18

Unmodified OS

DUC Engine Auth

SEE

System Interposer Taint Tracker

Application

HW HyperVisor HRoT/TPM

DUC Provenance

Trusted

SLIDE 19

Unmodified OS

DUC Engine Auth

SEE Application

Tainted

Before Before

My photo

ADD MUL MOV JMP … …

After

Trusted

SLIDE 20

Unmodified OS

DUC Engine Auth

Sandbox Application

MRI

Taint Other Obj No taint

Cropped

Taint

Intercepted Released Intercept

DUC Provenance

Release X-Ray

Taint

Trusted
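
An added example, not taken from the slides or from the authors' system: a toy model of the MRI capsule from slides 15, 16 and 20, in which derived data inherits the capsule's taint, edits are appended to provenance, and every release is intercepted and checked against the DUC. The names `Sandbox`, `Value`, `derive`, `release` and the outsider "Mallory" are hypothetical, and taint is tracked per whole value rather than per instruction.

```python
from dataclasses import dataclass, field

@dataclass
class Capsule:
    duc: dict                                   # principal -> set of permitted actions
    provenance: list = field(default_factory=list)

@dataclass(frozen=True)
class Value:
    data: bytes
    taint: frozenset = frozenset()              # names of capsules this value derives from

class Sandbox:
    """Hypothetical stand-in for the trusted layer: tracks taint, intercepts edits and releases."""
    def __init__(self):
        self.capsules = {}

    def create(self, creator, name, data, duc):
        self.capsules[name] = Capsule(duc, [(creator, "created")])
        return Value(data, frozenset({name}))

    def derive(self, who, op, fn, *inputs):
        # Output inherits the union of its inputs' taint (whole-value granularity).
        taint = frozenset().union(*(v.taint for v in inputs))
        for name in taint:                      # check every DUC before recording anything
            if "edit" not in self.capsules[name].duc.get(who, set()):
                raise PermissionError(f"{who} may not edit {name}")
        for name in taint:
            self.capsules[name].provenance.append((who, op))
        return Value(fn(*(v.data for v in inputs)), taint)

    def release(self, value, recipient):
        # Intercepted output: each tainting capsule must let the recipient see the data.
        # Assumption: "edit" implies "view".
        denied = sorted(n for n in value.taint
                        if not {"view", "edit"} & self.capsules[n].duc.get(recipient, set()))
        if denied:
            raise PermissionError(f"release to {recipient} blocked by DUC of {denied}")
        return value.data

def demo():
    # Constructed sample mirroring the MRI slides; "Mallory" is an invented outsider.
    sb = Sandbox()
    mri = sb.create("Nurse Jackie", "foot-mri", b"mass here, mass there",
                    {"Dr. Magneto": {"edit"}, "Dr. Ken": {"view"}})
    cropped = sb.derive("Dr. Magneto", "cropped image", lambda d: d[:9], mri)
    other = Value(b"unrelated note")            # never touched capsule data: no taint
    return sb, cropped, other
```

The cropped image stays bound to the capsule's DUC even though it is a new object, while the untainted value leaves the sandbox without a policy check.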

SLIDE 21
  • Flow tracking does much of the heavy lifting, slooooowly
  • Might improve with: Restriction, Granularity, Asynchrony, Hardware
  • How to keep as little as possible of policy evaluation and flow tracking in TCB? Why T, CB? Prove it, please!

  • Are DUCs meaningful to humans? Composable? App-specific?
  • Covert channels a serious threat with untrusted applications
  • A tussle between flexibility – leak-ability, what can we do in between?
  • Aggregation/analytics?

SLIDE 22

Thank You!

SLIDE 23
  • Ampoules
  • Caplets
  • Flasks
  • Pods
  • Cocoons
  • Sheaths
  • Husks
  • Bob

SLIDE 24
  • The Enterprise Rights Management approach
  • Everyone uses same SW platform, applications
  • Like begging for non-compliance
  • Tough across organization/jurisdiction boundaries
  • Decentralized Information Flow Control
  • New OSes: small TCB but incompatible (e.g., HiStar), or compatible but large TCB (e.g., Flume)
  • New languages (e.g., Jif): rewrite applications, no protection at OS custody

  • Red/Green models: Trust application, disallow sharing, coarse granularity

SLIDE 25
  • Sandboxes can have variable semantic richness

1. Know nothing of semantics

  • Act as a data sink, block all output except display
  • Storage Capsules [Borders2008]

2. Understand information flow

  • Allow output of data, sharing across apps
  • Must track flow of sensitive bits to outputs (DIFT)

3. Understand application or data semantics

  • Need trusted enforcers for app-specific policy
  • For now, targeting #2 with support for #3
