

SLIDE 1

RIFLE: An Architectural Framework for User-Centric Information-Flow Security

Neil Vachharajani · Matthew J. Bridges · Jonathan Chang · Ram Rangan · Guilherme Ottoni · Jason A. Blome · George A. Reis · Manish Vachharajani · David I. August
Liberty Research Group, Princeton University

SLIDE 2

http://www.liberty-research.org

RIFLE: Information Flow Security

The Liberty Research Group

Information-Flow Security in the Real World

Diagram: Alice, Tax Prep Software, TaxPrep.com and IRS.gov; Alice's financial information sits behind a "Financial Info Barrier".

  • IRS provides tax forms
  • TaxPrep, Inc. provides software patches
  • Alice enters her financial information

SLIDE 3

Information-Flow Security in the Real World

Same diagram as slide 2 (animation step): Alice, TaxPrep.com, IRS.gov, Tax Prep Software, Financial Info Barrier.

  • IRS provides tax forms
  • TaxPrep, Inc. provides software patches
  • Alice enters her financial information

SLIDE 4

Information-Flow Security in the Real World

All programs must be assumed unsafe
  • Malicious programs intentionally leak information
  • Buggy programs unintentionally leak information

User-Centric Information-Flow Security
  1. Users want to establish their own security policy
     • The CIA's security needs differ from Joe Average's
  2. Users want data-dependent security policies
     • Web browser with web search form data
     • Web browser with banking login form data
  3. Users should not have to sacrifice security for functionality
     • All programs should be secure or securable
     • Only security holes that will actually be realized are significant
SLIDE 5

Definition of Security: Non-Interference

Integrity
  • Untrusted inputs should not affect trusted outputs
  • Example: prevent input from being executed [Suh 04, Crandall 04]

Confidentiality [Denning 76, Myers 97, Myers 99, Tse 04]
  • High security inputs should not affect low security outputs
  • Example: tax preparation software

Key mechanism: tracking the flow of information through code
  • Integrity and confidentiality are dual
  • Policies and enforcement both rely on information flow
SLIDE 6

Information-Flow Security: Tainting Data

Used in Perl's "taint" mode and other works [Denning 76, Suh 04, Crandall 04]

  1. Program inputs are tainted, or labeled with a security class
  2. Labels propagate through computation
  3. Certain operations enforce a security policy by verifying operand labels

Example (explicit flows only: each result carries the labels of its operands, and the system call checks the label of r6):

    add r4 = r1, r2
    add r5 = r4, r3
    div r6 = r5, 3
    sc  .write, r6
SLIDE 7

Problems with the Taint Solution

Control Flow Can Leak Information!

The slide draws a branch whose two arms rejoin at the write (a control-flow graph, not straight-line code):

    bnez r1, L1          ; r1 holds the secret
    mov  r2 = 0          ; fall-through arm (r1 == 0)
L1: mov  r2 = 1          ; taken arm (r1 != 0)
    sc   .write, r2      ; both arms reach here

The value of r2 (0 or 1) depends on r1, yet no data operation ever read r1, so r2's label stays clean and the write passes the check.

SLIDE 8

User-Centric Information-Flow Security

System                                          | Leaks Information | Policy Enforcement | Programmer Support | Conservative | Performance Loss
Taint [Suh 2004]                                | Yes               | Dynamic            | No                 | No           | Moderate
Static Systems [Denning 76, Myers 97, Myers 99] | Rate Limited      | Static             | Yes                | Yes          | None
Static with Runtime Principals [Tse 2004]       | Rate Limited      | Hybrid             | Yes                | (missing)    | Little
Ideal User-Centric                              | No                | Dynamic/Hybrid     | No                 | No           | None
RIFLE                                           | Rate Limited      | Dynamic            | No                 | Yes          | Moderate

One value of the [Tse 2004] row is missing from the page; it is shown as (missing). The slide colour-codes cells as a deal breaker for user-centric IFS, fundamentally impossible, or essential for user-centric IFS.

SLIDE 9

Naïve "Solution": Taint the Program Counter

  • Ops have an implicit PC operand
  • Label PC like any other operand
  • PC should be declassified after the branch merge

    bnez PC = r1, L1       ; PC picks up r1's label
    mov  r2 = 0, PC
L1: mov  r2 = 1, PC
    PC = declassify PC     ; at the merge point
    sc   .write, r2, PC

Code can leak information whether it is executed or not! If only one arm assigns r2, the value r2 keeps on the other arm is never relabeled, yet it still reveals which way the branch went.

SLIDE 10

RIFLE: The Big Picture

Programmer's System: Programmer writes Unannotated Source Code -> Compiler -> Compiled Code (Base ISA)

User's System: Compiled Code (Base ISA) -> Binary Translator -> Compiled Code (Secure ISA) -> Runtime Environment (policy enforcer) -> End User

SLIDE 11

Naïve Binary Translation

Starting point, with the flow dependences from the two definitions of r2 to the write:

    bnez PC = r1, L1
    mov  r2 = 0, PC
L1: mov  r2 = 1, PC
    PC = declassify PC
    sc   .write, r2, PC

SLIDE 12

Naïve Binary Translation

  1. Force every if to have an else

(The branch is redrawn with an explicit else arm so that both paths run under the labeled PC.)

SLIDE 13

Naïve Binary Translation

  1. Force every if to have an else
  2. On each side of the branch, modify the same variables

On the arm that does not assign r2, insert a redefinition so that r2 receives PC's label on both paths:

    bnez PC = r1, L1
    mov  r2 = r2, PC      ; inserted: r2 now carries PC's label on this arm too
L1: mov  r2 = 1, PC
    PC = declassify PC
    sc   .write, r2, PC

SLIDE 14

Naïve Binary Translation

But what about memory?

    bnez PC = r1, L1
    mov  r2 = &x, PC
L1: st   M[r1] = 1, PC
    PC = declassify PC
    sc   .write, M[r2], PC

Balancing the store on the other arm would require `st M[r1] = M[r1], PC`. There is a possible memory dependence between the store and the write, but when r1 == 0 there is no memory dependence: the balancing store relabels M[r1], not the location M[r2] that the write actually reads. Which addresses the unexecuted arm would have modified is not known statically, so "modify the same variables" does not extend to memory.

SLIDE 15

RIFLE Binary Translation

Key insight: handle implicit flows at data use, not data definition.

    mov  s10 = s1          ; copy r1's label (s1) into security register s10
    bnez r1, L1
    mov  r2 = &x
L1: <s10> st M[r1] = 1     ; control dependence on the branch
    <s10> sc .write, M[r2] ; possible memory dependence on the store

The branch condition's label is saved before the branch; the instructions that are control dependent on it, and the uses that may depend on their results (here the write through a possibly aliasing address), are annotated with that security register instead of relying on a tainted PC.
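As an added illustration of slides 6, 7, 9 and 15 (this is example code written for this page, not the RIFLE translator or simulator from the paper), the following Python toy runs the slides' branch example under three tracking schemes: plain data tainting, naive PC tainting with declassification at the merge, and a RIFLE-style static pass that saves the branch condition's label in a security register and attaches it at every use of a register defined under that branch. The ISA, the instruction encoding, the `savelabel` pseudo-op and all function names are assumptions of this example; it models registers only (no memory) and forward branches only.

```python
"""Toy simulator for the slides' branch leak: plain data tainting, naive PC
tainting declassified at the merge, and RIFLE-style security registers that
label a value at its use.  Added example for this page, not the RIFLE
translator/simulator; registers only, no memory, forward branches only."""

# Hypothetical toy ISA in the slides' notation; sources are register names or ints:
#   ("mov", dst, src) ("add", dst, a, b) ("bnez"|"beqz", cond, lbl) ("jmp", lbl)
#   ("label", name) ("write", src) ("savelabel", sreg, cond)  [emitted by translator]
BRANCHES, DEFS = ("bnez", "beqz"), ("mov", "add")


def sources(ins):
    if ins[0] in DEFS:
        return ins[2:]
    return (ins[1],) if ins[0] in BRANCHES + ("write",) else ()


def label_index(prog):
    return {ins[1]: i for i, ins in enumerate(prog) if ins[0] == "label"}


def merge_point(prog, i, lbls):
    """Index where the arms of the branch at prog[i] rejoin (toy post-dominator)."""
    end = lbls[prog[i][2]]
    for j in range(i + 1, end):
        if prog[j][0] == "jmp":
            end = max(end, lbls[prog[j][1]])
    return end


def rifle_translate(prog):
    """Static pass in the spirit of slide 15: save the branch condition's label in
    security register s<i>, then attach it to every instruction that may read a
    value defined in that branch's control-dependent region, whether or not the
    definition executed.  Output instructions are (guards, op, ...)."""
    lbls = label_index(prog)
    regions = [(i, merge_point(prog, i, lbls), f"s{i}")
               for i, ins in enumerate(prog) if ins[0] in BRANCHES]
    tags = {}                        # register -> security regs that guard its uses
    out = []
    for j, ins in enumerate(prog):
        region = {s for a, b, s in regions if a < j < b}   # enclosing regions
        guards = set(region)
        for src in sources(ins):
            guards |= tags.get(src, set()) if isinstance(src, str) else set()
        if ins[0] in BRANCHES:       # mov s_j = label(cond), as on slide 15
            out.append((tuple(sorted(guards)), "savelabel", f"s{j}", ins[1]))
        if ins[0] in DEFS:           # a def inside a region may not run, so the
            old = tags.get(ins[1], set()) if region else set()   # old tags survive
            tags[ins[1]] = old | guards
        out.append((tuple(sorted(guards)),) + tuple(ins))
    return out


def run(prog, regs, reglabels, mode):
    """Execute; return (value, label) of each write.  mode: 'taint' (explicit
    flows only), 'pc' (naive PC label, declassified at the merge) or 'rifle'."""
    raw = [ins[1:] if isinstance(ins[0], tuple) else ins for ins in prog]
    lbls = label_index(raw)
    merges = {merge_point(raw, i, lbls) for i, ins in enumerate(raw) if ins[0] in BRANCHES}
    regs, lab, sregs = dict(regs), {r: frozenset(l) for r, l in reglabels.items()}, {}
    pc_label = frozenset()
    val = lambda x: regs[x] if isinstance(x, str) else x
    lab_of = lambda x: lab.get(x, frozenset()) if isinstance(x, str) else frozenset()
    out, pc = [], 0
    while pc < len(raw):
        ins, guards = raw[pc], (prog[pc][0] if isinstance(prog[pc][0], tuple) else ())
        if mode == "pc" and pc in merges:
            pc_label = frozenset()                      # PC = declassify PC
        ctx = frozenset().union(*(sregs.get(s, frozenset()) for s in guards))
        ctx |= pc_label if mode == "pc" else frozenset()   # implicit PC operand
        op, pc = ins[0], pc + 1
        if op == "mov":
            regs[ins[1]], lab[ins[1]] = val(ins[2]), lab_of(ins[2]) | ctx
        elif op == "add":
            regs[ins[1]] = val(ins[2]) + val(ins[3])
            lab[ins[1]] = lab_of(ins[2]) | lab_of(ins[3]) | ctx
        elif op in BRANCHES:
            if mode == "pc":
                pc_label |= lab_of(ins[1])
            if (val(ins[1]) != 0) == (op == "bnez"):
                pc = lbls[ins[2]]
        elif op == "jmp":
            pc = lbls[ins[1]]
        elif op == "savelabel":
            sregs[ins[1]] = lab_of(ins[2]) | ctx
        elif op == "write":                             # sc .write: policy check point
            out.append((val(ins[1]), lab_of(ins[1]) | ctx))
    return out


# Constructed programs in the shape of slides 7 and 9: r1 is secret, and the
# written value of r2 reveals whether r1 was zero without any data op on r1.
IF_ELSE = [("bnez", "r1", "L1"), ("mov", "r2", 0), ("jmp", "END"),
           ("label", "L1"), ("mov", "r2", 1), ("label", "END"), ("write", "r2")]
IF_ONLY = [("mov", "r2", 0), ("beqz", "r1", "END"), ("mov", "r2", 1),
           ("label", "END"), ("write", "r2")]


def leak_caught(prog, r1, mode):
    """True if the label that reaches the write carries r1's 'secret' label."""
    p = rifle_translate(prog) if mode == "rifle" else prog
    (_, label), = run(p, {"r1": r1}, {"r1": {"secret"}}, mode)
    return "secret" in label
```

Running `leak_caught` over both programs and both values of r1 reproduces the slides' argument: plain tainting misses the leak in every case, naive PC tainting catches it for the if/else program but misses the if-only program when r1 == 0 (the untaken arm never relabels r2), and the RIFLE-style pass catches all four because the guard on the write does not depend on which arm executed.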

SLIDE 16

Results: Security

Word Count (wc)
  • Function calls and returns
  • Global pointer, stack pointer

[Figure: the wc program binary, its command line and its inputs (wc.MAP, wc.NM, load6.txt, src4+2or6.txt) combined into the output]

PGP – identified unexpected information flows!
  • Key ring – each key labeled with a unique label
  • Plain text – colored with a unique label
  • Cipher text –
    • Expected: labeled with the key's label and the plain text label
    • Actual: labeled with the labels of all keys up to the used key, plus the plain text label

SLIDE 17

Hardware Implementation & Optimizations

  • All instructions create explicit flows
  • Use shadow registers/memory to store security labels
  • Augment the processor data path to track explicit flows
  • The transformation inserts redundant security register defines
    • Many instructions added
    • Many security registers needed

Before Opti (as reconstructed here: the listing with the redundant `mov s60 = s50`):

        add r1 = 0, 1
        mov s50 = s10
        mov s60 = s50
        (r10) jump L2
    L1: <s50> (r1) jump L3
        …
    L2: <s60> add r1 = 0, 0
        jump L1

After Opti:

        add r1 = 0, 1
        s50 = mov s10
        (r10) jump L2
    L1: <s50> (r1) jump L3
        …
    L2: <s50> add r1 = 0, 0
        jump L1

SLIDE 18

Results: Performance

[Figure: normalized runtimes (y-axis 0.0 to 2.5) for 164.gzip, 175.vpr, 181.mcf, 186.crafty, 197.parser, 256.bzip2, 300.twolf, thttpd, wc, mpeg2dec and the GeoMean, in two configurations: Double Cache and Original Cache]

Validated Itanium 2 model built in the Liberty Simulation Environment

SLIDE 19

Conclusions & Future Work

  • User-centric information flow security empowers users
    • User (not programmer) tailored security policy
    • Data-based (not program-based) security
    • Any program (no need for special languages) can be secured
  • User-centric information flow security is possible
  • RIFLE provides user-centric information-flow security by:
    • Tracking flow and enforcing policies dynamically
    • Using static "hints" inserted by binary translation to establish security
  • Future work
    • Improved performance – more optimization, hardware acceleration
    • JVM implementation – for broadened applicability
    • Declassification – allowing user-controlled data "leaks"