securing distributed systems with information flow control
play

Securing distributed systems with information flow control - PowerPoint PPT Presentation

Nov 24, 2023 •493 likes •1.16k views

Securing distributed systems with information flow control Nickolai Zeldovich Silas Boyd-Wickizer David Mazires Traditional web applications: lots of trusted (yellow) code HTTP User's Application User's browser front Database User's

  1. Securing distributed systems with information flow control Nickolai Zeldovich Silas Boyd-Wickizer David Mazières

  2. Traditional web applications: lots of trusted (yellow) code HTTP User's Application User's browser front Database User's code browser end browser ● Application is typically millions of lines of code ● Lots of third-party libraries from SourceForge ● Application has access to entire user database

  3. Traditional web applications: lots of trusted (yellow) code HTTP User's Application User's browser front Database User's code browser end browser ● Application is typically millions of lines of code ● Lots of third-party libraries from SourceForge ● Application has access to entire user database ● Result: any bug allows attacker to steal all data! – PayMaxx app code exposed 100,000 users' SSNs

  4. Recent work: information flow control ● Don't try to eliminate all application bugs ( hard !) ● OS'es like Asbestos, HiStar, Flume keep user data secure even if application is malicious – Track flow of user's data through system – Only send user's data to that user's browser – No need to audit/understand application code!

  5. Recent work: information flow control ● Don't try to eliminate all application bugs ( hard !) ● OS'es like Asbestos, HiStar, Flume keep user data secure even if application is malicious – Track flow of user's data through system – Only send user's data to that user's browser – No need to audit/understand application code! ● Limitation: works only on one machine – Web applications need multiple machines for scale

  6. This talk: extending information flow control to distributed systems ● Outline: – Review of information flow control (IFC) in an OS – Challenges in distributed IFC and our solution – Apps: web server, incremental deployment, ... ● Results: – Can control information flow in distributed system – Key idea: self-certifying category names – Enforce security of scalable web server in 6,000 lines

  7. Labels control information flow Label Label Label File A Process File B

  8. Labels control information flow Color is category of data (e.g. my files) Blue data can flow only to other blue objects Label Label Label File A Process File B

  9. Labels control information flow Color is category of data (e.g. my files) Blue data can flow only to other blue objects Label Label Label X File A Process File B X

  10. Labels control information flow Color is category of data (e.g. my files) Blue data can flow only to other blue objects Label Label Label X File A Process File B X

  11. Labels control information flow Color is category of data (e.g. my files) Blue data can flow only to other blue objects Owns blue data, can remove color (e.g. encrypt) Label Label Label File A Process File B

  12. Labels are egalitarian ● Any process can request a new category (color) – Gets ownership of that category ( ) – Uses category in labels to control information flow – Can grant ownership to others Label Label Label File A Process File B

  13. Traditional web server: lots of trusted (yellow) code HTTP User's front Application User's browser Database User's end code browser browser

  14. Information flow control: separate color for each user's data HTTP User's front Application Database User's browser User's end code browser browser

  15. Information flow control: track each user's data in app Application code HTTP User's front Application Database User's browser User's end code browser browser Application code

  16. Labels prevent application code from disclosing data onto network Application X code HTTP User's front Application Database User's browser User's end code browser browser Application X code

  17. Front-end uses ownership to send data only to user's browser Application X code HTTP User's front Application Database User's browser User's end code browser browser Application X code

  18. Front-end uses ownership to send data only to user's browser Application X code HTTP User's front Application Database User's browser User's end code browser browser Application X code ● What happens when the server gets overloaded?

  19. Limitation: OS alone cannot control information flow in distributed system Application X code X X HTTP User's front Application Database User's X X browser User's end code browser browser X X Application X code

  20. Distributed challenge: when to allow processes to communicate? ● Design goal: decentralized – no fully-trusted parts – (Not the usual meaning of decentralized IFC, or DIFC) HTTP Application Data front-end server server httpd App code Database ? ? ● Challenge: no equivalent of a fully-trusted OS kernel that can make all decisions

  21. High-level approach: encode labels in messages Each machine uses OS to enforce labels locally HTTP Application Data front-end server server httpd App code Database Message Message

  22. Problem: decentralized trust ● When can we trust the recipient with message? Attacker's HTTP Application Data machine front-end server server httpd App code Database X Message Message

  23. Solution: per-category trust ● DB trusts front-end, app servers with a particular user's data (e.g. messages labeled blue) ● But DB doesn't trust the app code... Attacker's HTTP Application Data machine front-end server server httpd App code Database X Message Message

  24. Exporters control information flow on each machine using local OS ● Database doesn't trust the app code, but trusts the app server's exporter to contain the app code Attacker's HTTP Application Data machine front-end server server httpd App code Database Exporter Exporter Exporter X Message Message

  25. Exporter's API exp_send( dest_host , dest_mbox , msg , label ) – Exporter provides interface to send datagrams – Message should only be sent if every category in label trusts the machine dest_host – How does the exporter check for this trust?

  26. Strawman: check trust by querying category owners Process (secret bit = 1) Exporter Category owner

  27. Strawman: check trust by querying category owners exp_send(host_x, msg) Process (secret bit = 1) Exporter ? ? Host X Category owner

  28. Strawman: check trust by querying category owners exp_send(host_x, msg) Process (secret bit = 1) Control msg: Exporter “can I send to host_x?” ? ? Host X Category owner

  29. Querying category owners creates a covert channel in API Process (secret bit = 1) X Exporter Attacker's host Host X Category owner

  30. Querying category owners creates a covert channel in API Process (secret bit = 1) X Exporter Attacker's host Host X Category owner

  31. Querying category owners creates a covert channel in API exp_send(host_x, msg) Process (secret bit = 1) X Exporter ? ? Attacker's host Host X Category owner

  32. Querying category owners creates a covert channel in API exp_send(host_x, msg) Process (secret bit = 1) X Control msg: Control msg: Exporter “can I send to “can I send to host_x?” host_x?” ? ? Attacker's host Host X Category owner

  33. Strawman 2: store trust in exporter Process (secret bit = 1) host_x Exporter host_y

  34. Strawman 2: store trust in exporter exp_send(host_x, msg) Process (secret bit = 1) host_x Exporter host_y ● Exporter sends no queries that could leak data

  35. Storing trust in exporter also creates a covert channel in API Colluding Process Process (secret bit = 1) X host_x Exporter Attacker's host Y

  36. Storing trust in exporter also creates a covert channel in API Colluding Process Process (secret bit = 1) exp_trust( , host_y) X host_x Exporter host_y Depends on Attacker's host Y value of the secret bit

  37. Storing trust in exporter also creates a covert channel in API Colluding Process Process (secret bit = 1) exp_send(host_y, msg) exp_trust( , host_y) X host_x Exporter host_y Depends on Depends on Depends on behavior of Attacker's host Y value of the value of the malicious secret bit secret bit process

  38. Problem: What to do with covert channels? ● Non-goal: eliminate all covert channels – Not practical ● Goal: avoid covert channels in interface – Allow trading off performance to mitigate covert channels without changing the API

  39. Solution: Self-certifying category names ● Categories named by public key ● Trust for a category defined by certificates signed by that category's private key ● Caller supplies all certificates to exp_send()

  40. Caller supplies all certificates needed by exporter exp_send( dest_host , dest_mbox , msg , label , certs ) Caller-supplied

  41. Caller supplies all certificates needed by exporter exp_send( dest_host , dest_mbox , msg , label , certs )   Mapping = Caller-supplied

  42. Caller supplies all certificates needed by exporter exp_send( dest_host , dest_mbox , msg , label , certs ) No covert channels   to determine trust: Mapping = ➔ No external Certificate communication host X  Can send to  ➔ No shared state Caller-supplied

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

1.02k views • 58 slides
Nickel: A framework for design and verification of information flow control systems Luke Nelson

Nickel: A framework for design and verification of information flow control systems Luke Nelson

Nickel: A framework for design and verification of information flow control systems Luke Nelson Joint work with Helgi Sigurbjarnarson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang 2018 New England Systems Verification Day 1

749 views • 31 slides
Possibilistic Information Flow Control for Workflow Management Systems Thomas Bauereiss Dieter

Possibilistic Information Flow Control for Workflow Management Systems Thomas Bauereiss Dieter

Possibilistic Information Flow Control for Workflow Management Systems Thomas Bauereiss Dieter Hutter DFKI Bremen Workflow management systems Coordinating manual and (semi-)automatic activities involving multiple users Security

364 views • 17 slides
Securing Information Systems Reading: Laudon & Laudon chapter 7 Additional Reading: Brien

Securing Information Systems Reading: Laudon & Laudon chapter 7 Additional Reading: Brien

Securing Information Systems Reading: Laudon & Laudon chapter 7 Additional Reading: Brien & Marakas chapter 11 COMP 5131 1 Outline System Vulnerability and Abuse Business Value of Security and Control Establishing

734 views • 40 slides
What is this course about? What do I mean by distributed information systems ?

What is this course about? What do I mean by distributed information systems ?

What is this course about? What do I mean by distributed information systems ? distributed : a bunch of computers connected by wires. independent systems but not necessarily autonomous assume network supports messaging and stream

311 views • 10 slides
with Deferrable constraints in Haskell through the tale of a Haskell information flow control

with Deferrable constraints in Haskell through the tale of a Haskell information flow control

Gradually typed DSLs with Deferrable constraints in Haskell through the tale of a Haskell information flow control library Pablo Buiras, Alejandro Russo, Dimitrios Vytiniotis Information flow control 101 Non- interference:

465 views • 31 slides
Topic #8 Signal Flow Graphs Reference textbook : Control Systems, Dhanesh N. Manik, Cengage

Topic #8 Signal Flow Graphs Reference textbook : Control Systems, Dhanesh N. Manik, Cengage

ME 779 Control Systems Topic #8 Signal Flow Graphs Reference textbook : Control Systems, Dhanesh N. Manik, Cengage Publishing, 2012 1 Control Systems: Signal Flow Graphs Learning Objectives Definition Canonical feedback system

380 views • 14 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Distributed Systems (ICE 601) Concurrency Control - Part2 Dongman Lee ICU Class Overview

Distributed Systems (ICE 601) Concurrency Control - Part2 Dongman Lee ICU Class Overview

Distributed Systems (ICE 601) Concurrency Control - Part2 Dongman Lee ICU Class Overview Transactions Why Concurrency Control Concurrency Control Protocols pessimistic optimistic time-based Distributed Systems -

414 views • 8 slides
Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Secure Architecture Principles Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure Information Flow (CACM 1976) Review Access Control Discretionary access control (DAC) Philosophy: users have

321 views • 16 slides
Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken

Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken

Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken Wai-Kin Au School of Computing Science University of Glasgow Zhaohui Tang School of Infocomm Republic Polytechnic, Singapore 1 Introduction

576 views • 21 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
CPSC 213 Introduction to Computer Systems Unit 1d Static Control Flow 1 Reading Companion

CPSC 213 Introduction to Computer Systems Unit 1d Static Control Flow 1 Reading Companion

CPSC 213 Introduction to Computer Systems Unit 1d Static Control Flow 1 Reading Companion 2.7.1-2.7.3, 2.7.5-2.7.6 Textbook 3.6.1-3.6.5 2 Control Flow The flow of control is the sequence of instruction executions

541 views • 21 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the presence of certain language features (e.g. indirect calls) it is nontrivial to predict accurately how control may flow at execution time the nave

594 views • 42 slides
Anomaly Detection through DNS Correlations Michael H. Warfield Senior Security Researcher and

Anomaly Detection through DNS Correlations Michael H. Warfield Senior Security Researcher and

Anomaly Detection through DNS Correlations Michael H. Warfield Senior Security Researcher and Threat Analyst IBM Security Services X-Force Why DNS? This is still a work in progress but... Why look at the DNS? It's just THERE.

496 views • 21 slides
Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo

Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo

Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo Barradas PhD Stage: Planner Advisors: Prof. Lus Rodrigues & Prof. Nuno Santos Research Area: Privacy-Enhancing Technologies Diogo Barradas - EuroSys

395 views • 15 slides
COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to be problematic for Delft Lab on May 31st seems to be problematic for Twente Systems Security Covert Channels 2 14.05.2018 Prepare to vote 1

1.05k views • 50 slides
Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer

Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer

Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer Security Transient execution and kernel isolation: Meltdown Day 11: Side Channels and Transient Execution Stephen McCamant Transient execution and kernel

496 views • 4 slides
Cloud security CS642: Computer Security Professor Ristenpart

Cloud security CS642: Computer Security Professor Ristenpart

Cloud security CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642

567 views • 43 slides
Information flow and policy In five minutes, you learn what the average college graduate

Information flow and policy In five minutes, you learn what the average college graduate

Information flow and policy In five minutes, you learn what the average college graduate remembers five years after he or she is out of school. If you want to know more about something... Ask me Man pages, manuals, papers, books

451 views • 18 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confiden5ality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ applica5on Hardware/

985 views • 46 slides
I Heard It through the Firewall: Exploiting Cloud Management Services as an Information Leakage

I Heard It through the Firewall: Exploiting Cloud Management Services as an Information Leakage

I Heard It through the Firewall: Exploiting Cloud Management Services as an Information Leakage Channel Hyunwook Baek , Eric Eide, Robert Ricci, Jacobus Van der Merwe University of Utah 1 Motivation Information leakage in cloud has

874 views • 49 slides

More recommend