Information Flow Control For Standard OS Abstractions. Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris

Transcription

1 Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris

2 Vulnerabilities in Websites Exploits Web software is buggy Attackers find and exploit these bugs Data is stolen / Corrupted USAJobs.gov hit by Monster.com attack, 146,000 people affected UN Website is Defaced via SQL Injection Payroll Site Closes on Security Worries Hacker Accesses Thousands of Personal Data Files at CSU Chico FTC Investigates PETCO.com Security Hole Major Breach of UCLA s Computer Files Restructured Text Include Directive Does Not Respect ACLs

3 Decentralized Information Flow CEO Control (DIFC) P Declassifier Web App Layoff Plans Free TShirts Intern

4 Decentralized Information Flow CEO Control (DIFC) Web App Layoff Plans Declassifier Helper Process /tmp File Free TShirts Intern

5 Why is DIFC a cult?

6 Who Needs to Understand DIFC? CEO Web App Layoff Plans Declassifier Helper Process /tmp File Free TShirts Intern

7 Why is Today s DIFC DIFfiCult? Label systems are complex Unexpected program behavior Cannot reuse existing code Drivers, SMP support, standard libraries

8 Unexpected Program Behavior (Unreliable Communication) Process p Process q P Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya I stopped reading I crashed

9 Unexpected Program Behavior (Mysterious Failures) Process q Process p File

10 Solution/Outline 1. Flume: Solves DIFC Problems User-level implementation of DIFC on Linux Simple label system Endpoints: Glue Between Unix API and Labels 2. Application + Evaluation Real Web software secured by Flume

11 Outline 1. Flume: Solves DIFC Problems User-level implementation of DIFC on Linux Simple label system Endpoints: Glue Between Unix API and Labels 2. Application + Evaluation

12 Flume Implementation Goal: User-level implementation apt-get install flume Approach: System Call Delegation [Ostia by Garfinkel et al, 2003] Use Linux 2.6 (or OpenBSD 3.9)

13 System Call Delegation open( /hr/layoffplans, O_RDONLY); Web App glibc Linux Kernel Layoff Plans

14 System Call Delegation open( /hr/layoffplans, O_RDONLY); Web App Flume Libc Flume Reference Monitor Linux Kernel Layoff Plans

15 Three Classes of Processes Flume-Oblivious Flume Reference Monitor Unconfined/ Mediators Flume Reference Monitor Confined Flume Reference Monitor Process p Process p Process p Linux Kernel Linux Kernel Linux Kernel

16 Outline 1. Flume: Solves DIFC Problems User-level implementation of DIFC on Linux Simple label system Endpoints: Glue Between Unix API and Labels 2. Application + Evaluation

17 Information Flow Control (IFC) Goal: track which secrets a process has seen Mechanism: each process gets a secrecy label Label summarizes which categories of data a process is assumed to have seen. Examples: { Financial Reports } { HR Documents } tag label { Financial Reports and HR Documents }

18 Tags + Labels Process p S p S= p { = Finance, { S p = {} HR } } DD p p = = { {} HR } Universe of Tags: change_label({finance}); change_label({}); tag_t HR = create_tag(); change_label({finance,hr}); change_label({finance}); any tag to its label. HR Finance SecretProjects Any process can add DIFC Rule: A process can create a new tag; gets Same ability as to Step declassify 1. it. DIFC: Declassification Legal in action.

19 Communication Rule Process p P Process q S p = { HR } S q = { HR, Finance } p can send to q iff S p S q

20 Outline 1. Flume: Solves DIFC Problems User-level implementation of DIFC on Linux Simple label system Endpoints: Glue Between Unix API and Labels 2. Application + Evaluation

21 Recall: Communication Problem Process p stdout stdin Process q S p = {} D p = { HR } S q = { HR } P Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya? SLOW DOWN!! I crashed

22 New Abstraction: Endpoints Process p S p = {} D p = { HR } e S e = { HR } f S f = { HR } Process q S q = { HR } If S e S f, Pthen allow e to send to f If S f S e, then allow f to send to e If S f = S e, then Pallow bidirectional flow SLOW DOWN!! I crashed Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya

23 Endpoints Declassify Data Data enters process p with secrecy { HR } Process p S p = {} D p = { HR } e S e = { HR } But p keeps its label S p = {} Thus p needs HR D p

24 Endpoint Invariant For any tag t S p and t S e Or any tag t S e and t S p It must be that t D p Writing Reading Process p S e = { HR } S p = { Finance } D p = { Finance, HR} e

25 Endpoints Labels Are Independent g S g = {} Process p S p = {} D p = { HR } e S e = { HR } f S f = { HR } Process q S q = { HR }

26 Recall: Mysterious Failures Process q Process p File

27 Endpoints Reveal Errors Eagerly D p = {} Process p S p = {} S p = { HR } e S e = {} /tmp/public.dat S public.dat = {}? Violates endpoint Process q invariant! S p S e = { HR } D p S q = { HR } open( /tmp/public.dat, O_WRONLY); change_label({hr})

28 Endpoints Reveal Errors Eagerly D p = {} Process p S p = {} S p = { HR } e S e = {} /tmp/public.dat S public.dat = {} Process q S q = { HR } fd = open( /tmp/public.dat, O_WRONLY); close(fd); change_label({hr})

29 Outline 1. Flume: Solves DIFC Problems 2. Application + Evaluation

30 Questions for Evaluation Does Flume allow adoption of Unix software? Does Flume solve security vulnerabilities? Does Flume perform reasonably?

31 Example App: MoinMoin Wiki

32 How Problems Arise if not self.request.user.may.read(pagename): return self.notallowedfault() MoinMoin Wiki (100 kloc) x43 LayoffPlans FreeTShirts

33 MoinMoin + DIFC LayoffPlans Apache Web Server Declassifier 1 kloc MoinMoin Wiki (100 kloc) Trusted Untrusted FreeTShirts

34 FlumeWiki Web Client Flume- Oblivious unconfined confined reliable IPC GET /LayoffPlans?user=Intern&PW=abcd LayoffPlans Apache Declassifier 1 kloc MoinMoin (100 kloc) S={ HR } FreeTShirts S={} file I/O

35 Future Work Web Client GET /LayoffPlans?user=Intern&PW=abcd LayoffPlans Apache Declassifier 1 kloc Totally Suspect Software S={ HR } FreeTShirts S={}

36 Results Does Flume allow adoption of Unix software? 1,000 LOC launcher/declassifier 1,000 out of 100,000 LOC in MoinMoin changed Python interpreter, Apache, unchanged Does Flume solve security vulnerabilities? Without our knowing, we inherited two ACL bypass bugs from MoinMoin Both are not exploitable in Flume s MoinMoin Does Flume perform reasonably? Performs within a factor of 2 of the original on read and write benchmarks

37 Most Related Work Asbestos, HiStar: New DIFC OSes Jif: DIFC at the language level Ostia, Plash: Implementation techniques Classical MAC literature (Bell-LaPadula, Biba, Orange Book MAC, Lattice Model, etc.)

38 Limitations Bigger TCB than HiStar / Asbestos Linux stack (Kernel + glibc + linker) Reference monitor (~22 kloc) Covert channels via disk quotas Confined processes like MoinMoin don t get full POSIX API. spawn() instead of fork() & exec() flume_pipe() instead of pipe()

39 Summary DIFC is a challenge to Programmers Flume: DIFC in User-Level Preserves legacy software Complements today s programming techniques MoinMoin Wiki: Flume works as promised Invite you to play around:

40 Thanks! To: ITRI, Nokia, NSF and You

41 Reasons to Read the Paper Generalized security properties Including: Novel integrity policies Support for very large labels Support for clusters of Flume Machines

42 Flume s Rule is Fast Recall: p can send to q iff: S p D p S q D q To Compute: for each tag t S p : If t S q and t D p and t D q : output NO output OK Runs in time proportional to size of S p. No need to enumerate D p or D q!!!

43 Flume Communication Rule MoinMoin (p) S p = { Alice } P?? Database (q) S q = S q { = Alice {} } D q = { Alice, Bob } MoinMoin (r) S r = { Bob } S p S q 1. q changes to S q = { Alice } 2. p sends to q 3. q changes back to S q = {}

44 Flume Communication Rule MoinMoin (p) S p = { Alice } P Database (q) S q = {} D q = { Alice, Bob } P MoinMoin (r) S r = { Bob } Senders get extra latitude p can send to q iff: Receivers get extra latitude In IFC: S p S q In Flume: S p D p S q D q

45 Flume Kernel Module open( /alice/inbox.dat, O_RDONLY); Web App Flume Libc mov $0x5, %eax int $0x80 Flume Kernel Module Flume Reference Monitor Linux Kernel open( ) P Alice s Data

46 Reference Monitor Proxies Pipes write(0, some data, 10); Web App Flume Reference Monitor Helper Process Linux Kernel

47 Unconfined Processes e S e = {} Unconfined processes get e endpoint. kill sendmail mmap ed memory P fork ed child D p D= p = { HR {} } S p = {} HR } /tmp/public.dat DIFC S public.dat = {} PProcess q change_label({hr}) S q = { HR }

48 Endpoints Reveal Errors Eagerly D p = {HR} Process p S p = {} S p = { HR } e S e = {} P /tmp/public.dat S public.dat = {} Process q S q = { HR } P open( /tmp/public.dat, O_WRONLY); change_label({hr})

49 Why Do We Need S p? Process p S p = { Finance } D p = { HR } e S e = { Finance, HR }