HiStar and LoStar
-
Upload
fiona-foreman -
Category
Documents
-
view
40 -
download
5
description
Transcript of HiStar and LoStar
![Page 1: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/1.jpg)
Zeldovich et al. (both papers)Reading Group by Theo
![Page 2: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/2.jpg)
Part 1/2Slides based on Zeldovich’s talk
2
![Page 3: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/3.jpg)
Untrustworthy code everywhere◦Legitimate programs are vulnerable Even antivirus scanners…
◦Users authorize malicious software
Not getting any better◦Software becomes more complex
Can the O/S guarantee security?◦Probably not…
3
![Page 4: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/4.jpg)
Virus Scanner
Virus Scanner
Live Update
Live Update
Internet
Internet
Private User Files
Private User Files
/tmp/tmp Virus Database
Virus Database
Acceptable flow
Private files should not leak to the internet!Private files should not leak to the internet!4
![Page 5: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/5.jpg)
Virus Scanner
Virus Scanner
Live Update
Live Update
Internet
Internet
Private User Files
Private User Files
/tmp/tmp Virus Database
Virus Database
O/S
5
![Page 6: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/6.jpg)
Virus Scanner
Virus Scanner
Live Update
Live Update
Internet
Internet
Private User Files
Private User Files
/tmp/tmp Virus Database
Virus Database
O/S
6
![Page 7: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/7.jpg)
Virus Scanner
Virus Scanner
Live Update
Live Update
Internet
Internet
Private User Files
Private User Files
/tmp/tmp Virus Database
Virus DatabaseOr: Create file
SecretBitIs1.txtOr: Create file
SecretBitIs1.txt
2 malicious apps cooperating hard to detect!2 malicious apps cooperating hard to detect!
Covert Channel: Lock virus DB
Covert Channel: Lock virus DB
7
![Page 8: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/8.jpg)
Existing O/S are too complex◦Too many protection
mechanisms File descriptors, user ids
Doesn’t help with security
Unix
P3P3P2P2P1P1
Unix Kernel(TCB)
Unix Kernel(TCB)
H/WH/W
Complex Objects
8
![Page 9: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/9.jpg)
Unix HiStar
Unix Lib
P3P3P2P2P1P1
Unix Kernel(TCB)
Unix Kernel(TCB)
H/WH/W
P2P2P1P1
U1U1
P3P3
U3U3U2U2
HiStar Kernel(TCB)
HiStar Kernel(TCB)H/WH/W
Simple Objects9
![Page 10: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/10.jpg)
Most Unix implemented as user-level libraries◦Narrow, easily controlled interface
All kernel objects have the same, flat namespace◦Files, users, processes, address spaces are kernel
objects
All information flow is made explicit
10
![Page 11: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/11.jpg)
High DataHigh Data
High Process
High Process
Low DataLow Data
Low Process
Low Process
e.g.: credit card processing
Web ServerGlobally visible, read-only confi-
guration file
e.g.: Untrusted user process
‘High’ information should never modify ‘low’! Information only flows upwards
‘High’ information should never modify ‘low’! Information only flows upwards11
![Page 12: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/12.jpg)
Each kernel object has a label◦Files, users, programs, etc
Each label is a set of categories For each category, each object has a level E.g. ‘unmodifiable’, ‘secret’ file of user X
12
![Page 13: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/13.jpg)
Level Meaning0 Unmodifiable (read-only)1 Default Level2 Cannot be exported from PC3 Inaccessible (no read)⋆ Super access (can R/W
anything, change tags)
Fully trusted
Top Secret
Process can read less secret data (lower level), can write less trusted data (higher level)
Process can read less secret data (lower level), can write less trusted data (higher level)
Objects can have multiple labels (top secret & unmodifiable)
13
![Page 14: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/14.jpg)
Bob’sFilesBob’sFiles
Bob’s ProcessBob’s
ProcessBob’s ShellBob’s Shell
Internet
Internet
Alice’sFiles
Alice’sFiles
Alice’s ProcessAlice’s
ProcessAlice’s Shell
Alice’s Shell
Color Mismatch
14
![Page 15: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/15.jpg)
Bob’sSecret Files
Bob’sSecret Files
Bob’s FilesBob’s Files
Bob’s ShellBob’s Shell
Alice’sFiles
Alice’sFiles
Alice’s Shell
Alice’s Shell
Root shellRoot shell
15
![Page 16: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/16.jpg)
S/W only implementation 11,600 TCB kernel code◦Hmmm. Can we do better? (LoStar)◦1,300 extra bootstrapping code
HiStar ensures that you have enough rights to execute, read, write data
Malicious web app can leak data only of the users that called it.
Does not protect against DoS
16
![Page 17: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/17.jpg)
17
![Page 18: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/18.jpg)
Part 2/2
18
![Page 19: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/19.jpg)
HiStar has few kernel objects◦Process, files, address space, etc
Each object has a label◦‘Colored’ objects ◦Access allowed only when I have enough
credentials for that label
Let’s color the physical RAM!◦Using Raksha-like H/W
19
![Page 20: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/20.jpg)
Unix HiStar
P2P2P1P1
U1U1
P3P3
U3U3U2U2
HiStar Kernel(TCB)
HiStar Kernel(TCB)
DRAMDRAM
Unix Lib
P3P3P2P2P1P1
Unix Kernel(TCB)
Unix Kernel(TCB)
DRAMDRAM
LoStar
P1P1
U1U1
P2P2
KernelKernel
P3P3
U3U3U2U2
KernelKernel
KernelKernel
(TCB)Security Monitor
(TCB)Security Monitor
DD RR AA MM
Super-Visor
Moni-torPhysical RAM
Authorized Colors
Protection Domain
20
![Page 21: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/21.jpg)
Each 32-bit word has a 32-bit color Every memory reference (I and D) will retrieve
the associated color The security monitor checks the HiStar label
for that color and the current thread’s rights Check will be cached for future reuse
21
![Page 22: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/22.jpg)
TagsTags TagsTags
L1-IL1-IPCPC De-
codeDe-
codeReg. FileReg. File
Permission Checks
Permission Checks
EXCEXC WBWBALU
Preexisting
Loki Logic
Loki Tags
L1-DL1-D
Execute P-CacheExecute P-Cache R/W
P-CacheR/W
P-Cache
Memory ControllerMemory
Controller
MemoryMemory TagsTags
Tag HandlingTag Handling
22
![Page 23: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/23.jpg)
Color: 32-bit physical address of HiStar’s label◦1 color per page Indirect entry for multi-colored pages (color/word)
Colors stored in RAM◦Physical address space reserved Virtual memory manager not in the TCB
Colors associated with physical addresses◦No aliasing problem
23
![Page 24: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/24.jpg)
A cache of recently checked labels◦32-bit color tag and 3 bit permissions (RWX)
32-entry 2-way set associative Can be thought as TLB◦Permission Lookaside Buffer◦Normal TLB tricks apply Eg P-Cache-I and P-Cache-D
Saved on context switch
24
![Page 25: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/25.jpg)
Security exception calls LoStar’s monitor◦Not the kernel (HiStar) of the active thread
Security monitor in TCB◦No checks performed◦No physical – virtual translation◦‘Trusted’ mode above the H/W supervisor move
25
![Page 26: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/26.jpg)
HiStar calls LoStar for new labels◦LoStar will write-protect the new label
LoStar protects critical global HiStar structures◦E.g., kernel object hash table◦HiStar kernels do not have to trust each other So virtual memory manager not in the TCB
LoStar does not guarantee liveness
26
![Page 27: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/27.jpg)
Pipeline Depth 7 L1-I 16 KB, 2-way SARegister Windows 8 L1-D 32 KB, 2-way SA
Memory 512 MB I-TLB 8-entry, fully assoc.Bus width 64 bits D-TLB 8-entry, fully assoc.
Frequency 65 MHz I-Tag Cache 8-entry, fully assoc.*D-Tag Cache 8-entry, fully assoc.*
P-Cache 32-entry 2-way SA*Store page granularity tags.Multicolored pages store tags in ‘modified’(?) caches
27
![Page 28: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/28.jpg)
Hardware Overhead
Trusted Code Base
Component Block RAMs 4-input LUTsBase Leon 43 14,502Loki Logic 2 2,756
% increase 5 19
Lines of code HiStar LoStarKernel code 11,600 12,700
Bootstrapping code 1,300 1,300Security monitor - 5,200
TCB size 11,600 5,20028
![Page 29: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/29.jpg)
29
![Page 30: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/30.jpg)
30
![Page 31: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/31.jpg)
HiStarLoStar
LoStar without page tags1.4
1.6
1.0
1.2
0.6
0.8
0.2
0.4
0.0
Aver
age
Slow
dow
n
primes syscall IPC fork/exec small-file large-file wget gzip
Benchmarks
31
![Page 32: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/32.jpg)
HiStar is an O/S with strict information flow◦Most O/S implemented as user library◦~11,000 TCB◦Achieves good performance
LoStar is a hardware-assisted HiStar◦~5,000 TCB◦Similar performance to HiStar
Unclear whether the benefit of reduced TCB outweighs the cost of extra H/W
32
![Page 33: HiStar and LoStar](https://reader036.fdocuments.net/reader036/viewer/2022062422/56813874550346895da02245/html5/thumbnails/33.jpg)
Questions?
33