Securing Untrustworthy Software Using Information Flow Control
Transcript of Securing Untrustworthy Software Using Information Flow Control
![Page 1: Securing Untrustworthy Software Using … Untrustworthy Software Using Information Flow Control Nickolai Zeldovich Joint work with Silas Boyd-Wickizer, Eddie Kohler, David Mazières](https://reader034.fdocuments.net/reader034/viewer/2022050902/5ab985a37f8b9ac10d8e5b9e/html5/thumbnails/1.jpg)
Securing Untrustworthy Software Using Information Flow Control
Nickolai Zeldovich
Joint work with Silas Boyd-Wickizer, Eddie Kohler, David Mazières
Problem: Bad Code
● PayMaxx divulges social security numbers
– Sequential account number stored in the URL
– First account had SSN 000-00-0000, no password
● CardSystems loses 40,000,000 CC numbers
● Secret service email stolen from T-mobile
● 10,000 students' data compromised at Stanford
● Don't these people know what they're doing?
Problem: Bad Code
● Even security experts can't get it right
● May 2006: Symantec AV 10.x remote exploit
– Software deployed on 200,000,000 machines
– Without this software, machines also vulnerable
– You just can't win
● If Symantec can't get it right, what hope is there?
Solution: Give up
● Accept that software is largely untrustworthy
● Legitimate software is often vulnerable
● Users willingly run malicious software
– Malware, spyware, ...
● No sign that this problem is going away
● Reduce the amount of trusted software
– Focus on security of data, not security of code
Example: Virus Scanner
[Diagram: Private User Files, Virus Scanner (ClamAV), /tmp, Update Process, Virus Database, Network]
● Goal: private files cannot go onto the network
● Can we eliminate trust in ClamAV?
Information Flow Control
[Diagram: Private User Files, Virus Scanner, /tmp, Update Process, Virus Database, Network]
● Goal: private files cannot go onto the network
Buggy scanner leaks private data
[Diagram: Private User Files, Virus Scanner, /tmp, Update Process, Virus Database, Network; successive builds add further leak paths: a User Shell reached via ptrace, a ps listing showing setproctitle:0x6e371bc2, disk usage, and fcntl locking]
● Must restrict sockets to protect private data
● Must restrict scanner's ability to use IPC
● Must run scanner in chroot jail
● Must run scanner with different UID
● Must restrict access to /proc, ...
● Must restrict FS'es that virus scanner can write
● List goes on – is there any hope?
What's going on?
[Diagram: processes P1, P2, P3 on top of the Unix Kernel, on top of Hardware]
● Kernel not designed to enforce these policies
● Retrofitting difficult
– Need to track potentially any memory observed or modified by a system call!
– Hard to even enumerate
HiStar Solution
[Diagram: Unix (P1, P2, P3 on the Unix Kernel on Hardware) beside HiStar (P1, P2, P3 on Unix Library instances U1, U2, U3 on the HiStar Kernel on Hardware)]
● Make all state explicit, track all communication
HiStar design
● Narrow kernel interface
– Simple objects with simple, well-defined operations
– Strictly control information flow for every operation
– Overall approach: make everything explicit
● Unix support implemented as user-level library
– Composes safe kernel operations to implement Unix
– Composing is safe, since information flow is transitive
– Provides control over the gamut of Unix channels
HiStar kernel objects
[Diagram: Segment (Data), Address Space, Thread, Gate (IPC), Container (Directory), Device (Network); every object carries a Label]
Think of labels as a “tainted” bit
HiStar: Unix process
[Diagram: a Process Container holding a Code Segment, a Data Segment, an Address Space and a Thread]
Unix File Descriptors
[Diagram: Process A and Process B share a File Descriptor (O_RDONLY) held in Kernel State, including its seek pointer 0xa32f; the flow between them is marked X]
● Tainted process only talks to other tainted procs
● Lots of shared state in kernel, easy to miss
HiStar File Descriptors
[Diagram: Thread A in Address Space A and Thread B in Address Space B share a File Descriptor Segment (O_RDONLY) with seek pointer 0xa32f; B's access is marked X]
● All shared state is now explicitly labeled
● Reduce problem to object read/write checks
Taint Tracking Strawman
[Diagram: Tainted Thread A does write(File); Thread B then does read(File) and gets ACCESS DENIED]
● Propagate taint when writing to file
● What happens when reading?
Strawman has Covert Channel
TaintedThread A
File 0
File 1
Thread B Network
Secret = 1
X
![Page 34: Securing Untrustworthy Software Using … Untrustworthy Software Using Information Flow Control Nickolai Zeldovich Joint work with Silas Boyd-Wickizer, Eddie Kohler, David Mazières](https://reader034.fdocuments.net/reader034/viewer/2022050902/5ab985a37f8b9ac10d8e5b9e/html5/thumbnails/34.jpg)
Strawman has Covert Channel
TaintedThread A Thread B
File 0
File 1
Network
write(File 1)
Secret = 1
![Page 35: Securing Untrustworthy Software Using … Untrustworthy Software Using Information Flow Control Nickolai Zeldovich Joint work with Silas Boyd-Wickizer, Eddie Kohler, David Mazières](https://reader034.fdocuments.net/reader034/viewer/2022050902/5ab985a37f8b9ac10d8e5b9e/html5/thumbnails/35.jpg)
Strawman has Covert Channel
TaintedThread A Thread B
File 0
File 1
Network
read(File 0)read(File 1)
Secret = 1
X
![Page 36: Securing Untrustworthy Software Using … Untrustworthy Software Using Information Flow Control Nickolai Zeldovich Joint work with Silas Boyd-Wickizer, Eddie Kohler, David Mazières](https://reader034.fdocuments.net/reader034/viewer/2022050902/5ab985a37f8b9ac10d8e5b9e/html5/thumbnails/36.jpg)
Strawman has Covert Channel
TaintedThread A Thread B
File 0
File 1
Network
send email: “secret=1”
Secret = 1
X
![Page 37: Securing Untrustworthy Software Using … Untrustworthy Software Using Information Flow Control Nickolai Zeldovich Joint work with Silas Boyd-Wickizer, Eddie Kohler, David Mazières](https://reader034.fdocuments.net/reader034/viewer/2022050902/5ab985a37f8b9ac10d8e5b9e/html5/thumbnails/37.jpg)
Strawman has Covert Channel
TaintedThread A Thread B
File 0
File 1
Network
Secret = 1
read(File 0)read(File 1)
X
● What if we taint Bwhen it reads File 1?
![Page 38: Securing Untrustworthy Software Using … Untrustworthy Software Using Information Flow Control Nickolai Zeldovich Joint work with Silas Boyd-Wickizer, Eddie Kohler, David Mazières](https://reader034.fdocuments.net/reader034/viewer/2022050902/5ab985a37f8b9ac10d8e5b9e/html5/thumbnails/38.jpg)
Strawman has Covert Channel
TaintedThread A
Thread 0File 0
File 1 Thread 1
Network
Secret = 1
read(File 0)
read(File 1)
● What if we taint Bwhen it reads File 1?
![Page 39: Securing Untrustworthy Software Using … Untrustworthy Software Using Information Flow Control Nickolai Zeldovich Joint work with Silas Boyd-Wickizer, Eddie Kohler, David Mazières](https://reader034.fdocuments.net/reader034/viewer/2022050902/5ab985a37f8b9ac10d8e5b9e/html5/thumbnails/39.jpg)
Strawman has Covert Channel
TaintedThread A
Thread 0File 0
File 1 Thread 1
Network
Secret = 1
send email:“secret=1”
send email:“secret=0”
X
● What if we taint Bwhen it reads File 1?
![Page 40: Securing Untrustworthy Software Using … Untrustworthy Software Using Information Flow Control Nickolai Zeldovich Joint work with Silas Boyd-Wickizer, Eddie Kohler, David Mazières](https://reader034.fdocuments.net/reader034/viewer/2022050902/5ab985a37f8b9ac10d8e5b9e/html5/thumbnails/40.jpg)
HiStar: Immutable File Labels
TaintedThread A Thread B
read(...)Untainted
File
TaintedFile
X
X
write(...)
● Label (taint level) is state that must be tracked● Immutable labels solve this problem!
Who creates tainted files?
[Diagram: Tainted Thread A attempts Create Tainted File in the Directory, marked X; Untainted File, Tainted File, Thread B]
● Tainted thread can't modify untainted directory to place the new file there...
HiStar: Untainted thread pre-creates tainted file
[Diagram: untainted Thread C does Create Tainted File in the Directory; Tainted Thread A, Thread B, Untainted File, Tainted File]
● Existence and label of tainted file provide no information about A
Reading a tainted file
[Diagram: Tainted Thread A, Thread B, Thread C, Directory, Untainted File, Tainted File; B's direct read of the Tainted File is marked X; B calls readdir() on the Directory, obtains the tainted file's label, and then taints itself]
● Existence and label of tainted file provide no information about A
● Neither does B's decision to taint
HiStar avoids file covert channels
● Immutable labels prevent covert channels that communicate through label state
● Untainted threads pre-allocate tainted files
– File existence or label provides no secret information
● Threads taint themselves to read tainted files
– Tainted file's label accessible via parent directory
Problems with IPC
[Diagram over Time: the Client Thread sends SELECT ... to the DB Server through an IPC Port; the server does Create of Server Threads; Results come back through IPC Return]
● IPC with tainted client
– Taint server thread during request
– Secrecy preserved?
● Lots of client calls
– Limit server threads? Leaks information...
– Otherwise, no control over resources!
Gates make resources explicit
[Diagram over Time: the Client Thread enters the DB Server through a Gate with SELECT ..., runs Server Code alongside the Server Threads, and comes back with Results through a Return Gate]
● Client donates initial resources (thread)
● Client thread runs in server address space, executing server code
● No implicit resource allocation – no leaks
How do we get anything out?
[Diagram: Virus Scanner reads Alice's Files; its path to the Network is marked X]
“Owner” privilege
[Diagram: Alice's shell sits between Alice's Files, the Virus Scanner and the Network; the scanner's direct path to the Network is marked X]
● Star can get around information flow restrictions
● Small, trusted shell can isolate a large, frequently-changing virus scanner
Multiple categories of taint
[Diagram: Alice's shell with Alice's Files and a Virus Scanner, Bob's shell with Bob's Files and a Virus Scanner; both scanners' paths to the Network are marked X]
● Owner privilege and information flow control are the only access control mechanisms
● Anyone can allocate a new category, gets star
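Added example (not code from the talk or from HiStar): a small Python model of the “tainted bit” labels used above, with one set of taint categories per object and thread and a per-thread set of owned categories standing in for the star. It walks the strawman's label covert channel, HiStar's immutable-label refusal with a pre-created tainted file and a self-tainting reader, and per-user categories with owner privilege; the names Obj, Thread, can_read, can_write and the category strings are this example's own, and the model leaves out HiStar's integrity levels.

```python
from dataclasses import dataclass

@dataclass
class Obj:
    """A labeled object (file, directory, network device). Label = set of
    categories the object is tainted in; it never changes after creation."""
    name: str
    label: frozenset
    data: str = ""

@dataclass
class Thread:
    """A thread: its own taint set plus the categories it owns (star)."""
    name: str
    label: frozenset
    owned: frozenset = frozenset()

def can_read(t: Thread, o: Obj) -> bool:
    # Observe only objects whose every taint the thread already carries,
    # unless the thread owns (has a star in) the missing category.
    return o.label <= (t.label | t.owned)

def can_write(t: Thread, o: Obj) -> bool:
    # Modify only objects that carry every taint the thread carries, so
    # tainted data never flows into a less-tainted object (star bypasses).
    return t.label <= (o.label | t.owned)

def strawman_covert_channel(secret_bit: int) -> int:
    """Strawman: a write propagates the writer's taint onto the file instead
    of being refused, so the file's label becomes secret-dependent state."""
    a = Thread("A", frozenset({"secret"}))
    b = Thread("B", frozenset())
    files = [Obj("File 0", frozenset()), Obj("File 1", frozenset())]
    target = files[secret_bit]
    target.label = target.label | a.label      # taint propagates on write
    # B never sees tainted bytes; it only sees which read is refused.
    denied = [not can_read(b, f) for f in files]
    return denied.index(True)                  # equals secret_bit

def histar_probe(secret_bit: int) -> list:
    """HiStar: labels are immutable, so A's write to an untainted file is
    refused and B's view of both files is the same for either secret."""
    a = Thread("A", frozenset({"secret"}))
    b = Thread("B", frozenset())
    files = [Obj("File 0", frozenset()), Obj("File 1", frozenset())]
    if can_write(a, files[secret_bit]):
        raise RuntimeError("tainted thread must not write an untainted file")
    return [not can_read(b, f) for f in files]  # [False, False] either way

def histar_tainted_file_flow() -> dict:
    """Untainted C pre-creates a tainted file in an untainted directory;
    tainted A may write it; B must taint itself to read it and afterwards
    can no longer write to the untainted network object."""
    c = Thread("C", frozenset())
    directory = Obj("Directory", frozenset())
    tainted_file = Obj("Tainted File", frozenset({"secret"}))
    if not can_write(c, directory):
        raise RuntimeError("untainted C should be able to add a directory entry")
    a = Thread("A", frozenset({"secret"}))
    if can_write(a, tainted_file):
        tainted_file.data = "private data"
    b = Thread("B", frozenset())
    network = Obj("Network", frozenset())
    before = can_read(b, tainted_file)
    # readdir() on the untainted directory exposes the file's label, so B can
    # decide to taint itself; that decision reveals nothing about A's data.
    b = Thread("B", b.label | {"secret"})
    return {
        "b_reads_before_taint": before,
        "b_reads_after_taint": can_read(b, tainted_file),
        "b_writes_network_after_taint": can_write(b, network),
    }

def owner_privilege_demo() -> dict:
    """Alice's shell allocated category 'alice' and holds its star; her
    scanner runs tainted with it; Bob's secret files use category 'bob'."""
    alice = Thread("Alice's shell", frozenset(), owned=frozenset({"alice"}))
    alice_files = Obj("Alice's Files", frozenset({"alice"}))
    scanner = Thread("Virus Scanner", frozenset({"alice"}))
    bob_secret = Obj("Bob's Secret Files", frozenset({"bob"}))
    network = Obj("Network", frozenset())
    root = Thread("root's shell", frozenset())   # owns no user category
    return {
        "scanner_reads_alice_files": can_read(scanner, alice_files),
        "scanner_writes_network": can_write(scanner, network),
        "scanner_reads_bob_secret": can_read(scanner, bob_secret),
        "alice_shell_reads_alice_files": can_read(alice, alice_files),
        "alice_shell_writes_network": can_write(alice, network),
        "root_reads_bob_secret": can_read(root, bob_secret),
    }
```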
HiStar root privileges are explicit
[Diagram: Alice's shell, Bob's shell and root's shell; root's shell reaches Alice's Files and Bob's Files, but its access to Bob's Secret Files is marked X]
● Kernel gives no special treatment to root
● Users can keep secret data inaccessible to root
What to do with inaccessible files?
[Diagram: Alice's shell, Bob's shell, root's shell, Alice's Files, Bob's Files, Bob's Secret Files; both root's and Bob's access to Bob's Secret Files are marked X]
● No one has privilege to access Bob's Secret Files
HiStar resource allocation
[Diagram: Bob's shell and Bob's Files live in Bob's Container; Bob's Secret Container holding Bob's Secret Files is created inside it, Bob's access to it is marked X, and Bob's shell then does Unlink on it, leaving only Bob's Container with Bob's Files]
● Create a new sub-container for secret files
● Bob can delete sub-container even if he cannot otherwise access it!
HiStar resource allocation
[Diagram: the Root Container holds root's shell and Bob's Container (Bob's Files, Bob's shell)]
● Root has control over all resources: root owns the root container
● Remove recalcitrant users by unlinking their container from the root container
Persistent Storage
● Unix: file system implemented in the kernel
  – Many potential pitfalls leading to covert channels: mtime, atime, link counts, ...
  – Would be great to implement it in user space as well
● HiStar: single-level store (like Multics / EROS)
  – All kernel objects are stored on disk; memory is a cache
  – No difference between disk and memory objects
  – Eliminates the need for trusted boot scripts
Single-level store
% ssh root@histar
HiStar# reboot
rebooting...
done
HiStar#
Kernel checkpoints to disk:
● Threads
● Address spaces
● Segments (memory)
● ...and then reboots the machine
Kernel boots up, reads in:
● Threads
● Address spaces
● Segments (memory)
● ...and continues as before!
File System
[Diagram: Container /tmp holds a directory mapping filename "one" to Segment /tmp/one and "two" to Container /tmp/two, ...]
● Implemented at user level, using the same kernel objects (segments and containers)
● Security checks are separate from the FS implementation
How to really reboot?
● Separate command called “ureboot”
● Kills all processes except itself (ureboot)
  – Deletes all containers except for the file system
  – FS containers have a special bit that excludes threads
● Starts a new init process
  – It will start everything else (TCP/IP stack, sshd, ...)
HiStar kernel design
● Kernel operations make information flow explicit
● Kernel never implicitly changes labels
  – Explicit operation for a thread to taint itself
● Kernel never implicitly allocates resources
  – Explicit resource allocation: gates, pre-created files
● Kernel has no concept of superuser
  – Users can explicitly grant their privileges to root
  – Root owns the top-level container
Applications
● Many Unix applications
  – gcc, gdb, openssh, ...
● High-security applications alongside Unix
  – Untrusted virus scanners (already described)
  – VPN/Internet data separation (see paper)
  – login with user-supplied authentication code (next)
  – Privilege-separated web server
Login on Unix: highly centralized
[Diagram: the Login Process (runs as root) receives User: Bob, Pass: 1bob and checks it against /etc/shadow, which holds Alice: H(alic3) and Bob: H(1bob)]
● Difficult and error-prone to extend the login process
  – Any bug can lead to complete system compromise!
Login on HiStar: less trusted code
[Diagram: the Login Process receives User: Bob, Pass: 1bob and hands the password to Bob's Auth. Service, which holds PW: H(1bob) and answers OK; Alice's Auth. Service holds PW: H(alic3) separately]
● Login process requires no privileges
● Each user can provide their own auth. service
● No code runs with every user's privilege
  – Each user trusts their own 300-line authentication agent
● Users supply their own authentication agent
  – Password checker, one-time passwords, ...
● OS ensures the password is not disclosed
  – Even if the user mistypes the username and gives the password to a malicious authentication agent (see paper)
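The resource-allocation slides (a thread may reclaim a sub-container it cannot read) and the login slides just above (an untrusted agent may read the password but cannot carry it anywhere untainted) both come down to the same label check. The Go model below is an added illustration, not HiStar's own code: it reduces HiStar labels to a map from category to secrecy level (default 1, tainted 3, ownership as a bypass), implements the read and write flow checks, container unlink and explicit self-tainting, and replays both scenarios. The category numbers, object names, the password 1bob and the attacker's file are constructed for the example; the real kernel's label semantics and its gate-based agent invocation are richer than this.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Category is a HiStar taint category (an opaque id in this model).
type Category int

// Label maps categories to secrecy levels; absent categories sit at the
// default level 1, and level 3 means "tainted" in that category.
type Label map[Category]int

func (l Label) level(c Category) int {
	if v, ok := l[c]; ok {
		return v
	}
	return 1
}

// Object is a kernel object: a segment, or a container holding other objects.
type Object struct {
	Name     string
	Label    Label
	Data     string
	Children map[string]*Object // nil unless the object is a container
}

// Thread carries its own label and the categories it owns (level "*");
// ownership lets it bypass the flow check in that category.
type Thread struct {
	Name  string
	Label Label
	Owns  map[Category]bool
}

// flows reports whether data labelled src may flow to something labelled dst,
// ignoring the categories in owns.
func flows(src, dst Label, owns map[Category]bool) bool {
	for _, l := range []Label{src, dst} {
		for c := range l {
			if !owns[c] && src.level(c) > dst.level(c) {
				return false
			}
		}
	}
	return true
}

func (t *Thread) CanRead(o *Object) bool  { return flows(o.Label, t.Label, t.Owns) }
func (t *Thread) CanWrite(o *Object) bool { return flows(t.Label, o.Label, t.Owns) }

// Taint is the explicit, thread-initiated label raise; the kernel never
// changes a thread's label on its own.
func (t *Thread) Taint(c Category) { t.Label[c] = 3 }

// Unlink reclaims a child from a container. Only write access to the
// container is checked; the child's label plays no part, which is why Bob
// can delete a sub-container he is not allowed to read.
func (t *Thread) Unlink(container *Object, name string) error {
	if !t.CanWrite(container) {
		return fmt.Errorf("%s: no write access to %s", t.Name, container.Name)
	}
	if _, ok := container.Children[name]; !ok {
		return fmt.Errorf("%s: no child named %q", container.Name, name)
	}
	delete(container.Children, name)
	return nil
}

// BobDeletesSecretContainer replays the resource-allocation slides.
func BobDeletesSecretContainer() (shellCanRead bool, childrenLeft int, unlinkErr error) {
	bob, secret := Category(1), Category(2) // Bob's user category; taint for his secret files
	shell := &Thread{Name: "Bob's shell", Label: Label{}, Owns: map[Category]bool{bob: true}}
	secretC := &Object{Name: "Bob's Secret Container", Label: Label{bob: 0, secret: 3},
		Children: map[string]*Object{"plan": {Name: "Bob's Secret Files", Label: Label{bob: 0, secret: 3}}}}
	bobC := &Object{Name: "Bob's Container", Label: Label{bob: 0}, // integrity 0: only Bob writes it
		Children: map[string]*Object{"files": {Name: "Bob's Files", Label: Label{bob: 0}}, "secret": secretC}}
	shellCanRead = shell.CanRead(secretC)    // false: secret at level 3 does not flow to the untainted shell
	unlinkErr = shell.Unlink(bobC, "secret") // nil: Bob owns his container, so he may reclaim the child
	return shellCanRead, len(bobC.Children), unlinkErr
}

// LoginWithUntrustedAgent replays the login slides: the typed password lives
// in a segment tainted with a fresh category pw that only login owns.
func LoginWithUntrustedAgent(typed string, malicious bool) (leaked, ok bool) {
	pw := Category(10)
	login := &Thread{Name: "login", Label: Label{}, Owns: map[Category]bool{pw: true}}
	passwd := &Object{Name: "password segment", Label: Label{pw: 3}, Data: typed}
	verdict := &Object{Name: "verdict segment", Label: Label{pw: 3}}
	attackerFile := &Object{Name: "attacker's file", Label: Label{}}
	agent := &Thread{Name: "Bob's auth agent", Label: Label{}} // owns nothing
	stored := sha256.Sum256([]byte("1bob"))                    // constructed: Bob's PW: H(1bob)

	if agent.CanRead(passwd) {
		panic("untainted agent must not read the tainted password")
	}
	agent.Taint(pw) // explicit self-taint: may read pw data, may no longer write untainted objects
	if malicious && agent.CanWrite(attackerFile) {
		attackerFile.Data = passwd.Data // never reached: {pw:3} does not flow to {}
		leaked = true
	}
	if agent.CanWrite(verdict) { // allowed: same taint
		if sha256.Sum256([]byte(passwd.Data)) == stored {
			verdict.Data = "OK"
		} else {
			verdict.Data = "FAIL"
		}
	}
	// login owns pw, so only it can declassify, and only this one-bit verdict leaves the taint.
	ok = login.CanRead(verdict) && verdict.Data == "OK"
	return leaked, ok
}

func main() {
	fmt.Println(BobDeletesSecretContainer())
	fmt.Println(LoginWithUntrustedAgent("1bob", true))
}
```

The point to notice is where the checks are not: Unlink never looks at the child's label, and the agent is stopped not by any code that inspects it but by the write rule once it has tainted itself. A malicious agent still learns one bit per attempt through the verdict, which is the same bit a password guess would yield.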
HiStar SSL Web Server
[Diagram: User's browser → inetd (310 lines) → SSL (OpenSSL, 340K lines) → httpd (300 lines) → Application code (680K lines: PDF maker); a separate RSAd process (4600 lines) holds the certificate's RSA key; User authentication and User data sit behind httpd; the trusted components are drawn in green]
● Only a small fraction of the code (green) is trusted
● OpenSSL is trusted only to encrypt and decrypt
● OpenSSL cannot disclose the certificate's private key, which lives in RSAd
● httpd is trusted with the user's privilege and credentials
● Application code cannot disclose user data
HiStar allows developers to reduce trusted code
● No code with every user's privilege during login
● No trusted code to initiate authentication
● 110-line trusted wrapper for a large virus scanner
● Web server isolates different users' app code
● Small kernel: under 20,000 lines of code
HiStar controls one machine
● Can enforce security for a small web server
[Diagram: one Web Server machine running httpd, Application code and User data]
Large services are distributed
[Diagram: Front-end Server (httpd), Application Server (Application code) and Data Server (User data), with "?" on the links between them]
● How to track information flow across machines?
Problem: Who can we trust?
● No single fully-trusted kernel to make decisions
[Diagram: Front-end, Application and Data Servers as before, plus an Attacker's Server; the link to the attacker is marked X, the others "?"]
Globally-trusted authority?
● Made sense for a local kernel (HiStar), but not here
  – Problems with scalability, security, trust
[Diagram: a Global Network Authority mediating between the Front-end, Application and Data Servers and the Attacker's Server, marked X]
Decentralized design
● When is it safe to contact another machine?
  – Any query may leak information to the attacker!
[Diagram: each server (httpd, Application code, User data) has its own Local Authority; the Attacker's Server is marked X, the other links "?"]
Solution: Users define trust with self-certifying categories
● A category (taint color) is a public key C
● To trust host H with your secret data, sign a delegation certificate (H trusted with C) using the private key C⁻¹
● Anyone can verify delegation certificates based on the category name (the public key)
Exporter daemons
[Diagram: httpd, Application code and User data each run on a machine with its own Exporter]
● HiStar enforces information flow locally
● Exporters send UDP-like messages with labels
  – Not part of the kernel; only in the TCB for distributed apps
  – Need delegations to determine if the recipient is trusted
Strawman: Exporter stores delegations
[Diagram: a File Server holds Private User Files; its Exporter keeps a delegation table (Host X: the user's category) and consults it when asked to "Send to X"]
● Delegation: the user trusts host X with his data
Strawman has covert channel
[Diagram: on the File Server, an Attacker Process that has read the Private User Files adds a delegation for Host Y to the Exporter's table ("Delegate to Y") to signal the 1st bit; a 2nd attacker process then asks the Exporter to "Send to Y" and learns the bit from whether the send is allowed]
● The exporter's delegation table is shared, mutable state: a process that has seen the secret can modulate it, and a process that has not can observe it through the exporter's decision
Solution: Stateless exporter
● Delegations are self-authenticating
[Diagram: the File Server's Exporter no longer keeps a delegation table, so the Attacker Process and the 2nd attacker Process have no exporter state to communicate through]
Sender supplies delegations
● Result depends only on caller-supplied data
  – Verify certificate signatures using the category's public key
[Diagram: the sender's request to the Exporter is "Send to Y + delegations for host Y"; the Exporter checks the supplied certificates and stores nothing]
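A worked version of the self-certifying categories from the earlier slide and the stateless exporter check just described, as an added Go example rather than code from the HiStar project: a category is an Ed25519 key pair whose public key names it, a delegation is the statement (host, category) signed with the category's private key, and the exporter's decision is a pure function of the message's label and the delegations the caller hands over. The host names X and Y, the byte encoding of the signed statement, the Message type and the Scenario function are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// CategoryKey is a self-certifying category: the public key is its name, and
// whoever holds the private key owns it and is the only party able to delegate it.
type CategoryKey struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCategory() CategoryKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the OS random source is broken
	}
	return CategoryKey{Pub: pub, priv: priv}
}

// Delegation is the statement "Host is trusted with Category", signed with
// the category's private key (C⁻¹ on the slide).
type Delegation struct {
	Category ed25519.PublicKey
	Host     string
	Sig      []byte
}

// delegationBytes is the signed encoding (constructed for this example): a
// tag, the host, a NUL separator, then the category key, so a signature over
// one (host, category) pair cannot be reinterpreted as another.
func delegationBytes(cat ed25519.PublicKey, host string) []byte {
	return append([]byte("histar-delegation\x00"+host+"\x00"), cat...)
}

func (c CategoryKey) Delegate(host string) Delegation {
	return Delegation{Category: c.Pub, Host: host, Sig: ed25519.Sign(c.priv, delegationBytes(c.Pub, host))}
}

// Valid checks the certificate against the category's own public key; no
// authority is consulted and nothing is looked up.
func (d Delegation) Valid() bool {
	return len(d.Category) == ed25519.PublicKeySize &&
		ed25519.Verify(d.Category, delegationBytes(d.Category, d.Host), d.Sig)
}

// Message is the labelled datagram an exporter forwards: Taint lists the
// categories whose secrets the payload may carry.
type Message struct {
	Dest    string
	Taint   []ed25519.PublicKey
	Payload []byte
}

// MaySend is the stateless exporter decision: every category in the message's
// taint needs a valid delegation to Dest among the certificates the caller
// supplied. The exporter keeps no table, so nothing it remembers can be
// modulated by one process and observed by another.
func MaySend(m Message, supplied []Delegation) bool {
	for _, cat := range m.Taint {
		trusted := false
		for _, d := range supplied {
			if d.Host == m.Dest && bytes.Equal(d.Category, cat) && d.Valid() {
				trusted = true
				break
			}
		}
		if !trusted {
			return false
		}
	}
	return true
}

// Scenario plays out the slides: the user delegates category C to host X; an
// attacker then tries to move C-tainted data to host Y, first with a
// certificate signed by his own key, then with the genuine X certificate
// whose host field he edited.
func Scenario() (toX, toYAttackerKey, toYEdited, untaintedToY bool) {
	user, attacker := NewCategory(), NewCategory()
	delegX := user.Delegate("X")
	secret := Message{Dest: "X", Taint: []ed25519.PublicKey{user.Pub}, Payload: []byte("private user file")}
	toX = MaySend(secret, []Delegation{delegX})

	secret.Dest = "Y"
	fake := attacker.Delegate("Y")
	fake.Category = user.Pub // names the user's category but carries the attacker's signature
	toYAttackerKey = MaySend(secret, []Delegation{fake})
	edited := delegX
	edited.Host = "Y" // genuine signature over the wrong statement
	toYEdited = MaySend(secret, []Delegation{edited})
	untaintedToY = MaySend(Message{Dest: "Y", Payload: []byte("public page")}, nil) // no taint, nothing to prove
	return
}

func main() {
	fmt.Println(Scenario())
}
```

Nothing in MaySend reads from anywhere but its arguments, which is the property the strawman lacked: an attacker who can read the secret has no exporter-side state to write into, and an attacker who cannot read it gains nothing from supplying certificates he cannot sign. Revocation is the price of statelessness; the slides do not cover it, and in this model a delegation stays valid until the category key is retired.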
Recall: HiStar SSL Web Server
[Diagram as before: User's browser → inetd (310 lines) → SSL (340K lines) → httpd (300 lines) → Application code (680K lines: PDF maker); RSAd (4600 lines) holds the RSA key; User authentication and User data are separate components]
● Only a small fraction of the code (green) is trusted
Scalable, Distributed Web Server
[Diagram: the same components (inetd 310 lines, SSL 340K lines, RSAd 4600 lines with the RSA key, httpd 300 lines, User authentication, Application code, User data) spread across several machines]
● Same security properties (except that exporters must be trusted)
  – No fully-trusted machines: limits the effect of a compromise
Conclusion
● HiStar reduces the amount of trusted code
  – Safely run untrusted code on confidential data
● Kernel interface eliminates covert channels
  – Make everything explicit: labels, resources
● Unix library makes Unix information flow explicit
  – Superuser by convention, not by design
● No fully-trusted machines in the distributed system
http://www.scs.stanford.edu/histar/
Benchmarks, relative to Linux
[Bar chart: gcc, wget, Clam AV, pipe, disk read, disk write, create 10k files, fork, exec for Linux, HiStar and OpenBSD; y-axis 0 to 7.5, normalized to Linux]
● Comparable performance to Linux and OpenBSD
● Application-level benchmarks and disk benchmarks
● 217x faster: synchronous creation of 10,000 files
  – HiStar allows use of group sync: the application either runs to completion or appears to never start (single-level store)
● 7.5x slower
  – Linux: 9 syscalls per iteration; HiStar: 317 syscalls per iteration
Web server: “PDF maker” app
[Bar chart: throughput on one server, requests per second (0 to 6), for Linux Apache, Unified, Separated and Distributed configurations]
[Line chart: scalability of application servers, throughput (0 to 14) against 1, 2 and 3 application servers, with a fixed number of other servers]
Language-based security
● Much more fine-grained control
● Resource allocation covert channels are hard to fix
● Similar problems in structuring code
  – if (secret == 1) foo();
    printf("Hello world.\n");
  – If secret is tainted, foo runs tainted
  – printf only runs if foo terminates
  – Must prove that foo halts to remove the taint on the thread
Labels vs capabilities
● Both provide strong isolation
● Capabilities: determine privilege before starting
  – Restricts program structure
● Labels: can change privilege levels at runtime
  – Thread can raise its label to read a secret file
  – Label change prevents writing to non-secret files
  – Easier to apply to existing code
Labels in a capability OS
[Diagram: Process A behind a Capability Wrapper that carries A's label; a second Capability Wrapper ...]