Zeldovich et al. (both papers)Reading Group by Theo
Part 1/2Slides based on Zeldovich’s talk
2
Untrustworthy code everywhere◦Legitimate programs are vulnerable Even antivirus scanners…
◦Users authorize malicious software
Not getting any better◦Software becomes more complex
Can the O/S guarantee security?◦Probably not…
3
Virus Scanner
Virus Scanner
Live Update
Live Update
Internet
Internet
Private User Files
Private User Files
/tmp/tmp Virus Database
Virus Database
Acceptable flow
Private files should not leak to the internet!Private files should not leak to the internet!4
Virus Scanner
Virus Scanner
Live Update
Live Update
Internet
Internet
Private User Files
Private User Files
/tmp/tmp Virus Database
Virus Database
O/S
5
Virus Scanner
Virus Scanner
Live Update
Live Update
Internet
Internet
Private User Files
Private User Files
/tmp/tmp Virus Database
Virus Database
O/S
6
Virus Scanner
Virus Scanner
Live Update
Live Update
Internet
Internet
Private User Files
Private User Files
/tmp/tmp Virus Database
Virus DatabaseOr: Create file
SecretBitIs1.txtOr: Create file
SecretBitIs1.txt
2 malicious apps cooperating hard to detect!2 malicious apps cooperating hard to detect!
Covert Channel: Lock virus DB
Covert Channel: Lock virus DB
7
Existing O/S are too complex◦Too many protection
mechanisms File descriptors, user ids
Doesn’t help with security
Unix
P3P3P2P2P1P1
Unix Kernel(TCB)
Unix Kernel(TCB)
H/WH/W
Complex Objects
8
Unix HiStar
Unix Lib
P3P3P2P2P1P1
Unix Kernel(TCB)
Unix Kernel(TCB)
H/WH/W
P2P2P1P1
U1U1
P3P3
U3U3U2U2
HiStar Kernel(TCB)
HiStar Kernel(TCB)H/WH/W
Simple Objects9
Most Unix implemented as user-level libraries◦Narrow, easily controlled interface
All kernel objects have the same, flat namespace◦Files, users, processes, address spaces are kernel
objects
All information flow is made explicit
10
High DataHigh Data
High Process
High Process
Low DataLow Data
Low Process
Low Process
e.g.: credit card processing
Web ServerGlobally visible, read-only confi-
guration file
e.g.: Untrusted user process
‘High’ information should never modify ‘low’! Information only flows upwards
‘High’ information should never modify ‘low’! Information only flows upwards11
Each kernel object has a label◦Files, users, programs, etc
Each label is a set of categories For each category, each object has a level E.g. ‘unmodifiable’, ‘secret’ file of user X
12
Level Meaning0 Unmodifiable (read-only)1 Default Level2 Cannot be exported from PC3 Inaccessible (no read)⋆ Super access (can R/W
anything, change tags)
Fully trusted
Top Secret
Process can read less secret data (lower level), can write less trusted data (higher level)
Process can read less secret data (lower level), can write less trusted data (higher level)
Objects can have multiple labels (top secret & unmodifiable)
13
Bob’sFilesBob’sFiles
Bob’s ProcessBob’s
ProcessBob’s ShellBob’s Shell
Internet
Internet
Alice’sFiles
Alice’sFiles
Alice’s ProcessAlice’s
ProcessAlice’s Shell
Alice’s Shell
Color Mismatch
14
Bob’sSecret Files
Bob’sSecret Files
Bob’s FilesBob’s Files
Bob’s ShellBob’s Shell
Alice’sFiles
Alice’sFiles
Alice’s Shell
Alice’s Shell
Root shellRoot shell
15
S/W only implementation 11,600 TCB kernel code◦Hmmm. Can we do better? (LoStar)◦1,300 extra bootstrapping code
HiStar ensures that you have enough rights to execute, read, write data
Malicious web app can leak data only of the users that called it.
Does not protect against DoS
16
17
Part 2/2
18
HiStar has few kernel objects◦Process, files, address space, etc
Each object has a label◦‘Colored’ objects ◦Access allowed only when I have enough
credentials for that label
Let’s color the physical RAM!◦Using Raksha-like H/W
19
Unix HiStar
P2P2P1P1
U1U1
P3P3
U3U3U2U2
HiStar Kernel(TCB)
HiStar Kernel(TCB)
DRAMDRAM
Unix Lib
P3P3P2P2P1P1
Unix Kernel(TCB)
Unix Kernel(TCB)
DRAMDRAM
LoStar
P1P1
U1U1
P2P2
KernelKernel
P3P3
U3U3U2U2
KernelKernel
KernelKernel
(TCB)Security Monitor
(TCB)Security Monitor
DD RR AA MM
Super-Visor
Moni-torPhysical RAM
Authorized Colors
Protection Domain
20
Each 32-bit word has a 32-bit color Every memory reference (I and D) will retrieve
the associated color The security monitor checks the HiStar label
for that color and the current thread’s rights Check will be cached for future reuse
21
TagsTags TagsTags
L1-IL1-IPCPC De-
codeDe-
codeReg. FileReg. File
Permission Checks
Permission Checks
EXCEXC WBWBALU
Preexisting
Loki Logic
Loki Tags
L1-DL1-D
Execute P-CacheExecute P-Cache R/W
P-CacheR/W
P-Cache
Memory ControllerMemory
Controller
MemoryMemory TagsTags
Tag HandlingTag Handling
22
Color: 32-bit physical address of HiStar’s label◦1 color per page Indirect entry for multi-colored pages (color/word)
Colors stored in RAM◦Physical address space reserved Virtual memory manager not in the TCB
Colors associated with physical addresses◦No aliasing problem
23
A cache of recently checked labels◦32-bit color tag and 3 bit permissions (RWX)
32-entry 2-way set associative Can be thought as TLB◦Permission Lookaside Buffer◦Normal TLB tricks apply Eg P-Cache-I and P-Cache-D
Saved on context switch
24
Security exception calls LoStar’s monitor◦Not the kernel (HiStar) of the active thread
Security monitor in TCB◦No checks performed◦No physical – virtual translation◦‘Trusted’ mode above the H/W supervisor move
25
HiStar calls LoStar for new labels◦LoStar will write-protect the new label
LoStar protects critical global HiStar structures◦E.g., kernel object hash table◦HiStar kernels do not have to trust each other So virtual memory manager not in the TCB
LoStar does not guarantee liveness
26
Pipeline Depth 7 L1-I 16 KB, 2-way SARegister Windows 8 L1-D 32 KB, 2-way SA
Memory 512 MB I-TLB 8-entry, fully assoc.Bus width 64 bits D-TLB 8-entry, fully assoc.
Frequency 65 MHz I-Tag Cache 8-entry, fully assoc.*D-Tag Cache 8-entry, fully assoc.*
P-Cache 32-entry 2-way SA*Store page granularity tags.Multicolored pages store tags in ‘modified’(?) caches
27
Hardware Overhead
Trusted Code Base
Component Block RAMs 4-input LUTsBase Leon 43 14,502Loki Logic 2 2,756
% increase 5 19
Lines of code HiStar LoStarKernel code 11,600 12,700
Bootstrapping code 1,300 1,300Security monitor - 5,200
TCB size 11,600 5,20028
29
30
HiStarLoStar
LoStar without page tags1.4
1.6
1.0
1.2
0.6
0.8
0.2
0.4
0.0
Aver
age
Slow
dow
n
primes syscall IPC fork/exec small-file large-file wget gzip
Benchmarks
31
HiStar is an O/S with strict information flow◦Most O/S implemented as user library◦~11,000 TCB◦Achieves good performance
LoStar is a hardware-assisted HiStar◦~5,000 TCB◦Similar performance to HiStar
Unclear whether the benefit of reduced TCB outweighs the cost of extra H/W
32
Questions?
33
Top Related