Information Flow Control for Standard OS Abstractions
Landon Cox
March 29, 2017

Access control and the kernel
• How does the kernel know if a system call is allowed?
  • Looks at the user id (uid) of the process making the call
  • Looks at the resources accessed by the call (e.g., a file)
  • Checks the access-control policy associated with the resource
  • Decides if the policy allows that uid to access the resource
• How is a uid normally assigned to a process?
  • On fork, the child inherits the parent's uid

MOO accounting problem
• Multi-player game called Moo
• Want to maintain a high score in a file
• Should players be able to update the score?
  • Yes
• Do we trust users to write the file directly?
  • No, they could lie about their score
[Figure: game clients (uid x, uid y) writing the high-score file directly]

MOO accounting problem (cont.)
• Could have a trusted process (root) update scores on the clients' behalf
• Why isn't this enough?
  • Can't be sure that the reported score is genuine
  • Also want to ensure that the score was computed correctly
[Figure: game clients (uid x, uid y) report scores to a trusted root process, which writes the high-score file]

Access control
• Simple inheritance of uids is not sufficient for
  • Tasks involving management of "user id" state
  • Logging in (login)
  • Changing passwords (passwd)
• Solution: setuid
  • Executable files can have their setuid bit set
  • If the setuid bit is set, the process inherits the uid of the image file's owner on exec

MOO accounting problem (cont.)
• How does setuid allow us to know that the score is correct?
  • The game executable is owned by a trusted entity
  • The game cannot be modified by normal users
  • Users can run the executable, though
  • The high-score file is also owned by the trusted entity
• This is a form of trustworthy computing
  • The high-score maintainer knows exactly which code will update the score
  • Ensures code integrity, even when run by untrusted users
  • Also data confidentiality, since the data is accessed only by code with integrity
[Figure: game clients (uid x, uid y) run the setuid game binary, which alone writes the high-score file]

Information Flow Control (IFC)
• Goal: track which secrets a process has seen
• Mechanism: each process gets a secrecy label
  • A label summarizes which categories of data a process is assumed to have seen
  • Each category is a "tag"; a "label" is a set of tags
• Examples:
  • { "Financial Reports" }
  • { "HR Documents" }
  • { "Financial Reports", "HR Documents" }
[Slide by Max Krohn]

Secrecy, Integrity, and Privilege
• Secrecy label (Sp)
  • Specifies what data P has read
  • "/usr/bin/login may read the password file"
• Integrity label (Ip)
  • Used to endorse the trustworthiness of P
  • "/usr/bin/login can only be updated by root"
  • Also limits what P can read
  • "/usr/bin/login can only read user libs and config files endorsed by root"
  • In-class questions: How did endorsements work in the Moo problem, i.e., what is an endorsement? Why is this restriction on reads necessary?
    • In Moo, the trusted owner endorses the game binary by owning it and setting its setuid bit; the kernel then guarantees that only that code updates the score.
    • An integrity label is a claim that every input to P was trustworthy. If an endorsed P could read un-endorsed libraries or config files, that claim would be false, so the label has to restrict what P reads.
• Ownership (Op)
  • Regulates how P can update Sp and Ip
  • Tags P can add to its labels (t+), i.e., endorse via the integrity label
  • Tags P can remove from its labels (t-), i.e., declassify via the secrecy label
  • Dp is the set of tags that P can both add and remove

Secrecy, Integrity, and Privilege (definitions)
• Secrecy
  • "At some point process p added data with tag s to its address space."
  • s ∈ Sp ⇔ ∃(data) : p read data with tag s
• Integrity
  • "All inputs to process p had tag i."
  • i ∈ Ip ⇔ ∀(data) : p read data with tag i
• Privilege
  • "p can remove tag s from Sp and add tag i to Ip."
  • s ∈ t- ⇔ p is trusted to declassify s
  • i ∈ t+ ⇔ p is trusted to endorse i
  • t ∈ Dp ⇔ t ∈ t- and t ∈ t+

Tags + Secrecy Labels (animation frames collapsed)
Universe of secrecy tags: Legal, Finance, SecretProjects (HR is created below).
Process p starts with Sp = {} (the secrets p has viewed) and Dp = {} (the tags p can add and remove from its label).
1. change_label({Finance});      Allowed. Sp = {Finance}. Any process can add any tag to its secrecy label.
2. tag_t HR = create_tag();      Dp = {HR}. DIFC rule: a process that creates a new tag gets the ability to declassify it.
3. change_label({Finance, HR});  Allowed. Sp = {Finance, HR}.
4. change_label({Finance});      Allowed. Sp = {Finance}, the same label as after step 1. DIFC declassification in action: removing HR is permitted because HR ∈ Dp.
By the same rule, change_label({}) would be refused here: Finance ∉ Dp, so p cannot declassify Finance.
[Slide by Max Krohn]

Tags + Integrity Labels (animation frames collapsed)
Universe of integrity tags: Legal, Finance, Apple (HR is created below).
Process p starts with Ip = {Apple} (the endorsements of p) and Dp = {}.
1. change_label({});             Allowed. Ip = {}. Any process can remove any tag from its integrity label.
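The label rules on these slides (anyone may add a secrecy tag or drop an integrity tag; declassifying needs t-, endorsing needs t+; create_tag() grants the creator both) are small enough to check mechanically. The following is an added example, not Flume's or the lecture's code: a toy Process with change_secrecy()/change_integrity() standing in for the slides' change_label(), and two walkthroughs that replay the secrecy and integrity sequences. The class shape and the "#n" tag-naming scheme are assumptions made for the example.

```python
"""Toy model of DIFC process labels: secrecy (S), integrity (I), ownership (D).
Added example, not Flume's code. Enforces exactly the rules stated on the slides:
  - any process may ADD a tag to its secrecy label,
  - any process may REMOVE a tag from its integrity label,
  - removing s from S (declassification) requires s in D (t-),
  - adding i to I (endorsement) requires i in D (t+),
  - create_tag() returns a fresh tag and grants the creator ownership of it.
A real system would keep t+ and t- separately; D (both) suffices for these examples.
"""
from dataclasses import dataclass
import itertools


class LabelViolation(Exception):
    """Raised when a label change needs a privilege the process lacks."""


_fresh = itertools.count(1)  # assumption: tag names are "<hint>#<n>", unique per run


@dataclass
class Process:
    name: str
    S: frozenset = frozenset()  # secrecy: tags of data p may have read
    I: frozenset = frozenset()  # integrity: tags that ALL of p's inputs carried
    D: frozenset = frozenset()  # ownership: tags p may both add and remove

    def create_tag(self, hint: str) -> str:
        tag = f"{hint}#{next(_fresh)}"
        self.D |= {tag}          # DIFC rule: creator may declassify and endorse with it
        return tag

    def change_secrecy(self, new) -> None:
        new = frozenset(new)
        unowned = (self.S - new) - self.D   # tags being removed without t-
        if unowned:
            raise LabelViolation(f"{self.name} cannot declassify {sorted(unowned)}")
        self.S = new                        # additions always allowed

    def change_integrity(self, new) -> None:
        new = frozenset(new)
        unowned = (new - self.I) - self.D   # tags being added without t+
        if unowned:
            raise LabelViolation(f"{self.name} cannot endorse with {sorted(unowned)}")
        self.I = new                        # removals always allowed


def secrecy_walkthrough():
    """Slide sequence: add Finance, create HR, add HR, declassify HR, try to drop Finance."""
    p = Process("p")
    p.change_secrecy({"Finance"})          # allowed: anyone may raise secrecy
    hr = p.create_tag("HR")                # Dp = {hr}
    p.change_secrecy({"Finance", hr})      # allowed
    p.change_secrecy({"Finance"})          # allowed: declassification, hr in Dp
    try:
        p.change_secrecy(set())            # Finance not in Dp
        finance_drop_refused = False
    except LabelViolation:
        finance_drop_refused = True
    return p.S, finance_drop_refused


def integrity_walkthrough():
    """Slide sequence: drop Apple, create HR, try to endorse Microsoft, endorse HR."""
    p = Process("p", I=frozenset({"Apple"}))
    p.change_integrity(set())              # allowed: anyone may lower integrity
    hr = p.create_tag("HR")                # Dp = {hr}
    try:
        p.change_integrity({"Microsoft"})  # Microsoft not in Dp
        microsoft_refused = False
    except LabelViolation:
        microsoft_refused = True
    p.change_integrity({hr})               # allowed: endorsement, hr in Dp
    return p.I, hr, microsoft_refused


if __name__ == "__main__":
    print(secrecy_walkthrough())
    print(integrity_walkthrough())
```

The asymmetry is the whole point: raising secrecy and lowering integrity are always safe, so the monitor only has to gate the two "dangerous" directions, declassification and endorsement, on ownership.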
Tags + Integrity Labels (continued)
2. tag_t HR = create_tag();      Dp = {HR}. DIFC rule: a process that creates a new tag gets the ability to endorse with it.
3. change_label({Microsoft});    Refused. Microsoft ∉ Dp, so p cannot endorse itself with a tag it does not own; Ip stays {}.
4. change_label({HR});           Allowed. Ip = {HR}. DIFC endorsement in action: adding HR is permitted because HR ∈ Dp.
[Slide by Max Krohn]

Privilege in action (secrecy) (animation frames collapsed)
Universe of secrecy tags: Legal, Finance, SecretProjects, HR.
Universe of integrity tags: Microsoft (Bob's code), Admin (Alice's code).
Process p: Sp = {}, Dp = {HR, Admin}. Process q: Sq = {HR}. Process r: Sr = {}.
• p raises its label to Sp = {HR}.
  • Why is this allowed? Any process may add a tag to its secrecy label (and p owns HR anyway).
  • What is the effect? p can now receive data from HR processes such as q.
• p lowers its label back to Sp = {}.
  • Why is this allowed? HR ∈ Dp, so p may remove it (declassification).
  • What is the effect? p has declassified the HR data it received from q: it can now pass that data on to r, whose Sr = {}.

Privilege in action (integrity) (animation frames collapsed)
• Process p: Ip = {Admin}, Dp = {HR, Admin}. Admin+ makes p a certifier: it can endorse with Admin.
• Trusted images carry Admin integrity: vi (I = {Admin}), /etc/rc (I = {Admin}), libc (I = {Admin}). A "Fake vi" binary has I = {}.
• Scenario 1: "Run vi"
  1. p forks q; q inherits Iq = {Admin}, Dq = {HR, Admin}.
  2. q drops Admin+: Dq = {HR}, Iq stays {Admin}.
     • Why drop Admin+? With Admin+ q could re-endorse itself (or anything it reads) after the fact, so its Admin label would certify nothing. Without it, Iq = {Admin} can only remain true if every input to q really carried Admin.
  3. q calls exec("vi"). Should this work? Yes: vi, libc and /etc/rc all carry Admin, so every input to q has tag Admin and Iq = {Admin} remains valid.
• Scenario 2: "Run Fakevi"
  1. p forks q; Iq = {Admin}, Dq = {HR, Admin}.
  2. q drops Admin+: Dq = {HR}.
  3. q calls exec("fakevi"). Should this work? No: fakevi has I = {}, so loading it would falsify "all inputs to q had tag Admin". q no longer owns Admin and cannot re-endorse, so the exec is refused. (q could first drop Admin from Iq, which anyone may do, but then it visibly loses its certified status.)

Communication Rule
• Process p with Sp = {HR}; process q with Sq = {HR, Finance}.
• p can send to q iff Sp ⊆ Sq.
[Slide by Max Krohn]

Flume Communication Rule
• MoinMoin (p): Sp = {Alice}. Database (q): Sq = {}, Dq = {Alice, Bob}.
• Can p send to q? Under the plain rule, no: {Alice} ⊄ {}. But because q owns Alice it could legally
  1. change to Sq = {Alice},
  2. receive from p,
  3. change back to Sq = {}.
• So q's ownership already permits the flow; the label dance adds nothing but overhead.
Flume Communication Rule (continued)
• MoinMoin (p): Sp = {Alice}. MoinMoin (r): Sr = {Bob}. Database (q): Sq = {}, Dq = {Alice, Bob}.
• p can send to q iff:
  • In IFC: Sp ⊆ Sq
  • In Flume: Sp − Dp ⊆ Sq ∪ Dq
• Senders get extra latitude (Sp − Dp: a sender may implicitly declassify tags it owns). Receivers get extra latitude (Sq ∪ Dq: a receiver may implicitly raise its label with tags it owns).
• So both p and r may send to q, while p still cannot send to r: Alice's data never reaches Bob's session.
[Slide by Max Krohn]

Unexpected Program Behavior (Unreliable Communication)
• Process p sends to process q: "Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…"
• q may need to answer "I stopped reading" or "I crashed", but any message back from q is a flow from q to p that the rule has to judge as well.
[Slide by Max Krohn]

Unreliable communication
• Process p (Sp = {}, Dp = {HR}) writes to stdout, piped into stdin of process q (Sq = {HR}).
• p → q is fine. But "SLOW DOWN!!" (back-pressure on a full pipe) and "I crashed" (a broken pipe) are information flowing from an HR process back to an unlabelled one. Under the plain rule Sq ⊄ Sp, so the pipe would have to be one-way, which is not how POSIX pipes behave. Under Flume's rule the reverse flow passes only because HR ∈ Dp, and then p has silently declassified HR data without any change to its own label.
[Slide by Max Krohn]

New Abstraction: Endpoints
• Process p (Sp = {}, Dp = {HR}) communicates through endpoint e with Se = {HR}; process q (Sq = {HR}) through endpoint f with Sf = {HR}.
• Flow is decided between endpoints, not processes:
  • If Se ⊆ Sf, allow e to send to f
  • If Sf ⊆ Se, allow f to send to e
  • If Sf = Se, allow bidirectional flow (so "SLOW DOWN!!" and "I crashed" become legal)
[Slide by Max Krohn]

Endpoints Declassify Data
• Data enters process p through e with secrecy {HR}, but p keeps its label Sp = {}.
• Thus p needs HR ∈ Dp: the endpoint label makes p's declassification explicit.
[Slide by Max Krohn]

Endpoint Invariant
• For any tag t ∈ Sp with t ∉ Se (exporting information), or any tag t ∈ Se with t ∉ Sp (importing information), it must be that t ∈ Dp.
• Example: process p with Sp = {Finance}, Dp = {Finance, HR} and endpoint e with Se = {HR}. Finance is exported and HR is imported; both are in Dp, so the invariant holds.
[Slide by Max Krohn]
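The three checks the slides above introduce (the plain IFC rule, Flume's rule with owned-tag latitude, and the endpoint invariant plus per-endpoint flow) are pure set algebra, so they are easy to run on the slides' own scenarios: the MoinMoin/Database example, the pipe with back-pressure, and the earlier vi/fake-vi exec. The following is an added example, not Flume's or the lecture's code. Assumptions: labels are frozensets of tag names, processes and files are plain Proc(S, I, D) records, exec is modelled as the image file sending itself to the process, and the integrity half of flume_can_send() follows the Flume paper's rule (Iq − Dq ⊆ Ip ∪ Dp), which the slides show only for secrecy.

```python
"""Toy DIFC reference-monitor checks. Added example, not Flume's code.
Labels are frozensets of tag names; Proc is used for processes and files alike."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    name: str
    S: frozenset = frozenset()  # secrecy label
    I: frozenset = frozenset()  # integrity label
    D: frozenset = frozenset()  # owned tags (may add and remove)


def T(*tags) -> frozenset:
    """Shorthand for a label."""
    return frozenset(tags)


def ifc_can_send(p: Proc, q: Proc) -> bool:
    """Plain IFC rule: p -> q iff Sp is a subset of Sq."""
    return p.S <= q.S


def flume_can_send(p: Proc, q: Proc) -> bool:
    """Flume rule. Secrecy: Sp - Dp <= Sq | Dq (sender may declassify owned tags,
    receiver may raise with owned tags). Integrity, mirror image from the Flume paper
    (assumption; not on the slides): Iq - Dq <= Ip | Dp."""
    return (p.S - p.D) <= (q.S | q.D) and (q.I - q.D) <= (p.I | p.D)


def endpoint_ok(proc: Proc, Se: frozenset) -> bool:
    """Endpoint invariant: every tag exported (in Sp, not Se) or imported
    (in Se, not Sp) must be owned by the process. Symmetric difference does both."""
    return (proc.S ^ Se) <= proc.D


def endpoint_flows(Se: frozenset, Sf: frozenset):
    """Per-endpoint flow: (e may send to f, f may send to e); equal labels => both."""
    return (Se <= Sf, Sf <= Se)


def wiki_scenario() -> dict:
    p = Proc("MoinMoin(p)", S=T("Alice"))
    r = Proc("MoinMoin(r)", S=T("Bob"))
    q = Proc("Database(q)", D=T("Alice", "Bob"))   # Sq = {}, owns both users' tags
    return {
        "ifc p->q": ifc_can_send(p, q),        # {Alice} not <= {}
        "flume p->q": flume_can_send(p, q),    # q owns Alice
        "flume r->q": flume_can_send(r, q),    # q owns Bob
        "flume p->r": flume_can_send(p, r),    # Alice's data must not reach Bob's session
    }


def pipe_scenario():
    p = Proc("p", D=T("HR"))
    q = Proc("q", S=T("HR"))
    # Process-level view: q -> p ("SLOW DOWN!!") passes under Flume only because HR is in Dp;
    # the plain rule refuses it.
    process_level = (flume_can_send(p, q), flume_can_send(q, p), ifc_can_send(q, p))
    # Endpoint view: p labels its end of the pipe {HR}. The invariant holds (HR in Dp),
    # and equal endpoint labels give bidirectional flow, so back-pressure is legal.
    Se, Sf = T("HR"), T("HR")
    return process_level, endpoint_ok(p, Se), endpoint_flows(Se, Sf)


def fake_vi_scenario() -> dict:
    vi = Proc("vi", I=T("Admin"))                    # endorsed image
    fakevi = Proc("fakevi")                          # I = {}
    q_keeps_plus = Proc("q", I=T("Admin"), D=T("HR", "Admin"))
    q = Proc("q", I=T("Admin"), D=T("HR"))           # after dropping Admin+
    # exec modelled as: image file (sender) -> process (receiver)
    return {
        "q exec vi": flume_can_send(vi, q),                     # all inputs carry Admin
        "q exec fakevi": flume_can_send(fakevi, q),             # Iq - Dq = {Admin} not <= {}
        "q with Admin+ exec fakevi": flume_can_send(fakevi, q_keeps_plus),  # passes: why Admin+ must go first
    }


if __name__ == "__main__":
    print(wiki_scenario())
    print(pipe_scenario())
    print(fake_vi_scenario())
```

The last entry of fake_vi_scenario() is the answer to "Why drop Admin+?": while q still owns Admin, the receiver-side latitude Iq − Dq lets it load an un-endorsed image without its label ever recording that fact.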
Endpoint Labels Are Independent
• Process p (Sp = {}, Dp = {HR}) holds endpoint g with Sg = {} and endpoint e with Se = {HR} at the same time; e talks to endpoint f (Sf = {HR}) of process q (Sq = {HR}).
• Each endpoint satisfies the invariant on its own, and p's own label never changes.
[Slide by Max Krohn]

Example App: MoinMoin Wiki
[Slide by Max Krohn]

How Problems Arise…
• MoinMoin Wiki is about 100 kLOC, and access checks like this one appear ×43:
    if not self.request.user.may.read(pagename):
        return self.notAllowedFault()
• Miss one, and a page such as LayoffPlans is served to a user who should only see FreeTShirts.
[Slide by Max Krohn]

MoinMoin + DIFC
• Apache web server and a 1 kLOC declassifier: trusted.
• MoinMoin Wiki (100 kLOC): untrusted.
[Slide by Max Krohn]

FlumeWiki
• Web client (Flume-oblivious, unconfined) → GET /LayoffPlans?user=Intern&PW=abcd → Apache (unconfined) → Declassifier, 1 kLOC (confined; reliable IPC) → MoinMoin, 100 kLOC (confined) → file I/O.
• Files: LayoffPlans has S = {HR}; FreeTShirts has S = {}.
• MoinMoin runs under the secrecy label the declassifier sets for the session, so a missed check inside MoinMoin cannot move HR data to a session without the HR tag.
[Slide by Max Krohn]

Results
• Does Flume allow adoption of Unix software?
  • 1,000 LOC launcher/declassifier
  • 1,000 out of 100,000 LOC in MoinMoin changed
  • Python interpreter and Apache unchanged
• Does Flume solve security vulnerabilities?
  • Without our knowing, we inherited two ACL bypass bugs from MoinMoin
  • Neither is exploitable in Flume's MoinMoin
• Does Flume perform reasonably?
  • Performs within a factor of 2 of the original on read and write benchmarks
[Slide by Max Krohn]

Limitations
• Bigger TCB than HiStar / Asbestos
  • Linux stack (kernel + glibc + linker)
  • Reference monitor (~22 kLOC)
• Covert channels via disk quotas
• Confined processes like MoinMoin don't get the full POSIX API
  • spawn() instead of fork() & exec()
  • flume_pipe() instead of pipe()
[Slide by Max Krohn]

Summary
• DIFC is a challenge to programmers
• Flume: DIFC at user level
  • Preserves legacy software
  • Complements today's programming techniques
• MoinMoin Wiki: Flume works as promised
• Invite you to play around: http://flume.csail.mit.edu
[Slide by Max Krohn]