CPS 210: Intro - Duke Computer Science

Information Flow Control for
Standard OS Abstractions
Landon Cox
March 29, 2017
Access control and the kernel
• How does kernel know if system call is allowed?
  • Looks at user id (uid) of process making the call
  • Looks at resources accessed by call (e.g., file)
  • Checks access-control policy associated with resource
  • Decides if policy allows uid to access resources
• How is a uid normally assigned to a process?
  • On fork, child inherits parent’s uid
MOO accounting problem
• Multi-player game called Moo
• Want to maintain high score in a file
• Should players be able to update score?
  • Yes
• Do we trust users to write file directly?
  • No, they could lie about their score
• Could have a trusted process update scores
• Why isn’t this enough?
  • Can’t be sure that reported score is genuine
  • Also want to ensure that score was computed correctly
(Figure: game clients running as uid x and uid y report scores to a trusted process running as root, which writes the high-score file.)
Access control
• Simple inheritance of uids is not sufficient for
  • Tasks involving management of “user id” state
  • Logging in (login)
  • Changing passwords (passwd)
• Solution: setuid
  • Executable files can have their setuid bit set
  • If setuid bit is set, process inherits uid of image file’s owner on exec
MOO accounting problem
• Multi-player game called Moo
• Want to maintain high score in a file
• How does setuid allow us to know that score is correct?
  • Game executable is owned by trusted entity
  • Game cannot be modified by normal users
  • Users can run executable though
  • High-score is also owned by trusted entity
• This is a form of trustworthy computing
  • High-score maintainer knows exactly which code will update score
  • Ensures code integrity, even when run by untrusted users
  • Also data confidentiality, since data accessed by code with integrity
(Figure: game clients running as uid x and uid y execute the setuid game binary, which is the only code that writes the high-score file.)
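The kernel checks and the setuid rule from the preceding slides, as an added example that is not part of the lecture: a toy model in C of the Unix owner/group/other permission check (access_ok) and of what exec does to the effective uid when the image's setuid bit is set (do_exec), applied to the MOO scenario. The uids (1000 for a trusted "moo" account, 5000 and 5001 for players), the group id and the file modes are constructed; nothing here calls the real kernel.

```c
/* Added example, not from the lecture: a toy model in C of the two kernel
 * decisions on the preceding slides, the Unix owner/group/other permission
 * check and the setuid rule on exec. The uids, group id and file modes of the
 * MOO scenario are constructed; nothing here calls the real kernel. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

struct inode { uid_t owner; gid_t group; mode_t mode; };   /* the resource and its policy */
struct proc  { uid_t uid; uid_t euid; gid_t gid; };        /* the caller: real and effective uid */

/* Requested access, expressed with the low ("other") permission bits. */
enum { PERM_R = S_IROTH, PERM_W = S_IWOTH, PERM_X = S_IXOTH };

/* How the kernel decides: pick the owner/group/other triple that applies to
 * the caller's EFFECTIVE uid, then require every requested bit. (Root's
 * bypass of these checks is left out of the model.) */
bool access_ok(const struct proc *p, const struct inode *f, unsigned want)
{
    unsigned granted;
    if (p->euid == f->owner)      granted = (f->mode & S_IRWXU) >> 6;
    else if (p->gid == f->group)  granted = (f->mode & S_IRWXG) >> 3;
    else                          granted =  f->mode & S_IRWXO;
    return (granted & want) == want;
}

/* exec(2) of an image: the caller needs execute permission; the process keeps
 * its uids unless the image's setuid bit is set, in which case the effective
 * uid becomes the image owner's uid. */
bool do_exec(struct proc *p, const struct inode *image)
{
    if (!access_ok(p, image, PERM_X))
        return false;
    if (image->mode & S_ISUID)
        p->euid = image->owner;
    return true;
}

/* MOO scenario (constructed): the game binary and the high-score file are
 * owned by a trusted "moo" account; players are ordinary uids in group users. */
enum { MOO_UID = 1000, PLAYER_X = 5000, PLAYER_Y = 5001, USERS_GID = 100 };

static const struct inode moo_game = {          /* mode 4755: setuid, rwxr-xr-x */
    MOO_UID, USERS_GID, S_ISUID | S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH };
static const struct inode highscore = {         /* mode 0644: rw-r--r-- */
    MOO_UID, USERS_GID, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH };

/* After fork() a player's process has uid == euid == the player. */
static struct proc player_process(uid_t player)
{
    struct proc p = { player, player, USERS_GID };
    return p;
}

/* Can a player write the high-score file directly? (They could lie.) */
bool player_can_write_directly(uid_t player)
{
    struct proc p = player_process(player);
    return access_ok(&p, &highscore, PERM_W);
}

/* Can a player replace the game binary, i.e. the code that updates the score? */
bool player_can_modify_game(uid_t player)
{
    struct proc p = player_process(player);
    return access_ok(&p, &moo_game, PERM_W);
}

/* Can the player's process write the file after exec of the setuid game? */
bool player_can_write_via_game(uid_t player)
{
    struct proc p = player_process(player);
    if (!do_exec(&p, &moo_game))
        return false;
    return access_ok(&p, &highscore, PERM_W);   /* euid is now MOO_UID */
}

int main(void)
{
    printf("player x writes high score directly: %s\n", player_can_write_directly(PLAYER_X) ? "allowed" : "denied");
    printf("player y modifies the game binary:   %s\n", player_can_modify_game(PLAYER_Y) ? "allowed" : "denied");
    printf("player x writes via setuid game:     %s\n", player_can_write_via_game(PLAYER_X) ? "allowed" : "denied");
    return 0;
}
```

The three checks make the slide's argument concrete: a player can neither write the high-score file nor replace the game binary directly, but once the setuid image has been exec'd the effective uid is the game owner's, so the write succeeds only through the trusted code path.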
Information Flow Control (IFC)
• Goal: track which secrets a process has seen
• Mechanism: each process gets a secrecy label
  • Label summarizes which categories of data a process is assumed to have seen.
• Examples (each quoted name is a “tag”, each set of tags a “label”):
  • { “Financial Reports” }
  • { “HR Documents” }
  • { “Financial Reports” and “HR Documents” }
Slide by Max Krohn
Secrecy, Integrity, and Privilege
• Secrecy label (Sp)
  • Specifies what data P has read
  • “/usr/bin/login may read the password file”
• Integrity label (Ip)
  • Used to endorse trustworthiness of P
  • “/usr/bin/login can only be updated by root”
  • Also limits what P can read
  • “/usr/bin/login can only read user libs and config files endorsed by root”
• Ownership (Op)
  • Regulates how P can update Sp and Ip
  • Tags P can add to its labels (e.g., t+), i.e., endorse via integrity label
  • Tags P can remove from its labels (e.g., t-), i.e., declassify via secrecy label
  • Dp is the set of tags that P can both add and remove
Discussion questions on the slide: What is an endorsement? How did endorsements work in the Moo problem? Why is the restriction on what P can read necessary?
Secrecy, Integrity, and Privilege
• Secrecy
  • “At some point process p added data with tag s to its address space.”
  • s ∈ Sp ⇔ ∃(data) : p read data with tag s
• Integrity
  • “All inputs to process p had tag i.”
  • i ∈ Ip ⇔ ∀(data) : p read data with tag i
• Privilege
  • “p can remove tag s from Sp and add tag i to Ip.”
  • s ∈ t- ⇔ p is trusted to declassify s
  • i ∈ t+ ⇔ p is trusted to endorse i
  • t ∈ Dp ⇔ t ∈ t- and t ∈ t+
Tags + Secrecy Labels
Universe of Tags: HR, Legal, Finance, SecretProjects
Sp = secrets p has viewed; Dp = tags p can add and remove from its label
Process p starts with change_label({}): Sp = {}, Dp = {}
1. change_label({Finance});        Sp = { Finance }, Dp = {}
   Any process can add any tag to its label.
2. tag_t HR = create_tag();        Sp = { Finance }, Dp = { HR }
   DIFC Rule: A process can create a new tag; gets ability to declassify it.
3. change_label({Finance, HR});    Sp = { Finance, HR }, Dp = { HR }
   Same as Step 1.
4. change_label({Finance});        Sp = { Finance }, Dp = { HR }
   DIFC: Declassification in action (HR ∈ Dp, so p may remove it).
Slide by Max Krohn
Tags + Integrity Labels
Universe of Tags: Finance, Apple, Legal, HR
Ip = endorsements of p; Dp = tags p can add and remove from its label
Process p starts with Ip = { Apple }, Dp = {}
1. change_label({});               Ip = {}, Dp = {}
   Any process can remove any tag from its label.
2. tag_t HR = create_tag();        Ip = {}, Dp = { HR }
   DIFC Rule: A process can create a new tag; gets ability to endorse w/ it.
3. change_label({Microsoft});      Ip = {}, Dp = { HR }
   Not allowed: Microsoft ∉ Dp, so p cannot endorse itself with it.
4. change_label({HR});             Ip = { HR }, Dp = { HR }
   DIFC: Endorsement in action.
Slide by Max Krohn
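The label rules on the secrecy and integrity slides above, as an added example that is not part of the lecture or of Flume's own code: a toy model in C with tags as bits and labels as bitmasks. change_secrecy() and change_integrity() play the role of change_label() for the two labels separately and report whether the request was legal, create_tag() gives the creator both capabilities for the new tag (the tag goes into Dp), and the two replay functions run the sequences from the slides. It goes one step beyond the slides by also trying to drop Finance, which p never owned, to show a rejected declassification. The tag bits and the tag allocator are constructed.

```c
/* Added example, not from the lecture or from Flume: a toy model of the
 * label rules on the "Tags + Secrecy Labels" and "Tags + Integrity Labels"
 * slides. Tags are bits, labels are bitmasks; the tag names and the
 * starting labels are the slides' constructed examples. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t label_t;   /* a set of tags: bit i set means tag i is in the set */
typedef uint32_t tag_t;     /* a single tag, represented by its bit */

struct process {
    label_t S;   /* secrecy label Sp: secrets p has viewed */
    label_t I;   /* integrity label Ip: endorsements of p */
    label_t D;   /* Dp: tags p can both add to and remove from its labels */
};

/* Tags that already exist in the slides' "universe of tags" (constructed bits). */
static const tag_t FINANCE = 1u << 0, LEGAL = 1u << 1, SECRET_PROJECTS = 1u << 2,
                   APPLE = 1u << 3, MICROSOFT = 1u << 4;
static tag_t next_tag = 1u << 5;   /* constructed allocator for create_tag() */

/* DIFC rule: a process can create a new tag and gets the ability to
 * declassify (secrecy) or endorse (integrity) with it, i.e. the tag goes into D. */
tag_t create_tag(struct process *p)
{
    tag_t t = next_tag;
    next_tag <<= 1;
    p->D |= t;
    return t;
}

/* Secrecy half of change_label(): any process may ADD any tag to S (it only
 * becomes more tainted), but every tag it REMOVES is a declassification and
 * must be in D. Returns whether the change was legal; illegal changes leave S alone. */
bool change_secrecy(struct process *p, label_t new_S)
{
    label_t removed = p->S & ~new_S;
    if (removed & ~p->D)
        return false;            /* would declassify a tag p does not own */
    p->S = new_S;
    return true;
}

/* Integrity half: any process may REMOVE any tag from I (it only becomes less
 * trusted), but every tag it ADDS is an endorsement and must be in D. */
bool change_integrity(struct process *p, label_t new_I)
{
    label_t added = new_I & ~p->I;
    if (added & ~p->D)
        return false;            /* would self-endorse with a tag p does not own */
    p->I = new_I;
    return true;
}

/* The secrecy slide's sequence, plus one extra illegal call (dropping Finance,
 * which p never owned). Returns how many calls were rejected; expect 1. */
int replay_secrecy_slide(struct process *p)
{
    int rejected = 0;
    *p = (struct process){ 0, 0, 0 };                 /* change_label({}) */
    rejected += !change_secrecy(p, FINANCE);          /* any process can add a tag */
    tag_t HR = create_tag(p);                          /* Dp = { HR } */
    rejected += !change_secrecy(p, FINANCE | HR);     /* same rule as adding Finance */
    rejected += !change_secrecy(p, FINANCE);          /* declassification: HR is in Dp */
    rejected += !change_secrecy(p, 0);                /* rejected: Finance is not in Dp */
    return rejected;
}

/* The integrity slide's sequence: Ip starts as { Apple }. Returns the number
 * of rejected calls; expect 1 (the Microsoft endorsement). */
int replay_integrity_slide(struct process *p)
{
    int rejected = 0;
    *p = (struct process){ 0, APPLE, 0 };
    rejected += !change_integrity(p, 0);              /* any process can drop a tag */
    tag_t HR = create_tag(p);                          /* Dp = { HR } */
    rejected += !change_integrity(p, MICROSOFT);      /* rejected: Microsoft not in Dp */
    rejected += !change_integrity(p, HR);             /* endorsement: HR is in Dp */
    return rejected;
}

int main(void)
{
    struct process p, q;
    int rs = replay_secrecy_slide(&p);
    printf("secrecy replay: %d rejected, Sp=%#x Dp=%#x\n", rs, p.S, p.D);
    int ri = replay_integrity_slide(&q);
    printf("integrity replay: %d rejected, Ip=%#x Dp=%#x\n", ri, q.I, q.D);
    (void)LEGAL; (void)SECRET_PROJECTS;   /* part of the universe, unused here */
    return 0;
}
```

The asymmetry is the whole point of the two slides: raising secrecy and lowering integrity are always safe, so they need no privilege, while the reverse directions are exactly declassification and endorsement and require the tag to be in Dp.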
Privilege in action (secrecy)
Universe of Secrecy Tags: HR, Legal, Finance, SecretProjects
Universe of Integrity Tags: Microsoft (Bob’s code), Admin (Alice’s code)
Process p: Sp = {}, Dp = { HR, Admin }
1. p changes its label to Sp = { HR }
   Why is this allowed? Any process can add any tag to its secrecy label.
   What is the effect? p can now receive data from HR processes, such as q with Sq = { HR }.
2. p changes its label back to Sp = {}
   Why is this allowed? HR ∈ Dp, so p is trusted to remove (declassify) HR.
   What is the effect? p declassifies the HR data received from q; it can now pass that data on to r with Sr = {}.
Privilege in action (integrity)
Universe of Secrecy Tags: HR, Legal, Finance, SecretProjects
Universe of Integrity Tags: Microsoft (Bob’s code), Admin (Alice’s code)
Process p: Ip = {Admin}, Dp = { HR, Admin }
• Admin+ makes p a certifier

Privilege in action (integrity)
Integrity labels of the images p may run: vi, Ip = {Admin}; libc, Ip = {Admin}; /etc/rc, Ip = {Admin}; Fake vi, Ip = {}
Scenario “Run vi”:
1. p (Ip = {Admin}, Dp = { HR, Admin }) calls fork(); the child q inherits Ip = {Admin}, Dp = { HR, Admin } and then drops Admin+, leaving Dq = { HR }
   Why drop Admin+? q only needs to run vi, not to certify anything, so it gives up the ability to endorse with Admin; from now on everything q loads must already carry Admin.
2. q execs vi, which loads libc and reads /etc/rc
   Should this work? Yes: vi, libc and /etc/rc all carry Admin, so every input to q had tag Admin and Iq = {Admin} is preserved.
Scenario “Run Fakevi”:
1. p calls fork(); the child q again ends up with Ip = {Admin}, Dp = { HR }
2. q calls exec(“fakevi”); Fake vi has Ip = {}
   Should this work? Under the integrity rule, no: Fake vi is not endorsed with Admin, and q no longer holds Admin+, so it cannot endorse the image itself; loading it would violate Iq = {Admin}, so the exec is refused.
Communication Rule
Process p, Sp = { HR }, sends to process q, Sq = { HR, Finance }
p can send to q iff Sp ⊆ Sq
Slide by Max Krohn
Flume Communication Rule
MoinMoin (p): Sp = { Alice }
MoinMoin (r): Sr = { Bob }
Database (q): Sq = {}, Dq = { Alice, Bob }
Can p send to q? Under the plain rule Sp ⊄ Sq, but q can work around it:
1. q changes to Sq = { Alice }
2. p sends to q
3. q changes back to Sq = {}
Slide by Max Krohn

Flume Communication Rule
• p can send to q iff:
  • In IFC: Sp ⊆ Sq
  • In Flume: Sp – Dp ⊆ Sq ∪ Dq
    • Senders get extra latitude (Sp – Dp); receivers get extra latitude (Sq ∪ Dq)
Slide by Max Krohn
Unexpected Program Behavior (Unreliable Communication)
Process p sends to process q: “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…”
Process q’s possible responses: “I stopped reading”, “I crashed”
Slide by Max Krohn
Unreliable communication
Process p (Sp = {}, Dp = { HR }) writes to its stdout, which is process q’s stdin (Sq = { HR }):
  p: “Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…”
  q: “SLOW DOWN!!” … or “I crashed”
  ? Can q’s feedback flow back to p, whose label Sp = {} is below Sq = { HR }?
Slide by Max Krohn
New Abstraction: Endpoints
Process p: Sp = {}, Dp = { HR }, with endpoint e, Se = { HR }
Process q: Sq = { HR }, with endpoint f, Sf = { HR }
The same exchange (“Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…”, “SLOW DOWN!!”, “I crashed”) now flows between the endpoints e and f:
• If Se ⊆ Sf, then allow e to send to f
• If Sf ⊆ Se, then allow f to send to e
• If Sf = Se, then allow bidirectional flow
Slide by Max Krohn
Endpoints Declassify Data
Process p: Sp = {}, Dp = { HR }, with endpoint e, Se = { HR }
• Data enters process p with secrecy { HR }
• But p keeps its label Sp = {}
• Thus p needs HR ∈ Dp
Slide by Max Krohn
Endpoint Invariant
• For any tag t ∈ Sp and t ∉ Se (export of information)
• Or any tag t ∈ Se and t ∉ Sp (import of information)
• It must be that t ∈ Dp
Example: process p with Sp = { Finance }, Dp = { Finance, HR } and endpoint e with Se = { HR }
Slide by Max Krohn
Endpoints Labels Are Independent
Process p: Sp = {}, Dp = { HR }, with endpoints g (Sg = {}) and e (Se = { HR })
Process q: Sq = { HR }, with endpoint f (Sf = { HR })
Slide by Max Krohn
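The process-level communication rules (plain IFC versus Flume's Sp – Dp ⊆ Sq ∪ Dq) and the endpoint rule and invariant from the slides above, as an added example that is not part of the lecture or of Flume's own code. It replays the MoinMoin/Database scenario three ways (direct, with q's temporary relabel, and under the Flume rule), then the stdout/stdin scenario with and without endpoints. Tag bits are constructed; the integrity half of the Flume rule is not on the slides and is included as the dual of the secrecy half, which is an assumption of this example.

```c
/* Added example, not from the lecture or from Flume: the process-level and
 * endpoint-level communication rules from the slides, on bitmask labels.
 * The MoinMoin/Database scenario and the tag names are the slides' own
 * constructed examples. The integrity half of the Flume rule does not appear
 * on the slides; it is included as the dual of the secrecy half (assumption). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t label_t;                       /* set of tags as a bitmask */
static bool subset(label_t a, label_t b) { return (a & ~b) == 0; }

struct process  { label_t S, I, D; };                         /* Sp, Ip, Dp */
struct endpoint { label_t S; const struct process *owner; };  /* Se and its owning process */

/* Plain IFC: p may send to q iff Sp is a subset of Sq (dual for integrity: Iq subset of Ip). */
bool ifc_can_send(const struct process *p, const struct process *q)
{
    return subset(p->S, q->S) && subset(q->I, p->I);
}

/* Flume: (Sp - Dp) subset of (Sq | Dq). The sender gets credit for what it
 * could declassify, the receiver for what it could add to its label, without
 * either actually changing its label. Integrity half assumed as the dual. */
bool flume_can_send(const struct process *p, const struct process *q)
{
    bool secrecy   = subset(p->S & ~p->D, q->S | q->D);
    bool integrity = subset(q->I & ~q->D, p->I | p->D);
    return secrecy && integrity;
}

/* Endpoint invariant: every tag on which Se and Sp differ must be in Dp,
 * because data crossing that endpoint is imported or exported under privilege. */
bool endpoint_ok(const struct endpoint *e)
{
    return subset(e->S ^ e->owner->S, e->owner->D);
}

/* Endpoint rule: e may send to f iff Se is a subset of Sf, so Se == Sf gives a
 * bidirectional, hence reliable, channel. Integrity is not modelled here. */
bool endpoint_can_send(const struct endpoint *e, const struct endpoint *f)
{
    return endpoint_ok(e) && endpoint_ok(f) && subset(e->S, f->S);
}

/* Constructed tag bits for the slides' tag names. */
enum { ALICE = 1u << 0, BOB = 1u << 1, HR = 1u << 2 };

/* MoinMoin (p, Sp={Alice}) wants to send to the Database (q, Sq={}, Dq={Alice,Bob}). */
static const struct process MOIN_P = { ALICE, 0, 0 };
static const struct process DB_Q   = { 0, 0, ALICE | BOB };

bool moinmoin_ifc_direct(void) { return ifc_can_send(&MOIN_P, &DB_Q); }   /* false */

bool moinmoin_ifc_with_relabel(void)            /* steps 1-3 on the slide */
{
    struct process q = DB_Q;
    q.S = ALICE;                                /* 1. q raises its label */
    bool sent = ifc_can_send(&MOIN_P, &q);      /* 2. p sends */
    q.S = 0;                                    /* 3. q lowers it again */
    return sent;                                /* true */
}

bool moinmoin_flume(void) { return flume_can_send(&MOIN_P, &DB_Q); }      /* true, no relabel needed */

/* "Unreliable communication" slide: p (Sp={}, Dp={HR}) feeds q (Sq={HR}); may q's
 * "SLOW DOWN!!" flow back? Then the endpoint version: e on p and f on q, both {HR}. */
static const struct process P = { 0, 0, HR };
static const struct process Q = { HR, 0, 0 };
static const struct endpoint E = { HR, &P };
static const struct endpoint F = { HR, &Q };

bool reply_allowed_plain_ifc(void) { return ifc_can_send(&Q, &P); }    /* false: {HR} not within {} */
bool reply_allowed_flume(void)     { return flume_can_send(&Q, &P); }  /* true: p owns HR */
bool pipe_is_bidirectional(void)   { return endpoint_can_send(&E, &F) && endpoint_can_send(&F, &E); }

/* A process that does not own HR may not open an endpoint labelled {HR}. */
bool unprivileged_hr_endpoint_ok(void)
{
    static const struct process nobody = { 0, 0, 0 };
    const struct endpoint e = { HR, &nobody };
    return endpoint_ok(&e);                     /* false: violates the invariant */
}

int main(void)
{
    printf("MoinMoin -> DB, plain IFC: %d, with relabel: %d, Flume rule: %d\n",
           moinmoin_ifc_direct(), moinmoin_ifc_with_relabel(), moinmoin_flume());
    printf("q -> p reply, plain IFC: %d, Flume: %d; endpoints bidirectional: %d\n",
           reply_allowed_plain_ifc(), reply_allowed_flume(), pipe_is_bidirectional());
    printf("unprivileged process opens {HR} endpoint: %d\n", unprivileged_hr_endpoint_ok());
    return 0;
}
```

The endpoint invariant is what keeps the extra latitude honest: p may give its endpoint a label that differs from Sp only on tags it owns, so a process without HR in Dp cannot use an endpoint to read or write HR data it is not entitled to declassify.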
Example App: MoinMoin Wiki
Slide by Max Krohn
How Problems Arise…
MoinMoin Wiki (100 kLOC) guards pages such as LayoffPlans and FreeTShirts with checks like the following, repeated throughout the code base (x43):
if not self.request.user.may.read(pagename):
    return self.notAllowedFault()
Slide by Max Krohn
MoinMoin + DIFC
• Trusted: Apache Web Server; Declassifier (1 kLOC)
• Untrusted: MoinMoin Wiki (100 kLOC)
• Pages: LayoffPlans, S = { HR }; FreeTShirts, S = {}
(Figure: a Flume-oblivious web client sends “GET /LayoffPlans?user=Intern&PW=abcd” to Apache, which runs unconfined; Apache hands the request to the FlumeWiki declassifier (1 kLOC), which talks over reliable IPC to the confined MoinMoin process (100 kLOC); MoinMoin does the file I/O on LayoffPlans (S = { HR }) and FreeTShirts (S = {}).)
Slide by Max Krohn
Results
• Does Flume allow adoption of Unix software?
  • 1,000 LOC launcher/declassifier
  • 1,000 out of 100,000 LOC in MoinMoin changed
  • Python interpreter, Apache, unchanged
• Does Flume solve security vulnerabilities?
  • Without our knowing, we inherited two ACL bypass bugs from MoinMoin
  • Both are not exploitable in Flume’s MoinMoin
• Does Flume perform reasonably?
  • Performs within a factor of 2 of the original on read and write benchmarks
Slide by Max Krohn
Limitations
• Bigger TCB than HiStar / Asbestos
  • Linux stack (Kernel + glibc + linker)
  • Reference monitor (~22 kLOC)
• Covert channels via disk quotas
• Confined processes like MoinMoin don’t get full POSIX API.
  • spawn() instead of fork() & exec()
  • flume_pipe() instead of pipe()
Slide by Max Krohn
Summary
• DIFC is a challenge to Programmers
• Flume: DIFC in User-Level
• Preserves legacy software
• Complements today’s programming techniques
• MoinMoin Wiki: Flume works as promised
• Invite you to play around:
http://flume.csail.mit.edu
Slide by Max Krohn