LAMINAR: PRACTICAL FINE-GRAINED DECENTRALIZED INFORMATION FLOW CONTROL (DIFC)

Indrajit Roy, Donald E. Porter, Michael D. Bond, Kathryn S. McKinley, Emmett Witchel
The University of Texas at Austin

Untrusted code on trusted data
- Your computer holds trusted and sensitive data: credit card number, SSN, personal calendar
- But not every program you run is trusted: bugs in code, malicious plugins
- Security breach!

Security model
- Decentralized Information Flow Control (DIFC) [Myers and Liskov 97]
- Associate labels with the data
- System tracks the flow of data and the labels
- Access and distribution of data depends on labels
- Firefox may read the credit card number, but Firefox may not send it to the outside world
- Control thy data (and its fate)

DIFC implementation
- How do we rethink and rewrite code for security? Hopefully not many changes
- Users create a lattice of labels
- Associate labels with the data structure
[Figure: application between the file system and the network; label lattice "Information flow in a lattice" with {Alice, Bob} at the top, {Alice} and {Bob} below it, and {} at the bottom; calendar data structure:]

    User   Mon.        Tue.         Wed.
    Alice  Watch game  Office work  Free
    Bob    Free        Meet doctor  Free

Challenge: Programmability vs. security
An ideal DIFC system:
- No code refactoring or changes to the data structures
- Naturally interact with the file system and the network
- Enforce fine-grained policies
[Figure: the same label lattice and calendar data structure]

In this talk: Laminar
A practical way to provide end-to-end security guarantees.

Outline
- Comparison with current DIFC systems
- Laminar: programming model
- Design: PL + OS techniques
- Security regions
- Case studies and evaluation
- Summary

Current DIFC-enabled systems
Two broad categories: PL based and OS based.

Advantages of Laminar (table built up over several slides)
- Fine grained: PL based systems work at the object level; OS based systems work at the address space or page level
- End-to-end guarantee: in PL based systems, information leaks are possible through files and sockets
- Incrementally deployable: PL based systems need a new language or type system; OS based systems need code refactoring
- Advanced language features*: * dynamic class loading, reflection, multithreading
- Laminar: fine grained, end-to-end guarantee, incrementally deployable, advanced language features
- How Laminar gets there: JVM tracks labels of objects; JVM+OS integration; dynamic analysis; security regions (new PL construct)

Outline
- Comparison with current DIFC systems
- Laminar: programming model
- Design: PL + OS techniques
- Security regions
- Case studies and evaluation
- Summary

Programming model
- No modifications to code that does not access the calendar
- No need to trust such code!
[Figure: calendar data structure (User / Monday / Tuesday): Alice: Watch game, Office work; Bob: Free, Meet doctor]

Security regions
- Wraps the code that accesses the calendar
- Again, no need to trust the code! Unless it modifies the labels of the data structure
- Less work by the programmer. Laminar enforces user security policy.

Trust assumptions
- Laminar JVM and Laminar OS should perform the correct DIFC checks
- Programmers should correctly specify the security policies using labels

Limitation: covert channels
- Timing channels
- Termination channels
- Probabilistic channels

Laminar design
[Figure: three layers: APP (security regions), JVM (dynamic analysis), OS (reference monitor)]

Laminar design: security regions
- Programming language construct
- Security sensitive data accessed only inside a security region
- Lowers overhead of DIFC checks
- Helps incremental deployment

Laminar design: JVM
- Fine-grained enforcement
- Dynamic security checks on app. data
- Less code refactoring

Laminar design: OS
- Security checks on files/sockets
- Prevents security violation on system resources

Laminar design: JVM+OS
- Integration of VM+OS mechanisms
- Comprehensive security guarantee

Outline
- Comparison with current DIFC systems
- Laminar: programming model
- Design: PL + OS techniques
- Security regions
- Case studies and evaluation
- Summary

Example: calendar
Pseudo code to find a common meeting time for Alice and Bob (files alice.cal and bob.cal hold the two calendars).

    Calendar cal; // has label {Alice, Bob} -- labeled data
    secure(new Label(Alice, Bob)){   // can read data of Alice and Bob
        Calendar a = readFile(alice.cal); // read data of Alice and Bob;
        Calendar b = readFile(bob.cal);   // access checks by OS
        cal.addDates(a, b);               // add to common calendar
        Date d = cal.findMeeting();       // find common meeting time
    } catch(..){}

This code has been simplified to help explanation. Refer to the paper for exact syntax.

Security regions for programming ease
- Easier to add security policies
- Wrap code that touches sensitive data inside security region
- Hypothesis: only small portions of code and data are security sensitive
- Simplifies auditing
[Figure: APP as untrusted code surrounding a security region]

Threads and security regions
- Threads execute the application code
- On entering, threads get the labels and privileges of the security region

Supporting security regions: JVM+OS
[Figure: APP (security region), JVM (dynamic analysis), OS (reference monitor); label lattice {Alice, Bob} / {Alice}, {Bob} / {}]

    Calendar cal; // has label {Alice, Bob}
    secure(new Label(Alice, Bob)){
        Calendar a = readFile(alice.cal);
        Calendar b = readFile(bob.cal);
        cal.addDates(a, b);
        Date d = cal.findMeeting();
    } catch(..){}

Labeling application data
- JVM allocates labeled objects from a separate heap space
- Locals and statics are not labeled
- Efficient checks on whether an object is labeled
- Object header points to secrecy and integrity labels
- Restricted use inside and outside security regions: prevents illegal information flow
- We are extending our implementation to support labeled statics

Security regions for efficiency
- Limits the amount of work done by the VM to enforce DIFC
- Prevent access to labeled objects outside security regions
- Use read/write barriers
- Perform efficient address range checks on objects

Checks outside a security region
[Figure: a thread running untrusted code in the APP, outside the security region]

    Label credentials = new Label(Alice, Bob);
    Calendar cal; // has label {Alice, Bob}
    secure(credentials){
        cal.addDates(a, b);
        Date d = cal.findMeeting();
    } catch(..){}
    Date d = cal.getMeetTime(); // labeled object read outside the security region

Checks inside a security region
- Mandatory DIFC checks inside security regions
- Secrecy rule: cannot read more secret; cannot write to less secret
- Integrity rule: cannot read less trusted; cannot write to more trusted

Checks inside a security region (thread in security region)

    Label credentials = new Label(Alice, Bob);
    Calendar mainCal;  // has label {Alice, Bob}
    Calendar aliceCal; // has label {Alice}
    secure(credentials){
        mainCal.event = aliceCal.date; // READ aliceCal.date, WRITE mainCal.event
    } catch(..){}

[Figure: information flow in the lattice from {Alice} to {Alice, Bob}]

Checks inside a security region (thread in security region)

    Label credentials = new Label(Alice, Bob);
    Calendar mainCal;  // has label {Alice, Bob}
    Calendar aliceCal; // has label {Alice}
    secure(credentials){
        aliceCal.date = mainCal.event; // READ mainCal.event, WRITE aliceCal.date
    } catch(..){}

[Figure: information flow in the lattice from {Alice, Bob} to {Alice}]

Nested security regions

- Laminar allows nesting of security regions
- For nesting, the parent security region should have the correct privileges to initialize the child security region
- Natural hierarchical semantics
- More details are present in the paper

Supporting security regions: OS
[Figure: APP (security region), JVM (dynamic analysis), OS (reference monitor)]
- OS acts as a repository for labels
- New labels can be allocated using a system call
- Labels stored in security fields of the kernel objects
- Before each resource access, the reference monitor performs DIFC checks, e.g. inode permission checks, file access checks

Outline
- Comparison with current DIFC systems
- Laminar: programming model
- Design: PL + OS techniques
- Security regions
- Case studies and evaluation
- Summary

Evaluation hypothesis
- Laminar requires modest code changes to retrofit security to applications: less burden on the programmer
- Laminar incurs modest overheads: practical and efficient

Laminar requires modest changes

    Application           LOC     Protected Data         LOC Added
    GradeSheet            900     Student grades         92 (10%)
    Battleship            1,700   Ship locations         95 (6%)
    Calendar              6,200   Schedules              290 (5%)
    FreeCS (Chat server)  22,000  Membership properties  1,200 (6%)

10% changes

Laminar has modest overheads
- Compared against unmodified applications running on unmodified JVM and OS
- Overheads range from 1% to 54%
- IO disabled to prevent masking effect
- Lower overheads expected in real deployment
- All experiments on quad-core Intel Xeon 2.83 GHz
[Figure: bar chart of overhead (%), y-axis 0 to 60, for GradeSheet, Battleship, Calendar, FreeCS]

Related Work
- IFC and lattice model: Lattice Model [Denning76], Biba77, Bell-LaPadula73
- Language level DIFC: Jif [Myers97], FlowCaml [Simonet03], Swift [Chong07]
- OS based DIFC: Asbestos [Efstathopoulos05], HiStar [Zeldovich06], Flume [Krohn07], DStar [Zeldovich08]

Summary
- Current DIFC systems fall short of enforcing comprehensive DIFC policies
- Laminar solves this by introducing security regions and integrating PL + OS mechanisms
- Laminar provides fine-grained DIFC, and yet has low overheads

Thank you!

BACKUP SLIDES

Implicit information flow (H is secret)

    // H has label {secret}
    // L has label {}
    L.val = false;
    if(H.val) L.val = true;

- H.val = true? No: L remains false. Yes: L is assigned true.
- Value of L reveals H.

Handling implicit information flows

    // H has label {secret}
    // L has label {}
    L.val = false;
    secure(credentials){
        if(H.val) L.val = true;
    } catch() { } // mandatory catch block; executes with same labels as the security region

- H.val = true? No: L.val not assigned. Yes: VM raises exception, L.val not assigned.
- Exception not revealed. L.val always false! No implicit flow.
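To make the rules on the "Checks inside a security region" slides and the implicit-flow backup slides concrete, here is a small Python model of them. It is an added example written for this page, not Laminar's JVM or OS code: the Label, SecurityRegion and Labeled classes, the Python API shape, and the calendar and secret-bit sample values are all assumptions. A Label carries a secrecy set and an integrity set of principals; a flow from label a to label b is legal when a's secrecy set is contained in b's and b's integrity set is contained in a's. A SecurityRegion plays the part of secure(label){ ... } catch(..){ }: reads and writes on labeled objects are only permitted inside it, each one is checked against the region's label, and a violation is swallowed by the mandatory catch so code outside cannot tell whether the body completed. The example also generalizes beyond the slides in one way: it handles integrity labels alongside secrecy labels.

```python
"""Toy model of Laminar-style DIFC checks (added example, not Laminar's own code).
All names, the API shape and the sample calendar/secret values are assumptions."""
from dataclasses import dataclass
from typing import Any, FrozenSet, Optional, Tuple


class DIFCViolation(Exception):
    """Raised by the modelled VM/reference monitor when a flow would be illegal."""


@dataclass(frozen=True)
class Label:
    secrecy: FrozenSet[str] = frozenset()
    integrity: FrozenSet[str] = frozenset()

    def can_flow_to(self, dst: "Label") -> bool:
        # Secrecy may only grow and integrity may only shrink along a legal flow.
        return self.secrecy <= dst.secrecy and dst.integrity <= self.integrity


_current: Optional["SecurityRegion"] = None  # region of the running thread, if any


class SecurityRegion:
    """Stands in for secure(label){ ... } catch(..){ }: the thread takes the label on entry."""

    def __init__(self, label: Label) -> None:
        self.label = label
        self._outer: Optional["SecurityRegion"] = None

    def __enter__(self) -> "SecurityRegion":
        global _current
        self._outer, _current = _current, self
        return self

    def __exit__(self, exc_type, exc, tb) -> bool:
        global _current
        _current = self._outer
        # Mandatory catch block: a violation ends the body but is not revealed outside.
        return exc_type is not None and issubclass(exc_type, DIFCViolation)


def _region() -> SecurityRegion:
    # Read/write barrier: touching a labeled object outside any region is a violation.
    if _current is None:
        raise DIFCViolation("labeled object accessed outside a security region")
    return _current


class Labeled:
    """An object on the labeled heap: label in the header, value in the body."""

    def __init__(self, label: Label, value: Any) -> None:
        self.label, self._value = label, value

    def read(self) -> Any:
        # Secrecy: cannot read more secret.  Integrity: cannot read less trusted.
        if not self.label.can_flow_to(_region().label):
            raise DIFCViolation(f"read of {self.label} inside {_region().label}")
        return self._value

    def write(self, value: Any) -> None:
        # Secrecy: cannot write to less secret.  Integrity: cannot write to more trusted.
        if not _region().label.can_flow_to(self.label):
            raise DIFCViolation(f"write to {self.label} inside {_region().label}")
        self._value = value


def S(*principals: str) -> Label:
    """Secrecy-only label, e.g. S("Alice", "Bob") for {Alice, Bob}."""
    return Label(secrecy=frozenset(principals))


def calendar_copy(direction: str) -> Tuple[str, str]:
    """Replays both 'checks inside a security region' slides on constructed calendars.
    "up":   mainCal.event = aliceCal.date   ({Alice} -> {Alice, Bob})
    "down": aliceCal.date = mainCal.event   ({Alice, Bob} -> {Alice})
    Returns (mainCal, aliceCal) afterwards, read under credentials {Alice, Bob}."""
    main_cal = Labeled(S("Alice", "Bob"), "free")       # constructed sample values
    alice_cal = Labeled(S("Alice"), "office work")
    src, dst = (alice_cal, main_cal) if direction == "up" else (main_cal, alice_cal)
    with SecurityRegion(S("Alice", "Bob")):              # credentials = {Alice, Bob}
        dst.write(src.read())                            # may raise; swallowed by catch
    with SecurityRegion(S("Alice", "Bob")):
        return main_cal.read(), alice_cal.read()


def read_outside_region_is_rejected() -> bool:
    """'Checks outside a security region': cal.getMeetTime() with no enclosing secure{}."""
    cal = Labeled(S("Alice", "Bob"), "10:00")
    try:
        cal.read()
    except DIFCViolation:
        return True
    return False


def implicit_flow(secret_bit: bool) -> bool:
    """Backup slides: if (H.val) L.val = true; inside secure(credentials){ } catch(){ }."""
    H = Labeled(S("secret"), secret_bit)  # H has label {secret}
    L = Labeled(S(), False)                # L has label {}
    with SecurityRegion(S("secret")):
        if H.read():
            L.write(True)  # write to less secret: VM raises, catch swallows, L untouched
    with SecurityRegion(S()):              # untrusted code inspects L afterwards
        return L.read()


if __name__ == "__main__":
    print(calendar_copy("up"), calendar_copy("down"))
    print(read_outside_region_is_rejected())
    print(implicit_flow(True), implicit_flow(False))
```

Running it shows the three behaviours the slides describe: the copy from {Alice} to {Alice, Bob} goes through, the copy in the other direction is rejected and leaves aliceCal unchanged, the read outside any region trips the barrier, and L stays false whatever H held, so the secret bit never reaches the untrusted reader. The real Laminar implementation keeps labels in object headers and kernel security fields and checks them with read/write barriers and the OS reference monitor; this model only reproduces the decision logic.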
