By Ronny Bull, Chaitanya Pinnamaneni, Alex Stuart

By Ronny Bull, Chaitanya Pinnamaneni, Alex Stuart

Operating System Process Level Security

Word Press root hack – Facebook & Twitter accounts compromised

Monster.com attack 146,000 accounts compromisedUN Website - Defaced via SQL InjectionPayroll Site Closes on Security WorriesHacker Accesses Thousands of Personal Data Files

at CSU ChicoFTC Investigates PETCO.com Security HoleMajor Breach of UCLA’s Computer FilesRestructured Text Include Directive Does Not

Respect ACLs

Security Threats of Today’s Cloud

SQL injectionMan in the middleSpoofingServerside Malware e.g. FarmvilleClientside Malware

Current Threats

Alice’s Data

Bob’s Data

Vulnerable Web App

Variation of classic information flow controlAbility to improve the security of complex

applications even in the presence of potential exploits e.g. third party plugins

Services are distributed and policies are enforced at the userspace level

User cannot directly interact with the kernelAPI for secure cloud based application

developmentOpposite of centralized flow control which

requires individual attention for each application

Decentralized Information Flow Control

Divides processes into two categories: Trusted and Non-trusted

Untrusted - do most of computation- constrained by transparent DIFC

controls

Trusted - conscious of DIFC- manage the privacy and integrity

controls that constrain untrusted

processes

What is Process Level Security

Provides security against aforementioned threats

Utilizes DIFC and process level securityTags and labels are used to track data as it

flows through a cloud based systemTags have no meaning to the user, but to the

processes the tags represent levels of security xor integrity

There are two types of labels, Security (Sp) and Integrity (Ip)

Security tags are grouped within a security label and vesa versa

Tags & Labels

Example of Label and Tags

{ “Financial Reports”

“HR Documents” }

Tag

Label

Security (Sq) - As a matter of security all process are allowed to add tags to its label to access the private data associated with it but doesn’t allow the processes to declassify it until it has permissions from the owner of the tag.

Integrity (Iq) - As a matter of integrity all process are allowed to declassify tag from its label, to read lower integrity files but doesn’t allow the processes to add tag again, without the owner’s permission.

Differences Between Security and Integrity

The aim of this model is to track the flow of data by controlling process, message and its label changes.

Rule 1. A system is secure if every change made to the label of the process are safe

Rule 2. All allowed communications are “safe”

Rule 1 & 2

For a process q, let label set “L” consists of Sq or Iq, and the new value of label L′ with S′q or I′q,

The change from L to L′ is safe if and only if: {L′ −L}+ ∪ {L−L′}− ⊆ Op.

Label Changes are safe

q p

{L` −L}+ ⊆ Op

{ Sq`- Sq }+ = Oq = { t+ , t-, b+ }

Sq = { t } Oq = { t+ , t- , b+ }Sq` = { t , b }

Sp = { b }Sq = { t ,b} Oq = { t+ , t- , b- }Sq` = { b }

Sp = { b }

{L −L`}- ⊆ Op

{ Sq- Sq` }- = Oq = { t+ , t-, b- }

q p

Sq = { b} Oq = { t+ , t- , b- }

Sp = { b } Oq={ b+, b,-h+}

Sq = { b, t} Oq = { t+ , t- , b- }

Sp = { b } Oq={ b+, b,-h+}

Sq = { b} Oq = { t+ , t- , b- }

Sp = { b, h } Oq={ b+, b,-h+}

Communication problem

Process (p) Process (q) Process (r)

Sp = { a } Sq = { }Oq = { a, b }

Sr = { b }

Rule 3. Communication by sending a message is safe iff Sr − Or ⊆ Sq ∪ Oq Iq−Oq ⊆ Ir ∪Or.

Problem with above rule

A B

C

Sa = { a} Oq = { a+ , h-,h+ }

Sp = { a } Oq={ a+, a-,h+}

Sc = { c } Oq={ c+, c-,k+}

Sp` = { a,c}

Rule 4. A readable endpoint e is safe iff (Se−Sp) ⊆ Dp. Rule 5 A writable endpoint e is safe iff (Sp −Se) ⊆ Dp

• For any tag t є Sp and t є Se

• Or any tag t є Se and t є Sp

• It must be that t є Dp

Writing

Reading

Process p e

Se = { H }Sp = { F }

Dp = { F , H }

a process can read or write to a outside flume contorl (network, terminal, printer, remote host to the network or console if and only if it can decrease its secrecy label to {}

External Sinks and Sources

Process r Internet

Sr = {}

Wiki

Malicious Applicatio

n

Blue’s data

Red’s data

Public data

AuthenticationTag

Bs = { b }

Rs = { r }

Sb = { b }Ob = { b+ b- r+ p+ } Sb = { b , r }Ob = { b+ b- r+ p+ }

{}

Sb = { r }Ob = { b+ b- r+ p+}

Sr = { r }Or = { r+ r- b+ p+}

Sb = { b , r }Ob = { b+ b- r+ p+}

Examples

Encryption

Encryption

Packet Wrapper

Label &Tag Id

Application Header

Permissions

Data

http://www.informationweek.com/news/security/attacks/229401577

http://www.sosp2007.org/talks/sosp112-krohn.pdf

Information Flow Control for Standard OS Abstractions: SOSP ’07 October 14-17 2007

Securing the Web with Decentralized Information Flow Control: Lecture by Krohn MIT http://www.youtube.com/watch?v=hO5XWLVoi24

References