Operating System Process Level Security
By Ronny Bull, Chaitanya Pinnamaneni, Alex Stuart
Security Threats of Today's Cloud
• WordPress root hack – Facebook & Twitter accounts compromised
• Monster.com attack – 146,000 accounts compromised
• UN website defaced via SQL injection
• Payroll site closes on security worries
• Hacker accesses thousands of personal data files at CSU Chico
• FTC investigates PETCO.com security hole
• Major breach of UCLA's computer files
• reStructuredText include directive does not respect ACLs
Current Threats
• SQL injection
• Man in the middle
• Spoofing
• Server-side malware, e.g. Farmville
• Client-side malware
Diagram: Alice's Data and Bob's Data both pass through a Vulnerable Web App
Decentralized Information Flow Control
• A variation of classic information flow control
• Improves the security of complex applications even in the presence of potential exploits, e.g. third-party plugins
• Services are distributed and policies are enforced at the userspace level
• The user cannot directly interact with the kernel
• Provides an API for secure cloud-based application development
• The opposite of centralized flow control, which requires individual attention for each application
What is Process Level Security
• Divides processes into two categories: trusted and untrusted
• Untrusted processes do most of the computation and are constrained by transparent DIFC controls
• Trusted processes are conscious of DIFC and manage the privacy and integrity controls that constrain the untrusted processes
Tags & Labels
• Provides security against the aforementioned threats
• Utilizes DIFC and process-level security
• Tags and labels are used to track data as it flows through a cloud-based system
• Tags have no meaning to the user, but to the processes the tags represent levels of security xor integrity (a given tag is one or the other, never both)
• There are two types of labels, Security (Sp) and Integrity (Ip)
• Security tags are grouped within a security label and integrity tags within an integrity label
Example of Label and Tags
Label: { "Financial Reports", "HR Documents" }
Each quoted entry inside the braces is a tag; the braces enclose the label.
Differences Between Security and Integrity
• Security (Sq): as a matter of secrecy, every process is allowed to add tags to its label in order to access the private data associated with them, but it may not declassify (remove) a tag until it has permission from the tag's owner.
• Integrity (Iq): as a matter of integrity, every process is allowed to remove a tag from its label in order to read lower-integrity files, but it may not add the tag back without the owner's permission.
Rule 1 & 2
The aim of this model is to track the flow of data by controlling processes, messages and their label changes.
Rule 1. A system is secure if every change made to the label of a process is safe.
Rule 2. All allowed communications are "safe".
Label Changes are Safe
For a process q, let the label L be either Sq or Iq, and let the new label L′ be S′q or I′q.
The change from L to L′ is safe if and only if {L′ − L}+ ∪ {L − L′}− ⊆ Oq, i.e. q holds a + capability for every tag it adds and a − capability for every tag it drops.
Communication problem
Worked examples of process q changing its secrecy label to communicate with process p:
Adding a tag requires {L′ − L}+ ⊆ Oq:
  Sq = { t }, Oq = { t+, t-, b+ }, Sq′ = { t, b }; Sp = { b }; { Sq′ − Sq }+ = { b+ } ⊆ Oq
Dropping a tag requires {L − L′}− ⊆ Oq:
  Sq = { t, b }, Oq = { t+, t-, b- }, Sq′ = { b }; Sp = { b }; { Sq − Sq′ }− = { t- } ⊆ Oq
Further configurations shown on the slide (both processes' labels and capability sets):
  Sq = { b }, Oq = { t+, t-, b- }; Sp = { b }, Op = { b+, b-, h+ }
  Sq = { b, t }, Oq = { t+, t-, b- }; Sp = { b }, Op = { b+, b-, h+ }
  Sq = { b }, Oq = { t+, t-, b- }; Sp = { b, h }, Op = { b+, b-, h+ }
Problem with above rule
Diagram: Process p with Sp = { a } sends to Process q with Sq = { } and Oq = { a, b }, which sends on to Process r with Sr = { b }
Rule 3. Communication by sending a message (here from r to q) is safe iff Sr − Or ⊆ Sq ∪ Oq and Iq − Oq ⊆ Ir ∪ Or.
Diagram: processes A, B and C
  Sa = { a }, Oa = { a+, h-, h+ }
  Sp = { a }, Op = { a+, a-, h+ }
  Sc = { c }, Oc = { c+, c-, k+ }
  after the label change: Sp′ = { a, c }
Rule 4. A readable endpoint e is safe iff (Se − Sp) ⊆ Dp.
Rule 5. A writable endpoint e is safe iff (Sp − Se) ⊆ Dp.
• For any tag t ∈ Sp with t ∉ Se,
• or any tag t ∈ Se with t ∉ Sp,
• it must be that t ∈ Dp.
Diagram (reading and writing between process p and endpoint e): Sp = { F }, Dp = { F, H }; Se = { H }
External Sinks and Sources
A process can read from or write to anything outside Flume's control (network, terminal, printer, a remote host on the network, or the console) if and only if it can decrease its secrecy label to { }.
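The label-change rule, Rule 3, Rules 4/5 and the external-sink rule above, as an added Python checker (example code, not from the slides or from Flume): labels are sets of tag names, a capability set holds strings such as "b+" and "b-", Dp is given directly as a set of tags, and O in Rule 3 is read as the set of tags the relevant capability covers (an assumption about the slide's notation).

```python
# Added example, not from the slides: a small checker for the DIFC rules the
# deck states. A secrecy/integrity label is a set of tag names. A capability
# set O holds strings such as "b+" (may add tag b) and "b-" (may drop tag b);
# the dual privilege set D holds tags for which a process has both.
Label = set
Caps = set


def _addable(caps: Caps) -> Label:
    return {c[:-1] for c in caps if c.endswith("+")}


def _droppable(caps: Caps) -> Label:
    return {c[:-1] for c in caps if c.endswith("-")}


def label_change_safe(old: Label, new: Label, caps: Caps) -> bool:
    """{L' - L}+ ∪ {L - L'}- ⊆ O: every added tag needs its '+' capability,
    every removed tag its '-' capability."""
    return (new - old) <= _addable(caps) and (old - new) <= _droppable(caps)


def message_safe(s_snd: Label, o_snd: Caps, i_snd: Label,
                 s_rcv: Label, o_rcv: Caps, i_rcv: Label) -> bool:
    """Rule 3: secrecy the sender cannot shed must already be at (or be
    addable by) the receiver; integrity the receiver cannot shed must be
    held (or addable) by the sender. Reading O as 'tags covered by the
    relevant capability' is an assumption about the slide's notation."""
    secrecy_ok = (s_snd - _droppable(o_snd)) <= (s_rcv | _addable(o_rcv))
    integrity_ok = (i_rcv - _droppable(o_rcv)) <= (i_snd | _addable(o_snd))
    return secrecy_ok and integrity_ok


def endpoint_safe(s_proc: Label, d_proc: Label, s_end: Label, writable: bool) -> bool:
    """Rule 4 (readable): Se - Sp ⊆ Dp.  Rule 5 (writable): Sp - Se ⊆ Dp."""
    diff = (s_proc - s_end) if writable else (s_end - s_proc)
    return diff <= d_proc


def may_reach_outside(secrecy: Label, caps: Caps) -> bool:
    """External sinks/sources: allowed iff the process can lower its secrecy
    label to {} by dropping every tag it holds a '-' capability for."""
    return not (secrecy - _droppable(caps))


if __name__ == "__main__":
    # Slide example: Sq = {t}, Oq = {t+, t-, b+}; q wants Sq' = {t, b} to read p's data (Sp = {b})
    print(label_change_safe({"t"}, {"t", "b"}, {"t+", "t-", "b+"}))   # True
    print(label_change_safe({"t"}, {"t", "b"}, {"t+", "t-", "b-"}))   # False: no b+
    # Slide example: Sp = {F}, Dp = {F, H}, endpoint Se = {H}
    print(endpoint_safe({"F"}, {"F", "H"}, {"H"}, writable=False))    # True
```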
Examples
Diagram: Process r with Sr = { } talking to the Internet
Diagram: Wiki, Malicious Application, Blue's data, Red's data, Public data, Authentication Tag
  Bs = { b }, Rs = { r }
  Sb = { b }, Ob = { b+, b-, r+, p+ }
  Sb = { b, r }, Ob = { b+, b-, r+, p+ }
  { }
  Sb = { r }, Ob = { b+, b-, r+, p+ }
  Sr = { r }, Or = { r+, r-, b+, p+ }
  Sb = { b, r }, Ob = { b+, b-, r+, p+ }
Packet Wrapper
Diagram: an encrypted wrapper enclosing Label & Tag Id | Application Header | Permissions | Data
References
• http://www.informationweek.com/news/security/attacks/229401577
• Krohn et al., Information Flow Control for Standard OS Abstractions, SOSP '07, October 14-17, 2007: http://www.sosp2007.org/talks/sosp112-krohn.pdf
• Securing the Web with Decentralized Information Flow Control, lecture by Krohn, MIT: http://www.youtube.com/watch?v=hO5XWLVoi24