Securing Distributed Systems with Information Flow Control


DESCRIPTION

Securing Distributed Systems with Information Flow Control. CS6204 Privacy and Security, Virginia Tech. Nikhil Komawar, Oct 6, 2011. Outline: Introduction, Information Flow Control, Design, Implementation, Instance applications, Evaluation.

Slide 1: Title

Securing Distributed Systems with Information Flow Control

CS6204 Privacy and Security, Virginia Tech

Nikhil Komawar, Oct 6, 2011

Fall, 2011 - Privacy&Security - Virginia Tech Computer Science

Slide 2: Outline

- Introduction
- Information Flow Control
- Design
- Implementation
- Instance applications
- Evaluation

Slide 3: Introduction

We try to design systems which remain secure despite untrustworthy code.

- Decentralized trust: an OS has an entirely trusted kernel; that is not the case for a distributed system. One solution is to centralize the trust mechanism (not the most effective!).
- Egalitarian mechanism: specifically designed for applications; even unprivileged code can use DIFC.
- No inherent covert channels: avoid any covert channels in DStar's interface, to meet different security requirements.

Slide 4: A typical web application

(figure)

Slide 5: Information Flow Control

- Labels ensure the communication between two processes and fix the direction of communication.
- Processes S and R: flows from S to R; flows even from R to S (the label conditions shown on the slide are not present in the extracted text).
- On a distributed system, a message M carries a label L_M.

Slide 6: Downgrading privileges

If information only ever flows to a higher label, then we will not get anything out of the system.

S can send message M to R if (condition shown as a formula on the slide; not present in the extracted text).

Slide 7: Categories

- A process P's downgrading privileges are also represented as categories: P owns a category (formula not present in the extracted text).
- Set of categories in a DStar message M (formula not present in the extracted text).

Slide 8: Lattice structure

(figure)

Slide 9: Clearance

Each process has a third set of categories C_P, besides L_P and O_P, called its clearance: it gives process P the right to raise its own label (the bound shown as a formula on the slide is not present in the extracted text).

Slide 10: Example

(figure)

Slide 11: DStar Exporter

Run on each host: an exporter daemon which meets three requirements:

- Track the labels assigned to, and the categories owned by, each process on the machine.
- Ensure a process cannot send messages with an inappropriate label.
- Send and accept a network message M only when the remote exporter can be trusted.

Slide 12: Local OS DIFC

- We may have different host OSes: Asbestos, HiStar, Flume. We refer to their categories as OS categories and OS labels.
- Downgrading privileges: corresponding category (formula not present in the extracted text).
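As an added example (not from the slides or from DStar's own code) covering the label, ownership and clearance rules of slides 5 to 9 and the exporter checks of slide 11: a small Python model in which a label is a set of categories, the lattice order is subset inclusion, and the categories a process owns (O_P) are exempt from the flow check, which is what lets a process downgrade. Assumptions: secrecy categories only (DStar also has integrity categories), plain-string category names instead of self-certifying names, and a constructed map of which remote exporters each category trusts.

```python
# Added example (not from the slides or DStar's code): a toy model of the DIFC
# checks the talk describes.  Assumptions: labels hold secrecy categories only
# (DStar also has integrity categories), category names are plain strings rather
# than self-certifying names, and TRUST is a constructed delegation map.
from dataclasses import dataclass

Label = frozenset  # a label is a set of categories; L1 <= L2 is the lattice order


@dataclass(frozen=True)
class Process:
    name: str
    label: Label                # L_P: categories currently tainting the process
    owns: Label = Label()       # O_P: categories P may declassify (downgrade)
    clearance: Label = Label()  # C_P: highest label P is allowed to raise itself to


def flows(l1: Label, l2: Label, owned: Label = Label()) -> bool:
    """L1 flows to L2 once owned categories are disregarded: every category in
    L1 that the owner cannot declassify must also be present in L2."""
    return (l1 - owned) <= l2


def can_send(s: Process, l_m: Label, r: Process) -> bool:
    """Exporter check for message M labelled L_M from S to R: L_S must flow to L_M
    (S may drop categories it owns) and L_M must flow to L_R (R may drop its own)."""
    return flows(s.label, l_m, s.owns) and flows(l_m, r.label, r.owns)


def change_label(p: Process, new: Label) -> Process:
    """P may adopt `new` only if its current label flows there (ownership lets it
    shed owned categories) and `new` stays within its clearance C_P."""
    if not flows(p.label, new, p.owns):
        raise PermissionError(f"{p.name}: cannot drop {set(p.label - p.owns - new)}")
    if not new <= p.clearance:
        raise PermissionError(f"{p.name}: {set(new - p.clearance)} exceeds clearance")
    return Process(p.name, new, p.owns, p.clearance)


def exporter_may_forward(l_m: Label, remote: str, trust: dict) -> bool:
    """Network hop: a message may leave for `remote` only if every category in its
    label has been delegated to (trusts) that remote exporter."""
    return all(remote in trust.get(c, set()) for c in l_m)


# Constructed scenario: alice's data carries the category "alice".
ALICE = Label({"alice"})
worker = Process("worker", ALICE, clearance=ALICE)          # tainted by alice's data
outsider = Process("outsider", Label())                     # untainted, no clearance
declassifier = Process("declass", ALICE, owns=ALICE, clearance=ALICE)
alice_store = Process("alice_store", ALICE, clearance=ALICE)
TRUST = {"alice": {"exporter.host2"}}                       # alice trusts host2 only
```

With these definitions the tainted worker can reach alice_store but not the outsider, only the declassifier (which owns "alice") can emit an untainted message, and the exporter refuses to forward alice-labelled data to a host the category has not been delegated to.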

Slide 13: Local checks, Trust and Addressing

(figure)

Slide 14: Exporter Interface

- Local checks
- Addressing
- Decentralized trust

Slide 15: Management Service

- Delegation service: delegates from a local process to another exporter.
- Mapping service: mapping between DStar and local OS categories.
- Guarded invocation service: launches executables with specified arguments and privileges.
- Resource allocation service: allocates space for data and CPU time for threads.

Slide 16: HiStar

Object types in HiStar:

- Segments: zero or more memory pages.
- Containers: similar to directories.
- Threads: execute code.
- Gates: used for IPC and privilege transfer.

Slide 17: DStar and HiStar Mapping

- An object is in a container.
- HiStar category c maps to DStar category d through a binding segment.

Slide 18: HiStar SSL web server

(figure)

Slide 19: Code complexity

Lines of C code (table not present in the extracted text).

Slide 20: Web application on many HiStar machines

(figure)

Slide 21: Size of DStar structures

Compression of data using zlib.

Slide 22: Microbenchmarks

Microbenchmarks measuring the time to sign and verify certificates.

Slide 23: Throughput and Latency

(figure)

Slide 24: Different configurations

(figure)

Slide 25: Summary

- DStar: a framework for securing distributed systems.
- Uses the security label mechanisms of DIFC OSes.
- An exporter daemon runs on every machine; the exporter ensures safe communication.
- The trust relation is left to the applications.
- Self-certifying categories: fully trusted machines are not needed.
- Showed a DStar implementation of a three-tiered web server; the web server scales well.

Slide 26: Thank You!