Operating System Process Level Security
Download
Report
Transcript Operating System Process Level Security
By Ronny Bull, Chaitanya Pinnamaneni, Alex Stuart
Word Press root hack – Facebook & Twitter accounts
compromised
Monster.com attack 146,000 accounts compromised
UN Website - Defaced via SQL Injection
Payroll Site Closes on Security Worries
Hacker Accesses Thousands of Personal Data Files at
CSU Chico
FTC Investigates PETCO.com Security Hole
Major Breach of UCLA’s Computer Files
Restructured Text Include Directive Does Not Respect
ACLs
SQL injection
Man in the middle
Spoofing
Serverside Malware e.g. Farmville
Clientside Malware
Alice’s
Data
Vulnerable Web
App
Bob’s Data
Variation of classic information flow control
Ability to improve the security of complex applications
even in the presence of potential exploits e.g. third
party plugins
Services are distributed and policies are enforced at
the userspace level
User cannot directly interact with the kernel
API for secure cloud based application development
Opposite of centralized flow control which requires
individual attention for each application
Divides processes into two categories: Trusted and
Non-trusted
Untrusted - do most of computation
- constrained by transparent DIFC controls
Trusted
- conscious of DIFC
- manage the privacy and integrity controls
that constrain untrusted processes
Provides security against aforementioned threats
Utilizes DIFC and process level security
Tags and labels are used to track data as it flows
through a cloud based system
Tags have no meaning to the user, but to the processes
the tags represent levels of security xor integrity
There are two types of labels, Security (Sp) and
Integrity (Ip)
Security tags are grouped within a security label and
vesa versa
Label
Tag
{ “Financial Reports”
“HR Documents” }
Security (Sq) - As a matter of security all process are
allowed to add tags to its label to access the private
data associated with it but doesn’t allow the processes
to declassify it until it has permissions from the owner
of the tag.
Integrity (Iq) - As a matter of integrity all process are
allowed to declassify tag from its label, to read lower
integrity files but doesn’t allow the processes to add
tag again, without the owner’s permission.
The aim of this model is to track the flow of data by
controlling process, message and its label changes.
Rule 1. A system is secure if every change made to the
label of the process are safe
Rule 2. All allowed communications are “safe”
For a process q, let label set “L” consists of Sq or Iq, and
the new value of label L′ with S′q or I′q,
The change from L to L′ is safe if and only if:
{L′ −L}+ ∪ {L−L′}− ⊆ Op.
q
Sq
Sq == {{ tt ,b}
} Oq
Oq=={ {t+t+, ,t-t-, ,b+
b-}}
Sq`
Sq` == {{ bt ,} b }
{L`
{L −L`}
−L}+- ⊆
⊆O
Opp
{{Sq`Sq- Sq`
Sq }}+-==Oq
Oq== {{t+
t+ ,,t-,
t-,b+
b- }
p
Sp = { b }
q
Sq
Sq == {{ b,
b}t} Oq
Oq= ={ t+
{ t+, t, t-, b, b-} }
p
SpSp
Sp
==
{=b,
{{ bb
h}} Oq={
Oq={ b+,
b+, b,-h+}
b,-h+}
Process (p)
Sp = { a }
Process (q)
Sq = { }
Oq = { a, b }
Process (r)
Sr = { b }
Rule 3. Communication by sending a message is safe
iff
Sr − Or ⊆ Sq ∪ Oq
Iq−Oq ⊆ Ir ∪Or.
C
Sc = { c } Oq={ c+, c-,k+}
A
Sa = { a} Oq = { a+ , h-,h+ }
B
Sp = { a } Oq={ a+, a-,h+}
Sp` = { a,c}
Writing
• For any tag t є Sp and t є Se
Reading
• Or any tag t є Se and t є Sp
• It must be that t є Dp
Process p
Sp = { F }
e
Se = { H }
Dp = { F , H }
Rule 4. A readable endpoint e is safe iff
(Se−Sp) ⊆ Dp.
Rule 5 A writable endpoint e is safe iff
(Sp −Se) ⊆ Dp
a process can read or write to a outside flume contorl
(network, terminal, printer, remote host to the
network or console if and only if it can decrease its
secrecy label to {}
Process r
Sr = {}
Internet
{}
Bs = { b }
Wiki
Authentication
Tag
Sb = { rb},} r }
Sb = { b , r }
Ob = { b+ b- r+ p+}
p+ }
Ob = { b+ b- r+ p+}
Blue’s data
Red’s data
Sr = { r }
Or = { r+ r- b+ p+}
Rs = { r }
Malicious
Application
Public data
Label &Tag Id
Application Header
Permissions
Data
http://www.informationweek.com/news/security/atta
cks/229401577
http://www.sosp2007.org/talks/sosp112-krohn.pdf
Information Flow Control for Standard OS
Abstractions: SOSP ’07 October 14-17 2007
Securing the Web with Decentralized Information
Flow Control: Lecture by Krohn MIT
http://www.youtube.com/watch?v=hO5XWLVoi24