Operating System Process Level Security

Transcript Operating System Process Level Security

By Ronny Bull, Chaitanya Pinnamaneni, Alex Stuart
• WordPress root hack – Facebook & Twitter accounts compromised
• Monster.com attack – 146,000 accounts compromised
• UN website defaced via SQL injection
• Payroll site closes on security worries
• Hacker accesses thousands of personal data files at CSU Chico
• FTC investigates PETCO.com security hole
• Major breach of UCLA's computer files
• reStructuredText include directive does not respect ACLs
• SQL injection
• Man in the middle
• Spoofing
• Server-side malware, e.g. Farmville
• Client-side malware
[Diagram: Alice's data and Bob's data both pass through a vulnerable web app]
• A variation of classic information flow control
• Improves the security of complex applications even in the presence of potential exploits, e.g. in third-party plugins
• Services are distributed and policies are enforced at the user-space level
• A confined process cannot interact with the kernel directly
• An API for secure cloud-based application development
• The opposite of centralized flow control, which requires individual attention for each application
• Divides processes into two categories: trusted and untrusted
• Untrusted processes do most of the computation and are constrained by transparent DIFC controls
• Trusted processes are conscious of DIFC and manage the privacy and integrity controls that constrain the untrusted processes
• Provides security against the aforementioned threats
• Utilizes DIFC and process-level security
• Tags and labels are used to track data as it flows through a cloud-based system
• Tags have no meaning to the user; to the processes each tag represents a level of either secrecy or integrity (a given tag is used for one or the other, not both)
• There are two types of labels: security, i.e. secrecy (S_p), and integrity (I_p)
• Secrecy tags are grouped within a secrecy label and integrity tags within an integrity label
Example: a label is a set of tags, e.g. { "Financial Reports", "HR Documents" }
</gra_replace_placeholder_never_used>
• Secrecy (S_q): any process may add a tag to its secrecy label in order to read the private data protected by that tag, but it may not remove (declassify) the tag again until the owner of the tag grants it permission (the t− capability).
• Integrity (I_q): any process may remove a tag from its integrity label in order to read lower-integrity data, but it may not add the tag back without the owner's permission (the t+ capability).
• The aim of this model is to track the flow of data by controlling processes, messages and their label changes.
• Rule 1. A system is secure if every change made to the label of a process is safe.
• Rule 2. All allowed communications are "safe".
• For a process q, let the label L be S_q or I_q, and let the new label L′ be S′_q or I′_q.
• The change from L to L′ is safe if and only if
  $\{L' - L\}^{+} \cup \{L - L'\}^{-} \subseteq O_q$
  where $\{X\}^{+}$ is the set of t+ capabilities and $\{X\}^{-}$ the set of t− capabilities for the tags t in X, and O_q is the set of capabilities q owns.
Worked example (recovered from the slide): process q has S_q = {t, b} and O_q = {t+, t−, b+, b−}. Changing to S′_q = {b} requires
  $\{S'_q - S_q\}^{+} \cup \{S_q - S'_q\}^{-} = \{t-\} \subseteq O_q$
which holds, so the change is safe.

Second example (recovered from the slide): process p has S_p = {b} and the ownership set {b+, b−, h+}. Changing to S′_p = {b, h} requires {h+}, which is owned, so the change is safe; changing back from {b, h} to {b} would require h−, which is not owned.
Example processes (from the slide):
  Process p: S_p = { a }
  Process q: S_q = { }, O_q = { a, b }
  Process r: S_r = { b }

Rule 3. Communication by r sending a message to q is safe iff
  $S_r - O_r \subseteq S_q \cup O_q$ and $I_q - O_q \subseteq I_r \cup O_r$
(here O_x is read as the set of tags for which x holds both t+ and t−, i.e. its dual-privilege set, written D_x in the Flume paper; q's O_q = { a, b } above is of that form).
Example (recovered from the slide):
  Process C: S_C = { c }, O_C = { c+, c−, k+ }
  Process A: S_A = { a }, O_A = { a+, h−, h+ }
  Process B: S_B = { a }, O_B = { a+, a−, h+ }, changed to S′_B = { a, c }
Writing
• For any tag t ∈ S_p with t ∉ S_e, it must be that t ∈ D_p
Reading
• For any tag t ∈ S_e with t ∉ S_p, it must be that t ∈ D_p

Example: process p with S_p = { F }, endpoint e with S_e = { H }, and D_p = { F, H }

Rule 4. A readable endpoint e is safe iff $(S_e - S_p) \subseteq D_p$.
Rule 5. A writable endpoint e is safe iff $(S_p - S_e) \subseteq D_p$.
• A process can read from or write to anything outside Flume's control (the network, a terminal, a printer, a remote host, or the console) if and only if it can decrease its secrecy label to {}.

Example: process r with S_r = {} may communicate with the Internet (label {}).
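The label-change, message, endpoint and export rules above (Rules 1 to 5 and the "decrease to {}" rule), as an added Python example that is not Flume's own code. Tags are opaque strings, capabilities are the strings "t+" and "t−" (written "t-"), and the process names q, p, r, and blue with their labels are constructed from the slides' examples; D_p is computed as the set of tags a process holds both t+ and t- for, which is an assumption about how the slides' O_q = { a, b } is to be read.

```python
# Added example (not Flume's implementation): a toy model of the DIFC label
# rules in the slides. Tags are opaque strings; a capability is "t+" or "t-".
# All process names and labels below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    S: frozenset                # secrecy label S_p
    O: frozenset                # ownership set O_p of "t+" / "t-" capabilities
    I: frozenset = frozenset()  # integrity label I_p (empty unless stated)


def dual_privileges(O):
    """D_p: tags t for which the process holds both t+ and t-."""
    tags = {cap[:-1] for cap in O}
    return frozenset(t for t in tags if t + "+" in O and t + "-" in O)


def safe_label_change(L_old, L_new, O):
    """Rule 1: L -> L' is safe iff {L'-L}+ ∪ {L-L'}- ⊆ O.

    Returns (safe, required) so a caller can see which capability is missing.
    """
    required = {t + "+" for t in L_new - L_old} | {t + "-" for t in L_old - L_new}
    return required <= set(O), frozenset(required)


def safe_message(sender, receiver):
    """Rule 3 (r sends to q): S_r - D_r ⊆ S_q ∪ D_q and I_q - D_q ⊆ I_r ∪ D_r."""
    D_s, D_r = dual_privileges(sender.O), dual_privileges(receiver.O)
    secrecy_ok = (sender.S - D_s) <= (receiver.S | D_r)
    integrity_ok = (receiver.I - D_r) <= (sender.I | D_s)
    return secrecy_ok and integrity_ok


def safe_readable_endpoint(p, S_e):
    """Rule 4: e is a safe read endpoint for p iff (S_e - S_p) ⊆ D_p."""
    return (S_e - p.S) <= dual_privileges(p.O)


def safe_writable_endpoint(p, S_e):
    """Rule 5: e is a safe write endpoint for p iff (S_p - S_e) ⊆ D_p."""
    return (p.S - S_e) <= dual_privileges(p.O)


def can_export(p):
    """External I/O (network, terminal, ...) is allowed iff p can lower S_p to {}."""
    safe, _ = safe_label_change(p.S, frozenset(), p.O)
    return safe


def demo():
    """Re-run the slides' examples; returns a dict of outcomes."""
    # Label change: q holds t-, so dropping t from {t, b} is a safe declassify.
    q = Process("q", frozenset({"t", "b"}), frozenset({"t+", "t-", "b+", "b-"}))
    drop_t, _ = safe_label_change(q.S, frozenset({"b"}), q.O)
    # p may add h (it holds h+) but can never remove it again (no h-).
    p = Process("p", frozenset({"b"}), frozenset({"b+", "b-", "h+"}))
    add_h, _ = safe_label_change(p.S, frozenset({"b", "h"}), p.O)
    remove_h, missing = safe_label_change(frozenset({"b", "h"}), p.S, p.O)
    # Message: r (S_r={b}) -> q2 (S_q={}, dual privilege over a and b) is safe;
    # p1 (S_p={a}) -> r is not, since r neither carries a nor may declassify it.
    q2 = Process("q", frozenset(), frozenset({"a+", "a-", "b+", "b-"}))
    r = Process("r", frozenset({"b"}), frozenset())
    p1 = Process("p", frozenset({"a"}), frozenset())
    # Endpoint: p2 with S_p={F} and D_p={F,H} may read an endpoint labelled {H}.
    p2 = Process("p", frozenset({"F"}), frozenset({"F+", "F-", "H+", "H-"}))
    # Wiki: Blue read Red's data (S_b={b,r}) but holds no r-, so cannot export.
    blue = Process("blue", frozenset({"b", "r"}), frozenset({"b+", "b-", "r+", "p+"}))
    return {
        "q_drop_t": drop_t,
        "p_add_h": add_h,
        "p_remove_h": remove_h,
        "p_remove_h_missing": missing,
        "r_to_q": safe_message(r, q2),
        "p_to_r": safe_message(p1, r),
        "p_reads_e": safe_readable_endpoint(p2, frozenset({"H"})),
        "r_exports": can_export(Process("r", frozenset(), frozenset())),
        "blue_exports": can_export(blue),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last case is the one that matters for the wiki scenario later in the deck: a process that has read both Blue's and Red's data carries both tags, and without r− from Red it can never bring its label back to {}, so it cannot write to the network no matter what a compromised plugin inside it tries to do.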
[Diagram: wiki example. Blue's data carries secrecy label { b } and Red's data carries { r }; the wiki issues an authentication tag, shown as p+. Blue's process: S_b = { b, r }, O_b = { b+, b−, r+, p+ }. Red's process: S_r = { r }, O_r = { r+, r−, b+, p+ }. A malicious application and public data sit alongside.]

[Diagram: layout of a tagged unit of data: label & tag id, application header, permissions, data]
• InformationWeek: http://www.informationweek.com/news/security/attacks/229401577
• M. Krohn et al., Information Flow Control for Standard OS Abstractions, SOSP '07, October 14-17, 2007: http://www.sosp2007.org/talks/sosp112-krohn.pdf
• Securing the Web with Decentralized Information Flow Control, lecture by Krohn (MIT): http://www.youtube.com/watch?v=hO5XWLVoi24