Page 1
DIFC Programs by Automatic Instrumentation
William Harris, Somesh Jha, and Thomas Reps
Page 2
Decentralized Information Flow Control Operating System (DIFC OS)
Allows programs to control the flow of their data throughout the entire system.
Page 3
[Diagram: Spawner, Worker and Requester processes and the Network; the programs define the OS policy and the OS enforces it]
Page 4
void Program() {
  ...
}

void Program() {
  label l = …;
  …
  add_tag(l);
}
Page 5
Our Approach
[Diagram: a Program and a Security Policy are fed to the Instrumenter, which produces a Secure Program or reports a Failing Program / Failing Policy]
Page 6
Contributions
• From high-level policies to DIFC code
• Efficiently generate DIFC code
• Provide useful debugging information
Page 7
[Diagram: Spawner, Worker, Network, Requester]
Policy: ¬(Worker → Network), Requester ↔ Worker, Requester → Spawner
Page 8
Outline
• Challenge of instrumentation
• Instrumentation via constraints
• Case studies
Page 9
The Challenge of Instrumentation
• DIFC mechanics
• Instrumenting a server
Page 10
DIFC Mechanics
[Diagram: process P1 with label { a }, processes P2 and P3 with label { }, all running on the OS, which tracks the tag a]
Page 11
raise a label = read more
Page 12
Raising a Label to Read
[Diagram: P1 has label { a }; P2 starts with label { } and holds the positive capability +{ a }; after add_tag(a) its label is { a }, so it can read from P1]
add_tag(a);
Page 13
lower label = declassify
Page 14
Lowering a Label to Declassify
[Diagram: P1 has label { a }; P2 has label { a } and holds the negative capability -{ a }; after remove_tag(a) its label is { }, so it can send to the Network, whose label is { }]
remove_tag(a);
Page 15
The Challenge of Instrumentation
• DIFC mechanics
• Instrumenting a server
Page 16
[Diagram: Spawner; Worker with label { a } and negative capability -{ }; Proxy with label { } and capabilities +{ a }, -{ a }; Network with label { }; Requester]
Policy: ¬(Worker → Network), Requester ↔ Worker
Page 17
Challenge of Instrumentation
Instrument DIFC code that is:
1. Legal
2. Secure
3. Functional
Page 18
Outline
• Challenge of instrumentation
• Instrumentation via constraints
• Case studies
Page 19
Key Insight
From DIFC code, a DIFC system dynamically compares labels to decide flows.
Page 20
Key Insight
From a program and policy, an instrumenter statically constrains labels to instrument DIFC code.
Page 21
Key Payoffs of Constraints
• Naturally express semantics, policies
• Efficiently generate DIFC code
• Provide useful debugging information
Page 22
Instrumentation via Constraints
• Generating constraints
• Solving constraints
Page 23
Generating Constraints
1. Legal
2. Secure
3. Functional
Page 24
[Diagram: Spawner, Worker, Network, Requester]
void Spawner() {
1:  Conn c = requestConn();
2:  spawn(Worker, c);
}
Label variables at program points 1 and 2: Lab1, Pos1, Neg1, Create1 and Lab2, Pos2, Neg2, Create2
Page 25
Legal Rule #1: A process’s label only increases by tags in its positive capability.
1:  Conn c = requestConn();
2:  spawn(Worker, c);
Lab2 ⊆ Lab1 ∪ Pos1
Page 26
Legal Rule #2: A process’s label only decreases by tags in its negative capability.
1:  Conn c = requestConn();
2:  spawn(Worker, c);
Lab2 ⊇ Lab1 − Neg1
Page 27
Legal Rule #3: A process’s capabilities only increase to hold tags that the process creates.
1:  Conn c = requestConn();
2:  spawn(Worker, c);
Pos2 ⊆ Pos1 ∪ Create1
Neg2 ⊆ Neg1 ∪ Create1
Page 28
Generating Constraints
1. Legal
2. Secure
3. Functional
Page 29
[Diagram: Spawner, Worker, Network, Requester]
Policy: ¬(Worker → Network)
Constraint: ¬(LabW − NegW ⊆ LabN)
Page 30
Generating Constraints
1. Legal
2. Secure
3. Functional
Page 31
[Diagram: Spawner, Worker, Network, Requester]
Policy: Requester ↔ Worker
Constraints: LabW ⊆ LabR, LabR ⊆ LabW
Page 32
Instrumentation via Constraints
• Generating constraints
• Solving constraints
Page 33
Solving Constraints
• NP-complete in general
• Amenable to SMT solvers in practice
Page 34
[Diagram: Spawner, Worker, Network, Requester]
Policy: ¬(Worker → Network), Worker ↔ Requester, Requester → Spawner
Constraints:
Lab2 ⊆ Lab1 ∪ Pos1 …
¬(LabW − NegW ⊆ LabN)
LabW ⊆ LabR, LabR ⊆ LabW
LabW ⊆ LabS, LabS ⊆ LabW
Page 35
[Diagram: Spawner, Worker, Network, Requester]
Policy: ¬(Worker → Network), Worker ↔ Requester, Requester → Spawner
Page 36
[Diagram: Worker, Proxy, Network, Requester]
Policy: ¬(Worker → Network), Worker ↔ Requester, Worker ↔ Proxy, Requester ↔ Proxy
Page 37
[Diagram: Spawner; Worker with label { a } and negative capability -{ }; Proxy with label { } and capabilities +{ a }, -{ a }; Network with label { }; Requester]
Policy: ¬(Worker → Network), Worker ↔ Proxy, Requester ↔ Proxy, Requester → Spawner
Page 38
void Spawner() {
    tag a = create_tag();
1:  Conn c = requestConn();
2:  spawn(Worker, c);
}
Solution: Lab1 = { }, Pos1 = { }, Neg1 = { }, Create1 = { a }; Lab2 = { a }, Pos2 = { a }, Neg2 = { }, Create2 = { }
Instrumented line 2: spawn(Worker, c, lab: { a }, pos: { a }, neg: { });
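As an added example (the editor's code, not the authors' instrumenter), the three Legal Rules, the flow check and the two policy constraints from the slides above are encoded as Python set constraints and solved by brute force over a one-tag universe, reproducing the spawn(Worker, c, lab: { a }, pos: { a }, neg: { }) instrumentation of slide 38. It assumes, Flume-style, that creating tag a gives Spawner both capabilities for it at point 1 (the slide records the creation in Create1 instead), and it takes the Requester's and Network's labels as fixed inputs.

```python
from itertools import product

# Constructed tag universe: the one tag "a" that Spawner() creates.
TAGS = frozenset({"a"})

def powerset(universe):
    """All subsets of a small tag universe, as frozensets."""
    items = sorted(universe)
    for bits in product((0, 1), repeat=len(items)):
        yield frozenset(t for t, b in zip(items, bits) if b)

def can_flow(lab_src, neg_src, lab_dst):
    """DIFC flow check from the slides: src may send to dst iff every tag in
    src's label that src cannot declassify is also in dst's label."""
    return (lab_src - neg_src) <= lab_dst

def legal_step(s1, s2):
    """Legal Rules 1-3 between consecutive program points; a state is the
    tuple (Lab, Pos, Neg, Create) of label variables used on the slides."""
    lab1, pos1, neg1, create1 = s1
    lab2, pos2, neg2, _ = s2
    return (lab2 <= lab1 | pos1            # Rule 1: Lab2 ⊆ Lab1 ∪ Pos1
            and lab2 >= lab1 - neg1        # Rule 2: Lab2 ⊇ Lab1 − Neg1
            and pos2 <= pos1 | create1     # Rule 3: Pos2 ⊆ Pos1 ∪ Create1
            and neg2 <= neg1 | create1)    #         Neg2 ⊆ Neg1 ∪ Create1

def solve_spawner(lab_requester, lab_network):
    """Brute-force stand-in for the SMT solver: enumerate the Worker's (Lab2, Pos2, Neg2)
    and keep assignments that are legal from point 1 and satisfy the policy."""
    # Assumption (Flume-style create_tag): the creator of tag a holds both
    # capabilities for it, so at point 1 Lab1 = { }, Pos1 = Neg1 = Create1 = { a }.
    spawner = (frozenset(), TAGS, TAGS, TAGS)
    solutions = []
    for lab_w, pos_w, neg_w in product(powerset(TAGS), repeat=3):
        worker = (lab_w, pos_w, neg_w, frozenset())
        secure = not can_flow(lab_w, neg_w, lab_network)   # ¬(LabW − NegW ⊆ LabN)
        functional = lab_w == lab_requester                # LabW ⊆ LabR ∧ LabR ⊆ LabW
        if legal_step(spawner, worker) and secure and functional:
            solutions.append(worker)
    return solutions

def render_spawn(state):
    """Format the instrumented call the way slide 38 writes it."""
    fmt = lambda s: "{ " + ", ".join(sorted(s)) + " }" if s else "{ }"
    lab, pos, neg, _ = state
    return f"spawn(Worker, c, lab: {fmt(lab)}, pos: {fmt(pos)}, neg: {fmt(neg)});"

if __name__ == "__main__":
    for s in solve_spawner(frozenset({"a"}), frozenset()):
        print(render_spawn(s))
```

With an unlabelled Requester (lab_requester = { }) the solver returns no assignment at all, which is the unsatisfiable case the slides use as debugging information: no Worker label can both match the Requester and be blocked from the Network.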
Page 39
Outline
• Challenge of instrumentation
• Instrumentation via constraints
• Case studies
Page 40
Case Studies

| Application | Fully Automatic | Instr. Time (s) |
|---|---|---|
| Apache | NO | 2.302 |
| FlumeWiki | YES | 0.183 |
| ClamAV | YES | 1.374 |
| OpenVPN | YES | 7.912 |
Page 41
Conclusion
[Diagram: a Program and a Security Policy are fed to the Instrumenter, which produces a Secure Program]
Page 42
Thanks for listening!
Page 43
Conclusion
[Diagram: a Program and a Security Policy are fed to the Instrumenter, which produces a Secure Program]
Page 44
Extra Slides
Page 45
Expressivity vs. Automation
[Plot: axes Expressive and Automatic; points for this work, Fine, Aura, Fable and HiStar]
Page 46
Page 47
Challenge for DIFC Programmers
• Semantic gap from policy to DIFC code
• Instrumenting legacy code
Page 48
Mandatory Access Control
[Diagram: processes P1 and P2, the Network N, and the OS policy ¬(P1 → N), P2 → N]
Page 49
Key Challenge
Instrument DIFC code that is:
1. Legal
2. Secure
3. Functional
[Diagram: Spawner; Worker with label { a } and negative capability -{ }; Proxy with label { } and capabilities +{ a }, -{ a }; Network with label { }; Requester]
Page 50
Case Studies

| Application | Fully Automatic | Instr. Time (s) |
|---|---|---|
| Apache | NO | 2.302 |
| FlumeWiki | YES | 0.183 |
| ClamAV | YES | 1.374 |
| OpenVPN | YES | 7.912 |