Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Securing Distributed Systems with Information Flow Control
CS6204 Privacy and SecurityVirginia Tech
-Nikhil KomawarOct 6, 2011
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
2Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
IntroductionInformation Flow ControlDesignImplementationInstance applicationsEvaluation
Outline
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
3Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
We try to design system which remain secure despite of the untrustworthy code.
Decentralized trust:- OS has have it entirely trusted kernel Not the same case for a Distributed System One solution: centralize trust mechanism (Not the most effective!)
Egalitarian Mechanism:- Specifically designed for applications Even unprivileged code can use DIFC
No inherent covert channels:- Avoid any covert channels in Dstar’s interface to meet different
security requirements.
Introduction
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
4Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
A typical web application.
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
5Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Labels: Ensure the communication between two processes Direction of communication
Processes S and R: Flows from S to R Flows even from R to S
On a distributed system, label LM for a message M
Information Flow Control
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
6Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
If information flows to higher label then we will not get anything out of the system
S can send message M to R if
.
Downgrading privileges
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
7Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
A process P’s downgrading are also represented as categories:
P owns a category
Set of categories in DStar message M
Categories
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
8Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Lattice structure
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
9Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Each process has third set of categories CP besides LP and OP
. Are called clearance: which gives a right to the process P to raise its own label say
Now
Clearance
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
10Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Example
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
11Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Run on each host: an exporter daemon which provides three requirements:- Track labels assigned to and categories owned by
each process on the machine A process cannot send messages with
inappropriate label Send and accept network message M when a
remote exporter can be trusted
DSTAR EXPORTER
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
12Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
We may have different host Oses Asbestos, HiStar, Flume.
We refer to their categories as OS categories and OS labels
Downgrading privilages:Corresponding category
Local OS DIFC
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
13Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Local checks, Trust and Addressing
Local Checks
Addressing
Decentralized Trust
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
14Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Exporter Interface
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
15Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Delegation service Local process to another exporter
Mapping service Mapping between DStar and local OS categories
Guarded invocation service Launches executables with specified arguments
and privilegesResource allocation service
Allocates space for data, CPU time for threads
Management Service
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
16Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Object types in HiStar Segments: 0 or more memory pages Containers: similar to directories Threads: execute code Gates: used for IPC and privilege transfer
HiStar
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
17Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
DStar and HiStar Mapping
Object is in a container
HiStar category c DStar category d
Binding segment
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
18Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
HiStar SSL web server
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
19Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Code complexity
Lines of C Code
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
20Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Web application on many HiStar machines
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
21Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Size of DStar structures
Compression of data using zlib
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
22Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Microbenchmarks measuring time to sign and verify certificates
Microbenchmarks
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
23Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Throughput and Latency
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
24Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Different configurations
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
25Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
DStar: Framework for securing distributed systems Uses security label mechanisms of DIFC Oses Exporter daemon on every machine Exporter ensures safe communication Trust relation left to the applications Self certifying categories – fully trusted machines not
needed Showed a DStar implementation of a three tired Web
Server Web server scales well
Summary
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Thank You!