information flow control for standard os abstractions max krohn, alex yip, micah brodsky, natan...
TRANSCRIPT
![Page 1: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/1.jpg)
Information Flow Control For Standard OS Abstractions
Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek,
Eddie Kohler, Robert Morris
![Page 2: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/2.jpg)
Vulnerabilities in Websites Exploits
• Web software is buggy• Attackers find and exploit these bugs• Data is stolen / Corrupted
– “USAJobs.gov hit by Monster.com attack, 146,000 people affected”
– “UN Website is Defaced via SQL Injection”– “Payroll Site Closes on Security Worries”– “Hacker Accesses Thousands of Personal Data Files at CSU Chico”– “FTC Investigates PETCO.com Security Hole”– “Major Breach of UCLA’s Computer Files”– “Restructured Text Include Directive Does Not Respect ACLs”
![Page 3: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/3.jpg)
Decentralized Information Flow Control (DIFC)
Layoff Plans
Free TShirts
Web AppWeb App
Declassifier
CEO
PGET /LayoffPlans
“I am the CEO.
My PW is 123”“OK”
Intern
![Page 4: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/4.jpg)
Decentralized Information Flow Control (DIFC)
Layoff Plans
Free TShirts
Web AppWeb App
Declassifier
CEO
Intern
/tmp File
Helper ProcessGET /L
ayoffPlans
GET ^@^$^$#
![Page 5: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/5.jpg)
Why is DIFC a cult?
![Page 6: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/6.jpg)
Who Needs to Understand DIFC?
Layoff Plans
Free TShirts
Web AppWeb App
Declassifier
CEO
Intern
/tmp File
Helper Process
![Page 7: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/7.jpg)
Why is Today’s DIFC DIFfiCult?
• Label systems are complex• Unexpected program behavior• Cannot reuse existing code– Drivers, SMP support, standard libraries
![Page 8: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/8.jpg)
Unexpected Program Behavior (Unreliable Communication)
Process qProcess p
“I stopped reading”“I crashed”
P“Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…”
![Page 9: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/9.jpg)
Unexpected Program Behavior (Mysterious Failures)
Process pProcess q File
![Page 10: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/10.jpg)
Solution/Outline
1. Flume: Solves DIFC Problems– User-level implementation of DIFC on Linux– Simple label system– Endpoints: Glue Between Unix API and Labels
2. Application + Evaluation– Real Web software secured by Flume
![Page 11: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/11.jpg)
Outline
1. Flume: Solves DIFC Problems– User-level implementation of DIFC on Linux– Simple label system– Endpoints: Glue Between Unix API and Labels
2. Application + Evaluation
![Page 12: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/12.jpg)
Flume Implementation
• Goal: User-level implementation– apt-get install flume
• Approach:– System Call Delegation [Ostia by Garfinkel et al,
2003]– Use Linux 2.6 (or OpenBSD 3.9)
![Page 13: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/13.jpg)
System Call Delegation
Web App
glibc
Linux Kernel
Layoff Plans
open(“/hr/LayoffPlans”, O_RDONLY);
![Page 14: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/14.jpg)
System Call Delegation
Web App
Flume Libc
Linux Kernel
Layoff Plans
open(“/hr/LayoffPlans”, O_RDONLY);
Flume Reference Monitor
Web App
![Page 15: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/15.jpg)
Three Classes of Processes
Flume Reference Monitor
Linux Kernel
Process p
Flume Reference Monitor
Linux Kernel
Process p
Flume Reference Monitor
Linux Kernel
Process p
Flume-Oblivious Unconfined/Mediators
Confined
![Page 16: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/16.jpg)
Outline
1. Flume: Solves DIFC Problems– User-level implementation of DIFC on Linux– Simple label system– Endpoints: Glue Between Unix API and Labels
2. Application + Evaluation
![Page 17: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/17.jpg)
Information Flow Control (IFC)
• Goal: track which secrets a process has seen• Mechanism: each process gets a secrecy label– Label summarizes which categories of data a
process is assumed to have seen. – Examples:• { “Financial Reports” }• { “HR Documents” }• { “Financial Reports” and “HR Documents” }
“tag”
“label”
![Page 18: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/18.jpg)
Tags + Labels
Process p tag_t HR = create_tag();
Sp = {}Dp = {}Dp = { HR }
Universe of Tags: Finance
Legal
SecretProjects
change_label({Finance});
Sp = { Finance }Sp = { Finance, HR }
HR
change_label({Finance,HR});
change_label({Finance});
change_label({});
DIFC: Declassification in action.
Same as Step 1.
Any process can add any tag to its label.DIFC Rule: A process can
create a new tag; gets ability to declassify it.
![Page 19: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/19.jpg)
Communication Rule
Process qProcess p
Sq = { HR, Finance }Sp = { HR }
Pp can send to q iff Sp Í Sq
![Page 20: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/20.jpg)
Outline
1. Flume: Solves DIFC Problems– User-level implementation of DIFC on Linux– Simple label system– Endpoints: Glue Between Unix API and Labels
2. Application + Evaluation
![Page 21: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/21.jpg)
Recall: Communication Problem
Process pstdinstdout
“Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…”
“SLOW DOWN!!”“I crashed”
P
Sq = { HR }
?
Sp = {}Dp = { HR }
Process q
![Page 22: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/22.jpg)
New Abstraction: Endpoints
f
Sf = { HR }Se = { HR }Process qProcess p
Sp = {}Dp = { HR }
e
• If Se Í Sf , then allow e to send to f• If Sf Í Se , then allow f to send to e• If Sf = Se , then allow bidirectional flow
Sq = { HR }
“Fire Alice, Bob, Charlie, Doug, Eddie, Frank, George, Hilda, Ilya…”
“SLOW DOWN!!”“I crashed”
PP
![Page 23: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/23.jpg)
Thus p needs HR Î Dp
Endpoints Declassify DataData enters
process p with secrecy { HR }
But p keeps its label Sp = {}Se = { HR }
Process p
Sp = {}Dp = { HR }
e
![Page 24: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/24.jpg)
Endpoint Invariant
• For any tag t Î Sp and t Ï Se
• Or any tag t Î Se and t Ï Sp
• It must be that t Î Dp
Process p e
Sp = { Finance } Se = { HR }
Dp = { Finance, HR}
Writing
Reading
![Page 25: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/25.jpg)
Endpoints Labels Are Independent
f
g
Sf = { HR }
Sg = {}
Se = { HR }Process qProcess p
Sq = { HR }Sp = {}Dp = { HR }
e
![Page 26: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/26.jpg)
Recall: Mysterious Failures
Process p FileProcess q
![Page 27: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/27.jpg)
Endpoints Reveal Errors Eagerly
Process p
Sp = {}
/tmp/public.dat
Spublic.dat = {}
open(“/tmp/public.dat”, O_WRONLY);change_label({HR})
eSe = {}
Process q
Sq = { HR }
Dp = {}
Sp = { HR } ? Violates endpoint invariant!Sp – Se = { HR } Í Dp
![Page 28: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/28.jpg)
Endpoints Reveal Errors Eagerly
Process p
Sp = {}
/tmp/public.dat
Spublic.dat = {}
fd = open(“/tmp/public.dat”, O_WRONLY);close(fd);change_label({HR})
eSe = {}
Process q
Sq = { HR }
Dp = {}
Sp = { HR }
![Page 29: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/29.jpg)
Outline
1. Flume: Solves DIFC Problems2. Application + Evaluation
![Page 30: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/30.jpg)
Questions for Evaluation
• Does Flume allow adoption of Unix software?• Does Flume solve security vulnerabilities?• Does Flume perform reasonably?
![Page 31: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/31.jpg)
Example App: MoinMoin Wiki
![Page 32: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/32.jpg)
How Problems Arise…
MoinMoinWiki
(100 kLOC)
FreeTShirts
LayoffPlans if not self.request.user.may.read(pagename): return self.notAllowedFault() x43
![Page 33: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/33.jpg)
MoinMoin + DIFC
Apache Web Server
MoinMoinWiki
(100 kLOC)
FreeTShirts
LayoffPlans
Declassifier1 kLOC
UntrustedTrusted
![Page 34: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/34.jpg)
FlumeWiki
Apache MoinMoin(100 kLOC)
FreeTShirts
LayoffPlans
Declassifier1 kLOC
Web Client
GET /LayoffPlans?user=Intern&PW=abcd
S={}
S={ HR }
reliable IPC
file I/O
Flume-Oblivious unconfined confined
![Page 35: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/35.jpg)
Future Work
Apache Totally Suspect
Software
FreeTShirts
LayoffPlans
Declassifier1 kLOC
Web Client
GET /LayoffPlans?user=Intern&PW=abcd
S={}
S={ HR }
![Page 36: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/36.jpg)
Results
• Does Flume allow adoption of Unix software?– 1,000 LOC launcher/declassifier– 1,000 out of 100,000 LOC in MoinMoin changed– Python interpreter, Apache, unchanged
• Does Flume solve security vulnerabilities?– Without our knowing, we inherited two ACL bypass bugs
from MoinMoin– Both are not exploitable in Flume’s MoinMoin
• Does Flume perform reasonably?– Performs within a factor of 2 of the original on read and
write benchmarks
![Page 37: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/37.jpg)
Most Related Work
• Asbestos, HiStar: New DIFC OSes• Jif: DIFC at the language level• Ostia, Plash: Implementation techniques• Classical MAC literature (Bell-LaPadula, Biba,
Orange Book MAC, Lattice Model, etc.)
![Page 38: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/38.jpg)
Limitations
• Bigger TCB than HiStar / Asbestos– Linux stack (Kernel + glibc + linker)– Reference monitor (~22 kLOC)
• Covert channels via disk quotas• Confined processes like MoinMoin don’t get
full POSIX API.– spawn() instead of fork() & exec()– flume_pipe() instead of pipe()
![Page 39: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/39.jpg)
Summary
• DIFC is a challenge to Programmers• Flume: DIFC in User-Level– Preserves legacy software– Complements today’s programming techniques
• MoinMoin Wiki: Flume works as promised• Invite you to play around:
http://flume.csail.mit.edu
![Page 40: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/40.jpg)
Thanks!
To: ITRI, Nokia, NSF and You
![Page 41: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/41.jpg)
Reasons to Read the Paper
• Generalized security properties– Including: Novel integrity policies
• Support for very large labels• Support for clusters of Flume Machines
![Page 42: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/42.jpg)
Flume’s Rule is Fast
• Recall: p can send to q iff: Sp – Dp Í Sq È Dq
• To Compute:– for each tag t Î Sp:
• If t Ï Sq and t Ï Dp and t Ï Dq:–output “NO”
– output “OK”
• Runs in time proportional to size of Sp.
• No need to enumerate Dp or Dq !!!
![Page 43: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/43.jpg)
Flume Communication Rule
1. q changes to Sq = { Alice }
2. p sends to q
3. q changes back to Sq= {}
MoinMoin (r)
MoinMoin (p)
Sr = { Bob }Sp = { Alice }
Database (q)
Sq = {}Dq = { Alice, Bob }
? ?
Sp Í Sq
Sq = { Alice }Dq = { Alice, Bob }
P
![Page 44: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/44.jpg)
Flume Communication Rule
MoinMoin (r)
MoinMoin (p)
Sr = { Bob }Sp = { Alice }
Database (q)
Sq = {}Dq= { Alice, Bob }
P PSenders get extra latitude
Receivers get extra latitude• p can send to q iff:– In IFC: Sp Í Sq
– In Flume: Sp – Dp Í Sq È Dq
![Page 45: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/45.jpg)
Flume Kernel Module
Flume Kernel Module
Flume Libc
Linux Kernel
Alice’s Data
open(“/alice/inbox.dat”, O_RDONLY);
Flume Reference Monitor
Web Appmov $0x5, %eaxint $0x80
open(…)
P
![Page 46: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/46.jpg)
Reference Monitor Proxies Pipes
Linux Kernel
write(0, “some data”, 10);
Flume Reference Monitor
Web App Helper Process
![Page 47: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/47.jpg)
Unconfined Processes
sendmailst
derr
TCP S
ocke
t
mmap’ed memory
ioctl
fork’ed
child
kill
sigcatch
getpwent
e ^
Se ^ = {}
/tmp/public.dat
Spublic.dat = {}
Sp = {}Dp = {}Process q
Sq = { HR }
DIFC
“Unconfined processes get e ^ endpoint.”
change_label({HR})
Dp = { HR } Sp = { HR }
PP
![Page 48: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/48.jpg)
Endpoints Reveal Errors Eagerly
Process p
Sp = {}
/tmp/public.dat
Spublic.dat = {}
open(“/tmp/public.dat”, O_WRONLY);change_label({HR})
eSe = {}
Process q
Sq = { HR }
Dp = {HR}
Sp = { HR }
P
P
![Page 49: Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris](https://reader037.vdocuments.us/reader037/viewer/2022110304/551b1a9555034607418b57a8/html5/thumbnails/49.jpg)
Why Do We Need Sp?
Process p e
Sp = { Finance } Se = { Finance, HR }
Dp = { HR }