untrusted hosts and confidentiality: secure program partitioning steve zdancewic lantian zheng...
TRANSCRIPT
Untrusted Hosts and Confidentiality:
Secure Program Partitioning
Steve ZdancewicLantian Zheng • Nathaniel Nystrom • Andrew
Myers
Cornell University
2
Protecting Confidential Data
• Programs manipulate valuable data– web-based e-mail, shopping, financial planning– B2B transactions, military information
systems,...
• Important Features– Confidentiality is crucial– Distribution is unavoidable– Heterogeneous trust
• Challenges– Complex policies– Complex software– Correct use of access control & cryptography
A
C
B
"Alice trusts A & C""Bob trusts B & C"
3
Tools for Security• Automatic tools
– Check the use of enforcement mechanisms– Increase confidence in security
• Language-based tools– Raise the level of abstraction– Consider information flow through entire
system (program)
• Use the security policy to guide distribution
4
Secure Program Partitioning
Source CodePolicy
Trustinfo
Compiler
Splitter
subprograms
Host 1 Host 2 Host 3runtime
5
Secure Program Partitioning
Source CodePolicy
Trustinfo
Compiler
Splitter
subprograms
Host 1 Host 2 Host 3runtime
Describes the computation
and the principals' security policies.
6
Secure Program Partitioning
Source CodePolicy
Trustinfo
Compiler
Splitter
subprograms
Host 1 Host 2 Host 3runtime
Verifies that the program
obeys the security policies.
7
Secure Program Partitioning
Source CodePolicy
Trustinfo
Compiler
Splitter
subprograms
Host 1 Host 2 Host 3runtime
Describes the trust
relationships between
principals and hosts.
8
Secure Program Partitioning
Source CodePolicy
Trustinfo
Compiler
Splitter
subprograms
Host 1 Host 2 Host 3runtime
Partitions the data and computation among hosts, so
thatpolicies are
obeyed.
9
Secure Program Partitioning
Source CodePolicy
Trustinfo
Compiler
Splitter
subprograms
Host 1 Host 2 Host 3runtime
Performs dynamic
access control checks and
encrypts communication
.
10
Security Assurance• Goal: Resulting distributed program
performs the same computation as the source and also satisfies the security policies.
• Guarantee: Principal P's security policy is violated only if a host that P trusts fails or is subverted.
• Example: A
C
B
"Alice trusts A & C""Bob trusts B & C"
If B fails, Alice's policy is obeyed, Bob's policy may be violated.
11
Secure Program Partitioning
Source CodePolicy
Trustinfo
Compiler
Splitter
subprograms
Host 1 Host 2 Host 3runtime
12
Confidentiality Policies in Jif
• Confidentiality labels: int{Alice} a; "a is Alice's private int"
• Integrity labels: int{?Alice} a; "Alice must trust a"
• Combined labels: int{Alice, ?Alice} a; (Both constraints)int{Alice} a1, a2;
int{Bob} b;
// Insecurea1 = b;b = a1;
// Securea1 = a2;
13
Policy Operations in Jif• Declassification:
int{Alice} a; declassify(a to Bob);
• Endorse: int{?Bob} b; endorse(b by Alice);
• But (!) Alice must trust the integrity of decision to perform the policy operation.– Compiler guarantees the integrity
"type-cast int{Alice} to int{Bob}"
14
Example: Oblivious Transfer
int m1;int m2;
Alice Bobrequest(n)
• Alice has two integers: m1 and m2. • Alice's Policy:"Bob gets to choose exactly one of m1 and m2."• Bob's Policy:"Alice doesn't get to know which item I request."• Classic Result: "Impossible to solve using 2 principals, with perfect security."
answer(mn)
15
Oblivious Transfer (Java)
int m1, m2; // Alice's databoolean accessed;int n, ans; // Bob's data
n = choose(); // Bob's choice
if (!accessed) { // Transfer accessed = true; if (n == 1) ans = m1; else ans = m2;}
16
int{Alice} m1, m2; // Alice's databoolean accessed;int{Bob} n, ans; // Bob's data
n = choose(); // Bob's choice
if (!accessed) { // Transfer accessed = true; if (n == 1) ans = m1; else ans = m2;}
Adding Confidentiality Labels
Verification Fails
17
int{Alice} m1, m2; // Alice's databoolean accessed;int{Bob} n, ans; // Bob's data
n = choose(); // Bob's choice
if (!accessed) { // Transfer accessed = true; if (n == 1) ans = declassify(m1 to Bob); else ans = declassify(m2 to Bob);}
Using Declassification
Verification Fails
18
Integrity Constraintsint{Alice} m1, m2; // Alice's databoolean{?Alice} accessed;int{Bob} n, ans; // Bob's data
n = choose(); // Bob's choice
if (!accessed) { // Transfer accessed = true; if (n == 1) ans = declassify(m1 to Bob); else ans = declassify(m2 to Bob);}
Verification Fails
19
Using Endorsementint{Alice} m1, m2; // Alice's databoolean{?Alice} accessed;int{Bob} n, ans; // Bob's data
n = choose(); // Bob's choice
if (!accessed) { // Transfer accessed = true; if (endorse(n by Alice) == 1) ans = declassify(m1 to Bob); else ans = declassify(m2 to Bob);}
20
Secure Program Partitioning
Source CodePolicy
Trustinfo
Compiler
Splitter
subprograms
Host 1 Host 2 Host 3runtime
21
Trust Configurations• Labels describe the trust relationship
between principals and the available hosts.
• Confidentiality: Host A:{Alice}"Alice trusts host A not to leak her confidential data."
• Integrity: Host A:{?Alice}"Alice trusts host A not to corrupt her high-integrity data."
int{Alice} m1; m1 can be sent to Aint{Bob} n; n cannot be sent to A
23
Splitter output: No Solution!
A B
{Alice, ?Alice} {Bob, ?Bob}
Can't find a host for the expression:
endorse(n by Alice)
It requires a host that has Alice's integrity yet can hold Bob's private data.
24
Splitter Output
A B
{Alice, ?Alice} {Bob, ?Bob}{Alice, ?Alice, Bob}
T
n = choose(); if (!accessed) { ...}
int m1, m2;bool accessed; int n, ans;
int choose() { ... return n;}
25
Splitter Output is Java
A B
{Alice, ?Alice} {Bob, ?Bob}{Alice, ?Alice, Bob}
T
n = choose(); if (!accessed) { ...}
int m1, m2;bool accessed; int n, ans;
int choose() { ... return n;}
Data and all of the code
except 'choose()' are located at T.
26
Run-time Calls
A B
{Alice, ?Alice} {Bob, ?Bob}{Alice, ?Alice, Bob}
T
n = choose(); if (!accessed) { ...}
int m1, m2;bool accessed; int n, ans;
int choose() { ... return n;}
Resulting code links against the
runtime.
27
Security Assurance
A B
{Alice, ?Alice} {Bob, ?Bob}{Alice, ?Alice, Bob}
T
n = choose(); if (!accessed) { ...}
int m1, m2;bool accessed; int n, ans;
int choose() { ... return n;} Alice's policy is
enforced.
28
Network Overhead
A B
{Alice, ?Alice} {Bob, ?Bob}{Alice, ?Alice, Bob}
T
n = choose(); if (!accessed) { ...}
int m1, m2;bool accessed; int n, ans;
int choose() { ... return n;}
Nothing located at host
A!
29
Another Secure Solution
A B
{Alice, ?Alice} {Bob, ?Bob}{Alice, ?Alice, Bob}
T
goto(B);
int n'= get(n,B);if (n' == 1) set(ans, m1);else ...
int m1, m2;
int choose() { ... return n;}
bool accessed;
int n, ans;
n = choose();goto(T);
goto(A);
if (!accessed){ accessed=true; goto(T);}
30
Secure Program Partitioning
Source CodePolicy
Trustinfo
Compiler
Splitter
subprograms
Host 1 Host 2 Host 3runtime
31
• Data TransferVal getField(Host h, ObjID o, Field f)Val setField(Host h, ObjID o, Field f, Val v)void forward(Host h, Frame f, Var vr, Val v)
• Control Transfervoid rgoto(Host h, Frame f, EntryPt e, Token t)void lgoto(Token t)void sync(Host h, Frame f, EntryPt e, Token t)
• Implementation– Performs access control checks– Encrypts network communication– Capability mechanism protects control transfers
Core Runtime Protocol
32
Control Transfer Integrity
{?Alice}(Trusted) (Less Trusted)
{?Alice}(Trusted)
... goto(B); ...
declassify(X)
... goto(A);
...declassify(Y)
Alice's privileged
code
33
Control Transfer Integrity
{?Alice}(Trusted)
{?Alice}(Trusted)
... goto(B); ...
declassify(X)
... goto(A);
...declassify(Y)
(Less Trusted)
34
Control Transfer Integrity
{?Alice}(Trusted)
{?Alice}(Trusted)
... goto(B); ...
declassify(X)
... goto(A);
...declassify(Y)
1. sync
2. rgoto
3. lgoto
T
T
T
T
(Less Trusted)
35
Control Transfer Integrity
{?Alice}(Trusted)
{?Alice}(Trusted)
... goto(B); ...
declassify(X)
... goto(A);
...declassify(Y)
TT
(Less Trusted)
T
T
36
Capabilities Protocol
• Theorem: When trusted hosts follow the
protocol, there is at most one valid capability available to less trusted hosts.
Means that less trusted hosts have no choice about how privileges are restored to the computation.
37
Prototype: Jif/split• Jif/split: 7400 loc Runtime: 1700 loc• 4 small benchmarks:
– < 300 lines of code each– 2 hand implemented in Java using RMI
• Experimental results: (LAN setting)– Running time overhead vs. hand
implemented: 20% to 120%– Message count overhead vs. hand
implemented:-25% to 25%
– Costs seem reasonable– Need to try bigger programs
38
60
Source Code Policy
Trustinfo
Compiler
Splitter
subprograms
Host 1 Host 2 Host 3runtime
Secure Program Partitioning
• Language-based Confidentiality Policies– Compiler splits a program among
heterogeneously trusted hosts.– Guided by security policies– Resulting distributed program satisfies the
policies
• Benefits:– End-to-end security– Decentralized– Automatic– Explicit Policies
40
Oblivious Transfer Impossibility
"It is well known (and easy to see) that in a two-player scenario with noiseless communication,OT [Oblivious Transfer] ... with information-theoretic security is not possible, even if only passive cheating is assumed, and players are allowed infinite computing power."
– Damgård, Kilian, SlavailOn the (Im)possibility of Basing Oblivious Transfer and Bit Commitment on Weakened Security Assumptions, EUROCRYPTO '99
41
Access Control Checks
• Static constraints for read/write are compiled into access control checks
• Host A checks that {Alice} {Alice,?Alice,Bob}– verifies signature of S– checks that S {A, S}– if so, replies with m1
• setField requires integrity checks
t1 = getField(Alice, m1);
{Alice, ?Alice, Bob}
S
{Alice, ?Alice}
A
int{Alice, ?Alice} m1;get(m1)K(S)
42
Partitioning Jif Programs
• Solve a constraint system to determine possible hosts
• Use dynamic programming & heuristics to find an efficient solution
• Rewrite program, inserting calls to runtime system– data forwarding and control transfers
• Outputs: A collection of Java code fragments with host assignments