DIFC Programs by Automatic Instrumentation. William Harris, Somesh Jha, and Thomas Reps.

Post on 04-Jan-2016


1

DIFC Programs by Automatic Instrumentation

William Harris, Somesh Jha, and Thomas Reps

2

Decentralized Information Flow Control Operating System (DIFC OS)

Allows programs to control flow of their data throughout the entire system.

3

[Figure: Spawner, Worker, Requester and Network processes; the program defines the OS Policy and the OS enforces it.]

4

void Program() {
  ...
}

void Program() {
  label l = …;
  …
  add_tag(l);
}

Failing Program   Failing Policy

5

[Figure: Program and Security Policy feed the Instrumenter, which produces a Secure Program.]

Our Approach

6

Contributions

• From high-level policies to DIFC code

• Efficiently generate DIFC code

• Provide useful debugging information

7

[Figure: Spawner, Worker, Requester and Network.]

Policy: ¬(Worker → Network), Requester ↔ Worker, Requester → Spawner

8

Outline

• Challenge of instrumentation

• Instrumentation via constraints

• Case studies

9

The Challenge of Instrumentation

• DIFC mechanics

• Instrumenting a server

10

DIFC Mechanics

[Figure: P1 has label { a }; P2 and P3 have label { }; OS: { a }.]

11

raise a label = read more

12

Raising a Label to Read

[Figure: P2 raises its label from { } to { a } (+{ a }) so it can read from P1, whose label is { a }.]

add_tag(a);

13

lower label = declassify

14

Lowering a Label to Declassify

[Figure: P2 raises its label to { a } (+{ a }) to read from P1 (label { a }), then lowers it back to { } (-{ a }) to send to the Network (label { }).]

remove_tag(a);

15

The Challenge of Instrumentation

• DIFC mechanics

• Instrumenting a server

16

[Figure: instrumented server. Worker: label { a }, negative capability -{ }. Proxy: capabilities +{ a } and -{ a }, label { }. Network: label { }. Spawner and Requester also shown.]

Policy: ¬(Worker → Network), Requester ↔ Worker

Instrument DIFC code that is:
1. Legal
2. Secure
3. Functional

Challenge of Instrumentation

18

Outline

• Challenge of instrumentation

• Instrumentation via constraints

• Case studies

19

Key Insight

From DIFC code, a DIFC system dynamically compares labels to decide flows.

20

Key Insight

From a program and policy, an instrumenter statically constrains labels to instrument DIFC code.

21

Key Payoffs of Constraints

• Naturally express semantics, policies

• Efficiently generate DIFC code

• Provide useful debugging information

22

Instrumentation via Constraints

• Generating constraints

• Solving constraints

23

Generating Constraints

1. Legal

2. Secure

3. Functional

24

[Figure: Spawner, Worker, Network, Requester.]

void Spawner() {
1: Conn c = requestConn();
2: spawn(Worker, c);
}

Label variables at point 1: Lab1, Pos1, Neg1, Create1
Label variables at point 2: Lab2, Pos2, Neg2, Create2

25

Legal Rule #1: A process’s label only increases by tags in its positive capability.

1: Conn c = requestConn();
2: spawn(Worker, c);

Lab2 ⊆ Lab1 ∪ Pos1

26

Legal Rule #2: A process’s label only decreases by tags in its negative capability.

1: Conn c = requestConn();
2: spawn(Worker, c);

Lab2 ⊇ Lab1 − Neg1

27

Legal Rule #3: A process’s capabilities only increase to hold tags that the process creates.

1: Conn c = requestConn();
2: spawn(Worker, c);

Pos2 ⊆ Pos1 ∪ Create1
Neg2 ⊆ Neg1 ∪ Create1
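As an added example (not code from the slides or the authors' instrumenter), the three legality rules, the "no flow" security constraint and the two-way functional constraint as executable set checks over a constructed instance of the deck's server. The instance assumes, which the slides do not state, that after create_tag(a) the Spawner holds the positive capability for a.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class State:
    """Label state of one process at one program point (tags are strings)."""
    lab: frozenset = frozenset()     # current label
    pos: frozenset = frozenset()     # positive capability: tags it may add
    neg: frozenset = frozenset()     # negative capability: tags it may remove
    create: frozenset = frozenset()  # tags this process created

def legal_violations(s1: State, s2: State) -> list:
    """Return which of Legal Rules #1-#3 the step from s1 to s2 breaks."""
    broken = []
    if not s2.lab <= s1.lab | s1.pos:           # #1: Lab2 ⊆ Lab1 ∪ Pos1
        broken.append(1)
    if not s2.lab >= s1.lab - s1.neg:           # #2: Lab2 ⊇ Lab1 − Neg1
        broken.append(2)
    if not (s2.pos <= s1.pos | s1.create and    # #3: Pos2 ⊆ Pos1 ∪ Create1
            s2.neg <= s1.neg | s1.create):      #     Neg2 ⊆ Neg1 ∪ Create1
        broken.append(3)
    return broken

def can_flow(src: State, dst: State) -> bool:
    """src may send to dst, declassifying if it can: LabSrc − NegSrc ⊆ LabDst."""
    return (src.lab - src.neg) <= dst.lab

def two_way(a: State, b: State) -> bool:
    """Functional constraint for a ↔ b: LabA ⊆ LabB and LabB ⊆ LabA."""
    return a.lab <= b.lab and b.lab <= a.lab

# Constructed instance modelled on the deck's server. Assumption (not stated
# on the slides): after create_tag(a) the Spawner holds the + capability for a.
A = frozenset({"a"})
spawner = State(pos=A, create=A)
worker = State(lab=A, pos=A)        # spawn(Worker, c, lab: { a }, pos: { a }, neg: { })
proxy = State(lab=A, neg=A)         # holds -{ a }, so it may declassify
requester = State(lab=A)
network = State()                   # label { }

def check_server() -> dict:
    return {
        "spawn_legal": legal_violations(spawner, worker) == [],
        "worker_to_network": can_flow(worker, network),   # policy wants False
        "proxy_to_network": can_flow(proxy, network),     # True: proxy declassifies
        "worker_requester": two_way(worker, requester),   # Requester ↔ Worker holds
        # remove_tag(a) in a Worker without -{ a } breaks Rule #2
        "bad_declassify": legal_violations(worker, State(lab=frozenset(), pos=A)),
    }
if __name__ == "__main__":
    print(check_server())
```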

28

Generating Constraints

1. Legal

2. Secure

3. Functional

29

[Figure: Spawner, Worker, Network, Requester.]

Policy: ¬(Worker → Network)

Constraint: ¬(LabW − NegW ⊆ LabN)

30

Generating Constraints

1. Legal

2. Secure

3. Functional

31

[Figure: Spawner, Worker, Network, Requester.]

Policy: Requester ↔ Worker

Constraints: LabW ⊆ LabR, LabR ⊆ LabW

32

Instrumentation via Constraints

• Generating constraints

• Solving constraints

33

Solving Constraints

• NP-complete in general

• Amenable to SMT solvers in practice

34

[Figure: Spawner, Worker, Network, Requester.]

Policy: Worker ↔ Requester, Requester → Spawner, ¬(Worker → Network)

Legal: Lab2 ⊆ Lab1 ∪ Pos1, …
Secure: ¬(LabW − NegW ⊆ LabN)
Functional: LabW ⊆ LabR, LabR ⊆ LabW, LabW ⊆ LabS, LabS ⊆ LabW

35

[Figure: Spawner, Worker, Network, Requester.]

Policy: Worker ↔ Requester, Requester → Spawner, ¬(Worker → Network)

36

[Figure: Worker, Proxy, Network, Requester.]

Policy: Worker ↔ Requester, Worker ↔ Proxy, Requester ↔ Proxy, ¬(Worker → Network)

37

[Figure: Worker: label { a }, negative capability -{ }. Proxy: capabilities +{ a } and -{ a }, label { }. Network: label { }. Spawner and Requester also shown.]

Policy: ¬(Worker → Network), Worker ↔ Proxy, Requester ↔ Proxy, Requester → Spawner

38

void Spawner() {
   tag a = create_tag();
1: Conn c = requestConn();
2: spawn(Worker, c);
}

Solution:
Lab1 = { }, Pos1 = { }, Neg1 = { }, Create1 = { a }
Lab2 = { a }, Pos2 = { a }, Neg2 = { }, Create2 = { }

Instrumented call:
2: spawn(Worker, c, lab: { a }, pos: { a }, neg: { });

39

Outline

• Challenge of instrumentation

• Instrumentation via constraints

• Case studies

40

Case Studies

Application   Fully Automatic   Instr. Time (s)
Apache        NO                2.302
FlumeWiki     YES               0.183
ClamAV        YES               1.374
OpenVPN       YES               7.912

41

[Figure: Program and Security Policy feed the Instrumenter, which produces a Secure Program.]

Conclusion

42

Thanks for listening!


44

Extra Slides

45

Expressivity vs. Automation

[Figure: plot with axes Expressive and Automatic; this work is placed against Fine, Aura, Fable and HiStar.]

46

47

Challenge for DIFC Programmers

• Semantic gap from policy to DIFC code

• Instrumenting legacy code

48

Mandatory Access Control

[Figure: processes P1 and P2 and the Network; the OS Policy states which of the flows P1 → N and P2 → N are allowed.]

49

Instrument DIFC code that is
1. Legal
2. Secure
3. Functional

[Figure: Worker: label { a }, negative capability -{ }. Proxy: capabilities +{ a } and -{ a }, label { }. Network: label { }. Spawner and Requester also shown.]

Key Challenge

50

Application   Fully Automatic   Instr. Time (s)
Apache        NO                2.302
FlumeWiki     YES               0.183
ClamAV        YES               1.374
OpenVPN       YES               7.912

Case Studies