DIFC Programs by Automatic Instrumentation. William Harris, Somesh Jha, and Thomas Reps.
TRANSCRIPT
1
DIFC Programs by Automatic Instrumentation
William Harris, Somesh Jha, and Thomas Reps
2
Decentralized Information Flow Control Operating System (DIFC OS)
Allows programs to control the flow of their data throughout the entire system.
3
[Diagram: processes Spawner, Worker, Requester and Network. An OS policy is defined over these processes and enforced by the OS.]
4
Program as written:
void Program() { ... }
Program with hand-inserted DIFC code:
void Program() { label l = …; … add_tag(l); }
Risks of hand instrumentation: failing program, failing policy.
Our Approach
Program + Security Policy → Instrumenter → Secure Program
6
Contributions
• From high-level policies to DIFC code
• Efficiently generate DIFC code
• Provide useful debugging information
7
[Diagram: Spawner, Worker, Requester, Network]
Policy: ¬(Worker → Network), Requester ↔ Worker, Requester → Spawner
8
Outline
• Challenge of instrumentation
• Instrumentation via constraints
• Case studies
9
The Challenge of Instrumentation
• DIFC mechanics
• Instrumenting a server
10
DIFC Mechanics
P1
{ a }
P2P3
{ }
OS
{ a }
11
raise a label = read more
12
Raising a Label to Read
[Diagram: P1 has Lab { a }. P2 holds the capability +{ a } and raises its label from { } to { a } by calling add_tag(a), after which it can read from P1.]
13
lower label = declassify
14
Lowering a Label to Declassify
[Diagram: P1 has Lab { a } and holds the capabilities +{ a } and -{ a }; it lowers its label from { a } to { } by calling remove_tag(a), which declassifies its data so that it can send to the Network (Lab { }). P2 has Lab { a }.]
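The raise/lower mechanics of the last few slides, as an added example that is not code from the slides or from any DIFC OS: a small Flume-style model in which a process holds a label and two capability sets, add_tag and remove_tag are gated on those capabilities, and the OS-side flow check is a subset test. The class and function names (Process, can_send, create_tag, scenario), the PermissionError convention and the capability grants in scenario() are constructed assumptions.

```python
"""Flume-style DIFC label mechanics: raise to read, lower to declassify.

Added example, not code from the slides or from any DIFC OS.  Constructed
assumptions: tags are plain strings; a process holds a label Lab, a positive
capability Pos (tags it may add) and a negative capability Neg (tags it may
remove); the OS lets p send to q only if Lab_p is a subset of Lab_q; a
capability violation raises PermissionError.
"""


class Process:
    def __init__(self, name, lab=(), pos=(), neg=()):
        self.name = name
        self.lab = set(lab)   # tags on the data this process has seen
        self.pos = set(pos)   # tags it may raise into its label (t+)
        self.neg = set(neg)   # tags it may drop from its label (t-)

    def add_tag(self, tag):
        """Raise the label: read more, at the cost of being unable to send to
        anyone who does not carry the tag.  Needs the tag+ capability."""
        if tag not in self.pos:
            raise PermissionError(f"{self.name} lacks {tag}+")
        self.lab.add(tag)

    def remove_tag(self, tag):
        """Lower the label: declassify.  Needs the tag- capability, which is
        what makes the holder a trusted declassifier for that tag."""
        if tag not in self.neg:
            raise PermissionError(f"{self.name} lacks {tag}-")
        self.lab.discard(tag)


def can_send(src, dst):
    """The OS-side check made on every flow: no tag may be lost in transit."""
    return src.lab <= dst.lab


def create_tag(owner, tag):
    """Creating a tag hands its creator both capabilities (assumption modelled
    on Flume); the creator decides who else gets them."""
    owner.pos.add(tag)
    owner.neg.add(tag)


def scenario():
    """Replays the raise/lower sequence from the slides and returns what the
    OS allowed at each step (constructed processes P1, P2, P3, Network)."""
    p1 = Process("P1", lab={"a"})             # holds data tagged a
    p2 = Process("P2")
    net = Process("Network")                  # external, never labelled
    create_tag(p1, "a")
    p2.pos.add("a")                           # P1 grants P2 a+ ...
    p2.neg.add("a")                           # ... and a- (P2 is trusted)
    trace = {}
    trace["P1->P2 before raise"] = can_send(p1, p2)      # {a} not within {}
    p2.add_tag("a")                                       # raise to read
    trace["P1->P2 after raise"] = can_send(p1, p2)
    trace["P2->Network while tainted"] = can_send(p2, net)
    p2.remove_tag("a")                                    # lower to declassify
    trace["P2->Network after declassify"] = can_send(p2, net)

    p3 = Process("P3", pos={"a"})             # may read a-data, may not declassify
    p3.add_tag("a")
    try:
        p3.remove_tag("a")
        trace["P3 can declassify"] = True
    except PermissionError:
        trace["P3 can declassify"] = False
    trace["P3->Network"] = can_send(p3, net)  # stays tainted, so denied
    return trace


if __name__ == "__main__":
    for step, allowed in scenario().items():
        print(f"{step}: {'allowed' if allowed else 'denied'}")
```

The point of P3 is the asymmetry the slides rely on: a+ alone lets a process read tagged data and thereby become unable to talk to the Network; only a- lets it declassify, so the set of a- holders is exactly the set of processes that must be trusted with tag a.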
15
The Challenge of Instrumentation
• DIFC mechanics
• Instrumenting a server
16
Challenge of Instrumentation
[Diagram: Spawner; Worker (Lab { a }, -{ }); Proxy (+{ a }, -{ a }, Lab { }); Requester (Lab { }); Network (Lab { })]
Policy: ¬(Worker → Network), Requester ↔ Worker
Instrument DIFC code that is:
1. Legal
2. Secure
3. Functional
18
Outline
• Challenge of instrumentation
• Instrumentation via constraints
• Case studies
19
Key Insight
From DIFC code, a DIFC system dynamically compares labels to decide flows.
20
Key Insight
From a program and policy, an instrumenter statically constrains labels to instrument DIFC code.
21
Key Payoffs of Constraints
• Naturally express semantics, policies
• Efficiently generate DIFC code
• Provide useful debugging information
22
Instrumentation via Constraints
• Generating constraints
• Solving constraints
23
Generating Constraints
1. Legal
2. Secure
3. Functional
24
[Diagram: Spawner, Worker, Requester, Network]
void Spawner() {
1: Conn c = requestConn();
2: spawn(Worker, c);
}
Label variables at point 1: Lab1, Pos1, Neg1, Create1
Label variables at point 2: Lab2, Pos2, Neg2, Create2
25
Legal Rule #1: A process's label only increases by tags in its positive capability.
1: Conn c = requestConn();
2: spawn(Worker, c);
Lab2 ⊆ Lab1 ∪ Pos1
26
Legal Rule #2: A process's label only decreases by tags in its negative capability.
1: Conn c = requestConn();
2: spawn(Worker, c);
Lab2 ⊇ Lab1 − Neg1
27
Legal Rule #3: A process's capabilities only increase to hold tags that the process creates.
1: Conn c = requestConn();
2: spawn(Worker, c);
Pos2 ⊆ Pos1 ∪ Create1
Neg2 ⊆ Neg1 ∪ Create1
28
Generating Constraints
1. Legal
2. Secure
3. Functional
29
Policy: ¬(Worker → Network)
Security constraint: ¬(LabW − NegW ⊆ LabN)
[Diagram: Spawner, Worker, Requester, Network]
30
Generating Constraints
1. Legal
2. Secure
3. Functional
31
Policy: Requester ↔ Worker
Functionality constraints: LabW ⊆ LabR, LabR ⊆ LabW
[Diagram: Spawner, Worker, Requester, Network]
32
Instrumentation via Constraints
• Generating constraints
• Solving constraints
33
Solving Constraints
• NP-complete in general
• Amenable to SMT solvers in practice
34
Policy: ¬(Worker → Network), Worker ↔ Requester, Requester → Spawner
[Diagram: Spawner, Worker, Requester, Network]
Constraints collected:
Lab2 ⊆ Lab1 ∪ Pos1 …
¬(LabW − NegW ⊆ LabN)
LabW ⊆ LabR, LabR ⊆ LabW, LabW ⊆ LabS
LabS ⊆ LabW
35
Policy: ¬(Worker → Network), Worker ↔ Requester, Requester → Spawner
[Diagram: Spawner, Worker, Requester, Network]
36
Policy: ¬(Worker → Network), Worker ↔ Requester, Worker ↔ Proxy, Requester ↔ Proxy
[Diagram: Worker, Proxy, Requester, Network]
37
[Diagram: Spawner; Worker (Lab { a }, -{ }); Proxy (+{ a }, -{ a }, Lab { }); Requester (Lab { }); Network]
Policy: ¬(Worker → Network), Worker ↔ Proxy, Requester ↔ Proxy, Requester → Spawner
38
void Spawner() {
   tag a = create_tag();
1: Conn c = requestConn();
2: spawn(Worker, c);
}
Solution at point 1: Lab1 = { }, Pos1 = { }, Neg1 = { }, Create1 = { a }
Solution at point 2: Lab2 = { a }, Pos2 = { a }, Neg2 = { }, Create2 = { }
Instrumented call at point 2:
2: spawn(Worker, c, lab: { a }, pos: { a }, neg: { });
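The generate-then-solve pipeline of the preceding slides, as an added example that is not the authors' instrumenter: each program point gets set-valued variables Lab, Pos, Neg and Create over a tag universe, the three legality rules, the security rule and the functionality rule become set constraints, and a backtracking search over the (tiny) domain stands in for the SMT solver. The class and function names (Instrumenter, can_flow, build, spawn_call), the single-tag universe, the choice to pin Network and Requester to the empty label, the two-point model of the Proxy, and the use of the declassification-aware flow check (LabW − NegW ⊆ LabR) for functionality as well as security are constructed assumptions; the slides write the functionality condition without the NegW term.

```python
"""Constraint-based DIFC instrumentation in miniature.

Added example, not the authors' tool.  Constructed assumptions: the tag
universe is the single tag "a"; Network and Requester are external and pinned
to the empty label with no capabilities; the Spawner creates "a"; flows are
checked Flume-style as (Lab_src - Neg_src) <= Lab_dst; a tag created at a
point may be raised into the label of the point it spawns.
"""
from itertools import combinations

TAGS = ("a",)
EMPTY = frozenset()
# every subset of the universe, smallest first
DOMAIN = [frozenset(c) for r in range(len(TAGS) + 1) for c in combinations(TAGS, r)]


def can_flow(lab_src, neg_src, lab_dst):
    """Can src send to dst after declassifying as much as it is allowed to?"""
    return (lab_src - neg_src) <= lab_dst


class Instrumenter:
    def __init__(self):
        self.fixed = {}         # variable -> value chosen by program/environment
        self.free = []          # variables the solver must choose
        self.constraints = []   # (variable names, predicate over their values)

    def point(self, name, lab=None, pos=None, neg=None, create=EMPTY):
        """Declare a program point; None leaves that set to the solver."""
        for kind, val in (("Lab", lab), ("Pos", pos), ("Neg", neg), ("Create", create)):
            var = f"{kind}_{name}"
            if val is None:
                self.free.append(var)
            else:
                self.fixed[var] = frozenset(val)

    def add(self, variables, pred):
        self.constraints.append((tuple(variables), pred))

    def legal(self, p, c):
        """Point c is reached from point p (a spawn, or a later point of the
        same process): labels move only through p's capabilities."""
        self.add([f"Lab_{c}", f"Lab_{p}", f"Pos_{p}", f"Create_{p}"],
                 lambda lc, lp, pp, cp: lc <= lp | pp | cp)     # rule 1
        self.add([f"Lab_{c}", f"Lab_{p}", f"Neg_{p}"],
                 lambda lc, lp, ng: lc >= lp - ng)              # rule 2
        for cap in ("Pos", "Neg"):                              # rule 3
            self.add([f"{cap}_{c}", f"{cap}_{p}", f"Create_{p}"],
                     lambda cc, cp, cr: cc <= cp | cr)

    def forbid(self, src, dst):
        """Policy ¬(src → dst): the flow must be impossible at run time."""
        self.add([f"Lab_{src}", f"Neg_{src}", f"Lab_{dst}"],
                 lambda ls, ns, ld: not can_flow(ls, ns, ld))

    def require(self, src, dst):
        """Policy src → dst: the flow must stay possible (functionality)."""
        self.add([f"Lab_{src}", f"Neg_{src}", f"Lab_{dst}"], can_flow)

    def solve(self):
        """Depth-first search over the free variables; None means UNSAT."""
        env = dict(self.fixed)

        def consistent():   # check every constraint whose variables are assigned
            for names, pred in self.constraints:
                if all(n in env for n in names) and not pred(*(env[n] for n in names)):
                    return False
            return True

        def search(i):
            if i == len(self.free):
                return dict(env)
            var = self.free[i]
            for val in DOMAIN:
                env[var] = val
                if consistent():
                    found = search(i + 1)
                    if found is not None:
                        return found
                del env[var]
            return None

        return search(0) if consistent() else None


def build(with_proxy):
    """The Spawner/Worker/Requester/Network server, with or without a Proxy."""
    ins = Instrumenter()
    ins.point("S", lab=EMPTY, pos=EMPTY, neg=EMPTY, create={"a"})  # Spawner after create_tag
    ins.point("N", lab=EMPTY, pos=EMPTY, neg=EMPTY)                 # Network (external)
    ins.point("R", lab=EMPTY, pos=EMPTY, neg=EMPTY)                 # Requester (external)
    ins.point("W")                                                  # Worker: solver chooses
    ins.legal("S", "W")                                             # spawn(Worker, c)
    ins.forbid("W", "N")                                            # ¬(Worker → Network)
    ins.require("R", "S")                                           # Requester → Spawner
    if with_proxy:
        ins.point("Pin")                    # Proxy while talking to the Worker
        ins.point("Pout")                   # Proxy while talking to the Requester
        ins.legal("S", "Pin")               # Spawner also spawns the Proxy
        ins.legal("Pin", "Pout")            # Proxy changes its own label in between
        for a, b in (("W", "Pin"), ("Pin", "W"), ("Pout", "R"), ("R", "Pout")):
            ins.require(a, b)               # Worker ↔ Proxy, Requester ↔ Proxy
    else:
        ins.require("W", "R")               # Requester ↔ Worker
        ins.require("R", "W")
    return ins


def spawn_call(sol, proc, conn="c"):
    """Render a solved point as the instrumented spawn call."""
    def fmt(s):
        return "{" + ", ".join(sorted(s)) + "}"
    return (f"spawn({proc}, {conn}, lab: {fmt(sol[f'Lab_{proc}'])}, "
            f"pos: {fmt(sol[f'Pos_{proc}'])}, neg: {fmt(sol[f'Neg_{proc}'])})")


if __name__ == "__main__":
    for with_proxy in (False, True):
        sol = build(with_proxy).solve()
        print("proxy" if with_proxy else "no proxy", "->",
              "UNSAT" if sol is None else spawn_call(sol, "W"))
```

Without the Proxy the system is unsatisfiable: Requester ↔ Worker forces the Worker's declassified label below the Requester's empty label, which is exactly what ¬(Worker → Network) forbids. With the Proxy every solution puts a into the Worker's label but not its negative capability, and puts a- on the Proxy, which is the same split of trust the slide diagram shows; the SMT solver in the real tool does this over far larger tag sets and program-point counts than a backtracking search could.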
39
Outline
• Challenge of instrumentation
• Instrumentation via constraints
• Case studies
40
Case Studies
Application  Fully automatic?  Instr. time (s)
Apache       NO                2.302
FlumeWiki    YES               0.183
ClamAV       YES               1.374
OpenVPN      YES               7.912
41
Conclusion
Program + Security Policy → Instrumenter → Secure Program
42
Thanks for listening!
44
Extra Slides
45
Expressivity vs. Automation
[Chart: axes Expressive and Automatic; this work plotted against Fine, Aura, Fable and HiStar]
47
Challenge for DIFC Programmers
• Semantic gap from policy to DIFC code
• Instrumenting legacy code
48
Mandatory Access Control
[Diagram: P1, P2 and the Network, with an OS policy: ¬ P1 → N, P2 → N]