abstractions for usable information flow control in aeolus
play

Abstractions for Usable Information Flow Control in Aeolus Winnie - PowerPoint PPT Presentation

Apr 20, 2023 •494 likes •883 views

Abstractions for Usable Information Flow Control in Aeolus Winnie Cheng Dan R. K. Ports David Schultz Victoria Popic Aaron Blankstein James Cowling Dorothy Curtis Liuba Shrira Barbara Liskov MIT CSAIL Motivation Con fi dential

  1. Abstractions for Usable Information Flow Control in Aeolus Winnie Cheng Dan R. K. Ports David Schultz Victoria Popic Aaron Blankstein James Cowling Dorothy Curtis Liuba Shrira Barbara Liskov MIT CSAIL

  2. Motivation Con fi dential information ( e.g. , fi nancial data, medical records) is increasingly stored online Keeping this information secure is a high priority However, building secure software remains as di ffi cult as ever.

  3. Financial Management Service Example Inspired by Mint.com • users provide service with online banking credentials (username and password) • system periodically downloads & aggregates transaction info from banks • presents report to user

  4. Financial Management Service Example Security requirements • don’t expose one user’s fi nancial data to another • bank passwords should only be used to log in to bank; should not even display them to user

  5. Financial Management Service Example Security requirements • don’t expose one user’s fi nancial data to another • bank passwords should only be used to log in to bank; should not even display them to user

  6. Financial Management Service Example Security requirements • don’t expose one user’s fi nancial data to another • bank passwords should only be used to log in to bank; should not even display them to user Much code needs to be trusted to ensure these • all application code that handles fi nancial data • third-party libraries ( e.g., to parse data or draw graphs)

  7. Aeolus Platform for building new secure applications (available as a set of Java libraries) Uses decentralized information fl ow control to avoid information leaks

  8. Information Flow Control Specify restrictions on when information can be released (instead of access control ) • allows untrusted code to access sensitive information but not to release it • only trusted code allowed to remove restrictions on information fl ow (“declassify”) Historically: military IFC systems (con fi dential, secret, etc.) Decentralized IFC (DIFC) extends model to many users

  9. Previous DIFC Work Language-based approaches ( e.g., Jif) • static analysis: IFC enforced through type system, at fi ne granularity (individual variables) DIFC operating systems ( e.g., Asbestos, HiStar, Flume) • dynamic: track information fl ow at the level of processes and fi les Aeolus : information fl ow control in language runtime • similar to OS approach, but provides higher-level abstractions • implemented as library, so doesn’t require new OS or language (tradeo ff is larger TCB size than DIFC OSes)

  10. Aeolus Model “inside” App App App system tracks … information fl ow dynamically Aeolus Aeolus Internet “outside” requires declassi fi cation to release info

  11. Aeolus Contributions New security model • designed to be understandable & easy to use • represents authority relationships in explicit graph Programming model • abstractions for supporting principle of least privilege • threads with secure shared state • distributed computation support

  12. Security Model Concepts Principals: represent users or roles Tags: categories of data with security requirements e.g., ALICE-FINANCIAL-DATA, ALICE-PASSWORD , … Secrecy label: set of tags • objects ( fi les) have immutable labels representing contamination of their contents • threads have mutable labels representing contamination of data accessed

  13. Information Flow Rule

  14. Information Flow Rule Information can only fl ow to a destination more contaminated than the source

  15. Information Flow Rule Information can only fl ow to a destination more contaminated than the source • Thread T can read object O only if O.label ⊆ T.label • Thread T can write object O only if T.label ⊆ O.label

  16. Information Flow Rule Information can only fl ow to a destination more contaminated than the source • Thread T can read object O only if O.label ⊆ T.label • Thread T can write object O only if T.label ⊆ O.label Thread T can communicate with outside only if T.label is null

  17. Label Manipulations Thread labels can be changed with two operations 1. Add a tag to thread’s secrecy label • allows thread to read contaminated data • safe: increases restrictions on thread 2. Declassify: Remove a tag from thread’s label • unsafe: allows sensitive data to be released • requires authority

  18. Authority Each thread runs with an associated principal that determines what it can declassify Any thread can create a new tag • thread’s principal has authority to declassify that tag Principals can delegate authority to other principals • acts-for relationships delegate all authority • grants delegate authority for a particular tag • either type can be revoked

  19. Authority Structure PAT-DATA t PAT t PAT PAT PAT-DR DR-BOB principal acts-for grant tag subtag compound tag

  20. Authority Structure PAT-DATA t PAT t PAT PAT PAT-DR DR-TOM DR-BOB principal acts-for grant tag subtag compound tag

  21. Authority Structure PAT-DATA t PAT t PAT PAT PAT-DR X DR-TOM DR-BOB principal acts-for grant tag subtag compound tag

  22. Authority Structure ALL-PATIENT-DATA PAT-DATA t PAT other t PAT patients PAT PAT-DR X t ALL DR-TOM DR-BOB CLINIC-ADMIN t ALL STATS principal acts-for grant tag subtag compound tag

  23. Authority Aeolus uses explicit authority graph to manage authority • models common authority relationships • readily supports modi fi cation and revocation • compare to capabilities as used in DIFC OSes

  24. Programming Model Abstractions for supporting: • Principle of least privilege • Secure sharing between threads • Distributed computation

  25. Principle of Least Privilege Needs to be easy to drop and regain authority Two mechanisms: • Reduced authority calls : run function with di ff erent principal (lower authority) e.g., drop all authority when invoking untrusted library • Authority closures : Java object bound to principal during construction; object methods run with authority of that principal e.g., grant authority to code that fetches bank transactions

  26. Threads and Isolation Each thread has security state: associated principal and secrecy label Threads must be isolated to ensure information fl ow obeys label restrictions • can’t allow threads to share memory directly Threads can only share data through safe Aeolus mechanisms • shared objects • RPCs • fi le system

  27. Threads and Isolation Each thread has security state: associated principal and secrecy label Threads must be isolated to ensure information fl ow obeys label restrictions • can’t allow threads to share memory directly Threads can only share data through safe Aeolus mechanisms • shared objects • shared objects • RPCs • fi le system } support distributed applications (see paper)

  28. Shared Objects Can be referenced from multiple threads Each shared object has a secrecy label (like fi les); Aeolus platform checks labels on access • Simple built-in example: boxes shared objects with a get/put interface • Developers can de fi ne new shared object types; Aeolus adds appropriate label checks

  29. Boxes Labeled object with get/put interface Box.get() { if (this.label ⊈ thread.label) throw InfoFlowException return copy(this.contents) } Allows thread to hold reference to sensitive data without being contaminated by its contents until read

  30. User-De fi ned Shared Objects Extending AeolusShared base class causes Aeolus platform to add runtime label check to all methods class SharedHashTable<T> extends AeolusShared { public SharedHashTable(Label label) { super(label); } public T get(String key) { if (thread.label != object.label) throw InfoFlowException; return copy (data[key]); } }

  31. User-De fi ned Shared Objects Extending AeolusShared base class causes Aeolus platform to add runtime label check to all methods class SharedHashTable<T> extends AeolusShared { public SharedHashTable(Label label) { super(label); } public T get(String key) { if (thread.label != object.label) throw InfoFlowException; return copy (data[key]); } }

  32. User-De fi ned Shared Objects Extending AeolusShared base class causes Aeolus platform to add runtime label check to all methods class SharedHashTable<T> extends AeolusShared { public SharedHashTable(Label label) { super(label); Aeolus platform can’t tell if method is } read-only, so assumes it both reads and writes public T get(String key) { if (thread.label != object.label) throw InfoFlowException; return copy (data[key]); } }

  33. User-De fi ned Shared Objects Extending AeolusShared base class causes Aeolus platform to add runtime label check to all methods class SharedHashTable<T> extends AeolusShared { public SharedHashTable(Label label) { super(label); Aeolus platform can’t tell if method is } read-only, so assumes it both reads and writes public T get(String key) { if (thread.label != object.label) throw InfoFlowException; return copy (data[key]); } }

  34. Implementing Isolation Rely on memory safety of JVM • copy all arguments passed to a newly-forked thread • also, all arguments and result of shared object calls • needs to be a deep copy, except references to shared objects OK Disallow unsafe features via Java SecurityManager & bytecode veri fi cation • native code (except in approved libraries) • re fl ection • static variables

Recommend

Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan

Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan

Information Flow Control For Standard OS Abstractions Max Krohn, Alex Yip, Micah Brodsky, Natan Cliffer, Frans Kaashoek, Eddie Kohler, Robert Morris Vulnerabilities in Websites Exploits Web software is buggy Attackers find and

672 views • 49 slides
Optimizing Dynamic Power Flow Anders Rantzer Automatic Control LTH Lund Universty Anders

Optimizing Dynamic Power Flow Anders Rantzer Automatic Control LTH Lund Universty Anders

Optimizing Dynamic Power Flow Anders Rantzer Automatic Control LTH Lund Universty Anders Rantzer Optimizing Dynamic Power Flow Combine with water power reservoirs in northern Sweden Use wind farms to stabilize network AEOLUS project:

873 views • 27 slides
Motivation It may involve Minor changes in the main source Requires static linking We

Motivation It may involve Minor changes in the main source Requires static linking We

1 July 2012 Plugins: Outline 1/61 Outline Workshop on Essential Abstractions in GCC GCC Control Flow and Plugins Motivation GCC Resource Center Plugins in GCC (www.cse.iitb.ac.in/grc) GCC Control Flow Department of Computer

639 views • 24 slides
with Deferrable constraints in Haskell through the tale of a Haskell information flow control

with Deferrable constraints in Haskell through the tale of a Haskell information flow control

Gradually typed DSLs with Deferrable constraints in Haskell through the tale of a Haskell information flow control library Pablo Buiras, Alejandro Russo, Dimitrios Vytiniotis Information flow control 101 Non- interference:

465 views • 31 slides
Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

1.02k views • 58 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Secure Architecture Principles Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure Information Flow (CACM 1976) Review Access Control Discretionary access control (DAC) Philosophy: users have

321 views • 16 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the presence of certain language features (e.g. indirect calls) it is nontrivial to predict accurately how control may flow at execution time the nave

594 views • 42 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web

Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web

Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web script security: threats and countermeasures A formal model of web scripts Information flow security Secure multi-execution The

2.25k views • 131 slides
V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control

310 views • 12 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

540 views • 34 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

428 views • 8 slides
ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

Conditionals and Control Flow Two key pieces 1. Comparisons and tests: check conditions 2. Transfer control: choose next instruction Control flow Processor Control-Flow State Familiar C constructs Condition codes (a.k.a. flags ) if else l

191 views • 8 slides
Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow refers to the specification of the order in which the individual statements, instructions or function calls of an imperative program are executed or

333 views • 19 slides
Control-flow analysis ? ? ? ? ? Discovering information about how control (e.g. the program

Control-flow analysis ? ? ? ? ? Discovering information about how control (e.g. the program

Control-flow analysis ? ? ? ? ? Discovering information about how control (e.g. the program counter) may move through a program. Intra-procedural analysis An intra-procedural analysis collects information about the code inside a single

1.3k views • 53 slides
JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99)

JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99)

JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99) Presented by Daryl Zuniga Overview Information-flow: what and why JFlow: Intro JFlow: How it works JFlow: Characteristics and limitations

810 views • 53 slides
Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)

Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)

Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets) Cdric Favre(1,2), Hagen Vlzer(1), Peter Mller(2) (1) IBM Research - Zurich (2) ETH Zurich 1 Outline Problem - Control-flow analysis

624 views • 44 slides
Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy

Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy

Secure Information Flow ! Protecting the confidentiality of secret information Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy Blood type: AB Birth date: 9/5/46 HIV: positive ! Access control and

399 views • 10 slides
Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist junho.huh@honeywell.com Honeywell.com What is usable security? Building security solutions that are intuitive and easy to use Many security

350 views • 9 slides
Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay Mumbai, India FOSSEE Team (FOSSEE IITB) Control flow 1 / 32 Outline Control flow 1 Basic Conditional flow Control flow 2 Basic Looping

560 views • 37 slides

More recommend