proving confidentiality in a file system using disksec
play

Proving Confidentiality in a File System Using DiskSec (Poster #2) - PowerPoint PPT Presentation

Apr 05, 2024 •547 likes •796 views

Proving Confidentiality in a File System Using DiskSec (Poster #2) OSDI 18 Atalay Mert leri, Tej Chajed, Adam Chlipala, Frans Kaashoek, Nickolai Zeldovich MIT CSAIL Storage Systems Contain Confidential Data Users rely on the storage

  1. Proving Confidentiality in a File System Using DiskSec (Poster #2) OSDI ‘18 Atalay Mert İleri, Tej Chajed, Adam Chlipala, Frans Kaashoek, Nickolai Zeldovich MIT CSAIL

  2. Storage Systems Contain Confidential Data Users rely on the storage system to maintain their confidentiality. ● A file system will be used as a case study in this talk. 2

  3. Confidentiality in a File System ● Alice and Bob share a file-system on the same machine ● Bob tries to learn the content of Alice’s files Threat model: Bob can call the file-system interface and cannot bypass it. ○ can’t steal the disk ○ can’t read or write directly to the disk etc. 3

  4. Bugs May Leak Confidential Data File-systems are also subject to confidentiality bugs. Examples ● Crash can expose deleted data (ext4 - 2017) ● Anyone can change POSIX ACLs (NFS - 2016) ● Truncated data can be accessed (btrfs - 2015) ● Crash can expose data (ext4 - 2014) ● Anyone can change POSIX ACLs (btrfs, gfs2 - 2010) ● ... 4

  5. Approach: Formal Verification ● Write a specification that captures the desired behavior of the system. ● Prove that implementation satisfies the specification. ● As long as specification accurately captures the desired behavior, implementation details are irrelevant. ● We have verified file systems with correctness specifications (e.g. DFSCQ [SOSP’17]). 5

  6. Functional Specifications Do Not Ensure Confidentiality Functional specifications ensure many security properties. (e.g. no memory corruption, no disk corruption etc.) Example: Specification for readdir readdir can return entries in any order. readdir (...) ⇒ dir_a, dir_b /dir_a /dir_b dir_b, dir_a 6

  7. Functional Specifications Do Not Ensure Confidentiality def readdir(...) dirs = get_dirlist(...) ● Meets specification if (alice.txt file contains ‘a’) return sort(dirs) ● Leaks confidential data else return reverse_sort(dirs) Nondeterministic functional specifications allow breach of confidentiality. Confidentiality requires better specifications. 7

  8. State of the Art in Verifying Confidentiality Existing Systems ● seL4 [SSP’13] ● Ironclad [OSDI’14] ● CertiKOS [PLDI’16] ● Komodo [SOSP’17] ● Nickel [OSDI‘18] Above systems use non-interference for their confidentiality specifications. Non-interference does not allow any data exposure from Alice to Bob. 8

  9. Non-interference is Not Suitable for File System Confidentiality. ● File systems have discretionary access control ● File systems intentionally expose metadata. 9

  10. Contributions DiskSec Framework for proving confidentiality of storage systems. ● File-system confidentiality specification. ● Proof technique to track ownership of the data. ● DiskSec implemented and proven in Coq Proof Assistant. Evaluation ● SFSCQ file system: extension of DFSCQ with confidentiality theorem ● Confidentiality for simple app on top of SFSCQ 10

  11. Bob Cannot Infer Alice’s Confidential Data World 1 World 2 Alice: Alice: write(f, b) write(f, a) Data is confidential: observes same results Bob Bob 11

  12. Confidentiality Means Other Users See Same Thing Regardless of Your Data World 1 p s 1 s’ 1 ) a ( e Bob t i r w Confidentiality ret 1 s requires that write(b) p s 2 s’ 2 ret 1 = ret 2 Bob ret 2 World 2 Two states are equivalent with respect to a user ( ≅ user ), if all the data visible to that user is the same in both states. 12

  13. Our Confidentiality Specification: Data Non-interference State Non-interference Return Non-interference p syscall s 0 s 1 s 2 Bob ret 1 = ≅ Bob ≅ Bob ret 2 p syscall s’ 0 s’ 1 s’ 2 Bob 13

  14. Data Non-interference is a Good Confidentiality Specification for File Systems Data non-interference ● allows discretionary access control, ● allows exposing of metadata, ● forbids exposing of user data ○ even indirectly (e.g. readdir) 14

  15. How can We Prove Data Non-interference? Data non-interference require more complicated proofs than functional correctness. ● Require reasoning about behavior of two executions. Insight: File systems mostly does not inspect user data. ● Suffices to reason about where user data is accessed in one execution. 15

  16. Our Approach: Sealed Blocks ● Pretend that all disk blocks are logically sealed. ● Function needs to request an unseal to access the data content. ● Functions can be analyzed to prove that they do not unseal user data. 16

  17. Standard Disk Infrastructure read(a: addr) -> data write(a: addr, b: data) File system implementation Disk data data data 17

  18. DiskSec Infrastructure owner sealed block ( sblock ) data read(a: addr) -> sblock read(a: addr) -> data write(a: addr, b: sblock) write(a: addr, b: data) File system implementation seal(d: data, u: user) -> sblock unseal(b: sblock) -> data Sec logical disk Disk unseal owner trace owner owner owner u 1 , u 2 , ... data data data 18

  19. How to Use DiskSec? 1. Developer instruments his code with seals, unseals and access control checks. Standard Implementation DiskSec Implementation def read(f,...) def read (f,...) data = read_disk(f,...) if (can_access(f)) return data sealed_data = read_disk(f,...) data = unseal(sealed_data) return data else return error 2. Developer proves that a certain property holds for the unseal trace of the implementation. 19

  20. Sealed Blocks Simplify Confidentiality Proofs Unseal Public Function only unseals data accessible to every user . Unseal Public ➙ Data Non-interference Unseal Secure Function only unseals data accessible to the current user Unseal Secure ➙ Return Non-interference In this case, state non-interference needs to be proven separately. 20

  21. DiskSec Summary ● Provides infrastructure for access control in storage systems. ● Formalizes data non-interference as a confidentiality specification. ● Simplifies proof effort by reducing data non-interference proofs to unseal trace proofs. 21

  22. Applying DiskSec: SFSCQ Overview ● Based on DFSCQ [SOSP’17] ● Supports multiple users ● Simplified permission model ○ All metadata, including file names, are public. ○ File contents may be public or private. ○ File owner is set upon creation. ● Fully implemented and verified in Coq Proof Assistant 22

  23. Evaluation ● Did we prove DFSCQ satisfies data non-interference? ○ Not completely. ○ Needed to remove an advanced feature. ● Is performance the same as DFSCQ? ○ SFSCQ code = DFSCQ code + access control checks ● How much effort did it require? ○ Took one author ~3 months 23

  24. Conclusions ● Correctness specifications are not enough for confidentiality. ● Data non-interference is a suitable confidentiality specification for file systems. ● We designed and implemented DiskSec, a framework for confidentiality proofs for storage systems. ● We implemented SFSCQ, the first file system with machine-checkable confidentiality proofs, using DiskSec. https://github.com/mit-pdos/fscq/tree/security 24

Recommend

On Protecting Integrity and Confidentiality of Cryptographic File System for Outsourced Storage

On Protecting Integrity and Confidentiality of Cryptographic File System for Outsourced Storage

On Protecting Integrity and Confidentiality of Cryptographic File System for Outsourced Storage Aaram Yun , Chunhui Shi, Yongdae Kim University of Minnesota CCSW 2009, 13 Nov 2009 Cryptographic network file system How to achieve a

348 views • 16 slides
Encrypted File Systems Don Porter CSE 506 Goals Protect confidentiality of data at rest

Encrypted File Systems Don Porter CSE 506 Goals Protect confidentiality of data at rest

Encrypted File Systems Don Porter CSE 506 Goals Protect confidentiality of data at rest (i.e., on disk) Even if the media is lost or stolen Protecting confidentiality of in-memory data much harder Continue using file system features

227 views • 19 slides
Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira

Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira

Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira High Assurance Software Lab and Dept. Inform atica Universidade do Minho Braga, Portugal INFORUM 2010 Braga, Portugal, September 2010 Context

1.1k views • 73 slides
Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation Directory Implementation Allocation Methods Free-Space Management Efficiency and Performance Recovery Log-Structured File Systems

492 views • 47 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System Performance Controlled Sharing Convenience: naming Reliability File System Workload File sizes Are most files small or large?

996 views • 62 slides
CSE 120 File System Interface What the user/programmer sees File System Implementation

CSE 120 File System Interface What the user/programmer sees File System Implementation

Overview CSE 120 File System Interface What the user/programmer sees File System Implementation How it works Summer, 2006 Day 9 File Systems Instructor: Neil Rhodes 2 What is a File? Typical Filesystem Named collection of related

175 views • 5 slides
File System Implementation Summer 2016 Cornell University Today File allocation Unix

File System Implementation Summer 2016 Cornell University Today File allocation Unix

CS 4410 Operating Systems File System Implementation Summer 2016 Cornell University Today File allocation Unix file system Log-structured file system 2 File system: two design problems User interface: File, directory,

362 views • 21 slides
Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a distributed Definitions implementation of a classical time-sharing model of a file Distributed system - A number of loosely coupled system. machines

997 views • 8 slides
Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Unit OS8: File System 8.6. Quiz Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Windows File System Efficiency and Stability of a file system are contradicting requirements. How can the

279 views • 11 slides
Distributed Systems - III Open a file, check status on a file, close a file; Read data

Distributed Systems - III Open a file, check status on a file, close a file; Read data

CSE 421/521 - Operating Systems What does Distributed File System Provide? Fall 2011 Provide access to and manipulation of data stored at remote servers using file system interfaces Lecture - XXV What are the file system interfaces?

236 views • 5 slides
File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk class it is using It issues block read/write requests to the generic block layer Provide an abstraction Goals Implement an abstraction (files) for

389 views • 37 slides
FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System

FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System

FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management Discussion 11. Outline File-System Structure

516 views • 51 slides
Week 10: File Management What is a file? Elements of file management File

Week 10: File Management What is a file? Elements of file management File

CPSC 410 / 611 : Operating Systems Week 10: File Management What is a file? Elements of file management File organization Directories File allocation UNIX file system Reading: Silberschatz, Chapter 10, 11

498 views • 13 slides
Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary Software is not perfect Bugs in kernel (File system, VM, Device Driver code) Hardware is not perfect Disk errors Memory errors File

613 views • 24 slides
Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure

Chapter 11: File-System Interface File Concept Access Methods Directory Structure File System Mounting File Sharing Protection Operating System Concepts Silberschatz, Galvin and Gagne 2002 11.1 File Concept

387 views • 15 slides
File-System: Implementation Summer 2013 Cornell University 1 Today How is the file system

File-System: Implementation Summer 2013 Cornell University 1 Today How is the file system

CS 4410 Operating Systems File-System: Implementation Summer 2013 Cornell University 1 Today How is the file system implemented? Layered file system Directory implementation Allocation methods Free-space management 2

453 views • 18 slides
Network File System - NFS NFS Specification NFS is a distributed file system (DFS) originally

Network File System - NFS NFS Specification NFS is a distributed file system (DFS) originally

Network File System - NFS NFS Specification NFS is a distributed file system (DFS) originally The NFS specification distinguishes between the implemented by Sun Microsystems. services provided by the mount mechanism and the remote file

105 views • 9 slides
File System Aging: Increasing the Relevance of File System Benchmarks Keith A. Smith Margo I.

File System Aging: Increasing the Relevance of File System Benchmarks Keith A. Smith Margo I.

File System Aging: Increasing the Relevance of File System Benchmarks Keith A. Smith Margo I. Seltzer Harvard University Division of Engineering and Applied Sciences File System Performance 3.0 Read Throughput (MB/sec) 2.5 2.0 1.5 1.0

541 views • 42 slides
CPSC 410/611: File Management What is a file? Elements of file management File

CPSC 410/611: File Management What is a file? Elements of file management File

CPSC 410 / 611 : Operating Systems CPSC 410/611: File Management What is a file? Elements of file management File organization Directories File allocation UNIX file system Reading: Silberschatz, Chapter 10, 11

186 views • 14 slides
Virtual File System Don Porter CSE 306 History Early OSes provided a single file system In

Virtual File System Don Porter CSE 306 History Early OSes provided a single file system In

Virtual File System Don Porter CSE 306 History Early OSes provided a single file system In general, system was pretty tailored to target hardware In the early 80s, people became interested in supporting more than one file system type on

546 views • 35 slides
Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS Operation Data Encryption

Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS Operation Data Encryption

Unit OS8: File System 8.3. Encrypting File System Security in Windows Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS

250 views • 12 slides
Unix File System API Operating System Hebrew University Spring 2009 1 File System API manuals

Unix File System API Operating System Hebrew University Spring 2009 1 File System API manuals

Unix File System API Operating System Hebrew University Spring 2009 1 File System API manuals The information on file system API can be found on section 2 (Unix and C system calls ) of the Unix/Linux man pages ~> man S 2 open

559 views • 41 slides
The Berkeley File System The Original File System Background Why is the bandwidth low? The

The Berkeley File System The Original File System Background Why is the bandwidth low? The

The Berkeley File System The Original File System Background Why is the bandwidth low? The original UNIX file system was implemented on a The file system used a 512 byte block size. This block PDP-11. size is to small with 10 ms disk

328 views • 8 slides

More recommend