RIFLE: An Architectural Framework for User-Centric Information-Flow Security
Neil Vachharajani, Matthew J. Bridges, Jonathan Chang, Ram Rangan, Guilherme Ottoni, Jason A. Blome, George A. Reis, Manish Vachharajani, David I. August
Liberty Research Group, Princeton University
Information-Flow Security in the Real World
(Slide header: RIFLE: Information Flow Security)

Scenario diagram: the IRS (IRS.gov) provides tax forms; TaxPrep, Inc. (TaxPrep.com) provides the tax-preparation software and its patches; Alice enters her financial information into that software. The first slide draws an information barrier between Alice's system and the outside parties; the second redraws the barrier around the financial information itself.

http://www.liberty-research.org, The Liberty Research Group
Information-Flow Security in the Real World

All programs must be assumed unsafe:
• Malicious programs intentionally leak information
• Buggy programs unintentionally leak information

User-Centric Information-Flow Security
1. Users want to establish their own security policy
   • The CIA's security needs differ from Joe Average's
2. Users want data-dependent security policies
   • Web browser with web search form data
   • Web browser with banking login form data
3. Users should not have to sacrifice security for functionality
   • All programs should be secure or securable
   • Only security holes that will actually be realized are significant
Definition of Security: Non-Interference

Integrity
• Untrusted inputs should not affect trusted outputs
• Example: prevent input from being executed [Suh 04, Crandall 04]

Confidentiality [Denning 76, Myers 97, Myers 99, Tse 04]
• High-security inputs should not affect low-security outputs
• Example: tax preparation software

Key mechanism: tracking the flow of information through code
• Integrity and confidentiality are duals
• Policies and enforcement both rely on information flow
Information-Flow Security: Tainting Data
• Used in Perl's "taint" mode and other works [Denning 76, Suh 04, Crandall 04]

1. Program inputs are tainted, or labeled with a security class
2. Labels propagate through computation
3. Certain operations enforce a security policy by verifying operand labels

Example instruction sequence (labels on r1, r2, r3 flow into r4, r5, r6 and are checked at the write):
    add r4 = r1, r2
    add r5 = r4, r3
    div r6 = r5, 3
    sc.write r6
Problems with the Taint Solution

Control flow can leak information!
    mov r2 = 0
    bnez r1, L1
L1: mov r2 = 1
    sc.write r2

Value table: r1 = 1 gives r2 = 1; r1 = 0 gives r2 = 0. The value of r2 is exactly the value of r1, yet no label ever propagates from r1 to r2, because r2 is only ever assigned constants.
User-Centric Information-Flow Security

Comparison of approaches. Columns: leaks information?, enforcement, two requirement columns (headings not recoverable), performance overhead. The slide annotates the columns with "Essential for User-Centric IFS", "Deal breaker for User-Centric IFS" and "Fundamentally Impossible".

Taint [Suh 2004]:                                    Yes          | Dynamic        | No  | No  | Moderate
Static Systems [Denning 76, Myers 97, Myers 99]:     Rate Limited | Static         | Yes | Yes | None
Static with Runtime Principles [Tse 2004]:           Rate Limited | Hybrid         | Yes | Yes | Little
Ideal User-Centric:                                  No           | Dynamic/Hybrid | No  | No  | None
RIFLE:                                               Rate Limited | Dynamic        | No  | Yes | Moderate
Naïve "Solution": Taint the Program Counter
• Ops have an implicit PC operand
• Label the PC like any other operand
• The PC should be declassified after the branch merge

A:     mov r2 = 0, PC
B:     bnez PC = r1, L1
C: L1: mov r2 = 1, PC
D:     PC = declassify PC
       sc.write r2, PC

The value table is unchanged (r1 = 1 gives r2 = 1; r1 = 0 gives r2 = 0): on the path that skips L1, r2 never picks up the PC's label. Code can leak information whether it is executed or not!
RIFLE: The Big Picture

Programmer's system: unannotated source code → compiler → compiled code for the base ISA.
User's system: compiled code → binary translator → compiled code for the secure ISA, executed by the runtime environment, which acts as the policy enforcer for the end user.
Naïve Binary Translation

Starting point (flow dependence from the mov at L1, through PC, into sc.write):
    mov r2 = 0, PC
    bnez PC = r1, L1
L1: mov r2 = 1, PC
    PC = declassify PC
    sc.write r2, PC

1. Force every if to have an else
2. On each side of the branch, modify the same variables

    mov r2 = 0, PC
    bnez PC = r1, L1
    mov r2 = r2, PC        (inserted else side)
L1: mov r2 = 1, PC
    PC = declassify PC
    sc.write r2, PC

Now each path defines r2 while the PC is labeled, so both definitions carry a flow dependence into sc.write.

• But what about memory?
    mov r2 = &x, PC
    bnez PC = r1, L1
    st M[r1] = M[r1], PC   (inserted else side)
L1: st M[r1] = 1, PC
    PC = declassify PC
    sc.write M[r2], PC

There is a possible memory dependence from the store at L1 to the load in sc.write, but the inserted store creates no memory dependence, since on that path r1 == 0 and the store does not touch M[r2].
RIFLE Binary Translation

Key insight: handle implicit flows at data use, not data definition.

    mov r2 = &x
    mov s10 = s1            (security register s10 receives the label of the branch condition)
    bnez r1, L1
L1: <s10> st M[r1] = 1      (control dependence on the branch)
    <s10> sc.write M[r2]    (possible memory dependence on the store at L1)
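The following interpreter is an added example, not code from the slides or from the RIFLE project. It replays the "Tainting Data" and "Problems with the Taint Solution" program under plain data tainting, then under a RIFLE-style translation of that program where a `<s10>` prefix joins a security register's label into an instruction's result. The security register `s1` is assumed to be the shadow label of `r1`; the `jump` op models the slide's fall-through edge that skips L1.

```python
# Labels are frozensets of security classes; the empty set is public.
SECRET = frozenset({"secret"})
PUBLIC = frozenset()

def run(program, r1_value, mode):
    """Execute `program` and return (value written by sc.write, its label).
    Instructions are (guard, op, a, b). In 'rifle' mode the guard names a
    security register whose label is joined into the result (the <s10>
    prefix); in 'taint' mode guards are ignored and only explicit data
    flow carries labels."""
    regs = {"r1": r1_value, "r2": 0}
    labels = {"r1": SECRET, "r2": PUBLIC}
    sregs = {"s1": SECRET}          # assumed: s1 shadows the label of r1
    pc = 0
    while True:
        guard, op, a, b = program[pc]
        extra = sregs[guard] if guard and mode == "rifle" else PUBLIC
        pc += 1
        if op == "movi":            # a = immediate b; constants are public
            regs[a], labels[a] = b, extra
        elif op == "movs":          # security register a = copy of b
            sregs[a] = sregs[b]
        elif op == "bnez":          # branch to index b if register a != 0
            if regs[a] != 0:
                pc = b
        elif op == "jump":          # unconditional jump to index b
            pc = b
        elif op == "write":         # sc.write a: the policy check point
            return regs[a], labels[a] | extra

LEAK = [                            # the slide's program, constructed here
    (None, "movi", "r2", 0),        #     mov r2 = 0
    (None, "bnez", "r1", 3),        #     bnez r1, L1
    (None, "jump", None, 4),        #     (fall-through edge skips L1)
    (None, "movi", "r2", 1),        # L1: mov r2 = 1
    (None, "write", "r2", None),    #     sc.write r2
]

RIFLE = [                           # same program after RIFLE-style translation
    (None, "movi", "r2", 0),        #     mov r2 = 0
    (None, "movs", "s10", "s1"),    #     mov s10 = s1  (label of branch condition)
    (None, "bnez", "r1", 4),        #     bnez r1, L1
    (None, "jump", None, 5),
    ("s10", "movi", "r2", 1),       # L1: <s10> mov r2 = 1  (control dependent)
    ("s10", "write", "r2", None),   #     <s10> sc.write r2 (implicit flow at the use)
]

def leaks(program, mode):
    """True when the written value varies with the secret but is labeled public."""
    outs = {run(program, v, mode) for v in (0, 1)}
    return len({val for val, _ in outs}) > 1 and all(lab == PUBLIC for _, lab in outs)
```

Under plain tainting `leaks(LEAK, "taint")` is true on both paths; with the translated program `run(RIFLE, v, "rifle")` labels the written value secret whether or not L1 executes.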
Results: Security

Word count (wc)
• Function calls and returns
• Global pointer, stack pointer
[Figure: labels observed on wc's inputs (wc.NM, wc.MAP, load6.txt, src4+2or6.txt), the command line and the program binary, and the combined label.]

PGP: identified unexpected information flows!
• Key ring: each key labeled with a unique label
• Plain text: colored with a unique label
• Cipher text:
  • Expected: labeled with the used key's label and the plain-text label
  • Actual: labeled with the labels of all keys up to the used key, plus the plain-text label
Hardware Implementation & Optimizations
• All instructions create explicit flows
• Use shadow registers/memory to store security labels
• Augment the processor data path to track explicit flows
• The transformation inserts redundant security register defines
  • Many instructions added
  • Many security registers needed

Before optimization:
    add r1 = 0, 1
    mov s50 = s10
    mov s60 = s50
    (r10) jump L2
L1: <s50> (r1) jump L3
    …
L2: <s60> add r1 = 0, 0
    jump L1

After optimization (the redundant copy s60 = s50 is removed and its use renamed to s50):
    add r1 = 0, 1
    mov s50 = s10
    (r10) jump L2
L1: <s50> (r1) jump L3
    …
L2: <s50> add r1 = 0, 0
    jump L1
Results: Performance

Validated Itanium 2 model built in the Liberty Simulation Environment.
[Chart: normalized runtimes (0.0 to 2.5) per benchmark for two configurations, Double Cache and Original Cache.]
Conclusions & Future Work
• User-centric information-flow security empowers users
  • User-tailored (not programmer-tailored) security policy
  • Data-based (not program-based) security
  • Any program can be secured (no need for special languages)
• User-centric information-flow security is possible
• RIFLE provides user-centric information-flow security by:
  • Tracking flow and enforcing policies dynamically
  • Using static "hints" inserted via binary translation to establish security
• Future work
  • Improved performance: more optimization, hardware acceleration
  • JVM implementation: for broadened applicability
  • Declassification: allowing user-controlled data "leaks"