securing distributed systems with information flow control
play

Securing distributed systems with information flow control - PowerPoint PPT Presentation

Nov 24, 2023 •493 likes •1.16k views

Securing distributed systems with information flow control Nickolai Zeldovich Silas Boyd-Wickizer David Mazires Traditional web applications: lots of trusted (yellow) code HTTP User's Application User's browser front Database User's

  1. Securing distributed systems with information flow control Nickolai Zeldovich Silas Boyd-Wickizer David Mazières

  2. Traditional web applications: lots of trusted (yellow) code HTTP User's Application User's browser front Database User's code browser end browser ● Application is typically millions of lines of code ● Lots of third-party libraries from SourceForge ● Application has access to entire user database

  3. Traditional web applications: lots of trusted (yellow) code HTTP User's Application User's browser front Database User's code browser end browser ● Application is typically millions of lines of code ● Lots of third-party libraries from SourceForge ● Application has access to entire user database ● Result: any bug allows attacker to steal all data! – PayMaxx app code exposed 100,000 users' SSNs

  4. Recent work: information flow control ● Don't try to eliminate all application bugs ( hard !) ● OS'es like Asbestos, HiStar, Flume keep user data secure even if application is malicious – Track flow of user's data through system – Only send user's data to that user's browser – No need to audit/understand application code!

  5. Recent work: information flow control ● Don't try to eliminate all application bugs ( hard !) ● OS'es like Asbestos, HiStar, Flume keep user data secure even if application is malicious – Track flow of user's data through system – Only send user's data to that user's browser – No need to audit/understand application code! ● Limitation: works only on one machine – Web applications need multiple machines for scale

  6. This talk: extending information flow control to distributed systems ● Outline: – Review of information flow control (IFC) in an OS – Challenges in distributed IFC and our solution – Apps: web server, incremental deployment, ... ● Results: – Can control information flow in distributed system – Key idea: self-certifying category names – Enforce security of scalable web server in 6,000 lines

  7. Labels control information flow Label Label Label File A Process File B

  8. Labels control information flow Color is category of data (e.g. my files) Blue data can flow only to other blue objects Label Label Label File A Process File B

  9. Labels control information flow Color is category of data (e.g. my files) Blue data can flow only to other blue objects Label Label Label X File A Process File B X

  10. Labels control information flow Color is category of data (e.g. my files) Blue data can flow only to other blue objects Label Label Label X File A Process File B X

  11. Labels control information flow Color is category of data (e.g. my files) Blue data can flow only to other blue objects Owns blue data, can remove color (e.g. encrypt) Label Label Label File A Process File B

  12. Labels are egalitarian ● Any process can request a new category (color) – Gets ownership of that category ( ) – Uses category in labels to control information flow – Can grant ownership to others Label Label Label File A Process File B

  13. Traditional web server: lots of trusted (yellow) code HTTP User's front Application User's browser Database User's end code browser browser

  14. Information flow control: separate color for each user's data HTTP User's front Application Database User's browser User's end code browser browser

  15. Information flow control: track each user's data in app Application code HTTP User's front Application Database User's browser User's end code browser browser Application code

  16. Labels prevent application code from disclosing data onto network Application X code HTTP User's front Application Database User's browser User's end code browser browser Application X code

  17. Front-end uses ownership to send data only to user's browser Application X code HTTP User's front Application Database User's browser User's end code browser browser Application X code

  18. Front-end uses ownership to send data only to user's browser Application X code HTTP User's front Application Database User's browser User's end code browser browser Application X code ● What happens when the server gets overloaded?

  19. Limitation: OS alone cannot control information flow in distributed system Application X code X X HTTP User's front Application Database User's X X browser User's end code browser browser X X Application X code

  20. Distributed challenge: when to allow processes to communicate? ● Design goal: decentralized – no fully-trusted parts – (Not the usual meaning of decentralized IFC, or DIFC) HTTP Application Data front-end server server httpd App code Database ? ? ● Challenge: no equivalent of a fully-trusted OS kernel that can make all decisions

  21. High-level approach: encode labels in messages Each machine uses OS to enforce labels locally HTTP Application Data front-end server server httpd App code Database Message Message

  22. Problem: decentralized trust ● When can we trust the recipient with message? Attacker's HTTP Application Data machine front-end server server httpd App code Database X Message Message

  23. Solution: per-category trust ● DB trusts front-end, app servers with a particular user's data (e.g. messages labeled blue) ● But DB doesn't trust the app code... Attacker's HTTP Application Data machine front-end server server httpd App code Database X Message Message

  24. Exporters control information flow on each machine using local OS ● Database doesn't trust the app code, but trusts the app server's exporter to contain the app code Attacker's HTTP Application Data machine front-end server server httpd App code Database Exporter Exporter Exporter X Message Message

  25. Exporter's API exp_send( dest_host , dest_mbox , msg , label ) – Exporter provides interface to send datagrams – Message should only be sent if every category in label trusts the machine dest_host – How does the exporter check for this trust?

  26. Strawman: check trust by querying category owners Process (secret bit = 1) Exporter Category owner

  27. Strawman: check trust by querying category owners exp_send(host_x, msg) Process (secret bit = 1) Exporter ? ? Host X Category owner

  28. Strawman: check trust by querying category owners exp_send(host_x, msg) Process (secret bit = 1) Control msg: Exporter “can I send to host_x?” ? ? Host X Category owner

  29. Querying category owners creates a covert channel in API Process (secret bit = 1) X Exporter Attacker's host Host X Category owner

  30. Querying category owners creates a covert channel in API Process (secret bit = 1) X Exporter Attacker's host Host X Category owner

  31. Querying category owners creates a covert channel in API exp_send(host_x, msg) Process (secret bit = 1) X Exporter ? ? Attacker's host Host X Category owner

  32. Querying category owners creates a covert channel in API exp_send(host_x, msg) Process (secret bit = 1) X Control msg: Control msg: Exporter “can I send to “can I send to host_x?” host_x?” ? ? Attacker's host Host X Category owner

  33. Strawman 2: store trust in exporter Process (secret bit = 1) host_x Exporter host_y

  34. Strawman 2: store trust in exporter exp_send(host_x, msg) Process (secret bit = 1) host_x Exporter host_y ● Exporter sends no queries that could leak data

  35. Storing trust in exporter also creates a covert channel in API Colluding Process Process (secret bit = 1) X host_x Exporter Attacker's host Y

  36. Storing trust in exporter also creates a covert channel in API Colluding Process Process (secret bit = 1) exp_trust( , host_y) X host_x Exporter host_y Depends on Attacker's host Y value of the secret bit

  37. Storing trust in exporter also creates a covert channel in API Colluding Process Process (secret bit = 1) exp_send(host_y, msg) exp_trust( , host_y) X host_x Exporter host_y Depends on Depends on Depends on behavior of Attacker's host Y value of the value of the malicious secret bit secret bit process

  38. Problem: What to do with covert channels? ● Non-goal: eliminate all covert channels – Not practical ● Goal: avoid covert channels in interface – Allow trading off performance to mitigate covert channels without changing the API

  39. Solution: Self-certifying category names ● Categories named by public key ● Trust for a category defined by certificates signed by that category's private key ● Caller supplies all certificates to exp_send()

  40. Caller supplies all certificates needed by exporter exp_send( dest_host , dest_mbox , msg , label , certs ) Caller-supplied

  41. Caller supplies all certificates needed by exporter exp_send( dest_host , dest_mbox , msg , label , certs )   Mapping = Caller-supplied

  42. Caller supplies all certificates needed by exporter exp_send( dest_host , dest_mbox , msg , label , certs ) No covert channels   to determine trust: Mapping = ➔ No external Certificate communication host X  Can send to  ➔ No shared state Caller-supplied

Recommend

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

1.02k views • 58 slides
Nickel: A framework for design and verification of information flow control systems Luke Nelson

Nickel: A framework for design and verification of information flow control systems Luke Nelson

Nickel: A framework for design and verification of information flow control systems Luke Nelson Joint work with Helgi Sigurbjarnarson, Bruno Castro-Karney, James Bornholt, Emina Torlak, Xi Wang 2018 New England Systems Verification Day 1

749 views • 31 slides
Possibilistic Information Flow Control for Workflow Management Systems Thomas Bauereiss Dieter

Possibilistic Information Flow Control for Workflow Management Systems Thomas Bauereiss Dieter

Possibilistic Information Flow Control for Workflow Management Systems Thomas Bauereiss Dieter Hutter DFKI Bremen Workflow management systems Coordinating manual and (semi-)automatic activities involving multiple users Security

364 views • 17 slides
Securing Information Systems Reading: Laudon & Laudon chapter 7 Additional Reading: Brien

Securing Information Systems Reading: Laudon & Laudon chapter 7 Additional Reading: Brien

Securing Information Systems Reading: Laudon & Laudon chapter 7 Additional Reading: Brien & Marakas chapter 11 COMP 5131 1 Outline System Vulnerability and Abuse Business Value of Security and Control Establishing

734 views • 40 slides
What is this course about? What do I mean by distributed information systems ?

What is this course about? What do I mean by distributed information systems ?

What is this course about? What do I mean by distributed information systems ? distributed : a bunch of computers connected by wires. independent systems but not necessarily autonomous assume network supports messaging and stream

311 views • 10 slides
with Deferrable constraints in Haskell through the tale of a Haskell information flow control

with Deferrable constraints in Haskell through the tale of a Haskell information flow control

Gradually typed DSLs with Deferrable constraints in Haskell through the tale of a Haskell information flow control library Pablo Buiras, Alejandro Russo, Dimitrios Vytiniotis Information flow control 101 Non- interference:

465 views • 31 slides
Topic #8 Signal Flow Graphs Reference textbook : Control Systems, Dhanesh N. Manik, Cengage

Topic #8 Signal Flow Graphs Reference textbook : Control Systems, Dhanesh N. Manik, Cengage

ME 779 Control Systems Topic #8 Signal Flow Graphs Reference textbook : Control Systems, Dhanesh N. Manik, Cengage Publishing, 2012 1 Control Systems: Signal Flow Graphs Learning Objectives Definition Canonical feedback system

380 views • 14 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Distributed Systems (ICE 601) Concurrency Control - Part2 Dongman Lee ICU Class Overview

Distributed Systems (ICE 601) Concurrency Control - Part2 Dongman Lee ICU Class Overview

Distributed Systems (ICE 601) Concurrency Control - Part2 Dongman Lee ICU Class Overview Transactions Why Concurrency Control Concurrency Control Protocols pessimistic optimistic time-based Distributed Systems -

414 views • 8 slides
Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Secure Architecture Principles Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure Information Flow (CACM 1976) Review Access Control Discretionary access control (DAC) Philosophy: users have

321 views • 16 slides
Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken

Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken

Securing Industrial Control Systems An E2E Integrity Verification Approach Sye-Loong Keoh , Ken Wai-Kin Au School of Computing Science University of Glasgow Zhaohui Tang School of Infocomm Republic Polytechnic, Singapore 1 Introduction

576 views • 21 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
CPSC 213 Introduction to Computer Systems Unit 1d Static Control Flow 1 Reading Companion

CPSC 213 Introduction to Computer Systems Unit 1d Static Control Flow 1 Reading Companion

CPSC 213 Introduction to Computer Systems Unit 1d Static Control Flow 1 Reading Companion 2.7.1-2.7.3, 2.7.5-2.7.6 Textbook 3.6.1-3.6.5 2 Control Flow The flow of control is the sequence of instruction executions

541 views • 21 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the presence of certain language features (e.g. indirect calls) it is nontrivial to predict accurately how control may flow at execution time the nave

594 views • 42 slides
CPSC 213 2.7.1-2.7.3, 2.7.5-2.7.6 Textbook 3.6.1-3.6.5 Introduction to Computer

CPSC 213 2.7.1-2.7.3, 2.7.5-2.7.6 Textbook 3.6.1-3.6.5 Introduction to Computer

Reading Companion CPSC 213 2.7.1-2.7.3, 2.7.5-2.7.6 Textbook 3.6.1-3.6.5 Introduction to Computer Systems Unit 1d Static Control Flow 1 2 Control Flow Loops (S5-loop) The flow of control is In Java public class Foo {

514 views • 6 slides
95-702 Distributed Systems Lecture 6: Web Services Chapter 19 of Coulouris 95-702 Distributed

95-702 Distributed Systems Lecture 6: Web Services Chapter 19 of Coulouris 95-702 Distributed

95-702 Distributed Systems Lecture 6: Web Services Chapter 19 of Coulouris 95-702 Distributed Systems 1 Master of Information System Management In A Nutshell From Globus.org (Grid computing) 95-702 Distributed Systems 2 Master of Information

779 views • 51 slides
Securing Software Systems by Preventing Information Leaks Kangjie Lu Georgia Institute of

Securing Software Systems by Preventing Information Leaks Kangjie Lu Georgia Institute of

Securing Software Systems by Preventing Information Leaks Kangjie Lu Georgia Institute of Technology Computer devices are everywhere 2 Foundational software systems 3 Inherent insecurity: Vulnerabilities and insecure designs Implemented in

774 views • 74 slides
Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals & Challenges

Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals & Challenges

5/19/2018 Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals & Challenges scalability and performance apps require more resources than one computer has 13B. Distributed Systems: Communication grow

131 views • 9 slides
Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals & Challenges

Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals & Challenges

5/17/2017 Distributed Systems Goals of Distributed Systems 13A. Distributed Systems: Goals & Challenges scalability and performance apps require more resources than one computer has 13B. Distributed Systems: Communication grow

572 views • 7 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web

Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web

Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web script security: threats and countermeasures A formal model of web scripts Information flow security Secure multi-execution The

2.25k views • 131 slides
CPSC 213 Condition Codes - Loops 3.6.1-3.6.5 Introduction to Computer Systems Unit 1d

CPSC 213 Condition Codes - Loops 3.6.1-3.6.5 Introduction to Computer Systems Unit 1d

Readings for Next 2 Lectures Textbook CPSC 213 Condition Codes - Loops 3.6.1-3.6.5 Introduction to Computer Systems Unit 1d Static Control Flow 1 2 Control Flow Loops (S5-loop) The flow of control is In Java public class

214 views • 6 slides

More recommend