Toward Automated Information-Flow Integrity Verification for Security-Critical Applications

We provide a largely automated system for verifying ClarkWilson interprocess information-flow integrity. Information-flow integrity properties are essential to isolate trusted processes from untrusted ones, but system misconfiguration can easily create insecure dependences. For example, an untrusted user process may be able to write to sshd config via a cron script. A useful notion of integrity is the Clark-Wilson integrity model [7], which allows trusted processes to accept necessary untrusted inputs (e.g., network data or print jobs) via filtering interfaces that sanitize the data. However, Clark-Wilson has the requirement that programs undergo formal semantic verification; in practice, this kind of burden has meant that no information-flow integrity property is verified on most widely-used systems. We define a weaker version of Clark-Wilson integrity, called CW-Lite, which has the same interprocess information-flow guarantees, but which requires less filtering, only small changes to existing applications, and which we can check using automated tools. We modify the SELinux user library and kernel module in order to support CW-Lite integrity verification and develop new software tools to aid developers in finding and enabling filtering interfaces. Using our toolset, we found and fixed several integrity-violating configuration errors in the default SELinux policies for OpenSSH and vsftpd.

[1]  Axel Schairer,et al.  Verification of a Formal Security Model for Multiapplicative Smart Cards , 2000, ESORICS.

[2]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[3]  Douglas Kilpatrick,et al.  Privman: A Library for Partitioning Applications , 2003, USENIX Annual Technical Conference, FREENIX Track.

[4]  Peng Li,et al.  Downgrading policies and relaxed noninterference , 2005, POPL '05.

[5]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[6]  Sean W. Smith,et al.  Building the IBM 4758 Secure Coprocessor , 2001, Computer.

[7]  Crispin Cowan,et al.  Linux security modules: general security support for the linux kernel , 2002, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[8]  D. E. Bell,et al.  Secure Computer Systems : Mathematical Foundations , 2022 .

[9]  David Evans,et al.  Improving Security Using Extensible Lightweight Static Analysis , 2002, IEEE Softw..

[10]  EvansDavid,et al.  Improving Security Using Extensible Lightweight Static Analysis , 2002 .

[11]  David D. Clark,et al.  A Comparison of Commercial and Military Computer Security Policies , 1987, 1987 IEEE Symposium on Security and Privacy.

[12]  David Brumley,et al.  Privtrans: Automatically Partitioning Programs for Privilege Separation , 2004, USENIX Security Symposium.

[13]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[14]  Tal Garfinkel,et al.  Understanding data lifetime via whole system simulation , 2004 .

[15]  Peter M. Broadwell,et al.  Scrash: A System for Generating Secure Crash Information , 2003, USENIX Security Symposium.

[16]  Joshua D. Guttman,et al.  Information Flow in Operating Systems: Eager Formal Methods , 2003 .

[17]  Trent Jaeger,et al.  Resolving constraint conflicts , 2004, SACMAT '04.

[18]  Trent Jaeger,et al.  Analyzing Integrity Protection in the SELinux Example Policy , 2003, USENIX Security Symposium.

[19]  Trent Jaeger,et al.  Using CQUAL for Static Analysis of Authorization Hook Placement , 2002, USENIX Security Symposium.

[20]  Andrew C. Myers,et al.  Complete, safe information flow with decentralized labels , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[21]  Butler W. Lampson,et al.  A Trusted Open Platform , 2003, Computer.

[22]  Trent Jaeger,et al.  Policy management using access control spaces , 2003, TSEC.

[23]  Timothy Fraser,et al.  LOMAC: Low Water-Mark integrity protection for COTS environments , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[24]  Sean W. Smith Outbound authentication for programmable secure coprocessors , 2004, International Journal of Information Security.