Information flow control for standard OS abstractions

Decentralized Information Flow Control (DIFC) is an approach to security that allows application writers to control how data flows between the pieces of an application and the outside world. As applied to privacy, DIFC allows untrusted software to compute with private data while trusted security code controls the release of that data. As applied to integrity, DIFC allows trusted code to protect untrusted software from unexpected malicious inputs. In either case, only bugs in the trusted code, which tends to be small and isolated, can lead to security violations. We present Flume, a new DIFC model that applies at the granularity of operating system processes and standard OS abstractions (e.g., pipes and file descriptors). Flume was designed for simplicity of mechanism, to ease DIFC's use in existing applications, and to allow safe interaction between conventional and DIFC-aware processes. Flume runs as a user-level reference monitor onLinux. A process confined by Flume cannot perform most system calls directly; instead, an interposition layer replaces system calls with IPCto the reference monitor, which enforces data flowpolicies and performs safe operations on the process's behalf. We ported a complex web application (MoinMoin Wiki) to Flume, changingonly 2% of the original code. Performance measurements show a 43% slowdown on read workloadsand a 34% slowdown on write workloads, which aremostly due to Flume's user-level implementation.

[1]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[2]  Landon P. Cox,et al.  TightLip: Keeping Applications from Spilling the Beans , 2007, NSDI.

[3]  Niels Provos,et al.  Improving Host Security with System Call Policies , 2003, USENIX Security Symposium.

[4]  Andrew C. Myers,et al.  A decentralized model for information flow control , 1997, SOSP.

[5]  Timothy Fraser,et al.  LOMAC: Low Water-Mark integrity protection for COTS environments , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[6]  Boniface Hicks,et al.  From Languages to Systems: Understanding Practical Application Development in Security-typed Languages , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[7]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[8]  Tal Garfinkel,et al.  Ostia: A Delegating Architecture for Secure System Call Interposition , 2004, NDSS.

[9]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[10]  Robert N. M. Watson,et al.  Jails: confining the omnipotent root , 2000 .

[11]  Michael B. Jones,et al.  Interposition agents: transparently interposing user code at the system interface , 1994, SOSP '93.

[12]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[13]  Chris Vance,et al.  The TrustedBSD MAC Framework: Extensible Kernel Access Control for FreeBSD 5.0 , 2003, USENIX Annual Technical Conference, FREENIX Track.

[14]  Samuel T. King,et al.  ReVirt: enabling intrusion analysis through virtual-machine logging and replay , 2002, OPSR.

[15]  Marianne Shaw,et al.  Scale and performance in the Denali isolation kernel , 2002, OSDI '02.

[16]  Micah Z. Brodsky,et al.  Toward Secure Services from Untrusted Developers , 2007 .

[17]  Timothy Fraser,et al.  Hardening COTS software with generic software wrappers , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[18]  Andrew C. Myers,et al.  SIF: Enforcing Confidentiality and Integrity in Web Applications , 2007, USENIX Security Symposium.

[19]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[20]  Derek Bruening,et al.  Secure Execution via Program Shepherding , 2002, USENIX Security Symposium.

[21]  Eddie Kohler,et al.  Events Can Make Sense , 2007, USENIX Annual Technical Conference.

[22]  Crispin Cowan,et al.  Linux security modules: general security support for the linux kernel , 2002, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[23]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.

[24]  D. Sutherland,et al.  The open market. , 1992, Nursing Times.

[25]  James E. Smith,et al.  The architecture of virtual machines , 2005, Computer.

[26]  Steve Vandebogart,et al.  Labels and event processes in the Asbestos operating system , 2005, TOCS.

[27]  James A. Reeds,et al.  Multilevel security in the UNIX tradition , 1992, Softw. Pract. Exp..

[28]  David Lie,et al.  Splitting interfaces: making trust between applications and operating systems configurable , 2006, OSDI '06.

[29]  Wayne Salamon,et al.  Implementing SELinux as a Linux Security Module , 2003 .

[30]  Stephen Smalley,et al.  Integrating Flexible Support for Security Policies into the Linux Operating System , 2001, USENIX Annual Technical Conference, FREENIX Track.

[31]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.