Labels and event processes in the Asbestos operating system

Asbestos, a new prototype operating system, provides novel labeling and isolation mechanisms that help contain the effects of exploitable software flaws. Applications can express a wide range of policies with Asbestos's kernel-enforced label mechanism, including controls on inter-process communication and system-wide information flow. A new event process abstraction provides lightweight, isolated contexts within a single process, allowing the same process to act on behalf of multiple users while preventing it from leaking any single user's data to any other user. A Web server that uses Asbestos labels to isolate user data requires about 1.5 memory pages per user, demonstrating that additional security can come at an acceptable cost.
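The isolation the abstract describes, as an added example that is not code from the paper or the Asbestos project: a two-level lattice of per-user taint, a kernel check on every send, and per-user event-process contexts inside one server process, so a flawed handler that has read one user's data cannot push it to another user's socket. The label format, levels, class and function names are simplified assumptions for illustration, not Asbestos's own.

```python
from dataclasses import dataclass, field

# Constructed, simplified model: a label maps a user's handle to a taint
# level, 0 = untainted, 1 = tainted by that user's data; absent handles are 0.
# Asbestos's real label levels and kernel calls are not reproduced here.
Label = dict

def join(a: Label, b: Label) -> Label:
    """Least upper bound: tainted by everything either input is tainted by."""
    out = dict(a)
    for handle, level in b.items():
        out[handle] = max(out.get(handle, 0), level)
    return out

def flows_to(src: Label, clearance: Label) -> bool:
    """Kernel check: every taint carried by src must be allowed by clearance."""
    return all(level <= clearance.get(handle, 0) for handle, level in src.items())

@dataclass
class EventProcess:
    """Isolated context inside one server process, carrying its own label."""
    name: str
    label: Label = field(default_factory=dict)

    def receive(self, msg_label: Label) -> None:
        # Reading tainted data taints this context only, not its siblings.
        self.label = join(self.label, msg_label)

@dataclass
class Kernel:
    """Mediates every send; the sender cannot bypass or lower its own label."""
    denied: list = field(default_factory=list)

    def send(self, sender: EventProcess, dst: str, clearance: Label) -> bool:
        if flows_to(sender.label, clearance):
            return True
        self.denied.append((sender.name, dst))
        return False

def demo():
    """One server, one event process per user; a buggy handler tries to leak."""
    kernel = Kernel()
    server = {user: EventProcess(f"ep-{user}") for user in ("alice", "bob")}
    server["alice"].receive({"alice": 1})  # alice's record is read in her context
    to_alice = kernel.send(server["alice"], "sock-alice", {"alice": 1})
    leak = kernel.send(server["alice"], "sock-bob", {"bob": 1})  # flaw: wrong socket
    bob_reply = kernel.send(server["bob"], "sock-bob", {"bob": 1})  # bob's context is clean
    return to_alice, leak, bob_reply, kernel.denied
```

Per-context labels are what let the same process serve both users: only the context that touched alice's data is tainted, so bob's context keeps replying to bob while the kernel refuses the cross-user send.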
