New approaches to operating system security extensibility

This dissertation proposes new approaches to commodity computer operating system (OS) access control extensibility that address historic problems with concurrency and technology transfer. Access control extensibility addresses a lack of consensus on operating system policy model at a time when security requirements are in flux: OS vendors, anti-virus companies, firewall manufacturers, smart phone developers, and application writers require new tools to express policies tailored to their needs. By proposing principled approaches to access control extensibility, this work allows OS security to be "designed in" yet remain flexible in the face of diverse and changing requirements.

I begin by analysing system call interposition, a popular extension technology used in security research and products, and reveal fundamental and readily exploited concurrency vulnerabilities. Motivated by these failures, I propose two security extension models: the TrustedBSD Mandatory Access Control (MAC) Framework, a flexible kernel access control extension framework for the FreeBSD kernel, and Capsicum, practical capabilities for UNIX. The MAC Framework, a research project I began before starting my PhD, allows policy modules to dynamically extend the kernel access control policy. The framework allows policies to integrate tightly with kernel synchronisation, avoiding race conditions inherent to system call interposition, as well as offering reduced development and technology transfer costs for new security policies. Over two chapters, I explore the framework itself, and its transfer to and use in several products: the open source FreeBSD operating system, nCircle's enforcement appliances, and Apple's Mac OS X and iOS operating systems.

Capsicum is a new application-centric capability security model extending POSIX. Capsicum targets application writers rather than system designers, reflecting a trend towards security-aware applications such as Google's Chromium web browser, that map distributed security policies into often inadequate local primitives. I compare Capsicum with other sandboxing techniques, demonstrating improved performance, programmability, and security. This dissertation makes original contributions to challenging research problems in security and operating system design. Portions of this research have already had a significant impact on industry practice.

Acknowledgements

Writing this dissertation would not have been possible without the support and encouragement of my family (especially my parents), friends, mentors, and colleagues, to whom I offer my sincerest thanks and appreciation. Ross Anderson, my supervisor, deserves a special note of thanks: he has been supportive throughout my less than typical path through Cambridge's PhD programme, giving me space to pursue a variety of interests, many related to my PhD …
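The abstract contrasts the race conditions inherent to system call interposition with checks that run on the kernel's own copy of a system call argument under kernel synchronisation. The following added example (constructed for this page, not code from the dissertation or from FreeBSD) is a deterministic model of that difference: a wrapper that copies a path argument from user memory to check it, while the real system call copies the argument a second time, versus a single copy that is both checked and used. The user buffer, the racing thread hook and the paths are all constructed.

```python
"""Deterministic model of the double-copy race in system call wrappers
(time of check vs. time of use) beside a single-copy check, as made by an
in-kernel access control hook. Constructed illustration only."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

ALLOWED_PREFIX = "/home/alice/"  # constructed policy: confine to a home dir


@dataclass
class UserMemory:
    """Simulated user-space buffer holding a syscall path argument.
    `on_read` stands in for a concurrent thread of the same process that may
    rewrite the buffer between two kernel copies of it; calling it after each
    read makes the interleaving explicit and repeatable."""
    path: str
    on_read: Optional[Callable[["UserMemory"], None]] = None
    reads: int = 0

    def read(self) -> str:
        self.reads += 1
        value = self.path
        if self.on_read:
            self.on_read(self)  # model the racing thread running here
        return value


def wrapper_open(mem: UserMemory) -> Tuple[bool, Optional[str]]:
    """Interposition: the wrapper copies and checks the argument, then the
    real system call copies it again; the kernel acts on the second copy."""
    checked = mem.read()
    if not checked.startswith(ALLOWED_PREFIX):
        return (False, None)
    actual = mem.read()  # second copyin may no longer equal `checked`
    return (True, actual)


def framework_open(mem: UserMemory) -> Tuple[bool, Optional[str]]:
    """In-kernel hook model: one copy, checked and used under the same
    synchronisation, so the checked value is the value acted on."""
    path = mem.read()
    if not path.startswith(ALLOWED_PREFIX):
        return (False, None)
    return (True, path)


def swap_after_first_read(mem: UserMemory) -> None:
    """Constructed racing thread: rewrite the buffer once it has been read."""
    if mem.reads == 1:
        mem.path = "/etc/secret"  # constructed target outside the policy
```

With the racing hook installed, `wrapper_open` admits a path the check never saw, while `framework_open` returns exactly the value it checked.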
