Transcript of: Enforcing Security Policies using Transactional Memory Introspection (slides: ...vg/papers/ccs2008/tmi-1hrtalk.pdf)
Enforcing Security Policies using Transactional Memory Introspection
Vinod Ganapathy, Rutgers University
Arnar Birgisson, Mohan Dhawan, Ulfar Erlingsson, Liviu Iftode

Take-home slide
Vinod Ganapathy, Transactional Memory Introspection
We can utilize the mechanisms of Software Transactional Memory to greatly improve security policy enforcement.
X server with multiple X clients (figure: REMOTE and LOCAL clients connected to the X server)
Malicious remote X client (figure: REMOTE, LOCAL)
Undesirable information flow (figure: REMOTE, LOCAL)
Desirable information flow (figure: LOCAL, REMOTE)
X server with authorization
  X client -> X server: operation request / response
  Reference monitor consults the authorization policy: Allowed? YES/NO
Security enforcement crosscuts application functionality.
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection
• Implementation and experiments
Existing enforcement interface
  dispatch_request() {
    ...
    perform_request();
  }

  perform_request() {
    ...
    perform_access(resource);
    ...
    perform_access'(resource');
  }

Existing enforcement interface (with authorization checks added)
  dispatch_request() {
    ...
    perform_request();
  }

  perform_request() {
    ...
    if (allowed(principal, resource, access)) {
      perform_access(resource);
    } else { handle_auth_failure1(); }
    ...
    if (allowed(principal, resource', access')) {
      perform_access'(resource');
    } else { handle_auth_failure2(); }
  }
Three problems
• Violation of complete mediation
• Time-of-check to time-of-use bugs
• Handling authorization failures
I. Incomplete mediation
  (the perform_request() code above: an allowed() check guards each perform_access())
Must guard each resource access to ensure complete mediation.
I. Incomplete mediation: example from the Linux kernel
  ssize_t vfs_read(struct file *file, ...) {
    ...
    if (check_permission(file, MAY_READ)) {
      file->f_op->read(file, ...);
    }
    ...
  }

  int page_cache_read(struct file *file, ...) {
    struct address_space *mapping = file->f_dentry->d_inode->i_mapping;
    ...
    mapping->a_ops->readpage(file, ...);   /* reaches the file with no permission check */
  }
[Zhang et al., USENIX Security '02]
II. TOCTTOU bugs
  (the same perform_request() code: an allowed() check followed, non-atomically, by perform_access())
Similar race condition found in the Linux Security Modules framework [Zhang et al., USENIX Security '02]
Several similar bugs recently found in popular enforcement tools [Watson, WOOT '07]:
• GSWTK
• Systrace [Provos, USENIX Security '03]
• OpenBSD Sysjail [Johnson and Deksters '07]
Authorization check and resource access must be atomic.
III. Failure handling
  (the same perform_request() code: handle_auth_failure1() and handle_auth_failure2() on the else branches)
Handling authorization failures is ad hoc and error prone.
• Exception-handling code accounts for a large fraction of server software
  – Over two-thirds of server software [IBM '87]
  – Nearly 46% on several Java benchmarks [Weimer & Necula, OOPSLA '04]
• Exception-handling code itself is error-prone [Fetzer and Felber '04]
• SecurityException most often handled erroneously [Weimer & Necula, OOPSLA '04]
Summary of problems
• Violation of complete mediation
  – Need to identify all the resources accessed
  – Example: bug in Linux Security Modules [Zhang et al., USENIX Security '02]
• Time-of-check to time-of-use bugs
  – Examples: [Zhang et al., USENIX Security '02], [Watson, WOOT '07]
• Handling authorization failures
  – Large fraction of server code relates to error handling [IBM survey '87; Weimer and Necula '04]
  – Error-handling code is error-prone! [Fetzer & Felber '04]
Security enforcement crosscuts application functionality.
Our solution: TMI decouples security enforcement from application functionality.
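The three problems summarized above, made observable in a small constructed Python example. This is added here and is not code from the slides or the paper; the policy table, the GradeSheet-like resource names, and the `between` hook (which stands in for whatever else runs between the check and the access) are assumptions made for the illustration.

```python
"""Check-then-act enforcement as on the slides, with its failure modes made
observable. Constructed example; POLICY, GRADES and the `between` hook are
assumptions, not anything from the paper."""

# Constructed policy: principal -> resources it may read.
POLICY = {"alice": {"grades[alice]"}, "instructor": {"grades[alice]", "grades[bob]"}}
GRADES = {"grades[alice]": "A", "grades[bob]": "B"}


def allowed(principal, resource, access):
    return access == "read" and resource in POLICY.get(principal, set())


def perform_access(resource):
    return GRADES[resource]


def perform_request(principal, resource, between=lambda: None):
    """Guarded path: the slides' if (allowed(...)) { perform_access(...) }.
    `between` is a hypothetical hook for whatever runs between check and use
    (another thread, a callback, a policy reload)."""
    if allowed(principal, resource, "read"):
        between()                       # time-of-check / time-of-use window
        return perform_access(resource)
    raise PermissionError(f"{principal} may not read {resource}")   # ad hoc failure handling


def perform_request_via_cache(principal, resource):
    """Incomplete mediation: a second path to the same resource with no check,
    like page_cache_read() reaching the file without vfs_read()'s permission check."""
    return perform_access(resource)


def is_denied(principal, resource):
    """True if the guarded path refuses the request."""
    try:
        perform_request(principal, resource)
        return False
    except PermissionError:
        return True


def toctou_demo():
    """Revoke alice's right after the check but before the use: the guarded
    path still returns the grade, because check and access are not atomic."""
    def revoke():
        POLICY["alice"].discard("grades[alice]")
    try:
        return perform_request("alice", "grades[alice]", between=revoke)
    finally:
        POLICY["alice"].add("grades[alice]")   # restore so later calls see the original policy
```

The guarded path behaves correctly when nothing intervenes; the two other functions show why the slides call for complete mediation and for making check and access atomic: a code path the programmer forgot to guard is simply unmediated, and a policy change inside the window is not seen by the access that follows the check.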
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection (TMI)
  – Programmer's interface
  – Mechanics of TMI
• Implementation and experiments
Transactional memory primer
• Alternative to lock-based programming
• Reason about atomic sections, not locks
• TM provides atomicity and isolation

  Lock-based:
    acquire(S1.lock)
    acquire(S2.lock)
    value = S1.pop()
    S2.push(value)
    release(S2.lock)
    release(S1.lock)

  Transactional:
    transaction {
      value = S1.pop()
      S2.push(value)
    }
Programmer's interface to TMI
  dispatch_request() {
    transaction [principal] {
      ...
      perform_request();
    }
  }

  perform_request() {
    ...
    perform_access(resource);
    ...
    perform_access'(resource');
  }

Authorization manager:
  case (resource = R, access_type = A):
    if (!allowed(principal, R, A)) then abort_tx
  Checks raised by the accesses above: allowed(principal, resource, access)? allowed(principal, resource', access')?
I. Complete mediation for free
  (the TMI code above: transaction [principal] { perform_request(); } with no explicit checks in perform_request())
  TMI automatically invokes authorization checks.

II. TOCTTOU-freedom for free
  Conflicting resource accesses automatically abort the transaction.

III. Error-handling for free
  Unauthorized resource accesses automatically abort the transaction.

Decouples functionality and security
  Application code: dispatch_request() and perform_request() as above, unchanged.
  Security code: the authorization manager.
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection (TMI)
  – Programmer's interface
  – Mechanics of TMI
• Implementation and experiments
TM runtime system
• The TM runtime maintains per-transaction read/write sets and detects conflicts

  transaction {
    value = S1.pop()
    S2.push(value)
  }

  val1 = S1.pop()
  val2 = S1.pop()
  S2.push(val2)
  S2.push(val1)

  Transaction | Read set             | Write set
  Green       | S1.stkptr            | S1.stkptr
  Red         | S1.stkptr, S2.stkptr | S1.stkptr, S2.stkptr
TM runtime system (diagram)
  Transaction body -> Execution -> Read and write sets -> Validation -> Commit logic -> Commit
  Validation failure -> Contention manager -> Retry
Transactional Memory Introspection (diagram)
  Transaction body -> Execution -> Read and write sets -> Validation -> Authorization (Auth. checks by the Auth. Manager)
  Authorization success -> Commit logic -> Commit
  Authorization failure -> Abort
  Validation failure -> Contention manager -> Retry

Transactional Memory Introspection
  dispatch_request() {
    transaction [principal] {
      ...
      perform_request();
    }
  }

  perform_request() {
    ...
    perform_access(resource);      // resource present in the read/write set
    ...
    perform_access'(resource');    // resource' present in the read/write set
  }
  Accesses checked before the transaction commits.
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection
• Implementation and experiments
TMI implementation: TMI/DSTM2
• Implemented using Sun's DSTM2
• Object-based software TM system
• TM system modified to
  – Trigger authorization checks on additions to the read/write set and upon transaction validation
  – Raise AccessDeniedException upon abort
  – Integrate transactional I/O libraries
• Fewer than 500 lines changed in DSTM2
Porting software to TMI/DSTM2
1. Mark transactional objects with @atomic
   – Also require @atomic wrappers for libraries: java.util.HashMap, java.util.Vector
2. Reads and writes to fields of @atomic objects replaced with DSTM2 accessors
3. Place transaction {...} blocks around client requests
4. Write an authorization manager
GradeSheet in TMI/DSTM2 (code slide)
Evaluation
• Ported four Java-based servers
• GradeSheet: a grade-management server
• FreeCS: a chat server
• WeirdX: an X window management server
  – Enforced a simple XACML-based policy
• Tar: a tar archive service
  – Enforced Java stack-inspection policy
Modifications needed
  Server      | LOC    | Lines modified | Transactions
  GradeSheet  | 900    | 300            | 1
  Tar service | 5,000  | <50            | 1
  FreeCS      | 22,000 | 860            | 47
  WeirdX      | 27,000 | 4,800          | 108
Authorization managers were approximately 200 lines of code in each case.
When to enforce policy?
  dispatch_request() {
    transaction [principal] {
      ...
      perform_request();
    }
  }

  perform_request() {
    ...
    perform_access(resource);
    ...
    perform_access'(resource');
  }

  Checks: allowed(principal, resource, access)? allowed(principal, resource', access')?
  Eager: each check runs when the access adds the resource to the read/write set.
  Lazy: the checks run together at transaction validation, before commit.
  Parallel: the checks run concurrently with the transaction body.
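The TM primer, the read/write-set bookkeeping of the TM runtime, the introspection step before commit, and the eager versus lazy placement of checks, all in one constructed Python example. This is added here and is not DSTM2 or the authors' TMI code; the class and function names (`TxObject`, `Transaction`, `transaction()`, `auth_manager`), the version-counter validation scheme, and the GradeSheet-like policy table are assumptions made for the illustration.

```python
"""Toy software TM runtime with TMI hooks. Constructed example; not DSTM2 and not
the authors' TMI. Names, the version-based validation and POLICY are assumptions."""

class AccessDeniedException(Exception):
    """Raised when the authorization manager rejects an access; aborts the tx."""

class ConflictAbort(Exception):
    """Raised by validation when an object we read was committed by another tx."""

class TxObject:
    """Transactional object: current value plus a version bumped on every commit."""
    def __init__(self, name, value):
        self.name, self.value, self.version = name, value, 0

class Transaction:
    """Records read/write sets; mode 'eager' checks on each access, 'lazy' at commit."""
    def __init__(self, principal, auth, mode):
        self.principal, self.auth, self.mode = principal, auth, mode
        self.read_set = {}   # TxObject -> version observed at first read
        self.write_set = {}  # TxObject -> buffered value, applied only at commit

    def _check(self, obj, access):
        if not self.auth(self.principal, obj.name, access):
            raise AccessDeniedException(f"{self.principal}: {access} {obj.name}")

    def read(self, obj):
        if obj in self.write_set:            # read-your-own-writes
            return self.write_set[obj]
        self.read_set.setdefault(obj, obj.version)
        if self.mode == "eager":
            self._check(obj, "read")
        return obj.value

    def write(self, obj, value):
        self.write_set[obj] = value
        if self.mode == "eager":
            self._check(obj, "write")

    def commit(self):
        # Validation: abort (the runtime retries) if anything we read has changed.
        for obj, seen in self.read_set.items():
            if obj.version != seen:
                raise ConflictAbort(obj.name)
        # TMI introspection: every resource in the read/write sets is checked
        # against the policy before any buffered write becomes visible.
        for obj in self.read_set:
            self._check(obj, "read")
        for obj in self.write_set:
            self._check(obj, "write")
        for obj, value in self.write_set.items():
            obj.value, obj.version = value, obj.version + 1

def transaction(principal, auth, body, mode="lazy", retries=3):
    """transaction [principal] { body }: retry on conflict, propagate auth failures."""
    for _ in range(retries):
        tx = Transaction(principal, auth, mode)
        try:
            result = body(tx)
            tx.commit()
            return result
        except ConflictAbort:
            continue                         # contention manager: run the body again
    raise RuntimeError("too many conflicts")

# Constructed GradeSheet-like resources and a table-driven authorization manager.
alice, bob = TxObject("grades[alice]", "A"), TxObject("grades[bob]", "B")
POLICY = {("alice", "grades[alice]", "read"),
          ("instructor", "grades[alice]", "read"), ("instructor", "grades[alice]", "write"),
          ("instructor", "grades[bob]", "read"), ("instructor", "grades[bob]", "write")}

def auth_manager(principal, resource, access):
    return (principal, resource, access) in POLICY

def perform_request(tx):
    """Application code with no explicit checks: reads both grades."""
    return tx.read(alice), tx.read(bob)

def curve_grades(tx):
    """Instructor request that writes both grades and reads them back."""
    tx.write(alice, "A+")
    tx.write(bob, "B+")
    return tx.read(alice), tx.read(bob)

def demo(principal, mode):
    """Run perform_request as `principal`; return the result or the denial message."""
    try:
        return transaction(principal, auth_manager, perform_request, mode)
    except AccessDeniedException as e:
        return f"denied: {e}"

def demo_toctou():
    """An instructor commit to grades[alice] between alice's read and her commit
    invalidates her read set; the runtime retries and she sees the new grade."""
    reads = []
    def body(tx):
        reads.append(tx.read(alice))
        if len(reads) == 1:                  # interleave a conflicting committed tx
            other = Transaction("instructor", auth_manager, "lazy")
            other.write(alice, "A-")
            other.commit()
        return reads[-1]
    return transaction("alice", auth_manager, body), len(reads)
```

`perform_request` contains no authorization code at all, yet a student reading another student's grade is denied in both modes: eagerly at the offending `read`, lazily when the commit step walks the read set. The denial surfaces as a single exception at the transaction boundary, and because writes are buffered until commit an aborted request leaves no partial state behind. `demo_toctou` shows the validation half: a conflicting commit between read and commit aborts the first attempt, and the contention manager reruns the body, so the check and the access the body performs always refer to the same consistent snapshot.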
Performance overheads of TMI
  (chart; marks visible: 10x, -15.8%)
Performance overheads of STM
• Software transactional memory imposes a significant overhead

  Server      | Native | TMI-ported | Overhead
  GradeSheet  | 395µs  | 451µs      | 14.7%
  Tar service | 4.96s  | 15.40s     | 2.1x
  FreeCS      | 321µs  | 3907µs     | 11.2x
  WeirdX      | 0.23ms | 6.40ms     | 26.8x

Hardware TMs reduce runtime overheads of TM runtime systems.
Take-home message
We can utilize the mechanisms of Software Transactional Memory to greatly improve security policy enforcement.

Vinod Ganapathy, Rutgers University
[email protected]  http://www.cs.rutgers.edu/~vinodg

Thank you!
Reference: Enforcing Authorization Policies using Transactional Memory Introspection, Proc. ACM CCS, October 2008