Enforcing Security Policies using Transaconal Memory ...vg/papers/ccs2008/tmi-1hrtalk.pdfTake‐home...

EnforcingSecurityPoliciesusingTransac4onalMemoryIntrospec4on

VinodGanapathyRutgersUniversity

ArnarBirgisson MohanDhawan

UlfarErlingsson LiviuIEode

Take‐homeslide

Vinod Ganapathy Transactional Memory Introspection

We can utilize the mechanisms of!Software Transactional Memory !

to greatly improve !security policy enforcement!

Vinod Ganapathy

Xserverwithmul4pleXclients

REMOTE

LOCAL

Transactional Memory Introspection

Vinod Ganapathy

REMOTE

MaliciousremoteXclient

LOCAL


Vinod Ganapathy

REMOTE

Undesirableinforma4onflow

LOCAL


Vinod Ganapathy

Desirableinforma4onflow

LOCAL

REMOTE


Vinod Ganapathy

X server

Xserverwithauthoriza4on

X client Operation request Response

Authorization policy

Reference monitor

Allowed? YES/NO


Security enforcement crosscuts!application functionality!

Vinod Ganapathy

Outline

•  Enforcingauthoriza4onpolicies•  Problemswithexis4ngtechniques

•  Transac4onalMemoryIntrospec4on

•  Implementa4onandexperiments


Vinod Ganapathy

Exis4ngenforcementinterfacedispatch_request ( ) {

... perform_request ( );

}

perform_request ( ) { ...

perform_access (resource);

...

perform_access’(resource’);

}


Vinod Ganapathy

Exis4ngenforcementinterfacedispatch_request ( ) {

... perform_request ( );

}


if (allowed(principal,resource,access)){ perform_access (resource);

} else { handle_auth_failure1(); }; ... if (allowed(principal,resource’,access’)){ perform_access’(resource’); } else { handle_auth_failure2(); };

}


Vinod Ganapathy

Threeproblems

•  Viola4onofcompletemedia4on•  Time‐of‐checktoTime‐of‐usebugs

•  Handingauthoriza4onfailures


Vinod Ganapathy

I.Incompletemedia4ondispatch_request ( ) {

… perform_request ( );

}


if (allowed(principal,resource,access)){ perform_access (resource);

} else { handle_auth_failure1(); }; ... if (allowed(principal,resource’,access’)){ perform_access’(resource’); } else { handle_auth_failure2(); };

}

Must guard each resource access !to ensure complete mediation!


Vinod Ganapathy

I.Incompletemedia4onssize_t vfs_read (struct file *file, ...) {

... if (check_permission(file, MAY_READ)) { file->f_op->read(file, ...); } ...

}

int page_cache_read (struct file *file, ...) { struct address_space *mapping = file->f_dentry->d_inode->i_mapping; ... mapping->a_ops->readpage(file, ...);

}

[Zhang et al., USENIX Security ‘02]


Vinod Ganapathy

perform_request ( ) { ... if (allowed(principal,resource,access)){ perform_access (resource); } else { handle_auth_failure1() }; ... if (allowed(principal,resource’,access’)){ perform_access’(resource’); } else { handle_auth_failure2() };

}

II.TOCTTOUbugs


Vinod Ganapathy


}

II.TOCTTOUbugs

Similarracecondi4onfoundintheLinuxSecurityModulesframework[Zhangetal.USENIXSecurity’02]

Severalsimilarbugsrecentlyfoundinpopularenforcementtools:[Watson,WOOT’07]

• GSWTK• Systrace[Provos,USENIXSecurity’03]• OpenBSDSysjail[JohnsonandDeksters’07]


Vinod Ganapathy

II.TOCTTOUbugs


}

Authorization check and !resource access must be atomic!


Vinod Ganapathy

III.Failurehandling


}

Handling authorization failures !is ad hoc and error prone!


Vinod Ganapathy

III.Failurehandling

•  Excep4on‐handlingcodeaccountsforalargefrac4onofserversoEware– Overtwo‐thirdsofserversoEware[IBM’87]

– Nearly46%onseveralJavabenchmarks[Weimer&NeculaOOPSLA’04]

•  Excep4on‐handlingcodeitselfiserror‐prone[FetzerandFelber’04]

• SecurityExceptionmostoEenhandlederroneously[Weimer&NeculaOOPSLA’04]


Vinod Ganapathy

Summaryofproblems

•  Viola4onofcompletemedia4on–  Needtoiden4fyalltheresourcesaccessed–  Example:BuginLinuxSecurityModules[Zhangetal.,USENIX

Security‘02]

•  Time‐of‐checktoTime‐of‐usebugs–  Examples:[Zhangetal.,USENIXSecurity‘02][Watson,WOOT‘07]

•  Handingauthoriza4onfailures–  Largefrac4onofservercoderelatestoerrorhandling[IBM

survey,’87,WeimerandNecula,‘04]

–  Error‐handlingcodeiserror‐prone![Fetzer&Felber’04]

Security enforcement crosscuts!application functionality!

Our solution: TMI !Decouples security enforcement from application functionality!


Vinod Ganapathy

Outline


•  Transac4onalMemoryIntrospec4on(TMI)–  Programmer’sinterface– MechanicsofTMI



Vinod Ganapathy

Transac4onalmemoryprimer

•  Alterna4vetolock‐basedprogramming•  Reasonaboutatomicsec4ons,notlocks

•  TMprovidesatomicityandisola4on

acquire(S1.lock) acquire(S2.lock) value = S1.pop() S2.push(value) Release(S2.lock) Release(S1.lock)

transaction { value = S1.pop() S2.push(value) }


Vinod Ganapathy

Programmer’sinterfacetoTMIdispatch_request ( ) {

transaction [ principal ] { ... perform_request ( ); }

}

perform_request ( ) { ... perform_access (resource); ... perform_access’(resource’);

}


Vinod Ganapathy

Programmer’sinterfacetoTMIdispatch_request ( ) {


}


}

Authorization manager: case (resource=R, access_type=A)

if (!allowed(principal, R, A)) then abort_tx allowed(principal, resource, access)?

allowed(principal, resource’, access’)?


Vinod Ganapathy

I.Completemedia4onforfreedispatch_request ( ) {


}


}

TMI automatically invokes!authorization checks!


Vinod Ganapathy

II.TOCTTOU‐freedomforfreedispatch_request ( ) {


}


}

Conflicting resource accesses!automatically abort transaction!


Vinod Ganapathy

III.Error‐handlingforfreedispatch_request ( ) {


}


}

Unauthorized resource accesses!automatically abort transaction!


Vinod Ganapathy

Decouplesfunc4onalityandsecuritydispatch_request ( ) {


}


}

Authorization manager


Vinod Ganapathy

Outline


•  Transac4onalMemoryIntrospec4on(TMI)–  Programmer’sinterface– MechanicsofTMI



Vinod Ganapathy

TMrun4mesystem

•  TheTMrun4memaintainsper‐transac4onread/writesetsanddetectsconflicts

transaction { value = S1.pop() S2.push(value) }

val1 = S1.pop() val2 = S1.pop() S2.push(val2) S2.push(val1)

Transaction Read set Write set Green S1.stkptr S1.stkptr

Red S1.stkptr, S2.stkptr S1.stkptr, S2.stkptr


Vinod Ganapathy

TMrun4mesystem

Transaction body

Execution

Read and Write Sets

Validation

Contention manager

Retry

Commit logic

Commit


Vinod Ganapathy

Transac4onalMemoryIntrospec4on

Transaction body

Execution

Read and Write Sets

Validation

Contention manager

Retry

Commit logic

Commit Authorization

Auth. checks

Auth. Manager

Success

Failure

Abort


Vinod Ganapathy


}

Transac4onalMemoryIntrospec4ondispatch_request ( ) {


}

Present in !read/write set!

Accesses checked!before tx commits!


Vinod Ganapathy

Outline


•  Transac4onalMemoryIntrospec4on



Vinod Ganapathy

TMIImplementa4on:TMI/DSTM2

•  ImplementedusingSun’sDSTM2•  Object‐basedso0wareTMsystem

•  TMsystemmodifiedto–  Triggerauthoriza4onchecksonaddi4onstoread/writesetandupontransac4onvalida4on

–  RaiseAccessDeniedExceptionuponabort–  Integratetransac4onalI/Olibraries

•  Fewerthan500lineschangedinDSTM2


Vinod Ganapathy

Por4ngsoEwaretoTMI/DSTM2

1.  Marktransac4onalobjectswith@atomic –  Alsorequire@atomicwrappersforlibraries:

java.util.HashMap,java.util.Vector

2.  Readsandwritestofieldsof@atomicobjectsreplacedwithDSTM2accessors

3.  Placetransaction{…}blocksaroundclientrequests

4.  Writeanauthoriza4onmanager


Vinod Ganapathy

GradeSheetinTMI/DSTM2


Vinod Ganapathy

Evalua4on

•  PortedfourJava‐basedservers•  GradeSheet:Agrade‐managementserver

•  FreeCS:Achatserver• WeirdX:AnXwindowmanagementserver

–  EnforcedasimpleXACMLbasedpolicy

•  Tar:Atararchiveservice–  EnforcedJavastackinspec4onpolicy


Vinod Ganapathy

Modifica4onsneeded

Server LOC Lines modified Transactions GradeSheet 900 300 1

Tarservice 5,000 <50 1

FreeCS 22,000 860 47

WeirdX 27,000 4,800 108

Authoriza4onmanagerswereapproximately200linesofcodeineachcase


Vinod Ganapathy


}

Whentoenforcepolicy?dispatch_request ( ) {


}

allowed(principal, resource, access)?


Eager


Vinod Ganapathy


}



} allowed(principal, resource, access)?


Lazy


Vinod Ganapathy


}



}

allowed(principal, resource, access)?


Parallel


Vinod Ganapathy

PerformanceoverheadsofTMI

10x

-15.8%


Vinod Ganapathy

PerformanceoverheadsofSTM•  SoEwaretransac4onalmemoryimposesasignificantoverhead

Server Native TMI-ported Overhead GradeSheet 395µs 451µs 14.7% Tar service 4.96s 15.40s 2.1x

FreeCS 321µs 3907µs 11.2x WeirdX 0.23ms 6.40ms 26.8x

Hardware TMs reduce runtime !overheads of TM runtime systems!


Take‐homemessage

Vinod Ganapathy Transactional Memory Introspection

We can utilize the mechanisms of!Software Transactional Memory !

to greatly improve !security policy enforcement!

VinodGanapathyRutgersUniversity

[email protected] http://www.cs.rutgers.edu/~vinodg

Thank you!!Reference:

Enforcing Authorization Policies using Transactional Memory Introspection

Proc. ACM CCS, October 2008

Enforcing Security Policies using Transaconal Memory ...vg/papers/ccs2008/tmi-1hrtalk.pdfTake‐home...

Documents

Transcript of Enforcing Security Policies using Transaconal Memory ...vg/papers/ccs2008/tmi-1hrtalk.pdfTake‐home...