Operating System Security: Building Secure Distributed Systems

Trent Jaeger, Systems and Internet Infrastructure Security (SIIS) Lab, Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University Park PA. October 16, 2007. Transcript of the slides (10 pages).

Page 1: Operating System Security: Building Secure Distributed …nsrc.cse.psu.edu/slides/id07/NSRC_ID07_talk_jaeger.pdf · Systems and Internet Infrastructure Security (SIIS) Laboratory

Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

Systems and Internet Infrastructure Security

Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University Park PA

Operating System Security: Building Secure Distributed Systems

Trent Jaeger, Systems and Internet Infrastructure Security (SIIS) Lab

Pennsylvania State University

October 16, 2007

Page 2

Trent Jaeger – Past Projects/Results

• Linux Security Modules (source code analysis)

‣ Verify Complete Mediation of the Reference Monitor Interface

‣ Found and fixed six bugs [USENIX Sec 2002][ACM CCS 2002][ACM TISSEC 2004]

• SELinux Policy Analysis (policy analysis)

‣ Identify Low Integrity Flows to High Integrity Subjects

‣ Prove Integrity Protection of Apache, SSH, vsftp, and Linux TCB services [USENIX Sec 2003][ACM TISSEC 2003][NDSS 2006]

• Labeled IPsec (Linux kernel mechanism)

‣ Integration of IPsec and SELinux for Mandatory Network Control

‣ Accepted into mainline Linux kernel in 2.6.16 [SecureComm 2006]; applied to distributed systems access enforcement [ACSAC 2006]

• Lessons Learned

‣ Comprehensive Mandatory Access Control for Linux

‣ But Comprehensive MAC policies are complex

‣ And MAC is expanding to distributed systems

• Can We Provide Practical Integrity in Distributed Systems?

Page 3

Shared Reference Monitor (Shamon)

[Figure: two TPM-equipped hosts, each running a Virtual Machine Monitor with virtual machines labelled Appl (Jif), Appl and Bad; the Shared Reference Monitor spans both hosts]

Use virtual machines and remote attestation as basis for a distributed systems security architecture

Sponsored by NSF (Cyber Trust) and IBM Research

Page 4

Shamon Motivation

• Reference Monitor Goals

‣ Can be extended to distributed systems

• Tamperproofing: Remote Attestation

‣ Hardware-based integrity measurement

‣ Prove integrity to remote parties [USENIX Sec 2004][ACM CCS 2004]

• Complete Mediation: Virtual Machine Systems

‣ Coarse-grained Mandatory Access Control (Xen sHype)

‣ Simplify MAC policies [ACSAC 2005] [ACSAC 2006]

• Comprehensive Verification: Information Flow Aware Software Development

‣ Generate secure code [IEEE S&P 2006][ICSE 2007][sub to ICSE 2008]

‣ Verified MAC Policies [ACM TISSEC 2003][USENIX Sec 2003]

• Meet these requirements!
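The tamperproofing bullet above rests on hardware-based integrity measurement: each component is hashed before it runs, the hash is folded into a TPM platform configuration register (PCR) with the one-way extend operation, and a remote party later checks a signed PCR value against a measurement log. The following is an added example, not code from the talk or from the Shamon, IMA or sHype projects. It assumes SHA-256 PCRs (the TPM 1.2 hardware of 2007 used 20-byte SHA-1 PCRs), stands in for the TPM's signed quote with an HMAC under a pre-shared key, and uses constructed component images and known-good values; function names are the example's own.

```python
import hashlib
import hmac
import os

PCR_LEN = 32  # assumption: SHA-256-sized PCR; TPM 1.2 used 20-byte SHA-1 PCRs


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || measurement). One-way and order-preserving,
    so an already-loaded component cannot be hidden by a later measurement."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(blob: bytes) -> bytes:
    """Measurement of a component image before it is allowed to run."""
    return hashlib.sha256(blob).digest()


def boot_and_measure(components):
    """Prover side (the measured host): measure every component in load order,
    extend the PCR, and keep the per-component log the verifier will replay."""
    pcr = bytes(PCR_LEN)  # PCRs start at zero on reset
    log = []
    for name, blob in components:
        m = measure(blob)
        log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr, log


def quote(pcr: bytes, nonce: bytes, key: bytes) -> bytes:
    """Stand-in for the TPM quote: binds the PCR to the verifier's nonce so an old
    quote cannot be replayed. A real TPM signs with an attestation key it never
    releases; an HMAC under a pre-shared key is assumed here for the example."""
    return hmac.new(key, nonce + pcr, hashlib.sha256).digest()


def verify_attestation(reported_pcr, log, quote_value, nonce, key, known_good):
    """Verifier side (the remote party). Three checks, in order:
    1. the quote is authentic and fresh for the nonce this verifier chose;
    2. replaying the log reproduces the quoted PCR (log is complete and unaltered);
    3. every logged component is a known-good image (the integrity policy)."""
    if not hmac.compare_digest(quote(reported_pcr, nonce, key), quote_value):
        return False, "quote does not verify for this nonce"
    replay = bytes(PCR_LEN)
    for _, mhex in log:
        replay = extend(replay, bytes.fromhex(mhex))
    if not hmac.compare_digest(replay, reported_pcr):
        return False, "measurement log does not replay to reported PCR"
    for name, mhex in log:
        if known_good.get(name) != mhex:
            return False, f"unknown or modified component: {name}"
    return True, "ok"


# Constructed component images standing in for bootloader, kernel, VMM and MAC policy.
TRUSTED = [
    ("bootloader", b"bootloader v1"),
    ("kernel", b"kernel 2.6.16 with LSM"),
    ("vmm", b"xen with shype"),
    ("mac_policy", b"coalition policy v7"),
]
KNOWN_GOOD = {name: measure(blob).hex() for name, blob in TRUSTED}
KEY = b"constructed-attestation-key"  # assumption: pre-shared, see quote()


def attest_and_verify(components, drop_last_log_entry=False):
    """Run one attestation round; optionally simulate an incomplete log to show check 2 firing."""
    nonce = os.urandom(16)  # the verifier picks the nonce
    pcr, log = boot_and_measure(components)
    q = quote(pcr, nonce, KEY)
    if drop_last_log_entry:
        log = log[:-1]
    return verify_attestation(pcr, log, q, nonce, KEY, KNOWN_GOOD)


if __name__ == "__main__":
    print(attest_and_verify(TRUSTED))
    modified = TRUSTED[:1] + [("kernel", b"kernel 2.6.16 patched")] + TRUSTED[2:]
    print(attest_and_verify(modified))
    print(attest_and_verify(TRUSTED, drop_last_log_entry=True))
```

The order of the three checks matters: replaying the log first would let a verifier spend effort on a log that no hardware ever vouched for, and comparing components before the replay would let a log that omits an entry pass if the remaining entries happen to be known-good.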

Page 5

Shamon Systems

• Coalitions

• Properties

‣ Compatible Security Policies

‣ Attested Enforcement

‣ Isolated Workloads

‣ Secure Communication

• Promises to reduce the security-related complexity for distributed applications

[Figure: four systems (System 1 to System 4), each labelled Alice, joined in a coalition across an untrusted network]

Page 6

Shamon Core

• Goal: Verifiable MAC Enforcement Core [ACSAC 2007]

‣ High integrity software and data

‣ System protects itself from runtime or boot vulnerabilities

• Basis for Verification

‣ Root-of-Trust-Installer (ROTI)

Page 7

System Policy Compliance

• Goal: Ensure that systems can verify an application's MAC enforcement [USENIX Tech 2007] [SACMAT 2007]

‣ Lots of applications that are trusted (over 30 in SELinux)

‣ Security-typed languages enable verification of enforcement

• Applied to real applications

‣ System services: logrotate

‣ Client programs: Email client and web browser

• DTO/IARPA Funded project

[Figure: Shamon Compliance Checker, taking the system policy and the application's allowed flows as inputs]
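Two of the analyses named in this deck share one data structure: the SELinux policy analysis on page 2 ("identify low integrity flows to high integrity subjects") and the compliance checker above, which compares the flows an application's security-typed code is allowed to make against the system policy. The following is an added example, not code from the talk or from the Shamon project, and not a full SELinux policy parser. It assumes a handful of constructed SELinux-style allow rules, a constructed split of subject types into high-integrity (TCB) and low-integrity sets, a constructed integrity level per object type, and a constructed list of flows attributed to a logrotate-like application; all names are the example's own.

```python
from collections import defaultdict, deque

# Constructed SELinux-style allow rules: (subject type, object type, permissions).
RULES = [
    ("kernel_t",     "kernel_log_t",  {"write"}),
    ("sshd_t",       "sshd_config_t", {"read"}),
    ("sshd_t",       "sshd_log_t",    {"write", "append"}),
    ("logrotate_t",  "sshd_log_t",    {"read", "write"}),
    ("logrotate_t",  "httpd_log_t",   {"read", "write"}),
    ("httpd_t",      "httpd_log_t",   {"write", "append"}),
    ("httpd_t",      "httpd_tmp_t",   {"read", "write"}),
    ("user_t",       "user_home_t",   {"read", "write"}),
    ("user_t",       "httpd_tmp_t",   {"write"}),   # the rule the analysis should flag
    ("syslogd_t",    "kernel_log_t",  {"read"}),
    ("syslogd_t",    "sshd_log_t",    {"read"}),
]
WRITE_PERMS = {"write", "append", "create"}
READ_PERMS = {"read", "execute"}

# Constructed integrity classification of subjects: the TCB services versus the rest.
HIGH = {"kernel_t", "sshd_t", "syslogd_t", "logrotate_t"}
LOW = {"httpd_t", "user_t"}


def subject_flows(rules):
    """Subject-to-subject information-flow edges: a flow exists from W to R whenever
    W may write an object that R may read. Returns {src: {dst: carrying object}}."""
    writers, readers = defaultdict(set), defaultdict(set)
    for subj, obj, perms in rules:
        if perms & WRITE_PERMS:
            writers[obj].add(subj)
        if perms & READ_PERMS:
            readers[obj].add(subj)
    edges = defaultdict(dict)
    for obj, ws in writers.items():
        for w in ws:
            for r in readers.get(obj, ()):
                if w != r:
                    edges[w].setdefault(r, obj)
    return edges


def low_to_high_flows(edges, high, low):
    """Breadth-first search from each low-integrity subject through low-integrity
    subjects only; each first arrival at a high-integrity subject is one finding,
    reported as (source, high subject reached, subject path)."""
    findings = []
    for src in sorted(low):
        parent = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            for nxt in edges.get(cur, {}):
                if nxt in parent:
                    continue
                parent[nxt] = cur
                if nxt in high:
                    path, node = [], nxt
                    while node is not None:
                        path.append(node)
                        node = parent[node]
                    findings.append((src, nxt, path[::-1]))
                else:
                    queue.append(nxt)
    return findings


# Constructed integrity level per object label (higher = more trusted).
INTEGRITY = {"kernel_log_t": 3, "sshd_config_t": 3, "sshd_log_t": 2,
             "httpd_log_t": 1, "httpd_tmp_t": 0, "user_home_t": 0}


def policy_allows(src_label, dst_label):
    """Biba-style rule: data may flow only from equal-or-higher to equal-or-lower integrity."""
    return INTEGRITY[src_label] >= INTEGRITY[dst_label]


def check_compliance(app_flows):
    """Compliance check: app_flows are (source label, sink label) pairs that the
    application's security-typed code permits; return those the system policy forbids."""
    return [(s, d) for s, d in app_flows if not policy_allows(s, d)]


# Constructed flows for a logrotate-like service: rotating each log in place is fine,
# but copying web-server log data into the sshd log would be a low-to-high flow.
LOGROTATE_FLOWS = [("sshd_log_t", "sshd_log_t"), ("httpd_log_t", "httpd_log_t"),
                   ("httpd_log_t", "sshd_log_t")]

if __name__ == "__main__":
    for src, dst, path in low_to_high_flows(subject_flows(RULES), HIGH, LOW):
        print(f"low-integrity {src} reaches high-integrity {dst} via {' -> '.join(path)}")
    print("non-compliant flows:", check_compliance(LOGROTATE_FLOWS))
```

The search deliberately does not continue past the first high-integrity subject on a path: the finding a policy author needs is the boundary crossing (and the object carrying it, available from the edge map), not every TCB service reachable afterwards.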

Page 8

High Integrity Systems

• Goal: Provide verifiable high integrity core in client systems

‣ Applied to cell phones

‣ Trusted software and random software

• SHIMA integrity measurement enables verification that trusted code is isolated from others

• Sponsored by Raytheon and Samsung

[Figure: Cell Platform]

Page 9

Summary

• Emerging Technology Enables Rethinking of Distributed MAC Enforcement

‣ Shared Reference Monitor

• Promote Correct Shamon Systems

‣ Root-of-Trust-Install (ROTI), Prescribed Software, Bootcycle Secrets

• Build Distributed Shamon Applications

‣ Coalition Repository

‣ Web Shamon

‣ Verifiable Integrity Cell Systems

Page 10

Questions

• Shamon project

‣ http://www.cse.psu.edu/~tjaeger/research/shamon.html

• Penn State SIIS Lab

‣ http://siis.cse.psu.edu/

• Email

[email protected]