Securing Distributed Systems with Information Flow Control
description
Transcript of Securing Distributed Systems with Information Flow Control
![Page 1: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/1.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Securing Distributed Systems with Information Flow Control
CS6204 Privacy and SecurityVirginia Tech
-Nikhil KomawarOct 6, 2011
![Page 2: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/2.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
2Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
IntroductionInformation Flow ControlDesignImplementationInstance applicationsEvaluation
Outline
![Page 3: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/3.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
3Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
We try to design system which remain secure despite of the untrustworthy code.
Decentralized trust:- OS has have it entirely trusted kernel Not the same case for a Distributed System One solution: centralize trust mechanism (Not the most effective!)
Egalitarian Mechanism:- Specifically designed for applications Even unprivileged code can use DIFC
No inherent covert channels:- Avoid any covert channels in Dstar’s interface to meet different
security requirements.
Introduction
![Page 4: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/4.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
4Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
A typical web application.
![Page 5: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/5.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
5Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Labels: Ensure the communication between two processes Direction of communication
Processes S and R: Flows from S to R Flows even from R to S
On a distributed system, label LM for a message M
Information Flow Control
![Page 6: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/6.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
6Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
If information flows to higher label then we will not get anything out of the system
S can send message M to R if
.
Downgrading privileges
![Page 7: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/7.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
7Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
A process P’s downgrading are also represented as categories:
P owns a category
Set of categories in DStar message M
Categories
![Page 8: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/8.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
8Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Lattice structure
![Page 9: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/9.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
9Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Each process has third set of categories CP besides LP and OP
. Are called clearance: which gives a right to the process P to raise its own label say
Now
Clearance
![Page 10: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/10.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
10Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Example
![Page 11: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/11.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
11Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Run on each host: an exporter daemon which provides three requirements:- Track labels assigned to and categories owned by
each process on the machine A process cannot send messages with
inappropriate label Send and accept network message M when a
remote exporter can be trusted
DSTAR EXPORTER
![Page 12: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/12.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
12Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
We may have different host Oses Asbestos, HiStar, Flume.
We refer to their categories as OS categories and OS labels
Downgrading privilages:Corresponding category
Local OS DIFC
![Page 13: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/13.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
13Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Local checks, Trust and Addressing
Local Checks
Addressing
Decentralized Trust
![Page 14: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/14.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
14Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Exporter Interface
![Page 15: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/15.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
15Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Delegation service Local process to another exporter
Mapping service Mapping between DStar and local OS categories
Guarded invocation service Launches executables with specified arguments
and privilegesResource allocation service
Allocates space for data, CPU time for threads
Management Service
![Page 16: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/16.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
16Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Object types in HiStar Segments: 0 or more memory pages Containers: similar to directories Threads: execute code Gates: used for IPC and privilege transfer
HiStar
![Page 17: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/17.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
17Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
DStar and HiStar Mapping
Object is in a container
HiStar category c DStar category d
Binding segment
![Page 18: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/18.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
18Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
HiStar SSL web server
![Page 19: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/19.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
19Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Code complexity
Lines of C Code
![Page 20: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/20.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
20Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Web application on many HiStar machines
![Page 21: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/21.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
21Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Size of DStar structures
Compression of data using zlib
![Page 22: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/22.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
22Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Microbenchmarks measuring time to sign and verify certificates
Microbenchmarks
![Page 23: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/23.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
23Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Throughput and Latency
![Page 24: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/24.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
24Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Different configurations
![Page 25: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/25.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
25Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
DStar: Framework for securing distributed systems Uses security label mechanisms of DIFC Oses Exporter daemon on every machine Exporter ensures safe communication Trust relation left to the applications Self certifying categories – fully trusted machines not
needed Showed a DStar implementation of a three tired Web
Server Web server scales well
Summary
![Page 26: Securing Distributed Systems with Information Flow Control](https://reader036.fdocuments.in/reader036/viewer/2022062323/5681626f550346895dd2dd3b/html5/thumbnails/26.jpg)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Thank You!