ABSTRACT
Decentralized Information Flow Control (DIFC) is an approach to security that allows application writers to control how data flows between the pieces of an application and the outside world. As applied to privacy, DIFC allows untrusted software to compute with private data while trusted security code controls the release of that data. As applied to integrity, DIFC allows trusted code to protect untrusted software from unexpected malicious inputs. In either case, only bugs in the trusted code, which tends to be small and isolated, can lead to security violations.
We present Flume, a new DIFC model that applies at the granularity of operating system processes and standard OS abstractions (e.g., pipes and file descriptors). Flume was designed for simplicity of mechanism, to ease DIFC's use in existing applications, and to allow safe interaction between conventional and DIFC-aware processes. Flume runs as a user-level reference monitor on Linux. A process confined by Flume cannot perform most system calls directly; instead, an interposition layer replaces system calls with IPC to the reference monitor, which enforces data flow policies and performs safe operations on the process's behalf. We ported a complex web application (MoinMoin Wiki) to Flume, changing only 2% of the original code. Performance measurements show a 43% slowdown on read workloads and a 34% slowdown on write workloads, which are mostly due to Flume's user-level implementation.
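As an added illustration of the privacy and integrity checks the abstract describes (example code, not from the paper or from Flume itself): a toy reference monitor that mediates transfers between labelled endpoints using the standard subset-based label lattice. The `declassify` capability and the endpoint names are simplifications assumed here; Flume's actual tag and capability rules are not on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    secrecy: frozenset = frozenset()    # tags naming who must not learn the data
    integrity: frozenset = frozenset()  # tags naming guarantees the data carries

def can_flow(src: Label, dst: Label) -> bool:
    """Lattice rule: data may move from src to dst only if dst is at least
    as secret as src and carries no integrity guarantee src lacks."""
    return src.secrecy <= dst.secrecy and dst.integrity <= src.integrity

class Monitor:
    """Toy reference monitor: every transfer between labelled endpoints
    (processes, files, pipes, sockets) is checked here, so the untrusted
    code doing the computation never has to be trusted with the policy."""
    def __init__(self):
        self.labels = {}   # endpoint name -> Label
        self.caps = {}     # endpoint name -> secrecy tags it may declassify (assumed model)
        self.log = []      # decisions, for inspection

    def add(self, name, label, declassify=()):
        self.labels[name] = label
        self.caps[name] = frozenset(declassify)

    def transfer(self, src, dst):
        ok = can_flow(self.labels[src], self.labels[dst])
        self.log.append(f"{'ALLOW' if ok else 'DENY'} {src} -> {dst}")
        return ok

    def declassify(self, name, tag):
        """Only an endpoint holding the capability for `tag` may drop it."""
        if tag not in self.caps[name]:
            self.log.append(f"DENY declassify {tag} by {name}")
            return False
        old = self.labels[name]
        self.labels[name] = Label(old.secrecy - {tag}, old.integrity)
        return True

def privacy_scenario():
    """Untrusted worker may compute on alice's data but cannot export it;
    only trusted code holding the capability can release it (constructed)."""
    m = Monitor()
    m.add("alice_file", Label(secrecy=frozenset({"alice"})))
    m.add("worker", Label(secrecy=frozenset({"alice"})))   # untrusted, tainted
    m.add("network", Label())                              # public sink
    m.add("declassifier", Label(secrecy=frozenset({"alice"})), declassify={"alice"})
    return (m.transfer("alice_file", "worker"),    # allowed: same secrecy
            m.transfer("worker", "network"),       # denied: would leak alice's data
            m.transfer("worker", "declassifier"),  # allowed
            m.declassify("declassifier", "alice"), # allowed: holds capability
            m.transfer("declassifier", "network")) # allowed after declassification
```

The integrity direction works the same way with `can_flow`: an endpoint carrying no integrity tag cannot write into one that requires a tag, which is how trusted code is shielded from unexpected inputs.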
Supplemental material for Information flow control for standard OS abstractions