DOI: 10.1145/1294261.1294293

Information flow control for standard OS abstractions

Published: 14 October 2007

ABSTRACT

Decentralized Information Flow Control (DIFC) is an approach to security that allows application writers to control how data flows between the pieces of an application and the outside world. As applied to privacy, DIFC allows untrusted software to compute with private data while trusted security code controls the release of that data. As applied to integrity, DIFC allows trusted code to protect untrusted software from unexpected malicious inputs. In either case, only bugs in the trusted code, which tends to be small and isolated, can lead to security violations.

We present Flume, a new DIFC model that applies at the granularity of operating system processes and standard OS abstractions (e.g., pipes and file descriptors). Flume was designed for simplicity of mechanism, to ease DIFC's use in existing applications, and to allow safe interaction between conventional and DIFC-aware processes. Flume runs as a user-level reference monitor on Linux. A process confined by Flume cannot perform most system calls directly; instead, an interposition layer replaces system calls with IPC to the reference monitor, which enforces data flow policies and performs safe operations on the process's behalf. We ported a complex web application (MoinMoin Wiki) to Flume, changing only 2% of the original code. Performance measurements show a 43% slowdown on read workloads and a 34% slowdown on write workloads, which are mostly due to Flume's user-level implementation.
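The label discipline the abstract sketches, worked as an added example (this is not code from the Flume paper or project): a toy user-level reference monitor that a confined process must ask before it moves data or relabels itself, instead of calling the kernel directly. The two rules it enforces are the ones the Flume paper publishes: secrecy and integrity labels are sets of tags, data may flow from p to q only if S_p is a subset of S_q and I_q is a subset of I_p, and a process may add a tag to its own label only if it holds that tag's t+ capability and drop one only with t-. The paper's global-capability set and dual-privilege relaxation are omitted here, and every process, file and tag name is constructed for the illustration.

```python
"""Toy DIFC reference monitor in the style of Flume's label model.
Added illustration, not code from the Flume paper or project.  Labels are
sets of opaque tags; a principal (process or file) has a secrecy label S, an
integrity label I and capabilities O written (tag, "+") / (tag, "-")."""
from dataclasses import dataclass


class FlowDenied(Exception):
    """Raised by the monitor when an operation would violate a label rule."""


@dataclass
class Principal:
    name: str
    S: frozenset = frozenset()   # secrecy label
    I: frozenset = frozenset()   # integrity label
    O: frozenset = frozenset()   # owned capabilities: (tag, "+") may add, "-" may drop

    def __post_init__(self):
        self.S, self.I, self.O = frozenset(self.S), frozenset(self.I), frozenset(self.O)

    def caps(self, direction):
        return {t for (t, d) in self.O if d == direction}


def can_flow(src, dst):
    """Flume's flow rule: src.S <= dst.S (no secret reaches a less-secret sink)
    and dst.I <= src.I (nothing of lower integrity enters a higher-integrity sink)."""
    return src.S <= dst.S and dst.I <= src.I


def can_change(p, old, new):
    """p may replace label old with new iff it holds t+ for every tag added
    and t- for every tag dropped."""
    return (new - old) <= p.caps("+") and (old - new) <= p.caps("-")


class Monitor:
    """Stands in for the user-level reference monitor: a confined process asks
    it to move data or relabel itself instead of issuing the system call."""

    def transfer(self, src, dst):
        if not can_flow(src, dst):
            raise FlowDenied(f"{src.name} -> {dst.name}")

    def set_label(self, p, which, new):
        """Relabel p's secrecy ("S") or integrity ("I") label."""
        old, new = getattr(p, which), frozenset(new)
        if not can_change(p, old, new):
            raise FlowDenied(f"{p.name}: {which} {set(old)} -> {set(new)}")
        setattr(p, which, new)


def attempt(op, *args):
    """True if the monitor allows the operation, False if it denies it."""
    try:
        op(*args)
        return True
    except FlowDenied:
        return False


def run_scenario():
    """Walk through the abstract's two cases; every name here is constructed."""
    m = Monitor()
    alice, vendor = "alice_data", "vendor_signed"      # secrecy tag, integrity tag
    private_file = Principal("alice.db", S={alice})
    network = Principal("net")                         # public sink: S = I = {}
    worker = Principal("untrusted_worker", O={(alice, "+")})
    declass = Principal("trusted_declassifier", O={(alice, "+"), (alice, "-")})
    config = Principal("app.conf", I={vendor})
    installer = Principal("trusted_installer", I={vendor})
    download = Principal("untrusted_download")         # I = {}: low integrity
    r = {}
    # Privacy: untrusted code may compute on the secret but cannot release it.
    r["read_before_raise"] = attempt(m.transfer, private_file, worker)
    r["raise_label"] = attempt(m.set_label, worker, "S", {alice})
    r["read_after_raise"] = attempt(m.transfer, private_file, worker)
    r["leak_to_network"] = attempt(m.transfer, worker, network)
    r["self_declassify"] = attempt(m.set_label, worker, "S", set())
    r["hand_to_declassifier"] = (attempt(m.set_label, declass, "S", {alice})
                                 and attempt(m.transfer, worker, declass))
    r["controlled_release"] = (attempt(m.set_label, declass, "S", set())
                               and attempt(m.transfer, declass, network))
    # Integrity: only code carrying the vendor tag may feed the config file,
    # and it cannot read untrusted input without first dropping that tag.
    r["untrusted_writes_config"] = attempt(m.transfer, download, config)
    r["trusted_writes_config"] = attempt(m.transfer, installer, config)
    r["trusted_reads_untrusted"] = attempt(m.transfer, download, installer)
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:25s} {'allowed' if v else 'DENIED'}")
```

The point to notice is where trust sits: the worker never holds alice_data's t- capability, so no bug in it can get the secret to the network; only the small declassifier, which owns t-, can lower its label and release, which is exactly the "only bugs in the trusted code can lead to security violations" property the abstract describes. The same check, applied to integrity, keeps the untrusted download out of the vendor-tagged config file and stops the trusted installer from silently consuming it.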



Published in

SOSP '07: Proceedings of the twenty-first ACM SIGOPS symposium on Operating systems principles, October 2007, 378 pages. ISBN: 9781595935915. DOI: 10.1145/1294261

Also in ACM SIGOPS Operating Systems Review, Volume 41, Issue 6 (SOSP '07), December 2007, 363 pages. ISSN: 0163-5980. DOI: 10.1145/1323293

Copyright © 2007 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rate: SOSP overall, 131 of 716 submissions (18%)
