SECURITY ARCHITECTURES - TU...
Transcript of SECURITY ARCHITECTURES - TU...
Department of Computer Science Institute for System Architecture, Operating Systems Group
CARSTEN WEINHOLD
SECURITY ARCHITECTURES
TU Dresden Security Architectures
Motivation
2
■ Common observations:
■ Users are plagued by malware
■ Companies and government agencies are high value targets
■ Critical data gets stolen
■ ...
■ Sad truth: threats won‘t go away
TU Dresden Security Architectures
Classical Architectures
3
TU Dresden Security Architectures
Isolation■ Isolation in commodity OSes based
on user accounts
■ Problems:
■ Same privileges for all apps
■ Permissive Interfaces (e.g., ptrace to manipulate other address spaces)
■ Malware is dangerous and real
■ Efforts to restrict privileges:
■ SELinux, AppArmor, Seatbelt, ...4
TU Dresden Security Architectures
Physical Isolation■ Separate computers
■ Applications and data physically isolated
■ Effective, but ...
■ High costs
■ Needs more space
■ Inconvenient
■ Exposure to network may pose threat
5
OS
Hardware
App
Hardware
OS
App
PC 1 PC 2
TU Dresden Security Architectures
Virtual Machines■ Multiple VMs, OSes
■ Isolation enforced by virtualization layer
■ Saves space, energy, maintenance effort
■ But still ...
■ Switching between VMs is inconvenient
■ Even more code6
OS
Virtualization Layer
App
Hardware
OS
App
VM 1 VM 2
TU Dresden Security Architectures
So far ...
■ Huge code bases remain
■ Many targets to attack:
■ Application, Commodity OS
■ Virus scanner, firewall, ...
■ Expensive communication via (virtual) Ethernet
■ High resource consumption even for small applications
7
TU Dresden Security Architectures
Microkernel & Multi-server OS
8
TU Dresden Security Architectures
Loader
Nizza Architecture
9
Microkernel
GUINames UserAuth
SecureStorage
I/OSupport
Legacy OS
LegacyApp
SigningApp
E-CommerceApp
BankingApp
TU Dresden Security Architectures
Nizza Key Principles
10
■ Nizza architecture based on basic design concepts:
■ Strong isolation
■ Application-specific TCBs
■ Legacy reuse
■ Trusted wrapper
■ Trusted Computing
TU Dresden Security Architectures
App-specific TCBs
11
Loader
Microkernel
GUINames UserAuth
SecureStorage
I/OSupport
Key Mgt
IP Stack SigningApp
VirtualEthernet
NetworkApp
Legacy OS
LegacyApp
TU Dresden Security Architectures
App-specific TCBs
■ Reflects principle of least privilege
■ TCB of an application includes only components its security relies upon
■ TCB does not include unrelated applications or services
■ Mechanisms:
■ Address spaces for strong isolation
■ Well-defined interfaces
12
TU Dresden Security Architectures
Legacy Reuse
■ New OS? Do not reinvent the wheel!
■ Existing software can be reused:
■ Applications (e.g., e-mail clients, ...)
■ Protocol stacks (e.g., TCP/IP)
■ Commodity OSes (e.g., Linux)
■ Virtualization is important enabler
■ Legacy code often does not need to be trusted
13
TU Dresden Security Architectures
Easy Reuse
■ Run OS in VM to reuse unmodified applications
■ Useful for applications that are not security critical
■ Also improves isolation:
■ Use VM to sandbox applications and OS
■ Isolation at VM granularity
14
Basic Services
Legacy OS
LegacyApp
Microkernel
TU Dresden Security Architectures
TCB--; Security++;■ To further improve security:
■ Reduce size of attack surface
■ Reduce size of TCB
■ First idea:
■ Port application to microkernel-based multi-server OS
■ Removes huge legacy OS from TCB
■ Possible approaches discussed in lecture on „Legacy Containers“
15
TU Dresden Security Architectures
Splitting Components
16
TU Dresden Security Architectures
Split Applications■ Problems with porting applications:
■ Dependencies need to be satisfied
■ Can be complex, even infeasible
■ Stripped down applications may lack functionality / usability
■ Better idea: split application
■ Make only security-critical parts run on microkernel-based OS
■ Reduces size of TCB even further17
TU Dresden Security Architectures
Example 1: eMail
18
■ Critical functionality to support digitally signed e-mails:
■ Handling of signature keys
■ Requesting passphrase to unlock secret signature key
■ Presenting e-mail message:■ Before sending: „What You See Is What
You Sign“■ After receiving: verify signature, identify
sender
TU Dresden Security Architectures
Signing eMails
19
Loader
Microkernel
GUINames UserAuth
SecureStorage
I/OSupport
Legacy OS
LegacyApp
SigningApp
TU Dresden Security Architectures
Benefit of Splitting
20
■ >1,500,000 SLOC no longer in TCB:
■ Linux kernel, drivers, X-Server
■ C and GUI libraries, Thunderbird
■ TCB size reduced to ~150,000 SLOC:
■ GNU Privacy Guard, e-mail viewer
■ Basic L4 system
■ At least 10 times less code in TCB
■ Method not restricted to applications
TU Dresden Security Architectures
Reuse OS Services?■ Network and file system stacks are
virtually essential subsystems
■ Generally well tested
■ Ready for production use
■ ... but not bug free:
■ Month of Kernel Bugs 2006 [1,2]:■ 14 exploitable flaws in file systems:
UFS, ISO 9660, Ext3, SquashFS, ...■ WiFi drivers: remotely exploitable bugs
21
TU Dresden Security Architectures
Trusted Wrappers
■ Complex protocol stacks should not be part of TCB
■ Reuse untrusted infrastructure through trusted wrapper:
■ Add security measures around existing APIs■ Cryptography■ Redundancy
■ Similar approaches: SSL, VPN22
TU Dresden Security Architectures
Example 2: VPN■ SINA box used by German „BSI“:
23
■ VPN gateway
■ Implements IPSec & PKI
■ Intrusion detection & response
■ Used for secure access to government networks, e.g. in German embassies Image source:
http://www.secunet.com/de/das-unternehmen/presse/bilddatenbank/
TU Dresden Security Architectures
SINA Box Overview
■ Hardware:
■ Different kinds of networks interfaces:■ Red: plaintext, no protection■ Black: encrypted, MACs
■ Tamper / EM protected casing
■ Software:
■ Minimized and hardened Linux
■ Runs only from CD-ROM or Flash24
TU Dresden Security Architectures
Linux is Complex■ Linux is complex!
■ SLOC for Linux 2.6.18:
■ Architecture specific: 817.880
■ x86 specific: 55.463
■ Drivers: 2.365.256
■ Common: 1.800.587
■ Typical config: ~ 2.000.000
■ Minimized & hardened: > 500.00025
TU Dresden Security Architectures
Mikro-SINA
■ Research project Mikro-SINA:
■ Reduce TCB of VPN gateway
■ Enable high-level evaluation for high assurance scenarios
■ Ensure confidentiality and integrity of sensitive data within the VPN
■ Exploit microkernel architecture
26
TU Dresden Security Architectures
IPSec in a Nutshell■ Protocol suite for securing
IP-based communication■ Authentication header (AH)■ Integrity■ Authentication
■ Encapsulating Security Payload (ESP)■ Confidentiality
■ Tunnel mode / transport mode27
Data Link Layer
IPSec
IP
TCP / UDP
Application
TU Dresden Security Architectures
IPSec in L4Linux
■ IPSec is security critical component
■ ... but is integrated into Linux kernel
28
Microkernel
L4Linux
IP Stack
IPSec
TU Dresden Security Architectures
IPSec „Viaduct“■ IPSec code is isolated in „Viaduct“
■ IPSec packets sent/received through TUN/TAP device
29
Microkernel
L4Linux
IP StackIPSec
„Viaduct“eth0
tun0
TU Dresden Security Architectures
Fragmentation■ Problem: Routers can fragment
IPSec packets on the way
■ Let L4Linux reassemble them
30
Microkernel
L4Linux
IP StackIPSec
„Viaduct“eth0
tun0AH /ESP
TU Dresden Security Architectures
L4LinuxL4Linux
Confidentiality■ Untrusted L4Linux must not see both
plaintext and encrypted data
■ Dedicated L4Linux for black/red networks
31
Microkernel
L4Linux
IP StackIPSec
„Viaduct“eth0
tun0AH /ESP
L4Linux
IP Stacketh1
tun0
TU Dresden Security Architectures
Mikro-SINA Results
■ Trusted wrapper for VPN
■ Small TCB:
■ 5.000 SLOC for „Viaduct“
■ Fine grain isolation ■ Principle of least privilege
■ Extensive reuse of legacy code (Drivers, IP stack, ...)
■ More details in [5]32
TU Dresden Security Architectures
Loader
Example 3: Storage
33
Microkernel
GUINames UserAuth
SecureStorage
I/OSupport
Legacy OS
LegacyApp
SigningApp
E-CommerceApp
BankingApp
How to provide secure and reliable storage for trusted applications?
TU Dresden Security Architectures
Loader
Split File System
34
Microkernel
GUINames UserAuth
SecureStorage
I/OSupport
Legacy OS
UntrustedStorage Proxy
SigningApp
TU Dresden Security Architectures
Protection Goals
35
■ Confidentiality: only authorized applications can access file system, all untrusted software cannot get any useful information
■ Integrity: all data and meta data is correct, complete, and up to date; otherwise report integrity error
■ Recoverability: damaged data in untrusted file system can be recovered from trusted backup
TU Dresden Security Architectures
Design Space
36
Protection
Disk Driver
Block Layer
File System
VFS
App
Buffer Cache
■ First end of design space: Protect whole file system at block layer:
■ Common solution (e.g., dm_crypt in Linux)
■ Easy protection for all data
■ A lot of code in TCB
■ Little flexibility
TU Dresden Security Architectures
Design Space
■ Second end of design space: Protect individual files near VFS / API layer:
■ Stacked file system (e.g., ecryptfs in Linux)
■ Flexible protection policies
■ Most parts of file system stack not part of TCB
■ Ideal for trusted wrapper
37
Protection
Disk Driver
Block Layer
File System
VFS
App
Buffer Cache
TU Dresden Security Architectures
VPFS Architecture
38
Wrapper
Disk Driver
Block Layer
File System
VFS
Trusted App
Buffer Cache
Crypto Layer
Proxy Stub
Buffer Cache
FS Proxy
Untrusted Trusted
TU Dresden Security Architectures
File Encryption
39
■ Files in untrusted legacy file system are arrays of encrypted blocks
■ VPFS Server takes care of on the fly encryption / decryption
■ Only buffer cache contains plaintext
TU Dresden Security Architectures
File Integrity
40
0 1 2 3 4 5 6 7 8
■ Hash tree embedded in files
■ Parents authenticate child nodes
TU Dresden Security Architectures
Meta Data Integrity
41
Master Hash File
File
„Small SecureStorage“
File File File
Dir
Dir
Dir
TU Dresden Security Architectures
Validity Checks
42
■ How to trust untrusted meta data?
■ „File exists“ / „File does not exist“:■ Validated inside TCB using cryptographic
proof and hash tree■ Efficient solution possible
■ Directory listings:■ Efficient solution requires functionality to
be implemented in TCB
■ Details in [3]
TU Dresden Security Architectures
VPFS Summary
43
■ Trusted wrapper shown to work for file systems
■ VPFS is general purpose file system
■ Significant reduction in code size:
■ VPFS adds 4,000 to 4,600 SLOC to application TCB
■ Standard Linux file system stack comprises >50,000 SLOC
TU Dresden Security Architectures
User Interfaces
44
TU Dresden Security Architectures
Sharing The Screen
45
■ Isolated applications run in different domains of trust, but separate screens are inconvenient
■ The Nitpicker solution [4]:
■ Let all windows share the same screen
■ ... but securely:■ Make windows & applications identifiable■ Prevent them from spying on each other:
route input securely, no screenshots
TU Dresden Security Architectures
Concepts
46
Buffers
Views
TU Dresden Security Architectures
How It Works
47
Buffers
Views
TU Dresden Security Architectures
Nitpicker In Action
48
TU Dresden Security Architectures
Demo
49
TU Dresden Security Architectures
Open Questions
50
■ A few things not discussed today:
■ Where does VPFS store its secrets?
■ How does VPFS detect corrupt data?
■ How can a remote server be trusted?
■ How can we trust in what we see on the screen?
■ Missing element: Root of Trust
■ Discussed next week
TU Dresden Security Architectures
Coming up next ...
51
■ Later today:
■ Paper reading exercise
■ January 19, 2010
■ Lecture „Trusted Computing“
■ no exercise (but complex lab)
TU Dresden Security Architectures
References■ [1] http://www.heise.de/newsticker/Month-of-Kernel-Bugs-Ein-Zwischenstand--/meldung/81454
■ [2] http://projects.info-pull.com/mokb/
■ [3] Carsten Weinhold and Hermann Härtig, „VPFS: Building a Virtual Private File System with a Small Trusted Computing Base“, Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008, 2008, Glasgow, Scotland UK
■ [4] Norman Feske and Christian Helmuth, „A Nitpicker's guide to a minimal-complexity secure GUI“, ACSAC '05: Proceedings of the 21st Annual Computer Security Applications Conference, 2005, Washington, DC, USA
■ [5] Christian Helmuth, Alexander Warg, Norman Feske, „Mikro-SINA - Hands-on Experiences with the Nizza Security Architecture“, D.A.CH Security 2005, 2005, Darmstadt, Germany
52