Verifying Information Flow Control Over Unbounded Processes William R. Harris, Nicholas A. Kidd, Sagar Chaki, Somesh Jha, and Thomas Reps
Transcript of the slides (speaker: William R. Harris)

Slide: Motivating example
  Figure: a Request Handler spawns Worker0, Worker1, ..., WorkerN; the workers share a file buffer.txt.
  Key: Trusted / Compromised / Invalid.
  - Privacy of information controlled by application
  - Application uses labels, system enforces label semantics
  - Not multi-trace properties
  Figure (with labels): Worker0 carries label {0}, Worker1 carries {1}, WorkerN carries {n}; buffer.txt is shown with labels ({0} {n}).

Slide: Handler without labels
    void Handler() {
      while (*) {                       /* nondeterministic loop, slide notation */
        Request r = get_next_http_request();
        Endpoint e0, e1;
        create_channel(&e0, &e1);       /* channel between handler and worker */
        spawn(/usr/bin/Worker, e1, r);  /* worker inherits the handler's (empty) label */
        send_ack();
      }
    }

Slide: Handler with labels
    void Handler() {
      Label lab, cap;
      cap = empty_label();              /* handler keeps no capabilities */
      while (*) {
        Request r = get_next_http_request();
        lab = add_Tag(empty_label(), create_tag());   /* fresh tag per request */
        Endpoint e0, e1;
        create_channel(&e0, &e1);
        spawn(/usr/bin/Worker, e1, r, lab, cap);      /* worker runs under the fresh label */
        send_ack();
      }
    }

Slide: Problem
  - DIFC gives powerful low-level mechanisms
  - Semantic gap between high-level policy, low-level mechanisms
  - Automatically validate that application follows policy

Slide: Approach
  - DIFC policies are safety properties
  - So apply a model checker for safety properties!
  - Key system objects can be dynamically allocated. Summarize?
  Figure: Request Handler with Summary Worker 0 {S}, Summary Worker 1 {S}, buffer.txt {S}.
  Figure: Request Handler with Worker0 {C}, Summary Worker {S}, buffer.txt: ({C} {S}).
  Key: Trusted / Compromised / Invalid.

Slide: Contributions
  - Information flow control policies for DIFC systems are safety properties
  - Summarization makes checking feasible
  - Random isolation makes checking precise

Slide: Tool pipeline
  Program: Concrete semantics
    -> (Instrumentation) Program: Rand. Iso. semantics
    -> (Abstraction) Program: Abstract semantics
    -> Copper [Chaki 04]
    -> SAFE, or Error, checked against the Policy

Slide: Random isolation
  Figure: tags t_u, t_v allocated by "lab := create_tag()"; a summary label "lab : sum" versus an isolated label "lab : iso"; "conc : iso" and "sum : iso" marks the concrete and summary copies.
  - Instrument allocation functions
    if (!has_alloc && nondet()) {
      lab := create_iso();      /* at most one allocation is isolated (concrete) */
      has_alloc = true;
    } else {
      lab := create_noniso();   /* all other allocations go to the summary */
    }

Slide: Every relation is a function
  Label relation on abstract labels (C = the isolated tag, S = the summary tag; the relation symbol did not survive extraction; 0 = false, 1 = true, * = unknown):
    {C}    vs {S}     = 0
    {C}    vs {C}     = 1
    {C}    vs {C, S}  = 1
    {S}    vs {S}     = *
    {C, S} vs {C, S}  = *

Slide: FlumeWiki
  A wiki software package designed for secure information flow.
  Policies:
  - No Worker sends to another Worker
  - Handler to network never blocks

Slide: Apache
  Structure, correctness similar to FlumeWiki.

Slide: ClamAV
  Figure: ClamAV reads password.txt and bar.txt and talks to the Network. Key: Compromised / Must-be-valid / Invalid.
  Potential violations:
  - No read
  - Export private

Slide: OpenVPN
  Figure: OpenVPN between Network1 and Network2. Key: Trusted / Invalid.
  Potential violations:
  - No read
  - Inter-network leak

Slide: Results
  Tool verified all correct programs, found all violations in buggy programs.
  - For no random isolation, a few minutes
  - For random isolation, approx. 1 hour

  Program   | Size (LOC) | # Procs (runtime) | Version      | Result | Time
  ----------|------------|-------------------|--------------|--------|-----------
  FlumeWiki | 110        | unbounded         | Correct      | Safe   | 1h 9m 16s
            |            |                   | Interference | Bug    | 37m 53s
  Apache    | 596        | unbounded         | Correct      | Safe   | 1h 13m 27s
            |            |                   | Interference | Bug    | 18m 30s
  ClamAV    | 3427       | 2                 | Correct      | Safe   | 7m 55s
            |            |                   | No Read      | Bug    | 3m 25s
            |            |                   | Export       | Bug    | 3m 25s
  OpenVPN   | 29,494     | 3                 | Correct      | Safe   | 2m 17s
            |            |                   | No Read      | Bug    | 2m 52s
            |            |                   | Leak         | Bug    | 2m 53s

Slide: Conclusion
  - DIFC correctness is a safety problem
  - Need summarization for feasibility, random isolation for precision
  - DIFC properties can be checked for real-world programs
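The two Handler versions and the FlumeWiki policies can be exercised in a small simulation. The Python below is an added example written for this transcript; it is not code from the slides or from the authors' tool (Copper). It assumes Flume-style label semantics that the slides only allude to: a process's secrecy label is a set of tags, a message or file read from p to q is permitted only when p's label is a subset of q's, and a file takes the label of the worker that writes it. The names Process, can_send and check_policies are the example's own.

```python
from dataclasses import dataclass
from itertools import count

# Constructed model of a Flume-style DIFC system (assumption: the subset rule
# below is how the underlying system enforces label semantics).

_tag_counter = count()


def create_tag():
    """Allocate a fresh tag, mirroring create_tag() in the slides' Handler."""
    return next(_tag_counter)


@dataclass
class Process:
    name: str
    label: frozenset = frozenset()   # secrecy label: a set of tags


def can_send(src: Process, dst: Process) -> bool:
    """Assumed secrecy rule: information may flow from src to dst only if every
    tag in src's label also appears in dst's label."""
    return src.label <= dst.label


def spawn_workers_unlabeled(n):
    """First Handler on the slides: spawn() passes no label, so each worker
    runs under the handler's empty label."""
    return [Process(f"Worker{i}") for i in range(n)]


def spawn_workers_labeled(n):
    """Second Handler: lab = add_Tag(empty_label(), create_tag()) per request,
    so each worker runs under a label holding one fresh tag."""
    return [Process(f"Worker{i}", frozenset({create_tag()})) for i in range(n)]


def worker_to_worker_flows(workers):
    """Policy 'No Worker sends to another Worker': the (src, dst) pairs the
    system would permit; the policy holds iff the list is empty."""
    return [(a.name, b.name) for a in workers for b in workers
            if a is not b and can_send(a, b)]


def handler_to_network_blocks(handler, network):
    """Policy 'Handler to network never blocks': True if the handler's send to
    the network endpoint would be refused by the label check."""
    return not can_send(handler, network)


def shared_file_readers(workers):
    """buffer.txt written by workers[0] carries workers[0]'s label (assumed);
    return the other workers that could still read it."""
    buffer = Process("buffer.txt", workers[0].label)
    return [w.name for w in workers[1:] if can_send(buffer, w)]


def check_policies(n, labeled):
    """Run both FlumeWiki policies plus the shared-file case for n workers."""
    handler = Process("Handler")      # cap = empty_label(); label stays empty
    network = Process("Network")      # unlabeled endpoint
    workers = spawn_workers_labeled(n) if labeled else spawn_workers_unlabeled(n)
    return {
        "worker_to_worker_flows": worker_to_worker_flows(workers),
        "handler_to_network_blocks": handler_to_network_blocks(handler, network),
        "buffer_readers": shared_file_readers(workers),
    }


if __name__ == "__main__":
    for labeled in (False, True):
        r = check_policies(3, labeled)
        print(f"labeled={labeled}: worker->worker flows permitted: "
              f"{len(r['worker_to_worker_flows'])}, handler->network blocks: "
              f"{r['handler_to_network_blocks']}, buffer.txt readers: "
              f"{r['buffer_readers']}")
```

With the unlabeled Handler every worker can send to every other worker and read buffer.txt, which is the interference the slides' "Interference" versions of FlumeWiki and Apache exhibit; with the labeled Handler the fresh tag per worker closes both channels while the handler, whose label stays empty, is never blocked from the network. The model is per-trace, matching the slides' remark that these are not multi-trace properties.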