SOSP conference proceedings, DOI 10.1145/1294261.1294293

Information flow control for standard OS abstractions

Published: 14 October 2007

ABSTRACT

Decentralized Information Flow Control (DIFC) is an approach to security that allows application writers to control how data flows between the pieces of an application and the outside world. As applied to privacy, DIFC allows untrusted software to compute with private data while trusted security code controls the release of that data. As applied to integrity, DIFC allows trusted code to protect untrusted software from unexpected malicious inputs. In either case, only bugs in the trusted code, which tends to be small and isolated, can lead to security violations.

We present Flume, a new DIFC model that applies at the granularity of operating system processes and standard OS abstractions (e.g., pipes and file descriptors). Flume was designed for simplicity of mechanism, to ease DIFC's use in existing applications, and to allow safe interaction between conventional and DIFC-aware processes. Flume runs as a user-level reference monitor on Linux. A process confined by Flume cannot perform most system calls directly; instead, an interposition layer replaces system calls with IPC to the reference monitor, which enforces data flow policies and performs safe operations on the process's behalf. We ported a complex web application (MoinMoin Wiki) to Flume, changing only 2% of the original code. Performance measurements show a 43% slowdown on read workloads and a 34% slowdown on write workloads, which are mostly due to Flume's user-level implementation.


