Results 1 - 10
of
41
Policy-Reduced Integrity Measurement Architecture
- In Proceedings of the 11th ACM SACMAT
, 2006
"... We propose an integrity measurement approach based on information flow integrity, which we call the Policy-Reduced Integrity Measurement Architecture (PRIMA). The recent availability of secure hardware has made it practical for a system to measure its own integrity, such that it can generate an inte ..."
Abstract
-
Cited by 71 (11 self)
- Add to MetaCart
(Show Context)
We propose an integrity measurement approach based on information flow integrity, which we call the Policy-Reduced Integrity Measurement Architecture (PRIMA). The recent availability of secure hardware has made it practical for a system to measure its own integrity, such that it can generate an integrity proof for remote parties. Various approaches have been proposed, but most simply measure the loaded code and static data to approximate runtime system integrity. We find that these approaches suffer from two problems: (1) the load-time measurements of code alone do not accurately reflect runtime behaviors, such as the use of untrusted network data, and (2) they are inefficient, requiring all measured entities to be known and fully trusted even if they have no impact on the target application. Classical integrity models are based on information flow, so we design the PRIMA approach to enable measurement of information flow integrity and prove that it achieves these goals. We prove how a remote party can verify useful information flow integrity properties using PRIMA. A PRIMA prototype has been built based on the open-source Linux Integrity Measurement Architecture (IMA) using SELinux policies to provide the information flow.
Bootstrapping trust in commodity computers.
- In IEEE Symposium on Security and Privacy (S&P),
, 2010
"... Abstract Trusting a computer for a security-sensitive task (such as checking email or banking online) requires the user to know something about the computer's state. We examine research on securely capturing a computer's state, and consider the utility of this information both for improvi ..."
Abstract
-
Cited by 48 (5 self)
- Add to MetaCart
(Show Context)
Abstract Trusting a computer for a security-sensitive task (such as checking email or banking online) requires the user to know something about the computer's state. We examine research on securely capturing a computer's state, and consider the utility of this information both for improving security on the local computer (e.g., to convince the user that her computer is not infected with malware) and for communicating a remote computer's state (e.g., to enable the user to check that a web server will adequately protect her data). Although the recent "Trusted Computing" initiative has drawn both positive and negative attention to this area, we consider the older and broader topic of bootstrapping trust in a computer. We cover issues ranging from the wide collection of secure hardware that can serve as a foundation for trust, to the usability issues that arise when trying to convey computer state information to humans. This approach unifies disparate research efforts and highlights opportunities for additional work that can guide real-world improvements in computer security.
Usable Mandatory Integrity Protection for Operating Systems
, 2007
"... Existing mandatory access control systems for operating systems are difficult to use. We identify several principles for designing usable access control systems and introduce the Usable Mandatory Integrity Protection (UMIP) model that adds usable mandatory access control to operating systems. The UM ..."
Abstract
-
Cited by 36 (2 self)
- Add to MetaCart
(Show Context)
Existing mandatory access control systems for operating systems are difficult to use. We identify several principles for designing usable access control systems and introduce the Usable Mandatory Integrity Protection (UMIP) model that adds usable mandatory access control to operating systems. The UMIP model is designed to preserve system integrity in the face of network-based attacks. The usability goals for UMIP are twofold. First, configuring a UMIP system should not be more difficult than installing and configuring an operating system. Second, existing applications and common usage practices can still be used under UMIP. UMIP has several novel features to achieve these goals. For example, it introduces several concepts for expressing partial trust in programs. Furthermore, it leverages information in the existing discretionary access control mechanism to derive file labels for mandatory integrity protection. We also discuss our implementation of the UMIP model for Linux using the Linux Security Modules framework, and show that it is simple to configure, has low overhead, and effectively defends against a number of network-based attacks.
From trusted to secure: Building and executing applications that enforce system security
- USENIX ANNUAL TECHNICAL CONFERENCE
, 2007
"... Commercial operating systems have recently introduced mandatory access controls (MAC) that can be used to ensure system-wide data confidentiality and integrity. These protections rely on restricting the flow of information between processes based on security levels. The problem is, there are many ap ..."
Abstract
-
Cited by 29 (11 self)
- Add to MetaCart
(Show Context)
Commercial operating systems have recently introduced mandatory access controls (MAC) that can be used to ensure system-wide data confidentiality and integrity. These protections rely on restricting the flow of information between processes based on security levels. The problem is, there are many applications that defy simple classification by security level, some of them essential for system operation. Surprisingly, the common practice among these operating systems is simply to mark these applications as “trusted”, and thus allow them to bypass label protections. This compromise is not a limitation of MAC or the operating system services that enforce it, but simply a fundamental inability of any operating system to reason about how applications treat sensitive data internally—and thus the OS must either restrict the data that they receive or trust them to handle it correctly. These practices were developed prior to the advent security-typed languages. These languages provide a means of reasoning about how the OS’s sensitive data is handled within applications. Thus, applications can be shown to enforce system security by guaranteeing, in advance of execution, that they will adhere to the OS’s MAC policy. In this paper, we provide an architecture for an operating system service, that integrate security-typed language with operating system MAC services. We have built an implementation of this service, called SIESTA, which handles applications developed in the securitytyped language, Jif, running on the SELinux operating system. We also provide some sample applications to demonstrate the security, flexibility and efficiency of our approach.
From Languages to Systems: Understanding Practical Application Development in Security-typed Languages
- In Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006
, 2006
"... Security-typed languages are an evolving tool for implementing systems with provable security guarantees. However, to date, these tools have only been used to build simple “toy ” programs. As described in this paper, we have developed the first real-world, security-typed application: a secure email ..."
Abstract
-
Cited by 17 (5 self)
- Add to MetaCart
(Show Context)
Security-typed languages are an evolving tool for implementing systems with provable security guarantees. However, to date, these tools have only been used to build simple “toy ” programs. As described in this paper, we have developed the first real-world, security-typed application: a secure email system written in the Java language variant Jif. Real-world policies are mapped onto the information flows controlled by the language primitives, and we consider the process and tractability of broadly enforcing security policy in commodity applications. We find that while the language provided the rudimentary tools to achieve low-level security goals, additional tools, services, and language extensions were necessary to formulate and enforce application policy. We detail the design and use of these tools. We also show how the strong guarantees of Jif in conjunction with our policy tools can be used to evaluate security. This work serves as a starting point–we have demonstrated that it is possible to implement real-world systems and policy using security-typed languages. However, further investigation of the developer tools and supporting policy infrastructure is necessary before they can fulfill their considerable promise of enabling more secure systems. 1
A Type System for Data-Flow Integrity on Windows Vista
, 2007
"... The Microsoft Windows Vista operating system implements mandatory access control (MAC) for multi-level integrity. Vista’s MAC implementation is designed to balance security with functionality—trusted processes may read untrusted values, and integrity labels may be changed dynamically. While such fle ..."
Abstract
-
Cited by 12 (9 self)
- Add to MetaCart
(Show Context)
The Microsoft Windows Vista operating system implements mandatory access control (MAC) for multi-level integrity. Vista’s MAC implementation is designed to balance security with functionality—trusted processes may read untrusted values, and integrity labels may be changed dynamically. While such flexibility makes the system more usable, it also opens the door for information flow vulnerabilities. We propose data-flow integrity (DFI) as a practical security property in this context, and present a type system to enforce DFI in Vista. As long as all trusted code is certified by the type system, we guarantee that locations whose contents are trusted never contain untrusted values, regardless of what untrusted code runs in the environment. Our type system relies on Vista’s dynamic MAC checks for soundness, and illustrates the genuine interplay between static analysis and runtime checks that is needed to ensure such protection. Our study may be viewed as a formalization of the security design of Vista; in particular, our type system formalizes conjectured best practices for secure programming on Vista. Further, we show that while Vista’s write access checks are necessary to enforce DFI, the access control on execution of binaries can in fact be eliminated as a runtime optimization if trusted code is typed using our type system.
Integrity walls: Finding attack surfaces from mandatory access control policies
- in Proceedings of the 7th ACM Symposium on Information, Computer, and Communications Security (ASIACCS 2012
, 2012
"... Adding new programs or configuration options to a system often leads to new exploits because it provides adversaries with new ways to access possible vulnerabilities. As a result, application developers often must react to exploits as they are found. One proactive defense is to protect programs at t ..."
Abstract
-
Cited by 11 (7 self)
- Add to MetaCart
(Show Context)
Adding new programs or configuration options to a system often leads to new exploits because it provides adversaries with new ways to access possible vulnerabilities. As a result, application developers often must react to exploits as they are found. One proactive defense is to protect programs at their attack surfaces, the program entry points (e.g., system calls) accessible to adversaries. However, experience has shown that developers often fail to defend these entry points because they do not locate all such system calls where programs access system resources controlled by attackers. In this paper, we develop a runtime analysis method to compute program attack surfaces in system deployments, which uses a novel approach to computing program adversaries to determine which program entry points access adversarycontrolled objects. We implemented our design as a Linux kernel mechanism capable of identifying entry points for both binary and interpreted programs. Using this mechanism, we computed the attack surfaces for all the programs in the Ubuntu Linux 10.04 Desktop distribution automatically. On examining located attack surfaces, we discovered previously unknown vulnerabilities in an X Windows startup script available since 2006 and the GNU Icecat web browser. Our tools enable developers to find attack surfaces for their programs quickly and to produce defenses prior to the emergence of attacks, potentially moving us away from the penetrate-and-patch rut. 1.
Verifying Compliance of Trusted Programs
- CONFERENCE ON SECURITY SYMPOSIUM
, 2008
"... In this paper, we present an approach for verifying that trusted programs correctly enforce system security goals when deployed. A trusted program is trusted to only perform safe operations despite have the authority to perform unsafe operations; for example, initialization programs, administrative ..."
Abstract
-
Cited by 10 (7 self)
- Add to MetaCart
(Show Context)
In this paper, we present an approach for verifying that trusted programs correctly enforce system security goals when deployed. A trusted program is trusted to only perform safe operations despite have the authority to perform unsafe operations; for example, initialization programs, administrative programs, root network daemons, etc. Currently, these programs are trusted without concrete justification. The emergence of tools for building programs that guarantee policy enforcement, such as security-typed languages (STLs), and mandatory access control systems, such as user-level policy servers, finally offers a basis for justifying trust in such programs: we can determine whether these programs can be deployed in compliance with the reference monitor concept. Since program and system policies are defined independently, often using different access control models, compliance for all program deployments may be difficult to achieve in practice, however. We observe that the integrity of trusted programs must dominate the integrity of system data, and use this insight, which we call the PIDSI approach, to infer the relationship between program and system policies, enabling automated compliance verification. We find that the PIDSI approach is consistent with the SELinux reference policy for its trusted programs. As a result, trusted program policies can be designed independently of their target systems, yet still be deployed in a manner that ensures enforcement of system security goals.
Trojan Horse Resistant Discretionary Access Control
"... Modern operating systems primarily use Discretionary Access Control (DAC) to protect files and other operating system resources. DAC mechanisms are more user-friendly than Mandatory Access Control (MAC) systems, but are vulnerable to trojan horse attacks and attacks exploiting buggy software. We sho ..."
Abstract
-
Cited by 7 (0 self)
- Add to MetaCart
Modern operating systems primarily use Discretionary Access Control (DAC) to protect files and other operating system resources. DAC mechanisms are more user-friendly than Mandatory Access Control (MAC) systems, but are vulnerable to trojan horse attacks and attacks exploiting buggy software. We show that it is possible to have the best of both worlds: DAC’s easy-to-use discretionary policy specification and MAC’s defense against trojan horses and buggy programs. This is made possible by a key new insight that DAC has this weakness not because it uses the discretionary principle, but because existing DAC enforcement mechanisms assume that a single principal is responsible for any request, whereas in reality a request may be influenced by multiple principals; thus these mechanisms cannot correctly identify the true origin(s) of a request and fall prey to trojan horses. We propose to solve this problem by combining DAC’s policy specification with new enforcement techniques that use ideas from MAC’s information flow tracking. Our model, called Information Flow Enhanced Discretionary Access Control (IFEDAC), is the first DAC model that can defend against trojan horses and attacks exploiting buggy software. IFEDAC significantly strengthens end host security, while preserving to a large degree DAC’s ease of use. In this paper, we present the IFEDAC model, analyze its security properties, and discuss our design and implementation for Linux.
P.: Justifying integrity using a virtual machine verifier
- In: Annual Computer Security Applications Conference
, 2009
"... Abstract—Emerging distributed computing architectures, such as grid and cloud computing, depend on the high integrity execution of each system in the computation. While integrity measurement enables systems to generate proofs of their integrity to remote parties, we find that current integrity measu ..."
Abstract
-
Cited by 6 (4 self)
- Add to MetaCart
(Show Context)
Abstract—Emerging distributed computing architectures, such as grid and cloud computing, depend on the high integrity execution of each system in the computation. While integrity measurement enables systems to generate proofs of their integrity to remote parties, we find that current integrity measurement approaches are insufficient to prove runtime integrity for systems in these architectures. Integrity measurement approaches that are flexible enough have an incomplete view of runtime integrity, possibly leading to false integrity claims, and approaches that provide comprehensive integrity do so only for computing environments that are too restrictive. In this paper, we propose an architecture for building comprehensive runtime integrity proofs for general purpose systems in distributed computing architectures. In this architecture, we strive for classical integrity, using an approximation of the Clark-Wilson integrity model as our target. Key to building such integrity proofs is a carefully crafted host system whose long-term integrity can be justified easily using current techniques and a new component, called a VM verifier, which comprehensively enforces our integrity target on VMs. We have built a prototype based on the Xen virtual machine system for SELinux VMs, and find that distributed compilation can be implemented, providing accurate proofs of our integrity target with less than 4 % overhead. Keywords-cloud computing, integrity measurement, virtual machines I.
