40 research outputs found
ECONOMICALLY PROTECTING COMPLEX, LEGACY OPERATING SYSTEMS USING SECURE DESIGN PRINCIPLES
In modern computer systems, complex legacy operating systems, such as Linux, are deployed ubiquitously. Many design choices in these legacy operating systems predate a modern understanding of security risks. As a result, new attack opportunities are routinely discovered to subvert such systems, which reveal design flaws that spur new research about secure design principles and other security mechanisms to thwart these attacks. Most research falls into two categories: encapsulating the threat and redesigning the system from scratch. Each approach has its challenge. Encapsulation can only limit the exposure to the risk, but not entirely prevent it. Rewriting the huge codebase of these operating systems is impractical in terms of developer effort, but appealing inasmuch as it can comprehensively eliminate security risks. This thesis pursues a third, understudied option: retrofitting security design principles in the existing kernel design. Conventional wisdom discourages retrofitting security because retrofitting is a hard problem, may require the use of new abstractions or break backward compatibility, may have unforeseen consequences, and may be equivalent to redesigning the system from scratch in terms of effort. This thesis offers new evidence to challenge this conventional wisdom, indicating that one can economically retrofit a comprehensive security policy onto complex, legacy systems. To demonstrate this assertion, this thesis firstly surveys the alternative of encapsulating the threat to the complex, legacy system by adding a monitoring layer using a technique called Virtual Machine Introspection, and discusses the shortcomings of this technique. Secondly, this thesis shows how to enforce the principle of least privilege by removing the need to run setuid-to-root binaries with administrator privilege. Finally, this thesis takes the first steps to show how to economically retrofit secure design principles to the OS virtualization feature of the Linux kernel called containers without rewriting the whole system. This approach can be applied more generally to other legacy systems.Doctor of Philosoph
From Conventional to State-of-the-Art IoT Access Control Models
open access articleThe advent in Online Social Networks (OSN) and Internet of Things (IoT) has created a new world of collaboration and communication between people and devices. The domain of internet of things uses billions of devices (ranging from tiny sensors to macro scale devices) that continuously produce and exchange huge amounts of data with people and applications. Similarly, more than a billion people are connected through social networking sites to collaborate and share their knowledge. The applications of IoT such as smart health, smart city, social networking, video surveillance and vehicular communication are quickly evolving people’s daily lives. These applications provide accurate, information-rich and personalized services to the users. However, providing personalized information comes at the cost of accessing private information of users such as their location, social relationship details, health information and daily activities. When the information is accessible online, there is always a chance that it can be used maliciously by unauthorized entities. Therefore, an effective access control mechanism must be employed to ensure the security and privacy of entities using OSN and IoT services. Access control refers to a process which can restrict user’s access to data and resources. It enforces access rules to grant authorized users an access to resources and prevent others. This survey examines the increasing literature on access control for traditional models in general, and for OSN and IoT in specific. Challenges and problems related to access control mechanisms are explored to facilitate the adoption of access control solutions in OSN and IoT scenarios. The survey provides a review of the requirements for access control enforcement, discusses several security issues in access control, and elaborates underlying principles and limitations of famous access control models. We evaluate the feasibility of current access control models for OSN and IoT and provide the future development direction of access control for the sam
Secure Messaging with in-app user defined schemes
Cryptography has been the culmination of human trials and mistrials in an attempt to
keep information safe from unintended access. We have learned from our mistakes in
the past, and today with the help of both academician and software developers, we have
robust cryptographic technologies. Cryptography however, is a race between increasing
processing power of modern machines and the complexity of cryptographic systems.
With quantum computing on the horizon, our present cryptographic systems seem to fall
behind in this race. There is a need to catalyze research in the field.
Here, an application is proposed, which empowers users to write their own cryptographic
schemes. It hopes to create a platform where people can share their cryptographic
schemes and have an application that can help them share information securely. The
author hopes, that an application which sources cryptographic schemes from users, would
help catalyze research in the field. An application where the security implementation
is dependent on the whim of the user could prove a hard target for attack. The thesis
starts with a preliminary study of the Android platform. The thesis then analyzes im-
plementations of a few secure messaging applications and then delves into details of NFC.
Using the background information accumulated during the course of this study, the
authors attempt to formulate a sound implementation of a messaging application. The
thesis is also accompanied with a proof-of-concept Android application that checks the
viability of concepts discussed herein
Securing unikernels in cloud infrastructures
PhD ThesisCloud computing adoption has seen an increase during the last few years.
However, cloud tenants are still concerned about the security that the Cloud
Service Provider (CSP) offers. Recent security incidents in cloud infrastructures that exploit vulnerabilities in the software layer highlight
the need to develop new protection mechanisms. A recent direction in
cloud computing is toward massive consolidation of resources by using
lightweight Virtual Machines (VMs) called unikernels. Unikernels are
specialised VMs that eliminate the Operating System (OS) layer and include the advantages of small footprint, minimal attack surface, nearinstant boot times and multi-platform deployment. Even though using
unikernels has certain advantages, unikernels employ a number of shortcomings. First, unikernels do not employ context switching from user to
kernel mode. A malicious user could exploit this shortcoming to escape
the isolation boundaries that the hypervisor provides. Second, having a
large number of unikernels in a single virtualised host creates complex security policies that are difficult to manage and can introduce exploitable
misconfigurations. Third, malicious insiders, such as disgruntled system
administrators can use privileged software to exfiltrate data from unikernels. In this thesis, we divide our research into two parts, concerning the
development of software and hardware-based protection mechanisms for
cloud infrastructures that focus on unikernels. In each part, we propose
a new protection mechanism for cloud infrastructures, where tenants develop their workloads using unikernels.
In the first part, we propose a software-based protection mechanism that
controls access to resources, which results on creating least-privileged
unikernels. Current access-control mechanisms that reside in hypervisors
do not confine unikernels to accepted behaviour and are susceptible to
privilege escalation and Virtual Machine escapes attacks. Therefore, current hypervisors need to take into account the possibility of having one or
more malicious unikernels and rethink their access-control mechanisms.
We designed and implemented VirtusCap, a capability-based access control mechanism that acts as a lower layer of regulating access to resources
in cloud infrastructures. Consequently, unikernels are only assigned the
privileges required to perform their task. This ensures that the accesscontrol mechanism that resides in the hypervisor will only grant access to
resources specified with capabilities. In addition, capabilities are easier to
delegate to other unikernels when they need to and the security policies are
less complex. Our performance evaluation shows that up to request rate of
7000 (req/sec) our prototype’s response time is identical to XSM-Flask.
In the second part, we address the following problem: how to guarantee
the confidentiality and integrity of computations executing in a unikernel
even in the presence of privileged software used by malicious insiders?
A research prototype was designed and implemented called UniGuard,
which aims to protect unikernels from an untrusted cloud, by executing
the sensitive computations inside secure enclaves. This approach provides
confidentiality and integrity guarantees for unikernels against software and
certain physical attacks. We show how we integrated Intel SGX with
unikernels and added the ability to spawn enclaves that execute the sensitive computations. We conduct experiments to evaluate the performance
of UniGuard, which show that UniGuard exhibits acceptable performance
overhead in comparison to when the sensitive computations are not executed inside a enclave. To the best of our knowledge, UniGuard is the first
solution that protects the confidentiality and integrity of computations that
execute inside unikernels using Intel SGX.
Currently, unikernels drive the next generation of virtualisation software
and especially the cooperation with other virtualisation technologies, such
as containers to form hybrid virtualisation workloads. Thus, it is paramount
to scrutinise the security of unikernels in cloud infrastructures and propose
novel protection mechanisms that will drive the next cloud evolution
ACCESSIBLE ACCESS CONTROL: A VISUALIZATION SYSTEM FOR ACCESS CONTROL POLICY MANAGEMENT
Attacks on computers today present in many different forms, causing malfunction of operating systems, information leakage and loss of business and public trust. Access control is a technique that stands as the last line of protection restricting the access of users or processes to resources on computers. Throughout the years, many access control models have been implemented to accommodate security requirements under different circumstances. However, the learning of access control models and the management of access control policies are still challenging given its abstract nature, the lack of an environment for practice, and the intricacy of fulfilling complex security goals. These problems seriously reduce the usability of access control models.
In this dissertation, we present a set of pedagogical systems that facilitates the teaching and studying of access control models and a visualization system that aids the authoring and analysis of access control policies. These systems are designed to tackle the usability problems in two steps. First, the pedagogical systems were designed for new learners to overcome the obstacles of learning access control and the lack of practicing environment at the very beginning. Contrary to the traditional lecture and in-paper homework method, the tool allows users to write/import a policy file, follow the visual steps to understand the concepts and access mechanisms of a model and conduct self-evaluation through Quiz and Query modules. Each of the four systems is specifically designed for a model of the Domain Type Enforcement, Multi-level Security, Role-based Access Control, or UNIX permissions. Through these systems, users are able to take an active role in exploring the effect of a policy with a safe and intact underlying operating systems. Second, writing and evaluating the effect of a policy could also be challenging and tedious even for security professionals when there are thousands of lines of rules. We believe that writing an access control policy should not include the complexity of learning a new language, and managing the policies should never be manual when automatic examination could take the place. In the aspect of policy writing, the visualization system kept the least number of key elements for specifying a rule: user, object, and action. They describe the active entity who takes the action, the file or directory which the action is applied to, and the type of accesses allowed, respectively. Because of its simple form without requiring the learning of a programming-like language, we hope that specifying policies using our language could be accomplished effortlessly not only by security professionals but also by anyone who is interested in access control. Moreover, policies can often be left unexamined when deployed. This is similar to releasing program which was untested and could lead to dangerous results. Therefore, the visualization system provides ways to explore and analyze access control policies to help confirm the effect of the policies. Through interactive textual and graphical illustrations, users could specify the accesses to check, and be notified when problems exist
An Historical Analysis of the SEAndroid Policy Evolution
Android adopted SELinux's mandatory access control (MAC) mechanisms in 2013.
Since then, billions of Android devices have benefited from mandatory access
control security policies. These policies are expressed in a variety of rules,
maintained by Google and extended by Android OEMs. Over the years, the rules
have grown to be quite complex, making it challenging to properly understand or
configure these policies.
In this paper, we perform a measurement study on the SEAndroid repository to
understand the evolution of these policies. We propose a new metric to measure
the complexity of the policy by expanding policy rules, with their abstraction
features such as macros and groups, into primitive "boxes", which we then use
to show that the complexity of the SEAndroid policies has been growing
exponentially over time. By analyzing the Git commits, snapshot by snapshot, we
are also able to analyze the "age" of policy rules, the trend of changes, and
the contributor composition. We also look at hallmark events in Android's
history, such as the "Stagefright" vulnerability in Android's media facilities,
pointing out how these events led to changes in the MAC policies. The growing
complexity of Android's mandatory policies suggests that we will eventually hit
the limits of our ability to understand these policies, requiring new tools and
techniques.Comment: 16 pages, 11 figures, published in ACSAC '1
On component-oriented access control in lightweight virtualized server environments
2017 Fall.Includes bibliographical references.With the advancements in contemporary multi-core CPU architectures and increase in main memory capacity, it is now possible for a server operating system (OS), such as Linux, to handle a large number of concurrent services on a single server instance. Individual components of such services may run in different isolated runtime environments, such as chrooted jails or related forms of OS-level containers, and may need restricted access to system resources and the ability to share data and coordinate with each other in a regulated and secure manner. In this dissertation we describe our work on the access control framework for policy formulation, management, and enforcement that allows access to OS resources and also permits controlled data sharing and coordination for service components running in disjoint containerized environments within a single Linux OS server instance. The framework consists of two models and the policy formulation is based on the concept of policy classes for ease of administration and enforcement. The policy classes are managed and enforced through a Lightweight Policy Machine for Linux (LPM) that acts as the centralized reference monitor and provides a uniform interface for regulating access to system resources and requesting data and control objects. We present the details of our framework and also discuss the preliminary implementation and evaluation to demonstrate the feasibility of our approach