1,185 research outputs found
Cryptographically Secure Information Flow Control on Key-Value Stores
We present Clio, an information flow control (IFC) system that transparently
incorporates cryptography to enforce confidentiality and integrity policies on
untrusted storage. Clio insulates developers from explicitly manipulating keys
and cryptographic primitives by leveraging the policy language of the IFC
system to automatically use the appropriate keys and correct cryptographic
operations. We prove that Clio is secure with a novel proof technique that is
based on a proof style from cryptography together with standard programming
languages results. We present a prototype Clio implementation and a case study
that demonstrates Clio's practicality.Comment: Full version of conference paper appearing in CCS 201
Capacity: Cryptographically-Enforced In-Process Capabilities for Modern ARM Architectures (Extended Version)
In-process compartmentalization and access control have been actively
explored to provide in-place and efficient isolation of in-process security
domains. Many works have proposed compartmentalization schemes that leverage
hardware features, most notably using the new page-based memory isolation
feature called Protection Keys for Userspace (PKU) on x86. Unfortunately, the
modern ARM architecture does not have an equivalent feature. Instead, newer ARM
architectures introduced Pointer Authentication (PA) and Memory Tagging
Extension (MTE), adapting the reference validation model for memory safety and
runtime exploit mitigation. We argue that those features have been
underexplored in the context of compartmentalization and that they can be
retrofitted to implement a capability-based in-process access control scheme.
This paper presents Capacity, a novel hardware-assisted intra-process access
control design that embraces capability-based security principles. Capacity
coherently incorporates the new hardware security features on ARM that already
exhibit inherent characteristics of capability. It supports the life-cycle
protection of the domain's sensitive objects -- starting from their import from
the file system to their place in memory. With intra-process domains
authenticated with unique PA keys, Capacity transforms file descriptors and
memory pointers into cryptographically-authenticated references and completely
mediates reference usage with its program instrumentation framework and an
efficient system call monitor. We evaluate our Capacity-enabled NGINX web
server prototype and other common applications in which sensitive resources are
isolated into different domains. Our evaluation shows that Capacity incurs a
low-performance overhead of approximately 17% for the single-threaded and
13.54% for the multi-threaded webserver.Comment: Accepted at ACM CCS 202
ANCHOR: logically-centralized security for Software-Defined Networks
While the centralization of SDN brought advantages such as a faster pace of
innovation, it also disrupted some of the natural defenses of traditional
architectures against different threats. The literature on SDN has mostly been
concerned with the functional side, despite some specific works concerning
non-functional properties like 'security' or 'dependability'. Though addressing
the latter in an ad-hoc, piecemeal way, may work, it will most likely lead to
efficiency and effectiveness problems. We claim that the enforcement of
non-functional properties as a pillar of SDN robustness calls for a systemic
approach. As a general concept, we propose ANCHOR, a subsystem architecture
that promotes the logical centralization of non-functional properties. To show
the effectiveness of the concept, we focus on 'security' in this paper: we
identify the current security gaps in SDNs and we populate the architecture
middleware with the appropriate security mechanisms, in a global and consistent
manner. Essential security mechanisms provided by anchor include reliable
entropy and resilient pseudo-random generators, and protocols for secure
registration and association of SDN devices. We claim and justify in the paper
that centralizing such mechanisms is key for their effectiveness, by allowing
us to: define and enforce global policies for those properties; reduce the
complexity of controllers and forwarding devices; ensure higher levels of
robustness for critical services; foster interoperability of the non-functional
property enforcement mechanisms; and promote the security and resilience of the
architecture itself. We discuss design and implementation aspects, and we prove
and evaluate our algorithms and mechanisms, including the formalisation of the
main protocols and the verification of their core security properties using the
Tamarin prover.Comment: 42 pages, 4 figures, 3 tables, 5 algorithms, 139 reference
- …