71 research outputs found
Making information flow explicit in HiStar
HiStar is a new operating system designed to minimize the amount of code that must be trusted. HiStar provides strict information flow control, which allows users to specify precise data security policies without unduly limiting the structure of applications. HiStar's security features make it possible to implement a Unix-like environment with acceptable performance almost entirely in an untrusted user-level library. The system has no notion of superuser and no fully trusted code other than the kernel. HiStar's features permit several novel applications, including privacy-preserving, untrusted virus scanners and a dynamic Web server with only a few thousand lines of trusted code.National Science Foundation (U.S.) (Cybertrust Award CNS-0716806)National Science Foundation (U.S.) (Cybertrust/DARPA Grant CNS-0430425
Plugging Side-Channel Leaks with Timing Information Flow Control
The cloud model's dependence on massive parallelism and resource sharing
exacerbates the security challenge of timing side-channels. Timing Information
Flow Control (TIFC) is a novel adaptation of IFC techniques that may offer a
way to reason about, and ultimately control, the flow of sensitive information
through systems via timing channels. With TIFC, objects such as files,
messages, and processes carry not just content labels describing the ownership
of the object's "bits," but also timing labels describing information contained
in timing events affecting the object, such as process creation/termination or
message reception. With two system design tools-deterministic execution and
pacing queues-TIFC enables the construction of "timing-hardened" cloud
infrastructure that permits statistical multiplexing, while aggregating and
rate-limiting timing information leakage between hosted computations.Comment: 5 pages, 3 figure
Icebergs in the Clouds: the Other Risks of Cloud Computing
Cloud computing is appealing from management and efficiency perspectives, but
brings risks both known and unknown. Well-known and hotly-debated information
security risks, due to software vulnerabilities, insider attacks, and
side-channels for example, may be only the "tip of the iceberg." As diverse,
independently developed cloud services share ever more fluidly and aggressively
multiplexed hardware resource pools, unpredictable interactions between
load-balancing and other reactive mechanisms could lead to dynamic
instabilities or "meltdowns." Non-transparent layering structures, where
alternative cloud services may appear independent but share deep, hidden
resource dependencies, may create unexpected and potentially catastrophic
failure correlations, reminiscent of financial industry crashes. Finally, cloud
computing exacerbates already-difficult digital preservation challenges,
because only the provider of a cloud-based application or service can archive a
"live," functional copy of a cloud artifact and its data for long-term cultural
preservation. This paper explores these largely unrecognized risks, making the
case that we should study them before our socioeconomic fabric becomes
inextricably dependent on a convenient but potentially unstable computing
model.Comment: 6 pages, 3 figure
Linux Kernel Vulnerabilities: State-of-the-Art Defenses and Open Problems
Avoiding kernel vulnerabilities is critical to achieving security of many systems, because the kernel is often part of the trusted computing base. This paper evaluates the current state-of-the-art with respect to kernel protection techniques, by presenting two case studies of Linux kernel vulnerabilities. First, this paper presents data on 141 Linux kernel vulnerabilities discovered from January 2010 to March 2011, and second, this paper examines how well state-of-the-art techniques address these vulnerabilities. The main findings are that techniques often protect against certain exploits of a vulnerability but leave other exploits of the same vulnerability open, and that no effective techniques exist to handle semantic vulnerabilities---violations of high-level security invariants.United States. Defense Advanced Research Projects Agency. Clean-slate design of Resilient, Adaptive, Secure Hosts (Contract #N66001-10-2-4089
Apprehending Joule Thieves with Cinder
Energy is the critical limiting resource to mobile computing devices. Correspondingly, an operating system must track, provision, and ration how applications consume energy. The emergence of third-party application stores and marketplaces makes this concern even more pressing. A third-party application must not deny service through excessive, unforeseen energy expenditure, whether accidental or malicious. Previous research has shown promise in tracking energy usage and rationing it to meet device lifetime goals, but such mechanisms and policies are still nascent, especially regarding user interaction. We argue for a new operating system, called Cinder, which builds on top of the HiStar OS. Cinder's energy awareness is based on hierarchical capacitors and task profiles. We introduce and explore these abstractions, paying particular attention to the ways in which policies could be generated and enforced in a dynamic system
World Wide Web Without Walls
Today's Web is built upon a particular symbiotic relationship betweensites and users: the sites invest capital to create and market a setof features, and users gain access to the sites often in exchange fortheir data (e.g., photos, personal information, creative musings,etc.). This paper imagines a very different Web ecosystem, in whichusers retain control of their data and developers can justify theirexistence without hoarding user data
iLeak: A Lightweight System for Detecting Inadvertent Information Leaks
Data loss incidents, where data of sensitive nature are exposed to the public, have become too frequent and have caused damages of millions of dollars to companies and other organizations. Repeatedly, information leaks occur over the Internet, and half of the time they are accidental, caused by user negligence, misconfiguration of software, or inadequate understanding of an application's functionality. This paper presents iLeak, a lightweight, modular system for detecting inadvertent information leaks. Unlike previous solutions, iLeak builds on components already present in modern computers. In particular, we employ system tracing facilities and data indexing services, and combine them in a novel way to detect data leaks. Our design consists of three components: uaudits are responsible for capturing the information that exits the system, while Inspectors use the indexing service to identify if the transmitted data belong to files that contain potentially sensitive information. The Trail Gateway handles the communication and synchronization of uaudits and Inspectors. We implemented iLeak on Mac OS X using DTrace and the Spotlight indexing service. Finally, we show that iLeak is indeed lightweight, since it only incurs 4% overhead on protected applications
Practical Fine-grained Privilege Separation in Multithreaded Applications
An inherent security limitation with the classic multithreaded programming
model is that all the threads share the same address space and, therefore, are
implicitly assumed to be mutually trusted. This assumption, however, does not
take into consideration of many modern multithreaded applications that involve
multiple principals which do not fully trust each other. It remains challenging
to retrofit the classic multithreaded programming model so that the security
and privilege separation in multi-principal applications can be resolved.
This paper proposes ARBITER, a run-time system and a set of security
primitives, aimed at fine-grained and data-centric privilege separation in
multithreaded applications. While enforcing effective isolation among
principals, ARBITER still allows flexible sharing and communication between
threads so that the multithreaded programming paradigm can be preserved. To
realize controlled sharing in a fine-grained manner, we created a novel
abstraction named ARBITER Secure Memory Segment (ASMS) and corresponding OS
support. Programmers express security policies by labeling data and principals
via ARBITER's API following a unified model. We ported a widely-used, in-memory
database application (memcached) to ARBITER system, changing only around 100
LOC. Experiments indicate that only an average runtime overhead of 5.6% is
induced to this security enhanced version of application
- …