Practical Fine-grained Privilege Separation in Multithreaded Applications

An inherent security limitation with the classic multithreaded programming model is that all the threads share the same address space and, therefore, are implicitly assumed to be mutually trusted. This assumption, however, does not take into consideration of many modern multithreaded applications that involve multiple principals which do not fully trust each other. It remains challenging to retrofit the classic multithreaded programming model so that the security and privilege separation in multi-principal applications can be resolved. This paper proposes ARBITER, a run-time system and a set of security primitives, aimed at fine-grained and data-centric privilege separation in multithreaded applications. While enforcing effective isolation among principals, ARBITER still allows flexible sharing and communication between threads so that the multithreaded programming paradigm can be preserved. To realize controlled sharing in a fine-grained manner, we created a novel abstraction named ARBITER Secure Memory Segment (ASMS) and corresponding OS support. Programmers express security policies by labeling data and principals via ARBITER's API following a unified model. We ported a widely-used, in-memory database application (memcached) to ARBITER system, changing only around 100 LOC. Experiments indicate that only an average runtime overhead of 5.6% is induced to this security enhanced version of application

50 years of isolation

The traditional means for isolating applications from each other is via the use of operating system provided “process” abstraction facilities. However, as applications now consist of multiple fine-grained components, the traditional process abstraction model is proving to be insufficient in ensuring this isolation. Statistics indicate that a high percentage of software failure occurs due to propagation of component failures. These observations are further bolstered by the attempts by modern Internet browser application developers, for example, to adopt multi-process architectures in order to increase robustness. Therefore, a fresh look at the available options for isolating program components is necessary and this paper provides an overview of previous and current research on the area

Lessons from Formally Verified Deployed Software Systems (Extended version)

The technology of formal software verification has made spectacular advances, but how much does it actually benefit the development of practical software? Considerable disagreement remains about the practicality of building systems with mechanically-checked proofs of correctness. Is this prospect confined to a few expensive, life-critical projects, or can the idea be applied to a wide segment of the software industry? To help answer this question, the present survey examines a range of projects, in various application areas, that have produced formally verified systems and deployed them for actual use. It considers the technologies used, the form of verification applied, the results obtained, and the lessons that can be drawn for the software industry at large and its ability to benefit from formal verification techniques and tools. Note: a short version of this paper is also available, covering in detail only a subset of the considered systems. The present version is intended for full reference.Comment: arXiv admin note: text overlap with arXiv:1211.6186 by other author

Trusted Collaborative Real Time Scheduling in a Smart Card Exokernel

This paper presents the work we have conducted concerning real time scheduling in Camille, an exokernel dedicated to smart cards. We show that it is possible to embedded a flexible real-time operating system despite the important hardware limitations of the smart card platform. We present the major difficulties one has to face when integrating real time support in an exokernel embedded on a very resource-limited platform. We first present a naive solution consisting in allocating an equal time slice to every system extensions and letting each one share it as needed amongst its tasks. We show that this solution does not account for loading of new extensions in the system, and that it can fail if some extensions have much more work to carry out than the others. We then present a more complex solution based upon collaborative schedulers grouped as virtual extensions. We show that this solution supports dynamic loading of new extensions and works even for very unbalanced task repartitions. We finally address the issue of trust between the collaborating extensions and we propose a solution based on exhaustive testing and formal proving of the plan functions

webComputing Service Framework

Presented is webComputing – a general framework of mathematically oriented services including remote access to hardware and software resources for mathematical computations, and web interface to dynamic interactive computations and visualization in a diversity of contexts: mathematical research and engineering, computer-aided mathematical/technical education and distance learning. webComputing builds on the innovative webMathematica technology connecting technical computing system Mathematica to a web server and providing tools for building dynamic and interactive web-interface to Mathematica-based functionality. Discussed are the conception and some of the major components of webComputing service: Scientific Visualization, Domain- Specific Computations, Interactive Education, and Authoring of Interactive Pages

Behavioural access control in distributed environments

Applications and services in distributed environments are an increasingly important topic. Hence approaches to security issues in such applications are also becoming essential. Crucial information is needed to be protected properly and mechanisms must be developed for this protection. Access control is one of the topics that underline security problems. It concerns assuring that data or resources are accessed by the correct entities. A commonly used access control approach is called access control lists, which is widely applied in most operating systems. However, this approach has some weaknesses with regard to scalability, and so it is not very suitable for distributed environments that usually have variable populations. Capabilities on the other hand offer scalability and adaptability advantages over access control lists. Capabilities are unforgeable tickets that can be propagated between entities, and fit well in distributed environments. But capabilities also have limits due to their simple structure. They grant infinite number of accesses for given types of actions, but are not able to capture sequences and branches of actions, which may be called aspects of behaviours. In this thesis, behaviour control approaches are introduced, through Vistas to Treaties. Vistas can provide explicit access control for each component of objects, and provide primitive control over action sequences. Treaties develop behaviour control further by containing behaviour descriptors which can specify those sequencing, branching and terminating aspects, and hence can provide much finer control over behaviours. Because treaties inherit the scalable attributes of capabilities, they also fit well in distributed environments. An interesting feature in treaty systems is that they allow users to refine the specifications of behaviours and generate new treaties from existing ones. A number of treaty combinator operations are proposed to realize this functionality, and they are shown to be safe with respect to the security of access control. A novel issue created by the treaty approach is identified in the thesis. The new problem is called the duplication problem, which could cause users being able to gain more permissions than they should have by making copies of unprotected treaties. Any treaty systems must provide solutions to this problem. Three models which solve the duplication problem are proposed, with an analysis of their differences, and advantages and disadvantages. Treaties are a general concept and in real cases they can be represented in various ways. There are components in treaties that have given a variety of implementation options, and the developers of services and applications can choose to combine these options to fit their special requirements. This makes treaties more flexible and adaptable. The implementations of concreted treaties and treaty systems are introduced, and these implemented treaties are used to test their behaviour control abilities. Evaluations for different treaty representations are provided to compare their performance. Scalability of treaty systems is also evaluated, showing that treaties are good to be deployed in distributed environments