DOI: 10.1145/1294261.1294293

Information flow control for standard OS abstractions

Published: 14 October 2007

    Abstract

    Decentralized Information Flow Control (DIFC) is an approach to security that allows application writers to control how data flows between the pieces of an application and the outside world. As applied to privacy, DIFC allows untrusted software to compute with private data while trusted security code controls the release of that data. As applied to integrity, DIFC allows trusted code to protect untrusted software from unexpected malicious inputs. In either case, only bugs in the trusted code, which tends to be small and isolated, can lead to security violations.
    We present Flume, a new DIFC model that applies at the granularity of operating system processes and standard OS abstractions (e.g., pipes and file descriptors). Flume was designed for simplicity of mechanism, to ease DIFC's use in existing applications, and to allow safe interaction between conventional and DIFC-aware processes. Flume runs as a user-level reference monitor on Linux. A process confined by Flume cannot perform most system calls directly; instead, an interposition layer replaces system calls with IPC to the reference monitor, which enforces data flow policies and performs safe operations on the process's behalf. We ported a complex web application (MoinMoin Wiki) to Flume, changing only 2% of the original code. Performance measurements show a 43% slowdown on read workloads and a 34% slowdown on write workloads, which are mostly due to Flume's user-level implementation.
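    As an added illustration (not code from the paper or from the Flume implementation), the following Python model shows the label rules a DIFC reference monitor of this kind enforces on each IPC or pipe write: every process carries a secrecy label and an integrity label (sets of tags), data may flow only where secrecy grows and integrity shrinks, and a process may change its own labels only with per-tag capabilities (t+ to add a tag, t- to remove one), so that declassification and endorsement are confined to the small trusted code that holds those capabilities. The tag names, process names and both scenarios are constructed for the example; the wiki scenario echoes the MoinMoin port only in spirit.

```python
"""A toy model of DIFC label checks in the Flume style.

Added illustration, not code from the paper or the Flume implementation.
Assumed (simplified) rules: a label is a set of opaque tags; each process
carries a secrecy label S and an integrity label I; data may flow from
p to q only if S_p <= S_q and I_q <= I_p; a process changes its own
labels only with per-tag capabilities it holds, t+ (add t) or t- (drop t).
Tag names, process names and both scenarios are constructed for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Process:
    """A confined process as the reference monitor tracks it."""
    name: str
    secrecy: frozenset = frozenset()
    integrity: frozenset = frozenset()
    caps: frozenset = frozenset()       # capabilities: (tag, "+") or (tag, "-")


def can_flow(src: Process, dst: Process) -> bool:
    """Safe-flow rule: secrecy may only grow, integrity may only shrink."""
    return src.secrecy <= dst.secrecy and dst.integrity <= src.integrity


def relabel(p: Process, *, secrecy=None, integrity=None) -> Process:
    """Return p with new labels if p holds every capability the change needs.

    Dropping a secrecy tag (t-) is declassification; adding an integrity
    tag (t+) is endorsement. Untrusted code simply never receives those."""
    new_s = p.secrecy if secrecy is None else frozenset(secrecy)
    new_i = p.integrity if integrity is None else frozenset(integrity)
    needed = ({(t, "+") for t in new_s - p.secrecy} |
              {(t, "-") for t in p.secrecy - new_s} |
              {(t, "+") for t in new_i - p.integrity} |
              {(t, "-") for t in p.integrity - new_i})
    missing = needed - p.caps
    if missing:
        raise PermissionError(f"{p.name} lacks capabilities {sorted(missing)}")
    return replace(p, secrecy=new_s, integrity=new_i)


def send(src: Process, dst: Process, log: list) -> bool:
    """The monitor's check on a write to a pipe or socket owned by dst."""
    ok = can_flow(src, dst)
    log.append(f"{src.name} -> {dst.name}: {'allowed' if ok else 'DENIED'}")
    return ok


def secrecy_scenario():
    """Untrusted wiki code handles alice's private page; only a trusted
    declassifier holding alice- may release anything to the public network."""
    alice = "alice"
    worker = Process("wiki-worker", secrecy=frozenset({alice}))   # tainted by alice's data
    alice_session = Process("alice-session", secrecy=frozenset({alice}))
    bob_session = Process("bob-session", secrecy=frozenset({"bob"}))
    public_net = Process("public-net")                             # empty secrecy label
    declassifier = Process("declassifier", secrecy=frozenset({alice}),
                           caps=frozenset({(alice, "-")}))
    log = []
    results = {
        "worker_to_alice": send(worker, alice_session, log),
        "worker_to_bob": send(worker, bob_session, log),
        "worker_to_net": send(worker, public_net, log),
        "declassifier_to_net": send(relabel(declassifier, secrecy=set()), public_net, log),
    }
    try:                       # the worker holds no alice-, so it cannot declassify itself
        relabel(worker, secrecy=set())
        results["worker_self_declassify"] = True
    except PermissionError:
        results["worker_self_declassify"] = False
    return results, log


def integrity_scenario():
    """A config loader requires integrity tag cfg; raw network input lacks it
    and reaches the loader only after trusted code holding cfg+ endorses it."""
    cfg = "cfg"
    http_parser = Process("http-parser")                           # integrity {}: untrusted input
    loader = Process("config-loader", integrity=frozenset({cfg}))
    validator = Process("validator", caps=frozenset({(cfg, "+")}))  # trusted, may endorse
    log = []
    results = {
        "raw_to_loader": send(http_parser, loader, log),
        "raw_to_validator": send(http_parser, validator, log),
        "endorsed_to_loader": send(relabel(validator, integrity={cfg}), loader, log),
    }
    return results, log


if __name__ == "__main__":
    for scenario in (secrecy_scenario, integrity_scenario):
        _, log = scenario()
        print("\n".join(log))
```

    The two scenarios correspond to the two uses the abstract names: in the secrecy case the untrusted worker can compute on alice's data and return it to her own session but cannot reach bob or the network, and only the declassifier's bug could leak it; in the integrity case the loader never sees raw network input until the validator endorses it. Note that the rules are enforced on the labels alone, so they hold no matter how the confined process behaves.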

    Supplementary Material

    Slides from the presentation: ZIP File (p321-slides.zip)
    Supplemental material for Information flow control for standard OS abstractions:
    Audio only (1294293.mp3)
    Video (1294293.mp4)



    Published In

    SOSP '07: Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
    October 2007
    378 pages
    ISBN:9781595935915
    DOI:10.1145/1294261
    Also published in: ACM SIGOPS Operating Systems Review, Volume 41, Issue 6 (SOSP '07)
    December 2007
    363 pages
    ISSN:0163-5980
    DOI:10.1145/1323293

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. DIFC
    2. decentralized information flow control
    3. endpoints
    4. reference monitor
    5. system call interposition
    6. web services

    Qualifiers

    • Article

    Conference

    SOSP07
    Sponsor:
    SOSP07: ACM SIGOPS 21st Symposium on Operating Systems Principles 2007
    October 14 - 17, 2007
    Washington, Stevenson, USA

    Acceptance Rates

    Overall Acceptance Rate 131 of 716 submissions, 18%

    Article Metrics

    • Downloads (Last 12 months)120
    • Downloads (Last 6 weeks)4
    Reflects downloads up to 11 Aug 2024

    Cited By

    • (2024) Cocoon: Static Information Flow Control in Rust. Proceedings of the ACM on Programming Languages, 8(OOPSLA1):166-193. DOI 10.1145/3649817. Online publication date: 29 Apr 2024.
    • (2024) Practical Integrity Validation in the Smart Home with HomeEndorser. Proceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 207-218. DOI 10.1145/3643833.3656116. Online publication date: 27 May 2024.
    • (2023) Data-Dependent Confidentiality in DCR Graphs. Proceedings of the 25th International Symposium on Principles and Practice of Declarative Programming, 1-13. DOI 10.1145/3610612.3610619. Online publication date: 22 Oct 2023.
    • (2023) Tainted Secure Multi-Execution to Restrict Attacker Influence. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 1732-1745. DOI 10.1145/3576915.3623110. Online publication date: 15 Nov 2023.
    • (2023) SysFlow: Toward a Programmable Zero Trust Framework for System Security. IEEE Transactions on Information Forensics and Security, 18:2794-2809. DOI 10.1109/TIFS.2023.3264152. Online publication date: 2023.
    • (2022) Distributed Information Flow Control in Serverless Computing. 2022 4th International Conference on Smart Systems and Inventive Technology (ICSSIT), 1557-1561. DOI 10.1109/ICSSIT53264.2022.9716444. Online publication date: 20 Jan 2022.
    • (2022) Analysis of the Expressive Power of DIFC Model Based on Temporal Logic. 2022 7th International Conference on Signal and Image Processing (ICSIP), 792-798. DOI 10.1109/ICSIP55141.2022.9886686. Online publication date: 20 Jul 2022.
    • (2022) Transparent DIFC: Harnessing Innate Application Event Logging for Fine-Grained Decentralized Information Flow Control. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), 487-501. DOI 10.1109/EuroSP53844.2022.00037. Online publication date: Jun 2022.
    • (2022) Compositional Information Flow Monitoring for Reactive Programs. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), 467-486. DOI 10.1109/EuroSP53844.2022.00036. Online publication date: Jun 2022.
    • (2022) DIFCS. Computers and Security, 117:C. DOI 10.1016/j.cose.2022.102678. Online publication date: 1 Jun 2022.
