
Labels and event processes in the Asbestos operating system

Published: 01 December 2007

Abstract

Asbestos, a new operating system, provides novel labeling and isolation mechanisms that help contain the effects of exploitable software flaws. Applications can express a wide range of policies with Asbestos's kernel-enforced labels, including controls on interprocess communication and system-wide information flow. A new event process abstraction defines lightweight, isolated contexts within a single process, allowing one process to act on behalf of multiple users while preventing it from leaking any single user's data to others. A Web server demonstration application uses these primitives to isolate private user data. Since the untrusted workers that respond to client requests are constrained by labels, exploited workers cannot directly expose user data except as allowed by application policy. The server application requires 1.4 memory pages per user for up to 145,000 users and achieves connection rates similar to Apache, demonstrating that additional security can come at an acceptable cost.



Published In

ACM Transactions on Computer Systems, Volume 25, Issue 4
December 2007
119 pages
ISSN: 0734-2071
EISSN: 1557-7333
DOI: 10.1145/1314299

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published in TOCS Volume 25, Issue 4

Author Tags

  1. Information flow
  2. labels
  3. mandatory access control
  4. process abstractions
  5. secure Web servers

Qualifiers

  • Article

Article Metrics

  • Downloads (last 12 months): 16
  • Downloads (last 6 weeks): 4
Reflects downloads up to 16 Jan 2025

Cited By

  • (2024) Formalization and Analysis of Aeolus-based File System from Process Algebra Perspective. Mobile Networks and Applications 29:1, 273-285. DOI: 10.1007/s11036-024-02332-w. Online publication date: 1 Feb 2024.
  • (2022) Analysis of the Expressive Power of DIFC Model Based on Temporal Logic. 2022 7th International Conference on Signal and Image Processing (ICSIP), 792-798. DOI: 10.1109/ICSIP55141.2022.9886686. Online publication date: 20 Jul 2022.
  • (2022) Automatic analysis of DIFC systems using noninterference with declassification. Neural Computing and Applications 34:12, 9385-9396. DOI: 10.1007/s00521-021-06334-7. Online publication date: 1 Jun 2022.
  • (2021) Analyzing the Overhead of File Protection by Linux Security Modules. Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, 393-406. DOI: 10.1145/3433210.3453078. Online publication date: 24 May 2021.
  • (2021) Foundations of Fine-Grained Explainability. Computer Aided Verification, 500-523. DOI: 10.1007/978-3-030-81688-9_24. Online publication date: 20 Jul 2021.
  • (2020) Information Flow Control to Secure Data in the Cloud. 2020 International Conference on Computational Science and Computational Intelligence (CSCI), 1288-1294. DOI: 10.1109/CSCI51800.2020.00241. Online publication date: Dec 2020.
  • (2020) End-to-end information flow security for web services orchestration. Science of Computer Programming 187, 102376. DOI: 10.1016/j.scico.2019.102376. Online publication date: Feb 2020.
  • (2018) Ryoan. ACM Transactions on Computer Systems 35:4, 1-32. DOI: 10.1145/3231594. Online publication date: 16 Dec 2018.
  • (2018) An Experimental Flow Secure File System. 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications / 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), 790-799. DOI: 10.1109/TrustCom/BigDataSE.2018.00113. Online publication date: Aug 2018.
  • (2018) Towards Quantified Data Analysis of Information Flow Tracking for Secure System Design. IEEE Access 6, 1822-1831. DOI: 10.1109/ACCESS.2017.2780254. Online publication date: 2018.
