DOI: 10.1145/1455770.1455800
Research article

Enforcing authorization policies using transactional memory introspection

Published: 27 October 2008

Abstract

Correct enforcement of authorization policies is a difficult task, especially for multi-threaded software. Even in carefully reviewed code, unauthorized access may be possible in subtle corner cases. We introduce Transactional Memory Introspection (TMI), a novel reference monitor architecture that builds on Software Transactional Memory, a new, attractive alternative for writing correct, multi-threaded software.
TMI facilitates correct security enforcement by simplifying how the reference monitor integrates with software functionality. TMI can ensure complete mediation of security-relevant operations, eliminate race conditions related to security checks, and simplify handling of authorization failures. We present the design and implementation of a TMI-based reference monitor and experiment with its use in enforcing authorization policies on four significant servers. Our experiments confirm the benefits of the TMI architecture and show that it imposes an acceptable runtime overhead.
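As an added illustration (not code from the paper or its authors), the following Python sketch shows the shape of the architecture the abstract describes: a toy transaction buffers its reads and writes, and the reference monitor inspects the complete read/write set inside the commit's critical section, rejecting the whole transaction on a policy violation. The store, the owner-based policy and the sample objects are constructed for this example.

```python
import threading

# Constructed sample data: object name -> owner (hypothetical file-like objects)
OWNERS = {"/home/alice/notes": "alice", "/home/bob/todo": "bob"}

def owner_policy(subject, op, key):
    """Toy policy: a subject may read or write only the objects it owns."""
    return OWNERS.get(key) == subject

class AuthorizationError(Exception):
    pass

class Store:
    """Shared state; it changes only via Transaction.commit(), so every
    security-relevant write passes through the commit-time check."""
    def __init__(self, data):
        self.data = dict(data)
        self.lock = threading.Lock()

class Transaction:
    def __init__(self, store, subject, policy):
        self.store, self.subject, self.policy = store, subject, policy
        self.reads, self.writes = set(), {}   # read set and buffered write set
    def read(self, key):
        self.reads.add(key)
        return self.writes.get(key, self.store.data.get(key))
    def write(self, key, value):
        self.writes[key] = value              # buffered, not yet visible
    def commit(self):
        # Introspection: the monitor checks the complete read/write set, and
        # check and apply run under one lock, so there is no check/use race.
        with self.store.lock:
            for key in self.reads:
                if not self.policy(self.subject, "read", key):
                    raise AuthorizationError(f"{self.subject} may not read {key}")
            for key in self.writes:
                if not self.policy(self.subject, "write", key):
                    raise AuthorizationError(f"{self.subject} may not write {key}")
            self.store.data.update(self.writes)

def run(store, subject, body, policy=owner_policy):
    """Execute body(tx) and commit; on denial the buffered writes are simply
    discarded (rollback), so the application needs no hand-written cleanup."""
    tx = Transaction(store, subject, policy)
    body(tx)
    try:
        tx.commit()
        return True
    except AuthorizationError:
        return False
```

Application code in `body` contains no authorization checks at all; mediation is complete because the only way to touch the store is through a transaction whose commit is introspected.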



Published In

CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
October 2008
590 pages
ISBN:9781595938107
DOI:10.1145/1455770
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. reference monitors
  2. transactional memory

Qualifiers

  • Research-article

Conference

CCS08

Acceptance Rates

CCS '08 Paper Acceptance Rate 51 of 280 submissions, 18%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

