Enforcing Security Policies using Transactional Memory Introspection

Vinod Ganapathy (Rutgers University), Arnar Birgisson, Mohan Dhawan, Ulfar Erlingsson, Liviu Iftode
Vinod Ganapathy Transactional Memory Introspection/IPAM'08 2
[Figure: X server with multiple X clients, one REMOTE and one LOCAL]

[Figure: Undesirable information flow between the REMOTE and LOCAL clients]

[Figure: Desirable information flow between the LOCAL and REMOTE clients]
X server with authorization

[Figure: an X client sends an operation request to the X server and receives a response; before the request is performed, the server's reference monitor consults the authorization policy and answers "Allowed? YES/NO"]
The problem

[Figure: a client sends requests to a server whose reference monitor consults an authorization policy]

The server
• serves multiple clients
• manages resources
• is likely multithreaded

Security enforcement crosscuts application functionality
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection
• Implementation and experiments
• Open questions and future work
Existing enforcement interface

dispatch_request ( ) {
    ...
    perform_request ( );
}

perform_request ( ) {
    ...
    perform_access (resource);
    ...
    perform_access'(resource');
}
Existing enforcement interface

dispatch_request ( ) {
    ...
    perform_request ( );
}

perform_request ( ) {
    ...
    if (allowed(principal, resource, access)) {
        perform_access (resource);
    } else { handle_auth_failure1(); }
    ...
    if (allowed(principal, resource', access')) {
        perform_access'(resource');
    } else { handle_auth_failure2(); }
}
Three problems

• Violation of complete mediation
• Time-of-check to time-of-use bugs
• Handling authorization failures
I. Incomplete mediation

dispatch_request ( ) {
    ...
    perform_request ( );
}

perform_request ( ) {
    ...
    if (allowed(principal, resource, access)) {
        perform_access (resource);
    } else { handle_auth_failure1(); }
    ...
    if (allowed(principal, resource', access')) {
        perform_access'(resource');
    } else { handle_auth_failure2(); }
}

Must guard each resource access to ensure complete mediation
I. Incomplete mediation

ssize_t vfs_read (struct file *file, ...) {
    ...
    if (check_permission(file, MAY_READ)) {
        file->f_op->read(file, ...);
    }
    ...
}

int page_cache_read (struct file *file, ...) {
    struct address_space *mapping = file->f_dentry->d_inode->i_mapping;
    ...
    mapping->a_ops->readpage(file, ...);
}

page_cache_read() reaches the file's data through a second path that carries no check_permission() call.
[Zhang et al., USENIX Security '02]
II. TOCTTOU bugs

perform_request ( ) {
    ...
    if (allowed(principal, resource, access)) {
        perform_access (resource);
    } else { handle_auth_failure1(); }
    ...
    if (allowed(principal, resource', access')) {
        perform_access'(resource');
    } else { handle_auth_failure2(); }
}

Between the allowed() check and the perform_access() call, the resource (or the principal's rights to it) can change.

• Similar race condition found in the Linux Security Modules framework [Zhang et al., USENIX Security '02]
• Several similar bugs recently found in popular enforcement tools [Watson, WOOT '07]:
  – GSWTK
  – Systrace [Provos, USENIX Security '03]
  – FreeBSD Sysjail [Johnson and Deksters '07]

Authorization check and resource access must be atomic
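The race on this slide, as an added example that is not part of the deck or the CCS paper. It models the check-then-use handler and a concurrent request as deterministic steps so the interleaving is reproducible; the window table, the id-reuse step and the allowed() rule are constructed for illustration. The atomic variant only closes the gap shown here (the id is resolved once and the check inspects the very object that is then used); in a real multithreaded server the object itself can still be modified concurrently, which is why the deck asks for the check and the access to be atomic as a unit.

```python
"""Check-then-use authorization racing against a concurrent rebinding (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, Generator


@dataclass
class Window:
    owner: str
    contents: str


# Constructed server-side table of windows keyed by id; ids are reused after a destroy.
windows: Dict[int, Window] = {}


def allowed(principal: str, wid: int, access: str) -> bool:
    """Reference monitor of the existing interface: a client may only touch its own windows."""
    return windows[wid].owner == principal


def handle_read(principal: str, wid: int) -> Generator[None, None, str]:
    """Existing interface: check by id, then access by id, as two separable steps.
    The yield marks the point where another request can run in between."""
    if not allowed(principal, wid, "read"):
        return "denied"
    yield
    return windows[wid].contents        # use: resolves the id a second time


def handle_read_atomic(principal: str, wid: int) -> str:
    """Check and use on the object resolved once, with no scheduling point between them."""
    win = windows[wid]
    if win.owner != principal:
        return "denied"
    return win.contents


def reuse_window_id(wid: int) -> None:
    """Concurrent request: REMOTE's window is destroyed and LOCAL's new window gets its id."""
    windows[wid] = Window(owner="local", contents="secret")


def run_interleaved(handler: Generator[None, None, str], between: Callable[[], None]) -> str:
    """Drive the handler step by step, running `between` at each scheduling point."""
    try:
        while True:
            next(handler)
            between()
    except StopIteration as done:
        return done.value


def race() -> str:
    """REMOTE's read passes the check on its own window, then reads LOCAL's contents."""
    windows.clear()
    windows[7] = Window(owner="remote", contents="blank")
    return run_interleaved(handle_read("remote", 7), lambda: reuse_window_id(7))


def no_race() -> str:
    """With check and use atomic, the id reuse can only land before or after the request."""
    windows.clear()
    windows[7] = Window(owner="remote", contents="blank")
    result = handle_read_atomic("remote", 7)
    reuse_window_id(7)
    return result
```

race() returns "secret" although the check was passed on a window REMOTE owned; no_race() returns "blank". A denied request (for example LOCAL reading id 7 before the reuse) ends the generator before the scheduling point, so nothing can be interleaved into it.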
III. Failure handling

perform_request() as above: every allowed() check needs its own else branch, handle_auth_failure1(), handle_auth_failure2(), and so on.

Handling authorization failures is ad hoc and error-prone

• Exception-handling code accounts for a large fraction of server software
  – over two-thirds of server software [IBM '87]
  – nearly 46% on several Java benchmarks [Weimer & Necula, OOPSLA '04]
• Exception-handling code is itself error-prone [Fetzer and Felber '04]
• SecurityException is the exception most often handled erroneously [Weimer & Necula, OOPSLA '04]
Summary of problems

• Violation of complete mediation
  – Need to identify all the resources accessed
  – Example: bug in Linux Security Modules [Zhang et al., USENIX Security '02]
• Time-of-check to time-of-use bugs
  – Examples: [Zhang et al., USENIX Security '02], [Watson, WOOT '07]
• Handling authorization failures
  – A large fraction of server code relates to error handling [IBM survey '87; Weimer and Necula '04]
  – Error-handling code is error-prone! [Fetzer & Felber '04]

Security enforcement crosscuts application functionality.
Our solution, TMI, decouples security enforcement from application functionality.
Outline

• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection (TMI)
  – Programmer's interface
  – Mechanics of TMI
• Implementation and experiments
• Open questions and future work
Transactional memory primer

• Alternative to lock-based programming
• Reason about atomic sections, not locks
• TM attempts to guarantee ACID semantics for the memory updates inside an atomic section

Lock-based:
    acquire(S1.lock)
    acquire(S2.lock)
    value = S1.pop()
    S2.push(value)
    release(S2.lock)
    release(S1.lock)

Transactional:
    transaction {
        value = S1.pop()
        S2.push(value)
    }
Programmer's interface to TMI

dispatch_request ( ) {
    transaction [ principal ] {
        ...
        perform_request ( );
    }
}

perform_request ( ) {
    ...
    perform_access (resource);
    ...
    perform_access'(resource');
}

The request-handling code contains no checks. An authorization manager, registered with the TM runtime, is consulted for each resource access made inside the transaction:

Authorization manager:
    case (resource = R, access_type = A):
        if (!allowed(principal, R, A)) then abort_tx

so the two accesses above raise the queries allowed(principal, resource, access)? and allowed(principal, resource', access')?
With dispatch_request() and perform_request() written as above, TMI gives:

I. Complete mediation for free
TMI automatically invokes authorization checks on every resource access made inside the transaction.

II. TOCTTOU-freedom for free
Conflicting resource accesses automatically abort the transaction.

III. Error-handling for free
Unauthorized resource accesses automatically abort the transaction.

Decouples functionality and security
The request-handling code carries only application functionality; the policy lives in the authorization manager.
Outline

• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection (TMI)
  – Programmer's interface
  – Mechanics of TMI
• Implementation and experiments
• Open questions and future work
TM runtime system

• The TM runtime maintains per-transaction read/write sets and detects conflicts

    transaction {
        value = S1.pop()
        S2.push(value)
    }

Two instances of this transaction, Green and Red, interleaved:

    val1 = S1.pop()
    val2 = S1.pop()
    S2.push(val2)
    S2.push(val1)

    Transaction   Read set                 Write set
    Green         S1.stkptr                S1.stkptr
    Red           S1.stkptr, S2.stkptr     S1.stkptr, S2.stkptr

Both transactions have S1.stkptr in their read and write sets, so the runtime detects the conflict and one of them must retry.
TM runtime system

[Figure: transaction body -> execution (building the read and write sets) -> validation; on a conflict the contention manager schedules a retry, otherwise the commit logic commits]
Transactional Memory Introspection

[Figure: the same pipeline with an authorization stage inserted before commit: the read and write sets are handed to the authorization manager as auth. checks; success leads to commit, failure aborts the transaction]
Transactional Memory Introspection

dispatch_request ( ) {
    transaction [ principal ] {
        ...
        perform_request ( );
    }
}

perform_request ( ) {
    ...
    perform_access (resource);        <- present in the read/write set
    ...
    perform_access'(resource');       <- present in the read/write set
}

Accesses are checked before the transaction commits
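A model of the mechanics on the preceding slides, as an added example written for this page; it is a small Python stand-in for the DSTM2-based runtime, not the authors' code. Transactional objects record every field access in a per-transaction read/write set, writes are buffered until commit, and the authorization manager is consulted either as soon as an access is added to the set (eager) or at validation just before commit (lazy). The window policy, the principals and the simulated concurrent commit are constructed.

```python
"""Transactional Memory Introspection on a small deferred-update STM (added example)."""
from typing import Callable, Dict, List, Tuple


class AccessDenied(Exception):
    """Raised to the dispatcher when the authorization manager aborts the transaction."""


class Conflict(Exception):
    """Validation found that an object in the read set was committed by another transaction."""


class TxObject:
    """Transactional object (the role of a DSTM2 @atomic object): fields are only
    touched through a Transaction, so every access lands in the read/write sets."""
    def __init__(self, name: str, **fields) -> None:
        self.name, self.fields = name, dict(fields)
        self.version = 0   # bumped on every commit; validation compares against it


class Transaction:
    def __init__(self, runtime: "TMIRuntime", principal: str) -> None:
        self.runtime, self.principal = runtime, principal
        self.read_set: Dict[TxObject, int] = {}                 # object -> version seen
        self.write_set: Dict[TxObject, Dict[str, object]] = {}  # buffered (deferred) updates
        self.accesses: List[Tuple[TxObject, str]] = []          # (object, "read"|"write")

    def read(self, obj: TxObject, field: str):
        self._record(obj, "read")
        buffered = self.write_set.get(obj, {})
        return buffered[field] if field in buffered else obj.fields[field]

    def write(self, obj: TxObject, field: str, value) -> None:
        self._record(obj, "write")
        self.write_set.setdefault(obj, {})[field] = value

    def _record(self, obj: TxObject, access: str) -> None:
        self.read_set.setdefault(obj, obj.version)
        if (obj, access) not in self.accesses:
            self.accesses.append((obj, access))
            if self.runtime.mode == "eager":    # introspect as soon as the set grows
                self.runtime.authorize(self, obj, access)


class TMIRuntime:
    def __init__(self, allowed: Callable[[str, str, str], bool], mode: str = "eager") -> None:
        assert mode in ("eager", "lazy")
        self.allowed, self.mode = allowed, mode

    def authorize(self, tx: Transaction, obj: TxObject, access: str) -> None:
        """The authorization manager: allowed(principal, resource, access) or abort."""
        if not self.allowed(tx.principal, obj.name, access):
            raise AccessDenied(f"{tx.principal} may not {access} {obj.name}")

    def run(self, principal: str, body: Callable[[Transaction], object], retries: int = 3):
        """transaction [principal] { body }: retries on conflict, propagates AccessDenied."""
        for _ in range(retries):
            tx = Transaction(self, principal)
            try:
                result = body(tx)
                self._commit(tx)
                return result
            except Conflict:
                continue   # contention manager: the buffered writes are simply dropped
        raise Conflict("too many retries")

    def _commit(self, tx: Transaction) -> None:
        for obj, seen in tx.read_set.items():       # validation
            if obj.version != seen:
                raise Conflict(obj.name)
        if self.mode == "lazy":                      # introspect the whole access set now
            for obj, access in tx.accesses:
                self.authorize(tx, obj, access)
        for obj, fields in tx.write_set.items():     # commit: apply the deferred writes
            obj.fields.update(fields)
            obj.version += 1


def window_policy(principal: str, resource: str, access: str) -> bool:
    """Constructed policy in the spirit of the X-server example: a client may only
    touch its own windows ("owner:id"), except that LOCAL may read any window."""
    return resource.split(":")[0] == principal or (principal == "local" and access == "read")


def demo(mode: str) -> Tuple[str, str, bool]:
    """REMOTE tries to copy LOCAL's window into its own. Returns (outcome,
    REMOTE window contents afterwards, whether the body ran to its end)."""
    local = TxObject("local:w1", contents="secret")
    remote = TxObject("remote:w2", contents="blank")
    finished: List[bool] = []

    def body(tx: Transaction) -> None:   # request code: no allowed() call anywhere
        tx.write(remote, "contents", tx.read(local, "contents"))
        finished.append(True)

    try:
        TMIRuntime(window_policy, mode).run("remote", body)
        outcome = "committed"
    except AccessDenied:
        outcome = "aborted"
    return outcome, remote.fields["contents"], bool(finished)


def demo_allowed() -> str:
    """LOCAL copies REMOTE's window into its own: permitted, and the write commits."""
    local = TxObject("local:w1", contents="secret")
    remote = TxObject("remote:w2", contents="hello")
    TMIRuntime(window_policy).run(
        "local", lambda tx: tx.write(local, "contents", tx.read(remote, "contents")))
    return local.fields["contents"]


def demo_conflict() -> Tuple[int, int]:
    """A commit by another transaction between read and commit fails validation;
    the runtime retries and the second attempt commits. Returns (result, attempts)."""
    counter = TxObject("local:c", value=0)
    attempts: List[int] = []

    def body(tx: Transaction) -> int:
        attempts.append(1)
        n = tx.read(counter, "value")
        if len(attempts) == 1:   # simulated concurrent commit to the object we just read
            counter.fields["value"], counter.version = 100, counter.version + 1
        tx.write(counter, "value", n + 1)
        return n + 1

    return TMIRuntime(window_policy).run("local", body), len(attempts)
```

demo("eager") aborts inside the first read, before the request body finishes; demo("lazy") lets the body run to the end and aborts at validation. In both cases REMOTE's window keeps its old contents, because the write never left the transaction's buffer: that is what makes the abort a complete failure handler. demo_conflict() shows the other use of the same read set: the stale version is caught at validation and the transaction is retried.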
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection
• Implementation and experiments
• Open questions and future work
TMI implementation: TMI/DSTM2

• Implemented using Sun's DSTM2
• Object-based software TM system
• TM system modified to
  – trigger authorization checks on additions to the read/write set and upon transaction validation
  – raise AccessDeniedException upon abort
  – integrate transactional I/O libraries
• Fewer than 500 lines changed in DSTM2
Porting software to TMI/DSTM2

1. Mark transactional objects with @atomic
   – Also requires @atomic wrappers for libraries: java.util.HashMap, java.util.Vector
2. Replace reads and writes to fields of @atomic objects with DSTM2 accessors
3. Place transaction{...} blocks around client requests
4. Write an authorization manager
Dealing with side-effects

• Problem:
  – TM provides ACID semantics to memory updates only
  – System calls inside a transaction{...} block can violate atomicity and isolation
• Use transactional I/O packages
• Integrate them with the commit logic
Dealing with side-effects

[Figure: the TMI pipeline with the commit logic replaced by a 2-phase commit that also covers transactional I/O (TX I/O); the authorization checks still run before commit, success commits and failure aborts]
Evaluation

• Ported four Java-based servers
  – GradeSheet: a grade-management server
  – FreeCS: a chat server
  – WeirdX: an X window management server; enforced a simple XACML-based policy
  – Tar: a tar archive service; enforced a Java stack inspection policy
Modifications needed

    Server        LOC       Lines modified   Transactions
    GradeSheet       900         300              1
    Tar service    5,000        < 50              1
    FreeCS        22,000         860             47
    WeirdX        27,000       4,800            108

Authorization managers were approximately 200 lines of code in each case
Example policy enforced in WeirdX

[Figure: REMOTE and LOCAL X clients under the WeirdX policy]
When to enforce policy?

dispatch_request ( ) {
    transaction [ principal ] {
        ...
        perform_request ( );
    }
}

perform_request ( ) {
    ...
    perform_access (resource);        allowed(principal, resource, access)?
    ...
    perform_access'(resource');       allowed(principal, resource', access')?
}

• Eager: each query is answered as soon as the access is added to the read/write set; a denied access aborts the transaction immediately
• Lazy: the queries are answered together at validation time, just before commit
• Parallel: the queries are answered on a separate thread while the transaction body keeps running; the transaction commits only once every answer is in
Performance overheads of TMI

[Chart: overhead in percent (y axis from -20 to 60) for GradeSheet, Tar, FreeCS and WeirdX under TMI/Eager, TMI/Lazy and TMI/Parallel; annotated values: 10x and -15.8%]
Performance overheads of STM

• Software transactional memory imposes a significant overhead

    Server        Native     TMI-ported   Overhead
    GradeSheet    395 μs       451 μs     14.7%
    Tar service   4.96 s      15.40 s      2.1x
    FreeCS        321 μs      3907 μs     11.2x
    WeirdX        0.23 ms     6.40 ms     26.8x

Overhead is reported as (TMI-ported - native) / native, so 2.1x means the ported server takes 3.1 times as long as the native one.

Hardware-accelerated STM will reduce the runtime overheads of TM runtime systems
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection
• Implementation and experiments
• Open questions and future work
Hardware support for TMI

• Problem:
  – STM imposes high runtime overheads
  – Want to make TMI practical for adoption on real-world servers
• Solution: implement TMI in hardware transactional memory (HTM) systems
  – HTM-based software can be as fast as, or faster than, lock-based software
Interaction of TMI and I/O
• Problem: I/O instructions in transactions violate atomicity and isolation
• Can deal with file and database I/O with transactional libraries
• Network I/O? Display? Other devices?
• Possible solution: Combine TMI and virtual machine introspection
A formal semantics of TMI

• Problem:
  – Pathological interactions of TMI with STM implementation details
• Example: weak atomicity with in-place updates
  – With in-place updates a transaction's writes reach shared memory before it commits, and under weak atomicity non-transactional code is not isolated from them. With lazy enforcement an unauthorized read is only detected at commit, so a value derived from it can be observed before the abort: TMI can leak sensitive information
• Solution:
  – Need a formal semantics for TMI
Summary

• Transactional Memory Introspection
  – A new reference monitor architecture
  – Decouples application functionality from security policy enforcement
• Benefits
  – Better guarantees on complete mediation
  – Freedom from TOCTTOU bugs
  – Better handling of authorization failures

Enforcing Security Policies using Transactional Memory Introspection
Reference: upcoming CCS 2008 paper

Vinod Ganapathy, Rutgers University
http://www.cs.rutgers.edu/~vinodg

Thank you!