Make Least Privilege A Right (Not a Privilege)
Petros Efstathopoulos, Cliff Frey, Frans Kaashoek, Eddie Kohler, Max Krohn, David Mazières, Robert Morris, Michelle Osborne, Steve VanDeBogart, David Ziegler
(MIT, NYU, UCLA)
Key: Giving Talk / at HotOS / at HotOS but not in program
1
HotOS Talk Template
• Technique T was tried before but didn't
catch on, but the emergence of X
suggests we should try T again.
• Instantiate With:
T="MANDATORY ACCESS CONTROL"
X="THE INTERNET SECURITY MORASS"
2
The Problem
• Stolen credit cards and SSNs
• Alice can get Bob's data
3
How can she?
• Buffer overruns
• Trojaned machines
• SQL injection
• Misapplied Access Controls
• Social Engineering
• Find a UPS box full of hard drives
• Sniffed passwords
4
Application Developers Need…
1. To create policies to control data
flow through a complex system.
– Alice can't read Bob's data.
2. To express policy in a simple way
5
Outline
I. Achievable on UNIX?
II. If not UNIX then what?
Running example: Web server
serving private customer data
6
[Diagram: three Apache processes (Process 1, Process 2, Process 3), each labeled Alice, Bob, Charlie and Doug; other labels: sh, sendmail, r00t sh, database]
7
8
9
[Diagram: three Apache processes (Process 1, Process 2, Process 3), each labeled Alice, Bob, Charlie and Doug; database; file labels: /etc/passwd, /bin/su, /etc/ssh/ssh_host_key, /usr/lib/sendmail]
10
Apache Recap
• Process boundaries don't align with
security goals.
• What about a separate process per user?
– Need a helper "demux" process to route
connections.
11
GET /home?u=ALICE&p=PASS
[Diagram: demux; three Apache++ processes (Process 1, Process 2, Process 3) labeled Alice, Bob and Charlie; database]
12
[Diagram: demux; three Apache++ processes (Process 1, Process 2, Process 3) labeled Alice, Bob and Charlie; logger; database; other labels: UID=0, "SHOW ME YOUR ID", "LET'S SEE SOME ID"]
13
UNIX Shortcomings
• Programming
– Separation of processes is unnatural
• Performance
– memory + CPU
• Security
– Privileged launcher process
– Access control scattered throughout
– All shared resources are in the TCB
14
II. Asbestos: A New OS
• Mandatory access control (MAC)
• Use compartments to track (and control)
data flow.
• Previous systems don't fit the bill:
– rigid policies determined by kernel
– centralized declassification
– taint accumulation
15
[Diagram labels: Alice, sh, sendmail]
16
Asbestos Feature
• Applications can introduce compartments
– Process owns a compartment it creates
– system ensures data does not escape
compartment without the owner's permission
17
GET /home?u=ALICE&p=PASS
[Diagram: Userland TCP, data tagger, AsbestosWS, Database; restore() appears three times; caption "GRANT Privilege To Escape Red Compartment"]
18
GET /home?u=BOB&p=PFASS
[Diagram: Userland TCP, data tagger, AsbestosWS, Database]
19
GET /home?u=ALICE&p=PASS&kiLL=BaBieS
[Diagram: Userland TCP (twice), data tagger, AsbestosWS, Database]
20
GET /home?u=ALICE&p=PASS&SQL=SELECT+*+
[Diagram: TCP (twice), data tagger, AsbestosWS, sh, DB client, Database]
21
The Asbestos Web Server
• Trusted components:
– THE KERNEL
– data tagger
– stats collectors
– high-perf DB
• What to audit:
– THE KERNEL
– data tagger
– stats collectors
– high-perf DB
• What can be buggy
– everything else
22
Asbestos Recap
• Programming
– Separation is natural
• Performance
– Probably scalable (memory and CPU)
• Security – The tagger:
– has no privileges with respect to the rest of
the system (i.e., /etc/passwd)
– is a small program
– solely in charge of access control
23
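A simplified model of the compartment rule from the "Asbestos Feature" and web server slides, added here as an illustration; it is not code from the talk or from Asbestos. The `Kernel` class, its method names and the per-user connection endpoints are assumptions of the sketch, and real Asbestos labels are richer than these sets.

```python
# Added illustration: a toy model, not the Asbestos label API.
class FlowDenied(Exception):
    """A tag or grant the compartment rules do not permit."""

class Kernel:
    def __init__(self):
        self.taint = {}  # process -> compartments whose data it has seen
        self.priv = {}   # process -> compartments it may release data from

    def spawn(self, name):
        self.taint[name], self.priv[name] = set(), set()
        return name

    def create_compartment(self, proc, comp):
        # Any process may introduce a compartment; the creator owns it.
        self.priv[proc].add(comp)

    def grant(self, holder, comp, to):
        # Privilege spreads only by explicit grant from a process that holds it.
        if comp not in self.priv[holder]:
            raise FlowDenied(f"{holder} holds no privilege for {comp}")
        self.priv[to].add(comp)

    def send(self, src, dst, tag=()):
        # Holders may tag data; the receiver absorbs taint it cannot shed.
        if not set(tag) <= self.priv[src]:
            raise FlowDenied(f"{src} may not tag with {sorted(tag)}")
        label = (self.taint[src] - self.priv[src]) | set(tag)
        self.taint[dst] |= label - self.priv[dst]

    def may_export(self, proc):
        # Data leaves the machine only via a process with no residual taint.
        return not self.taint[proc]

def demo():
    # Constructed scenario: one tagger, one untrusted worker, two connections.
    k = Kernel()
    tagger, worker = k.spawn("tagger"), k.spawn("worker")
    conns = {u: k.spawn(u + "_conn") for u in ("alice", "bob")}
    for user, conn in conns.items():
        k.create_compartment(tagger, user)
        k.grant(tagger, user, conn)        # only this user's connection may release
    k.send(tagger, worker, tag={"alice"})  # worker now carries Alice's data
    k.send(worker, conns["alice"])
    delivered = k.may_export(conns["alice"])  # Alice receives her own data
    k.send(worker, conns["bob"])              # buggy or compromised worker
    leaked = k.may_export(conns["bob"])       # Bob's connection is now tainted
    return delivered, leaked, k.taint[worker]
```

The worker needs no privilege and no audit in this model: whatever it does with Alice's data, only an endpoint the tagger granted can release it.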
Conclusion
• Need a new OS
– Keeping Alice away from Bob's data is hard
and unnatural on UNIX
• Let's try MAC again!
– more flexible for application designers.
24
Thank you
25
[Diagram: demux; three Apache++ processes (Process 1, Process 2, Process 3) labeled Alice, Bob and Charlie; database]
26
[Diagram: demux/VMM; three Apache++ instances (VM 1, VM 2, VM 3) labeled Alice, Bob and Charlie; database]
27
Capabilities?
• Apache++ / database communicate over
an FD even though Apache++ is jailed
28
[Diagram: demux; three Apache++ processes (Process 1, Process 2, Process 3) labeled Alice, Bob and Charlie; database]
29
Related Work
• Capabilities
– EROS, KeyKOS, L4
• Virtual-machine based isolation
• MAC
– IX, Orange Book, Jif
– TrustedBSD, SELinux, Trusted Solaris
• Language-based approaches
– Java, Singularity, Coyotos, Perl
30