Slide - SIGOPS

Download Report

Transcript Slide - SIGOPS

Logical Attestation:
An Authorization Architecture for
Trustworthy Computing
Emin Gün Sirer
Willem de Bruijn†, Patrick Reynolds*, Alan Shieh‡,
Kevin Walsh, Dan Williams, Fred B. Schneider
Cornell University
*now
at BlueStripe Software
‡now at Nicira Networks
† now at Google, Inc.
TPMs and Attestation
Secure coprocessors provide a unique key and on-board
cryptographic functions to capture software state
Cheap
Rapidly becoming ubiquitous
Evil
0xab...
Hash-based
Attestation
TCB
Trusted Platform Module
Evils of Hash-based Attestation
0xab...
Supports only axiomatic trust
Eliminates user choice and control over platform
Requires database of trusted configurations
Attestation process violates privacy
Does not capture dynamic run time state or configuration
Trust Establishment
Three techniques for establishing trust:
Axiomatic
trust by fiat
binary hashes, ACLs, vendor crypto-signatures
Analytic
an analyzer checked and ascertained a property
e.g. type checkers, binary analyzers
code contains only forward jumps
code is typesafe
Synthetic
an execution environment assures a desired property
e.g. reference monitors, sandboxes, SFI, binary rewriters
code cannot issue certain system calls
code respects resource limits
Authorization
Comes down to a simple if statement…
“should this principal be allowed to perform
this operation on this resource?”
But how that statement is implemented has profound
consequences
what kinds of policies can be expressed
how practical the system is
what kind of performance it achieves
Goals and Contributions
Logical Attestation: A new attestation scheme that
captures semantic properties of programs through labels
Nexus: A new OS with mechanisms for
generating meaningful and useful credentials
managing credentials, combining them with state
checking credentials efficiently
Applications: Fauxbook, Movie Player, Java Object
Store, CertiPics, TruDocs, NBGP, …
Logical Attestation
A label is a statement attributed to a principal
principal
says statement
Uttered by a labeling function
Unforgeable, backed by a TPM
Expressed in a variant of first-order logic
Logic
Labels are expressed in Nexus Authorization Logic (NAL)
• Similar to CDD and BAN logic, machine-parseable
extensible, terms defined by label producers
• incorporates references to dynamic system state
• Constructive
• reasoning requires positive evidence
• Logic of beliefs
• inference rules preserve justification (not just truth) of statements
• world-views restrict the impact of compromised principals
• Sub-principals and Groups
• in addition to primary principals consisting of keys and processes
Establishing Trust with Logical Attestation
axiomatic
hash
analysis
safe language
synthesis
sandboxing
user.egs
says hash speaksfor user.egs
analyzer
says analyzer.typesafe(“app”)
refmon
says refmon.noaccess(pid1, disk)
Chain of Trust in Logical Attestation
labeling function …
nexus
says executed(labeling function)
bootloader
says sha(nexus) = 0xab..
bios
says sha(bootloader) = 0xbc..
tpm
says sha(bios) = 0xcd..
atmel
says tpm speaksfor atmel
Label Creation
Labels are issued into labelstores with the
say(principal, statement) system call
LF1
LF2
lstore
nexus
Secure channel obviates crypto in the common case
Labels can be externalized to X.509, internalized, copied,
deleted
Authorization with Labels
Nexus enables all resource accesses to be predicated on a
guard
Guards perform authorization, by checking labels against a
goal formula
A NAL statement that needs to be discharged for access
Can capture any provable characteristic
Goal formula provides policy flexibility
setgoal(object, method, goal) system call
setting the goal statement itself requires authorization
if not set, only the creator can set the goal, no super-user
Guards
Clients use labels to construct
proofs that discharge the goal
formula
Guards validate proofs
provides flexibility to clients
Validation may require consulting
authorities
Halt! Prove goal formula to
show that I can trust you
with this resource.
Authorities
Certain statements are time-varying or non-monotonic
They cannot be safely issued as credentials
E.g. time, number of times a file has been read,
current memory consumption, etc.
In logical attestation, the validity of time-varying labels is
checked by consulting an authority
Authorities are designated by the goal formula
Multiple authorities can coexist
Authorization with Logical Attestation
1. Owner sets policy goal(*, write, file) = file
2. User gathers
labels
3. User generates
proof
says time<3pm
L1 timesrv
says time=2:30pm
L2 file
says timesrv speaksfor file
import L1; import L2;
speaksfor; arithmetic-lt
4. Guard verifies proof and labels
Caching
Cache extensively to speed up authorization
An in-kernel decision-cache avoids re-invoking a guard
Hashtable indexed by subject, object, method, proof
A user-level guard-cache avoids re-validating a previously
checked proof or lemma
Dynamically varying parts of the proof are not cached
All caches contain soft-state
Invalidated as necessary when goal formulas are modified
Overview
Caller
Guard
Authority
Goal Store
Labelstore
call(P, S, M, proof)
Proof
Cache
Proof Checker
Interposition Service
nexus
Authority
Decision
Cache
Object
logical attestation
nexus
applications
evaluation
Nexus OS Overview
Microkernel


unique driver architecture
21K loc
Somewhat Posix compatible


python, lighttpd, sqlite, mplayer, …
Xen, Linux
Non-standard services



labels, labelstores, guards, authorities
introspection & interposition
protected persistent storage
Analysis
some analysis involve examining the application
no system support needed
Introspection: live kernel metadata
Many analyses involve the application’s environment
Nexus provides a /proc filesystem on steroids
access by labeling functions is mediated by the app
Interpositioning
app
interpose(prin, obj, method)
system call enables a process to
interpose on any IPC
Can interpose on any subject,
object, operation triple, with
wildcards
interposition itself is guarded
by a goal formula
nexus
Interpositioning
app
ref mon
nexus
interpose(subj, obj, method)
system call enables a process to
interpose on any IPC
Can interpose on any subject,
object, operation triple, with
wildcards
interposition itself is guarded
by a goal formula
logical attestation
nexus
applications
evaluation
Movie Player
GNU
app
nexus
labeling
function
labeling functions can be written by third-parties
Movie Player
app
GNU
labeling
function
nexus
they use the introspection and/or interposition service
to examine and modify the application’s behavior
Movie Player
app
GNU
labeling
function
ref
mon
nexus
proc17
says sonyLF.nowrite(app, disk|network)
os
says proc17 speaks-for sonyLF
they generate attributable statements
Movie Player
app
GNU
labeling
function
ref
mon
nexus
labels are combined into proofs, which are shipped to
consumers to form the basis of trust decisions
Fauxbook
• Privacy-preserving social networking application
deployed in the cloud
• Three classes of principals:
– Cloud operator
– Cloud application developers
– Users
• Cloud application developer receives assurance that
he will get a desired share of resources
• User receives assurance that her data will not leak
beyond her social circle, even if the developer is
adversarial
Fauxbook Mechanism
• Insight: many applications are data-independent
– Possible to implement the core data-sharing functionality in a social
networking application without examining the data
• Core mechanism:
– A reference monitor wraps all incoming data into a Python object, called a
constrained buffer (cobuf)
– Applications may slice, dice, concatenate cobufs, but may not peek at
contents
• Bases of trust:
– Axiomatic trust in the device driver
– Analytic trust in a Python analyzer that ensures that Fauxbook code will
not use Python features to violate the cobuf abstraction
– Synthetic trust in Fauxbook’s access to the social graph
Fauxbook
Driver provides labels showing that it can only talk
to the web framework and that it lacks the ability
to modify or divert packets
Cloud
Operator
net
drv
nexus
framework
analyzer
lighttpd
cobuf
social
db
Fauxbook
lighttpd is axiomatically trusted to deliver packets
to the framework without modification
it lacks the capability to leak to other processes
Cloud
Operator
net
drv
nexus
framework
analyzer
lighttpd
cobuf
social
db
Fauxbook
Analyzer ensures that fauxbook code does not
use Python reflection to violate the cobuf interface
fauxbook
framework
analyzer
net
drv
nexus
lighttpd
cobuf
social
db
Fauxbook
adding a friend adds a speaks-for label into the
social database
fauxbook
framework
analyzer
net
drv
lighttpd
friend(egs, alice)
friend(egs, bob)
friend(bob, charlie)
nexus bob)
friend(alice,
cobuf
social
db
Fauxbook
cobufs wrap user data into opaque objects, and tag
it with the user’s id
fauxbook
framework
analyzer
net
drv
nexus
alice
says hey!
lighttpd
cobuf
social
db
Fauxbook
fauxbook
Fauxbook may slice and dice user data, but may not
leak it to another user or gain raw access to it
fauxbook
framework
analyzer
net
drv
nexus
lighttpd
cobuf
social
db
Fauxbook
Fauxbook may slice and dice user data, but may not
leak it to another user or gain raw access to it
fauxbook
fauxbook
framework
cobuf
analyzer
alice says hey!
net
drv
nexus
lighttpd
social
db
logical attestation
nexus
applications
evaluation
Microbenchmarks
Protected Nexus calls incur overheads comparable to
regular Linux calls
but the microkernel architecture of the Nexus can necessitate additional
and costly process boundary crossings
Proof-checking overhead
Cached decisions incur <500 cycles (<1usec)
Guard invocations are 20x more expensive
Related Work
• Secure boot
– Gasser et al 89, Haertig et al 93, Arbaugh et al. 97
• Attestation
– Property-based: Haldar et al. 04, Sadeghi et al. 08
– Binary: TCGLinux
– Software: Seshadri et al. 04-05, BIND, Flicker
• Credentials-based Authorization
– Appel & Felten 99, Lampson ‘04, Parno & Perrig ‘10
• Systems
– Terra, Nizza, BirliX, XOMOS, sHype, Wedge, HiStar, Asbestos, EROS, Flask
• Others
– Not-a-bot, TrInc, …
Conclusions and Future Work
• TPMs can be used to build the next generation of
trustworthy applications
– need not impinge on user choice over software
– can provide qualitatively richer guarantees
• Novel labeling functions enable new functionality
http://www.cs.cornell.edu/people/egs/nexus/
git.systems.cs.cornell.edu/nexus
screenshot
Macrobenchmark: Packet Processing
Caching enables packet processing overhead to be <6%
Cryptographic Overhead
Avoiding cryptography leads to 3 orders of magnitude
performance gain
kernel size
application: web application server
interpositioning: kernel message hooks
synthesis: (subject,
*) → ipcport
allow /operation,
block
<transformed
authorization: (*,
operation,call>
object) → ipcport
cache / nocache
CertiPics: problem
CertiPics: certified chain-of-custody
• NY Times Policy: Image
comes from a legitimate
camera,with only acceptable
adjustments:
–
–
Cropping, captions, redaction, color
balancing, …
Compositing/splicing after adding
borders
IRAN
?
CertiPics: design options
• trusted photo editor:
– Incapable of modifying image in undesirable ways
– evidence: editor is the trusted version
• image analysis:
– evidence: analyzer input and output
• audit trail:
– image modification tools generate logical labels at each step
– evidence: data from each modification
IRAN
?
CertiPics: demo
user input
crop.exe
splice.exe
caption.exe
Nexus
Nexus
Nexus
IRAN
EOS says pristine(«im1»)
ipd3 says crop(«im1», 20%) = «im2»
nexus
says
hash(ipd3)
==«hash1»
nexus
says
hash(ipd3)
nexus
says
hash(ipd3)
==«hash1»
«hash1»
nexus
says
hash(ipd3)
«hash1»
nexus
nexussays
sayshash(ipd3)
hash(ipd3)==«hash1»
«hash1»
?
NYTimes policy
52
TruDocs: documents with excerpts
“
One cannot look at this
Universe with all living
productions & man without
believing that all has been
intelligently designed;
yet when I look to each
individual organism, I can
see no evidence of this.
”
”
– Charles Darwin, 1861
53
TruDocs: document integrity examples
Wesleyan Cinema Archive
may quote 75 words at a time
 20 quotes per derivative work

New International Version Bible
at most 500 verses, verbatim only
 at most 25% of derivative work

W3C Logo
may embed if validator passes
 must retain attribution, link to W3C URL

54
TruDocs with logical attestation
Let
• D be a document
– D is a corresponding principal
– W(D) are statements conveyed in D
• E be an excerpt from D’ appearing in D
– Src(E) =D’
Src(E) = D’
– E<D: E appears in D
TruDocs says (E<D: E  Src(E))
TruDocs: labeling function design
Approximating: E  Src(E)
usePolD’(E,D): an analytic basis for trust:
– Find some E’ in D’;
– make “acceptable” edits to E’, getting E in D.
D’ says ( usePolD’(E,D)  E  D’ )
usePol is defined by author of D’.
TruDocs says (E<D: usePolSrc(E)(E,D))
56
trust in the network
Existing networks cannot provide strong security
guarantees
All networks look the same
All clients look the same
Cannot tell what a router is actually doing
Network elements constructed from untrustworthy components
No mechanisms for querying the properties of
network participants
no mechanisms for querying network
properties
clients cannot differentiate between different networks
Internet
1 Mb/s
100 Mb/s
?
ISP A
90% uptime
Identical WiFi base
stations!
?
ISP B
99% uptime
fault-tolerant
no mechanisms for querying network
properties
networks cannot differentiate between clients
Identical Ethernet
stations!
???
no mechanisms for querying network
properties
networks cannot differentiate between other networks
Identical IP packet delivery
interface!
ISP A
Forward all packets
?
?
Customer AS
ISP B
DoS filter
S
T
L1
L2
R1
L4
Every
network
participant
corresponds
to a tuple
U
M1
L5
Network
Tuplespace
R2: Type = Router
ISP: Type = Link
ISP: Type = Link
R2: NextHop =
ISP: Ends = (R1, R2)
ISP: Ends = (R2, T)
{ [IP_T] = L3, ... }
R1: Type = Router
ISP: Type = Link
R1: NextHop =
ISP: Ends = (S, R1)
{ [IP_T] = L2, ...] }
S: Type = Host
S: Name = HostS
S: NextHop =
{ [IP_T] = L2, ... }
L3
R2
T: Type = Host
T: Name = HostT
M1: Type = Sniffer
ISP: Type = Link
ISP: Type = Link
M1: NextHop =
ISP: Ends = (R1, R3)
ISP: Ends = (R3, T)
{ [IP_T] = L5, ... }
a single, distributed tuplespace covers the
Internet

every information provider is responsible for provisioning a
sub-tuplespace for storing local information
AS1
AS2
R1
POP1
R2
POP2
Global Tuplespace
AS1
AS2
R1
POP1
R2
POP2
information management

anyone can annotate any tuple
–

New, unanticipated attributes are organically
supported
attributes can be added by anyone
–
best done by a TPM, signed, unforgeable
–
signed attributes can be inserted manually

attributes are masked for privacy according to an export
policy

applications import annotations only from sources they
trust, according to an import policy
querying the tuplespace
Is there a packet sniffer on (S,T) path?
Queries
retrieve(S.nexthop[IP_T])
-> S:S.NextHop[IP_T] = L1
retrieve(L1.endpoints)
-> S:L1.endpoints = (S,R1)
...
Detected properties
Path(S,T) = [L1,R1,L2,R2,L3]
Apps can detect properties at
a single point in time
monitoring the tuplespace
Detect new packet sniffers on (S,T) path
Trigger installation
Trigger notification
Path(S,T) = [L1,R1,L4,M1,L5]
install_trigger(
R1.NextHop[IP_T],IP_S)
S
R1
Apps can maintain
properties over
time
T
X
L2
L4
Change @ R1.NextHop
R1: Type = Router
R1: NextHop =
{ [IP_T] = L2, ... }
L5
M1
R1: Type = Router
R1: NextHop =
{ [IP_T] = L4, ... }
collaborators
• Fred Schneider
• William de Bruijn
• Alan Shieh
• Patrick Reynolds
• Kevin Walsh
backups
proof evaluation cost
control operation cost
dynamic state
labels can be shared
labels may not encode false statements
→
live authority protocol
over ipc or network
subscribes to statement, but without attribution
statement cannot be shared
protected storage
confidentiality: block cipher
integrity: hash trees
proof caching
1. kernel decision cache
2a. guard credential cache
only labels: revisit all missing and authorities
2b. guard deduction cache
also cache goal/conclusion matching
Safe Python
Analysis: Safe Python
restrict python to safe subset:
no arbitrary system access
no modules os, ..
no builtins file, exec, ..
no reflection
no modules ast, inspect, ..
no builtins compile, eval, ..
offline analyzer
no arbitrary import
pruned builtins
alternative interface to webserver and storage
unchecked_...
no access to global & builtins __dict__
Safe Python: module protect
restricted namespace
restricted fileops: append, remove
restricted import
pbuf
pbufres = app.callback(pbufreq)
Safe Python: PBuf

list of strings ..
Safe Python: PBuf

list of strings and pbufs
Safe Python: PBuf

list of strings and pbufs

with protection bit

and optional dictionary
python iterable & map operations
privileged unchecked_.. extensions
Safe Python: module protect
Secure Persistent Storage
confidentiality
CTR mode random-access AES
integrity
Merkle hash tree
interface
unix fcntl flags: F_SETENC, F_SIGN, F_SIGNED
root
lockbox: virtualize TPM
Storage: Lockbox hierarchy
lockbox application
table of keys and signatures
software seal/sign/encrypt
ipc interface
minimizes key access (TCB)
hierarchy
store bundles backed by TPM (or remotely)
introspectionfs
per process: to display state
kernel: process memory, network ports, ipc channels, …
nonvolatile statements exported as labels
os says netport.80 speaksfor process.www
volatile state exported only as authority
os says not netport.81 speaksfor process.www
may still change
define private notions of trust
user.bob
says os speaksfor user.bob
os
says ...
example revisited
example revisited
label consumers
Is this principal
trustworthy?
• Every entity that wants to reason
about the state of a remote computer
can act as a label consumer
• Typically, the consumer is looking for
a goal formula
• The user has one or more labels
available
labels are combined to create proofs that demonstrate
the desired goal formula
authorization today
Client A
A says read(f)
File system
Access control list for f:
[ …. A-(read,write), … ]
authorization based on
requestor identifier
authorization with labels
Univ says RC  Univ
Client A
A says read(f)
RC says student(A)
Univ says RC  Univ
File system
RC says student(A)

Policy is decentralized
 (“speaksfor”) models delegation


Policy for read(f): Exists i :
0900 <timeNow < 1700 and
i says read(f) and
Univ says student(i )
Policy involves state
Policy involves deduction
88