Labels and Information Flow, Robert Soulé, March 21, 2007

Transcript
Page 1: Labels and Information Flowrgrimm/teaching/sp07-os/labels.pdf · Problem Motivation and History I The military cares about information flow I Everyone can read “Unclassified”

Labels and Information Flow

Robert Soulé

March 21, 2007

Page 2: Problem Motivation and History

- The military cares about information flow
  - Everyone can read “Unclassified”
  - Few can read “Top Secret”
- So computer scientists care about information flow
  - Bell and LaPadula 1973, “No read up, no write down”
  - Denning 1976, Lattice Model
  - The “Orange Book” 1985, Trusted Computer System Evaluation

Page 4: We Care Too

- We aren’t the Dept. of Defense, but it is still important
- How do I know my free software doesn’t steal my private data?
  - Passwords
  - Social Security numbers
  - Financial Records

Page 5: Three Recent Approaches

- JIF - A language based solution
- Asbestos - A kernel based solution
- HiStar - Also kernel based, re-imagining Asbestos

Page 6: Java Information Flow (JIF), What Is New and Different?

- The decentralized label model.
  - Very different from the DoD’s security model
  - Avoids rigid constraints of traditional multilevel security systems
  - Allows users to control their own information flow
  - Declassification is part of the model

Page 7: JIF - How Does This Work?

- Mutually distrusting users and programs
- All data is labeled
- When you make variable assignments, labels propagate
- Compiler and runtime ensure that information flow rules are not violated

Page 8: Who Are These Users?

- JIF principals are owners/readers/writers
- A principal can be a user or a group
- Can be authorized to act for other principals
  - “acts for” allows for a delegation of powers
  - declassifies-for
  - reads-for
- These relationships form a principal hierarchy

Page 9: How Is The Data Labeled?

- Add label constructs to the language
  - Privacy labels restrict read access
  - Integrity labels restrict write access
- Labels and built-in Java types form an extended type system
- Checking for type safety enforces flow rules

Page 10: JIF Labels Details

- Privacy Labels - restrict read access
  - A component (policy) has two parts, owner and readers
    - Owners are the source of the data
    - Readers are possible destinations
  - L = {o1: r1, r2; o2: r2, r3}
- Integrity Labels - restrict write access
  - Components have two parts, owner and writers
    - Owners are the source of the data
    - Writers are possible modifiers
  - L = {o1: w1, w2; o2: w2, w3}

Page 11: How Do Labels Propagate?

- Every assignment is a relabeling
- Relabeling is permitted according to certain rules
- Let’s look at an example:

    int{Alice:Bob} x;          // Alice owns x, Bob can read
    int z;
    z = x;                     // z gets x's label

    int{Alice:Bob,Chuck} y;
    x = y;                     // OK: policy on x is stronger
    y = x;                     // BAD: policy on y is not as strong as x

Page 12: Relabeling Details

- Privacy labels may be safely changed in four ways:
  - Remove a reader - more restrictive
  - Add a policy - more restrictive
  - Add a reader - it is safe to add a reader r′ if there is already a reader r, and r′ acts for r.
  - Replace an owner - it is safe to replace an owner o with a new owner o′ if o′ acts for o.
- Integrity labels may be safely changed in four ways:
  - Add a writer - more restricted in subsequent use
  - Remove a policy - restricts the number of allowed writers.
  - Replace a writer - it is safe to replace a writer w′ with a writer w if w′ acts for w (really adding a writer).
  - Add a policy - only if the new policy J is more restrictive than the old policy I.

Page 13: Label Notation Basics

- Introduce a formalism so we can reason about flow
- The notation $L_1 \sqsubseteq L_2$ means $L_1$ is at most as restrictive as $L_2$.
- Some policy label examples:
  - $\{amy{:}\,bob, carl\} \sqsubseteq \{amy{:}\,carl\}$
  - $\{amy{:}\,manager\} \not\sqsubseteq \{amy{:}\,bob\}$
- Relabeling is permitted only if labels become more restrictive.

Page 14: So What Is z’s Label?

- Recall:

    int{Alice:Bob} x;
    int{Alice:Bob,Chuck} y;
    int z = x + y;

- The new value is the least upper bound or join

    $L_1 \sqsubseteq L_1 \sqcup L_2$

- $\{amy{:}\,bob\} \sqcup \{amy{:}\,bob, chuck\} = \{amy{:}\,bob;\ amy{:}\,bob, chuck\} = \{amy{:}\,bob\}$

Page 15: How Do I System.out.println?

- Additional mechanism: the label {} is used for raw output channels.
- Data can be written only if it has no privacy restrictions.
- Example: data labeled {bob: bob} cannot be written to the network because $\{bob{:}\,bob\} \not\sqsubseteq \{\}$
- We need a way to declassify this data so that it can be written.

Page 16: Declassification for Privacy Labels

- A process is authorized to act on behalf of some set of principals
- This set is the authority of a process
- Data can be declassified with respect to a policy owned by a principal
- $L_1$ may be declassified to $L_2$ when

    $L_1 \sqsubseteq L_2 \sqcup L_A$

  where $L_A$ is a label containing exactly the policies of the form {p:} for every principal p in the current authority

Page 17: Declassification for Integrity Labels

- $L_1$ may be declassified to $L_2$ when

    $L_2 \sqcap L_{IA} \sqsubseteq L_1$

  where $L_{IA}$ is an integrity label in which there is a policy for every principal in the authority of the process.
- $\sqcap$ is the meet or greatest lower bound

Page 18: Jif Language Overview

- Jif extends Java, supports:
  - Mutable objects, subclasses, dynamic type tests, access control, exceptions
- Every expression has a labeled type
- A declassify operator
- An actsFor statement
- A switch label statement - if label is x, do this...
- Procedure call may grant authority possessed by the caller

Page 19: Implicit Flows

- Use the program counter to control implicit information flows
- An expression is always at least as restrictive as the pc label
- Consider the code:

    x = 0;
    if (b) {
        x = 1;
    }

- Initially the pc is {}
- At if(b) the pc is {b}
- At the assignment, enforce $\{b\} \sqsubseteq \{x\}$
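The privacy-label rules of pages 10 through 19 (the relabeling order, join, declassification with an authority, and the pc check for implicit flows) fit in a few dozen lines, so here is an added example that models them. It is not code from the slides or from the Jif compiler; the principal hierarchy (a constructed "manager acts for bob" edge), the label syntax parser and the function names are assumptions made for the example. Labels are sets of (owner, readers) policies exactly as page 10 writes them.

```python
# Added example (not from the slides or from Jif): a small model of the
# decentralized label model's privacy labels. A label is a set of policies
# {owner: readers}; the principal hierarchy is a set of "acts for" edges.
# All principals and labels used below are constructed for illustration.


class Hierarchy:
    """Principal hierarchy: (p, q) means p acts for q; the relation is reflexive and transitive."""

    def __init__(self, edges=()):
        self.edges = set(edges)

    def acts_for(self, p, q):
        seen, stack = {p}, [p]
        while stack:
            cur = stack.pop()
            if cur == q:
                return True
            for a, b in self.edges:
                if a == cur and b not in seen:
                    seen.add(b)
                    stack.append(b)
        return False


def parse(text):
    """Parse slide syntax '{o1: r1, r2; o2: r3}' into a frozenset of (owner, readers) policies."""
    body = text.strip().strip("{}")
    policies = set()
    for part in (p.strip() for p in body.split(";")):
        if not part:
            continue
        owner, _, readers = part.partition(":")
        policies.add((owner.strip(), frozenset(r.strip() for r in readers.split(",") if r.strip())))
    return frozenset(policies)


def policy_leq(h, i, j):
    """I ⊑ J (J at least as restrictive): the owner of J acts for the owner of I, and every
    effective reader of J acts for some effective reader of I (an owner always reads its own policy).
    This is the page-12 rule set: drop readers, add readers that act for existing ones, replace owners."""
    (o_i, r_i), (o_j, r_j) = i, j
    if not h.acts_for(o_j, o_i):
        return False
    return all(any(h.acts_for(rj, ri) for ri in r_i | {o_i}) for rj in r_j | {o_j})


def label_leq(h, l1, l2):
    """L1 ⊑ L2: every policy in L1 is matched by some policy in L2 that is at least as restrictive."""
    return all(any(policy_leq(h, i, j) for j in l2) for i in l1)


def join(l1, l2):
    """Least upper bound: the union of the policy sets (so each owner's readers are intersected in effect)."""
    return frozenset(l1) | frozenset(l2)


def authority_label(principals):
    """L_A: the label made of the policies {p: } for every principal p in the process's authority."""
    return frozenset((p, frozenset()) for p in principals)


def may_declassify(h, l1, l2, authority):
    """Page 16: L1 may be declassified to L2 when L1 ⊑ L2 ⊔ L_A."""
    return label_leq(h, l1, join(l2, authority_label(authority)))


def assignment_ok(h, pc, rhs, lhs):
    """lhs = rhs under program-counter label pc is allowed when pc ⊔ L(rhs) ⊑ L(lhs).
    The pc term is what catches the implicit flow through 'if (b) x = 1;' on page 19."""
    return label_leq(h, join(pc, rhs), lhs)


if __name__ == "__main__":
    h = Hierarchy([("manager", "bob")])  # constructed: manager acts for bob
    x, y = parse("{Alice: Bob}"), parse("{Alice: Bob, Chuck}")
    print("x = y ok?", assignment_ok(h, parse("{}"), y, x))   # True: policy on x is stronger
    print("y = x ok?", assignment_ok(h, parse("{}"), x, y))   # False: y's policy is weaker
    print("{bob: bob} -> {} with authority {bob}:",
          may_declassify(h, parse("{bob: bob}"), parse("{}"), {"bob"}))  # True
```

The check in `assignment_ok` is the single rule that both the explicit flows of page 11 and the implicit flow of page 19 reduce to: the pc label joins the right-hand side, so a public `x` assigned inside `if (b)` fails when `b` carries a policy. The `may_declassify` check shows why page 15's `{bob: bob}` can reach an unlabeled channel only from a process whose authority includes bob.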

Page 20: Contributions and Limitations

- Contributions
  - Decentralizes authority
  - Focus on a usable programming model
  - Makes information flow accessible to developers
- Limitations
  - Assumes a trusted execution platform
  - Assumes a trusted compiler.
  - Assumes a principal hierarchy. Cannot express arbitrary, non-hierarchical relationships

Page 21: Another Approach

- JIF offers a solution at the language level
  - Allows for fine granularity
  - Enforces a choice of language and compiler
- Perhaps this isn’t the right place?

Page 22: Asbestos

- Operating system level solution
- Supports server applications that keep users isolated
- A web server is the running example
  - Each application defines its own policies
- Every process has a send and receive label
- Processes communicate using messages sent to ports
- Kernel ensures that a process is permitted to send to another process’s receive port.

Page 23: Asbestos Labels

- Labels support decentralized compartments
- A program has discretionary right to declassify data in the compartment it created (similar to capabilities).
- Can give rights to declassify to other trusted programs
- Separate send and receive labels with different defaults

Page 24: Asbestos Labels

- A label L is a function that maps handles to taint levels
- Handles: 61-bit opaque identifiers
- Levels: { *, 0, 1, 2, 3 }
  - Syntax: { handle-1 level-1, handle-2 level-2, ..., default-level }
  - Default-level applies to all handles not explicitly mentioned
- For send, * is the most privileged, 1 is the default. For receive, 2 is the default.

Page 25: Asbestos Label Basics

- Process P can send to Q if

    $P_s \sqsubseteq Q_r$

- When a message is delivered to Q, Q’s send label is contaminated by P,

    $Q_s \leftarrow Q_s \sqcup P_s$

Page 26: Discretionary Contamination (Optional Detail)

- A process may want to make a message more tainted, by a contamination label $C_s$
- This is okay, it doesn’t violate flow properties
- The sender’s new label becomes

    $E_s = P_s \sqcup C_s$

- Q’s send label is contaminated by $E_s$

    $E_s \sqsubseteq Q_r$

    $Q_s \leftarrow Q_s \sqcup E_s$

Page 27: Declassification

- A process with $P_s(h) = *$ has declassification privilege for h
- If P receives a message from process Q with $Q_s(h) = 3$, $P_s(h)$ remains $*$.
- P can forward data from Q with less taint

    $Q_s \leftarrow Q_s \sqcup (E_s \sqcap Q_s^{*})$

- $(E_s \sqcap Q_s^{*})$ has precedence

Page 28: Decontamination (Optional Detail)

- A process with privilege can distribute privilege to other processes
- Note that this is different from Jif, which has a fixed hierarchy of users controlling I/O channels
- A process can decontaminate another process by lowering their send label and raising their receive label
- This makes the system more permissive
- P can forward data from Q with less taint

    $E_s \sqsubseteq Q_s \sqcup D_r$

    $Q_s \leftarrow (Q_s \sqcap D_s) \sqcup (E_s \sqcap Q_s^{*}),\quad Q_r \leftarrow Q_r \sqcup D_r$

- Where $D_s$ is the decontamination send label and $D_r$ is the decontamination receive label

Page 29: Integrity (Optional Detail)

- A process may speak for a user u and therefore write to u’s file
- This is a positive right, not a taint
- Asbestos must verify that a process speaks for u before permitting
- A verification label temporarily restricts the receiver’s effective receive label

    $E_s \sqsubseteq (Q_r \sqcup D_r) \sqcap V$

- where $V$ is the verification label

Page 30: Event Processes Continued

- Processes quickly become over-contaminated
- Event processes abstract the notion of a single user’s process state
- Associated with a base process
- Kernel state consists of:
  - send label,
  - receive label,
  - port receive rights,
  - private set of memory pages

Page 31: OK Web Server

- Demultiplexor process accepts connection, and hands it off
- One of several worker processes services the request
- OKWS isolates services in different processes
- Asbestos provides additional isolation within the process with event processes
- Supports database access through a proxy
  - Adds a “user ID” column to underlying database

Page 32: Limitations

- Label operations must be performed with every IPC (is this slow?)
- How are labels propagated between nodes?
- Limits choice of concurrency
- Size of the labels in the system increases with the number of sessions/users

Page 33: HiStar - What Was Wrong With Asbestos?

- Different goals: Unix vs. specialized web server
- HiStar closes covert channels inherent to Asbestos
  - mutable labels, IPC
- Lower level kernel interface
  - Process vs. Container+Thread+AS+Segments+Gates
  - One third the kernel code
  - Adds generality with user-space Unix library
- System-wide support for persistent storage
  - Asbestos uses trusted user-space file server
- Resources are manageable
  - In Asbestos, had to reboot to kill a runaway process

* source: OSDI 2006 HiStar slides

Page 34: Labels in HiStar

- HiStar uses Asbestos’ labeling system, with one clarification
- Recall the Asbestos label levels:
  - * has untainting privileges
  - 0 cannot be written/modified by default
  - 1 default level, no restriction
  - 2 cannot be untainted/exported by default
  - 3 cannot be read/observed by default

Page 35: Labels in HiStar Continued

- * denoted untainting privilege, not a taint (breaks lattice)
- Acts in two contexts
  - When T reads an object, treated as higher than a number
  - When T writes an object, treated as less than a number
- To avoid confusion, use a new high star symbol, $\star$
- Only appears in the notation, not in the labels
- $* < 1 < 2 < 3 < \star$

Page 36: Labels: New Rules

- T observes O requires:

    $L_O \sqsubseteq L_T^{\star}$

- T modifies O requires:

    $L_T \sqsubseteq L_O \sqsubseteq L_T^{\star}$

- Note this affects how much T must raise its label to observe object O
- Before, the lowest possible value was $L_O \sqcup L_P$
- Now the lowest value is $(L_O \sqcup L_T^{\star})^{*}$
- i.e., “T can keep its stars”

Page 37: Kernel Design

- Six object types
  - Segment (Data), Threads, Containers (Directory), Address Space, Gate (IPC), Device (Network)
- Each object has:
  - 61 bit object ID
  - Label
  - Quota, to bound storage usage
  - 64 bytes of metadata (modification time, etc.)
  - Flags
    - Immutable flag makes the object read only

Page 38: Single Level Store

- Single-level means no distinction between memory and secondary storage
- View memory as just a cache for disk: everything persists across reboots
- Solves the system initialization problem without a superuser
- Otherwise, how would users get their *s back after a reboot?

Page 39: No Superuser

- Root is a big security hole for information flow
  - Can read/modify anything, violating any policy
- But then can you create a process you can’t kill?
  - No, because allocation uses the container hierarchy
  - Any object you create is “charged” against a container’s space quota
- Idea: no implicit resource allocation

Page 40: Resource Exhaustion

- This is troublesome for both Asbestos and HiStar
- The single level store and quotas help ameliorate this problem
- Quotas form a hierarchy under control of the system administrator
- This is, notably, the only inherent hierarchy in HiStar

Page 41: The wrap Program

- 110 line trusted program
  - Has untainting privileges
- Example: untaint the virus scanner’s results, and report back to the user
- A program cannot read tainted data unless first tainting itself
- If wrap is correctly implemented, a program launched by wrap cannot leak information

Page 42: Emulating UNIX Environment

- Implemented as a library in user space
  - Information such as the exit status of the child process is made explicit by the UNIX library
- HiStar file system uses segments and containers
  - Files map to segments, directories to containers
- Processes are user space conventions
  - Actually map to containers, segments, gates, threads, and address space objects
- File descriptors are mapped to segments

Page 43: Emulating UNIX Permissions

- World-readable file, only writable by owner?
  - Each user u owns two categories, ur and uw, gets * on login
  - Set file’s label to {uw0, 1}
  - Now default process with label {1} can’t write file, but can read
- Group-readable file, only writable by owner?
  - Have to introduce categories gr, gw for group,
  - give gr*, gw* on login
  - Set file label to {gr3, uw0, 1}
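The Asbestos label lattice of pages 24 and 25 and the HiStar observe/modify rules of pages 35 and 36 are both pointwise comparisons of handle-to-level maps, and the UNIX permission emulation just above is a direct application of them. The following added example models all three together; it is not code from the slides, Asbestos or HiStar. Assumptions: the level order places Asbestos level 0 between * and 1 (the page-35 chain omits 0, the page-34 list includes it); the category names (u, ur, uw, gr, gw), the parser for the slide's brace syntax and the function names are constructed for the example.

```python
# Added example (not from the slides, Asbestos or HiStar): a model of
# Asbestos-style labels (handle -> level, plus a default level) with the
# Asbestos send/contamination rule and the HiStar observe/modify rules that
# use the "high star". Assumed order: * < 0 < 1 < 2 < 3 < ⋆ (0 slotted in from
# the page-34 level list). All categories and labels below are constructed.

LEVELS = ["*", "0", "1", "2", "3", "⋆"]
RANK = {lv: i for i, lv in enumerate(LEVELS)}


class Label:
    """A label maps handles (categories) to levels; unmentioned handles get the default level."""

    def __init__(self, levels, default):
        self.default = default
        # a handle at the default level carries no information, so drop it (keeps == meaningful)
        self.levels = {h: lv for h, lv in levels.items() if lv != default}

    @classmethod
    def parse(cls, text):
        """Parse slide syntax such as '{gr3, uw0, 1}'; the last entry is the default level."""
        toks = [t.strip() for t in text.strip().strip("{}").split(",") if t.strip()]
        *pairs, default = toks
        return cls({t[:-1]: t[-1] for t in pairs}, default)

    def __call__(self, handle):
        return self.levels.get(handle, self.default)

    def __eq__(self, other):
        return self.levels == other.levels and self.default == other.default

    def __repr__(self):
        return "{" + "".join(f"{h}{lv}, " for h, lv in sorted(self.levels.items())) + self.default + "}"

    def _handles(self, other):
        return set(self.levels) | set(other.levels)

    def leq(self, other):
        """L1 ⊑ L2 iff L1(h) <= L2(h) for every handle h, the defaults included."""
        return (RANK[self.default] <= RANK[other.default]
                and all(RANK[self(h)] <= RANK[other(h)] for h in self._handles(other)))

    def _pointwise(self, other, pick):
        return Label({h: pick(self(h), other(h), key=RANK.get) for h in self._handles(other)},
                     pick(self.default, other.default, key=RANK.get))

    def join(self, other):
        """Least upper bound: the higher level at every handle."""
        return self._pointwise(other, max)

    def meet(self, other):
        """Greatest lower bound: the lower level at every handle."""
        return self._pointwise(other, min)

    def high_star(self):
        """L^⋆: every * (untainting privilege) read as ⋆, the top of the order (page 35)."""
        lift = lambda lv: "⋆" if lv == "*" else lv
        return Label({h: lift(lv) for h, lv in self.levels.items()}, lift(self.default))


# Asbestos (page 25): P may send to Q when Ps ⊑ Qr; delivery contaminates Q: Qs <- Qs ⊔ Ps
def asbestos_deliver(p_send, q_send, q_recv):
    """Return Q's send label after receiving from P, or None when the kernel refuses delivery."""
    if not p_send.leq(q_recv):
        return None
    return q_send.join(p_send)


# HiStar (page 36): T observes O when L_O ⊑ L_T^⋆; T modifies O when L_T ⊑ L_O ⊑ L_T^⋆
def histar_can_observe(l_thread, l_obj):
    return l_obj.leq(l_thread.high_star())


def histar_can_modify(l_thread, l_obj):
    return l_thread.leq(l_obj) and l_obj.leq(l_thread.high_star())


if __name__ == "__main__":
    # Asbestos: a process tainted with user u's handle cannot reach a default-receive process
    tainted = Label.parse("{u3, 1}")
    print(asbestos_deliver(tainted, Label.parse("{1}"), Label.parse("{2}")))      # None
    print(asbestos_deliver(tainted, Label.parse("{1}"), Label.parse("{u3, 2}")))  # {u3, 1}
    # HiStar UNIX emulation (page 43): world-readable file, writable only by its owner
    f = Label.parse("{uw0, 1}")
    anyone, owner = Label.parse("{1}"), Label.parse("{ur*, uw*, 1}")
    print(histar_can_observe(anyone, f), histar_can_modify(anyone, f))           # True False
    print(histar_can_observe(owner, f), histar_can_modify(owner, f))             # True True
```

The group case from the slide works out the same way: against `{gr3, uw0, 1}` a default `{1}` thread fails the observe check at gr, a group member running with `{gr*, gw*, 1}` can observe but fails `L_T ⊑ L_O` at uw, and a thread needs both uw* and gr* to write. The last point of page 36 also falls out: `{ur3, 1}` is not below `{ur*, 1}` in the plain lattice order, yet `histar_can_observe` accepts it because the star is read as ⋆ on the observe side.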

Page 44: IPC

- Gates provide the mechanism for IPC
- Example: Timestamped digital signature daemon (pg. 271)
  - Daemon knows secret signature key labeled {dr3, dw0, 1}
  - Daemon creates a service gate G with {dr*, dw*, 1}
  - Client running with process categories pr*, pw*
  - Client allocates a new category r
  - Client allocates a “return gate” Gr with label {pr*, pw*, 1}, clearance {r0, 2}
  - Client jumps through gate G, starts server code with dr*, dw*
  - Server code now has access to secret key, computes signature
  - Returns to client by jumping through Gr; resets thread’s label from {dr*, dw*, r*, 1} → {pr*, dw*, r*, 1}

Page 45: Signals

- Implemented by sending an alert to a thread in a process
- Requires the permission to modify the thread’s address space object
- Each process exposes a signal gate
  - The gate has label {pr*, pw*, 1}
  - The clearance of the gate is {uw0, 2}
  - Only threads that have the user’s privilege can send signals to that user’s process

Page 46: Authentication

- HiStar authenticates without any highly trusted process
- Users may supply their own authentication service
- Four separate entities coordinate to authenticate a user
  - Login client, directory service, per-user authentication service, logging service
