Information Flow Control in the Asbestos Operating System - PowerPoint PPT Presentation

1 / 28

About This Presentation

Title:

Information Flow Control in the Asbestos Operating System

Description:

Cliff Frey David Ziegler Eddie Kohler* David Mazi res. Frans Kaashoek Robert Morris ... Goal: operating system support to protect private data ... – PowerPoint PPT presentation

Number of Views:144

Avg rating:3.0/5.0

Slides: 29

Provided by: wikiNrc

Category:

more less

Transcript and Presenter's Notes

Title: Information Flow Control in the Asbestos Operating System

1
Information Flow Control in theAsbestos
Operating System

Petros Efstathopoulos Maxwell Krohn Steve
VanDeBogart
Cliff Frey David Ziegler Eddie Kohler David
Mazières
Frans Kaashoek Robert Morris
UCLA MIT Stanford
http//asbestos.cs.ucla.edu

2
Asbestos project overview

Goal operating system support to protect private
data
Initial implementation designed for Web servers
Joint work with Stanford and UCLA
Released as open source
This talk ideas for using Asbestos on cell
phones

3
The problem disclosure of private data
my password Visa 4510-2297-4519-8332 Jun 5
secret Nokia meeting
4
Asbestos helps keep data private
www.evil.com
my password Visa 4510-2297-4519-8332 Jun 5
secret Nokia meeting
5
Data privacy risks on cell-phones

Personal and confidential data
Credit cards, passwords, e-mail, calendar items
Connection to the Internet
Third-party applications, downloaded software
Complex and potentially buggy software

6
An example problem
Cell Phone / PDA
Calendar Manager
www.???.com
Calendar file
7
Existing data privacy ideas

Dont let downloaded code read files
Dont let downloaded code use the network
Trust only signed applications
Ask the user

8
Asbestos information flow control
Cell Phone / PDA
Calendar Manager
www.???.com
Calendar file
New Manager
9
Asbestos labels

Message-passing kernel
Kernel enforces rules on message flow
A compartment indicates the owner of private
data
A label is a set of compartments
Each process, message, and file has a label
Application sets policy by setting initial labels
Kernel tracks message/label flow and enforces
policy

10
Label rules
Process Two
Process One
Label
11
Compartment creation and privilege
Process Two
Process One
Net Server
File Server
Label
12
Compartment creation and privilege
Process Two
Process One
Net Server
File Server
Label
A privileged process can give away its privilege
for a compartment
13
Privilege allows declassification
Process Two
Process One
Net Server
File Server
Label
No taint
14
Default Network rejects all compartments
Process Two
Process One
Net Server
File Server
X
Label
15
Calendar manager example
Net Server
Calendar Mgr
File Server
Label
16
Create new compartment
Net Server
File Server
Calendar Mgr
Label
17
Give privilege to file server
Net Server
File Server
Calendar Mgr
Label
18
Drop privilege
Net Server
File Server
Calendar Mgr
Label
19
Write the calendar file
Calendar File
Net Server
File Server
Calendar Mgr
Label
20
User downloads new calendar manager
Calendar File
Net Server
New Mgr
File Server
Calendar Mgr
Label
21
New manager can use network, files, c
New File
Net Server
New Mgr
File Server
Calendar Mgr
Label
22
New manager is tainted if it reads calendar file
Calendar File
Net Server
New Mgr
File Server
Calendar Mgr
Label
23
Tainted manager cannot use network
Calendar File
Net Server
New Mgr
File Server
Calendar Mgr
X
Label
24
Can new manager exploit bugs in other apps?
Calendar File
Net Server
New Mgr
Instant Messgr
File Server
Calendar Mgr
OK
Label
25
Labels prevent all disclosure, even indirect
Calendar File
Net Server
New Mgr
Instant Messgr
File Server
Calendar Mgr
X
OK
Label
26
Accumulation of Taint