Enforcing Security Policies using Transactional Memory Introspection
Vinod Ganapathy (Rutgers University), Arnar Birgisson, Ulfar Erlingsson, Mohan Dhawan, Liviu Iftode
X server with multiple X clients
[Figure: an X server serving two X clients, labelled REMOTE and LOCAL]
Vinod Ganapathy
Transactional Memory Introspection/IPAM'08
Malicious remote X client
[Figure: the same setup; the REMOTE client is malicious]
Undesirable information flow
[Figure: an information flow between the REMOTE and LOCAL clients that the policy should forbid]
Desirable information flow
[Figure: an information flow between the REMOTE and LOCAL clients that the policy should allow]
X server with authorization
[Figure: an X client sends an operation request to the X server; the server asks its reference monitor "Allowed?", which answers YES/NO according to the authorization policy, before the response goes back to the client]
The problem
[Figure: multiple clients send requests to a server that manages resources and is likely multithreaded; a reference monitor with its authorization policy sits beside the server]
Security enforcement crosscuts application functionality
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection
• Implementation and experiments
• Open questions and future work
Existing enforcement interface
dispatch_request ( ) {
    ...
    perform_request ( );
}
perform_request ( ) {
    ...
    perform_access (resource);
    ...
    perform_access'(resource');
}
Existing enforcement interface
dispatch_request ( ) {
    ...
    perform_request ( );
}
perform_request ( ) {
    ...
    if (allowed(principal,resource,access)) {
        perform_access (resource);
    } else { handle_auth_failure1(); }
    ...
    if (allowed(principal,resource',access')) {
        perform_access'(resource');
    } else { handle_auth_failure2(); }
}
Three problems
• Violation of complete mediation
• Time-of-check to Time-of-use bugs
• Handling authorization failures
I. Incomplete mediation
Must guard each resource access to ensure complete mediation
dispatch_request ( ) {
    ...
    perform_request ( );
}
perform_request ( ) {
    ...
    if (allowed(principal,resource,access)) {
        perform_access (resource);
    } else { handle_auth_failure1(); }
    ...
    if (allowed(principal,resource',access')) {
        perform_access'(resource');
    } else { handle_auth_failure2(); }
}
I. Incomplete mediation
[Zhang et al., USENIX Security ‘02]
ssize_t vfs_read (struct file *file, ...) {
    ...
    if (check_permission(file, MAY_READ)) {
        file->f_op->read(file, ...);
    }
    ...
}
int page_cache_read (struct file *file, ...) {
    struct address_space *mapping =
        file->f_dentry->d_inode->i_mapping;
    ...
    mapping->a_ops->readpage(file, ...);
}
II. TOCTTOU bugs
perform_request ( ) {
    ...
    if (allowed(principal,resource,access)) {
        perform_access (resource);
    } else { handle_auth_failure1(); }
    ...
    if (allowed(principal,resource',access')) {
        perform_access'(resource');
    } else { handle_auth_failure2(); }
}
II. TOCTTOU bugs
Similar race condition found in the Linux Security Modules framework [Zhang et al. USENIX Security ’02]
Several similar bugs recently found in popular enforcement tools [Watson, WOOT ’07]:
• GSWTK
• Systrace [Provos, USENIX Security ’03]
• Sysjail
• FreeBSD [Johnson and Deksters ’07]
perform_request ( ) {
    ...
    if (allowed(principal,resource,access)) {
        perform_access (resource);
    } else { handle_auth_failure1(); }
    ...
    if (allowed(principal,resource',access')) {
        perform_access'(resource');
    } else { handle_auth_failure2(); }
}
II. TOCTTOU bugs
Authorization check and resource access must be atomic
perform_request ( ) {
    ...
    if (allowed(principal,resource,access)) {
        perform_access (resource);
    } else { handle_auth_failure1(); }
    ...
    if (allowed(principal,resource',access')) {
        perform_access'(resource');
    } else { handle_auth_failure2(); }
}
III. Failure handling
Handling authorization failures is ad hoc and error prone
perform_request ( ) {
    ...
    if (allowed(principal,resource,access)) {
        perform_access (resource);
    } else { handle_auth_failure1(); }
    ...
    if (allowed(principal,resource',access')) {
        perform_access'(resource');
    } else { handle_auth_failure2(); }
}
III. Failure handling
• Exception-handling code accounts for a large fraction of server software
– Over two-thirds of server software [IBM ’87]
– Nearly 46% on several Java benchmarks [Weimer & Necula OOPSLA’04]
• Exception-handling code itself is error-prone [Fetzer and Felber ’04]
• SecurityException most often handled erroneously [Weimer & Necula OOPSLA’04]
Summary of problems
• Violation of complete mediation
– Need to identify all the resources accessed
– Example: Bug in Linux Security Modules [Zhang et al., USENIX Security ‘02]
• Time-of-check to Time-of-use bugs
– Examples: [Zhang et al., USENIX Security ‘02] [Watson, WOOT ‘07]
• Handling authorization failures
– Large fraction of server code relates to error handling [IBM survey ’87, Weimer and Necula ‘04]
– Error-handling code is error-prone! [Fetzer & Felber ’04]
Security enforcement crosscuts application functionality.
Our solution: TMI decouples security enforcement from application functionality.
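To make the three problems concrete, here is a small Python model of a server written against the "existing enforcement interface" above. It is an added example, not the authors' code: `Policy`, `Server`, the clipboard resource and the `between_check_and_use` hook are all constructed for this page. The hook is a deterministic stand-in for a thread switch between the time of check and the time of use, which is what makes the race reproducible without real threads; `dump_request` is the second, unchecked path to the same resource (the vfs_read / page_cache_read situation).

```python
import threading


class Policy:
    """Mutable ACL of (principal, resource, access) triples; an administrator may revoke entries."""
    def __init__(self, grants):
        self.grants = set(grants)
        self.lock = threading.Lock()

    def allowed(self, principal, resource, access):
        with self.lock:
            return (principal, resource, access) in self.grants

    def revoke(self, principal, resource, access):
        with self.lock:
            self.grants.discard((principal, resource, access))


class Server:
    """Request handlers with inline checks, in the style of perform_request on the slides."""
    def __init__(self, policy, between_check_and_use=lambda: None):
        self.policy = policy
        self.resources = {"clipboard": "secret"}   # constructed sample resource
        self.audit = []                              # ad hoc failure handling ends up here
        self._interleave = between_check_and_use     # hypothetical hook: stands in for a thread switch

    def perform_access(self, name):
        return self.resources[name]

    def read_request(self, principal, name):
        # Guarded path: check, then use. Nothing makes the two steps atomic.
        if self.policy.allowed(principal, name, "read"):   # time of check
            self._interleave()                              # other threads may run here
            return self.perform_access(name)                # time of use
        self.audit.append(f"denied: {principal} read {name}")
        return None

    def dump_request(self, principal):
        # Second path to the same resource that never consults the policy: mediation is incomplete.
        return {name: self.perform_access(name) for name in self.resources}


def incomplete_mediation():
    """Returns what 'remote' obtains via the guarded path and via the unguarded path."""
    server = Server(Policy({("local", "clipboard", "read")}))
    guarded = server.read_request("remote", "clipboard")
    unguarded = server.dump_request("remote")["clipboard"]
    return guarded, unguarded


def toctou_revocation():
    """The grant is revoked between check and use; returns (value obtained, policy verdict afterwards)."""
    policy = Policy({("remote", "clipboard", "read")})
    server = Server(policy, between_check_and_use=lambda: policy.revoke("remote", "clipboard", "read"))
    value = server.read_request("remote", "clipboard")
    return value, policy.allowed("remote", "clipboard", "read")
```

`incomplete_mediation()` returns `(None, "secret")`: the guarded handler stops the remote principal, the unguarded one hands the data over. `toctou_revocation()` returns `("secret", False)`: the access goes through even though, by the time it happens, the policy no longer permits it. Both outcomes come from the structure of the code, not from a bug in any single line, which is the point the slides make about crosscutting enforcement.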
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection (TMI)
– Programmer’s interface
– Mechanics of TMI
• Implementation and experiments
• Open questions and future work
Transactional memory primer
• Alternative to lock-based programming
• Reason about atomic sections, not locks
Lock-based:
    acquire(S1.lock)
    acquire(S2.lock)
    value = S1.pop()
    S2.push(value)
    release(S2.lock)
    release(S1.lock)
Transactional:
    transaction {
        value = S1.pop()
        S2.push(value)
    }
• TM attempts to guarantee ACID semantics
Programmer’s interface to TMI
dispatch_request ( ) {
    transaction [ principal ] {
        ...
        perform_request ( );
    }
}
perform_request ( ) {
    ...
    perform_access (resource);
    ...
    perform_access'(resource');
}
Programmer’s interface to TMI
dispatch_request ( ) {
    transaction [ principal ] {
        ...
        perform_request ( );
    }
}
perform_request ( ) {
    ...
    perform_access (resource);      // allowed(principal, resource, access)?
    ...
    perform_access'(resource');     // allowed(principal, resource', access')?
}
Authorization manager:
    case (resource=R, access_type=A):
        if (!allowed(principal, R, A)) then abort_tx
I. Complete mediation for free
dispatch_request ( ) {
    transaction [ principal ] {
        ...
        perform_request ( );
    }
}
TMI automatically invokes authorization checks
perform_request ( ) {
    ...
    perform_access (resource);
    ...
    perform_access'(resource');
}
II. TOCTTOU-freedom for free
dispatch_request ( ) {
    transaction [ principal ] {
        ...
        perform_request ( );
    }
}
Conflicting resource accesses abort transaction automatically
perform_request ( ) {
    ...
    perform_access (resource);
    ...
    perform_access'(resource');
}
III. Error-handling for free
dispatch_request ( ) {
    transaction [ principal ] {
        ...
        perform_request ( );
    }
}
Unauthorized resource accesses abort transaction automatically
perform_request ( ) {
    ...
    perform_access (resource);
    ...
    perform_access'(resource');
}
Decouples functionality and security
dispatch_request ( ) {
    transaction [ principal ] {
        ...
        perform_request ( );
    }
}
perform_request ( ) {
    ...
    perform_access (resource);
    ...
    perform_access'(resource');
}
Authorization manager (kept separate from the code above)
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection (TMI)
– Programmer’s interface
– Mechanics of TMI
• Implementation and experiments
• Open questions and future work
TM runtime system
• The TM runtime maintains per-transaction read/write sets and detects conflicts
transaction {
    value = S1.pop()
    S2.push(value)
}
Two transactions, Green and Red, run this body concurrently:
    Green: val1 = S1.pop()  ...  S2.push(val1)
    Red:   val2 = S1.pop()  ...  S2.push(val2)
Step       | Read set             | Write set
after pop  | S1.stkptr            | S1.stkptr
after push | S1.stkptr, S2.stkptr | S1.stkptr, S2.stkptr
Both transactions' sets contain S1.stkptr, which is how the runtime detects the conflict.
TM runtime system
[Figure: the TM runtime pipeline. Execution (transaction body, building the read and write sets) → Validation (contention manager; retry on conflict) → Commit (commit logic)]
Transactional Memory Introspection
[Figure: the TMI pipeline. Execution (transaction body, read and write sets) → Validation (contention manager; retry on conflict) → Authorization (auth. manager runs auth. checks over the sets; success → Commit, failure → Abort) → Commit (commit logic)]
Transactional Memory Introspection
dispatch_request ( ) {
    transaction [ principal ] {
        ...
        perform_request ( );
    }                                // accesses checked before tx commits
}
perform_request ( ) {
    ...
    perform_access (resource);       // present in read/write set
    ...
    perform_access'(resource');      // present in read/write set
}
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection
• Implementation and experiments
• Open questions and future work
TMI Implementation: TMI/DSTM2
• Implemented using Sun’s DSTM2
• Object-based software TM system
• TM system modified to
– Trigger authorization checks on additions to
read/write set and upon transaction validation
– Raise AccessDeniedException upon abort
– Integrate transactional I/O libraries
• Fewer than 500 lines changed in DSTM2
Porting software to TMI/DSTM2
1. Mark transactional objects with @atomic
– Also require @atomic wrappers for libraries:
java.util.HashMap, java.util.Vector
2. Reads and writes to fields of @atomic
objects replaced with DSTM2 accessors
3. Place transaction{…} blocks around
client requests
4. Write an authorization manager
Dealing with side-effects
• Problem:
– TM provides ACID semantics to memory
updates
– System calls inside transaction{…} block can
violate atomicity and isolation
• Use transactional I/O packages
• Integrate with commit logic
Dealing with side-effects
[Figure: the TMI pipeline with transactional I/O. Execution (transaction body, read and write sets) → Validation (contention manager; retry on conflict) → Authorization (auth. manager runs auth. checks; failure → Abort) → Commit (2-phase commit between the commit logic and the TX I/O library; success)]
GradeSheet in TMI/DSTM2
Evaluation
• Ported four Java-based servers
• GradeSheet: A grade-management server
• FreeCS: A chat server
• WeirdX: An X window management server
– Enforced a simple XACML based policy
• Tar: A tar archive service
– Enforced Java stack inspection policy
Modifications needed
Server      | LOC    | Lines modified | Transactions
GradeSheet  | 900    | 300            | 1
Tar service | 5,000  | < 50           | 1
FreeCS      | 22,000 | 860            | 47
WeirdX      | 27,000 | 4,800          | 108
Authorization managers were approximately 200 lines of code in each case
Example policy enforced in WeirdX
[Figure: the X server with its REMOTE and LOCAL clients, showing the flows the WeirdX policy permits and forbids]
When to enforce policy?
dispatch_request ( ) {
    transaction [ principal ] {
        ...
        perform_request ( );
    }
}
Eager
perform_request ( ) {
    ...                              // allowed(principal, resource, access)?
    perform_access (resource);
    ...                              // allowed(principal, resource', access')?
    perform_access'(resource');
}
When to enforce policy?
dispatch_request ( ) {
    transaction [ principal ] {
        ...
        perform_request ( );
    }                                // allowed(principal, resource, access)?
                                     // allowed(principal, resource', access')?
}
Lazy
perform_request ( ) {
    ...
    perform_access (resource);
    ...
    perform_access'(resource');
}
When to enforce policy?
dispatch_request ( ) {
    transaction [ principal ] {
        ...
        perform_request ( );
    }
}
Parallel
perform_request ( ) {
    ...                              // allowed(principal, resource, access)? (alongside the access)
    perform_access (resource);
    ...                              // allowed(principal, resource', access')? (alongside the access)
    perform_access'(resource');
}
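The following Python model ties together the TMI mechanics slide ("accesses checked before tx commits"), the Eager and Lazy enforcement slides, and the side-effects slide. It is an added example, not DSTM2 and not the authors' code: `AtomicObject` stands in for an @atomic object, `Transaction` keeps the read/write sets and an ordered access list that the `AuthorizationManager` introspects, `mode="eager"` checks on every addition to the sets while `mode="lazy"` checks once at validation, a denied access raises `AccessDeniedException` and aborts, a stale read found at validation raises `Conflict` and retries, and `emit` buffers output that is released only at commit. The policy format and the clipboard/window scenario are constructed; Parallel enforcement is not modelled. Writes are buffered rather than in-place (a simplification of the slides' STM), which is why an abort needs no undo log here.

```python
import threading

class AccessDeniedException(Exception): pass   # the runtime denied an access: abort
class Conflict(Exception): pass                # validation saw a stale read: retry

class AtomicObject:                            # stand-in for a DSTM2 @atomic object
    def __init__(self, name, value):
        self.name, self.value, self.version = name, value, 0

class AuthorizationManager:                    # policy: {principal: {(resource, access), ...}}
    def __init__(self, grants):
        self.grants = grants
    def allowed(self, principal, resource, access):
        return (resource, access) in self.grants.get(principal, set())

_commit_lock = threading.Lock()                # serialises validation and commit

class Transaction:
    def __init__(self, principal, auth, mode):
        self.principal, self.auth, self.mode = principal, auth, mode   # mode: "eager" or "lazy"
        self.reads = {}      # name -> (object, version observed)
        self.writes = {}     # name -> (object, buffered new value)
        self.accesses = []   # (resource, access) pairs the auth manager introspects
        self.output = []     # side effects deferred until commit (transactional I/O)

    def _mediate(self, obj, access):
        # Every read/write of an AtomicObject passes here, so nothing escapes the monitor.
        self.accesses.append((obj.name, access))
        if self.mode == "eager":                 # check as soon as the read/write set grows
            self._check(obj.name, access)

    def _check(self, resource, access):
        if not self.auth.allowed(self.principal, resource, access):
            raise AccessDeniedException(f"{self.principal}: {access} on {resource} denied")

    def read(self, obj):
        self._mediate(obj, "read")
        if obj.name in self.writes:              # read-your-own-writes
            return self.writes[obj.name][1]
        self.reads.setdefault(obj.name, (obj, obj.version))
        return obj.value

    def write(self, obj, value):
        self._mediate(obj, "write")
        self.writes[obj.name] = (obj, value)     # buffered, applied only at commit

    def emit(self, line):
        self.output.append(line)                 # released only if the transaction commits

    def validate_and_commit(self):
        with _commit_lock:
            if self.mode == "lazy":              # check the whole access set once, before commit
                for resource, access in self.accesses:
                    self._check(resource, access)
            for obj, seen in self.reads.values():
                if obj.version != seen:          # another commit slipped in: stale read
                    raise Conflict(obj.name)
            for obj, value in self.writes.values():
                obj.value, obj.version = value, obj.version + 1
            return list(self.output)

def run_transaction(principal, auth, mode, body, max_retries=3):
    """transaction [principal] { body(tx) }: returns ("committed", output) or ("denied", reason)."""
    for _ in range(max_retries):
        tx = Transaction(principal, auth, mode)
        try:
            body(tx)
            return "committed", tx.validate_and_commit()
        except AccessDeniedException as exc:
            return "denied", str(exc)            # buffered writes and output are simply dropped
        except Conflict:
            continue
    raise RuntimeError("too many conflicts")

# Constructed scenario: the local client owns the clipboard, the remote client owns its window.
POLICY = AuthorizationManager({
    "local": {("clipboard", "read"), ("clipboard", "write")},
    "remote": {("remote_window", "read"), ("remote_window", "write")},
})

def demo_denied(mode):
    """Remote client copies the local clipboard into its window; no inline check anywhere."""
    clipboard, window = AtomicObject("clipboard", "secret"), AtomicObject("remote_window", "")
    def body(tx):
        data = tx.read(clipboard)
        tx.write(window, data)
        tx.emit(f"forward {data}")               # would be a leak if it reached the network
    outcome, detail = run_transaction("remote", POLICY, mode, body)
    return outcome, window.value, detail

def demo_conflict_retry():
    """A commit between read and validation is caught by the read set, not by a check."""
    clipboard, seen = AtomicObject("clipboard", "v1"), []
    def body(tx):
        seen.append(tx.read(clipboard))
        if len(seen) == 1:                       # simulate another thread committing now
            run_transaction("local", POLICY, "eager", lambda t: t.write(clipboard, "v2"))
        tx.emit("read " + seen[-1])
    outcome, output = run_transaction("local", POLICY, "lazy", body)
    return outcome, seen, output
```

`demo_denied("eager")` aborts at the first read of the clipboard; `demo_denied("lazy")` runs the whole body first and aborts at validation. In both cases the window is never written and the buffered `forward secret` line is never released, but the lazy variant shows the caveat from the "formal semantics" slide: the body has already seen the secret, so only the buffering of side effects keeps it from leaking. `demo_conflict_retry()` returns `("committed", ["v1", "v2"], ["read v2"])`: the first attempt is discarded because its read of `clipboard` went stale, and the transaction, including its output, is redone on the fresh value.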
Performance overheads of TMI
[Figure: bar chart of TMI runtime overhead in percent (y-axis from -20 to 60) for TMI/Eager, TMI/Lazy and TMI/Parallel on GradeSheet, Tar, FreeCS and WeirdX; annotations on the chart read "10x" and "-15.8%"]
Performance overheads of STM
• Software transactional memory imposes a significant overhead
Server      | Native | TMI-ported | Overhead
GradeSheet  | 395μs  | 451μs      | 14.7%
Tar service | 4.96s  | 15.40s     | 2.1x
FreeCS      | 321μs  | 3907μs     | 11.2x
WeirdX      | 0.23ms | 6.40ms     | 26.8x
Hardware-accelerated STM will reduce runtime overheads of TM runtime systems
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection
• Implementation and experiments
• Open questions and future work
Hardware support for TMI
• Problem:
– STM imposes high runtime overheads
– Want to make TMI practical for adoption on real-world servers
• Solution: Implementing TMI in hardware transactional memory (HTM) systems
– HTM-based software is as fast as (or faster than) lock-based software.
Interaction of TMI and I/O
• Problem: I/O instructions in transactions
violate atomicity and isolation
• Can deal with file and database I/O with
transactional libraries
• Network I/O? Display? Other devices?
• Possible solution: Combine TMI and
virtual machine introspection
A formal semantics of TMI
• Problem:
– Pathological interactions of TMI with STM
implementation details
• Example: Weak-atomicity, in-place updates
– With Lazy enforcement, TMI can leak
sensitive information
• Solution:
– Need a formal semantics for TMI
Summary
• Transactional Memory Introspection
– A new reference monitor architecture
– Decouples application functionality from
security policy enforcement
• Benefits
– Better guarantees on complete mediation
– Freedom from TOCTTOU bugs
– Better handling of authorization failures
Thank you!
Enforcing Security Policies using
Transactional Memory Introspection
Reference: Upcoming CCS 2008 paper
Vinod Ganapathy
Rutgers University
vinodg@cs.rutgers.edu
http://www.cs.rutgers.edu/~vinodg