Enforcing Security Policies using Transactional Memory Introspection
Vinod Ganapathy, Rutgers University
Arnar Birgisson, Mohan Dhawan, Ulfar Erlingsson, Liviu Iftode
Vinod Ganapathy Transactional Memory Introspection/IPAM'08 2
X server with multiple X clients
[Figure: one X server shared by REMOTE and LOCAL X clients]

Undesirable information flow
[Figure: the REMOTE and LOCAL clients on the shared X server]

Desirable information flow
[Figure: the LOCAL and REMOTE clients on the shared X server]
X server with authorization
[Figure: an X client sends an operation request to the X server and receives a response; inside the server, a reference monitor consults the authorization policy and answers "Allowed? YES/NO"]
The problem
[Figure: a server with a reference monitor and an authorization policy, serving a client]
• Multiple clients
• Manages resources
• Likely multithreaded
Security enforcement crosscuts application functionality
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection
• Implementation and experiments
• Open questions and future work
Existing enforcement interface

    dispatch_request ( ) {
        ...
        perform_request ( );
    }

    perform_request ( ) {
        ...
        perform_access (resource);
        ...
        perform_access'(resource');
    }
Existing enforcement interface (with authorization checks added)

    dispatch_request ( ) {
        ...
        perform_request ( );
    }

    perform_request ( ) {
        ...
        if (allowed(principal, resource, access)) {
            perform_access (resource);
        } else { handle_auth_failure1(); }
        ...
        if (allowed(principal, resource', access')) {
            perform_access'(resource');
        } else { handle_auth_failure2(); }
    }
Three problems
• Violation of complete mediation
• Time-of-check to Time-of-use bugs
• Handling authorization failures
I. Incomplete mediation
(same code as above, with an allowed() check guarding each perform_access call)

Must guard each resource access to ensure complete mediation
I. Incomplete mediation: example from the Linux kernel

    ssize_t vfs_read (struct file *file, ...) {
        ...
        if (check_permission(file, MAY_READ)) {
            file->f_op->read(file, ...);
        }
        ...
    }

    int page_cache_read (struct file *file, ...) {
        struct address_space *mapping =
            file->f_dentry->d_inode->i_mapping;
        ...
        mapping->a_ops->readpage(file, ...);   /* reached without a check_permission call */
    }

[Zhang et al., USENIX Security '02]
II. TOCTTOU bugs
(same code as above: allowed() is evaluated first, perform_access runs afterwards)
Similar race condition found in the Linux Security Modules framework [Zhang et al., USENIX Security '02]
Several similar bugs recently found in popular enforcement tools [Watson, WOOT '07]:
• GSWTK
• Systrace [Provos, USENIX Security '03]
• FreeBSD Sysjail [Johnson and Deksters '07]
II. TOCTTOU bugs
Authorization check and resource access must be atomic
III. Failure handling
Handling authorization failures is ad hoc and error prone
III. Failure handling
• Exception-handling code accounts for a large fraction of server software
  – Over two-thirds of server software [IBM '87]
  – Nearly 46% on several Java benchmarks [Weimer & Necula, OOPSLA '04]
• Exception-handling code itself is error-prone [Fetzer and Felber '04]
• SecurityException most often handled erroneously [Weimer & Necula, OOPSLA '04]
Summary of problems
• Violation of complete mediation
  – Need to identify all the resources accessed
  – Example: Bug in Linux Security Modules [Zhang et al., USENIX Security '02]
• Time-of-check to Time-of-use bugs
  – Examples: [Zhang et al., USENIX Security '02] [Watson, WOOT '07]
• Handling authorization failures
  – Large fraction of server code relates to error handling [IBM survey '87, Weimer and Necula '04]
  – Error-handling code is error-prone! [Fetzer & Felber '04]
Security enforcement crosscuts application functionality
Our solution: TMI decouples security enforcement from application functionality
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection (TMI)
  – Programmer’s interface
  – Mechanics of TMI
• Implementation and experiments
• Open questions and future work
Transactional memory primer
• Alternative to lock-based programming
• Reason about atomic sections, not locks
• TM attempts to guarantee ACID semantics

Lock-based version:

    acquire(S1.lock)
    acquire(S2.lock)
    value = S1.pop()
    S2.push(value)
    release(S2.lock)
    release(S1.lock)

Transactional version:

    transaction {
        value = S1.pop()
        S2.push(value)
    }
Programmer’s interface to TMI

    dispatch_request ( ) {
        transaction [ principal ] {
            ...
            perform_request ( );
        }
    }

    perform_request ( ) {
        ...
        perform_access (resource);
        ...
        perform_access'(resource');
    }
Authorization manager:

    case (resource = R, access_type = A):
        if (!allowed(principal, R, A)) then abort_tx

The TM runtime consults the authorization manager for each access made inside the transaction:
    allowed(principal, resource, access)?
    allowed(principal, resource', access')?
I. Complete mediation for free
TMI automatically invokes authorization checks (same transaction [ principal ] code as above)

II. TOCTTOU-freedom for free
Conflicting resource accesses automatically abort the transaction

III. Error-handling for free
Unauthorized resource accesses automatically abort the transaction

Decouples functionality and security
Application functionality stays inside the transaction; the policy lives in the authorization manager
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection (TMI)
  – Programmer’s interface
  – Mechanics of TMI
• Implementation and experiments
• Open questions and future work
TM runtime system
• The TM runtime maintains per-transaction read/write sets and detects conflicts

Two transactions (Green and Red) operating on stacks S1 and S2:

    Green:  transaction { value = S1.pop(); S2.push(value) }
    Red:    val1 = S1.pop(); val2 = S1.pop(); S2.push(val2); S2.push(val1)

    Transaction   Read set                Write set
    Green         S1.stkptr               S1.stkptr
    Red           S1.stkptr, S2.stkptr    S1.stkptr, S2.stkptr
TM runtime system
[Figure: transaction body → execution → read and write sets → validation → commit logic → commit; on a conflict, the contention manager triggers a retry]
Transactional Memory Introspection
[Figure: the same pipeline with an authorization stage added between validation and commit; the read and write sets are turned into authorization checks sent to the authorization manager: success → commit, failure → abort]
Transactional Memory Introspection
(same transaction [ principal ] { ... perform_request ( ); } code as above)
Every resource touched by perform_request is present in the transaction’s read/write set
Accesses checked before tx commits
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection
• Implementation and experiments
• Open questions and future work
TMI Implementation: TMI/DSTM2
• Implemented using Sun’s DSTM2
• Object-based software TM system
• TM system modified to
  – Trigger authorization checks on additions to read/write set and upon transaction validation
  – Raise AccessDeniedException upon abort
  – Integrate transactional I/O libraries
• Fewer than 500 lines changed in DSTM2
Porting software to TMI/DSTM2
1. Mark transactional objects with @atomic
   – Also require @atomic wrappers for libraries: java.util.HashMap, java.util.Vector
2. Reads and writes to fields of @atomic objects replaced with DSTM2 accessors
3. Place transaction{…} blocks around client requests
4. Write an authorization manager
Dealing with side-effects
• Problem:
  – TM provides ACID semantics to memory updates
  – System calls inside transaction{…} block can violate atomicity and isolation
• Use transactional I/O packages
• Integrate with commit logic
Dealing with side-effects
[Figure: the TMI pipeline with a transactional I/O (TX I/O) component and a 2-phase commit in place of the plain commit logic; authorization checks still go to the authorization manager, success → commit, failure → abort]
Evaluation
• Ported four Java-based servers
• GradeSheet: A grade-management server
• FreeCS: A chat server
• WeirdX: An X window management server
  – Enforced a simple XACML-based policy
• Tar: A tar archive service
  – Enforced Java stack inspection policy
Modifications needed

    Server        LOC      Lines modified   Transactions
    GradeSheet       900        300              1
    Tar service    5,000       < 50              1
    FreeCS        22,000        860             47
    WeirdX        27,000      4,800            108

Authorization managers were approximately 200 lines of code in each case
Example policy enforced in WeirdX
[Figure: REMOTE and LOCAL X clients of the WeirdX server]
When to enforce policy?

    dispatch_request ( ) {
        transaction [ principal ] {
            ...
            perform_request ( );
        }
    }

    perform_request ( ) {
        ...
        perform_access (resource);
        ...
        perform_access'(resource');
    }

The checks allowed(principal, resource, access)? and allowed(principal, resource', access')? can be made at three points:
• Eager
• Lazy
• Parallel
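The transaction [ principal ] interface and the eager versus lazy enforcement points above, as an added toy model written for this page (not the talk's code and not DSTM2; every name in it is invented): a single-threaded STM that records a read/write set, asks an authorization manager either as each access is recorded (eager, matching the "additions to read/write set" trigger) or once before commit (lazy, matching the "transaction validation" trigger), and aborts the whole request, discarding its buffered writes, on a denial. Conflict detection between transactions is not modelled.

```python
# Toy model of Transactional Memory Introspection, added for this page. Not the
# talk's code and not DSTM2: all names are invented. Single-threaded, so only
# read/write sets, introspection and abort are modelled (no conflict detection).

class AccessDenied(Exception):
    pass    # raised by the TM runtime when the authorization manager says no

class Transaction:
    def __init__(self, principal, auth_manager, eager=True):
        self.principal, self.auth, self.eager = principal, auth_manager, eager
        self.accesses = set()   # read/write set as (resource, "read"|"write")
        self.pending = {}       # buffered writes, applied only on commit

    def _introspect(self, resource, access):
        self.accesses.add((resource, access))   # every access is recorded
        # Eager enforcement: ask the manager as soon as the set grows.
        if self.eager and not self.auth(self.principal, resource, access):
            raise AccessDenied(f"{self.principal}: {access} {resource}")

    def read(self, store, resource):
        self._introspect(resource, "read")
        return self.pending.get(resource, store[resource])

    def write(self, resource, value):
        self._introspect(resource, "write")
        self.pending[resource] = value

    def commit(self, store):
        # Lazy enforcement: validate the whole read/write set before commit.
        for resource, access in self.accesses:
            if not self.auth(self.principal, resource, access):
                raise AccessDenied(f"{self.principal}: {access} {resource}")
        store.update(self.pending)  # all buffered writes land, or none do

def dispatch_request(store, principal, auth_manager, perform_request, eager=True):
    """transaction [ principal ] { perform_request() }: True if committed,
    False if the runtime aborted it on an authorization failure."""
    tx = Transaction(principal, auth_manager, eager)
    try:
        perform_request(tx, store)  # application code holds no authorization logic
        tx.commit(store)
        return True
    except AccessDenied:
        return False                # abort: buffered writes are discarded

# Constructed sample policy: a remote principal may read but never modify a
# window; the local principal may do both.
def sample_policy(principal, resource, access):
    return principal == "local" or access == "read"

def copy_title(tx, store):
    tx.write("W2", tx.read(store, "W1"))    # app code: copy W1's title onto W2
```

Whether the denial is raised at the write (eager) or at commit (lazy), the store is left untouched, which is the "error-handling for free" point of the earlier slides.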
Performance overheads of TMI
[Chart: overhead in percent (y-axis from -20 to 60) for GradeSheet, Tar, FreeCS and WeirdX under TMI/Eager, TMI/Lazy and TMI/Parallel; chart annotations: one bar is off-scale at 10x, the best case is -15.8%]
Performance overheads of STM
• Software transactional memory imposes a significant overhead

    Server        Native    TMI-ported   Overhead
    GradeSheet    395μs     451μs        14.7%
    Tar service   4.96s     15.40s       2.1x
    FreeCS        321μs     3907μs       11.2x
    WeirdX        0.23ms    6.40ms       26.8x

Hardware-accelerated STM will reduce runtime overheads of TM runtime systems
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection
• Implementation and experiments
• Open questions and future work
Hardware support for TMI
• Problem:
  – STM imposes high runtime overheads
  – Want to make TMI practical for adoption on real-world servers
• Solution: Implementing TMI in hardware transactional memory (HTM) systems
  – HTM-based software is as fast as (or faster than) lock-based software
Interaction of TMI and I/O
• Problem: I/O instructions in transactions violate atomicity and isolation
• Can deal with file and database I/O with transactional libraries
• Network I/O? Display? Other devices?
• Possible solution: Combine TMI and virtual machine introspection
A formal semantics of TMI
• Problem:
  – Pathological interactions of TMI with STM implementation details
• Example: Weak-atomicity, in-place updates
  – With Lazy enforcement, TMI can leak sensitive information
• Solution:
  – Need a formal semantics for TMI
Summary
• Transactional Memory Introspection
  – A new reference monitor architecture
  – Decouples application functionality from security policy enforcement
• Benefits
  – Better guarantees on complete mediation
  – Freedom from TOCTTOU bugs
  – Better handling of authorization failures
Enforcing Security Policies using Transactional Memory Introspection
Reference: Upcoming CCS 2008 paper
Vinod Ganapathy, Rutgers University, [email protected]
http://www.cs.rutgers.edu/~vinodg
Thank you!