Explicit Information Flow in the HiStar OS在操作系明确的信息流3..ppt

Explicit Information Flowin the HiStar OS Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazieres Too much trusted software Untrustworthy code a huge problem Users willingly run malicious software Malware, spyware, ... Even legitimate software is often vulnerable Symantec remote vulnerability No sign that this problem is going away Can an OS make untrustworthy code secure? Example: Virus Scanner Goal: private files cannot go onto the network Information Flow Control Goal: private files cannot go onto the network Buggy scanner leaks private data Must restrict sockets to protect private data Buggy scanner leaks private data Must restrict scanner’s ability to use IPC Buggy scanner leaks private data Must run scanner in chroot jail Buggy scanner leaks private data Must run scanner with different UID Buggy scanner leaks private data Must restrict access to /proc, ... Buggy scanner leaks private data Must restrict FSes that virus scanner can write Buggy scanner leaks private data List goes on – is there any hope? Whats going on? Kernel not designed to enforce these policies Retrofitting difficult Need to track potentially any memory observed or modified by a system call! Hard to even enumerate HiStar Solution Make all state explicit, track all communication HiStar: Contributions Narrow kernel interface, few comm. channels Minimal mechanism: enough for a Unix library Strong control over information flow Unix support implemented as user-level library Unix communication channels are made explicit, in terms of HiStars mechanisms Provides control over the gamut of Unix channels HiStar kernel objects HiStar kernel objects HiStar: Unix process Unix File Descriptors Unix File Descriptors Tainted process only talks to other tainted procs Unix File Descriptors Lots of shared state in kernel, easy to miss HiStar File Descriptors HiStar File Descriptors All shared state is now explicitly labeled Just need segment read/write checks Taint Tracking Stra