HiStar

Making Information Flow Explicit in HiStar, CACM 2011 (OSDI 2006)

Question

Using the can-flow-to relation ⊑ and owernship (Section 2.1), briefly explain whether the label assignment in the HiStar web server (Figure 6) permits information flows:

from “user files” (L = {u_r, u_w}) to “httpd” (L = ∅, O = {u_r, u_w, ssl_r}), and
from “user files” (L = {u_r, u_w}) to “netd” (L = ∅, O = {n_r, n_w}).

Question

When a thread accesses a segment, briefly describe what label checks HiStar needs to apply and how. What if a device (e.g., NIC) wants to write to a segment through DMA?

Question

One challenge in designing information flow control systems is to avoid over-tainting. For example, in order for a web server to read files from Alice, its label may contain Alice’s secrecy tag alice_r. Similarly, its label may contain Bob’s secrecy tag bob_r to serve Bob’s files. Soon the web server may be tainted with secrecy tags from every user, which means that it will not be able to communicate with any user (or the outside world). How can a web server on HiStar avoid this problem?

Question

Provide a list of questions you would like to discuss in class. Feel free to provide any comments on the paper and related topics (e.g., which parts you like and which parts you find confusing).

For example, Section 2.4 mentions that to “address a possible covert channel through object reference counting,” most HiStar system calls names an object using a (container ID, object ID) pair. Do you think that’s necessary (or sufficient)? You don’t have to answer these questions. In general, think how HiStar should design system calls to avoid covert channels.

DAC
- discretionary: users can call chmod (e.g., unix)
- object ACLs: unix file permissions
- processes privileges: uid
- check a process’s privilege when it accesses an object
- user can do whatever to their files - what if they were compromised?
MAC
- centrally controlled security policies
- examples of implementations
  - Multics
  - Linux: AppArmor, SELinux
  - macOS: Seatbelt (from TrustedBSD MAC) - see profiles under /usr/share/sandbox/
  - Windows: Mandatory Integrity Control
- secrecy
  - suppose you want to invoke an untruste spellchecker for your files
  - goal: ensure the spellchecker cannot leak the data to network
- Bell-LaPadula model
  - every subject and object is assigned a a label L = (clearance level, category set)
    - clearance level: unclassified, secret, top-secret
    - category set: crypto, ml, hardware
  - L1 = (c1, s1) dominates L2 = (c2, s2) iff c1 ≥ c2 and s1 ⊇ s2
    - transitive
    - lattice
  - access control matrix: subject x object -> { read, append, read+write }
    - (S, O) can read => L(S) must dominate L(O)
    - (S, O) can append => L(O) must dominate L(S)
    - (S, O) can read+write => L(O) = L(S)
  - policy: information flows up in the lattice
    - “no-read-up”, “no-write-down”
    - how to apply this to the spellchecker example
- integrity
  - example: Biba model
  - suppose you want to update the dictionary used by the spellchecker
challenges
- downgrading (declassification/endorsement)
  - how to get the output of a system if information flows in one direction
  - a centralized declassifier?
- usability
  - over-tainting: e.g., a web server with multiple servers
  - label assignment
  - bootstrapping
- covert channels
  - storage channels
  - timing channels
  - examples: shared PID pool, ps, floating labels
DIFC
- anyone can create tags/categories SOSP’99
- PL: Jif, JFlow, Ur/Web
- OS: Asbestos, HiStar, Flume, NiStar
- noninterference: NiStar
gates
- multics, x86 call gates
- suppose Alice wants to allow some controlled computation on her data, but not releasing it to the public
- how about a web server with multiple users