HiStar

Making Information Flow Explicit in HiStar, CACM 2011 (OSDI 2006)

Question

Using the can-flow-to relation ⊑ and ownership (Section 2.1), briefly explain whether the label assignment in the HiStar web server (Figure 6) permits information flows:

  • from “user files” (L = {ur, uw}) to “httpd” (L = ∅, O = {ur, uw, sslr}), and
  • from “user files” (L = {ur, uw}) to “netd” (L = ∅, O = {nr, nw}).

Question

When a thread accesses a segment, briefly describe what label checks HiStar needs to apply and how. What if a device (e.g., NIC) wants to write to a segment through DMA?

Question

One challenge in designing information flow control systems is to avoid over-tainting. For example, in order for a web server to read files from Alice, its label may contain Alice’s secrecy tag alicer. Similarly, its label may contain Bob’s secrecy tag bobr to serve Bob’s files. Soon the web server may be tainted with secrecy tags from every user, which means that it will not be able to communicate with any user (or the outside world). How can a web server on HiStar avoid this problem?
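A small simulator of the over-tainting described above, added here as an example (not code from the paper or from HiStar). It assumes a simplified reading of Section 2.1: a secrecy label is a set of tags, L1 ⊑ L2 iff L1 ⊆ L2, and a thread that owns a tag may discount it when checking a flow; the tags alicer and bobr are the question's, the thread names are constructed.

```python
"""Simplified HiStar-style secrecy labels: a label is a set of secrecy tags;
data labelled L1 may flow to an entity labelled L2 iff L1 is a subset of L2,
after discounting tags the receiving thread owns (assumed model, see lead-in)."""

from dataclasses import dataclass


def can_flow(src: frozenset, dst: frozenset, owned: frozenset = frozenset()) -> bool:
    """True iff src ⊑ dst once the tags in `owned` are discounted."""
    return (src - owned) <= dst


@dataclass
class Thread:
    name: str
    label: frozenset = frozenset()   # secrecy taint accumulated so far
    owned: frozenset = frozenset()   # tags this thread owns (may declassify)

    def read(self, obj_label: frozenset) -> None:
        """Read an object by raising our own label so the flow is permitted.
        Every tag we do not own sticks to us from now on (the over-tainting path)."""
        self.label = self.label | (obj_label - self.owned)

    def can_write(self, obj_label: frozenset) -> bool:
        """May this thread send information to an entity labelled obj_label?"""
        return can_flow(self.label, obj_label, self.owned)


def over_tainting_demo() -> dict:
    """One shared web server reads Alice's files, then Bob's (constructed tags)."""
    alice, bob = frozenset({"alicer"}), frozenset({"bobr"})
    network = frozenset()            # the outside world carries no secrecy tags
    server = Thread("httpd")
    server.read(alice)
    server.read(bob)
    return {
        "label": set(server.label),                  # {'alicer', 'bobr'}
        "to_network": server.can_write(network),     # False: tainted by both users
        "to_alice": server.can_write(alice),         # False: still carries bobr
        "to_bob": server.can_write(bob),             # False: still carries alicer
    }


def ownership_demo() -> dict:
    """Same reads by a thread that owns alicer: it is not tainted by Alice's tag."""
    alice, bob = frozenset({"alicer"}), frozenset({"bobr"})
    worker = Thread("alice-worker", owned=frozenset({"alicer"}))
    worker.read(alice)
    after_alice = worker.can_write(frozenset())      # True: alicer is discounted
    worker.read(bob)
    after_bob = worker.can_write(frozenset())        # False: bobr is not owned
    return {"after_alice": after_alice, "after_bob": after_bob}
```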

Question

Provide a list of questions you would like to discuss in class. Feel free to provide any comments on the paper and related topics (e.g., which parts you like and which parts you find confusing).

For example, Section 2.4 mentions that to “address a possible covert channel through object reference counting,” most HiStar system calls name an object using a (container ID, object ID) pair. Do you think that’s necessary (or sufficient)? You don’t have to answer these questions. In general, think about how HiStar should design system calls to avoid covert channels.