Enforcing Authorization Policies using Transactional Memory
Transcription
Enforcing Authorization Policies using Transactional Memory Introspection
Arnar Birgisson, Úlfar Erlingsson (Reykjavik University); Mohan Dhawan, Vinod Ganapathy, Liviu Iftode (Rutgers University)

Overview
• Three main difficulties in policy enforcement
• Transactional Memory Introspection as a solution
• Variants of TMI
• Implementation and evaluation
• Future work

Difficulty 1: Time of check vs. time of use

    if (allowed(principal, resource, operation)) {
        // Other thread may run here!
        perform operation on resource
    }

Interleaving code may invalidate the check.

Solution 1: Use locks

    lock(resource);
    if (allowed(principal, resource, operation)) {
        perform operation on resource
    }
    release(resource);

... but locks are difficult to manage and prone to errors.

Solution 2: Software Transactional Memory

    atomically {
        if (allowed(principal, resource, operation)) {
            perform operation on resource
        }
    }

• Uses parallel, speculative execution
• Monitors all access to memory
• Can roll back and retry on conflict
STM guarantees atomicity, consistency and isolation of atomic blocks.

Nothing new here... but we can do more.

TMI: Transactional Memory Introspection

Where TMI fits in with STM
[Flow diagram] TX body → Log → Contention Mgr. On Conflict: Rollback & Retry. On OK, plain STM goes straight to Commit; with TMI, the OK path first passes through Authorization against the Policy: Allow → Commit, Denied → Abort & Stop.

Difficulty 2: Error handling

    if (allowed(principal, resource1, op1)) {
        perform op1 on resource1
    } else {
        clean up and report error
    }
    if (allowed(principal, resource2, op2)) {
        perform op2 on resource2
    } else {
        clean up after op1;
        clean up after op2 and report error
    }

This quickly becomes hard to manage.
• Error handling accounts for a large fraction of server software, over two-thirds [IBM '87]
• Exception handling code itself is prone to errors [Fetzer and Felber '04]
• SecurityException is the one most often handled incorrectly [Weimer & Necula, OOPSLA '04]

Difficulty 3: Complete mediation
(same code as above)
Easy to forget or miss checks in complex code.
• A real problem in current practice
• Decentralized, ad-hoc, hard-coded access checks lead to errors when code changes.
• Also a problem in Linux: bugs of this kind were found in the Linux kernel; page_cache_read did not check for file permissions [Zhang et al., USENIX Security '02] [Jaeger et al. '04]

TMI takes care of "security boilerplate"

Step 1: Implicit abort

    atomically {
        if (allowed(principal, resource1, op1)) {
            perform op1 on resource1;
        }
        if (allowed(principal, resource2, op2)) {
            perform op2 on resource2;
        }
    } on abort {
        report error;   // no cleanup necessary
    }

Step 2: Implicit access checks

    atomically [principal] {
        perform op1 on resource1;
        perform op2 on resource2;
    } on abort {
        report error;   // no cleanup necessary
    }

TMI invokes the reference monitor
- on every security-relevant memory access
- before every transaction commit

The reference monitor can delay policy evaluation
- logs a copy of relevant metadata
- security policy evaluation is based on this log
- evaluation can be delayed until commit

Pseudo-code for policy evaluation

    before commit of each transaction T {
        for (resource, op) in T.log {
            if (not allowed(T.principal, resource, op))
                abort T;
        }
    }
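The following is an added, runnable toy model of the lazy and eager variants of that pseudo-code. It is written for this page and is not the DSTM2-based implementation from the talk; the names Store, Transaction, atomically, the ("acl", principal, resource) key layout and the sample data are all assumptions for the example. A transaction logs each access to a shared cell under its principal, the reference monitor evaluates the policy per access (eager) or over the whole log before commit (lazy), a denial aborts the transaction, and because writes are buffered until commit an abort needs no hand-written cleanup. The ACL entries the monitor consults are recorded in the transaction's read set, so a concurrent permission change is detected as a conflict and the transaction is retried against the new policy instead of committing on a stale check.

```python
# Constructed illustration of TMI for this page; not the DSTM2-based code from the talk.
# Shared cells are key -> [value, version]. A transaction logs (resource, op) for every
# access; the reference monitor checks the ACL eagerly (per access) or lazily (at commit).
# Writes stay buffered until commit, so an abort needs no cleanup code.

class Denied(Exception): pass    # reference monitor said no: abort and stop
class Conflict(Exception): pass  # a cell we read was committed by another thread

class Store:
    """Shared memory: key -> [value, version]; the version bumps on every commit."""
    def __init__(self):
        self.cells = {}
    def put(self, key, value):  # a committed write (also used to simulate other threads)
        cell = self.cells.setdefault(key, [None, 0])
        cell[0] = value
        cell[1] += 1

class Transaction:
    def __init__(self, store, principal, mode):
        assert mode in ("lazy", "eager")
        self.store, self.principal, self.mode = store, principal, mode
        # read set (key -> first version seen), write set (buffered), security log
        self.reads, self.writes, self.log = {}, {}, []
    def _observe(self, key):
        cell = self.store.cells[key]
        self.reads.setdefault(key, cell[1])
        return cell[0]
    def _allowed(self, resource, op):
        """Reference monitor: ACL lookup; the ACL cell joins the read set."""
        key = ("acl", self.principal, resource)
        return key in self.store.cells and op in self._observe(key)
    def _access(self, resource, op):
        self.log.append((resource, op))
        if self.mode == "eager" and not self._allowed(resource, op):
            raise Denied((self.principal, resource, op))
        return self._observe(resource)
    def read(self, resource):
        committed = self._access(resource, "read")
        return self.writes.get(resource, committed)
    def write(self, resource, value):
        self._access(resource, "write")
        self.writes[resource] = value
    def commit(self):
        # The slide's pseudo-code: walk T.log before commit and abort on any denial.
        for resource, op in self.log:
            if not self._allowed(resource, op):
                raise Denied((self.principal, resource, op))
        for key, version in self.reads.items():  # STM validation of the read set
            if self.store.cells[key][1] != version:
                raise Conflict(key)
        for resource, value in self.writes.items():
            self.store.put(resource, value)

def atomically(store, principal, body, mode="lazy", max_retries=3):
    """Run body(tx) transactionally: retry on conflict, abort and stop on denial."""
    for _ in range(max_retries):
        tx = Transaction(store, principal, mode)
        try:
            result = body(tx)
            tx.commit()
            return ("committed", result)
        except Conflict:
            continue  # rollback is implicit: nothing reached the store
        except Denied as d:
            return ("denied", d.args[0])
    return ("gave up", None)

def demo_store():
    """Constructed sample data: alice may read and write resource1, only read resource2."""
    s = Store()
    s.put("resource1", 10)
    s.put("resource2", 20)
    s.put(("acl", "alice", "resource1"), {"read", "write"})
    s.put(("acl", "alice", "resource2"), {"read"})
    return s

def transfer(tx):
    """Step 2 from the slides: two operations, no hand-written checks or cleanup."""
    tx.write("resource1", tx.read("resource1") - 1)
    tx.write("resource2", tx.read("resource2") + 1)  # op2 is denied for alice
    return "done"

def toctou_demo(store):
    """Permission revoked after alice's eager check passed but before commit."""
    def body(tx):
        tx.write("resource1", tx.read("resource1") - 1)
        store.put(("acl", "alice", "resource1"), {"read"})  # simulated other thread
        return "done"
    return atomically(store, "alice", body, mode="eager")

def lost_update_demo(store):
    """Another thread commits to resource1 once between our read and our commit."""
    interleaved = []
    def body(tx):
        v = tx.read("resource1")
        if not interleaved:
            interleaved.append(True)
            store.put("resource1", 100)  # simulated other thread
        tx.write("resource1", v + 1)
        return v + 1
    return atomically(store, "alice", body)
```

Running `atomically(demo_store(), "alice", transfer)` in either mode returns a denial for the write to resource2 and leaves resource1 untouched, which is the "no cleanup necessary" property of Step 1 and Step 2. `toctou_demo` shows the commit-time check catching a revocation that happened after the eager per-access check, and `lost_update_demo` shows the contention path: a conflicting commit forces a rollback and retry, and the retried body reads the fresh value. The overlapped variant (a separate authorization thread) is not modelled here.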
• The TMI security manager evaluates the policy
• The policy is supplied by the programmer, decoupled from application logic
• The reference monitor is invoked on all accesses: complete mediation for free

Variants of TMI reference monitors
• Lazy: log the metadata of each access during the TX body; validate the whole log before commit. Denied → Abort & Stop; OK → Commit.
• Eager: validate each access as it is logged, during the TX body. Denied → Abort & Stop; OK → Commit.
• Overlapped: send the metadata to a separate Authorization Thread during the TX body; that thread sends back the decision. Denied → Abort & Stop; OK → Commit.
In every variant a conflict detected by the Contention Mgr. still causes Rollback & Retry.

Implementation
• Builds on the DSTM2 library for Java
• Programmer specifies security metadata
• Reference monitor invoked with metadata
• Lazy, eager, overlapped or custom
• Adds less than 500 LOC to DSTM2

Evaluation
• Ported four servers to use STM and TMI: GradeSheet, Tar, FreeCS, WeirdX
[Bar chart: one group of bars per server (GradeSheet, Tar, FreeCS, WeirdX) for STM only, Lazy TMI, Eager TMI and Overlapped TMI; y-axis from 0 to 200; chart annotations: 10.8 (unit unreadable), 0.3%, 4.3%, 11%, -15.8%]

Transactional Memory Introspection in summary
• A new reference monitor architecture
• Freedom from TOCTTOU bugs
• Decouples application logic from policy enforcement
• Easier handling of authorization failures
• Easier to ensure complete mediation

Thank you for your attention!