Labels and event processes in the Asbestos operating system

Published: 01 December 2007

Abstract

Asbestos, a new operating system, provides novel labeling and isolation mechanisms that help contain the effects of exploitable software flaws. Applications can express a wide range of policies with Asbestos's kernel-enforced labels, including controls on interprocess communication and system-wide information flow. A new event process abstraction defines lightweight, isolated contexts within a single process, allowing one process to act on behalf of multiple users while preventing it from leaking any single user's data to others. A Web server demonstration application uses these primitives to isolate private user data. Since the untrusted workers that respond to client requests are constrained by labels, exploited workers cannot directly expose user data except as allowed by application policy. The server application requires 1.4 memory pages per user for up to 145,000 users and achieves connection rates similar to Apache, demonstrating that additional security can come at an acceptable cost.

