Enforcing Security Policies using Transactional Memory Introspection
Vinod Ganapathy, Rutgers University
Arnar Birgisson, Mohan Dhawan, Ulfar Erlingsson, Liviu Iftode
Take-home slide
Vinod Ganapathy Transactional Memory Introspection
We can utilize the mechanisms of Software Transactional Memory to greatly improve security policy enforcement.
X server with multiple X clients
[Figure: one X server serving several X clients, some LOCAL and some REMOTE.]
Malicious remote X client
[Figure: the same X server, with one of the REMOTE X clients being malicious.]
Undesirable information flow
[Figure: an information flow between the REMOTE and LOCAL clients through the X server that the policy should forbid.]
Desirable information flow
[Figure: an information flow between the LOCAL and REMOTE clients through the X server that the policy should permit.]
X server with authorization
[Figure: an X client sends an operation request to the X server and receives a response; a reference monitor inside the server consults the authorization policy and answers "Allowed? YES/NO" for each request.]
Security enforcement crosscuts application functionality.
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection
• Implementation and experiments
Existing enforcement interface

```
dispatch_request() {
    ...
    perform_request();
}

perform_request() {
    ...
    perform_access(resource);
    ...
    perform_access'(resource');
}
```
Existing enforcement interface (with authorization checks)

```
dispatch_request() {
    ...
    perform_request();
}

perform_request() {
    ...
    if (allowed(principal, resource, access)) {
        perform_access(resource);
    } else {
        handle_auth_failure1();
    }
    ...
    if (allowed(principal, resource', access')) {
        perform_access'(resource');
    } else {
        handle_auth_failure2();
    }
}
```
Three problems
• Violation of complete mediation
• Time-of-check to time-of-use bugs
• Handling authorization failures
I. Incomplete mediation
In the enforcement interface above, every perform_access call needs its own allowed() guard: each resource access must be guarded to ensure complete mediation.
I. Incomplete mediation

```c
ssize_t vfs_read(struct file *file, ...) {
    ...
    if (check_permission(file, MAY_READ)) {   /* guarded read path */
        file->f_op->read(file, ...);
    }
    ...
}

int page_cache_read(struct file *file, ...) {
    struct address_space *mapping =
        file->f_dentry->d_inode->i_mapping;
    ...
    mapping->a_ops->readpage(file, ...);      /* second read path, no permission check */
}
```
[Zhang et al., USENIX Security '02]
II. TOCTTOU bugs
In the enforcement interface above, the allowed() check and the perform_access call that follows it are separate steps, so the state that was checked can change before the resource is used.
Similar race condition found in the Linux Security Modules framework [Zhang et al., USENIX Security '02]
Several similar bugs recently found in popular enforcement tools [Watson, WOOT '07]:
• GSWTK
• Systrace [Provos, USENIX Security '03]
• OpenBSD Sysjail [Johnson and Deksters '07]
Authorization check and resource access must be atomic.
III. Failure handling
In the enforcement interface above, each failed check has its own handle_auth_failure handler: handling authorization failures is ad hoc and error prone.
• Exception-handling code accounts for a large fraction of server software
  – Over two-thirds of server software [IBM '87]
  – Nearly 46% on several Java benchmarks [Weimer & Necula, OOPSLA '04]
• Exception-handling code itself is error-prone [Fetzer and Felber '04]
• SecurityException most often handled erroneously [Weimer & Necula, OOPSLA '04]
Summary of problems
• Violation of complete mediation
  – Need to identify all the resources accessed
  – Example: bug in Linux Security Modules [Zhang et al., USENIX Security '02]
• Time-of-check to time-of-use bugs
  – Examples: [Zhang et al., USENIX Security '02], [Watson, WOOT '07]
• Handling authorization failures
  – Large fraction of server code relates to error handling [IBM survey '87; Weimer and Necula '04]
  – Error-handling code is error-prone! [Fetzer & Felber '04]
Security enforcement crosscuts application functionality.
Our solution: TMI decouples security enforcement from application functionality.
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection (TMI)
  – Programmer's interface
  – Mechanics of TMI
• Implementation and experiments
Transactional memory primer
• Alternative to lock-based programming
• Reason about atomic sections, not locks
• TM provides atomicity and isolation

Lock-based version:
```
acquire(S1.lock)
acquire(S2.lock)
value = S1.pop()
S2.push(value)
release(S2.lock)
release(S1.lock)
```
Transactional version:
```
transaction {
    value = S1.pop()
    S2.push(value)
}
```
Programmer's interface to TMI

```
dispatch_request() {
    transaction [principal] {
        ...
        perform_request();
    }
}

perform_request() {
    ...
    perform_access(resource);
    ...
    perform_access'(resource');
}
```
Programmer's interface to TMI (continued)
Each resource access made inside the transaction is reported to the authorization manager, which answers allowed(principal, resource, access)? and allowed(principal, resource', access')?

Authorization manager:
```
case (resource = R, access_type = A):
    if (!allowed(principal, R, A)) then abort_tx
```
I. Complete mediation for free
TMI automatically invokes authorization checks for every resource access made inside the transaction.
II. TOCTTOU-freedom for free
Conflicting resource accesses automatically abort the transaction.
III. Error-handling for free
Unauthorized resource accesses automatically abort the transaction.
Decouples functionality and security
[Figure: the application's dispatch_request/perform_request code on one side and the authorization manager on the other, connected only through the transaction.]
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection (TMI)
  – Programmer's interface
  – Mechanics of TMI
• Implementation and experiments
TM runtime system
• The TM runtime maintains per-transaction read/write sets and detects conflicts

Green transaction:
```
transaction {
    value = S1.pop()
    S2.push(value)
}
```
Red transaction:
```
val1 = S1.pop()
val2 = S1.pop()
S2.push(val2)
S2.push(val1)
```

| Transaction | Read set             | Write set            |
|-------------|----------------------|----------------------|
| Green       | S1.stkptr            | S1.stkptr            |
| Red         | S1.stkptr, S2.stkptr | S1.stkptr, S2.stkptr |
TM runtime system
[Figure: transaction body → execution → read and write sets → validation → commit logic → commit; on a conflict the contention manager triggers a retry.]
Transactional Memory Introspection
[Figure: the same pipeline with authorization added: the read and write sets feed authorization checks to the authorization manager; success lets the transaction proceed to commit, failure aborts it.]
Transactional Memory Introspection
In the transaction [principal] block around perform_request(), the resources touched by perform_access(resource) and perform_access'(resource') are present in the transaction's read/write set, and those accesses are checked before the transaction commits.
Outline
• Enforcing authorization policies
• Problems with existing techniques
• Transactional Memory Introspection
• Implementation and experiments
TMI Implementation: TMI/DSTM2
• Implemented using Sun's DSTM2
• Object-based software TM system
• TM system modified to
  – Trigger authorization checks on additions to the read/write set and upon transaction validation
  – Raise AccessDeniedException upon abort
  – Integrate transactional I/O libraries
• Fewer than 500 lines changed in DSTM2
Porting software to TMI/DSTM2
1. Mark transactional objects with @atomic
   – Also requires @atomic wrappers for libraries: java.util.HashMap, java.util.Vector
2. Replace reads and writes to fields of @atomic objects with DSTM2 accessors
3. Place transaction{…} blocks around client requests
4. Write an authorization manager
GradeSheet in TMI/DSTM2
[Figure: source listing of the GradeSheet server after porting to TMI/DSTM2.]
Evaluation
• Ported four Java-based servers
• GradeSheet: a grade-management server
• FreeCS: a chat server
• WeirdX: an X window management server
  – Enforced a simple XACML-based policy
• Tar: a tar archive service
  – Enforced a Java stack inspection policy
Modifications needed

| Server      | LOC    | Lines modified | Transactions |
|-------------|--------|----------------|--------------|
| GradeSheet  | 900    | 300            | 1            |
| Tar service | 5,000  | < 50           | 1            |
| FreeCS      | 22,000 | 860            | 47           |
| WeirdX      | 27,000 | 4,800          | 108          |

Authorization managers were approximately 200 lines of code in each case.
When to enforce policy?
[Figure: the dispatch_request/perform_request code under transaction [principal], with the queries allowed(principal, resource, access)? and allowed(principal, resource', access')? placed at different points of the transaction's lifetime.]
• Eager: each check is issued when the access is added to the read/write set
• Lazy: the checks are issued together at transaction validation, before commit
• Parallel: the checks run concurrently with the transaction body, and the transaction cannot commit until they complete
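An added example, not code from the deck or from DSTM2: a small Python transactional-memory runtime that follows the porting steps above (transactional objects reached only through accessors, a transaction block around each request, a separate authorization manager) and implements both the eager and the lazy enforcement points, with conflict detection on the read set so that a check can never be separated from the access it authorizes. The GradeSheet-like policy, the principals and the grade records are constructed for illustration.

```python
# Added example (not the deck's or DSTM2's code): a toy STM runtime with
# Transactional Memory Introspection. Accessors record each object touched in
# the transaction's read/write set; the authorization manager is consulted
# eagerly (when an object enters a set) or lazily (per object, at validation).

class AccessDenied(Exception): pass   # authorization manager said no; no retry
class Conflict(Exception): pass       # an object we read was changed meanwhile
class AtomicObject:
    """A transactional object (the deck's @atomic): fields only via accessors."""
    def __init__(self, name, **fields):
        self.name, self.fields, self.version = name, dict(fields), 0

class Transaction:
    def __init__(self, principal, auth_mgr, mode):
        self.principal, self.auth, self.mode = principal, auth_mgr, mode
        self.read_set, self.write_set = {}, {}  # obj->version seen; obj->{field: value}
    def _introspect(self, obj, access):
        # Eager TMI: check the moment the access enters the read/write set.
        if self.mode == "eager" and not self.auth(self.principal, obj, access):
            raise AccessDenied(f"{self.principal}: {access} {obj.name}")
    def read(self, obj, field):
        if obj in self.write_set and field in self.write_set[obj]:
            return self.write_set[obj][field]   # read our own buffered write
        if obj not in self.read_set:
            self.read_set[obj] = obj.version
            self._introspect(obj, "read")
        return obj.fields[field]
    def write(self, obj, field, value):
        if obj not in self.write_set:
            self.write_set[obj] = {}
            self._introspect(obj, "write")
        self.write_set[obj][field] = value
    def validate(self):
        # Lazy TMI: the complete read/write set is checked here, before commit.
        if self.mode == "lazy":
            for access, objs in (("read", self.read_set), ("write", self.write_set)):
                for obj in objs:
                    if not self.auth(self.principal, obj, access):
                        raise AccessDenied(f"{self.principal}: {access} {obj.name}")
        # Isolation: abort if anything we read was committed to since we read it.
        for obj, seen in self.read_set.items():
            if obj.version != seen:
                raise Conflict(obj.name)
    def commit(self):
        for obj, updates in self.write_set.items():
            obj.fields.update(updates)
            obj.version += 1

def run_transaction(principal, auth_mgr, body, mode="eager", max_retries=5):
    # transaction [principal] { body(tx) }: validate, then commit or retry.
    for _ in range(max_retries):
        tx = Transaction(principal, auth_mgr, mode)
        try:
            result = body(tx)
            tx.validate()
        except Conflict:
            continue              # drop buffered writes, re-execute the body
        tx.commit()
        return result
    raise RuntimeError("gave up after repeated conflicts")

def grade_policy(principal, obj, access):
    """Constructed GradeSheet-like policy: instructors do anything; a student may only read grade:<self>."""
    return principal == "instructor" or (access == "read" and obj.name == f"grade:{principal}")
```

A denied write never reaches the object's fields in either mode; the difference is that eager mode stops the request body at the offending access, while lazy mode lets the body finish and rejects it at validation.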
Performance overheads of TMI
[Chart: overhead of TMI/Eager, TMI/Lazy and TMI/Parallel for GradeSheet, Tar, FreeCS and WeirdX; the y-axis runs from -20 to 60, and two bars are annotated 10x and -15.8%.]
Performance overheads of STM
• Software transactional memory imposes a significant overhead

| Server      | Native | TMI-ported | Overhead |
|-------------|--------|------------|----------|
| GradeSheet  | 395μs  | 451μs      | 14.7%    |
| Tar service | 4.96s  | 15.40s     | 2.1x     |
| FreeCS      | 321μs  | 3907μs     | 11.2x    |
| WeirdX      | 0.23ms | 6.40ms     | 26.8x    |

Hardware TMs reduce the runtime overheads of TM runtime systems.
Take-home message
We can utilize the mechanisms of Software Transactional Memory to greatly improve security policy enforcement.
Vinod Ganapathy, Rutgers University
http://www.cs.rutgers.edu/~vinodg
Thank you!
Reference: Enforcing Authorization Policies using Transactional Memory Introspection, Proc. ACM CCS, October 2008