a note on the confinement problem

A NOTE ON THE CONFINEMENT PROBLEM Butler Lampson Xerox PARC

Post on 06-Jan-2016

DESCRIPTION

A NOTE ON THE CONFINEMENT PROBLEM. Butler Lampson, Xerox PARC. In brief: the slides discuss how a server program (service) can leak information about its clients to other programs, and how such leaks can be prevented. (PowerPoint presentation.)

TRANSCRIPT

Page 1: A NOTE ON THE CONFINEMENT PROBLEM

A NOTE ON THE CONFINEMENT PROBLEM

Butler Lampson, Xerox PARC

Page 2: A NOTE ON THE CONFINEMENT PROBLEM

IN BRIEF

• The paper discusses
– How a server program (service) can leak information about its clients to other programs
– How we can prevent these leaks

• Its main contribution is to make us realize how many potential covert channels exist

Page 3: A NOTE ON THE CONFINEMENT PROBLEM

THE MODEL

• A customer
– has confidential data
– does not trust the service processing its data
– wants to prevent leaks

[Diagram: Customer, Service, x]

Page 4: A NOTE ON THE CONFINEMENT PROBLEM

SEVEN POSSIBLE LEAKS (I)

• If the service has memory, it can collect data and hold them until its owner calls the service and retrieves them

• The service can write data into a permanent file that can be read by its owner

• The service can create a temporary file that can be read by its owner

• The service can send a message to a process controlled by its owner

Page 5: A NOTE ON THE CONFINEMENT PROBLEM

SEVEN POSSIBLE LEAKS (II)

• The service can encode some data in the bill it sends to the customer
– Its owner must receive a copy of that bill

• The service can play with the interlocks controlling access to shared files: a file that cannot be opened for writing while it is open for reading acts as a shared Boolean that one program sets and the other tests

• The service can modulate its demands on the system's resources (for example its ratio of computing to I/O, or its paging rate), which a concurrently running process can observe

Page 6: A NOTE ON THE CONFINEMENT PROBLEM

COUNTERMEASURES (I)

• The process must be stateless from one invocation to the next
– No static variables and no globals

• The process must be confined

• First sufficient rule: a confined program shall make no calls on any other program

Page 7: A NOTE ON THE CONFINEMENT PROBLEM

COUNTERMEASURES (II)

• The first rule is very restrictive

• Transitivity rule: if a confined program calls on another program that is not trusted, the called program must also be confined

Page 8: A NOTE ON THE CONFINEMENT PROBLEM

COUNTERMEASURES (III)

• We will assume that the untrustworthy service runs on top of a trustworthy supervisor

• The trustworthy supervisor will block all possible channels that can be used to leak information

• These channels include
– storage
– legitimate channels
– covert channels

Page 9: A NOTE ON THE CONFINEMENT PROBLEM

COUNTERMEASURES (IV)

• Leaks through storage are not hard to prevent
– If another process wants to write into a file that is being read by the service, the supervisor creates a new copy of the file and lets the service access that copy

• The problem is how to identify all the kinds of storage accessed by the service
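An added example, not part of the original slides or of Lampson's paper: a Python simulation of leak 5 on slide 5 (the read/write interlock on a shared file used as a shared Boolean) together with the storage countermeasure on slide 9 (giving the service a private copy of the file). The class names, the file name and the one-bit-per-time-slot protocol are assumptions made for illustration.

```python
# Added example (not from the slides or from Lampson's paper): a simulation of
# leak 5 on slide 5 and of the copy-based storage countermeasure on slide 9.
# InterlockedFS, ConfinedCopyFS and leak() are names assumed for illustration.


def to_bits(data):
    """Big-endian bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits):
    """Inverse of to_bits; a trailing partial byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


class InterlockedFS:
    """Toy file system with read/write interlocks: a file that is open for
    reading cannot be opened for writing, and vice versa."""

    def __init__(self):
        self.readers = {}      # path -> number of open read handles
        self.writers = set()   # paths currently open for writing

    def open_read(self, path):
        if path in self.writers:
            return False
        self.readers[path] = self.readers.get(path, 0) + 1
        return True

    def close_read(self, path):
        if self.readers.get(path, 0) > 0:
            self.readers[path] -= 1

    def try_open_write(self, path):
        """Non-blocking open for writing: fails while any reader holds the file."""
        if path in self.writers or self.readers.get(path, 0) > 0:
            return False
        self.writers.add(path)
        return True

    def close_write(self, path):
        self.writers.discard(path)


class ConfinedCopyFS(InterlockedFS):
    """Slide 9 countermeasure: the confined service reads a private copy, so its
    open-for-read never interlocks with the owner's open-for-write on the original."""

    def open_read(self, path):
        return super().open_read("copy-for-service:" + path)

    def close_read(self, path):
        super().close_read("copy-for-service:" + path)


def leak(secret, fs, path="owner-writable.dat"):
    """One bit per time slot. The service, which is only ever allowed to *read*
    the file, holds it open to send a 1 and leaves it closed to send a 0. The
    owner 'tests the Boolean' by attempting a non-blocking open for writing."""
    received = []
    for bit in to_bits(secret):          # secret is constructed sample input
        if bit:
            fs.open_read(path)           # service's half of the slot
        if fs.try_open_write(path):      # owner's half of the slot
            fs.close_write(path)
            received.append(0)           # write succeeded: file was not held
        else:
            received.append(1)           # write refused: the service holds it
        if bit:
            fs.close_read(path)
    return from_bits(received)


if __name__ == "__main__":
    secret = b"client pin 4471"
    print(leak(secret, InterlockedFS()))    # the whole secret crosses the interlock
    print(leak(secret, ConfinedCopyFS()))   # all zero bytes: the channel is gone
```

Note that the service never calls a write primitive, so a policy that only checks which operations the service invokes would pass it; the interlock itself is the storage. That is why slide 9 can call storage leaks "not hard to prevent" only once every kind of storage the service touches, locks included, has been identified and given the private-copy treatment.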

Page 10: A NOTE ON THE CONFINEMENT PROBLEM

COUNTERMEASURES (V)

• Masking principle: a program to be confined must allow its caller to determine all its inputs into legitimate and covert channels. We say that the channels are masked by the caller

• Requires the bill to be computed by the customer, not by the service

Page 11: A NOTE ON THE CONFINEMENT PROBLEM

COUNTERMEASURES (VI)

• Enforcement: the supervisor must ensure that a confined program's input to a covert channel satisfies the specifications of the customer

• This may require slowing the program down and adding spurious requests

• It is much less costly to limit the bandwidth of the covert channels
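An added example, not part of the original slides or of Lampson's paper: a Python simulation of leak 7 on slide 5 (the service modulating its demand on system resources) with the two supervisor responses on slide 11, enforcing the customer's specification by padding with spurious work, and merely limiting the channel's bandwidth. The slot length, the threshold, and every function name are assumptions made for illustration; the secret is a constructed sample input.

```python
# Added example (not from the slides or from Lampson's paper): a simulation of
# leak 7 on slide 5, the service modulating its resource demand, together with
# the two supervisor responses on slide 11: enforcing the caller's specification
# (masking) and merely limiting the channel's bandwidth. SLOT_MS, THRESHOLD_MS
# and all function names are assumptions for illustration.
import random

SLOT_MS = 10                 # one scheduler time slot, in milliseconds (assumed)
THRESHOLD_MS = SLOT_MS / 2   # owner's decision threshold: busy slot or idle slot


def to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def service_demand(secret, slots_per_bit=1):
    """Confined service: burns a full slot of CPU to send 1, idles to send 0,
    repeating each bit over slots_per_bit consecutive slots."""
    return [SLOT_MS if bit else 0
            for bit in to_bits(secret) for _ in range(slots_per_bit)]


def owner_observes(demands, jitter_ms=0, seed=0):
    """The owner's concurrently running process sees only its own delay per
    slot: the service's demand plus scheduling noise it cannot separate out."""
    rng = random.Random(seed)
    return [d + (rng.randint(-jitter_ms, jitter_ms) if jitter_ms else 0)
            for d in demands]


def owner_decodes(observed, slots_per_bit=1):
    """Majority vote over each bit's group of slots."""
    bits = []
    for i in range(0, len(observed), slots_per_bit):
        group = observed[i:i + slots_per_bit]
        busy = sum(1 for o in group if o > THRESHOLD_MS)
        bits.append(1 if 2 * busy > len(group) else 0)
    return from_bits(bits)


# Three supervisors: each maps the demand the service asks for to the demand
# the scheduler actually lets it make.

def passthrough(demands):
    """No confinement of the resource channel."""
    return list(demands)


def masking(demands):
    """Enforcement (slide 11): the customer specified a constant demand, so the
    supervisor pads every idle slot with spurious work. The owner sees a flat line."""
    return [SLOT_MS] * len(demands)


def rate_limited(demands, quantum=4):
    """Bandwidth limiting: the service's demand may change only once per
    `quantum` slots; the supervisor holds each quantum at its first slot's value."""
    shaped = []
    for i in range(0, len(demands), quantum):
        shaped.extend([demands[i]] * quantum)
    return shaped[:len(demands)]


def run_channel(secret, supervisor, slots_per_bit=1, jitter_ms=0):
    """Returns (bytes the owner recovers, channel rate in bits per second)."""
    demands = supervisor(service_demand(secret, slots_per_bit))
    recovered = owner_decodes(owner_observes(demands, jitter_ms), slots_per_bit)
    bits_per_second = 1000 * len(to_bits(secret)) / (len(demands) * SLOT_MS)
    return recovered, bits_per_second


if __name__ == "__main__":
    secret = b"pin 4471"                                        # constructed sample
    print(run_channel(secret, passthrough))                     # leaks at 100 bit/s
    print(run_channel(secret, masking))                         # all 0xff: nothing leaks
    print(run_channel(secret, rate_limited))                    # garbled: sender too fast
    print(run_channel(secret, rate_limited, slots_per_bit=4))   # leaks again, at 25 bit/s
```

The masking supervisor closes the channel at exactly the price the slide names: the service is charged a full slot even when it has nothing to do. The rate-limited supervisor is cheaper but only shrinks the channel; a sender that knows the quantum repeats each bit across it (the `slots_per_bit=4` run) and still gets the secret out at a quarter of the rate. Scheduling jitter (`jitter_ms`) degrades the channel the same way, and the majority vote in `owner_decodes` shows how a sender buys reliability back by spending more slots per bit.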

Page 12: A NOTE ON THE CONFINEMENT PROBLEM

CONCLUSIONS

• The confinement problem can be solved as long as we can trust the supervisor of the system

• Total confinement can be costly

• It is much cheaper to limit the bandwidth of possible leaks