Source:
PhD Thesis, Electrical Engineering Department, Princeton University, Princeton, NJ, p.130 (2012)
Abstract:
In today’s computing environment, we use various applications on our various computing
devices to process our data. However, we can only implicitly trust that the
applications do not do anything harmful or violate our desired confidentiality policy
for the data, especially when those applications are run on today’s feature-rich and
monolithic commodity operating systems. In this thesis, we present two approaches
– with and without modifying the applications – that aim to provide data confidentiality
protection after the data is given to an authorized recipient – a problem which
we refer to as illegal secondary dissemination. We also aim for the protection of the
data throughout its lifetime.
The first approach follows the school of thought of providing a secure execution
compartment for the security-critical part of an application. We propose to use the
hardware to directly protect a trusted component of an application, which in turn
controls access to the protected data, on top of an untrusted operating system. We
devise a methodology for trust-partitioning an existing application into the trusted
component, leaving the rest of the application untrusted. The trusted component
can be used to implement the desired confidentiality policy for our sensitive data and
guarantee that the policy is enforced for the lifetime of the data. We demonstrate this
first approach by showing how the difficult-to-achieve originator-controlled (ORCON)
access control policy can be enforced with the real-world vi editor.
Our first approach essentially ties the protected data with the trusted part of the
application that is protected by the hardware. However, this results in the inconvenience
of having to use only a particular application to access the protected data, limiting
the portability and availability of the data. Therefore, my second approach removes
the applications from the trust chain and provides an application-independent
secure data compartment that tracks and protects the data in the hardware, no matter
which untrusted application or authorized recipient is given access to the data. We
use the flexibility of software to interpret and translate high-level policies to low-level
semantics that the hardware understands, and we use the hardware to persistently
track the usage of the sensitive data and to control the output of the sensitive data
from the machine. We have prototyped the architecture on the OpenSPARC processor
platform and show how unmodified third-party applications can be run while
various data-specific high-level policies can be enforced on the sensitive data.
My second approach leverages a technique called Dynamic Information Flow
Tracking (DIFT), which has been shown to be a powerful technique for computer
security, covering both integrity and confidentiality applications. However, the false positives
and false negatives of DIFT techniques have hindered their practical adoption
and usability. We take a deeper look at the practicality and usability issues of
DIFT and explore various techniques to address the false positives and false negatives,
arising from the undecidability of conditional branches, which is a type of implicit
information flow that is particularly hard to solve dynamically. We propose various
micro-architectural and hybrid software-hardware solutions using only the application
binaries and show how the combination of these solutions helps build a practical and
usable DIFT system.
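As an added illustration (not the thesis's OpenSPARC prototype or any code from it), a toy DIFT interpreter over a constructed two-statement language shows the failure modes the last paragraph names: explicit-flow tracking alone misses a copy of `secret` made through a branch (false negative), the conservative rule of tainting everything assigned under a tainted branch also taints a constant that is identical on both paths (false positive), and neither rule can see an assignment on the path that was not executed. Register names, the `Tainted` type and the sample programs are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Tainted:
    value: int
    taint: bool = False   # True means "derived from sensitive data"

def run(stmts, env, track_implicit):
    """Execute stmts with taint propagation and return {register: taint}.
    stmts: ('set', dst, src) with src a register name or int literal, or
           ('if', cond_reg, then_block, else_block).
    Explicit flows always propagate (dst inherits src's taint).
    With track_implicit=True, every assignment executed while the branch
    condition is tainted is tainted too (control-dependence rule)."""
    env = dict(env)
    def read(x):
        return env[x] if isinstance(x, str) else Tainted(x)
    def block(body, pc_tainted):
        for s in body:
            if s[0] == 'set':
                v = read(s[2])
                env[s[1]] = Tainted(v.value, v.taint or (track_implicit and pc_tainted))
            else:
                c = read(s[1])
                block(s[2] if c.value else s[3], pc_tainted or c.taint)
    block(stmts, False)
    return {r: t.taint for r, t in env.items()}

# Constructed program: 'out' ends up equal to 'secret' without any explicit
# copy; 'tmp' is set to the same constant on both paths and carries nothing.
COPY_VIA_BRANCH = [
    ('set', 'out', 0),
    ('if', 'secret', [('set', 'out', 1), ('set', 'tmp', 7)],
                     [('set', 'out', 0), ('set', 'tmp', 7)]),
]
# Constructed program with no else branch: when secret == 0 the taken path
# assigns nothing, yet 'out' still equals 'secret' afterwards.
COPY_NO_ELSE = [('set', 'out', 0), ('if', 'secret', [('set', 'out', 1)], [])]

def explicit_only(secret_bit, program=COPY_VIA_BRANCH):
    """Plain explicit-flow DIFT: 'out' mirrors secret but stays untainted."""
    return run(program, {'secret': Tainted(secret_bit, True)}, False)

def implicit_tracking(secret_bit, program):
    """Control-dependence DIFT: catches the taken path, over-taints 'tmp'."""
    return run(program, {'secret': Tainted(secret_bit, True)}, True)

if __name__ == '__main__':
    print(explicit_only(1))                       # out False -> false negative
    print(implicit_tracking(1, COPY_VIA_BRANCH))  # tmp True  -> false positive
    print(implicit_tracking(0, COPY_NO_ELSE))     # out False -> untaken path missed
```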