Proving Confidentiality in a File System Using DiskSec (Poster #2) - - PowerPoint PPT Presentation

proving confidentiality in a file system using disksec
SMART_READER_LITE
LIVE PREVIEW

Proving Confidentiality in a File System Using DiskSec (Poster #2) - - PowerPoint PPT Presentation

Apr 05, 2024 547 likes •796 views

Proving Confidentiality in a File System Using DiskSec (Poster #2) OSDI 18 Atalay Mert leri, Tej Chajed, Adam Chlipala, Frans Kaashoek, Nickolai Zeldovich MIT CSAIL Storage Systems Contain Confidential Data Users rely on the storage

slide-1
SLIDE 1

Proving Confidentiality in a File System Using DiskSec (Poster #2)

Atalay Mert İleri, Tej Chajed, Adam Chlipala, Frans Kaashoek, Nickolai Zeldovich MIT CSAIL OSDI ‘18

slide-2
SLIDE 2

Storage Systems Contain Confidential Data

Users rely on the storage system to maintain their confidentiality.

2

  • A file system will be used as a case study in this talk.
slide-3
SLIDE 3

Confidentiality in a File System

3

  • Alice and Bob share a file-system on the same machine
  • Bob tries to learn the content of Alice’s files

Threat model: Bob can call the file-system interface and cannot bypass it. ○ can’t steal the disk ○ can’t read or write directly to the disk etc.

slide-4
SLIDE 4

Bugs May Leak Confidential Data

File-systems are also subject to confidentiality bugs. Examples

  • Crash can expose deleted data

(ext4 - 2017)

  • Anyone can change POSIX ACLs

(NFS - 2016)

  • Truncated data can be accessed

(btrfs - 2015)

  • Crash can expose data

(ext4 - 2014)

  • Anyone can change POSIX ACLs

(btrfs, gfs2 - 2010)

  • ...

4

slide-5
SLIDE 5

Approach: Formal Verification

5

  • Write a specification that captures the desired

behavior of the system.

  • Prove that implementation satisfies the specification.
  • As long as specification accurately captures the

desired behavior, implementation details are irrelevant.

  • We have verified file systems with correctness

specifications (e.g. DFSCQ [SOSP’17]).

slide-6
SLIDE 6

dir_b, dir_a dir_a, dir_b

Functional Specifications Do Not Ensure Confidentiality

Example: Specification for readdir readdir can return entries in any order. /dir_a /dir_b readdir(...) ⇒

6

Functional specifications ensure many security properties. (e.g. no memory corruption, no disk corruption etc.)

slide-7
SLIDE 7

Functional Specifications Do Not Ensure Confidentiality

  • Meets specification
  • Leaks confidential data

Nondeterministic functional specifications allow breach of confidentiality. Confidentiality requires better specifications.

7

def readdir(...) dirs = get_dirlist(...) if (alice.txt file contains ‘a’) return sort(dirs) else return reverse_sort(dirs)

slide-8
SLIDE 8

State of the Art in Verifying Confidentiality

Existing Systems

  • seL4

[SSP’13]

  • Ironclad

[OSDI’14]

  • CertiKOS [PLDI’16]
  • Komodo

[SOSP’17]

  • Nickel

[OSDI‘18]

8

Above systems use non-interference for their confidentiality specifications. Non-interference does not allow any data exposure from Alice to Bob.

slide-9
SLIDE 9

Non-interference is Not Suitable for File System Confidentiality.

  • File systems have discretionary access control
  • File systems intentionally expose metadata.

9

slide-10
SLIDE 10

Contributions

DiskSec Framework for proving confidentiality of storage systems.

  • File-system confidentiality specification.
  • Proof technique to track ownership of the data.
  • DiskSec implemented and proven in Coq Proof Assistant.

Evaluation

  • SFSCQ file system: extension of DFSCQ with

confidentiality theorem

  • Confidentiality for simple app on top of SFSCQ

10

slide-11
SLIDE 11

Bob Cannot Infer Alice’s Confidential Data

11

World 2 World 1 write(f, a) write(f, b) Alice: Alice: Bob Bob Data is confidential:

  • bserves same results
slide-12
SLIDE 12

Confidentiality Means Other Users See Same Thing Regardless of Your Data

12

s1 s2 s’1 s’2 p Bob p Bob ret1 ret2 s w r i t e ( a ) write(b)

Confidentiality requires that ret1 = ret2

World 1 World 2

Two states are equivalent with respect to a user (≅user), if all the data visible to that user is the same in both states.

slide-13
SLIDE 13

Our Confidentiality Specification: Data Non-interference

s0 s1 s2 s’0 s’1 s’2 ≅Bob ≅Bob

13

p p syscall Bob ret1 syscall Bob ret2 = Return Non-interference State Non-interference

slide-14
SLIDE 14

Data Non-interference is a Good Confidentiality Specification for File Systems

Data non-interference

  • allows discretionary access control,
  • allows exposing of metadata,
  • forbids exposing of user data

○ even indirectly (e.g. readdir)

14

slide-15
SLIDE 15

How can We Prove Data Non-interference?

15

Data non-interference require more complicated proofs than functional correctness.

  • Require reasoning about behavior of two executions.

Insight: File systems mostly does not inspect user data.

  • Suffices to reason about where user data is accessed in one

execution.

slide-16
SLIDE 16

Our Approach: Sealed Blocks

16

  • Pretend that all disk blocks are logically sealed.
  • Function needs to request an unseal to access the data content.
  • Functions can be analyzed to prove that they do not unseal user

data.

slide-17
SLIDE 17

Standard Disk Infrastructure

17

File system implementation read(a: addr) -> data write(a: addr, b: data) Disk data data data

slide-18
SLIDE 18

read(a: addr) -> data write(a: addr, b: data)

DiskSec Infrastructure

18

File system implementation read(a: addr) -> sblock write(a: addr, b: sblock) Sec logical disk data

  • wner

u1, u2, ... data

  • wner

sealed block (sblock) seal(d: data, u: user) -> sblock unseal(b: sblock) -> data unseal owner trace data

  • wner

data

  • wner

Disk

slide-19
SLIDE 19

How to Use DiskSec?

19

DiskSec Implementation def read (f,...) if (can_access(f)) sealed_data = read_disk(f,...) data = unseal(sealed_data) return data else return error Standard Implementation def read(f,...) data = read_disk(f,...) return data

1. Developer instruments his code with seals, unseals and access control checks. 2. Developer proves that a certain property holds for the unseal trace of the implementation.

slide-20
SLIDE 20

Sealed Blocks Simplify Confidentiality Proofs

Unseal Secure Function only unseals data accessible to the current user Unseal Secure ➙ Return Non-interference Unseal Public Function only unseals data accessible to every user. Unseal Public ➙ Data Non-interference In this case, state non-interference needs to be proven separately.

20

slide-21
SLIDE 21

DiskSec Summary

  • Provides infrastructure for access control in storage

systems.

  • Formalizes data non-interference as a confidentiality

specification.

  • Simplifies proof effort by reducing data non-interference

proofs to unseal trace proofs.

21

slide-22
SLIDE 22

Applying DiskSec: SFSCQ Overview

  • Based on DFSCQ [SOSP’17]
  • Supports multiple users
  • Simplified permission model

○ All metadata, including file names, are public. ○ File contents may be public or private. ○ File owner is set upon creation.

  • Fully implemented and verified in Coq Proof Assistant

22

slide-23
SLIDE 23

Evaluation

23

  • Did we prove DFSCQ satisfies data non-interference?

○ Not completely. ○ Needed to remove an advanced feature.

  • Is performance the same as DFSCQ?

○ SFSCQ code = DFSCQ code + access control checks

  • How much effort did it require?

○ Took one author ~3 months

slide-24
SLIDE 24

Conclusions

  • Correctness specifications are not enough for confidentiality.
  • Data non-interference is a suitable confidentiality specification

for file systems.

  • We designed and implemented DiskSec, a framework for

confidentiality proofs for storage systems.

  • We implemented SFSCQ, the first file system with

machine-checkable confidentiality proofs, using DiskSec.

24

https://github.com/mit-pdos/fscq/tree/security