Building Secure Systems from Buggy Code with Information Flow Control

Опубликовано 6 сентября 2016, 17:27

Today, computer security resembles an arms race: the bad guys constantly find new ways to break in, and being safe requires staying one step ahead of them in cutting off avenues of attack. This strategy is simply too risky and too expensive in the long run. In this talk, I will argue that we need to address security at a much more fundamental level, and I will show how re-designing operating systems, network protocols, and hardware can provide a solid foundation for building applications in a way that eliminates or radically reduces vulnerabilities. Much of the challenge in building secure applications stems from the fact that real systems are constantly evolving, and that most programmers are not security-conscious, resulting in code rife with bugs that cause security vulnerabilities. Instead of trying to fix all code, this talk will argue that we should protect data, by controlling how it can move through the system. The key insight is that data protection cuts across layers: any piece of data in an application can also be viewed as memory or files by the OS, or as physical pages by the hardware. Consequently, even data in buggy applications can be protected by the OS or by hardware, despite the latter two being at a much lower level of abstraction. In particular, I will first describe how a low-level information flow control mechanism can be provided by a small OS kernel, hardware, or network protocol, and then show how the same mechanism can be used throughout the system to enforce security policies ranging from those traditionally found in Unix to those that can ensure the privacy of user data in a web server built from largely untrusted code.