Talk:COMP 3000 Essay 2 2010 Question 2

From Soma-notes

Comments & Discussion

EDIT: I've pretty much explained the background concept behind IBOS and I kind of added the way it's executed near the end. Feel free to move that into the research section.

I can work on the background of IBOS

--Selliot3 23:03, 22 November 2010 (UTC)


It seems we only have 5/7 members. We should start splitting up the tasks and assign who gets what. So if everybody writes what section they would like to work on that would be great.

--Youcef M. 15:19, 20 November 2010 (UTC)


I'll do the contribution section. I'll be reading through the paper thoroughly today and taking notes as I go. I'll post them later on this page as a sort of cheat-sheet/reminder. --Gsmith6 17:45, 25 November 2010 (UTC)

Group Members

Leave your name and e-mail address if you are assigned to this question.


Youcef M. moussoud@gmail.com


I am alive and still in the class, selliot3@connect.carleton.ca

--Selliot3 18:12, 15 November 2010 (UTC)

Still in the class, andrewtubman84@gmail.com

Atubman

I'm here. I have received an email reply from John Vanden Heuvel as well (he may not see this) gsmith0413@gmail.com --Gsmith6 22:31, 15 November 2010 (UTC)

vG

I am here... and replied to the email

Question 2 members

Elliott Charles selliot3

Moussoud Youcef ymoussou

Pharand Alexandre apharan2

Smith Geoffrey gsmith6

Tubman Andrew atubman

Vanden Heuvel John jvheuvel

Vivekanandarajah Vijitharan vviveka2

Raw Information

The web itself is ubiquitous; a person can use it for communication, banking, business, social networking, and it can be useful for other purposes. There are different types of vulnerabilities: web application, browser, OS and library vulnerabilities. Insecure web browsers are monolithic, and they are easy to exploit. Secure web browsers such as Chrome isolate web applications but still contain a huge trusted computing base (TCB). Browser abstractions as first-class OS abstractions give the web browser a reduced TCB and also provide protection that lets most components withstand attacks. vG

Rough Notes

Essay Notes
-most attacks are on web apps, but some attack the browser itself
-if the attack on the browser is successful, it can be more devastating because the attacker can access much more of the system (lower on the computer stack than web apps)
-even more serious if an attacker gets lower in the stack (i.e. libraries, OSes)
-higher level vulnerabilities are more common, but low levels mean more devastating attacks
-new browsers create a separation between functionality of browser, and security mechanisms, but they still share certain services and libraries that attackers can use to infiltrate the system.
-Illinois Browser Operating System (IBOS) is an effort to reduce the TCB of web browsers.
-achieves this by taking out shared OS components and services from the browser's TCB.
-These include device drivers, network protocol implementations, storage stack, and window-management software.
-they are put into the browser level abstractions.
-traditional methods are to put application-specific abstractions on top of the OS abstractions.

CONTRIBUTIONS:
-first system to improve browser and OS security by making browser-level abstractions into first class OS abstractions, creating separation between browser functionality and browser security
-by having low-layer software expose browser abstractions allows for removal of almost all traditional OS components from the TCB
-IBOS still allows traditional applications to interact with the browser and shared OS services without compromising security.

ARCHITECTURE:
-uses microkernel, exokernel, and safety kernel concepts
-by making the security decisions at the lowest layer of software, the authors avoid putting the millions of lines of library and OS code in the TCB.
-monitors the sharing of data between web apps and traditional apps
-built to enforce browser policies of existing systems
-IBOS kernel acts similarly to traditional microkernels, it manages global resources and creates new processes.
-All messages being passed travel through the reference monitor, where they are subjected to the overall security policy.
-HTTP requests are reformatted into a TCP stream which then gets converted into a series of Ethernet frames.
-by storing HTTP cookies and HTML5 local storage objects using the storage manager, they can be examined by the reference monitor.
-by using namespaces, the OS isolates objects such as web apps, traditional apps and device drivers
-two different types of processes, web page instances and traditional processes
-new process, called a web page instance, is created for each individual web page that the user visits
-these are responsible for issuing HTTP requests, parsing HTML, executing JavaScript, and rendering web content to a tab
-the key difference between the two types of processes is the security label the IBOS kernel gives them
-plugins are run as traditional processes, but they are launched by the browser and are given access to browser states

CURRENT BROWSER POLICIES
-same-origin policy (SOP) isolates web pages that come from different origins
-modern browsers have their SOP scattered throughout millions of lines of code, and are often troublesome to implement
-iframes can be labeled by the page developers as from the same origin as the hosting page, or from different origins

IBOS SECURITY POLICIES AND MECHANISMS
-want to be able to ensure the IBOS kernel upholds security policies even if any number of subsystems have been compromised
-susceptible components include all drivers, browser API managers, web page instances, and traditional processes.
-IBOS labels specify the resources that a process can access or messages it can receive
-web page instances are labeled by the origin of the HTML document
-traditional processes are labeled as "localhost"
-IBOS labels the processes upon creation, and keeps the labels unchanged throughout the process's life
-because the IBOS kernel labels processes itself, rather than the process labelling itself, it ensures it has the correct label information.
-by using these security invariants, they can extract security relevant information from messages automatically, and they can remove almost all of the components found in modern operating systems from the TCB, including device drivers
-SI 0: All components can only perform their designated functions
-SI 1: Drivers cannot access DMA buffers directly
-SI 2: Devices can only access validated DMA buffers
-separates management of device control registers from the use of the device buffers to allow checking that the communications are within the IBOS security policies
-SI 3: All of the key-value pairs maintain confidentiality and integrity even if the storage stack becomes compromised
-this is achieved by encrypting objects before passing them to the storage subsystem
-SI 4: The kernel must route network requests from web page instances to the proper network process
-SI 5: The kernel must route Ethernet frames from the NIC to the proper network processes
-SI 6: Ethernet frames from network processes to the NIC must have an IP address and TCP port that matches the origin of the network process
-SI 7: HTTP data from network process to web page instances must adhere to the SOP
-SI 8: Network processes for different web page instances must remain isolated
-all network processes are put into their own protection domains
-using the labeling system, the kernel can ensure that network requests from web page instances and Ethernet frames from the NIC are routed to the correct network process
-by cross checking the outgoing requests with the sending network process, the IBOS kernel ensures that the NIC sends the request to the right host, and that it is sending the right data
-SI 9: The browser chrome and web page content displays are isolated
-SI 10: Only the current tab can access the screen, mouse and keyboard
-SI 11: The URL of the current tab is displayed to the user
-sections of the IBOS display are isolated from one another
-3 horizontal sections, each with its own access privileges
-top bar is only for the IBOS kernel, middle section is reserved for the UI subsystem to draw the browser chrome, and the rest is for the web page instance
-by displaying the current URL in the top section, the kernel cross-references that URL with the URL the web page instance claims to be
-this is a simple task, but is not currently implemented right in modern browsers
-by running iframes in a separate web page instance, the kernel can examine the label, and determine if it is safe
-IBOS cannot stop XSS (cross-site scripting) but it does try and prevent the attack from causing any serious damage

IMPLEMENTATION
-divided into 3 parts. The IBOS kernel, the IBOS message passing interfaces, and the IBOS subsystems
-IBOS kernel is implemented on top of the L4Ka::Pistachio microkernel
-scheduler is a static priority system
-entire IBOS TCB has 42,044 lines of code compared to:
-Firefox on Linux > 5,684,639
-ChromeOS > 4,407,066
-looked at 28 known Linux vulnerabilities, and were able to prevent 27 of them for a success rate of 96%
-also looked at Chrome's 295 bugs, 42 of which cause denial-of-service, which IBOS does not address currently
-78 were not actual security issues
-175 were legit issues, and can be grouped into 7 categories
-Memory Exploitation = IBOS contained or eliminated slightly more problems than Chrome contained
-XSS = IBOS was able to eliminate or contain all issues known in Chrome
-SOP circumvention = also stopped all issues, vs. Chrome did not contain any
-Sandbox bypassing = all vs. none
-Interface spoofing = all vs. none
-UI design flaw = neither browser was able to contain or eliminate any of these issues
-Miscellaneous = IBOS only managed to stop 14% of these problems
-Overall, Chrome was able to contain 46%, while IBOS either contained or eliminated 77% of these known issues
-Chrome can contain most issues that get into the rendering engine, but cannot contain those that are in the browser kernel
-a compromised Ethernet driver cannot access the DMA buffers
-a compromised storage module has little impact on the data confidentiality and integrity because the IBOS kernel encrypts all data; the only thing it can do is delete objects
-a compromised network stack is constrained as well because the IBOS kernel ensures that each network process can only send relevant data to the expected host
-a compromised window manager cannot affect other subsystems, because IBOS does not allow it to do anything but draw the browser chrome.
-compared IBOS, IBOS-Linux, Firefox, and Chrome loading several different websites
-overall, Chrome was the fastest
-IBOS and IBOS-Linux were as fast as Chrome when loading web pages with few HTTP requests, but web pages like Facebook and Wikipedia (which use a lot of HTTP requests) slowed IBOS and IBOS-Linux considerably

ADDITIONAL RELATED WORK
-ChromeOS and IBOS have fundamentally different design philosophies
-ChromeOS is implemented on top of the pre-existing Linux kernel, but will make modifications to the kernel to strip out unneeded portions
-IBOS starts with a clean slate and only includes the system functionality for the system.
-by starting from scratch, IBOS is able to keep the lines of code down in the TCB by 2 to 3 orders of magnitude compared to ChromeOS
--Gsmith6 01:58, 2 December 2010 (UTC)
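The labeling and routing rules in the notes above (kernel-assigned origin labels, SI 6, SI 7 and the SI 11 URL cross-check) as a toy policy model; this is an added illustration, not IBOS code, and the class, process ids and origins are constructed for the example:

```python
"""Toy model of how the IBOS kernel labels processes and checks messages."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int


def origin_of(url: str) -> Origin:
    """Origin of an HTML document: scheme, host and (default) port."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return Origin(u.scheme, u.hostname, port)


LOCALHOST = Origin("local", "localhost", 0)  # label for traditional processes


class IBOSKernel:
    """Labels are assigned by the kernel at creation and never change."""

    def __init__(self):
        self._labels = {}       # pid -> Origin (hypothetical bookkeeping)
        self._next_pid = 1

    def _spawn(self, label):
        pid, self._next_pid = self._next_pid, self._next_pid + 1
        self._labels[pid] = label
        return pid

    def create_web_page_instance(self, url):   # labeled by document origin
        return self._spawn(origin_of(url))

    def create_network_process(self, wpi_pid):  # one per web page instance
        return self._spawn(self._labels[wpi_pid])

    def create_traditional_process(self):       # labeled "localhost"
        return self._spawn(LOCALHOST)

    def label_of(self, pid):
        return self._labels[pid]

    def allow_outgoing_frame(self, net_pid, dst_host, dst_port):
        """SI 6: frame destination must match the network process's origin."""
        lab = self._labels[net_pid]
        return (dst_host, dst_port) == (lab.host, lab.port)

    def allow_http_delivery(self, net_pid, wpi_pid):
        """SI 7: HTTP data only reaches a web page instance of the same origin."""
        return self._labels[net_pid] == self._labels[wpi_pid]

    def url_bar_matches(self, wpi_pid, claimed_url):
        """SI 11: kernel cross-checks the claimed URL against the label."""
        return origin_of(claimed_url) == self._labels[wpi_pid]
```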

Extra Resources

http://www.cs.uiuc.edu/homes/stang6/ibos.html#slide1 I found some presentation slides by Shuo Tang, Haohui Mai and Sam King, the authors and developers of IBOS --Gsmith6 22:35, 25 November 2010 (UTC)