Towards more usable information flow policies for contemporary operating systems

Wai-Kit Sze, B. Mital, R. Sekar
DOI: 10.1145/2613087.2613110 (https://doi.org/10.1145/2613087.2613110)
Published in: Proceedings of the ACM Symposium on Access Control Models and Technologies, pages 75-84, 2014-06-25
Citations: 6

Abstract

There has been a resurgence of interest in information-flow-based techniques in security. A key attraction of these techniques is that they can provide strong, principled protection against malware, regardless of its sophistication. In spite of this advantage, most advances in information flow control have not been adopted in mainstream operating systems, since a strict application of information flow can limit system functionality and usability. Permitting dynamic changes to subject labels, as proposed in the low-watermark model, provides better usability. However, it suffers from the self-revocation problem, whereby read/write operations on already open files are denied because the label of the subject performing these operations has been downgraded. While most applications deal gracefully with security failures on file open operations, they are unprepared to handle security violations on subsequent reads/writes. As a result, subject downgrades may lead to crashes or malfunction. Even those applications that do handle read/write errors may still leave output files in a corrupted or inconsistent state, since write permission was taken away in the midst of producing an output file. To overcome these drawbacks, we propose a new approach for dynamic downgrading that eliminates the self-revocation problem. We show that our approach represents an optimal combination of functionality and compatibility. Our experimental evaluation shows that our approach is efficient, incurring an overhead of a few percentage points, is compatible with existing applications, and provides strong integrity protection.