Nickolai Zeldovich
Abstract
HiStar is a new operating system designed to minimize the amount of code that must be trusted. HiStar provides strict information flow control, which allows users to specify precise data security policies without unduly limiting the structure of applications. HiStar's security features make it possible to implement a Unix-like environment with acceptable performance almost entirely in an untrusted user-level library. The system has no notion of superuser and no fully trusted code other than the kernel. HiStar's features permit several novel applications, including privacy-preserving, untrusted virus scanners and a dynamic Web server with only a few thousand lines of trusted code.
- Bell, D.E., La Padula, L. Secure Computer System: Unified Exposition and Multics Interpretation. Technical Report MTR-2997, Rev. 1, MITRE Corporation, Bedford, MA, March 1976.Google Scholar
- Biba, K.J. Integrity Considerations for Secure Computer Systems. Technical Report MTR-3153, MITRE Corporation, Bedford, MA, April 1977.Google Scholar
- Bomberger, A.C., Frantz, A.P., Frantz, W.S., Hardy, A.C., Hardy, N., Landau, C.R., Shapiro, J.S. The KeyKOS nanokernel architecture. In Proceedings of the USENIX Workshop on Micro-Kernels and Other Kernel Architectures, April 1992, 95--112. Google ScholarDigital Library
- Efstathopoulos, P., Krohn, M., VanDeBogart, S., Frey, C., Ziegler, D., Kohler, E., Mazières, d., Kaashoek, F., Morris, R. Labels and event processes in the Asbestos operating system. In Proceedings of the 20th SOSP (Brighton, U.K., October 2005), 17--30. Google ScholarDigital Library
- Fraser, T. LOMAC: low water-mark integrity protection for COTS environments. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, CA, May 2000), 230--245. Google ScholarDigital Library
- Hamilton, G., Kougiouris, P. The Spring nucleus: a microkernel for objects. In Proceedings of the Summer 1993 USENIX (Cincinnati, OH, April 1993), 147--159. Google ScholarDigital Library
- Krohn, M., Efstathopoulos, P., Frey, C., Kaashoek, F., Kohler, E., Mazières, D., Morris, R., Osborne, M., VanDeBogart, S., Ziegler, D. Make least privilege a right (not a privilege). In Proceedings of the 10th Workshop on Hot Topics in Operating Systems (Santa Fe, NM, June 2005). Google ScholarDigital Library
- Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Kaashoek, M.F., Kohler, E., Morris, R. Information flow control for standard OS abstractions. In Proceedings of the 21st SOSP (Stevenson, WA, October 2007), 321--334. Google ScholarDigital Library
- Landwehr, C.E. Formal models for computer security. Comput. Surv. 13, 3 (September 1981), 247--278. Google ScholarDigital Library
- Leyden, J. Anti-virus vulnerabilities strike again. The Register, March 2005. http://www.theregister.co.uk/2005/03/18/mcafee_vuln/Google Scholar
- Loscocco, P., Smalley, S. Integrating flexible support for security policies into the Linux operating system. In Proceedings of the 2001 USENIX (Boston, MA, June 2001), 29--40, FREENIX track. Google ScholarDigital Library
- McIlroy, M.D., Reeds, J.A. Multilevel security in the UNIX tradition. Softw. Pract. Exp. 22, 8 (1992), 673--694. Google ScholarDigital Library
- Myers, A.C., Liskov, B. Protecting privacy using the decentralized label model. Trans. Comput. Syst. 9, 4 (October 2000), 410--442. Google ScholarDigital Library
- Naraine, R. Symantec antivirus worm hole puts millions at risk. eWeek.com, May 2006. http://www.eweek.com/article2/0,1895,1967941,00.aspGoogle Scholar
- Peterson, D. Anti-virus rife with vulnerabilities. digitalbond.com, January 2008. http://www.digitalbond.com/index.php/2008/01/07/anti-virus-rife-with-vulnerabilities/Google Scholar
- Schroeder, M.D., Saltzer, J.H. A hardware architecture for implementing protection rings. In Proceedings of the 3rd SOSP (New York, March 1972), 42--54. Google ScholarDigital Library
- Shapiro, J.S., Smith, J.M., Farber, D.J. EROS: a fast capability system. In Proceedings of the 17th SOSP (Island Resort, SC, December 1999), 170--185. Google ScholarDigital Library
- Zeldovich, N., Boyd-Wickizer, S., Kohler, E., Mazières, D. Making information flow explicit in HiStar. In Proceedings of the 7th OSDI (Seattle, WA, November 2006), 263--278. Google ScholarDigital Library
- Zeldovich, N., Boyd-Wickizer, S., Mazières, D. Securing distributed systems with information flow control. In Proceedings of the 5th NSDI (San Francisco, CA, April 2008), 293--308. Google ScholarDigital Library
- Zeldovich, N., Kannan, H., Dalton, M., Kozyrakis, C. Hardware enforcement of application security policies. In Proceedings of the 8th OSDI (San Diego, CA, December 2008), 225--240. Google ScholarDigital Library
- Zoller, T. Clamav 0.94 and below---evasion and bypass due to malformed archive. April 2009. http://blog.zoller.lu/2009/04/clamav-094-and-below-evasion-and-bypass.htmlGoogle Scholar
Index Terms
- Making information flow explicit in HiStar
Recommendations
Making information flow explicit in HiStar
OSDI '06: Proceedings of the 7th symposium on Operating systems design and implementationHiStar is a new operating system designed to minimize the amount of code that must be trusted. HiStar provides strict information flow control, which allows users to specify precise data security policies without unduly limiting the structure of ...
Making information flow explicit in HiStar
OSDI '06: Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7HiStar is a new operating system designed to minimize the amount of code that must be trusted. HiStar provides strict information flow control, which allows users to specify precise data security policies without unduly limiting the structure of ...
Language-based information-flow security
Current standard security practices do not provide substantial assurance that the end-to-end behavior of a computing system satisfies important security policies such as confidentiality. An end-to-end confidentiality policy might assert that secret ...
Comments