TightLip: Keeping Applications from Spilling the Beans
Authors: Aydan R. Yumerefendi, Benjamin Mickle, and Landon P. Cox
Complete Citation
A.R. Yumerefendi, B. Mickle, and L.P. Cox. TightLip: Keeping Applications from Spilling the Beans. NSDI '07: 4th USENIX Symposium on Networked Systems Design & Implementation, April 2007, pp. 159-172.
Abstract
Access control misconfigurations are widespread and can result in damaging breaches of confidentiality. This paper presents TightLip, a privacy management system that helps users define what data is sensitive and who is trusted to see it rather than forcing them to understand or predict how the interactions of their software packages can leak data. The key mechanism used by TightLip to detect and prevent breaches is the doppelganger process. Doppelgangers are sandboxed copy processes that inherit most, but not all, of the state of an original process. The operating system runs a doppelganger and its original in parallel and uses divergent process outputs to detect potential privacy leaks. Support for doppelgangers is compatible with legacy code, requires minor modifications to existing operating systems, and imposes negligible overhead for common workloads. SPECweb99 results show that Apache running on a TightLip prototype exhibits a 5% slowdown in request rate and response time compared to an unmodified server environment.
Annotations
TightLip: a new approach to preventing data leaks caused by access control misconfigurations, delivered as a privacy management system rather than as a fix to the access control itself.
New operating system object: the doppelganger process, a sandboxed copy process that inherits most, but not all, of the state of the original process.
A doppelganger is spawned when a process tries to read sensitive data. The kernel returns the real sensitive data to the original and scrubbed data to the doppelganger. Both run in parallel while the OS monitors the sequence and arguments of their system calls; as long as the two stay identical, the process's output does not depend on the sensitive data.
A potential breach is flagged when the two outputs diverge and the output is destined for a part of the system outside of TightLip's control, for example a socket connected to an untrusted host. When that happens a policy module is invoked that either fails the output or swaps the original process for its doppelganger, so that only the scrubbed version continues.
Scrubbers monitor data files continuously, searching (as anti-virus software does) for strings that label what kind of data a file holds; when sensitive data is found, a shadow file containing the scrubbed contents is created.
Sensitive files are marked with a one-bit flag stored with the file object.
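The check described in the annotations above, as a toy model. This is an added example written for this page, not code from the paper or the TightLip prototype. It assumes that the shadow (scrubbed) copy of a file has the same length as the original, that both copies of the program can be run from the start (equivalent to forking the doppelganger at the sensitive read, since everything before that read is deterministic here), and that sends are buffered until the monitor has compared them; the file paths, hosts and programs are constructed for the example.

```python
"""Toy model of TightLip's doppelganger check (added example, not the paper's code).

Assumptions not stated on the page: same-length scrubbing, both copies run
from the start, and sends buffered until the monitor decides on them.
"""
from dataclasses import dataclass, field

# Constructed in-memory "filesystem": path -> (contents, sensitive flag).
FILES = {
    "/home/alice/notes.txt": (b"meeting at noon\n", False),
    "/home/alice/secret.txt": (b"ssn=123-45-6789\n", True),
}
TRUSTED_HOSTS = {"10.0.0.5"}  # destinations considered inside TightLip's control


def scrub(data: bytes) -> bytes:
    """Shadow-file contents handed to the doppelganger (same length: assumption)."""
    return b"x" * len(data)


@dataclass
class Sandbox:
    """One of the two parallel copies; records the syscalls it makes."""
    doppelganger: bool
    tainted: bool = False
    trace: list = field(default_factory=list)

    def read(self, path: str) -> bytes:
        data, sensitive = FILES[path]
        if sensitive:
            self.tainted = True
            if self.doppelganger:
                data = scrub(data)  # the kernel serves scrubbed data to the copy
        self.trace.append(("read", path, len(data)))
        return data

    def send(self, host: str, payload: bytes) -> None:
        self.trace.append(("send", host, payload))  # buffered, not released yet


def run_with_tightlip(program, policy: str = "fail"):
    """Run program in both sandboxes and decide each buffered send.

    Returns a list of (host, action, payload_released) where action is
    "allow", "fail" (output dropped) or "swap" (doppelganger's output released).
    """
    orig, dop = Sandbox(doppelganger=False), Sandbox(doppelganger=True)
    program(orig)
    program(dop)
    decisions = []
    diverged = False
    for o, d in zip(orig.trace, dop.trace):
        if o[0] != "send":
            if o != d:
                diverged = True  # control flow differs; later sends are suspect
            continue
        _, host, payload = o
        if host in TRUSTED_HOSTS or (o == d and not diverged):
            decisions.append((host, "allow", payload))
        elif policy == "swap":
            decisions.append((host, "swap", d[2]))
        else:
            decisions.append((host, "fail", None))
    # Syscalls the original made after the doppelganger stopped are divergent too.
    for o in orig.trace[len(dop.trace):]:
        if o[0] == "send":
            host = o[1]
            action = "allow" if host in TRUSTED_HOSTS else "fail"
            decisions.append((host, action, o[2] if action == "allow" else None))
    return decisions


def leaky_mailer(sb: Sandbox) -> None:
    """Reads a note and the secret and mails both to an untrusted host."""
    body = sb.read("/home/alice/notes.txt") + sb.read("/home/alice/secret.txt")
    sb.send("203.0.113.9", body)


def backup_to_trusted(sb: Sandbox) -> None:
    """Ships the secret to a trusted host: outputs diverge, but within policy."""
    sb.send("10.0.0.5", sb.read("/home/alice/secret.txt"))


def size_only(sb: Sandbox) -> None:
    """Leaks only the secret's length: both outputs match, so it is allowed."""
    sb.send("203.0.113.9", str(len(sb.read("/home/alice/secret.txt"))).encode())


if __name__ == "__main__":
    for prog in (leaky_mailer, backup_to_trusted, size_only):
        print(prog.__name__, run_with_tightlip(prog), run_with_tightlip(prog, "swap"))
```

The size_only program is the caveat worth keeping in mind: the mechanism only notices outputs that differ between the two copies, so anything the scrubber preserves (here the file length) can leave the system unnoticed even when it is derived from sensitive data.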
--
AndrewBlaich - 19 Sep 2007