Isolation
•Attacks on:
–Program
–Isolation
–Policy
[Figure: isolation boundary. A Host runs the Program and its Data behind a guard; a Boundary Creator in the Services sets up the boundary; policy governs the guard.]
•I am isolated if anything that goes wrong is my fault
–  Actually, my program’s fault
[Figure: access control. A Principal, via a Source, sends a Request to the Guard (reference monitor); the Guard authenticates the source, checks Authorization against the Policy, records the decision in the Audit log, and then does the operation on the Object (Resource).]
1. Isolation boundary
2. Access control
3. Policy
Our model enables us to categorize attacks according to which model components get attacked, thus creating a checklist for devs and testers to use to validate the security of their programs.

Attack color code: black – channel; red – isolation; green – security administration (policy)
The host and other things relied upon (e.g. hardware, crypto) work correctly
    – the red arrows show possible attack points on the isolation mechanism that can lead to isolation failures
    – the black arrows show possible attack points that can lead to program failures.
The program knows about all allowed input channels
It’s up to the program to handle all inputs correctly

Attacks
Both a crypto protocol stack and the guard filter traffic, ruling out some attacks.
The remaining attack points are shown here:
Packet handling code exposed to all sources
Crypto stack exposed to most sources
Packet handling code exposed to crypto-authorized sources
Guard code exposed to crypto authorized sources
Internal app code exposed to sources passed by the guard
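As an added example (not from the slides), the following Python puts the access-control figure and the Attacks list together in one small reference monitor: a principal's request arrives via a source and passes, in order, packet handling, the crypto stack (HMAC authentication with a per-principal key), the guard (policy check plus audit log), and only then the application code that does the operation. The principals, keys, policy, resource and sample traffic are constructed for illustration, and the per-layer counters exist only to make the exposure ordering visible: every source reaches packet handling, only key holders reach the guard, and only requests the guard passes reach the internal app code.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed shared keys: the crypto stack authenticates a source by HMAC.
# Real systems obtain these from a key exchange; fixed here so the example runs offline.
PRINCIPAL_KEYS = {"alice": b"alice-secret-key", "bob": b"bob-secret-key"}

# Constructed policy: object -> principal -> allowed operations. Anything unlisted is denied.
POLICY = {"payroll": {"alice": {"read", "write"}, "bob": {"read"}}}


def compute_mac(key, principal, op, obj, arg):
    """HMAC-SHA256 over a canonical encoding of the request fields."""
    msg = json.dumps([principal, op, obj, arg], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_packet(principal, op, obj, arg, key=None):
    """Build a request packet. The key defaults to the principal's real key, so a
    forger who supplies a guessed key fails authentication."""
    key = PRINCIPAL_KEYS[principal] if key is None else key
    body = {"principal": principal, "op": op, "obj": obj, "arg": arg,
            "mac": compute_mac(key, principal, op, obj, arg)}
    return json.dumps(body).encode()


@dataclass
class Monitor:
    # The protected object (resource); constructed state.
    resources: dict = field(default_factory=lambda: {"payroll": {"balance": 100}})
    audit_log: list = field(default_factory=list)
    # One counter per attack point in the slide: how many requests reached that code.
    exposed: dict = field(default_factory=lambda: {
        "packet_handling": 0, "crypto_stack": 0, "guard": 0, "app": 0})

    def handle_packet(self, raw: bytes):
        # 1. Packet handling: exposed to all sources, so parse defensively.
        self.exposed["packet_handling"] += 1
        try:
            req = json.loads(raw.decode("utf-8"))
            principal, op, obj, arg, tag = (req[k] for k in ("principal", "op", "obj", "arg", "mac"))
            if not all(isinstance(x, str) for x in (principal, op, obj, tag)):
                raise ValueError("bad field type")
        except (ValueError, KeyError, TypeError):
            return ("drop", "malformed packet")

        # 2. Crypto stack: authenticate the source. Only holders of a known key pass.
        self.exposed["crypto_stack"] += 1
        key = PRINCIPAL_KEYS.get(principal)
        if key is None or not hmac.compare_digest(
                compute_mac(key, principal, op, obj, arg).encode(), tag.encode()):
            return ("drop", "authentication failed")

        # 3. Guard (reference monitor): authorize against the policy and write the audit log.
        self.exposed["guard"] += 1
        allowed = POLICY.get(obj, {}).get(principal, set())
        verdict = "allow" if op in allowed else "deny"
        self.audit_log.append((principal, op, obj, verdict))
        if verdict == "deny":
            return ("deny", f"{principal} may not {op} {obj}")

        # 4. Internal app code: sees only requests the guard passed.
        self.exposed["app"] += 1
        return ("ok", self.do_operation(op, obj, arg))

    def do_operation(self, op, obj, arg):
        res = self.resources[obj]
        if op == "read":
            return res["balance"]
        if op == "write":
            res["balance"] = arg
            return res["balance"]
        raise ValueError(f"unknown operation {op!r}")


def run_demo():
    """Feed constructed traffic through a fresh monitor; returns (monitor, results)."""
    m = Monitor()
    traffic = [
        b"\xff\x00 not a request",                                        # stops at packet handling
        make_packet("mallory", "read", "payroll", None, key=b"guessed"),  # no real key: stops at crypto stack
        make_packet("bob", "write", "payroll", 0),                        # authenticated but not authorized
        make_packet("alice", "write", "payroll", 250),                    # allowed: reaches the app
        make_packet("bob", "read", "payroll", None),                      # allowed: reads back 250
    ]
    results = [m.handle_packet(p) for p in traffic]
    return m, results


if __name__ == "__main__":
    monitor, results = run_demo()
    for r in results:
        print(r)
    print("requests reaching each attack point:", monitor.exposed)
```

Two design points follow the slides: the policy lookup is default deny, so an object or principal missing from POLICY yields an empty set of allowed operations, and the audit log records every decision the guard makes, including denials, since the guard is the one place that sees authenticated principals and their requests together.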