Patent Application
20090037929
The present invention is generally directed to computer security. More particularly, it is directed to securing inter-process communications in a computer, and applications thereof.
Many computer operating systems have a security mechanism commonly referred to as access control. There are two main types of access control—discretionary access control and mandatory access control.
Under discretionary access control, system resources have security attributes (e.g., read/write/execute permission flags and/or access control lists) associated with them. Access to system resources is controlled based on these security attributes, which are used to protect the system resources (e.g., files) owned by one user from unauthorized access by other users. A weakness associated with discretionary access control is that the security attributes assigned to each system resource are specified by the resource owner and can be modified or removed at will. During a computer attack, an attacker may be able to alter discretionary access control security attributes and thereby gain access to any or all system resources.
Under mandatory access control, access to system resources is controlled by security attributes that cannot be modified or removed during normal operation. Because of this feature, mandatory access control offers a greater level of security than discretionary access control. One form of mandatory access control is type enforcement. Type enforcement is implemented, for example, in security-enhanced Linux (SELinux). In type enforcement, both applications and system resources are assigned type labels. Access for a type enforcement system such as SELinux is defined by a collection of rules contained in a file called a policy. A policy file is loaded into the operating system of a machine during the boot process.
Although mandatory access control (such as, e.g., type enforcement) provides a greater level of security than discretionary access control, available mandatory access control techniques for providing secure inter-process communications (e.g., by eliminating back channels through real-time guarantees of delivery) have a limited bandwidth and cannot meet the desired information flow requirements of many applications. Consequently, new techniques are needed for providing secure, high-bandwidth inter-process communications.
The present invention provides secure inter-process communications using mandatory access control security policies, and applications thereof. In an embodiment of the present invention, a first computer process passes data to a second computer process via a shared memory. The first computer process is granted write access to the shared memory, and the second computer process is granted read-only access to the shared memory. A third computer process creates a single-entry message queue that is used by the first computer process and the second computer process to control the passage of data via the shared memory. The third computer process is precluded from reading data from or writing data to the message queue. Access to the shared memory and the message queue are enforced using a mandatory access control security policy.
In an embodiment, the first computer process passes data to the second computer process by writing data to be passed to the second computer process in the shared memory. The first computer process then writes a first message to the message queue that indicates to the second computer process that there is data available to be read from the shared memory. When the second computer process reads the first message in the message queue, the second computer process knows to read the data from the shared memory. The first computer process writes another message to the message queue, after the first message, which when read by the second computer process indicates to the first computer process that the data written to the shared memory has been read by the second computer process and may be over-written by new data.
It is a feature of the present invention that the amount of the shared memory, and thus the bandwidth available for secure inter-process communications, can be specified to meet the desired information flow requirements of any application.
Further features and advantages of the invention, as well as the structure and operation of various embodiments of the invention, are described in detail below with reference to the accompanying drawings. It is noted that the invention is not limited to the specific embodiments described herein. Such embodiments are presented herein for illustrative purposes only. Additional embodiments will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein.
The accompanying drawings, which are incorporated herein and form part of the specification, illustrate the present invention and, together with the description, further serve to explain the principles of the invention and to enable a person skilled in the relevant art(s) to make and use the invention.
The features and advantages of the present invention will become more apparent from the detailed description set forth below when read in conjunction with the drawings. In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements. The drawing in which an element first appears is indicated by the leftmost digit(s) in the corresponding reference number.
The present invention provides secure inter-process communications using mandatory access control security policies, and applications thereof. In the detailed description that follows, references to “one embodiment”, “an embodiment”, “an example embodiment”, etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
In an embodiment of the present invention, a first computer process passes data to a second computer process via a first inter-process communication channel of a first type. The first computer process is granted write access to the first inter-process communication channel, and the second computer process is granted read-only access to the first inter-process communication channel. A third computer process creates a second inter-process communication channel of a second type. The second inter-process communication channel is used by the first computer process and the second computer process to control the passage of data via the first inter-process communication channel. The third computer process is precluded from reading data from or writing data to the second inter-process communication channel. Access to the first inter-process communication channel and the second inter-process communication channel are enforced using a mandatory access control security policy.
Aspects of the present invention are described in more detail below in terms of the Linux operating system. This is for illustrative purposes only, and not limitation. In terms of the Linux operating system, the first inter-process communication channel and the second inter-process communication channel may be implemented as a shared memory and message queue, respectively.
For example, in an embodiment of the present invention, the first computer process passes data to the second computer process via the shared memory. The first computer process is granted write access to the shared memory, and the second computer process is granted read-only access to the shared memory. The third computer process creates a single-entry message queue that is used by the first computer process and the second computer process to control the passage of data via the shared memory. The third computer process is precluded from reading data from or writing data to the message queue. Access to the shared memory and the message queue are enforced using SELinux.
This embodiment and other embodiments are described in more detail below.
Security policy 104 provides security 114 for process A and security 112 for process B. In terms of secure inter-process communications, the goal of security 114 and 112 is to allow data transfer in a forward direction (e.g., from process A to process B), but to limit (or prevent) data transfer in the reverse direction (e.g., from process B to process A).
Shared memory can be used to quickly transfer data from process A to process B in accordance with industry specifications. Security policy 104 can enforce shared memory directionality (e.g., read→write). For example, security policy 104 can ensure that process A has write access to the shared memory, and process B has only read access to the shared memory. In this way, process A can quickly pass large amounts of data to process B via the shared memory, but process A is prevented from surreptitiously reading any privileged data from process B.
Shared memory 220 provides a high-throughput forward data path between process A and process B. Process A has write access to shared memory 220 via a data path 201, and process B has only read access to shared memory 220 via a data path 205.
Message queue 230 provides a path for controlling the flow of data through shared memory 220, while limiting the backward flow of information from process B to process A. Process A has write access to message queue 230 via a data path 203, and process B has only read access to message queue 230 via a data path 207.
Message queue management logic 240 communicates two different types of status information regarding message queue 230 to processes A and B via control paths 209 and 211, respectively. First, message queue management logic 240 informs process A whether message queue 230 is full or not. If message queue 230 is full, message queue management logic 240 enforces a blocking characteristic whereby process A is prevented from writing any messages to message queue 230. Second, message queue management logic 240 informs process B whether there is a message in message queue 230 that is ready to be read. If message queue management logic 240 indicates that there is a message ready to be read in message queue 230, process B is permitted to read the message.
If message queue 230 is sized to receive only a single message, the two types of status information communicated by message queue management logic 240 can be exploited to provide a secure manner for controlling the passage of data through shared memory 220. For example, process A can be signaled to write to shared memory 220 based on when message queue 230 is emptied by process B, and process B can be signaled to read from shared memory 220 based on when message queue 230 is filled by process A, as described in more detail below.
To use message queue 230 securely, a helper process (e.g., a process other than processes A or B) creates message queue 230, but does not use it. For example, in the case of SELinux, the helper process can call the msgget function with the IPC_CREAT flag indicating the helper process is creating message queue 230. SELinux policy can ensure that the helper process is permitted to create message queue 230, but not to use it for any other operation.
After message queue 230 is created, process A associates with message queue 230 and sets the size of message queue 230 to contain the necessary control information. The size of message queue 230 is important for the flow of the forward channel. Although altering the size of message queue 230 may break the forward channel, it will not introduce any additional back channels. Thus, allowing process A to set the attributes of message queue 230 is not a risk from a security perspective. For illustrative purposes, message queue 230 is set to a size of one (e.g., full or not full) in the example operations described below.
Security policy 104 can include access controls to prevent process A from creating message queue 230, while permitting process A to associate and subsequently use message queue 230 for data transfer. Such access controls reduce the possibility of an attacker creating a plurality of message queues for use as a bit-map to transmit data through a back channel by leveraging error conditions.
Process B also associates with message queue 230. Once both processes A and B have associated with message queue 230, the control channel is ready for use.
In an embodiment, process A creates shared memory 220, and attaches shared memory 220 to its own address space, after both processes A and B have associated with message queue 230. Relying on process A to create shared memory 220 eliminates the back channel introduced through the EEXIST error condition. SELinux policy can be written to enforce this principle.
In another embodiment, a helper process (such as the process that created message queue 230) creates shared memory 220.
Process B associates and attaches to shared memory 220 in a read-only mode. The path from process A to process B through shared memory 220 provides the high-throughput data channel. After attaching shared memory 220 to its address space, process B calls msgrcv and immediately blocks.
After the data channel (which includes shared memory 220) and the control channel (which includes message queue 230) have been created the infrastructure is in place to support inter-process communications that is capable of providing high-throughput forward data transfer while minimizing the throughput of the back channel.
It is noted that while the above example embodiment is described with references to specific features of SELinux, the references are for illustrative purposes only, and not limitation. A person skilled in the relevant art(s) will understand how to establish secure communication channel 200 in other computing environments given the description herein.
Example pseudo code that may be implemented by processes A and B to communication via secure communication channel 200 is presented below. The pseudo code is described below with continuing reference to
Referring to
Referring to line A4, process A writes a third message to message queue 230 to prevent process A from writing new data to shared memory 220 before process B has had a chance to read the old data from shared memory 220. That is, the third message that process A writes to message queue 230 prevents a race condition, as depicted in
Referring to
Referring to
The above embodiment provides both high-throughput and security. Conventionally, shared memory provides a high-throughput inter-process communications mechanism, but is insecure because of the almost unlimited back channel. This is overcome by the present invention, for example, because the present invention combines the high-throughput capabilities of shared memory with the limited back channel of message queues to provide a secure information flow pipeline.
In an embodiment of the present invention, a plurality of secure communication channels are chained together in series as illustrated in
The first communication channel between process A and process B includes a shared memory 1020, a message queue 1030, and message queue management logic 1040.
Shared memory 1020 provides a high-throughput forward data path between process A and process B. Process A has write access to shared memory 1020 via a data path 1001, and process B has only read access to shared memory 1020 via a data path 1005. Shared memory 1020 functions in a similar manner to shared memory 220 described above.
Message queue 1030 provides a path for controlling the flow of data through shared memory 1020, while limiting the backward flow of information from process B to process A. Process A has write access to message queue 1030 via a data path 1003, and process B has only read access to message queue 1030 via a data path 1007. Message queue 1030 functions in a similar manner to message queue 230 described above.
Message queue management logic 1040 communicates the status of message queue 1030 to processes A and B in a similar manner to that described above.
The second communication channel between process B and process C includes a shared memory 1060, a message queue 1080, and message queue management logic 1070.
Shared memory 1060 provides a high-throughput forward data path between process B and process C. Process B has write access to shared memory 1060 via a data path 1051, and process C has only read access to shared memory 1060 via a data path 1055. Shared memory 1060 functions in a similar manner to shared memories 220 and 1020 described above.
Message queue 1080 provides a path for controlling the flow of data through shared memory 1060, while limiting the backward flow of information from process C to process B. Process B has write access to message queue 1080 via a data path 1053, and process C has only read access to message queue 1080 via a data path 1057. Message queue 1080 functions in a similar manner to message queues 230 and 1030 described above.
Message queue management logic 1070 communicates the status of message queue 1080 to processes B and C in a similar manner to that described above.
In another embodiment of the present invention, a plurality of message queues are utilized. For example,
Shared memory 1120 provides a high-throughput forward data path between process A and process B. Process A has write access to shared memory 1120 via a data path 1101, and process B has read-only access to shared memory 1120 via a data path 1105. Shared memory 1120 functions in a similar manner to shared memory 220 (
First message queue 1130 and second message queue 1150 provide a path for controlling the flow of data through shared memory 1120, while limiting the backward flow of information from process B to process A. Process A has write access to first message queue 1130 via a data path 1103, and write access to second message queue 1150 via a data path 1153. Process B has read-only access to first message queue 1130 via a data path 1107, and read-only access to second message queue 1150 via a data path 1157.
Message queue management logic 1140 communicates the status of first message queue 1130 and second message queue 1150 to processes A and B in a similar manner to that described above.
First message queue 1130 and second message queue 1150 may function in a similar manner to message queue 230 (
It is to be appreciated that secure communication channel 1100 is presented for illustrative purposes only, and not limitation.
Various aspects of the present invention—such as security policy 104, process A, and process B—can be implemented by software, firmware, hardware, or a combination thereof.
Computer system 1200 includes one or more processors, such as processor 1204. Processor 1204 can be a special purpose or a general purpose processor. Processor 1204 is connected to a communication infrastructure 1206 (for example, a bus or network).
Computer system 1200 also includes a main memory 1208, preferably random access memory (RAM), and may also include a secondary memory 1210. Secondary memory 1210 may include, for example, a hard disk drive 1212 and/or a removable storage drive 1214. Secondary memory 1210 may include, for example, shared memory 220 and message queue 230, as would be apparent to a person skilled in the relevant art(s). Removable storage drive 1214 may comprise a floppy disk drive, a magnetic tape drive, an optical disk drive, a flash memory, or the like. The removable storage drive 1214 reads from and/or writes to a removable storage unit 1218 in a well known manner. Removable storage unit 1218 may comprise a floppy disk, magnetic tape, optical disk, etc. which is read by and written to by removable storage drive 1214. As will be appreciated by persons skilled in the relevant art(s), removable storage unit 1218 includes a computer usable storage medium having stored therein computer software and/or data.
In alternative implementations, secondary memory 1210 may include other similar means for allowing computer programs or other instructions to be loaded into computer system 1200. Such means may include, for example, a removable storage unit 1222 and an interface 1220. Examples of such means may include a program cartridge and cartridge interface (such as that found in video game devices), a removable memory chip (such as an EPROM, or PROM) and associated socket, and other removable storage units 1222 and interfaces 1220 which allow software and data to be transferred from the removable storage unit 1222 to computer system 1200.
Computer system 1200 may also include a communications interface 1224. Communications interface 1224 allows software and data to be transferred between computer system 1200 and external devices. Communications interface 1224 may include a modem, a network interface (e.g., an Ethernet card), a communications port, a PCMCIA slot and card, or the like. Software and data transferred via communications interface 1224 are in the form of signals 1228 which may be electronic, electromagnetic, optical, or other signals capable of being received by communications interface 1224. These signals 1228 are provided to communications interface 1224 via a communications path 1226. Communications path 1226 carries signals 1228 and may be implemented using wire or cable, fiber optics, a phone line, a cellular phone link, an RF link or other communications channels.
In this document, the terms “computer program medium” and “computer usable medium” are used to generally refer to media such as removable storage unit 1218, removable storage unit 1222, a hard disk installed in hard disk drive 1212, and signals 1228. Computer program medium and computer usable medium can also refer to memories, such as main memory 1208 and secondary memory 1210, which can be memory semiconductors (e.g. DRAMs, etc.). These computer program products are means for providing software to computer system 1200.
Computer programs (also called computer control logic) are stored in main memory 1208 and/or secondary memory 1210. Computer programs may also be received via communications interface 1224. Such computer programs, when executed, enable computer system 1200 to implement embodiments of the present invention as discussed herein, such as the secure inter-process communications described above. In particular, the computer programs, when executed, enable processor 1204 to implement the processes of embodiments of the present invention—including process A and process B, and the secure inter-process communications between process A and process B. Accordingly, such computer programs represent controllers of the computer system 1200. Where the invention is implemented using software, the software may be stored in a computer program product and loaded into computer system 1200 using removable storage drive 1214, interface 1220, hard drive 1212 or communications interface 1224.
Various systems and methods for implementing secure inter-process communications, and applications thereof, have been described in detail herein. It is to be appreciated that the Detailed Description section, and not the Summary and Abstract sections, is intended to be used to interpret the claims. The Summary and Abstract sections may set forth one or more but not all exemplary embodiments of the present invention as contemplated by the inventor(s), and thus, are not intended to limit the present invention and the appended claims in any way. Furthermore, although aspects of the present invention have been described with reference to SELinux, the invention is not limited to the Linux operating system or SELinux. Based on the description contained herein, a person skilled in the relevant art(s) will appreciate that embodiments of the present invention can be implemented with regard to other operating systems.
The U.S. government has a paid-up license in this invention and the right in limited circumstances to require the patent owner to license others on reasonable terms as provided for by the terms of Contract No. ______, awarded by ______.
