
Policy management and decentralized debugging in the Asbestos operating system

Posted on: 2009-12-15
Degree: Ph.D
Type: Dissertation
University: University of California, Los Angeles
Candidate: Efstathopoulos, Petros
GTID: 1448390005452902
Subject: Computer Science
Abstract/Summary:

The continuing frequency and seriousness of security incidents underlines the importance of application security. We have developed Asbestos, a novel security-focused operating system that uses Asbestos labels to implement decentralized information flow control (DIFC). Using DIFC, Asbestos is able to track information flow and contain the effects of malicious or poorly implemented applications. In this way, Asbestos applications can be made significantly more secure than applications built on conventional operating system abstractions, since application security is preserved even when large parts of the application are compromised. However, our experience developing Asbestos applications showed that achieving these benefits in practice was simply too difficult. We believe that an important reason for this is Asbestos's challenging programming model.

Based on our development experience with Asbestos, we attempt to improve its programming model. We identify and investigate two security policy management problems that are critical for Asbestos development: security policy specification and policy debugging.

First, we present a policy description language that facilitates application policy management. Using our policy language, developers describe application policy in terms of pair-wise communication rules between application components, an interface that is far more compact, intentionally simple, and human-friendly than Asbestos labels. Our policy language parser translates these high-level policy descriptions into equivalent Asbestos label configurations. Furthermore, developers can use the policy language to describe the run-time application properties that our policy launcher needs in order to instantiate the application policy automatically.

Second, we propose a new mechanism to facilitate security policy debugging in Asbestos: debug domains. System state inspection, e.g. during debugging, would, if unchecked, leak information out of a compartment and violate information flow. Debug domains implement a decentralized debugging primitive that adheres to the information flow policies enforced by Asbestos.

We evaluate our policy language by using it to describe policies from major DIFC systems. We also use synthetic tests to evaluate the effectiveness and performance overhead of debug domains. Our results suggest that the proposed mechanisms assist developers at reasonable overhead, can benefit DIFC systems other than Asbestos, and improve the DIFC programming model.
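The translation the abstract describes, from pair-wise communication rules to Asbestos label configurations, can be sketched in code. The block below is an added illustration written for this page; it is not the thesis's policy language, parser or launcher. The rule syntax (`src -> dst`), the per-component `h_<name>` handles, the `TAINTED` level and the three-component sample policy are invented for the example, while the label rules themselves (levels * < 0 < 1 < 2 < 3, default level 1, a send allowed iff the sender's send label is pointwise below the receiver's receive label, receiver contaminated by join on success) follow the published Asbestos model; declassification privilege (level *) is left out. It also shows a caveat the pair-wise picture hides: contamination propagates transitively, so a flow that a rule permits can still be denied once the sender has received data from a component the receiver was never granted.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Asbestos level lattice (published model): * < 0 < 1 < 2 < 3.
# Handles absent from a label read as level 1; level * is not modelled here.
DEFAULT_LEVEL = 1
TAINTED = 2  # invented: level at which a component's own handle tags its output


class Label(dict):
    """Map handle -> level; a missing handle is at DEFAULT_LEVEL."""

    def level(self, handle: str) -> int:
        return self.get(handle, DEFAULT_LEVEL)

    def flows_to(self, other: Label) -> bool:
        """L1 <= L2 iff L1[h] <= L2[h] for every handle h (pointwise)."""
        return all(self.level(h) <= other.level(h) for h in set(self) | set(other))

    def join(self, other: Label) -> Label:
        """Pointwise maximum; used to contaminate a receiver."""
        return Label({h: max(self.level(h), other.level(h)) for h in set(self) | set(other)})


@dataclass
class Component:
    name: str
    send: Label = field(default_factory=Label)  # contamination its messages carry
    recv: Label = field(default_factory=Label)  # contamination it will accept


def parse_rules(text: str) -> list[tuple[str, str]]:
    """Parse 'src -> dst' lines (invented syntax); '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, arrow, dst = line.partition("->")
        src, dst = src.strip(), dst.strip()
        if arrow != "->" or not src or not dst:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((src, dst))
    return rules


def compile_policy(rules: list[tuple[str, str]]) -> dict[str, Component]:
    """Translate pair-wise rules into per-component send/receive labels.

    Each component gets a handle h_<name>: its send label carries that handle
    at TAINTED so everything it emits is tagged, and its receive label accepts
    its own tag (modelling choice: a component may see data derived from its
    own output).  A rule 'A -> B' raises B.recv[h_A] to TAINTED.
    """
    comps: dict[str, Component] = {}

    def component(name: str) -> Component:
        if name not in comps:
            c = Component(name)
            c.send[f"h_{name}"] = TAINTED
            c.recv[f"h_{name}"] = TAINTED
            comps[name] = c
        return comps[name]

    for src, dst in rules:
        component(src)
        component(dst).recv[f"h_{src}"] = TAINTED
    return comps


def send(sender: Component, receiver: Component) -> bool:
    """Asbestos send check: allowed iff sender.send <= receiver.recv.
    On success the receiver's send label is joined with the sender's."""
    if not sender.send.flows_to(receiver.recv):
        return False
    receiver.send = receiver.send.join(sender.send)
    return True


# Constructed sample policy for a three-component application (not from the thesis).
POLICY = """
form -> db      # the form handler passes user input to the DB worker
db -> form      # the DB worker answers the form handler
form -> logger  # the logger may see the form handler's output only
"""


def demo() -> dict[str, bool]:
    """Replay a message sequence and record which sends the labels allow."""
    comps = compile_policy(parse_rules(POLICY))
    form, db, logger = comps["form"], comps["db"], comps["logger"]
    return {
        "form->logger (fresh)": send(form, logger),    # True: rule present
        "form->db": send(form, db),                    # True: rule present
        "db->logger": send(db, logger),                # False: no rule grants h_db
        "db->form": send(db, form),                    # True, form now carries h_db
        "form->logger (tainted)": send(form, logger),  # False: logger never granted h_db
    }


if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step:24s} {'allowed' if allowed else 'DENIED'}")
```

The second `form -> logger` send is denied even though the rule exists: `form` has by then received `db`-tainted data, and `logger` was never granted `h_db`. That is precisely the containment Asbestos labels provide, and it is also the kind of denied flow a developer reading only the pair-wise rules would not expect, which is why tooling for inspecting label state without breaking the flow policy matters.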
Keywords/Search Tags:Asbestos, Policy, DIFC, Programming model, Security, Application, Debugging, Decentralized