Paper: undermine memory isolation in Fiasco OC covert channels
voelp at os.inf.tu-dresden.de
Wed Dec 10 16:34:49 CET 2014
On 12/10/2014 03:23 PM, teclis High Elf wrote:
> These researchers from TU Berlin claim to be able to undermine memory
> isolation in Fiasco OC through the use of covert channels. I'd be very
> interested to hear the opinion of the Fiasco experts.
The Fiasco OC interface (and probably most L4 versions) have not been
designed for freedom of covert channels, nor has L4Re. In my thesis in
2011, I already identified several timing channels in the mapping-tree
interface, and in fact Michael Peter should know this work:
> (Could a system built
> on Fiasco be hardened against such an attack
Nevertheless, it should be possible to construct compartments in such a
way that they do not allocate from the same quotas or share resources by
mapping from within the compartments. The setup would be to partition
the system directly on top of Sigma0 and to bootstrap one L4Re instance
per compartment, not allowing for shared channels over which objects
could be mapped. Fiasco OC offers the means to establish such channels
and to confine the compartments, but it has no support (and never
claimed to have) for covert-channel-free cross-compartment mappings.
Anyway, why would you want that for high security applications? If you
plan to go for such a system, please have a look at the work around EROS
by Jonathan Shapiro.
> be adding access control for
> UDP ports)??
I don't see how access control for UDP Ports helps? Currently, we don't
have funding for high security work, but please feel free to discuss
your requirements and ideas on this list or more privately.
Dr.-Ing. Marcus Völp
Technische Universität Dresden
Computer Science, Institute for Systems Architecture
01062 Dresden, Germany
Phone: +49 (351) 463-38350
Fax: +49 (351) 463-38284
E-Mail: voelp at os.inf.tu-dresden.de