
Secure APIs for Applications in Microkernel-based Systems

Mohammad Hamad and Vassilis Prevelakis
Institute of Computer and Network Engineering, Technical University of Braunschweig, Braunschweig, Germany
{mhamad, prevelakis}@ida.ing.tu-bs.de

Hamad, M. and Prevelakis, V. Secure APIs for Applications in Microkernel-based Systems. DOI: 10.5220/0006265805530558. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy (ICISSP 2017), pages 553-558. ISBN: 978-989-758-209-7. Copyright © 2017 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved.

Keywords: Secure APIs, Security.

Abstract: The Internet evolved from a collection of computers to today's agglomeration of all sorts of devices (e.g. printers, phones, coffee makers, cameras and so on), a large part of which contain security vulnerabilities. The current wide-scale attacks are, in most cases, simple replays of the original Morris Worm of the mid-80s. The effects of these attacks are equally devastating because they affect huge numbers of connected devices. The reason for this lack of progress is that software developers will keep writing vulnerable software due to problems associated with the way software is designed and implemented, and with market realities. So in order to contain the problem we need effective control of network communications and, more specifically, we need to vet all network connections made by an application, on the premise that if we can prevent an attacker from reaching his victim, the attack cannot take place. This paper presents a comprehensive network security framework, including a well-defined application programming interface (API) that allows fine-grained and flexible control of network connections. In this way, we can finally instantiate the principles of dynamic network control and protect vulnerable applications from network attacks.

1 INTRODUCTION

Every day we come across examples of security failures that cast doubt on the reliability of today's IT infrastructure. We hear about compromises spanning huge numbers of IoT devices, or about hundreds of thousands of customer records lost. All these failures largely stem from the ability of Internet-aware devices (or hosts) to be contacted by any other host connected to the Internet. Our lack of effective management of these connections is allowing malfeasants to connect to our devices and cause havoc. Another problem lies with the applications themselves. Even when extensively tested, they often contain vulnerabilities that, while extremely difficult to detect via traditional testing, provide the means for attackers to compromise the application and potentially take over the host. Moreover, applications developed using vastly different development methodologies and of vastly different quality often coexist in the same environment (e.g. entertainment systems in cars coexisting with critical systems such as stability control, steering and braking), allowing stepping-stone attacks.

The need to protect these applications from being contacted by random hosts from across the Internet has been well understood since the original Morris worm of the mid-80s. Unfortunately, the solutions proposed proved inadequate and in some cases exacerbated the problem. For example, firewalls have the ability to guard the entrances of networks and allow only "good" guys to connect to internal hosts. Initially, firewalls proved quite effective, but over the years they gradually became irrelevant (Niederberger et al., 2006) as WiFi connections allowed firewalls to be bypassed and Transport Layer Security (TLS) (Dierks and Rescorla, 2008) ensured that traffic flowing via these firewalls is encrypted, so that they are incapable of monitoring it for attacks.

In a typical banking application scenario, the customer uses TLS to connect to the banking application running on the bank's servers (Hiltgen et al., 2006). The connection is cleared by the firewall before the customer is identified by the system. This is so because identification is handled by the application after the TLS session has been established. Thus, not only are we forcing the firewall to allow all connections from the public Internet to our application, but we also prevent any network-based intrusion detection system from monitoring the data exchanged over the encrypted connection.

It is thus crucial for the connection request to be vetted before it is allowed to reach the application. The problem with the traditional way of controlling access to the application is that it involves a lot of manual configuration (e.g. configuring packet filters etc.), requires administrator access and is, thus, expensive, slow and error prone. We, therefore, need a faster, automated way of access control. We propose to de-couple the access control mechanism from the network code and use a policy engine to evaluate whether requests are authorized, and to reconfigure the system accordingly. In this way we can accommodate dynamic scenarios such as load balancing or failure recovery. Our mechanism should also allow interactions between applications running in distributed control systems such as those found in vehicles, airliners, etc. Numerous hacking demonstrations on car ECUs have shown that once access to the internal communication bus is gained by the attacker, the entire vehicle is compromised (Koscher et al., 2010). Traditional approaches have proven to be too inflexible for complex distributed environments, so we had to look for a better solution based on the distributed firewall model proposed by Ioannidis et al. (Ioannidis et al., 2000). Under this framework each connection request must include appropriate authentication and authorization to allow both the sending and receiving hosts to decide whether to allow the connection request to go through. In this way, there is no need to pre-configure the elements of the distributed system with access control information; instead, the communications policy is dynamically constructed as communication requests are made and granted. Eventually we will have a set of secure links connecting applications running on different hosts, but unlike the static configuration model, new requests can be accommodated and integrated into the overall system policy.

Any distributed security paradigm will eventually fail unless it can be used by the application developers. By providing a proper application-layer security interface, developers will be able to implement applications that use secure communications efficiently. Moreover, this layer will make it more convenient and applicable for protecting the application's communications.

In this paper, we present new APIs that give any application the power to control its security policy by providing sufficient configuration to the security layer. This enables an application to get the relevant information about the applied security mechanisms and all the parameters of the secure channel. We also provide APIs which allow any application to authenticate the requester's identity and indicate whether this request is authorized or not based on the security policy of the receiving application. The authorization decision will not be based on packet filtering and Access Control List (ACL) mechanisms. We use the KeyNote trust management (Blaze et al., 1999) model to enable the application to determine the allowed network access according to the credentials presented by the remote application, which should conform to the local policy of the application.

The rest of the paper is organized as follows. In Section 2, we provide a short background and some related work. Section 3 explains the design of the secure APIs. The implementation of the APIs is detailed in Section 4. In Section 5, we discuss some evaluation aspects. Finally, Section 6 contains some concluding remarks.

2 BACKGROUND AND RELATED WORK

Many mechanisms and protocols were defined to protect sensitive and critical system resources. TLS is one of these techniques; it is used to secure communications at the application layer. It uses encryption and authentication to keep communications private between two devices, typically a web server (website) and a browser. TLS is limited to TCP- and SCTP-based protocols. An adaptation of TLS for the UDP protocol is available; it is called DTLS. However, it is not widely used. Numerous modifications to the application's source code are required to run it over TLS. In some circumstances, these changes impose significant complexity overhead.

Another important mechanism is Internet Protocol Security (IPsec) (Kent and Seo, 2005). It was designed to provide network security services to protect Internet datagrams. It provides its security services over two protocols: the first one is called Authentication Header (AH) (Kent and Atkinson, 1998a), which provides origin authentication, data integrity and optional replay attack protection. The second protocol is called Encapsulating Security Payload (ESP) (Kent and Atkinson, 1998b), which provides confidentiality and authentication of the exchanged data. Although IPsec was introduced a few years ago, its usage was confined to VPN implementations. The lack of APIs was one of the main reasons that limited the adoption of IPsec for providing end-to-end security (Bellovin, 2009), (Ioannidis, 2003). Without these APIs, applications were not able to interact with the IPsec layer and verify whether IPsec services are being used underneath. The requirements for an application to interact with the security layer were specified by Richardson et al. (Richardson and Sommerfeld, 2006). They claimed that each application should be able to:

1. Determine HOW a communication was protected,
2. Identify WHO is the remote party,
3. Influence HOW the protection should take place, and
4. Indicate WHY an authorized communication failed.

All these requirements should be carried out as a set of APIs which could be used by the applications.
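The following is an added example, not code from the paper or its implementation: a small Python model of the KeyNote-style vetting the introduction describes, in which a local policy and the credentials presented by the remote side are evaluated against the request's attributes, returning both the decision and a reason (the WHY of requirement 4). The assertion format, the key ids, and the sample policy are constructed, and credential signature verification is assumed to have happened before evaluation.

```python
"""Toy trust-management (KeyNote-style) vetting of a connection request. Constructed
example; credential signatures are assumed verified before evaluation."""
from dataclasses import dataclass

@dataclass
class Assertion:
    """authorizer delegates to licensees while every condition holds.
    authorizer "POLICY" marks a local policy assertion; otherwise it is a key id."""
    authorizer: str
    licensees: frozenset
    conditions: dict  # attribute name -> set of acceptable values

def conditions_hold(conds, attrs):
    return all(attrs.get(name) in allowed for name, allowed in conds.items())

def vet_connection(policy, credentials, requester, attrs):
    """Return (allowed, why): WHO asked is `requester`, HOW is described by `attrs`."""
    trusted = set()
    for a in policy:  # keys the local policy trusts directly for this request
        if a.authorizer == "POLICY" and conditions_hold(a.conditions, attrs):
            trusted |= a.licensees
    changed = True
    while changed:  # follow delegation chains until no new key is learned
        changed = False
        for c in credentials:
            if (c.authorizer in trusted and conditions_hold(c.conditions, attrs)
                    and not c.licensees <= trusted):
                trusted |= c.licensees
                changed = True
    if requester in trusted:
        return True, "authorized by delegation chain from local policy"
    # Requirement 4 (WHY): tell the application which part of the check failed.
    naming = [a for a in list(policy) + list(credentials) if requester in a.licensees]
    if not naming:
        return False, "unknown requester: no policy or credential names " + requester
    if any(a.authorizer == "POLICY" or a.authorizer in trusted for a in naming):
        return False, "conditions not satisfied for request " + repr(sorted(attrs.items()))
    return False, "no trusted delegation chain reaches " + requester

# Constructed sample: the local policy trusts the bank's admin key for the "bank"
# service; that key delegates TLS-only (tcp/443) access to a branch-office key.
LOCAL_POLICY = [Assertion("POLICY", frozenset({"K_admin"}), {"app": {"bank"}})]
CREDENTIALS = [Assertion("K_admin", frozenset({"K_branch"}), {"proto": {"tcp"}, "port": {443}})]

if __name__ == "__main__":
    for who, req in [("K_branch", {"app": "bank", "proto": "tcp", "port": 443}),
                     ("K_branch", {"app": "bank", "proto": "udp", "port": 443}),
                     ("K_other", {"app": "bank", "proto": "tcp", "port": 443})]:
        print(who, req, vet_connection(LOCAL_POLICY, CREDENTIALS, who, req))
```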