Escort: Securing scout paths

Abstract

It is becoming increasingly common to find special-purpose communication devices--Information Appliances--attached to the Internet. Information appliances include network-attached disks, cameras, and displays; web and file servers; set-top boxes; application routers and firewalls. Many of these systems perform mission critical functions, like company web servers or firewalls, but are built on general purpose operating systems that do not protect them with adequate security measures. This work introduces Escort, a security architecture for the Scout operating system. Escort provides a set of mechanisms designed to protect information appliances. It uses Scout's path abstraction to provide accurate accounting over multiple protection domains, thereby protecting privacy and integrity while enabling the defense against denial of service attacks. Escort also provides a configuration interface that allows the designer of the Information Appliance to configure the functional specification and security policy needed for a given environment. The performance penalty of many secure systems is a deterrent for their deployment. Therefore, an additional goal of Escort is to provide high performance. To achieve this goal, Escort introduces novel mechanisms for shared buffer management and thread migration without introducing security holes. Again, the path abstraction is a major enabling factor for these mechanisms. This work also presents two example Information Appliances, a web server and a TCP forwarder (firewall). They show how secure high performance system's can be built using Escort's mechanisms. The web server shows, in particular, how to deal with denial of service attacks using a path-based resource revocation mechanism, while the firewall demonstrates a path-based optimization enabled by Escort.