lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM =...
Transcript of lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM =...
![Page 1: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/1.jpg)
CS590UAccess Control: Theory and Practice
Lecture 6 (January 26)Information Flow, Confinement &
Covert Channels
![Page 2: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/2.jpg)
A Lattice Model of Secure Information Flow
Dorothy DenningCACM 1976
![Page 3: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/3.jpg)
3
Information Flow Model
n An information flow model is defined by FM = ⟨SC, ⊕, →⟩n where SC is a finite set of security classesn ⊕ is the class-combining operator
n is an associative and commutative binary operatorn A ⊕ B denotes the security class of information that
includes information both of a and of b
n → is a binary operation that specifies from which class information can flow into which class
![Page 4: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/4.jpg)
4
When Information Flows
Examples n y := xn z := x; y := zn z := x + y;n z := x ⊕ y;n if x = 1 then y := 1n if (x = 1) and (y = 1) then z := 1n if x = 1 then if y = 1 then z := 1
![Page 5: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/5.jpg)
5
Why Lattice?
n If the following holds, then ⟨SC, →⟩ is a latticen ⟨SC, →⟩ is a posetn SC is finiten SC has a lower bound L such that L→A for all
A∈SCn ⊕ is the least upper bound operator
![Page 6: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/6.jpg)
A Note on the Confinement Problem
Butler LampsonCACM October 1973
![Page 7: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/7.jpg)
7
The Confinement Problem
n Confine a program’s execution so that it cannot transmit information to any other program except its caller.
n Motivation:n a customer uses a service program and wants to
ensure that the inputs are not leaked by the service program
![Page 8: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/8.jpg)
8
Ways to leak information
0. The service has memory and can be called by its owner
1. The service writes to a permanent file that can be read by its owner
2. The service writes to a temporary file that can be read by its owner
3. The service sends a message to the owner’s process using interprocess communication
![Page 9: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/9.jpg)
9
Ways to leak information
4. Information may be encoded in the bill rendered for the service, or payment for resources used by the service program
5. Using file lock as a shared boolean variable6. By varying its ratio of computing to
input/output or its paging rate, the service can transmit information to a concurrently running process
![Page 10: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/10.jpg)
10
Confinement rules (from the paper)
n A confined program must be memoryless, i.e., it must not be able to preserve information within itself from one call to another
n Total isolation: A confined program shall make no calls on any other programn sufficient to ensure confinementn quite impractical as even system calls may be
dangerous and thus need to be forbidden
![Page 11: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/11.jpg)
11
Less Restrictive Case
n Trusted programs: programs trusted not to leak data or help any confined program that calls them leak data
n Transitivity: if a confined program calls another program which is not trusted, then the called program must also be confined.
n It is difficult to write a trustworthy operating system, as some information path are subtle and obscure.
![Page 12: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/12.jpg)
12
Writing a Trustworthy Program
n A trustworthy program must guard against any possible leakage of data.
n In an operating system, the number of possible channels is large, but finite.
n It is necessary to enumerate all of them and to block each one.
![Page 13: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/13.jpg)
13
Three Categories of Channels
n Storage: write/read filesn Legitimate: bill for the service programn Covert: CPU/memory usagen The following simple principle is sufficient to
block all legitimate & covert channels:n Masking: A program is confined must allow its
caller to determine all its inputs into legitimate and covert channels. We say that the channels are masked by the caller.
![Page 14: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/14.jpg)
14
On Blocking Covert Channels
n Enforcement: The supervisor must ensure that a confined program’s input to covert channels conforms to the caller’s specifications.n this may require slowing the program down,
generating spurious disk references, or whatever, but it is conceptually straightforward
n The cost of enforcement may be high. A cheaper altrenative is to bound the capacity of the covert channels.
![Page 15: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/15.jpg)
A Comment on the Confinement Problem
Steven B. LipnerSOSP 1975
![Page 16: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/16.jpg)
16
Key observations
n The confinement problem is similar in objective to MAC securityn the common objective is to stop information flow
n Supposedly, *-property solves confinement problem for storage channelsn Identifying all objects is difficult, but can be done
![Page 17: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/17.jpg)
17
Closing “Covert Channels” is the most difficult
n To close “timing channels”n each subject must be constrained to see a virtual
time depending only on its activitiesn seems to solve the covert channel problemn unclear whether this is possible, because each
user also has sense of time outside the system
![Page 18: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/18.jpg)
18
Conclusion of this paper
n While the storage and legitimate channels of Lampson can be closed with a minimal impact on system efficiency, closing the covert channel seems to impose a direct and unreasonable performance penalty.
n Closing the covert channels seems at a minimum very difficult, and may very well be impossible in a system where physical resources are shared.
![Page 19: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/19.jpg)
Other Discussions on Covert Channels
![Page 20: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/20.jpg)
20
Covert Channels in MLS
n Covert storage channels: In BLP, if a file is considered to be an object, a low subject may be able to see file names of high, which can encode information.n low users can write high files; thus it reasonable
to know names of high files
n Covert timing channels
![Page 21: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/21.jpg)
21
n Covert channels are often noisyn However, information theory and coding
theory can be used to encode and decode information through noisy channels
n Military requires cryptographic components be implemented in hardwaren to avoid trojan horse leaking keys through covert
channels
![Page 22: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/22.jpg)
22
The Resource Matrix Approach
n An approach to systematically identify covert channels
n Kemmerer: “Shared Resource Matrix Methodology: An Approach to Identifying Storage and Timing Channels”, ACM TOCS.n Conference version in Oakland 1982.
![Page 23: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/23.jpg)
23
Intuition
n Finding all resources that are shared between high and low usersn covert channels rely on sharing of some resource
that can be used in an unexpected way to transfer informaion
![Page 24: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/24.jpg)
24
The Matrix
n Each system resource has a rown Each lowest-level system operation that can
be performed on resources is a columnn Each cell contains a subset of {R,M}
n R means referencing the resourcen M means modifying the resource
![Page 25: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/25.jpg)
25
Criteria for Identifying Covert Channels
n E.g., a storage channel exists when a high user can change an attribute of a shared resource and a low user can detect the change
n E.g., the criteria for a timing channel includes a shared common attribute, a shared time reference, and a means for modulating changes to this attribute.
![Page 26: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/26.jpg)
26
Polyinstantiationn Suppose that a High user creates a file named
agents, when a Low user tries to create the same file, it would fail, thus leaking informationn may be solved using naming conventions
n The problem gets more difficult in databases: Suppose that a High user allocate classified cargo to a ship, then a Low user may think the ship is empty and tries to allocate other cargosn one approach is to use a cover story
![Page 27: lecture06 - Purdue University3 Information Flow Model n An information flow model is defined by FM = 〈SC, ⊕, →〉 n where SC is a finite set of security classes n ⊕ is the](https://reader033.fdocuments.us/reader033/viewer/2022041818/5e5c2694a70bff313a4ecc87/html5/thumbnails/27.jpg)
27
End of Lecture 6
n Next lecturen Integrity, Biba, Clark-Wilson