Information Flow and Covert Channels November, 2006.

Slides:



Advertisements
Similar presentations
George Mason University
Advertisements

ACCESS-CONTROL MODELS
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
Access Control Intro, DAC and MAC System Security.
1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Verifiable Security Goals
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
Sicurezza Informatica Prof. Stefano Bistarelli
1 FM and Security-Overview FM Formal Security Models Based on Slides prepared by A. Jones and Y. Lin. Material based on C. Landwehr paper.
Information Systems Security Security Architecture Domain #5.
User Domain Policies.
7/15/2015 5:04 PM Lecture 4: Bell LaPadula James Hook CS 591: Introduction to Computer Security.
Mandatory Flow Control Bismita Srichandan. Outline Mandatory Flow Control Models Information Flow Control Lattice Model Multilevel Models –The Bell-LaPadula.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Assistant Professor, SIS Lecture 5 September 27, 2007 Security Policies Confidentiality Policies.
MANDATORY FLOW CONTROL Xiao Chen Fall2009 CSc 8320.
CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.
1 Introduction to Information Security , Spring 2014 Lecture 3: Access control (cont.) Eran Tromer Slide credits: John Mitchell, Stanford Max.
1 Confidentiality Policies September 21, 2006 Lecture 4 IS 2150 / TEL 2810 Introduction to Security.
1 IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 6 Oct 2-9, 2013 Security Policies Confidentiality Policies.
© G. Dhillon, IS Department Virginia Commonwealth University Principles of IS Security Formal Models.
J Carpenter & lecture & Information Security 2008 Lecture 5 Access Control, Security Models.
3/16/2004Biba Model1 Biba Integrity Model Presented by: Nathan Balon Ishraq Thabet.
Session 2 - Security Models and Architecture. 2 Overview Basic concepts The Models –Bell-LaPadula (BLP) –Biba –Clark-Wilson –Chinese Wall Systems Evaluation.
Security Architecture and Design Chapter 4 Part 3 Pages 357 to 377.
Lattice-Based Access Control Models Ravi S. Sandhu Colorado State University CS 681 Spring 2005 John Tesch.
Chapter 5 Network Security
Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Information Flow Control Language and System Level.
Trusted OS Design and Evaluation CS432 - Security in Computing Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University.
12/4/20151 Computer Security Security models – an overview.
12/13/20151 Computer Security Security Policies...
Policy, Models, and Trust
Information Security CS 526 Topic 17
A Lattice Model of Secure Information Flow By Dorothy E. Denning Presented by Drayton Benner March 22, 2000.
1/15/20161 Computer Security Confidentiality Policies.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula.
CS426Fall 2010/Lecture 211 Computer Security CS 426 Lecture 21 The Bell LaPadula Model.
Security Models Xinming Ou. Security Policy vs. Security Goals In a mandatory access control system, the system defines security policy to achieve security.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 16 October 14, 2004.
Database Security Database System Implementation CSE 507 Some slides adapted from Navathe et. Al.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
9- 1 Last time ● User Authentication ● Beyond passwords ● Biometrics ● Security Policies and Models ● Trusted Operating Systems and Software ● Military.
Database System Implementation CSE 507
Verifiable Security Goals
Mandatory Access Control (MAC)
Computer Security Confidentiality Policies
Mandatory Access Control (MAC)
Information Security CS 526
Information Security CS 526 Topic 17
Advanced System Security
System state models.
Confidentiality Models
Guest Lecture in Acc 661 (Spring 2007) Instructor: Christopher Brown)
Information Security CS 526
Chapter 5: Confidentiality Policies
Information Flow.
An information flow model FM is defined by
Computer Security Confidentiality Policies
Information Security CS 526
IS 2150 / TEL 2810 Information Security & Privacy
Chapter 5: Confidentiality Policies
A Survey of Formal Models for Computer Security
Advanced System Security
Presentation transcript:

Information Flow and Covert Channels November, 2006

Objectives Understand information flow principles Understand how information flows can be identified Understand the purpose of modeling information access Understand covert channels and how to prevent them

Why Model? What is an information security model? Why use one? “A security policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or nonsecure, states” Bishop, pg. 95 “A security mechanism is an entity or procedure that enforces some part of the security policy.” Bishop, pg. 98 “A security model is a model that represents a particular policy or set of policies.” Bishop, pg. 99 Excerpts from Computer Security by Matt Bishop

Examples Security Policy – e.g. Those described for use in the military Security Model – e.g. Bell La Padula Model Security Mechanism – e.g. Virtual memory (page tables) that support access protection checking or Tagging mechanism that tags all variables with security access information

Why Formal Models? Regulations are generally descriptive rather than prescriptive, so they don’t tell you how to implement Systems must be secure –security must be demonstrable --> proofs –therefore, formal security models For “real systems” this is not easy to do.

Categories of InfoSec Models Two major categories of information security models: –Access Control models: protect access to data* –Integrity Control models: verify that data* is not changed * applies to data in storage or in transit

Traditional Models Chinese Wall –Prevent conflicts of interest Bell-LaPadula (BLP) –Address confidentiality Biba –Address integrity with static/dynamic levels Information flow –Close “some” covert channels

Bell-LaPadula Security Model The Bell-LaPadula (BLP) model is about information confidentiality, and this model formally represents the long tradition of attitudes about the flow of information concerning national secrets..

Bell – LaPadula - Details Earliest formal model Each user subject and information object has a fixed security class – labels Use the notation ≤ to indicate dominance Simple Security (ss) property: the no read-up property –A subject s has read access to an object iff the class of the subject C(s) is greater than or equal to the class of the object C(o) –i.e. Subjects can read Objects iff C(o) ≤ C(s)

Access Control: Bell-LaPadula Top Secret Secret Unclassified Top Secret Secret Unclassified Read OK

Access Control: Bell-LaPadula Top Secret Secret Unclassified Top Secret Secret Unclassified Read OK Read Forbidden Read OK

Access Control: Bell-LaPadula Top Secret Secret Unclassified Top Secret Secret Unclassified Read OK Read Forbidden

Bell - LaPadula (2) * property (star): the no write-down property –While a subject has read access to object O, the subject can only write to object P if C(O) ≤ C (P) Leads to concentration of irrelevant detail at upper levels Discretionary Security (ds) property If discretionary policies are in place, accesses are further limited to this access matrix –Although all users in the personnel department can read all [personnel] documents, the personnel manager would expect to limit the readers of some documents, e.g. file for the Prez !

Access Control: Bell-LaPadula Top Secret Secret Unclassified Top Secret Secret Unclassified Write OK Write Forbidden

Access Control: Bell-LaPadula Top Secret Secret Unclassified Top Secret Secret Unclassified Write OK Write Forbidden

Access Control: Bell-LaPadula Top Secret Secret Unclassified Top Secret Secret Unclassified Write OK

Security Models - Biba Based on the Cold War experiences, information integrity is also important, and the Biba model, complementary to Bell- LaPadula, is based on the flow of information where preserving integrity is critical. The “dual” of Bell-LaPadula

Integrity Control: Biba Designed to preserve integrity, not limit access Three fundamental concepts: –Simple Integrity Property – no read down –Star Integrity Property (*) – no write up –No execute up

Integrity Control: Biba High Integrity Medium Integrity High Integrity Medium Integrity Read OK Read Forbidden

Integrity Control: Biba High Integrity Medium Integrity Low Integrity High Integrity Medium Integrity Low Integrity Write OK Write Forbidden

Basic Security Theorem A state transition is secure if both the initial and the final states are secure, so If all state transitions are secure and the initial system state is secure, then every subsequent state will also be secure, regardless of which inputs occur. This is information flow!

Implementation Question What are “all” of the information flows? –Files –Memory –Page faults –CPU use –?–?

Information Flow Information Flow: transmission of information from one “place” to another. Absolute or probabilistic. How does this relate to confidentiality policy? –Confidentiality: What subjects can see what objects. So, confidentiality specifies what is allowed. –Flow: Controls what subjects actually see. So, information flow describes how policy is enforced.

Information Flow Next: How do we measure/capture flow? –Entropy-based analysis Change in entropy  flow –Confinement “Cells” where information does not leave –Language/compiler based mechanisms? –Guards

What is Entropy? Idea: Entropy captures uncertainty If there is complete uncertainty, is there an information flow?

Information Flow – Informal What do we mean by information flow? –y = x; // what do we know before & after assignment? –y = x/z; A command sequence c causes a flow of information from x to y if the value of y after the commands allows one to deduce information about the value of x before the commands executed. –tmp = x; –y = tmp; –Transitive

Information Flow – Informal Consider a conditional statement –if x == 1 then y = 0 else y = 1 –what do we know before & after execution? –What about: if x == 1 then y = 0 –No explicit assignment to y in one case This is called implicit information flow

Information Flow Models Two categories of information flows –explicit – opn’s causing flow are independent of value of x, e.g. assignment operation, x=y –implicit - conditional assignment ( if x then y=z ) Components –Lattice of security levels (L,  –Set of labeled objects –Security policy

Information-Flow Model Flow relation forms a lattice A program is secure if it does not specify any information flows that violate the given flow relation

Security Levels Linear –Top secret –Secret –Confidential –Unclassified Lattice –Security level –Compartment

Security Level Examples Linear –Marking contains the name of the level –Each higher level dominates those below it Lattice –Marking contains name of level + name of compartment (e.g. TOPSECRET OIF) –Only those “read into” the compartment can read the information in that compartment, and then only at the level of their overall access

Who Can Read What? In a linear system? In a lattice system?

Universally bounded lattice What is a universally bounded lattice? “a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set.” So, what is a partially ordered set?

What’s a Partial Ordering? Partial ordering  on a set L is a relation where: –for all a  L, a  a holds (reflexive) –for all a,b,c  L, if a  b, b  c, then a  c (transitive) –for all a,b  L, if a  b, b  a, then a  b (antisymmetric)

Universally Bounded Lattice So, what are least upper and greatest lower bounds? Suppose <= is the dominates relation. C is an upper bound of A and B if A <= C and B <= C. C is a least upper bound of A and B if for any upper bound D of A and B, C <= D. Lower bounds and greatest lower bounds work the same way. See next example using Bell-LaPadula Model

B-LP Security Level Lattice S is the set of all security levels –Suppose the classifications are T, S, U –Suppose the categories are NATO and SIOP. Then the possible category sets are {}, {NATO}, {SIOP}, {NATO, SIOP} –Then S = [ (T, {}), (T,{NATO}), (T,{SIOP}), (T,{NATO,SIOP}), (S, {}), (S,{NATO}), (S,{SIOP}), (S,{NATO,SIOP}), (U, {}) ]. R dominates, as described for B-LP –Convince yourself that the dominates relation is reflexive, antisymmetric and transitive.

Bell-LaPadula Example U,{ } S,{SIOP} S,{NATO} T,{ } T,{NATO,SIOP} T,{SIOP}T,{NATO} S,{NATO,SIOP} S, { } Least upper bound: T,{NATO,SIOP} Greatest Lower Bound: U,{ }

End of Lattice modeling discussion Consider what can be done at compile time and execution time

Compiler-based –Verifies that information flows throughout a program are authorized. Determines if a program could violate a flow policy. Execution-based –Prevents information flows that violate policy. Both analyze code Execution-based typically requires tracking the security level of the PC as the program executes. Recognizing Information Flows

Compiler Mechanisms Declaration approach –x–x: integer class { A,B } –S–Specifies what security classes of information are allowed in x Function parameter: class = argument Function result: class =  parameter classes –U–Unless function verified stricter Rules for statements –A–Assignment: LHS must be able to receive all classes in RHS –C–Conditional/iterator: then/else must be able to contain if part Verifying a program is secure becomes type checking!

Assignments: –x = w+y+z; – lub{w,y,z}  x Compound Statements: begin x = y+z; a = b+c –x end lub{y,z}  x and lub{b,c,x}  a Examples

int sum (int x class{x}) { int out class{x, out}; out = out + x; } What is required for this to be a secure flow? x  out and out  out Compiler-Based Mechanisms

Iterative statements - Information can flow from the absence of execution. while f(x 1, x 2, …, x n ) do S; Which direction are the flows? –from var’s in the conditional stmt thru assignments to variables in S For iterative statements to be secure: 1.Statement terminates 2.S is secure 3.lub { x 1, x 2, …, x n }  glb {target of an assignment of S} Compiler-Based Mechanisms

Execution Mechanisms Problem with compiler-based mechanisms –May be too strict –Valid executions not allowed Solution: run-time checking Difficulty: implicit flows –if x=1 then y:=0; –When x:=2, does information flow to y? Solution: Data mark machine –Tag variables –Tag Program Counter –Any branching statement affects PC security level Affect ends when “non-branched” execution resumes

Data Mark: Example Statement involving only variables x –If PC ≤ x then statement Conditional involving x: – Push PC, PC = lub(PC,x), execute inside – When done with conditional statement, Pop PC Call: Push PC Return: Pop PC Halt – if stack empty then halt execution

Covert Channels Covert channels are found in everyday life Name some!

Covert Channels A path of communication that was not designed to be used for communication An information flow that is not controlled by a security mechanism Can occur by allowing low-level subjects to see names, results of comparisons, etc. of high-level objects Difficult to find, difficult to control, critical to success

Covert Channels Program that leaks confidential information intentionally via secret channels. Not that hard to leak a small amount of data –A 64 bit shared key is quite small! Example channels –Adjust the formatting of output: use the “\t” character for “1” and 8 spaces for “0” –Vary timing behavior based on key

Definition of convert channel Definition 1 : A communication channel is covert if it is neither designed nor intended to transfer information at all Definition 2 : A communication channel is covert if it is based on transmission by storage into variables that describe resource states Definition 3 : Those channels that are a result of resource allocation policies and resource management implementation Definition 4 : Those that use entities not normally viewed as data objects to transfer information from one subject to another Definition 5 : Given a non-discretionary security policy model M and its interpretation I(M) in an operating system, any potential communication between two subjects I(S1) and I(S2) of I(M) is covert if and only if any communication between the corresponding subjects S1 and S2 of the model M is illegal in M.

Covert Channels Result From Sender Receiver Legitimate information flow Unauthorized information flow information encoding information decoding Transfer unauthorized information Do not violate access control and other security mechanisms Available almost anytime Result from following conditions Design oversight during system or network implementation Incorrect implementation or operation of the access control mechanism Existence of a shared resource between the sender and the receiver The ability to implant and hide a Trojan horse

Covert Channels client, server and collaborator processes encapsulated server can still leak to collaborator via covert channels

Covert storage channel Involves the direct or indirect writing to storage location by one process and direct or indirect reading of the storage by another process. Example storage mechanisms Disk space Print spacing File naming Sender Receiver Storage area (e.g. disk, memory)

Covert Channels A covert channel using file locking

Covert timing channel Signals information to another by modulating its own use of system resource is such way that this manipulation affects the real response time observed by second process. Sequence of events CPU utilization Resource availability Sender Receiver Event

Differential Power Analysis Read the value of a DES password off of a smartcard by watching power consumption! This figure shows simple power analysis of DES encryption. The 16 rounds are clearly visible.

Covert channel identification: Shared resource matrix (SRM) method Four steps 1. Analyze all Trusted Computing Base primitive operations 2. Build a shared resource matrix 3. Perform a transitive closure on the entries of the SRM 4. Analyze each matrix column containing row entries with either ‘R’ or ‘M’ L : legal channel exists N : one cannot gain useful information from channel S : sending and receiving processes are the same P : potential channel exists primitives access chmod write link mode file table shared global variables R RM M... R : Read M : Modify

Covert channel identification: Shared resource matrix (SRM) method Conditions 1. Two or more process must have access to a common resource 2. At least One process must be able to alter the condition of the resource 3. The other process must be able to sense if the resource has been altered 4. There must be a mechanism for initiating and sequencing communications over this channel Advantages Can be applied to both formal and informal specifications Does not differentiate between storage and timing channels Does not require that security levels be assigned to internal TCP variables Drawbacks Individual TCB primitives cannot be proven secure in isolation May identify potential channels that could otherwise be eliminated automatically by information flow analysis

Covert Channel Mitigation Can covert channels be eliminated? –Eliminate shared resource? Severely limit flexibility in using resource –Otherwise we get the halting problem –Example: Assign fixed time for use of resource Closes timing channel Not always realistic –Do we really need to close every channel?

Covert Channel Analysis Solution: Accept covert channel –But analyze the capacity How many bits/second can be “leaked” Allows cost/benefit tradeoff –Risk exists –Limits known Example: Assume data time-critical –Ship location classified until next commercial satellite flies overhead –Can covert channel transmit location before this?

Conclusion Have you ever used or even seen a language with security types? Why not? Under what circumstances would you worry about covert channels?

Back Ups

Formal Definition Flow from x to y if H(x s | y t ) < H(x s | y s ) Has the uncertainty of x s gone down from knowing y t ? Examples showing possible flow from x to y: –y := x No uncertainty – H(x|y) = 0 –y := x / z Greater uncertainty (we only know x for some values of y) –Why possible? –Does information flow from y to x?

while i < n do begin a[i] = b[i]; // S1 i = i + 1; // S2 end; –List the requirements for this to be a secure flow. May want to draw a lattice. –Reqt’s for each stmt S1, S2. –Reqt’s for conditional –“Combine” the requirements – See homework Iteration Example