1 Information Flow CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 22, 2004

2 Overview Information Flow Models Information Flow Models Confinement Flow Model Confinement Flow Model Compiler-Based Mechanisms Compiler-Based Mechanisms

3 Bell-LaPadula Model Information flows from A to B iff B dom A Information flows from A to B iff B dom A TS{R,P} TS{R} TS{P} S{R}S{P} S{}

4 Entropy-Based Analysis Command sequence takes a system from state s to state t Command sequence takes a system from state s to state t x s is the value of x at state s x s is the value of x at state s H(a | b) is the uncertainty of a given b H(a | b) is the uncertainty of a given b Def: A command sequence causes a flow of information from x to y if H(x s | y t ) < H(x s | y s ). If y does not exist in s, then H(x s | y s ) = H(x s ) Def: A command sequence causes a flow of information from x to y if H(x s | y t ) < H(x s | y s ). If y does not exist in s, then H(x s | y s ) = H(x s )

5 Example Flows y := x H(x s | y t ) = 0 tmp := x; y := tmp; H(x s | y t ) = 0

6 Another Example if (x==1) then y:= 0 else y := 1 Suppose x is equally likely to be 0 or 1, so H(x s ) = 1 But, H(x s | y t ) = 0 So, H(x s | y t ) < H(x s | y s ) = H(x s ) Thus, information flows from x to y. Def. An implicit flow of information occurs when information flows from x to y without an explicit assignment of the form y := f(x)

7 Requirements for Information Flow Models Reflexivity: information should flow freely among members of a class Reflexivity: information should flow freely among members of a class Transitivity: If b reads something from c and saves it, and if a reads from b, then a can read from c Transitivity: If b reads something from c and saves it, and if a reads from b, then a can read from c A lattice has a relation R that is reflexive and transitive (and antisymmetric)

8 Information Flow Models An Information flow policy I is a triple I = (SC I,  I, join I ), where SC I is a set of security classes,  I is an ordering relation on the elements of SC I, and join I combines two elements of SC I An Information flow policy I is a triple I = (SC I,  I, join I ), where SC I is a set of security classes,  I is an ordering relation on the elements of SC I, and join I combines two elements of SC I Example: Bell-LaPadula has security compartments for SC I, dom for  I and lub as join I Example: Bell-LaPadula has security compartments for SC I, dom for  I and lub as join I

9 Confinement Flow Model Associate with each object x a security class x Associate with each object x a security class x Def: The confinement flow model is a 4-tuple (I, O, confine, ) in which Def: The confinement flow model is a 4-tuple (I, O, confine, ) in which I = (SCI,  I, join I ) is a lattice-based info. flow policyI = (SCI,  I, join I ) is a lattice-based info. flow policy O is a set of entitiesO is a set of entities  : O  O is a relation with (a, b)   iff information can flow from a to b : O  O is a relation with (a, b)   iff information can flow from a to b for each a  O, confine(a) is a pair (a L, a U )  SC I  SC I, with a L  I a Ufor each a  O, confine(a) is a pair (a L, a U )  SC I  SC I, with a L  I a U if x  a U then information can flow from x to aif x  a U then information can flow from x to a if a L  x the information can flow from a to xif a L  x the information can flow from a to x

10 Example Confinement Model Let a, b, and c  O confine(a) = [ CONFIDENTIAL, CONFIDENTIAL] confine(b) = [SECRET, SECRET] confine(c) = [TOPSECRET, TOPSECRET] Then a  b, a  c, and b  c are the legal flows

11 Another Example Let a, b, and c  O confine(a) = [ CONFIDENTIAL, CONFIDENTIAL] confine(b) = [SECRET, SECRET] confine(c) = [CONFIDENTIAL, TOPSECRET] Then a  b, a  c, b  c, and c  a are the legal flows Note that b  c and c  a, but information cannot flow from b to a because b L  I a U is false So, transitivity fails to hold

12 Non-Lattice Information Flow Policies Government agency has public relation officers (PRO), analysts (A), and spymasters (S) 4 classifications of data: public  analysis, public  covert analysis  top-level, covert  top-level confine(PRO) = [public, analysis] confine(A) = [analysis, top-level] confine(S) = [covert, top-level] PRO  A, A  PRO, PRO  S, A  S, and S  A

13 Complier-Based Mechanisms Assignment statements Assignment statements Compound statements Compound statements Conditional statements Conditional statements Iterative statements Iterative statements

14 Assignment Statements y := f(x 1,..., x n ) Requirement for information flow to be secure is: lub {x 1,..., x n }  y lub {x 1,..., x n }  yExample: x := y + z; lub{y, z}  x

15 Compound Statements begin S 1 ;... S n ; end; Requirement for information flow to be secure: S 1 secure AND... AND S n secure

16 Conditional Statements if f(x 1,..., x n ) then S 1 ; else S 2 ; end; Requirement for information flow to be secure: S 1 secure AND S 2 secure AND lub{x 1,..., x n }  glb{y | y is the target of an assignment in S 1 or S 2 }

17 Example Conditional Statement if x + y < z then a := b; else d := b * c - x; end; b  a for S 1 lub{b, c, x}  d for S 2 lub{x, y, z}  glb{a, d} for condition

18 Iterative Statements while f(x 1,..., x n ) do S; Requirement for information flow to be secure: Iteration terminates S secure lub{x 1,..., x n }  glb{y | y is the target of an assignment in S}

19 Example Iteration Statement while i < n do begin a[i] := b[i]; i := i + 1; end; Loop terminates i  a[i] AND b[i]  a[i] for S 1 lub{i, b[i]}  a[i] for compound statement lub{b[i], i, n}  glb{a[i], i} for while condition