Fall 2011 - Privacy&Security - Virginia Tech – Computer Science. Information Flow Control: Language and System Level.

Slide 1: Information Flow Control, Language and System Level

Slide 2: Concept
- Information flow: long-term confinement of information to authorized receivers
- Controls how information moves among data handlers and data storage units
- Applied at the language, system, or application level
- Examples:
  - Ensure that "secret" data is only revealed to individuals with a suitably high clearance level
  - Guarantee that information available to a process cannot leak to the network
  - Certify that the outputs of a program contain only information derived from specified inputs

Slide 3: System Example
- Guarantee that the anti-virus (AV) scanner cannot leak to the network any data found in its scan of user files
- Possible leak methods:
  - Send data directly to a network connection
  - Conspire with other processes (e.g., sendmail or httpd)
  - Subvert another process and use its network access to send data
  - Leave data in /tmp for other processes (e.g., the AV update daemon) to send
  - Use other direct or indirect means of communication with the update daemon

Slide 4: Denning Model (Dorothy Denning)
- A flow model FM = <N, P, SC, ⊕, →> where
  - N = {a, b, …} is a set of logical storage objects
  - P = {p, q, …} is a set of processes (active objects)
  - SC = {A, B, …} is a set of security classes: disjoint classes of information
  - Each object a is bound to a security class, written a̲ (underlined a); the binding may be static or dynamic (varying with the object's content)
  - Class combining operator ⊕: A ⊕ B is the class of information obtained by combining information of classes A and B
  - Flow relation →: A → B iff information in class A is allowed to flow into class B

Slide 5: Example Security Classes (figure; adapted from K. Rosen, Discrete Mathematics and its Applications, 2003)
- Linear order of levels: public < confidential < secret < top secret
- Lattice of (level, compartment set) classes, ordered by level and by subset of compartments: (S,[]) at the bottom; above it (S,[dip]), (S,[mil]), (TS,[]); above those (S,[dip,mil]), (TS,[dip]), (TS,[mil]); (TS,[dip,mil]) at the top

Slide 6: Class Combining Operations (figure; same lattice as slide 5)
- ⊕ is the least upper bound: e.g. (S,[dip]) ⊕ (S,[mil]) = (S,[dip,mil]) and (TS,[]) ⊕ (S,[dip]) = (TS,[dip])
- ⊗ is the greatest lower bound: e.g. (TS,[dip]) ⊗ (S,[dip,mil]) = (S,[dip])

Slide 7: Implicit/Explicit Flows
- In the statement a = b + c; there is explicit flow from b to a and from c to a, written here as a ← b and a ← c
- In the statement if (a == 0) { b = c; }
  - there is an explicit flow from c to b (b ← c)
  - there is an implicit flow from a to b (b ← a), because comparing the value of b before and after the statement can reveal the value of a
- In the statement if (c) { a = b + 1; d = e + 2; }
  - explicit flows from b to a and from e to d (a ← b, d ← e)
  - implicit flows from c to a and from c to d (a ← c, d ← c)

Slide 8: Security Requirements
- Elementary statement S: b ← a1, …, an (b receives information from a1, …, an)
  - is secure if each flow b ← a_i is secure, i.e. if a_i → b for i = 1..n, i.e. if a1 ⊕ … ⊕ an → b is allowed
- Sequence S = S1; S2
  - is secure if both S1 and S2 are secure
- Conditional S = c: S1, …, Sn where S_i updates b_i
  - is secure if the implicit flows b_i ← c for i = 1..n are secure, i.e. if c → b1 ⊗ … ⊗ bn is allowed (⊗ is the greatest lower bound)

Slide 9: Static Binding
- Access control
  - Process p can read from a only if a → p
  - Process p can write to b only if p → b
  - In general, information reaches b from a through p only if a → p and p → b, so a → b holds by transitivity
- Data Mark Machine (Fenton)
  - Associate a security class p with the program counter
  - For a conditional structure c: S, push p onto the stack; set p to p ⊕ c; execute S; on exit restore p from the stack
  - For a statement S with b ← a1, …, an, verify that a1 ⊕ … ⊕ an ⊕ p → b

Slide 10: Static Binding, compiler-based
- For an elementary statement S: f(a1, …, an) → b, verify that a1 ⊕ … ⊕ an → b is allowed, and set the class of S to b
- For a sequence S = S1; S2, set the class of S to S1 ⊗ S2
- For a conditional structure S = c: S1, …, Sm, set the class of S to S1 ⊗ … ⊗ Sm and verify that c → S
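The lattice of slides 5 and 6 and the certification rules of slides 8 and 10, as an added worked example (written for these notes; it is not Denning's or the course's code). It assumes classes are (level, compartment set) pairs as on the lattice slides, a tiny abstract syntax of assignments, sequences and guarded statements, and a constructed environment binding variables statically to classes. It rejects the implicit-flow case from slide 7 even though the assignment inside the branch is itself legal.

```python
"""Denning-style lattice of security classes and Denning & Denning (1977)
compile-time certification of explicit and implicit flows.

Illustrative code added to these notes; not the authors' implementation.
Assumptions: classes are (level, compartment set) pairs as on the lattice
slides, and programs are a tiny abstract syntax of assignments, sequences
and guarded (conditional) statements.
"""
from dataclasses import dataclass
from functools import reduce
from typing import FrozenSet, List, Union

LEVELS = ["public", "confidential", "secret", "top secret"]   # linear order


@dataclass(frozen=True)
class SC:
    """Security class (level, compartments); A -> B iff level and set both grow."""
    level: str
    comps: FrozenSet[str] = frozenset()

    def __post_init__(self):
        object.__setattr__(self, "comps", frozenset(self.comps))

    def flows_to(self, other: "SC") -> bool:          # A -> B
        return (LEVELS.index(self.level) <= LEVELS.index(other.level)
                and self.comps <= other.comps)

    def join(self, other: "SC") -> "SC":              # A (+) B: least upper bound
        return SC(max(self.level, other.level, key=LEVELS.index),
                  self.comps | other.comps)

    def meet(self, other: "SC") -> "SC":              # A (x) B: greatest lower bound
        return SC(min(self.level, other.level, key=LEVELS.index),
                  self.comps & other.comps)


BOTTOM = SC("public")   # identity for join: constants carry no information


# Abstract syntax of the certified language.
@dataclass
class Assign:           # b <- f(a1, ..., an): explicit flows a_i -> b
    target: str
    sources: List[str]


@dataclass
class Seq:              # S1; S2; ...
    stmts: List["Stmt"]


@dataclass
class Cond:             # c: S1, ..., Sm (if/while guarded by c): implicit flows c -> b_i
    guard: str
    branches: List["Stmt"]


Stmt = Union[Assign, Seq, Cond]


class InsecureFlow(Exception):
    """Raised with a message naming the offending flow."""


def certify(stmt: Stmt, env: dict) -> SC:
    """Certify stmt under env (variable -> class); raise InsecureFlow on a violation.

    Returns the class of the statement: the greatest lower bound of the classes
    of every object it may update, which is what an enclosing guard must flow to.
    """
    if isinstance(stmt, Assign):
        src = reduce(SC.join, (env[a] for a in stmt.sources), BOTTOM)
        tgt = env[stmt.target]
        if not src.flows_to(tgt):
            raise InsecureFlow(f"explicit flow {stmt.sources} -> {stmt.target}: {src} !-> {tgt}")
        return tgt
    if isinstance(stmt, Seq):
        return reduce(SC.meet, (certify(s, env) for s in stmt.stmts))
    if isinstance(stmt, Cond):
        s = reduce(SC.meet, (certify(b, env) for b in stmt.branches))
        if not env[stmt.guard].flows_to(s):
            raise InsecureFlow(f"implicit flow {stmt.guard} -> {s} not allowed")
        return s
    raise TypeError(stmt)


def is_secure(stmt: Stmt, env: dict) -> bool:
    try:
        certify(stmt, env)
        return True
    except InsecureFlow:
        return False


# Constructed example: variables bound statically to classes of the lattice slide.
ENV = {
    "pub":     SC("public"),
    "sec":     SC("secret"),
    "sec_dip": SC("secret", {"dip"}),
    "ts_dip":  SC("top secret", {"dip"}),
    "ts_mil":  SC("top secret", {"mil"}),
}

# a = b + c with a = ts_dip, b = sec, c = pub: explicit flows only, allowed.
EXPLICIT_OK = Assign("ts_dip", ["sec", "pub"])
# if (ts_dip == 0) { sec = pub; }: the assignment is fine, the implicit flow
# ts_dip -> sec is not (slide 7's case: sec would reveal ts_dip).
IMPLICIT_BAD = Cond("ts_dip", [Assign("sec", ["pub"])])
# if (sec) { ts_dip = pub + 1; ts_mil = pub + 2; }: the guard must flow to
# ts_dip (x) ts_mil = (top secret, {}), which (secret, {}) does.
IMPLICIT_OK = Cond("sec", [Assign("ts_dip", ["pub"]), Assign("ts_mil", ["pub"])])

if __name__ == "__main__":
    for name, prog in [("EXPLICIT_OK", EXPLICIT_OK), ("IMPLICIT_BAD", IMPLICIT_BAD),
                       ("IMPLICIT_OK", IMPLICIT_OK)]:
        print(name, "secure" if is_secure(prog, ENV) else "rejected")
```

The class returned for a conditional is the meet of its branches' classes, so one low-classified target anywhere inside the guarded region is enough to reject a high guard; this is why the certification catches the leak without running the program.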

Slide 11: Dynamic Binding
- A purely dynamic binding is not practical
- Typically some objects, and most users, have a static security class
- Dynamic Data Mark Machine
  - It is difficult to account for implicit flows at run time (a branch not taken can still leak), so…
  - the compiler determines the implicit flows and
  - inserts additional instructions that update the class associated with the program counter accordingly
  - This accounts for implicit flows even if the flow is not executed

Slide 12: HiStar: System-Level Flow Control
- Basic ideas
  - Files and processes are associated with a label whose taint restricts flow to less tainted components
  - Many categories of taint, each owned by its creator
  - Selected components (e.g., wrap) can be given untainting privileges (ownership of a category)

Slide 13: Labels
- Structure: L = {c1 l1, c2 l2, …, cn ln, l_default}
  - Each c_i is a category and l_i is the taint level in that category
  - l_default is the level for categories not named in L
  - L(c) = l_i if c = c_i for some i, and l_default otherwise
- Levels: 0, 1, 2, 3 and ⋆ (ownership of the category); a lower level means less tainted, and the labels in the following slides use 1 as the default

Slide 14: Information Flow
- General rule: information can flow from O1 to O2 only if O2 is at least as tainted as O1 in every category, written L_O1 ⊑ L_O2 (L_O1(c) ≤ L_O2(c) for every category c)
- Information cannot flow from O1 to O2 if O1 is more tainted in some category than O2
- Example: thread T with L_T = {1}, object O with L_O = {c 3, 1}
  - L_T(c) = 1 < 3 = L_O(c), and both are at level 1 in every other category
  - Flow is permitted from T to O (i.e., T can write to O)
  - No flow is permitted from O to T (i.e., T cannot read or observe O)

Slide 15: Example with Labels (the virus-scanner example from the HiStar paper)
- User data is labeled {b_r 3, b_w 0, 1}, so that only an owner of b_r can read it (b_r 3) and only an owner of b_w can write it (b_w 0)
- The wrap program owns b_r (b_r ⋆), so it can read user data; it delegates this ownership to the scanner
- Wrap creates a new category v and runs the scanner tainted with v 3, which (1) prevents the scanner from modifying user data (user data is at the default level 1 in v, below the scanner's 3) and (2) prevents the scanner from communicating with the network (also at the default level in v); wrap owns v, so it alone can untaint the scanner's output

Slide 16: Notation
- Information flow: L1 ⊑ L2 iff L1(c) ≤ L2(c) for every category c
- Treatment of level ⋆
  - ⋆ should count as high when the owner reads, but low when the owner writes (owning a category lets a thread bypass its restriction in both directions)
  - The notation provides two ownership symbols: L⋆ replaces every ownership entry by ⋆, treated as the highest level; L⍟ replaces every ownership entry by ⍟, treated as the lowest level. For example, if L = {a ⋆, b ⍟, 1} then L⍟ = {a ⍟, b ⍟, 1} and L⋆ = {a ⋆, b ⋆, 1}
- Flow restriction (ownership is read as lowest on the source side and highest on the receiving side):
  - T can read/observe O only if L_O⍟ ⊑ L_T⋆
  - T can write/modify O only if L_T⍟ ⊑ L_O⋆
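The label structure of slide 13, the flow rule of slide 14, the ⋆-high/⋆-low read and write checks of slide 16 and the wrap/scanner/network example of slide 15, as one added worked example (written for these notes; it is not HiStar's code). The slides give no labels for the network, /tmp, the AV update daemon or the scanner's output segment, so the example assumes plain {1} for the first three and {v 3, 1} for the output, and the category names b_r, b_w and v are the slides' own.

```python
"""HiStar-style labels: categories with levels 0 < 1 < 2 < 3 and * (ownership),
the "is at most as tainted as" relation, the star-high / star-low readings used
for reads and writes, and the wrap / scanner / network example from the slides.

Illustrative code added to these notes; it is not HiStar's implementation.
Assumptions: the network, /tmp and the update daemon carry the plain label {1}
(the slides do not give their labels) and the scanner's own output segment
carries the scanner's taint {v 3, 1}.
"""

STAR = "*"                   # ownership of a category
STAR_HIGH, STAR_LOW = 4, -1  # numeric stand-ins for * read as the highest / lowest level


class Label:
    """L = {c1 l1, ..., cn ln, l_default}; L(c) is l_i for a named category, else l_default."""

    def __init__(self, default=1, **cats):
        for lvl in cats.values():
            assert lvl == STAR or lvl in (0, 1, 2, 3), lvl
        self.default = default
        self.cats = dict(cats)

    def __call__(self, c):
        return self.cats.get(c, self.default)

    def __repr__(self):
        named = ", ".join(f"{c} {l}" for c, l in self.cats.items())
        return "{" + (named + ", " if named else "") + str(self.default) + "}"


def leq(l1, l2, star1=STAR_HIGH, star2=STAR_HIGH):
    """L1 is at most as tainted as L2: L1(c) <= L2(c) in every category,
    with * read as star1 on the left and star2 on the right.

    Categories named in neither label are covered by comparing the defaults (c=None).
    """
    def num(lvl, star):
        return star if lvl == STAR else lvl
    cats = set(l1.cats) | set(l2.cats) | {None}
    return all(num(l1(c), star1) <= num(l2(c), star2) for c in cats)


def can_read(thread, obj):
    """T observes O only if L_O(star low) <= L_T(star high): an owner of a
    category may read anything in it, however tainted."""
    return leq(obj, thread, STAR_LOW, STAR_HIGH)


def can_write(thread, obj):
    """T modifies O only if L_T(star low) <= L_O(star high): the thread's own
    ownership is read as lowest, so an owner may write regardless of its taint."""
    return leq(thread, obj, STAR_LOW, STAR_HIGH)


def flows(src, dst):
    """Plain object-to-object rule (slide 14): src may affect dst only if src <= dst."""
    return leq(src, dst)


# Labels from the slides' virus-scanner example (b_r, b_w are the user's
# read/write categories; v is the category wrap creates for the scanner).
USER_DATA  = Label(1, b_r=3, b_w=0)            # only an owner of b_r reads, of b_w writes
WRAP       = Label(1, b_r=STAR, b_w=STAR, v=STAR)
SCANNER    = Label(1, b_r=STAR, v=3)           # wrap delegated b_r; tainted with v 3
RESULT     = Label(1, v=3)                     # assumed: the scanner's output segment
NETWORK    = Label(1)                          # assumed label
TMP        = Label(1)                          # assumed label of /tmp
UPDATER    = Label(1)                          # assumed label of the AV update daemon
OTHER_USER = Label(1)                          # a thread that owns nothing

if __name__ == "__main__":
    checks = [
        ("scanner reads user data",        can_read(SCANNER, USER_DATA)),
        ("other user reads user data",     can_read(OTHER_USER, USER_DATA)),
        ("scanner writes user data",       can_write(SCANNER, USER_DATA)),
        ("scanner writes network",         can_write(SCANNER, NETWORK)),
        ("scanner writes /tmp",            can_write(SCANNER, TMP)),
        ("scanner writes its result",      can_write(SCANNER, RESULT)),
        ("update daemon reads result",     can_read(UPDATER, RESULT)),
        ("wrap reads result (owns v)",     can_read(WRAP, RESULT)),
        ("wrap writes network",            can_write(WRAP, NETWORK)),
    ]
    for desc, ok in checks:
        print(f"{desc:32s} {'allowed' if ok else 'denied'}")
```

Every leak path listed on slide 3 comes out denied for the scanner (direct network write, /tmp, handing data to the update daemon), while wrap, the only owner of v, can both read the result and reach the network: that is the untainting step the kernel forces through a small piece of trusted code.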

Slide 17: Kernel Object Types
- Object structure (common to all kernel objects)
  - objectID (unique, 61 bits)
  - label (threads also have a clearance label)
  - quota
  - metadata (64 bytes)
  - flags
- Segment: variable-length byte array

Slide 18: Design Rationale
- Kernel interface
  - The contents of object A can only affect object B if, for every category c in which A is more tainted than B, a thread owning c takes part in the process
  - Provides an end-to-end guarantee of which system components can affect which others, without any need to understand component details
- Application structure
  - Organize applications so that the key categories are owned by small amounts of code
  - The bulk of the system is then not security critical