A Lattice Model of Secure Information Flow By Dorothy E. Denning Presented by Drayton Benner March 22, 2000.

Agenda
- Introduction
- The Information Flow Model
- Enforcement of Security
- Mechanisms for Static Binding
- Mechanisms for Dynamic Binding
- Conclusions

Introduction
- Security: “no unauthorized flow of information is possible”
- Data from files/users of higher security cannot be transmitted to files/users of lower security, directly or indirectly
- Goal: “to find suitable and viable restrictions according to which the security of a system would not only be decidable, but simply so.”

The Model
- FM = 
- N = { a, b, … } is a set of logical storage objects or information receptacles: files, segments, program variables, and also users.
- P = processes. “Processes are the active agents responsible for all information flow.”

The Model (cont.)
- FM = 
- SC = { A, B, … } is a set of security classes.
- The security classes are disjoint classes of information.
- Every object belongs to a security class.
- An example would be { public knowledge, confidential, secret, top secret, only available to teenage hackers }.

The Model (cont.)
- FM = 
- Binding of objects to security classes can be static or dynamic.
- With static binding, the security class of an object never changes. With dynamic binding, the object’s security class can change based on the contents of the object.
- A process can also be bound to a security class.

The Model (cont.)
- FM = 
-  is a class combining (binary) operator that is associative and commutative.
- Let A and B be security classes. A  B refers to the security class of the result of any binary function on values a and b (a = A, b = B).
-  is function independent.

The Model (cont.)
- FM = 
-  is a flow relation.
- A  B if and only if information in class A is allowed to flow to class B.
- Information can be passed by copying, assignment, I/O, parameter passing, message sending, etc.
- Concerned with information flow on “legitimate” and “storage” channels, not “covert” channels.

The Model (cont.)
- FM = 
- The purpose of defining a flow model FM is to be able to say: “FM is secure if and only if execution of a sequence of operations cannot give rise to a flow that violates the relation ‘  ’.”

Universally bounded lattice
- What is a universally bounded lattice? “a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set.”
- So, what is a partially ordered set? A set with a relation R that is reflexive, transitive, and antisymmetric.

Universally Bounded Lattice (cont.)
- So, what are least upper and greatest lower bounds?
- Suppose <= is the relation. C is an upper bound of A and B if A <= C and B <= C. C is a least upper bound of A and B if, for any upper bound D of A and B, C <= D. Lower bounds and greatest lower bounds work the same way.

Derivation of Lattice Structure
- First we show that  is a poset.
- Reflexive: A  A (for consistency’s sake)
- Transitive: if A  B and B  C, then A  C (for consistency’s sake)
- Antisymmetric: if A  B and B  A, then A = B (otherwise you have a superfluous security class, so this assumption can be made without loss of generality)

Derivation of Lattice Structure (cont.)
- Second, we assume SC is finite, because we are hopefully dealing with the real world.
- Third, we can assume that there exists a lower bound L on SC without loss of generality. If needed, we can insert L with no objects. Or, perhaps, we could fill it with constants.
- Fourth, we show that  is a least upper bound operator.

Derivation of Lattice Structure (cont.)
- A  B is an upper bound of A and B because, by definition, information must be able to flow from A or B into A  B.
- A  B is a least upper bound because an upper bound C of A and B can get information from A and B in the same way as A  B, so preventing information from flowing from A  B to C does not make sense.

Derivation of Lattice Structure (cont.)
- Similarly to the  operator, we can define the  operator such that A  B is the greatest lower bound of A and B.
- The greatest lower bound of SC we call L, and the least upper bound of SC we call H.
- Thus, we have established that SC, “  ”, and “  ” form a universally bounded lattice with greatest lower bound L and least upper bound H.
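The slides argue the lattice properties in prose; the following added example (my own code, not from Denning's paper or the presentation) checks them mechanically on a small constructed set of security classes. It uses the familiar (level, category-set) product lattice with three levels and two categories, verifies that the flow relation is a poset, that the class-combining operator and its dual really give least upper and greatest lower bounds, and finds L and H. The names flows_to, join and meet are my own labels for the relation and the two operators, and the levels and categories are constructed sample values.

```python
from itertools import combinations, product
from typing import FrozenSet, List, Tuple

# Constructed example lattice (not from the paper or the slides): a security
# class is a (level, categories) pair, the usual product lattice.
LEVELS = ("unclassified", "confidential", "secret")
CATEGORIES = ("crypto", "nuclear")

SecurityClass = Tuple[int, FrozenSet[str]]


def all_classes() -> List[SecurityClass]:
    """Enumerate the finite set SC: every level paired with every subset of categories."""
    classes = []
    for level in range(len(LEVELS)):
        for r in range(len(CATEGORIES) + 1):
            for cats in combinations(CATEGORIES, r):
                classes.append((level, frozenset(cats)))
    return classes


def flows_to(a: SecurityClass, b: SecurityClass) -> bool:
    """Flow relation: a may flow to b iff the level does not drop and no category is lost."""
    return a[0] <= b[0] and a[1] <= b[1]


def join(a: SecurityClass, b: SecurityClass) -> SecurityClass:
    """Class-combining operator: the class of any value computed from a and b."""
    return (max(a[0], b[0]), a[1] | b[1])


def meet(a: SecurityClass, b: SecurityClass) -> SecurityClass:
    """Greatest lower bound: the most permissive class that flows to both a and b."""
    return (min(a[0], b[0]), a[1] & b[1])


def is_poset(classes: List[SecurityClass]) -> bool:
    """Reflexivity, antisymmetry and transitivity of flows_to over the given classes."""
    reflexive = all(flows_to(a, a) for a in classes)
    antisymmetric = all(
        a == b or not (flows_to(a, b) and flows_to(b, a))
        for a, b in product(classes, repeat=2)
    )
    transitive = all(
        not (flows_to(a, b) and flows_to(b, c)) or flows_to(a, c)
        for a, b, c in product(classes, repeat=3)
    )
    return reflexive and antisymmetric and transitive


def is_lub(classes, a, b, c) -> bool:
    """c is the least upper bound of a and b: an upper bound in SC that flows to every upper bound."""
    upper = c in classes and flows_to(a, c) and flows_to(b, c)
    return upper and all(flows_to(c, d) for d in classes if flows_to(a, d) and flows_to(b, d))


def is_glb(classes, a, b, c) -> bool:
    """c is the greatest lower bound of a and b: a lower bound in SC that every lower bound flows to."""
    lower = c in classes and flows_to(c, a) and flows_to(c, b)
    return lower and all(flows_to(d, c) for d in classes if flows_to(d, a) and flows_to(d, b))


def is_universally_bounded_lattice(classes: List[SecurityClass]) -> bool:
    """Finite poset in which join/meet give the LUB/GLB of every pair of classes."""
    if not is_poset(classes):
        return False
    return all(
        is_lub(classes, a, b, join(a, b)) and is_glb(classes, a, b, meet(a, b))
        for a, b in product(classes, repeat=2)
    )


def bounds(classes: List[SecurityClass]) -> Tuple[SecurityClass, SecurityClass]:
    """L (flows to every class) and H (every class flows to it)."""
    low = [x for x in classes if all(flows_to(x, y) for y in classes)]
    high = [x for x in classes if all(flows_to(y, x) for y in classes)]
    assert len(low) == 1 and len(high) == 1, "not universally bounded"
    return low[0], high[0]


if __name__ == "__main__":
    sc = all_classes()
    print("lattice:", is_universally_bounded_lattice(sc))
    print("L, H:", bounds(sc))
    a, b = (1, frozenset({"crypto"})), (0, frozenset({"nuclear"}))
    print("incomparable:", not flows_to(a, b) and not flows_to(b, a))
    print("join:", join(a, b), "meet:", meet(a, b))
```

Dropping the top class from the set makes the check fail, because join of (secret, {crypto}) and (secret, {nuclear}) is then no longer a member of SC; this is the mirror image of the slide's remark that L can be inserted if it is missing.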

Enforcement of Security
- The goal, of course, of deriving this information flow model is to help us enforce security.
- To do this, we must monitor all flow-causing operations (yikes!!!).
- We must monitor explicit flow (assignment, I/O) and implicit flow.
- An example of implicit flow: if a = 0 then b := c can cause information to flow from a to b whether or not the line b := c is executed.

Enforcement of Security (cont.)
- We want to represent a program or statement S in a way that easily allows us to evaluate whether or not it is secure.
- Define S recursively:
  - S is an elementary statement (assignment, I/O)
  - S = S1; S2
  - S = c: S1, …, Sm (c is an m-valued variable)

Enforcement of Security (cont.)
- For elementary statements, S is secure if any explicit flow caused by S is secure.
- For S = S1; S2, S is secure if both S1 and S2 are secure.
- For S = c: S1, …, Sm, S is secure if each Sk is secure and all implicit flows from c are secure.
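As an added illustration of the three recursive rules on this slide and the statement forms on the previous one (example code of my own, not Denning's certification mechanism or the presenter's), the following certifier walks a tuple-encoded statement tree over a constructed two-class lattice and reports every explicit flow whose source class does not flow to the target, and every implicit flow from a selector c to an object assigned in any branch, whether or not that branch would execute. The tuple encoding, the names certify and assigned_objects, and the sample programs are assumptions of the example; constants are given the lowest class L.

```python
from typing import Dict, List, Set

# Constructed two-point lattice (not the slides' notation): "low" flows to "high".
# join() is the class-combining operator; a constant has the lowest class L = "low".
LEVELS = ("low", "high")


def flows_to(a: str, b: str) -> bool:
    return LEVELS.index(a) <= LEVELS.index(b)


def join(a: str, b: str) -> str:
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


# Statements follow the slides' recursive definition, encoded as tuples:
#   ("assign", target, [operand objects])   elementary statement b := f(a1, ..., an)
#   ("seq", [S1, S2, ...])                  S1 ; S2
#   ("cond", c, [S1, ..., Sm])              c: S1, ..., Sm  (the value of c selects one Sk)

def assigned_objects(stmt) -> Set[str]:
    """Objects that some path through stmt may write: the receivers of implicit flows."""
    kind = stmt[0]
    if kind == "assign":
        return {stmt[1]}
    children = stmt[1] if kind == "seq" else stmt[2]
    return set().union(*(assigned_objects(s) for s in children)) if children else set()


def certify(stmt, classes: Dict[str, str]) -> List[str]:
    """Return the list of flow violations; the statement is certified secure iff it is empty."""
    kind = stmt[0]
    violations: List[str] = []
    if kind == "assign":
        _, target, operands = stmt
        source = "low"                       # class of a constant
        for obj in operands:
            source = join(source, classes[obj])
        if not flows_to(source, classes[target]):
            violations.append(f"explicit flow {operands} -> {target}: {source} does not flow to {classes[target]}")
    elif kind == "seq":
        for s in stmt[1]:
            violations += certify(s, classes)
    elif kind == "cond":
        _, selector, branches = stmt
        for s in branches:
            violations += certify(s, classes)
        # Implicit flow: which branch ran reveals the selector to every object
        # written in any branch, whether or not that branch executes.
        for target in sorted(assigned_objects(stmt)):
            if not flows_to(classes[selector], classes[target]):
                violations.append(f"implicit flow {selector} -> {target}: {classes[selector]} does not flow to {classes[target]}")
    else:
        raise ValueError(f"unknown statement kind {kind!r}")
    return violations


# Constructed sample programs. LEAKY is the slides' "if a = 0 then b := c" with a
# two-valued selector; the empty seq is the branch taken when a != 0.
CLASSES = {"a": "high", "b": "low", "c": "low", "d": "high"}
LEAKY = ("cond", "a", [("assign", "b", ["c"]), ("seq", [])])
SAFE = ("seq", [("assign", "d", ["a", "c"]),
                ("cond", "a", [("assign", "d", ["c"]), ("seq", [])])])

if __name__ == "__main__":
    for name, prog in (("leaky", LEAKY), ("safe", SAFE)):
        print(name, certify(prog, CLASSES) or "certified secure")
```

Note that the assignment b := c inside LEAKY is itself fine (low to low); the rejection comes entirely from the conditional rule, which is what makes the certification catch the flow from a without ever running the program.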

Enforcement of Security (cont.)
- Some or all of these security requirements are used in the following:
  - ADEPT-50
  - The MITRE system
  - The Case system
  - Rotenberg’s Privacy Restriction Processor
  - Fenton’s Data Mark Machine
  - Gat and Saal (proposed)
  - Jones and Lipton (proposed)
  - Denning (proposed)

Mechanisms for Static Binding
- Mechanisms for static binding can operate at run-time or at compile-time.
- Access control mechanisms operate at run-time.
- The Data Mark Machine also operates at run-time.
- The certification mechanism operates at compile-time.

Access Control Mechanisms
- Both the Case system and the MITRE system use access control mechanisms.
- Each process has an associated clearance (security) class.
- This clearance class is the highest class from which the process can read and the lowest class into which the process can write.

The Data Mark Machine
- Proposed by Fenton to run on an abstract computer called a Data Mark Machine.
- A security class p is associated with the program counter of the process p.
- When a conditional structure c: S1, …, Sm is reached, p is pushed onto the stack, and the new security class is c  p. Once the conditional is finished, the old value p is popped off the stack.

Certification Mechanism
- This is a mechanism proposed by the author.
- Compile-time advantages:
  - Execution is guaranteed to be secure before the program runs.
  - The program’s speed is not impaired.
  - Higher-level language constructs can be used in the certification process rather than low-level hardware instructions.

Certification Mechanism (cont.)
- Compile-time disadvantages:
  - Flows caused by programming language implementation defects cannot be verified (e.g. unchecked array bounds)
  - Hardware malfunctions can cause insecure behavior
  - The programmer has to assign a security level to each object in the program

Mechanisms for Dynamic Binding
- If a system is based purely on dynamic binding, it’s useless: a user at a low security level can raise his security level simply by accessing high security information.
- Dynamic Data Mark Machine
- Nondecreasing Class Mechanisms

Dynamic Data Mark Machine
- A modified version of the Data Mark Machine designed for dynamic binding.
- Whenever information flows from objects to a dynamically bound object, the class of the dynamically bound object is updated to be the join (least upper bound) of the classes of the source objects and the class of the program counter.
- Security violations can occur using this system because it does not adequately consider implicit flow. Modifications have been proposed by Fenton, Gat and Saal, and Denning.

Nondecreasing Class Mechanisms
- This method of dynamically binding objects operates under the principle that the security class of an object never goes down.
- That is, if information flows from an object a to an object b, the security class of b is updated to be a  b.
- This mechanism is used in the ADEPT system and Rotenberg’s Processor system. Neither of these systems adequately considers implicit flow.
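To make the three run-time mechanisms from the Data Mark Machine slide and the two dynamic-binding slides above concrete, the following added example (my own code, not Fenton's machine, Denning's paper or the presenter's material) executes one constructed program under each of them: the Data Mark Machine with static binding and a program-counter class stack, the dynamic Data Mark Machine, and the nondecreasing class mechanism. The program is written so that a low-class object c ends up holding a value that depends on the high-class object a only through two conditionals, which is exactly the implicit flow the slides say the dynamic mechanisms do not adequately consider. The two-class lattice, the tuple encoding of statements, the mechanism names and the helper functions are assumptions of the example.

```python
from typing import Dict, List, Optional, Tuple, Union

# Constructed two-point lattice: "low" flows to "high"; join is the class-combining operator.
LEVELS = ("low", "high")


def flows_to(a: str, b: str) -> bool:
    return LEVELS.index(a) <= LEVELS.index(b)


def join(a: str, b: str) -> str:
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


Source = Union[str, int]   # an object name or an integer constant (class "low")

# Constructed mini-language:
#   ("assign", target, source)        b := a   or   b := 0
#   ("seq", [S1, S2, ...])            S1 ; S2
#   ("ifzero", c, S_then, S_else)     the slides' "if c = 0 then ..." with two branches


class SecurityViolation(Exception):
    pass


def execute(stmt, values: Dict[str, int], classes: Dict[str, str], mechanism: str,
            pc_stack: Optional[List[str]] = None) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Run stmt under one run-time mechanism; returns the final (values, classes)."""
    if pc_stack is None:                    # top-level call: work on copies, pc starts at L
        values, classes, pc_stack = dict(values), dict(classes), ["low"]
    pc = pc_stack[-1]
    kind = stmt[0]
    if kind == "assign":
        _, target, source = stmt
        src_class = classes[source] if isinstance(source, str) else "low"
        if mechanism == "dmm":
            # Static binding: classes never change. The Data Mark Machine checks that the
            # join of the source class and the program-counter class flows to the target.
            if not flows_to(join(src_class, pc), classes[target]):
                raise SecurityViolation(f"{source} (pc {pc}) -> {target}")
        elif mechanism == "dynamic_dmm":
            # Dynamic binding: target takes the join of the sources and the pc class.
            classes[target] = join(src_class, pc)
        elif mechanism == "nondecreasing":
            # Dynamic binding: target class only ever rises; no program-counter class.
            classes[target] = join(src_class, classes[target])
        else:
            raise ValueError(f"unknown mechanism {mechanism!r}")
        values[target] = values[source] if isinstance(source, str) else source
    elif kind == "seq":
        for s in stmt[1]:
            execute(s, values, classes, mechanism, pc_stack)
    elif kind == "ifzero":
        _, selector, s_then, s_else = stmt
        branch = s_then if values[selector] == 0 else s_else
        if mechanism == "nondecreasing":
            execute(branch, values, classes, mechanism, pc_stack)
        else:
            pc_stack.append(join(classes[selector], pc))    # push p; new class is c join p
            execute(branch, values, classes, mechanism, pc_stack)
            pc_stack.pop()                                   # conditional finished: restore p
    else:
        raise ValueError(f"unknown statement kind {kind!r}")
    return values, classes


# Constructed program: c's final value equals 1 exactly when a != 0, but c is only
# ever written from a constant under a low-class selector b.
CLASSES = {"a": "high", "b": "low", "c": "low"}
PROGRAM = ("seq", [
    ("assign", "b", 0),
    ("assign", "c", 0),
    ("ifzero", "a", ("assign", "b", 1), ("seq", [])),
    ("ifzero", "b", ("assign", "c", 1), ("seq", [])),
])


def run_with(mechanism: str, a_value: int):
    return execute(PROGRAM, {"a": a_value, "b": 0, "c": 0}, CLASSES, mechanism)


def dmm_rejects(a_value: int) -> bool:
    """True if the static-binding Data Mark Machine aborts this run."""
    try:
        run_with("dmm", a_value)
    except SecurityViolation:
        return True
    return False


def observed_c(mechanism: str) -> Dict[int, Tuple[int, str]]:
    """(value, class) of c for a = 0 and a = 1; a leak if values differ while the class stays low."""
    return {a: (r[0]["c"], r[1]["c"]) for a in (0, 1) for r in [run_with(mechanism, a)]}


if __name__ == "__main__":
    print("dmm rejects a=0:", dmm_rejects(0), "a=1:", dmm_rejects(1))
    for m in ("dynamic_dmm", "nondecreasing"):
        print(m, observed_c(m))
```

Under the static Data Mark Machine the run with a = 0 aborts at b := 1 because the program-counter class is high; the check fires only when the offending assignment actually executes, so the run with a = 1 completes. Under both dynamic mechanisms every run completes and c is left in class low in both cases while its value still tells a = 0 from a != 0: the dynamic Data Mark Machine raises b's class when the first branch runs but cannot act on the branch that did not run, and the nondecreasing mechanism never raises b's class at all since the constant 1 is low.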

Conclusions
- Applications of the model and mechanisms described:
  - Confinement: do not let a process leak confidential information
  - Databases: the ability to control the flow of raw data in the database as well as the flow of correlations of the data
  - Some requirements modeled by an access matrix have been omitted. Practical systems need both access and flow control.

Questions?