A Lattice Model of Secure Information Flow By Dorothy E. Denning Presented by Drayton Benner March 22, 2000

Agenda  Introduction  The Information Flow Model  Enforcement of Security  Mechanisms for Static Binding  Mechanisms for Dynamic Binding  Conclusions

Introduction  Security – “no unauthorized flow of information is possible”  Data from files/users of higher security can not be transmitted to files/users of lower security directly or indirectly  Goal: “to find suitable and viable restrictions according to which the security of a system would not only be decidable, but simply so.”

The Model  FM =  N = { a, b, … } – a set of logical storage objects or information receptacles – files, segments, program variables, and also users.  P = processes. “Processes are the active agents responsible for all information flow.”

The Model (cont.)  FM =  SC = { A, B, …} is a set of security classes.  The security classes are disjoint classes of information.  Every object belongs to a security class.  An example would be { public knowledge, confidential, secret, top secret, only available to teenage hackers }.

The Model (cont.)  FM =  Binding of objects to security classes can be static or dynamic.  With static binding, the security class of an object never changes. With dynamic binding, the object’s security class can change based on the contents of the object.  A process can also be bound to a security class.

The Model (cont.)  FM =   is a class combining (binary) operator that is associative and commutative.  Let A and B be security classes. A  B refers to the security class of the result of any binary function on values a and b (a = A, b = B).   is function independent.

The Model (cont.)  FM =   is a flow relation.  A  B if and only if information in class A is allowed to flow to class B.  Information can be passed by copying, assignment, I/O, parameter passing, message sending, etc.  Concerned with information flow on “legitimate” and “storage” channels, not “covert” channels.

The Model (cont.)  FM =  The purpose of coming up with a flow model FM is for us now to be able to say that “FM is secure if and only if execution of a sequence of operations cannot give rise to a flow that violates the relation ‘  ’.”

Universally bounded lattice  What is a universally bounded lattice?  “a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set.”  So, what is a partially ordered set?  a set with a relation R that is reflexive, transitive, and antisymmetric

Universally Bounded Lattice (cont.)  So, what are least upper and greatest lower bounds?  Suppose <= is the relation. C is an upper bound of A and B if A <= C and B <= C. C is a least upper bound of A and B if for any upper bound D of A and B, C <= D. Lower bounds and greatest lower bounds work the same way.

Derivation of Lattice Structure  First we show that is a poset.  Reflexive: A  A (for consistency sake)  Transitive: if A  B and B  C, then A  C (for consistency sake)  Antisymmetric: if A  B and B  A, then A = B (otherwise, you have a superfluous security class, so this assumption can be made without loss of generality)

Derivation of Lattice Structure (cont.)  Second, we assume SC is finite because we are hopefully dealing with the real world.  Third, we can assume that there exists a lower bound L on SC without loss of generality. If needed, we can insert L with no objects. Or, perhaps we could fill it with constants.  Fourth, we show that  is a least upper bound operator.

Derivation of Lattice Structure (cont.)  A  B is an upper bound of A and B because from the definition information must be able to flow from A or B into A  B.  A  B is a least upper bound because an upper bound C of A and B can get information from A and B in the same way as A  B, so preventing information from flowing from A  B to C does not make sense.

Derivation of Lattice Structure (cont.)  Similar to the  operator, we can define the  operator such that A  B is the greatest lower bound of A and B.  The greatest lower bound of SC we call L, and the least upper bound of SC we call H.  Thus, we have established that SC, “  ”, and “  ” form a universally bounded lattice with greatest lower bound L and least upper bound H.

Enforcement of Security  The goal, of course, of deriving this information flow model is for it to help us enforce security.  To do this, we must monitor all flow causing operations (yikes!!!).  We must monitor explicit flow (assignment, I/O) and implicit flow.  An example of implicit flow: if a = 0 then b := c can cause information to flow from a to b whether or not the line b := c is executed.

Enforcement of Security (cont.)  We want to represent a program or statement S in a way that easily allows us to evaluate whether or not it is secure.  Define S recursively: –S is an elementary statement (assignment, I/O) –S = S 1 ; S 2 –S = c: S 1, …, S m (c is an m-valued variable)

Enforcement of Security (cont.)  For elementary statements, S is secure if any explicit flow caused by S is secure.  For S = S 1 ; S 2, S is secure if both S 1 and S 2 are secure.  For S = c: S 1, …, S m, S is secure if each S k is secure and all implicit flows from c are secure.

Enforcement of Security (cont.)  Some or all of these security requirements are being used in the following: –ADEPT-50 –The MITRE system –The Case system –Rotenberg’s Privacy Restriction Processor –Fenton’s Data Mark Machine –Gat and Saal (proposed) –Jones and Lipton (proposed) –Denning (proposed)

Mechanisms for Static Binding  Mechanisms for static binding can occur at run-time or at compile-time.  Access Control Mechanisms operate at run- time.  The Data Mark Machine also operates at run-time.  The Certification Mechanism operates at compile-time.

Access Control Mechanisms  Both the Case system and the MITRE system use Access Control Mechanisms.  Each process has an associated clearance (security) class.  This clearance class is the highest class from which the process can read and the lowest class into which the process can write.

The Data Mark Machine  Proposed by Fenton to run on an abstract computer called a Data Mark Machine.  A security class p is associated with the program counter of the process p.  When a conditional structure c: S 1, …, S m is reached, p is pushed onto the stack, and the new security class is c  p. Once the conditional is finished, the old value p is popped off the stack.

Certification Mechanism  This is a mechanism proposed by the author.  Compile-time advantages: –Execution is guaranteed to be secure before it executes. –The program’s speed is not impaired. –Higher-level language constructs can be used in the certification process rather than low-level hardware instructions.

Certification Mechanism (cont.)  Compile-time disadvantages: –Flows caused by program language implementation defects cannot be verified (e.g. unchecked array bounds) –Hardware malfunctions can cause insecure behavior –The programmer has to assign a security level to each object in the program

Mechanisms for Dynamic Binding  If a system is based purely on dynamic binding, it’s useless. A user at a low security level can raise his security level simply by accessing high security information.  Dynamic Data Mark Machine  Nondecreasing Class Mechanisms

Dynamic Data Mark Machine  A modified version of the Data Mark Machine designed for dynamic binding.  Whenever information flows from objects to a dynamically bound object, the class of the dynamically bound object is updated to be the join (least upper bound) of the class of the objects and the class of the program counter.  Security violations can occur using this system because it does not adequately consider implicit flow. Modifications have been proposed by Fenton, Gat and Saal, and Denning.

Nondecreasing Class Mechanisms  This method of dynamically binding objects operates under the principle that the security class of an object never goes down.  That is, if information flows from an object a to an object b, the security class of b is updated to be a  b.  This mechanism is used in the ADEPT system and the Rotenberg’s Processor system. Neither of these systems adequately consider implicit flow.

Conclusions  Applications of the model and mechanisms described: –Confinement: do not let a process leak confidential information –Databases: ability to control the flow of raw data in the database as well as the flow of correlations of the data –Some requirements modeled by an access matrix have been omitted. Practical systems need access and flow control.

Questions?