Slide 1: Information Flow
CSSE 490 Computer Security
Mark Ardis, Rose-Hulman Institute
April 22, 2004
Slide 2: Overview
- Information Flow Models
- Confinement Flow Model
- Compiler-Based Mechanisms
Slide 3: Bell-LaPadula Model
- Information flows from A to B iff B dom A
- (Lattice diagram of security classes, each a level with a set of categories: TS{R,P}, TS{R}, TS{P}, S{R}, S{P}, S{})
Slide 4: Entropy-Based Analysis
- A command sequence takes a system from state s to state t
- x_s is the value of x at state s
- H(a | b) is the uncertainty of a given b
- Def: A command sequence causes a flow of information from x to y if H(x_s | y_t) < H(x_s | y_s). If y does not exist in s, then H(x_s | y_s) = H(x_s)
Slide 5: Example Flows
- y := x            gives H(x_s | y_t) = 0
- tmp := x; y := tmp;   gives H(x_s | y_t) = 0
Slide 6: Another Example
- if (x == 1) then y := 0 else y := 1
- Suppose x is equally likely to be 0 or 1, so H(x_s) = 1
- But H(x_s | y_t) = 0
- So H(x_s | y_t) < H(x_s | y_s) = H(x_s)
- Thus, information flows from x to y.
- Def: An implicit flow of information occurs when information flows from x to y without an explicit assignment of the form y := f(x)
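The entropy definition on slide 4 can be applied mechanically: run a program once per equally likely value of x, tabulate the joint distribution of (x_s, y_t), and compare H(x_s | y_t) with H(x_s). The block below is an added example, not part of the slides; the three programs mirror slides 5 and 6, while `partial` and `constant` are constructed extra cases showing a one-bit leak and no leak at all.

```python
# Added example (not from the slides): quantify the slides' definition of
# information flow, H(x_s | y_t) < H(x_s | y_s), by running a tiny program on
# every value of x and measuring how much y_t reveals about x_s.
# The programs mirror slides 5 and 6; `partial` and `constant` are constructed.
import math
from collections import defaultdict

def conditional_entropy(joint):
    """H(X | Y) in bits for a joint distribution given as {(x, y): probability}."""
    p_y = defaultdict(float)
    for (_, y), p in joint.items():
        p_y[y] += p
    h = 0.0
    for (_, y), p in joint.items():
        if p > 0:
            h -= p * math.log2(p / p_y[y])   # p(x,y) * log2 p(x|y)
    return h

def joint_after(program, x_values):
    """Run `program(x) -> y` once per equally likely x_s; return {(x_s, y_t): p}."""
    p = 1.0 / len(x_values)
    return {(x, program(x)): p for x in x_values}

def flow_bits(program, x_values):
    """Bits of x_s revealed by y_t.  y does not exist in state s, so
    H(x_s | y_s) = H(x_s) = log2(#values) for uniformly distributed x."""
    h_before = math.log2(len(x_values))
    h_after = conditional_entropy(joint_after(program, x_values))
    return h_before - h_after

def flows(program, x_values):
    """The slide's definition: a flow exists iff H(x_s | y_t) < H(x_s | y_s)."""
    return flow_bits(program, x_values) > 1e-9

# Programs under analysis: x is the only input, the return value is y_t.
def explicit(x):        # y := x                              (slide 5)
    return x
def via_temp(x):        # tmp := x; y := tmp                  (slide 5)
    tmp = x
    return tmp
def implicit(x):        # if x == 1 then y := 0 else y := 1   (slide 6)
    return 0 if x == 1 else 1
def partial(x):         # y := x mod 2 -- constructed: leaks one bit of a two-bit x
    return x % 2
def constant(x):        # y := 0 -- constructed: no flow at all
    return 0

if __name__ == "__main__":
    for prog in (explicit, via_temp, implicit, partial, constant):
        domain = [0, 1, 2, 3] if prog is partial else [0, 1]
        print(f"{prog.__name__:9s} flow={flows(prog, domain)}  bits={flow_bits(prog, domain):.2f}")
```

The implicit flow on slide 6 scores exactly the same as the explicit assignment on slide 5 (one full bit), which is the point of the entropy view: it does not care whether the dependence went through an assignment or a branch.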
Slide 7: Requirements for Information Flow Models
- Reflexivity: information should flow freely among members of a class
- Transitivity: If b reads something from c and saves it, and if a reads from b, then a can read from c
- A lattice has a relation R that is reflexive and transitive (and antisymmetric)
Slide 8: Information Flow Models
- An information flow policy I is a triple I = (SC_I, ≤_I, join_I), where SC_I is a set of security classes, ≤_I is an ordering relation on the elements of SC_I, and join_I combines two elements of SC_I
- Example: Bell-LaPadula has security compartments for SC_I, dom for ≤_I, and lub as join_I
Slide 9: Confinement Flow Model
- Associate with each object x a security class, written x̄
- Def: The confinement flow model is a 4-tuple (I, O, confine, →) in which
  - I = (SC_I, ≤_I, join_I) is a lattice-based information flow policy
  - O is a set of entities
  - → : O × O is a relation with (a, b) ∈ → iff information can flow from a to b
  - for each a ∈ O, confine(a) is a pair (a_L, a_U) ∈ SC_I × SC_I, with a_L ≤_I a_U
    - if x̄ ≤_I a_U then information can flow from x to a
    - if a_L ≤_I x̄ then information can flow from a to x
Slide 10: Example Confinement Model
- Let a, b, and c ∈ O
- confine(a) = [CONFIDENTIAL, CONFIDENTIAL]
- confine(b) = [SECRET, SECRET]
- confine(c) = [TOPSECRET, TOPSECRET]
- Then a → b, a → c, and b → c are the legal flows
Slide 11: Another Example
- Let a, b, and c ∈ O
- confine(a) = [CONFIDENTIAL, CONFIDENTIAL]
- confine(b) = [SECRET, SECRET]
- confine(c) = [CONFIDENTIAL, TOPSECRET]
- Then a → b, a → c, b → c, and c → a are the legal flows
- Note that b → c and c → a, but information cannot flow from b to a because b_L ≤_I a_U is false
- So, transitivity fails to hold
Slide 12: Non-Lattice Information Flow Policies
- Government agency has public relations officers (PRO), analysts (A), and spymasters (S)
- 4 classifications of data, ordered as: public ≤ analysis, public ≤ covert, analysis ≤ top-level, covert ≤ top-level
- confine(PRO) = [public, analysis]
- confine(A) = [analysis, top-level]
- confine(S) = [covert, top-level]
- PRO → A, A → PRO, PRO → S, A → S, and S → A
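The rule on slide 9 (a flow from a to b is legal iff a_L ≤_I b_U) is simple enough to evaluate for every ordered pair, which also makes the transitivity failures of slides 11 and 12 visible by computation. The block below is an added example, not code from the slides; the class names, orderings and confine() pairs are the slides' own, while the data layout (a set of covering pairs closed into ≤_I, a dict for confine) is this example's assumption.

```python
# Added example (not from the slides): the confinement flow model of slide 9,
# evaluated mechanically over the three policies of slides 10-12.  The class
# names and confine() pairs are the slides' own; the data layout is an assumption.
from itertools import product

def closure(covers, classes):
    """Reflexive-transitive closure of the covering relation `covers`
    (a set of (lower, higher) pairs), giving the ordering <=_I on `classes`."""
    leq = {(c, c) for c in classes} | set(covers)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(leq), repeat=2):
            if b == c and (a, d) not in leq:
                leq.add((a, d))
                changed = True
    return leq

def legal_flows(leq, confine):
    """Slide 9: information can flow from a to b iff a_L <=_I b_U."""
    return {(a, b) for a in confine for b in confine
            if a != b and (confine[a][0], confine[b][1]) in leq}

def transitivity_violations(flows):
    """Pairs (a, c) with a -> b and b -> c legal but a -> c not legal."""
    return {(a, c) for (a, b) in flows for (b2, c) in flows
            if b == b2 and a != c and (a, c) not in flows}

# Military levels (slides 10 and 11): CONFIDENTIAL < SECRET < TOPSECRET.
MIL = ["CONFIDENTIAL", "SECRET", "TOPSECRET"]
MIL_LEQ = closure({("CONFIDENTIAL", "SECRET"), ("SECRET", "TOPSECRET")}, MIL)
SLIDE10 = {"a": ("CONFIDENTIAL", "CONFIDENTIAL"),
           "b": ("SECRET", "SECRET"),
           "c": ("TOPSECRET", "TOPSECRET")}
SLIDE11 = dict(SLIDE10, c=("CONFIDENTIAL", "TOPSECRET"))

# Agency classes (slide 12): public below analysis and covert, both below top-level.
AGENCY = ["public", "analysis", "covert", "top-level"]
AGENCY_LEQ = closure({("public", "analysis"), ("public", "covert"),
                      ("analysis", "top-level"), ("covert", "top-level")}, AGENCY)
SLIDE12 = {"PRO": ("public", "analysis"),
           "A": ("analysis", "top-level"),
           "S": ("covert", "top-level")}

if __name__ == "__main__":
    for name, leq, confine in (("slide 10", MIL_LEQ, SLIDE10),
                               ("slide 11", MIL_LEQ, SLIDE11),
                               ("slide 12", AGENCY_LEQ, SLIDE12)):
        flows = legal_flows(leq, confine)
        print(name, "legal:", sorted(flows))
        print(name, "transitivity fails at:", sorted(transitivity_violations(flows)))
```

For slide 11 the computation reports b → c and c → a as legal but b → a as not, exactly the failure the slide points out; applying the slide 9 rule to every pair also admits c → b there, since c_L = CONFIDENTIAL ≤_I b_U = SECRET. For slide 12 the same check finds S → A and A → PRO but no S → PRO (covert and analysis are incomparable), so that policy is not transitive either.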
Slide 13: Compiler-Based Mechanisms
- Assignment statements
- Compound statements
- Conditional statements
- Iterative statements
Slide 14: Assignment Statements
- y := f(x_1, ..., x_n)
- Requirement for information flow to be secure: lub{x_1, ..., x_n} ≤ y
- Example: x := y + z;  requires lub{y, z} ≤ x
Slide 15: Compound Statements
- begin S_1; ... S_n; end;
- Requirement for information flow to be secure: S_1 secure AND ... AND S_n secure
Slide 16: Conditional Statements
- if f(x_1, ..., x_n) then S_1; else S_2; end;
- Requirement for information flow to be secure: S_1 secure AND S_2 secure AND lub{x_1, ..., x_n} ≤ glb{y | y is the target of an assignment in S_1 or S_2}
Slide 17: Example Conditional Statement
- if x + y < z then a := b; else d := b * c - x; end;
- b ≤ a for S_1
- lub{b, c, x} ≤ d for S_2
- lub{x, y, z} ≤ glb{a, d} for the condition
Slide 18: Iterative Statements
- while f(x_1, ..., x_n) do S;
- Requirement for information flow to be secure:
  - Iteration terminates
  - S secure
  - lub{x_1, ..., x_n} ≤ glb{y | y is the target of an assignment in S}
Slide 19: Example Iteration Statement
- while i < n do begin a[i] := b[i]; i := i + 1; end;
- Loop terminates
- i ≤ a[i] AND b[i] ≤ a[i] for S_1
- lub{i, b[i]} ≤ a[i] for the compound statement
- lub{b[i], i, n} ≤ glb{a[i], i} for the while condition
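The four rules on slides 14 to 18 together form a small certifier: each statement kind produces one lattice inequality, and a program is certified only if every inequality holds (plus termination for loops). The block below is an added example, not code from the slides. It encodes the (level, categories) classes of slide 3 with dom as the ordering, represents statements as nested tuples, and checks the programs of slides 17 and 19; the security classes assigned to the variables are constructed for illustration and are not stated on the slides.

```python
# Added example (not from the slides): a certifier implementing the four
# compiler-based rules of slides 14-18 over the (level, categories) classes of
# slide 3.  Programs are nested tuples; the variable classes are constructed.
LEVELS = {"C": 0, "S": 1, "TS": 2}          # CONFIDENTIAL < SECRET < TOPSECRET
ALL_CATS = frozenset({"R", "P"})
TOP = ("TS", ALL_CATS)                      # greatest class; glb of an empty set

def cls(level, *cats):
    return (level, frozenset(cats))

def leq(a, b):
    """a <= b iff b dom a: b has a higher-or-equal level and a superset of categories."""
    return LEVELS[a[0]] <= LEVELS[b[0]] and a[1] <= b[1]

def lub(classes):
    classes = list(classes)
    level = max(classes, key=lambda c: LEVELS[c[0]])[0]
    return (level, frozenset().union(*(c[1] for c in classes)))

def glb(classes):
    classes = list(classes)
    if not classes:
        return TOP
    level = min(classes, key=lambda c: LEVELS[c[0]])[0]
    return (level, frozenset.intersection(*(c[1] for c in classes)))

# Statement forms:
#   ("assign", y, [x1..xn])          y := f(x1..xn)
#   ("seq", [S1..Sn])                begin S1; ... Sn; end
#   ("if", [x1..xn], S1, S2)         if f(x1..xn) then S1 else S2
#   ("while", [x1..xn], S, terminates)
def targets(stmt):
    """Variables that are the target of some assignment inside stmt."""
    kind = stmt[0]
    if kind == "assign":
        return {stmt[1]}
    if kind == "seq":
        return set().union(*(targets(s) for s in stmt[1]))
    if kind == "if":
        return targets(stmt[2]) | targets(stmt[3])
    return targets(stmt[2])                  # while

def secure(stmt, env):
    """env maps variable -> class.  True iff the slides' rule for stmt holds."""
    kind = stmt[0]
    if kind == "assign":                     # slide 14: lub{x1..xn} <= y
        _, y, xs = stmt
        return not xs or leq(lub(env[x] for x in xs), env[y])
    if kind == "seq":                        # slide 15: every Si secure
        return all(secure(s, env) for s in stmt[1])
    if kind == "if":                         # slide 16: guard <= glb of targets
        _, xs, s1, s2 = stmt
        guard = leq(lub(env[x] for x in xs), glb(env[y] for y in targets(s1) | targets(s2)))
        return guard and secure(s1, env) and secure(s2, env)
    _, xs, body, terminates = stmt           # slide 18: also needs termination
    guard = leq(lub(env[x] for x in xs), glb(env[y] for y in targets(body)))
    return terminates and guard and secure(body, env)

# Slide 17: if x + y < z then a := b else d := b * c - x
SLIDE17 = ("if", ["x", "y", "z"], ("assign", "a", ["b"]), ("assign", "d", ["b", "c", "x"]))
ENV17_OK = {"x": cls("C"), "y": cls("C"), "z": cls("C"), "b": cls("C"),
            "c": cls("S"), "a": cls("S", "R"), "d": cls("S")}
ENV17_BAD = dict(ENV17_OK, x=cls("TS"))      # lub{b, c, x} = TS{} is not <= d = S{}

# Slide 19: while i < n do begin a[i] := b[i]; i := i + 1 end
def slide19(terminates=True):
    body = ("seq", [("assign", "a[i]", ["i", "b[i]"]), ("assign", "i", ["i"])])
    return ("while", ["i", "n"], body, terminates)
ENV19 = {"i": cls("C"), "n": cls("C"), "b[i]": cls("C"), "a[i]": cls("S")}

if __name__ == "__main__":
    print("slide 17 ok   :", secure(SLIDE17, ENV17_OK))
    print("slide 17 bad  :", secure(SLIDE17, ENV17_BAD))
    print("slide 19      :", secure(slide19(), ENV19))
    print("slide 19 loop :", secure(slide19(terminates=False), ENV19))
    print("slide 19 n=S  :", secure(slide19(), dict(ENV19, n=cls("S"))))
```

The last two cases show why slide 18 lists termination and the guard inequality separately: with `n` raised to SECRET the loop body is still secure statement by statement, but the guard `i < n` would let a SECRET value influence the CONFIDENTIAL variable `i` through the number of iterations, which is exactly the implicit flow of slide 6 in iterative form.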