
Information Flow Control: Language and System Level
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science

Presentation transcript:

Slide 1: Information Flow Control: Language and System Level

Slide 2: Concept
- Information flow
  - Long-term confinement of information to authorized receivers
  - Controls how information moves among data handlers and data storage units
  - Applied at the language, system, or application level
- Examples:
  - Ensure that “secret” data is only revealed to individuals with a suitably high clearance level
  - Guarantee that information available to a process cannot leak to the network
  - Certify that the outputs of a program only contain information derived from specified inputs

Slide 3: System Example
- Guarantee that the anti-virus (AV) scanner cannot leak to the network any data found in its scan of user files
- Possible leak methods
  - Send data directly to a network connection
  - Conspire with other processes (e.g., sendmail or httpd)
  - Subvert another process and use its network access to send data
  - Leave data in /tmp for other processes (e.g., the AV update daemon) to send
  - Use other direct or indirect means of communication with the update daemon

Slide 4: Denning Model (Dorothy Denning)
- Flow model where
  - N = {a, b, …} is a set of logical storage objects
  - P = {p, q, …} is a set of processes (active objects)
  - SC = {A, B, …} is a set of security classes: disjoint classes of information
  - Each object is bound to a security class; the binding may be static or dynamic (varying with the object's content)
  - Class combining operator ⊕: A ⊕ B is the class of information derived from both A and B
  - Flow relation →: A → B iff information in class A is allowed to flow into class B

Slide 5: Example Security Classes
- Sensitivity levels: public, confidential, secret, top secret (in increasing order)
- Classes are written (level, [compartments]); the diagram uses levels S (secret) and TS (top secret) and compartments dip and mil:
  (S,[]), (S,[dip]), (S,[mil]), (S,[dip,mil]), (TS,[]), (TS,[dip]), (TS,[mil]), (TS,[dip,mil])
- Adapted from K. Rosen, Discrete Mathematics and its Applications, 2003.

Slide 6: Class Combining Operations
- Over the same eight classes, (S,[]), (S,[dip]), (S,[mil]), (S,[dip,mil]), (TS,[]), (TS,[dip]), (TS,[mil]), (TS,[dip,mil]), the diagram shows the two lattice operations:
  - least upper bound (the class-combining operator ⊕)
  - greatest lower bound

Slide 7: Implicit/Explicit Flows
- In the statement a = b + c;
  - there is explicit flow from b to a and from c to a
  - written here as a ← b and a ← c
- In the statement if (a == 0) { b = c; }
  - there is an explicit flow from c to b (b ← c)
  - there is an implicit flow from a to b (b ← a), because testing the value of b before and after the statement can reveal the value of a
- In the statement if (c) { a = b + 1; d = e + 2; }
  - explicit flows from b to a and from e to d (a ← b, d ← e)
  - implicit flows from c to a and from c to d (a ← c, d ← c)

Slide 8: Security Requirements
- Elementary statement S: b ← a1, …, an (b is assigned a value computed from a1, …, an)
  - is secure if b ← a1, …, b ← an are secure
  - i.e., if a1 → b, …, an → b
  - i.e., if the flow a1 ⊕ … ⊕ an → b is allowed
- Sequence S = S1; S2
  - is secure if both S1 and S2 are secure
- Conditional S = c: S1, …, Sn, where Si updates bi
  - is secure if bi ← c for i = 1..n are secure
  - i.e., if c → b1, …, c → bn are all allowed

Slide 9: Static Binding
- Access control
  - Process p can read from a only if a → p
  - Process p can write to b only if p → b
  - In general,
- Data Mark Machine
  - Associate a security class p with the program counter
  - For a conditional structure c: S
    - push p onto the stack
    - set p to p ⊕ c
    - execute S
    - on exit, restore p from the stack
  - For a statement S with b ← a1, …, an
    - verify that a1 ⊕ … ⊕ an ⊕ p → b is allowed

Slide 10: Static Binding (continued)
- Compiler-based
  - For an elementary statement S: f(a1, …, an) → b, verify that a1 ⊕ … ⊕ an → b is allowed; set the class of S to the class of b
  - For a sequence S = S1; S2, set the class of S to the combination of the classes of S1 and S2 (their greatest lower bound, so that a flow into S reaches every object the sequence assigns)
  - For a conditional structure S = c: S1, …, Sm, set the class of S to the combination of the classes of S1, …, Sm in the same way, then verify that c → S is allowed
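As an added example (my own code, not from the slides or from Denning's papers), here is a compiler-style certifier for the three statement forms of slides 8 and 10, run over the explicit and implicit flows of slide 7. Security classes are modelled as sets of categories so that A → B holds iff A ⊆ B, ⊕ is set union, and the greatest lower bound is intersection; the tuple-based statement syntax and the `ENV` variable bindings are constructed for the example.

```python
from functools import reduce

# Security classes are sets of categories (a power-set lattice, constructed for this example):
# flow A -> B is allowed iff A is a subset of B, the combining operator ⊕ is union,
# and the greatest lower bound is intersection.
def can_flow(a, b):
    return a <= b

def lub(*classes):
    return frozenset().union(*classes)          # a1 ⊕ … ⊕ an (empty for a constant expression)

def glb(*classes):
    return reduce(lambda x, y: x & y, classes)  # lowest class among several assigned objects

class FlowViolation(Exception):
    pass

def certify(stmt, env):
    """Return the class of `stmt` (slide 10's rules) or raise FlowViolation.

    `env` maps variable name -> class. Statement forms (constructed AST):
      ("assign", target, [sources])   b = f(a1, …, an)
      ("seq", s1, s2, …)              S1; S2; …
      ("if", [cond_vars], [body])     c: S1, …, Sm
    """
    kind = stmt[0]
    if kind == "assign":
        _, target, sources = stmt
        combined = lub(*(env[a] for a in sources))
        if not can_flow(combined, env[target]):           # explicit flow a1 ⊕ … ⊕ an -> b
            raise FlowViolation(f"explicit flow {sorted(sources)} -> {target} not allowed")
        return env[target]                                 # class of S is the class of b
    if kind == "seq":
        return glb(*(certify(s, env) for s in stmt[1:]))   # lowest class assigned anywhere in the sequence
    if kind == "if":
        _, cond_vars, body = stmt
        s = glb(*(certify(b, env) for b in body))          # certify the branches first
        c = lub(*(env[v] for v in cond_vars))
        if not can_flow(c, s):                             # implicit flow c -> every object the body assigns
            raise FlowViolation(f"implicit flow {sorted(cond_vars)} -> conditional body not allowed")
        return s
    raise ValueError(f"unknown statement kind {kind!r}")

def is_secure(stmt, env):
    try:
        certify(stmt, env)
        return True
    except FlowViolation:
        return False

# Constructed environment: 'secret' and 'tmp' carry the category hi, 'pub' carries none.
ENV = {"secret": frozenset({"hi"}), "tmp": frozenset({"hi"}), "pub": frozenset()}

# Slide 7's shapes: an explicit leak through tmp, an implicit leak via the condition, and a safe program.
EXPLICIT_LEAK = ("seq", ("assign", "tmp", ["secret"]), ("assign", "pub", ["tmp"]))
IMPLICIT_LEAK = ("if", ["secret"], [("assign", "pub", [])])
SAFE = ("if", ["pub"], [("assign", "tmp", ["secret", "pub"])])

if __name__ == "__main__":
    for name, prog in [("explicit leak", EXPLICIT_LEAK), ("implicit leak", IMPLICIT_LEAK), ("safe", SAFE)]:
        print(f"{name}: {'certified' if is_secure(prog, ENV) else 'rejected'}")
```

The implicit-leak program assigns only a constant to `pub`, so no explicit rule fires; it is rejected solely because the class of the conditional body (∅) cannot receive a flow from the class of `secret` ({hi}). Taking the greatest lower bound over a sequence is what makes that check cover every object the body assigns rather than just the most sensitive one.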

Slide 11: Dynamic Binding
- A purely dynamic binding is not practical
  - Typically some objects and most users have a static security class
- Dynamic Data Mark Machine
  - Difficult to account for implicit flows, so…
  - the compiler determines implicit flows and
  - inserts additional instructions to update the class associated with the program counter accordingly
  - Accounts for implicit flows even if the flow is not executed

Slide 12: HiStar: System Level Flow Control
- Basic ideas
  - Files and processes are associated with a label whose taint restricts flow to less tainted components
  - Many categories of taint, each owned by its creator
  - Selected components (e.g., wrap) can be given untainting privileges

Slide 13: Labels
- Structure
  - L = {c1 l1, c2 l2, …, cn ln, l_default}
  - Each ci is a category and li is the taint level in that category
  - l_default is the default level for unnamed categories
  - L(c) = li if c = ci for some i, and l_default otherwise
- Levels (the examples on slides 14 to 16 use numeric taint levels such as 0, 1 and 3, plus the ownership level ⋆)

Slide 14: Information Flow
- General rule:
  - information can flow from O1 to O2 only if O2 is at least as tainted as O1 in every category
  - information cannot flow from O1 to O2 if O1 is more tainted in some category than O2
- Example
  - Thread T with L_T = {1}, object O with L_O = {c 3, 1}
  - L_T(c) = 1 < 3 = L_O(c)
  - Flow is permitted from T to O (i.e., T can write to O)
  - No flow is permitted from O to T (i.e., T cannot read/observe O)

Slide 15: Example with Labels
- User data labels are set so that only the owner can read (b_r 3) and write (b_w 0)
- The wrap program has ownership to read (b_r ⋆) user data, which it delegates to the scanner
- Wrap creates category v to (1) prevent the scanner from modifying User Data (since User Data has default level 1) and (2) prevent the scanner from communicating with the network

Slide 16: Notation
- Information flow
- Treatment of level ⋆
  - ⋆ should be high for reading, but low for writing
  - The notation provides two ownership symbols, used as L⋆ and L⍟; for example, if L = {a ⋆, b ⍟, 1} then L⍟ = {a ⍟, b ⍟, 1} and L⋆ = {a ⋆, b ⋆, 1}
- Flow restriction (slide 14's rule, with the thread's owned categories treated as high when it reads and low when it writes)
  - T can read/observe O only if O is no more tainted than T in every category, comparing O's label against L_T⋆
  - T can write/modify O only if T is no more tainted than O in every category, comparing L_T⍟ against O's label
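The following is an added example covering slides 13 to 16; it is my own illustration of the label rules, not code from HiStar. It implements labels as per-category levels with a default, the ⋆-high (L⋆) and ⋆-low (L⍟) views of a thread's label, and the read/write checks, then replays slide 14's thread/object example and slide 15's wrap/scanner scenario. The concrete labels for the scanner, wrap, owner and network (`SCANNER`, `WRAP`, `OWNER`, `NETWORK`) are constructed assumptions consistent with the slide's description; `*` stands in for ⋆, ownership is represented only in thread labels, and the numeric ranks 4 and -1 for "⋆ as high" and "⋆ as low" are an implementation choice.

```python
STAR = "*"  # ownership of a category (the slides' ⋆); ASCII stand-in used here

class Label:
    """Label {c1 l1, ..., cn ln, l_default}: per-category taint levels plus a default (slide 13)."""
    def __init__(self, default, **categories):
        self.default = default
        self.categories = dict(categories)

    def level(self, c):
        """L(c): the level named for c, or the default for an unnamed category."""
        return self.categories.get(c, self.default)

    def with_star_as(self, rank):
        """Replace every owned (⋆) category by a numeric rank, leaving other levels unchanged."""
        return Label(self.default, **{c: (rank if l == STAR else l) for c, l in self.categories.items()})

    def star_high(self):
        return self.with_star_as(4)    # L⋆: ownership counts as more tainted than any level (for reading)

    def star_low(self):
        return self.with_star_as(-1)   # L⍟: ownership counts as less tainted than any level (for writing)

def can_flow(src, dst):
    """Slide 14's rule: information may flow from src to dst only if dst is at least as tainted in every category."""
    for c in set(src.categories) | set(dst.categories):
        if src.level(c) == STAR or dst.level(c) == STAR:
            raise ValueError("resolve ⋆ with star_high()/star_low() before comparing")
        if src.level(c) > dst.level(c):
            return False
    return src.default <= dst.default   # covers every category neither label names

def can_read(thread, obj):
    """T can observe O only if O's label flows into L_T⋆ (slide 16)."""
    return can_flow(obj, thread.star_high())

def can_write(thread, obj):
    """T can modify O only if L_T⍟ flows into O's label (slide 16)."""
    return can_flow(thread.star_low(), obj)

# Slide 14: L_T = {1}, L_O = {c 3, 1}
THREAD_T = Label(1)
OBJECT_O = Label(1, c=3)

# Slide 15 scenario (constructed labels): user data readable only with b_r 3, writable only with b_w 0.
USER_DATA = Label(1, b_r=3, b_w=0)
OWNER = Label(1, b_r=STAR, b_w=STAR)     # the user owns both categories
WRAP = Label(1, b_r=STAR, v=STAR)        # wrap owns b_r (delegated read) and the category v it created
SCANNER = Label(1, b_r=3, v=3)           # scanner may read b_r-tainted data but is tainted with v
NETWORK = Label(1)                       # the network carries only default taint

if __name__ == "__main__":
    print("slide 14: T writes O:", can_write(THREAD_T, OBJECT_O), "T reads O:", can_read(THREAD_T, OBJECT_O))
    for name, t in [("owner", OWNER), ("wrap", WRAP), ("scanner", SCANNER)]:
        print(f"{name}: read user data={can_read(t, USER_DATA)} write user data={can_write(t, USER_DATA)} "
              f"write network={can_write(t, NETWORK)}")
```

The v taint is what confines the scanner: it can still read user data (b_r 3 ≤ 3, and v is unnamed in user data so its default 1 is compared against the scanner's high view), but any write from the scanner carries v 3, which neither user data (v defaults to 1) nor the network can accept. Wrap, owning v, sees v as -1 when writing and so is not blocked by its own category; it is blocked from writing user data only because it does not own b_w.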

Slide 17: Kernel Object Types
- Object structure
  - objectID (unique, 61 bit)
  - label (threads also have a clearance label)
  - quota
  - metadata (64 bytes)
  - flags
- Object types include: Segment: variable-length byte array

Slide 18: Design Rationale
- Kernel interface
  - The contents of object A can only affect object B if, for every category c in which A is more tainted than B, a thread owning c takes part in the process.
  - Provides an end-to-end guarantee of which system components can affect which others, without any need to understand component details
- Application structure
  - Organize applications so that key categories are owned by small amounts of code
  - The bulk of the system is then not security critical
