A Lattice Model of Secure Information Flow
By Dorothy E. Denning
Presented by Drayton Benner
March 22, 2000
Agenda
– Introduction
– The Information Flow Model
– Enforcement of Security
– Mechanisms for Static Binding
– Mechanisms for Dynamic Binding
– Conclusions
Introduction
Security – “no unauthorized flow of information is possible”
Data from files/users of higher security cannot be transmitted to files/users of lower security, directly or indirectly.
Goal: “to find suitable and viable restrictions according to which the security of a system would not only be decidable, but simply so.”
The Model
FM = < N, P, SC, ⊕, → >
N = { a, b, … } – a set of logical storage objects or information receptacles – files, segments, program variables, and also users.
P = processes. “Processes are the active agents responsible for all information flow.”
The Model (cont.)
FM = < N, P, SC, ⊕, → >
SC = { A, B, … } is a set of security classes. The security classes are disjoint classes of information. Every object belongs to a security class. An example would be { public knowledge, confidential, secret, top secret, only available to teenage hackers }.
The Model (cont.)
FM = < N, P, SC, ⊕, → >
Binding of objects to security classes can be static or dynamic. With static binding, the security class of an object never changes. With dynamic binding, the object’s security class can change based on the contents of the object.
A process can also be bound to a security class.
The Model (cont.)
FM = < N, P, SC, ⊕, → >
⊕ is a class-combining (binary) operator that is associative and commutative. Let A and B be security classes. A ⊕ B is the security class of the result of any binary function applied to values a and b, where a has class A and b has class B.
⊕ is function independent.
The Model (cont.)
FM = < N, P, SC, ⊕, → >
→ is a flow relation. A → B if and only if information in class A is allowed to flow to class B. Information can be passed by copying, assignment, I/O, parameter passing, message sending, etc.
The model is concerned with information flow on “legitimate” and “storage” channels, not “covert” channels.
The Model (cont.)
FM = < N, P, SC, ⊕, → >
The purpose of defining a flow model FM is to be able to say: “FM is secure if and only if execution of a sequence of operations cannot give rise to a flow that violates the relation ‘→’.”
Universally bounded lattice
What is a universally bounded lattice? “a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set.”
So, what is a partially ordered set? A set with a relation R that is reflexive, transitive, and antisymmetric.
Universally Bounded Lattice (cont.)
So, what are least upper and greatest lower bounds? Suppose <= is the relation. C is an upper bound of A and B if A <= C and B <= C. C is a least upper bound of A and B if for any upper bound D of A and B, C <= D. Lower bounds and greatest lower bounds work the same way.
Derivation of Lattice Structure
First we show that < SC, → > is a poset.
Reflexive: A → A (for consistency’s sake)
Transitive: if A → B and B → C, then A → C (for consistency’s sake)
Antisymmetric: if A → B and B → A, then A = B (otherwise you have a superfluous security class, so this assumption can be made without loss of generality)
Derivation of Lattice Structure (cont.)
Second, we assume SC is finite because we are hopefully dealing with the real world.
Third, we can assume that there exists a lower bound L on SC without loss of generality. If needed, we can insert L with no objects. Or, perhaps we could fill it with constants.
Fourth, we show that ⊕ is a least upper bound operator.
Derivation of Lattice Structure (cont.)
A ⊕ B is an upper bound of A and B because, from the definition, information must be able to flow from A or B into A ⊕ B.
A ⊕ B is a least upper bound because an upper bound C of A and B can get information from A and B in the same way as A ⊕ B, so preventing information from flowing from A ⊕ B to C does not make sense.
Derivation of Lattice Structure (cont.)
Similar to the ⊕ operator, we can define the ⊗ operator such that A ⊗ B is the greatest lower bound of A and B.
The greatest lower bound of SC we call L, and the least upper bound of SC we call H.
Thus, we have established that SC, “⊕”, and “⊗” form a universally bounded lattice with greatest lower bound L and least upper bound H.
Enforcement of Security
The goal, of course, of deriving this information flow model is for it to help us enforce security. To do this, we must monitor all flow-causing operations (yikes!!!).
We must monitor explicit flow (assignment, I/O) and implicit flow. An example of implicit flow:
if a = 0 then b := c
can cause information to flow from a to b whether or not the line b := c is executed.
Enforcement of Security (cont.)
We want to represent a program or statement S in a way that easily allows us to evaluate whether or not it is secure.
Define S recursively:
– S is an elementary statement (assignment, I/O)
– S = S1; S2
– S = c: S1, …, Sm (c is an m-valued variable)
Enforcement of Security (cont.)
For elementary statements, S is secure if any explicit flow caused by S is secure.
For S = S1; S2 , S is secure if both S1 and S2 are secure.
For S = c: S1, …, Sm , S is secure if each Sk is secure and all implicit flows from c are secure.
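The three certification rules above, as an added worked example (not from Denning's paper or these slides): a small compile-time certifier over a constructed lattice of security classes (a linear clearance level plus a set of compartments), with the statement forms encoded as tuples (my encoding, not the paper's). The implicit flow from a conditional variable c is checked at every assignment inside its branches, whether or not that branch would execute.

```python
from dataclasses import dataclass

# Constructed lattice: a linear clearance level plus a set of compartments (need-to-know).
LEVELS = ["public", "confidential", "secret", "top secret"]

@dataclass(frozen=True)
class SC:
    level: str
    cats: frozenset = frozenset()

    def flows_to(self, other: "SC") -> bool:
        """The relation A -> B: no higher a level, and no compartment the target lacks."""
        return (LEVELS.index(self.level) <= LEVELS.index(other.level)
                and self.cats <= other.cats)

    def join(self, other: "SC") -> "SC":
        """The operator A (+) B: the least upper bound of A and B in this lattice."""
        return SC(max(self.level, other.level, key=LEVELS.index), self.cats | other.cats)

L = SC("public")  # greatest lower bound of the lattice: it flows to every class

# Statement forms from the slides, encoded as tuples (hypothetical encoding):
#   ("assign", target, [sources])   elementary statement  target := f(sources)
#   ("seq", [S1, S2, ...])          S = S1; S2
#   ("cond", c, [S1, ..., Sm])      S = c: S1, ..., Sm

def certify(stmt: tuple, cls: dict, ctx: SC = L) -> list:
    """Compile-time certification. Returns the names of objects that receive an
    insecure flow. `ctx` is the join of the classes of all enclosing conditional
    variables, so the implicit flow from each c is checked at every assignment
    inside its branches, executed or not."""
    kind = stmt[0]
    if kind == "assign":
        _, target, sources = stmt
        src = ctx
        for s in sources:
            src = src.join(cls[s])          # class of the computed value: (+) over the inputs
        return [] if src.flows_to(cls[target]) else [target]
    if kind == "seq":
        return [v for s in stmt[1] for v in certify(s, cls, ctx)]
    if kind == "cond":
        _, c, branches = stmt
        return [v for s in branches for v in certify(s, cls, ctx.join(cls[c]))]
    raise ValueError(f"unknown statement form {kind!r}")

# The slide's example, "if a = 0 then b := c", with constructed classes for a and b.
IF_A_THEN_B_IS_C = ("cond", "a", [("assign", "b", ["c"])])

def demo(a_class: SC, b_class: SC) -> list:
    return certify(IF_A_THEN_B_IS_C, {"a": a_class, "b": b_class, "c": L})
```

With a secret and b confidential the explicit flow c → b is fine but the implicit flow a → b is rejected; with compartments the check also rejects a flow into a higher level that lacks a's compartment, which a total order alone would not catch.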
Enforcement of Security (cont.)
Some or all of these security requirements are being used in the following:
– ADEPT-50
– The MITRE system
– The Case system
– Rotenberg’s Privacy Restriction Processor
– Fenton’s Data Mark Machine
– Gat and Saal (proposed)
– Jones and Lipton (proposed)
– Denning (proposed)
Mechanisms for Static Binding
Mechanisms for static binding can occur at run-time or at compile-time.
Access Control Mechanisms operate at run-time.
The Data Mark Machine also operates at run-time.
The Certification Mechanism operates at compile-time.
Access Control Mechanisms
Both the Case system and the MITRE system use Access Control Mechanisms.
Each process has an associated clearance (security) class.
This clearance class is the highest class from which the process can read and the lowest class into which the process can write.
The Data Mark Machine
Proposed by Fenton to run on an abstract computer called a Data Mark Machine.
A security class p is associated with the program counter of the process.
When a conditional structure c: S1, …, Sm is reached, p is pushed onto the stack, and the new security class of the program counter is c ⊕ p. Once the conditional is finished, the old value p is popped off the stack.
Certification Mechanism
This is a mechanism proposed by the author.
Compile-time advantages:
– Execution is guaranteed to be secure before the program executes.
– The program’s speed is not impaired.
– Higher-level language constructs can be used in the certification process rather than low-level hardware instructions.
Certification Mechanism (cont.)
Compile-time disadvantages:
– Flows caused by programming language implementation defects cannot be verified (e.g. unchecked array bounds)
– Hardware malfunctions can cause insecure behavior
– The programmer has to assign a security level to each object in the program
Mechanisms for Dynamic Binding
If a system is based purely on dynamic binding, it’s useless. A user at a low security level can raise his security level simply by accessing high security information.
– Dynamic Data Mark Machine
– Nondecreasing Class Mechanisms
Dynamic Data Mark Machine
A modified version of the Data Mark Machine designed for dynamic binding. Whenever information flows from objects to a dynamically bound object, the class of the dynamically bound object is updated to be the join (least upper bound) of the classes of the source objects and the class of the program counter.
Security violations can occur using this system because it does not adequately consider implicit flow. Modifications have been proposed by Fenton, Gat and Saal, and Denning.
Nondecreasing Class Mechanisms
This method of dynamically binding objects operates under the principle that the security class of an object never goes down.
That is, if information flows from an object a to an object b, the security class of b is updated to be a ⊕ b.
This mechanism is used in the ADEPT system and in Rotenberg’s Privacy Restriction Processor. Neither of these systems adequately considers implicit flow.
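To make the implicit-flow gap shared by both dynamic mechanisms (the dynamic Data Mark Machine above and the nondecreasing class mechanism here) concrete, an added example that is not from the paper or the slides: a run-time simulator for the two relabelling rules over a constructed linear lattice, run on the slides' `if a = 0 then b := c` with a secret and b, c public. The tuple encoding of statements is mine, not the paper's.

```python
# Constructed linear lattice; list order is the flow order, so the join is the higher index.
LEVELS = ["public", "confidential", "secret", "top secret"]

def join(a: str, b: str) -> str:
    """A (+) B on the linear lattice."""
    return max(a, b, key=LEVELS.index)

# Statement forms (hypothetical encoding):
#   ("assign", target, source)   target := source
#   ("skip",)                    does nothing (the empty else branch)
#   ("seq", [S1, S2, ...])       S = S1; S2
#   ("cond", c, [S0, S1, ...])   S = c: S1, ..., Sm, the value of c selects the branch

def run(stmt: tuple, vals: dict, cls: dict, pc: str = "public", use_pc: bool = True) -> None:
    """Execute stmt, relabelling dynamically bound objects as information flows into them.
    use_pc=True : dynamic Data Mark Machine, class(target) := class(source) (+) pc, where a
                  conditional raises pc to c (+) pc for its branch (the recursion plays the
                  role of the push/pop of the program-counter class).
    use_pc=False: nondecreasing class mechanism, class(target) := class(target) (+) class(source)."""
    kind = stmt[0]
    if kind == "assign":
        _, target, source = stmt
        vals[target] = vals[source]
        cls[target] = join(cls[source], pc) if use_pc else join(cls[target], cls[source])
    elif kind == "seq":
        for s in stmt[1]:
            run(s, vals, cls, pc, use_pc)
    elif kind == "cond":
        _, c, branches = stmt
        inner = join(pc, cls[c]) if use_pc else pc
        run(branches[vals[c]], vals, cls, inner, use_pc)
    elif kind != "skip":
        raise ValueError(f"unknown statement form {kind!r}")

# The slide's example "if a = 0 then b := c": branch 0 assigns, branch 1 is the empty else.
IF_A_THEN_B_IS_C = ("cond", "a", [("assign", "b", "c"), ("skip",)])

def leak_demo(use_pc: bool) -> dict:
    """Run the program for a = 0 and a = 1 (a secret, b and c public) and report the
    final (value, class) of b in each case."""
    out = {}
    for a in (0, 1):
        vals = {"a": a, "b": 1, "c": 0}                            # constructed initial values
        cls = {"a": "secret", "b": "public", "c": "public"}        # constructed initial classes
        run(IF_A_THEN_B_IS_C, vals, cls, use_pc=use_pc)
        out[a] = (vals["b"], cls["b"])
    return out
```

In both runs the final value of b reveals whether a was 0, yet when the branch is skipped nothing is assigned, so b keeps its public label: each rule tracks only the flows that actually executed, and the nondecreasing rule never raises b at all because it has no program-counter class.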
Conclusions
Applications of the model and mechanisms described:
– Confinement: do not let a process leak confidential information
– Databases: ability to control the flow of raw data in the database as well as the flow of correlations of the data
– Some requirements modeled by an access matrix have been omitted. Practical systems need both access control and flow control.
Questions?