secrecy security policy - pennsylvania state...

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Secrecy Security PolicyCSE497b - Spring 2007

Introduction Computer and Network SecurityProfessor Jaeger

www.cse.psu.edu/~tjaeger/cse497b-s07/

Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Secrecy Problem• Does the following protection state ensure the secrecy

of J’s private key in O1?

2

O1 O2 O3

J R RW

RW

S2 N R RW

S3 N R RW


Protection vs Security• Protection

– Security goals met under trusted processes– Protects against an error by a non-malicious entity

• Security– Security goals met under potentially malicious processes– Protects against any malicious entity

• For J:– Non-malicious process shouldn’t leak the private key by

writing it to O3

– A malicious process may write the private key to O3

3


Why Doesn’t DAC Work?• Goal: User has a file O1 she wants to keep secret• Threat: A malicious process she runs wants to leak O1

– To some other subject (user) or system (via network)

• Problems:– Permission Assignment: Malicious process maximizes

permissions• Any way that data can be read by or written to another user is

enabled– Complete Mediation: DAC systems do not mediate network

• Can be sent to anyone or requires firewall rules to control access– Complexity: How does she know that all these permissions

prevent the leak• Good luck

4


Governmental Secrecy• Military

– When will ship sail?– Where are troops?– What is the next troop movement?

• Military is hierarchical – Decisions made at a higher level of authority are enacted

• Thus, security is top-down– Secrets flow up– Decisions flow down

• Release is manual– Also, “need to know”

5

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

Multilevel Security

• A multi-level security (MLS) system tags all object and subject with security tags classifying them in terms of sensitivity/access level.– We formulate an access control policy based on these levels– We can also add other dimensions, called categories which

horizontally partition the rights space (in a way similar to that as was done by roles)

security levels

categories

CSE497b Introduction to Computer (and Network) Security - Spring 2007 - Professor Jaeger Page

Lattice Model

• Used by the US military (and many others), the Lattice model uses MLS to define policy

• Levels:

unclassified < confidential < secret < top secret

• Categories (actually unbounded set)

NUC(lear), INTEL(igence), CRYPTO(graphy)

• Note that these levels are used for physical documents in the US government as well.


Lattice• Levels form a lattice

– Vertices form a partial order– Every pair of vertices has a LUB, GLB

8

VerySecret

MostlySecret

PrettySecret

Secret

?

CSE497b Introduction to Computer (and Network) Security - Spring 2007 - Professor Jaeger Page

Assigning Security Levels

• All subjects are assigned clearance levels and compartments– Alice: (SECRET, {CRYTPO, NUC})– Bob: (CONFIDENTIAL, {INTEL})– Charlie: (TOP SECRET, {CRYPTO, NUC, INTEL})

• All objects are assigned an access class– DocA: (CONFIDENTIAL, {INTEL})– DocB: (SECRET, {CRYPTO})– DocC: (UNCLASSIFIED, {NUC})


Example

Access is allowed ifsubject clearance level >= object sensitivity level and

object categories subset-of subject categories (read down)Q: What would write-up be?

Hence,

Bob: CONF., {INTEL})Trent: TS, {CRYPTO, NUC, INTEL})

Alice: (SEC., {CRYTPO, NUC})

DocA: (CONFIDENTIAL, {INTEL})DocB: (SECRET, {CRYPTO})

DocC: (UNCLASSIFIED, {NUC})


Secrecy Properties

• Simple-Security Property (Read-Down)– A subject s can only read from an object o if the subject’s

clearance dominates or is same as the access class of the object

• *-Security Property (Write-Up)– A subject s can only write to an object o if the subject’s

clearance is dominated by or is the same as the access class of the object


Trojan Horses• Trojan horse: A program with a malicious function that

masquerades as a benign application• Claim: MLS prevents a Trojan horse from leaking data • Proof

– Complete mediation• All operations are mediated

– MLS *-security property• Trojan horse cannot write data down

– Mandatory policy• Trojan horse cannot change policy• Policy defines legal info flows

12


Covert Channels• Use access to shared resources as a means of

communication– Rather than an overt channel

• Storage Channel– Uses an attribute of a shared resource– E.g., Fill up shared disk

• Timing Channel– Uses temporal relationships in access to a shared resource– E.g., Driver timing behavior

• Not prevented by MLS alone!

13


Trojan Horse Paradox• MLS enables the OS to guarantee

– that a process at a higher secrecy clearance cannot

– leak to a process at a lower secrecy level• But, lots of applications handle data of multiple access

classes!

• Examples: – Server process (Mail server): Many mails of different access

classes are possible• One server per combination of level and category set is not practical

– Client process (Email client): A single email client may receive and respond to emails at different access classes

• And, think about the integrity impact of a Trojan horse– Discuss next time

14


Program-Level Secrecy• Situation: A program reads data at a higher access

class than it writes– Program can leak secret that it reads by writing it to the

lower access class• Challenge: Write a program where you can prove that

no illegal information flows (i.e., violating MLS properties) can occur

15

Program

Secret

Public

Read

Write


Denning Lattice Model• Information flow within a program

– Can a secret variable leak to a public variable?• Model covers all programs

– Statement S– Sequence S1, S2 – Conditional c: S1, …, Sm

16

Stmt Cond

Stmt

Stmt

Stmt Stmt


Implicit and Explicit Flows• Explicit

– Direct transfer to b from a (e.g., b = a)• Implicit

– Where value of b may depend on value of a indirectly (e.g., if a = 0, then b = c)

• Implicit flows only occur in conditionals

17

Stmtb = a

Condif (b < 1)

Stmtc = d

Stmte = c Stmt

Stmtc = b


Denning Semantics

• Program is secure if:– Explicit flow from S is secure– Explicit flow of all statements in a sequence are secure

(e.g., S1; S2)– Conditional c:S1, …, Sm is secure if:

• The explicit flows of all statements S1, …, Sm are secure• The implicit flows between c and the objects in Si are secure

18

Stmtb = a

Condif (b < 1)

Stmtc = d

Stmte = c Stmt

Stmtc = f


Information Flow• Explicit and implicit flows form a graph

• Resulting flow graph

19

Stmtb = a

Condif (b < 1)

Stmtc = d

Stmte = c Stmt

Stmtc = f

a c b

d

f

e


Secure When...• Suppose e is public

– What variables can be secret?• Suppose d is public

– What variables can be secret?• Suppose b is secret

– What variables can be public?

20

Stmtb = a

Condif (b < 1)

Stmtc = d

Stmte = c Stmt

Stmtc = f


Chinese Wall

• Keep different parts of a firm isolated– Accounts with Ford and GM

• Access is not controlled by attribute of data alone– Also, data that the subject holds– Conflict sets

21

t0 t1

Hold: NoneConflict: {Ford, GM}

t2

Op: Access GMHold: NoneAccess: Allowed

t3 t4

Op: Access FordHold: GMAccess: Denied


Chinese Wall• More formally,

– Objects may belong to a company dataset

– Companies may compete, so • Conflict of interest sets consist of competing company dataset labels

– Cannot access objects in two datasets in a COI set

• CW Simple Security Property– Read O,

• if accessed CD(O) already, can access again• for all datasets accessed previously, CD(O) not-in COI(previous)

• CW *-Security Property– Write O,

• if CW-Simple permits read• And we have only read data from CD(O)

22


Take Away• MLS policy provides a guarantee that a secret will not

be leaked to a lower access class– Even if you are running malicious code (e.g., Trojan horse)– But, does not include covert channels

• Know how to apply this

• However, we may also need to obtain secrecy guarantees for more privileged programs– Ones that could violate MLS– Use Denning’s model to prove compliance

• Information flows: Explicit and implicit

23

secrecy security policy - pennsylvania state...

Documents