secrecy security policy - pennsylvania state...
TRANSCRIPT
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Secrecy Security PolicyCSE497b - Spring 2007
Introduction Computer and Network SecurityProfessor Jaeger
www.cse.psu.edu/~tjaeger/cse497b-s07/
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Secrecy Problem• Does the following protection state ensure the secrecy
of J’s private key in O1?
2
O1 O2 O3
J R RW
RW
S2 N R RW
S3 N R RW
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Protection vs Security• Protection
– Security goals met under trusted processes– Protects against an error by a non-malicious entity
• Security– Security goals met under potentially malicious processes– Protects against any malicious entity
• For J:– Non-malicious process shouldn’t leak the private key by
writing it to O3
– A malicious process may write the private key to O3
3
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Why Doesn’t DAC Work?• Goal: User has a file O1 she wants to keep secret• Threat: A malicious process she runs wants to leak O1
– To some other subject (user) or system (via network)
• Problems:– Permission Assignment: Malicious process maximizes
permissions• Any way that data can be read by or written to another user is
enabled– Complete Mediation: DAC systems do not mediate network
• Can be sent to anyone or requires firewall rules to control access– Complexity: How does she know that all these permissions
prevent the leak• Good luck
4
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Governmental Secrecy• Military
– When will ship sail?– Where are troops?– What is the next troop movement?
• Military is hierarchical – Decisions made at a higher level of authority are enacted
• Thus, security is top-down– Secrets flow up– Decisions flow down
• Release is manual– Also, “need to know”
5
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Multilevel Security
• A multi-level security (MLS) system tags all object and subject with security tags classifying them in terms of sensitivity/access level.– We formulate an access control policy based on these levels– We can also add other dimensions, called categories which
horizontally partition the rights space (in a way similar to that as was done by roles)
security levels
categories
CSE497b Introduction to Computer (and Network) Security - Spring 2007 - Professor Jaeger Page
Lattice Model
• Used by the US military (and many others), the Lattice model uses MLS to define policy
• Levels:
unclassified < confidential < secret < top secret
• Categories (actually unbounded set)
NUC(lear), INTEL(igence), CRYPTO(graphy)
• Note that these levels are used for physical documents in the US government as well.
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Lattice• Levels form a lattice
– Vertices form a partial order– Every pair of vertices has a LUB, GLB
8
VerySecret
MostlySecret
PrettySecret
Secret
?
CSE497b Introduction to Computer (and Network) Security - Spring 2007 - Professor Jaeger Page
Assigning Security Levels
• All subjects are assigned clearance levels and compartments– Alice: (SECRET, {CRYTPO, NUC})– Bob: (CONFIDENTIAL, {INTEL})– Charlie: (TOP SECRET, {CRYPTO, NUC, INTEL})
• All objects are assigned an access class– DocA: (CONFIDENTIAL, {INTEL})– DocB: (SECRET, {CRYPTO})– DocC: (UNCLASSIFIED, {NUC})
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Example
Access is allowed ifsubject clearance level >= object sensitivity level and
object categories subset-of subject categories (read down)Q: What would write-up be?
Hence,
Bob: CONF., {INTEL})Trent: TS, {CRYPTO, NUC, INTEL})
Alice: (SEC., {CRYTPO, NUC})
DocA: (CONFIDENTIAL, {INTEL})DocB: (SECRET, {CRYPTO})
DocC: (UNCLASSIFIED, {NUC})
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Secrecy Properties
• Simple-Security Property (Read-Down)– A subject s can only read from an object o if the subject’s
clearance dominates or is same as the access class of the object
• *-Security Property (Write-Up)– A subject s can only write to an object o if the subject’s
clearance is dominated by or is the same as the access class of the object
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Trojan Horses• Trojan horse: A program with a malicious function that
masquerades as a benign application• Claim: MLS prevents a Trojan horse from leaking data • Proof
– Complete mediation• All operations are mediated
– MLS *-security property• Trojan horse cannot write data down
– Mandatory policy• Trojan horse cannot change policy• Policy defines legal info flows
12
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Covert Channels• Use access to shared resources as a means of
communication– Rather than an overt channel
• Storage Channel– Uses an attribute of a shared resource– E.g., Fill up shared disk
• Timing Channel– Uses temporal relationships in access to a shared resource– E.g., Driver timing behavior
• Not prevented by MLS alone!
13
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Trojan Horse Paradox• MLS enables the OS to guarantee
– that a process at a higher secrecy clearance cannot
– leak to a process at a lower secrecy level• But, lots of applications handle data of multiple access
classes!
• Examples: – Server process (Mail server): Many mails of different access
classes are possible• One server per combination of level and category set is not practical
– Client process (Email client): A single email client may receive and respond to emails at different access classes
• And, think about the integrity impact of a Trojan horse– Discuss next time
14
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Program-Level Secrecy• Situation: A program reads data at a higher access
class than it writes– Program can leak secret that it reads by writing it to the
lower access class• Challenge: Write a program where you can prove that
no illegal information flows (i.e., violating MLS properties) can occur
15
Program
Secret
Public
Read
Write
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Denning Lattice Model• Information flow within a program
– Can a secret variable leak to a public variable?• Model covers all programs
– Statement S– Sequence S1, S2 – Conditional c: S1, …, Sm
16
Stmt Cond
Stmt
Stmt
Stmt Stmt
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Implicit and Explicit Flows• Explicit
– Direct transfer to b from a (e.g., b = a)• Implicit
– Where value of b may depend on value of a indirectly (e.g., if a = 0, then b = c)
• Implicit flows only occur in conditionals
17
Stmtb = a
Condif (b < 1)
Stmtc = d
Stmte = c Stmt
Stmtc = b
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Denning Semantics
• Program is secure if:– Explicit flow from S is secure– Explicit flow of all statements in a sequence are secure
(e.g., S1; S2)– Conditional c:S1, …, Sm is secure if:
• The explicit flows of all statements S1, …, Sm are secure• The implicit flows between c and the objects in Si are secure
18
Stmtb = a
Condif (b < 1)
Stmtc = d
Stmte = c Stmt
Stmtc = f
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Information Flow• Explicit and implicit flows form a graph
• Resulting flow graph
19
Stmtb = a
Condif (b < 1)
Stmtc = d
Stmte = c Stmt
Stmtc = f
a c b
d
f
e
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Secure When...• Suppose e is public
– What variables can be secret?• Suppose d is public
– What variables can be secret?• Suppose b is secret
– What variables can be public?
20
Stmtb = a
Condif (b < 1)
Stmtc = d
Stmte = c Stmt
Stmtc = f
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Chinese Wall
• Keep different parts of a firm isolated– Accounts with Ford and GM
• Access is not controlled by attribute of data alone– Also, data that the subject holds– Conflict sets
21
t0 t1
Hold: NoneConflict: {Ford, GM}
t2
Op: Access GMHold: NoneAccess: Allowed
t3 t4
Op: Access FordHold: GMAccess: Denied
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Chinese Wall• More formally,
– Objects may belong to a company dataset
– Companies may compete, so • Conflict of interest sets consist of competing company dataset labels
– Cannot access objects in two datasets in a COI set
• CW Simple Security Property– Read O,
• if accessed CD(O) already, can access again• for all datasets accessed previously, CD(O) not-in COI(previous)
• CW *-Security Property– Write O,
• if CW-Simple permits read• And we have only read data from CD(O)
22
Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Take Away• MLS policy provides a guarantee that a secret will not
be leaked to a lower access class– Even if you are running malicious code (e.g., Trojan horse)– But, does not include covert channels
• Know how to apply this
• However, we may also need to obtain secrecy guarantees for more privileged programs– Ones that could violate MLS– Use Denning’s model to prove compliance
• Information flows: Explicit and implicit
23