disjunction category labels
play

Disjunction Category Labels Deian Stefan, Alejandro Russo, David - PowerPoint PPT Presentation

Feb 24, 2024 •44 likes •564 views

Disjunction Category Labels Deian Stefan, Alejandro Russo, David Mazires, John Mitchell NordSec 2011 Motivating Example Bob Speadsheet WebTax Public Network Proprietary DB Motivating Example Bob does not trust WebTax WebTax can

  1. Disjunction Category Labels Deian Stefan, Alejandro Russo, David Mazières, John Mitchell NordSec 2011

  2. Motivating Example Bob Speadsheet WebTax Public Network Proprietary DB

  3. Motivating Example • Bob does not trust WebTax ➤ WebTax can exfiltrated his data Bob • WebTax author does not trust Bob Speadsheet WebTax ➤ Bob can learn proprietary information by inspecting code • WebTax author want to prevent Public Network Proprietary DB leaks due to bugs

  4. Motivating Example • Bob does not trust WebTax ➤ WebTax can exfiltrated his data Bob • WebTax author does not trust Bob Speadsheet WebTax ➤ Bob can learn proprietary information by inspecting code • WebTax author want to prevent Public Network Proprietary DB leaks due to bugs

  5. Motivating Example • Bob does not trust WebTax ➤ WebTax can exfiltrated his data Bob • WebTax author does not trust Bob Speadsheet WebTax ➤ Bob can learn proprietary information by inspecting code • WebTax author want to prevent Public Network Proprietary DB leaks due to bugs

  6. Motivating Example • Bob does not trust WebTax ➤ WebTax can exfiltrated his data Bob • WebTax author does not trust Bob Speadsheet WebTax ➤ Bob can learn proprietary information by inspecting code • WebTax author want to prevent Public Network Proprietary DB leaks due to bugs

  7. Motivating Example • Bob does not trust WebTax ➤ WebTax can exfiltrated his data Bob • WebTax author does not trust Bob Speadsheet WebTax ➤ Bob can learn proprietary information by inspecting code • WebTax author want to prevent Public Network Proprietary DB leaks due to bugs How do we address security in the presence of mutual-distrust?

  8. Information Flow Control Well-established approach to enforcing security • ➤ Confidentiality: prevent unwanted leaks ➤ Integrity: prevent flows to critical operations Decentralized IFC addresses mutual distrust • Suitable for executing untrustworthy code • ➤ Policies specify where data can flow

  9. Example with IFC Policy: observable by Bob cannot be exfiltrated to network Bob Speadsheet WebTax Policy: observable by WebTax author Public Network Proprietary DB

  10. IFC Policies How are policies specified? • ➤ Associating a label with every piece of data Labels form a lattice over can-flow-to relation ⊑ • ➤ E.g., Bob’s data cannot flow to network ⋢ Policies are enforced at every possible flow • WebTax

  11. IFC Policies How are policies specified? • ➤ Associating a label with every piece of data Labels form a lattice over can-flow-to relation ⊑ • ➤ E.g., Bob’s data cannot flow to network ⋢ Policies are enforced at every possible flow • ⊑ ? WebTax

  12. IFC Policies How are policies specified? • ➤ Associating a label with every piece of data Labels form a lattice over can-flow-to relation ⊑ • ➤ E.g., Bob’s data cannot flow to network ⋢ Policies are enforced at every possible flow • ⋢ ✗ WebTax

  13. Motivation for DC Labels Existing DIFC systems use ad-hoc label formats • ➤ DLM, Asbestos/HiStar, DStar, Flume, etc. all present their own label format Most labels have not been formalized • Some rely on centralized components • Need simple, sound, expressive & • decentralized label format ➠ DC Labels

  14. DC Labels 〈 S , I 〉 Components S and I are formulas over principals • ➤ Components impose restrictions on data flow Principal is a source of authority (e.g., Bob) • Restrictions: • ➤ S and I are minimal (sorted) formulas in CNF ➤ Neither S nor I contain negated terms

  15. DC Labels 〈 S , I 〉 Secrecy component S: • ➤ Specifies principals allowed or whose consent is necessary to observe the data Integrity component I : • ➤ Specifies principals that created or are allowed to modify the data

  16. Example with DC Labels Policy: observable by Bob Bob Speadsheet WebTax Policy: observable by WebTax author Public Network Proprietary DB

  17. Example with DC Labels Policy: observable by Bob 〈 {Bob}, {Bob} 〉 Bob Speadsheet WebTax 〈 {Preparer}, {Preparer} 〉 Policy: observable by WebTax author Public Network Proprietary DB

  18. Example with DC Labels Policy: Bob created & observable by Bob vouches for data 〈 {Bob}, {Bob} 〉 Bob Speadsheet WebTax Preparer created 〈 {Preparer}, {Preparer} 〉 & vouches for data Policy: observable by WebTax author Public Network Proprietary DB

  19. A more interesting label 〈 {(Bob ⋁ Alice) ⋀ User}, {Bob ⋁ Alice} 〉

  20. A more interesting label Policy: created/modified by Bob or Alice 〈 {(Bob ⋁ Alice) ⋀ User}, {Bob ⋁ Alice} 〉

  21. A more interesting label Policy: created/modified by Bob or Alice 〈 {(Bob ⋁ Alice) ⋀ User}, {Bob ⋁ Alice} 〉 Policy I: Policy II: observable by Bob observable by or Alice User (group) ➠ Policy: observable by Bob or Alice, given the consent the User group (or vice versa)

  22. A more interesting label “categories” Policy: created/modified by Bob or Alice 〈 {(Bob ⋁ Alice) ⋀ User}, {Bob ⋁ Alice} 〉 Policy I: Policy II: observable by Bob observable by or Alice User (group) ➠ Policy: observable by Bob or Alice, given the consent the User group (or vice versa)

  23. General observations … Secrecy: {(A ⋁ B) ⋀ C ⋀ } • ➤ Disjunction ➠ allows more readers ➤ Conjunction ➠ more restrictions ∴ more secret … Integrity: {(A ⋁ B) ⋀ C ⋀ } • ➤ Disjunction ➠ allows more writers ➤ Conjunction ➠ more restrictions ∴ trustworthy

  24. Enforcing IFC Data may flow from one entity to another iff • ➤ it accumulates more secrecy restrictions ➤ it losses integrity restrictions S 2 ⟹ S 1 I 1 ⟹ I 2 〈 S 1 , I 1 〉 ⊑ 〈 S 2 , I 2 〉

  25. Enforcing IFC Data may flow from one entity to another iff • ➤ it accumulates more secrecy restrictions ➤ it losses integrity restrictions Principal’s whose consent is needed S 2 ⟹ S 1 I 1 ⟹ I 2 to observe S 2 must include those of S 1 〈 S 1 , I 1 〉 ⊑ 〈 S 2 , I 2 〉

  26. Enforcing IFC Data may flow from one entity to another iff • ➤ it accumulates more secrecy restrictions ➤ it losses integrity restrictions Principal’s whose Dual of secrecy. consent is needed I 2 must be less S 2 ⟹ S 1 I 1 ⟹ I 2 to observe S 2 restricting than I 1 must include those of S 1 〈 S 1 , I 1 〉 ⊑ 〈 S 2 , I 2 〉

  27. Example of label relations Secrecy 〈 {Alice ⋁ Bob}, True 〉 〈 {Alice ⋁ Bob ⋁ Charlie}, True 〉 〈 {Alice ⋁ Bob}, True 〉 〈 {Alice ⋀ Dan}, True 〉 〈 {Alice ⋀ Bob}, True 〉 〈 {Alice}, True 〉

  28. Example of label relations Secrecy ✗ 〈 {Alice ⋁ Bob}, True 〉 〈 {Alice ⋁ Bob ⋁ Charlie}, True 〉 〈 {Alice ⋁ Bob}, True 〉 〈 {Alice ⋀ Dan}, True 〉 〈 {Alice ⋀ Bob}, True 〉 〈 {Alice}, True 〉

  29. Example of label relations Secrecy ✗ 〈 {Alice ⋁ Bob}, True 〉 〈 {Alice ⋁ Bob ⋁ Charlie}, True 〉 ✓ 〈 {Alice ⋁ Bob}, True 〉 〈 {Alice ⋀ Dan}, True 〉 〈 {Alice ⋀ Bob}, True 〉 〈 {Alice}, True 〉

  30. Example of label relations Secrecy ✗ 〈 {Alice ⋁ Bob}, True 〉 〈 {Alice ⋁ Bob ⋁ Charlie}, True 〉 ✓ 〈 {Alice ⋁ Bob}, True 〉 〈 {Alice ⋀ Dan}, True 〉 ✗ 〈 {Alice ⋀ Bob}, True 〉 〈 {Alice}, True 〉

  31. Example of label relations Integrity 〈 True , {Alice ⋁ Bob} 〉 〈 True , {Alice ⋁ Bob ⋁ Charlie} 〉 〈 True , {Alice} 〉 〈 True , {Alice ⋁ Bob} 〉 〈 True , {Alice} 〉 〈 True , {Alice ⋀ Bob} 〉

  32. Example of label relations Integrity ✓ 〈 True , {Alice ⋁ Bob} 〉 〈 True , {Alice ⋁ Bob ⋁ Charlie} 〉 〈 True , {Alice} 〉 〈 True , {Alice ⋁ Bob} 〉 〈 True , {Alice} 〉 〈 True , {Alice ⋀ Bob} 〉

  33. Example of label relations Integrity ✓ 〈 True , {Alice ⋁ Bob} 〉 〈 True , {Alice ⋁ Bob ⋁ Charlie} 〉 ✓ 〈 True , {Alice} 〉 〈 True , {Alice ⋁ Bob} 〉 〈 True , {Alice} 〉 〈 True , {Alice ⋀ Bob} 〉

  34. Example of label relations Integrity ✓ 〈 True , {Alice ⋁ Bob} 〉 〈 True , {Alice ⋁ Bob ⋁ Charlie} 〉 ✓ 〈 True , {Alice} 〉 〈 True , {Alice ⋁ Bob} 〉 ✗ 〈 True , {Alice} 〉 〈 True , {Alice ⋀ Bob} 〉

  35. DC Labels form a lattice Combining differently labeled data ➠ join ⊔ • 〈 S 1 , I 1 〉 ⊔ 〈 S 2 , I 2 〉 = 〈 S 1 ⋀ S 2 , I 1 ⋁ I 2 〉 Writing to differently labeled entities ➠ meet ⊓ • ➤ Dual of join: 〈 S 1 , I 1 〉 ⊓ 〈 S 2 , I 2 〉 = 〈 S 1 ⋁ S 2 , I 1 ⋀ I 2 〉

  36. DC Labels form a lattice Combining differently labeled data ➠ join ⊔ • Need consent of principals in S 1 and S 2 to observe data 〈 S 1 , I 1 〉 ⊔ 〈 S 2 , I 2 〉 = 〈 S 1 ⋀ S 2 , I 1 ⋁ I 2 〉 Writing to differently labeled entities ➠ meet ⊓ • ➤ Dual of join: 〈 S 1 , I 1 〉 ⊓ 〈 S 2 , I 2 〉 = 〈 S 1 ⋁ S 2 , I 1 ⋀ I 2 〉

  37. DC Labels form a lattice Combining differently labeled data ➠ join ⊔ • Principals of I 1 or I 2 could Need consent of principals in have created the data S 1 and S 2 to observe data 〈 S 1 , I 1 〉 ⊔ 〈 S 2 , I 2 〉 = 〈 S 1 ⋀ S 2 , I 1 ⋁ I 2 〉 Writing to differently labeled entities ➠ meet ⊓ • ➤ Dual of join: 〈 S 1 , I 1 〉 ⊓ 〈 S 2 , I 2 〉 = 〈 S 1 ⋁ S 2 , I 1 ⋀ I 2 〉

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

- na : a disjunction AND conjunction marker? A-na B: disjunction Example Disjunction and

- na : a disjunction AND conjunction marker? A-na B: disjunction Example Disjunction and

Introduction - na : a disjunction AND conjunction marker? A-na B: disjunction Example Disjunction and Alternative Conditionals in Korean Angie- na Brad -ka cikum Nagoya-ey issta. now Nagoya-in exist Angie- na Brad- N OM Jiwon Yun Angie

195 views • 8 slides
Towards an exhaustification analysis of plain disjunction in Russian Formal Approaches to Russian

Towards an exhaustification analysis of plain disjunction in Russian Formal Approaches to Russian

Towards an exhaustification analysis of plain disjunction in Russian Formal Approaches to Russian Linguistics 3 Pavel Rudnev pasha.rudnev@gmail.com 56 April 2019 Disjunction and polarity Focus of this talk syntax and semantics of plain

237 views • 21 slides
2016 Vegetable Pesticide Update: Weeds 1) New/Changed labels 2) Labels soon 3) Auxin Technologies

2016 Vegetable Pesticide Update: Weeds 1) New/Changed labels 2) Labels soon 3) Auxin Technologies

2016 Vegetable Pesticide Update: Weeds 1) New/Changed labels 2) Labels soon 3) Auxin Technologies drift management New Herbicide Labels for 2016 1) New Select Max Labels 2) Chateau row middle for Cabbage Grass Control Herbicides Select Max

565 views • 35 slides
Self-Stabilizing Silent Disjunction in an Anonymous Network Ajoy K. Datta Stphane Devismes

Self-Stabilizing Silent Disjunction in an Anonymous Network Ajoy K. Datta Stphane Devismes

Self-Stabilizing Silent Disjunction in an Anonymous Network Ajoy K. Datta Stphane Devismes Lawrence L. Larmore University of Nevada Las Vegas Universit Joseph Fourier, Grenoble Datta Devismes Larmore (UNLV/UJFG) Distributed Disjunction

2.13k views • 174 slides
Disjunction Property . . . A derivable or B derivable A B derivable . . . A B

Disjunction Property . . . A derivable or B derivable A B derivable . . . A B

Utrecht University Jeroen Goudsmit The Admissible Rules of BD 2 August 8 th 2013 . Disjunction Property . . . A derivable or B derivable A B derivable . . . A B A or B . . . . . semantics syntax A B A

731 views • 60 slides
Eco Labels in AEC Dr.Lunchakorn Prathumratana Thailand Environment Institute (TEI) Eco labels in

Eco Labels in AEC Dr.Lunchakorn Prathumratana Thailand Environment Institute (TEI) Eco labels in

NSTDA Annual Conference 2013 Eco Labels in AEC Dr.Lunchakorn Prathumratana Thailand Environment Institute (TEI) Eco labels in AEC ASEAN and Type 1 Ecolabelling No . of No . of certified ASEAN GEN member standards products 45 2150

363 views • 23 slides
2012 GFVGA: Herbicide Update 2012 Weed Control Update 1. Recent labels 2. New labels 3. Near

2012 GFVGA: Herbicide Update 2012 Weed Control Update 1. Recent labels 2. New labels 3. Near

2012 GFVGA: Herbicide Update 2012 Weed Control Update 1. Recent labels 2. New labels 3. Near future labels LABELED OR NOT LABELED FOR GEORGIA! GFVGA Third Party Registrations 1. Labels are held by GFVGA. 2. Label must be in hand of user. 3.

633 views • 35 slides
PRODUCTS Adhesive paper; A4 size adhesive paper; Blank labels in rolls and sheets; Labels for

PRODUCTS Adhesive paper; A4 size adhesive paper; Blank labels in rolls and sheets; Labels for

GIPAKO Self-Adhesive materials, labels, Linerless Different label SOLUTIONS ADDRESS: Kiemeli 18B, Vilnius district Phone: +370 5 2392413 LT-14025 Maiiagala Fax: +370 5 2392607 Savanori pr. 176, 5 a. Mobile: +370 656 99337 www.gipako.lt

585 views • 11 slides
Negotiating lexical uncertainty and speaker expertise with disjunction Christopher Potts

Negotiating lexical uncertainty and speaker expertise with disjunction Christopher Potts

Overview Side-effects Model Analysis Implicature blocking Conclusion Negotiating lexical uncertainty and speaker expertise with disjunction Christopher Potts Stanford Linguistics Paper, code, data: https://github.com/cgpotts/pypragmods

1.2k views • 68 slides
Hurfords constraint, the semantics of disjunction, and the nature of alternatives Ivano

Hurfords constraint, the semantics of disjunction, and the nature of alternatives Ivano

Hurfords constraint, the semantics of disjunction, and the nature of alternatives Ivano Ciardelli joint work with Floris Roelofsen InqBnB2 Amsterdam, 17-12-2017 Inquisitive semantics and alternative semantics Both propose a

1.72k views • 62 slides
The SAT 2005 Competition Industrial category Certified UNSAT Special track Fourth Edition Non

The SAT 2005 Competition Industrial category Certified UNSAT Special track Fourth Edition Non

The SAT 2005 Competition Whats new this year The benchmarks First stage results All categories Random category Crafted category Industrial category Second stage results Random category Crafted category The SAT 2005 Competition

791 views • 55 slides
Category Management Coalition for Government Procurement April 10, 2014 Category Management

Category Management Coalition for Government Procurement April 10, 2014 Category Management

Category Management Coalition for Government Procurement April 10, 2014 Category Management Definition of Category Five Responsibilities of Category Management Management Optimize Develops and executes the Contract - Identifying vehicles

257 views • 6 slides
Disjunction and Existence Properties in Inquisitive Logic Gianluca Grilletti June 30, 2017

Disjunction and Existence Properties in Inquisitive Logic Gianluca Grilletti June 30, 2017

Disjunction and Existence Properties in Inquisitive Logic Gianluca Grilletti June 30, 2017 Institute for Logic, Language and Computation (ILLC), 1 Amsterdam, the Netherlands Motivating example: hospital protocol A disease gives rise to

1.28k views • 88 slides
Two souls of disjunction Towards a state-monadic update semantics Patrick D. Elliott July 3,

Two souls of disjunction Towards a state-monadic update semantics Patrick D. Elliott July 3,

Two souls of disjunction Towards a state-monadic update semantics Patrick D. Elliott July 3, 2019 Asymmetries in Language: Presuppositions and beyond Berlin 1 Two souls i Two broad traditions addressing semantics and pragmatics of

584 views • 37 slides
MPLS Special Purpose Labels

MPLS Special Purpose Labels

MPLS Special Purpose Labels dra2-kompella-mpls-special-purpose-labels-01 Loa Andersson Adrian Farrel Kiree< Kompella Two Things Making the

485 views • 10 slides
Free Choice Disjunction as a Rational Speech Act Lucas Champollion, Anna Alsop, and Ioana Grosu

Free Choice Disjunction as a Rational Speech Act Lucas Champollion, Anna Alsop, and Ioana Grosu

Free Choice Disjunction as a Rational Speech Act Lucas Champollion, Anna Alsop, and Ioana Grosu {champollion,aalsop,ig950}@nyu.edu May 17-19, 2019 SALT, UCLA (handout to accompany poster) 1 Introduction Main fact to explain: Free Choice

677 views • 16 slides
Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University http://dedis.cs.yale.edu/ USENIX HotCloud, June 13, 2012 The Long History of Timing Attacks Cooperative attacks apply to: Mandatory Access

359 views • 21 slides
IoT Security What, Why, How Earlence Fernandes Your car is a computer with wheels and an engine

IoT Security What, Why, How Earlence Fernandes Your car is a computer with wheels and an engine

IoT Security What, Why, How Earlence Fernandes Your car is a computer with wheels and an engine Your refrigerator is a computer that keeps food cold Your ATM is a computer with money inside -- Bruce Schneier to the US House Committee on Energy

559 views • 40 slides
Probabilistic Actual Causation Luke Fenton-Glynn l.glynn@ucl.ac.uk Intro Prob-Raise Three

Probabilistic Actual Causation Luke Fenton-Glynn l.glynn@ucl.ac.uk Intro Prob-Raise Three

Intro Prob-Raise Three Scenarios Prob. Causal Models Apt Models Conclusion Probabilistic Actual Causation Luke Fenton-Glynn l.glynn@ucl.ac.uk Intro Prob-Raise Three Scenarios Prob. Causal Models Apt Models Conclusion Introduction

229 views • 20 slides
Lessons Learned from Low-Income Energy Efficiency Programs March 23, 2017 Housekeeping Upcoming

Lessons Learned from Low-Income Energy Efficiency Programs March 23, 2017 Housekeeping Upcoming

Low-Income Solar, Part 1: Lessons Learned from Low-Income Energy Efficiency Programs March 23, 2017 Housekeeping Upcoming Webinars Interactions between Wind Turbines and Wildlife, Part 2 Wednesday, March 29, 1-2pm ET Low-Income Solar, Part

407 views • 29 slides
Cute Tricks with Cute Tricks with Virtual Memory Virtual Memory A short history of VM A short

Cute Tricks with Cute Tricks with Virtual Memory Virtual Memory A short history of VM A short

Cute Tricks with Cute Tricks with Virtual Memory Virtual Memory A short history of VM A short history of VM Memory used to be quite limited. (and why they dont work) (and why they dont work) Use secondary storage to emulate. Either by

313 views • 5 slides
The burden of asbestos-related disease in BC Asbestos Measurements (2,175) by Sector: BC,

The burden of asbestos-related disease in BC Asbestos Measurements (2,175) by Sector: BC,

The burden of asbestos-related disease in BC Asbestos Measurements (2,175) by Sector: BC, 1981-2004 Manufacturing 660 (30%) Service Sector 806 (37%) Auto Repair 239 (11%) Education 206 (9%) Healthcare 86 (4%) Construction 285 (13%)

269 views • 23 slides
WHY SHOULD CANCER SOCIETIES BE INVOLVED ? ! Occupational cancers are not going away ! We are an

WHY SHOULD CANCER SOCIETIES BE INVOLVED ? ! Occupational cancers are not going away ! We are an

Occupational Cancer: How can Cancer Societies be involved - what should we do ? ! Terry Slevin , ! Cancer Council Western Australia ! Chair, Occupational and Environmental Cancer Committee & National Skin Cancer Committee for Cancer Council

503 views • 24 slides
FILARIAL WORMS Found mainly in tropical regions in Asia Threadlike worms live in the

FILARIAL WORMS Found mainly in tropical regions in Asia Threadlike worms live in the

FILARIAL WORMS Found mainly in tropical regions in Asia Threadlike worms live in the blood and lymph vessels of birds and mammals. They are transmitted by mosquitoes. Cause severe infections Worms block passage of lymph

390 views • 8 slides

More recommend