information flow
play

Information Flow ( Chapter 5 of the lecture notes) Erik Poll - PowerPoint PPT Presentation

Feb 23, 2024 •138 likes •589 views

Software Security Information Flow ( Chapter 5 of the lecture notes) Erik Poll Digital Security group Radboud University Nijmegen Motivating example Imagine using a mobile phone app to 1. locate nearest hotel using google 2. book a room

  1. Software Security Information Flow ( Chapter 5 of the lecture notes) Erik Poll Digital Security group Radboud University Nijmegen

  2. Motivating example Imagine using a mobile phone app to 1. locate nearest hotel using google 2. book a room with your credit card Sensitive information? location information & credit card no • (Un)wanted information flows? location should be leaked to google only • credit card info should be leaked to hotel only • Such information flow policies are an interesting class of security policies 2

  3. Motivating example Suppose that for our mobile phone app we want to enforce • location should be leaked to google only credit card info should be leaked to hotel only • Can OS access control on the app prevent these flows? • NO! Access control either gives or denies access to some information or service, but cannot restrict what app does it. More generally, could we enforce this at runtime by monitoring • the inputs & outputs of the application? NO! ! We would have to track the information inside the app with dynamic taint tracking. Recall PREfast supported static taint tracking – clumsily – also • inside the code 3

  4. Information Flow • An interesting category of security requirements is about information flow. Eg – no confidential information should leak over network – no untrusted input from network should leak into database • Information flow properties can be about confidentiality or integrity • Note the difference with access control: – access control is about access only (eg for mobile phone app, access to the location data) – information flow is also about what you do with data after you accessed it (eg how you process & forward location data) 4

  5. • Warning: possible exam questions coming up!

  6. Example Information Flow - Confidentiality String hi; // security label secret String lo; // security label public Which program fragments (may) cause problems if hi has to be kept confidential? 1. hi = lo; 5. println(lo); 2. lo = hi; 6. println(hi); 3. lo = "1234"; 7. readln(lo); 4. hi = "1234"; 8. readln(hi); 6

  7. Example Information Flow - Confidentiality String hi; // security label secret String lo; // security label public Which program fragments (may) cause problems if hi has to be kept confidential? 1. hi = lo; 5. println(lo) 2. lo = hi; 6. println(hi); 3. lo = "1234"; 7. readln(lo); ? ? 4. hi = "1234"; 8. readln(hi); 7

  8. Example Information Flow - Integrity String hi; // high integrity (trusted) data String lo; // low integrity (untrusted) data Which program fragments (may) cause problems if integrity of hi is important ? 1. hi = lo; 5. println(lo); 2. lo = hi; 6. println(hi); 3. lo = "1234"; 7. readln(lo); 4. hi = "1234"; 8. readln(hi); 8

  9. Example Information Flow - Integrity String hi; // high integrity (trusted) data String lo; // low integrity (untrusted) data Which program fragments (may) cause problems if integrity of hi is important ? 1. hi = lo; 5. println(lo); 2. lo = hi; 6. println(hi); 3. lo = "1234"; 7. readln(lo); 4. hi = "1234"; 8. readln(hi); 9

  10. Duality between integrity & confidentiality Integrity and confidentiality are duals : if you "flip" everything in a property or example for confidentiality, you get a corresponding property or example for integrity For example inputs are dangerous for integrity, outputs are dangerous for confidentiality 10

  11. Information flow • Information flow properties are about ruling out unwanted influences/dependencies/interference/observations • Note the difference between data flow properties and visibility modifiers (eg public, private) or, more generally, access control – it's not (just) about accessing data, but also about what you do with it 11

  12. Questions • What do we mean by information flow? (informally) • How can we specify information flow policies? • How can we enforce or check them? – dynamically (runtime) – statically (compile time) – by type systems • What is the semantics (ie. meaning) of information flow formally? 12

  13. Trickier examples for confidentiality int hi; // security label secret int lo; // security label public Which program fragments (may) cause problems for confidentiality? 1. if (hi > 0) { lo = 99; } 2. if (lo > 0) { hi = 66; } 3. if (hi > 0) { print(lo);} 4. if (lo > 0) { print(hi);} 13

  14. Trickier examples for confidentiality int hi; // security label secret int lo; // security label public Which program fragments (may) cause problems for confidentiality? 1. if (hi > 0) { lo = 99; } 2. if (lo > 0) { hi = 66; } 3. if (hi > 0) { print(lo);} implicit 4. if (lo > 0) { print(hi);} aka indirect flows 14

  15. indirect vs direct flows There are (at least) two kinds of information flows direct aka explicit flows • by “direct” assignment or leak eg lo=hi; or println(hi); indirect aka implicit flows • by indirect “influence” eg if (hi > 0} { lo = 99; } Implicit flows can be partial, ie leak some but not all info Eg the example above only leaks the sign of hi , not its value . 15

  16. Trickier examples for confidentiality Example int hi; // security label secret int lo; // security label public Which program fragments (may) cause problems for confidentiality? 1. while (hi>99) do {....}; 2. while (lo>99) do {....}; 3. a[hi] = 23; // where a is high/secret 4. a[hi] = 23; // where a is low/public 5. a[lo] = 23; // where a is high/secret 6. a[lo] = 23; // where a is low/public 16

  17. Trickier examples for confidentiality int hi; // security label secret int lo; // security label public 1. while (hi>99) do {....}; // timing or termination may reveal if hi > 99 2. while (lo>99) do {....}; // no problem 3. a[hi] = 23; // where a is high/secret // exception may reveal if hi is negative 4. a[hi] = 23; // where a is low/public // contents of a may reveal value of hi and, again, // exception may reveal if hi is negative 5. a[lo] = 23; // where a is high/secret // exception may reveal the length of a, which may be secret 6. a[lo] = 23; // where a is low/public - no problem 17

  18. Hidden channels More subtle forms of indirect information flows can arise via hidden channel aka covert channels aka side channels (non)termination • eg while (hi>99) do {....}; or if (hi=99) then {“loop”} else {“terminate”} execution time • eg for (i=0; i<hi; i++) {...}; or if (hi=1234) then {...} else {...} exceptions • eg a[i] = 23 may reveal length of a (if i is known), or leak info about i (if length of a is known), or reveal if a is null.. 18

  19. Hidden channels Apart from timing & terminations, there are many more side- • channels: – noise – power consumption – EM radiation – aka TEMPEST attacks In the courses Hardware Security and Cryptographic • Engineering you can find out more about hidden channels In our lab we have set-ups for • power analysis & EM radiation

  20. How can we statically enforce information flow policies by means of a type system?

  21. Type-based information flow Type systems have been proposed as way to restrict information flow. • most of the theoretical work considers confidentiality, but the same works for integrity Practical problem: often very (too) restrictive, because of difficulty in ruling out implicit flows 21

  22. Types for information flow (confidentiality) • We consider a lattice (Dutch: tralie) of different security levels H • For simplicity, just two levels – H(igh) or confidential, secret – L(ow) or public • Typing judgements e:t L meaning e has type t • implicitly with respect to a context x 1 :t 1 , ... x n :t n that gives levels of program variables 22

  23. More complex lattices Top Secret Top Secret Top Secret Libya Top Secret Syria Secret Secret Classified Secret Libya Secret Syria Unclassified Unclassified 23

  24. NATO classification Cosmic Secret Confidential Restricted Unclassified 24

  25. Rules for expressions e : t means e contains information of level t or lower variable x:t if x is a variable of type t • operations e:t e’:t for some binary operation + • e+e' : t (similar for n-ary) subtyping e:t t  t' • e:t' 25

  26. Rules for commands s : ok t means s only writes to level t or higher • assignment e : t x is a variable of type t x:=e : ok t • if-then-else e : t c1 : ok t c2 : ok t if e then c1 else c2 : ok t subtyping c : ok t t  t' • c : ok t' ie. ok t  ok t’ iff t  t' (anti-monotonicity) 26

  27. Rules for commands s : ok t means s only writes to level t or higher • composition c1 : ok t c2 : ok t c1;c2 : ok t • while e : t c : ok t while e do c : ok t 27

  28. Beware Beware of the confusing difference in directions e : t means e contains information of level t or lower s : ok t means s only writes to level t or higher For people familiar will Bell – LaPadula access control : there you have the same confusion, in the “no read up” & “no write down” rules

  29. How can we be sure that such type systems are “correct”?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples of information flow controls Android phone Firewalls Confinement Virtual machines May 15, 2017 ECS 235B Spring Quarter 2017 Slide

487 views • 32 slides
Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation) Boris Feigin Computer Laboratory, University of Cambridge PLID 2008 joint work with Alan Mycroft 1 / 22 Motivation Given suitable tools we

605 views • 33 slides
IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX) elisa.boschi@hitachi-eu.com {boschi, zseby, mark, hirsch}@fokus.fraunhofer.de Outline Outline IPFIX Terminology Applicability Initial Goals

212 views • 19 slides
Towards a Flow- and Path-Sensitive Information Flow Analysis Peixuan Li, Danfeng Zhang

Towards a Flow- and Path-Sensitive Information Flow Analysis Peixuan Li, Danfeng Zhang

Towards a Flow- and Path-Sensitive Information Flow Analysis Peixuan Li, Danfeng Zhang Pennsylvania State University University Park, PA, USA {pzl129,zhang}@cse.psu.edu Background: Information Flow Analysis o Security enforcement to prevent

379 views • 24 slides
Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

M AXIMUM F LOW How to do it... Why you want it... Where you find it... The Tao of Flow: Let your body go with the flow. -Madonna, Vogue Maximum flow...because youre worth it. -Loreal Go with the flow, Joe.

619 views • 20 slides
Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy

Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy

Secure Information Flow ! Protecting the confidentiality of secret information Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy Blood type: AB Birth date: 9/5/46 HIV: positive ! Access control and

399 views • 10 slides
Lecture 19: Flow and Confinement Examples of information flow applications The confinement

Lecture 19: Flow and Confinement Examples of information flow applications The confinement

Lecture 19: Flow and Confinement Examples of information flow applications The confinement problem Covert channels Isolation: virtual machines, sandboxes March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-1 Matt Bishop, UC

322 views • 30 slides
Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Information Flow 3 Many security requirements can be formulated as what information flow is allowed/disallowed E.g., confidential data should not

478 views • 27 slides
Lecture 17: Information Flow Basics and background Entropy Nonlattice flow policies

Lecture 17: Information Flow Basics and background Entropy Nonlattice flow policies

Lecture 17: Information Flow Basics and background Entropy Nonlattice flow policies Compiler-based mechanisms Execution-based mechanisms Examples Security Pipeline Interface Secure Network Server Mail Guard February

625 views • 44 slides
with Deferrable constraints in Haskell through the tale of a Haskell information flow control

with Deferrable constraints in Haskell through the tale of a Haskell information flow control

Gradually typed DSLs with Deferrable constraints in Haskell through the tale of a Haskell information flow control library Pablo Buiras, Alejandro Russo, Dimitrios Vytiniotis Information flow control 101 Non- interference:

465 views • 31 slides
Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

1.02k views • 58 slides
Secure Information Flow as a Safety Problem Overview Introduction to secure information flow

Secure Information Flow as a Safety Problem Overview Introduction to secure information flow

Secure Information Flow as a Safety Problem Overview Introduction to secure information flow Type-Based approach Self composition Downgrading Self composition with downgrading Type directed transformation

511 views • 22 slides
Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web

Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web

Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web script security: threats and countermeasures A formal model of web scripts Information flow security Secure multi-execution The

2.25k views • 131 slides
Information Flow in Logic Programming Antoun Yaacoub Introduction Syntax and semantics Antoun

Information Flow in Logic Programming Antoun Yaacoub Introduction Syntax and semantics Antoun

Inf. flow in Logic Prog. Information Flow in Logic Programming Antoun Yaacoub Introduction Syntax and semantics Antoun Yaacoub Information flow in logic Pg. Deciding Institut de Recherche en Informatique de Toulouse (IRIT) bisimulation

683 views • 66 slides
Information Theory and Security: Quantitative Information Flow Pasquale Malacaria

Information Theory and Security: Quantitative Information Flow Pasquale Malacaria

Information Theory and Security: Quantitative Information Flow Pasquale Malacaria pm@dcs.qmul.ac.uk School of Electronic Engineering and Computer Science Queen Mary University of London Information Theory and Security: Quantitative Information

835 views • 54 slides
Logics for Classical and Quantum Information Flow Sonja Smets (ILLC, University of Amsterdam)

Logics for Classical and Quantum Information Flow Sonja Smets (ILLC, University of Amsterdam)

Logics for Classical and Quantum Information Flow Sonja Smets (ILLC, University of Amsterdam) Financial Support Acknowledgement: 1 Overview General Research Aim: Model and reason about various forms of information flow in interacting

877 views • 42 slides
I n t r o t o P o s t g r e S Q L S e c u r i t y NordicPGDay 2014 Stockholm, Sweden Stephen

I n t r o t o P o s t g r e S Q L S e c u r i t y NordicPGDay 2014 Stockholm, Sweden Stephen

I n t r o t o P o s t g r e S Q L S e c u r i t y NordicPGDay 2014 Stockholm, Sweden Stephen Frost sfrost@snowman.net Resonate, Inc. Digital Media PostgreSQL Hadoop techjobs@resonateinsights.com

954 views • 54 slides
Operating System Security It is also important to understand the operations and the

Operating System Security It is also important to understand the operations and the

Security risks exist for all operating systems and are not new. It is important to know the existing threats. Operating System Security It is also important to understand the operations and the vulnerabilities of your OS. Try to

214 views • 8 slides
Jack Chen Some content taken from a previous year's walkthrough by Prof. Adam Bates CS 423:

Jack Chen Some content taken from a previous year's walkthrough by Prof. Adam Bates CS 423:

CS 423Operating System Design: Introduction to Linux Kernel Programming (MP4 Walkthrough) Jack Chen Some content taken from a previous year's walkthrough by Prof. Adam Bates CS 423: Operating Systems Design Preliminaries Take stable snapshots

492 views • 33 slides
1 Who am I / ? 2 IMA History and Goals 3 IMA Internals and Roadmap 4

1 Who am I / ? 2 IMA History and Goals 3 IMA Internals and Roadmap 4

Petko Manolov Konsulko Group petko.manolov@konsulko.com 1 Who am I / ? 2 IMA History and Goals 3 IMA Internals and Roadmap 4 Conclusion q Software engineer and long time Linux kernel hacker since 1995 q

210 views • 18 slides
Language-based Security FOSAD 2008 Steve Zdancewic University of Pennsylvania Confidential Data

Language-based Security FOSAD 2008 Steve Zdancewic University of Pennsylvania Confidential Data

Language-based Security FOSAD 2008 Steve Zdancewic University of Pennsylvania Confidential Data Networked information systems: PCs store passwords, e-mail, finances,... Businesses rely on computing infrastructure Military &amp;

1.18k views • 102 slides
Neural Networks: Powerful yet Mysterious MNIST (hand-written digit recognition) Power lies

Neural Networks: Powerful yet Mysterious MNIST (hand-written digit recognition) Power lies

Neural Networks: Powerful yet Mysterious MNIST (hand-written digit recognition) Power lies in the The working mechanism complexity of DNN is hard to understand 3-layer DNN with 10K neurons and 25M weights DNNs work as black-

459 views • 16 slides
Improving Usability of Information Flow Security in Java Mark Thober Joint work with Scott F.

Improving Usability of Information Flow Security in Java Mark Thober Joint work with Scott F.

Mark Thober June 14, 2007 Improving Usability of Information Flow Security in Java Mark Thober Joint work with Scott F. Smith Department of Computer Science Johns Hopkins University PLAS 07 1 Mark Thober June 14, 2007 Motivation

580 views • 37 slides
Expertise knowledge-based Policy Refinement Process T. Rochaeli and C. Eckert Technische

Expertise knowledge-based Policy Refinement Process T. Rochaeli and C. Eckert Technische

Expertise knowledge-based Policy Refinement Process T. Rochaeli and C. Eckert Technische Universitt Darmstadt 25.06.2007 POLICY '07, Bologna, Italy 1 Workflow and Kripke Model Workflow: computerized facilitation or automation of a

356 views • 13 slides

More recommend