
Lecture #16 Composition Nondeducibility Generalized - PowerPoint PPT Presentation



  1. Lecture #16
    • Composition
    • Nondeducibility
    • Generalized Noninterference
    • Restrictiveness
  February 25, 2009 ECS 235B, Winter Quarter 2009 Slide #16-1 Matt Bishop, UC Davis

  2. Policy Composition I
    • Assumed: Output function of input
      – Means deterministic (else not a function)
      – Means uninterruptability (differences in timings can cause differences in states, hence in outputs)
    • This result holds for deterministic, noninterference-secure systems

  3. Compose Systems
    • Louie, Dewey LOW
    • Hughie HIGH
    • b_L output buffer
      – Anyone can read it
    • b_H input buffer
      – From HIGH source
    • Hughie reads from:
      – b_LH (Louie writes)
      – b_LDH (Louie, Dewey write)
      – b_DH (Dewey writes)
    [Figure: Louie and Dewey feed buffers b_LH, b_LDH and b_DH into Hughie; b_L is the output buffer and b_H the input buffer]

  4. Systems Secure
    • All noninterference-secure
      – Hughie has no output
        • So inputs don’t interfere with it
      – Louie, Dewey have no input
        • So (nonexistent) inputs don’t interfere with outputs
    [Figure: same diagram of Louie, Dewey, Hughie and the buffers b_L, b_H, b_LH, b_LDH, b_DH]

  5. Security of Composition
    • Buffers finite, sends/receives blocking: composition not secure!
      – Example: assume b_DH, b_LH have capacity 1
    • Algorithm:
      1. Louie (Dewey) sends message to b_LH (b_DH)
         – Fills buffer
      2. Louie (Dewey) sends second message to b_LH (b_DH)
      3. Louie (Dewey) sends a 0 (1) to b_L
      4. Louie (Dewey) sends message to b_LDH
         – Signals Hughie that Louie (Dewey) completed a cycle

  6. Hughie
    • Reads bit from b_H
      – If 0, receive message from b_LH
      – If 1, receive message from b_DH
    • Receive on b_LDH
      – To wait for buffer to be filled

  7. Example
    • Hughie reads 0 from b_H
      – Reads message from b_LH
    • Now Louie’s second message goes into b_LH
      – Louie completes step 2 and writes 0 into b_L
    • Dewey blocked at step 1
      – Dewey cannot write to b_L
    • Symmetric argument shows that Hughie reading 1 produces a 1 in b_L
    • So, input from b_H copied to output b_L
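The cycle of slides 5 to 7, simulated as an added Python example (not code from the slides or from Bishop's text): bounded queues with blocking put/get stand in for the finite buffers with blocking sends and receives, and the function returns what ends up in b_L. The bounded=False switch and copy_high_to_low are assumptions added here, to contrast the unbounded-buffer case and to repeat the cycle once per High bit.

```python
import queue
import threading


def run_cycle(high_bit, bounded=True):
    """One cycle of the composed Louie/Dewey/Hughie system from the slides.

    bounded=True: b_LH and b_DH hold one message (the slide's capacity 1);
    put() blocks when full and get() when empty, i.e. blocking sends and
    receives.  bounded=False: unbounded buffers (added contrast case).
    Returns the contents of the Low output buffer b_L after Hughie's cycle.
    """
    cap = 1 if bounded else 0              # Queue(maxsize=0) means unbounded
    b_LH = queue.Queue(maxsize=cap)        # Louie -> Hughie
    b_DH = queue.Queue(maxsize=cap)        # Dewey -> Hughie
    b_LDH = queue.Queue()                  # Louie, Dewey -> Hughie ("cycle done")
    b_L = []                               # Low output buffer, anyone can read

    def writer(own_buf, bit):              # Louie writes bit 0, Dewey bit 1
        own_buf.put("m1")                  # step 1: fills a capacity-1 buffer
        own_buf.put("m2")                  # step 2: blocks until Hughie receives
        b_L.append(bit)                    # step 3: send 0 (1) to b_L
        b_LDH.put("done")                  # step 4: signal that the cycle completed

    def hughie():
        chosen = b_LH if high_bit == 0 else b_DH   # the bit read from b_H decides
        chosen.get()                       # frees exactly one blocked writer
        b_LDH.get()                        # wait for that writer's cycle to end

    louie = threading.Thread(target=writer, args=(b_LH, 0), daemon=True)
    dewey = threading.Thread(target=writer, args=(b_DH, 1), daemon=True)
    hugh = threading.Thread(target=hughie, daemon=True)
    for t in (louie, dewey, hugh):
        t.start()
    hugh.join(timeout=5)
    for t in (louie, dewey):
        t.join(timeout=0.2)                # bounded case: one writer stays blocked
    return list(b_L)


def copy_high_to_low(high_bits):
    """Added generalisation: one fresh cycle per High input bit.  The bits that
    appear in b_L are exactly the High input, so b_H has been copied to b_L."""
    low_out = []
    for bit in high_bits:
        low_out.extend(run_cycle(bit))
    return low_out


if __name__ == "__main__":
    print(copy_high_to_low([0, 1, 1, 0, 1]))    # [0, 1, 1, 0, 1]
    print(sorted(run_cycle(0, bounded=False)))  # [0, 1]: both writers finish, b_H not revealed
```

With unbounded buffers neither writer blocks, so b_L always receives both a 0 and a 1 regardless of b_H; the leak needs the finite, blocking buffers the slide names.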

  8. Nondeducibility
    • Noninterference: do state transitions caused by high level commands interfere with sequences of state transitions caused by low level commands?
    • Really a question about inputs and outputs:
      – Can low level subject deduce anything about high level outputs from a set of low level outputs?

  9. Example: 2-Bit System
    • High operations change only High bit
      – Similar for Low
    • σ_0 = (0, 0)
    • Commands (Heidi, xor1), (Lara, xor0), (Lara, xor1), (Lara, xor0), (Heidi, xor1), (Lara, xor0)
      – Both bits output after each command
    • Output is: 00101011110101

  10. Security
    • Not noninterference-secure w.r.t. Lara
      – Lara sees output as 0001111
      – Delete High and she sees 00111
    • But Lara still cannot deduce the commands deleted
      – Don’t affect values; only lengths
    • So it is deducibly secure
      – Lara can’t deduce the commands Heidi gave

  11. Event System
    • 4-tuple (E, I, O, T)
      – E set of events
      – I ⊆ E set of input events
      – O ⊆ E set of output events
      – T set of all finite sequences of events legal within system
    • E partitioned into H, L
      – H set of High events
      – L set of Low events

  12. More Events …
    • H ∩ I set of High inputs
    • H ∩ O set of High outputs
    • L ∩ I set of Low inputs
    • L ∩ O set of Low outputs
    • T_Low set of all possible sequences of Low events that are legal within system
    • π_L : T → T_Low projection function deleting all High inputs from trace
      – Low observer should not be able to deduce anything about High inputs from trace t_Low ∈ T_Low

  13. Deducibly Secure
    • System deducibly secure if, for every trace t_Low ∈ T_Low, the corresponding set of high level traces contains every possible trace t ∈ T for which π_L(t) = t_Low
      – Given any t_Low, the trace t ∈ T producing that t_Low is equally likely to be any trace with π_L(t) = t_Low

  14. Example
    • Back to our 2-bit machine
      – Let xor0, xor1 apply to both bits
      – Both bits output after each command
    • Initial state: (0, 1)
    • Inputs: 1H 0L 1L 0H 1L 0L
    • Outputs: 10 10 01 01 10 10
    • Lara (at Low) sees: 001100
      – Does not know initial state, so does not know first input; but can deduce fourth input is 0
    • Not deducibly secure

  15. Example
    • Now xor0, xor1 apply only to state bit with same level as user
    • Inputs: 1H 0L 1L 0H 1L 0L
    • Outputs: 1011111011
    • Lara sees: 01101
    • She cannot deduce anything about input
      – Could be 0H 0L 1L 0H 1L 0L or 0L 1H 1L 0H 1L 0L for example
    • Deducibly secure
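Slides 13 to 15 as an added Python example (not the slides' own code): both 2-bit machines, Lara's projected view π_L, the set of High input values she cannot rule out, and an exhaustive check of the deducible-security definition that goes beyond the single input sequence on the slides. The names step_both, step_same_level, lara_view, consistent_high_inputs and deducibly_secure are my own; as slide 14 states, the initial state is treated as unknown to Lara, and the number of outputs (hence of High commands) is visible, as slide 10 allows.

```python
from itertools import product


def step_both(state, level, x):
    """Slide 14 machine: xor0/xor1 toggles both bits whatever the user's level."""
    return (state[0] ^ x, state[1] ^ x)


def step_same_level(state, level, x):
    """Slide 10/15 machine: xor applies only to the bit at the user's level."""
    h, l = state
    return (h ^ x, l) if level == "H" else (h, l ^ x)


def lara_view(step, init, trace):
    """Run trace, a list of (level, bit), from init = (high_bit, low_bit), both
    bits output after each command.  Returns (pi_L(trace), Low output bits)."""
    state, lows = init, []
    for level, x in trace:
        state = step(state, level, x)
        lows.append(state[1])
    # pi_L hides High input values; positions stay, since each command gives an output
    return tuple((l, x if l == "L" else None) for l, x in trace), tuple(lows)


def consistent_high_inputs(step, init, trace):
    """High input values Lara cannot rule out from the Low view of trace run
    from init; as on slide 14 she knows neither init nor the High values."""
    target = lara_view(step, init, trace)
    k = sum(l == "H" for l, _ in trace)
    found = set()
    for init2 in product((0, 1), repeat=2):
        for highs in product((0, 1), repeat=k):
            it = iter(highs)                 # substitute candidate High values
            t2 = [(l, next(it) if l == "H" else x) for l, x in trace]
            if lara_view(step, init2, t2) == target:
                found.add(highs)
    return sorted(found)


def deducibly_secure(step, n):
    """Slide 13's definition checked exhaustively over all traces of length n and
    all initial states: every Low view must admit every High value assignment."""
    by_view = {}
    events = [("H", 0), ("H", 1), ("L", 0), ("L", 1)]
    for init in product((0, 1), repeat=2):
        for trace in product(events, repeat=n):
            highs = tuple(x for l, x in trace if l == "H")
            by_view.setdefault(lara_view(step, init, trace), set()).add(highs)
    return all(len(highs) == 2 ** sum(l == "H" for l, _ in pi_l)
               for (pi_l, _), highs in by_view.items())


# The slides' input sequence 1H 0L 1L 0H 1L 0L, run from initial state (0, 1)
SLIDE_TRACE = [("H", 1), ("L", 0), ("L", 1), ("H", 0), ("L", 1), ("L", 0)]
```

For SLIDE_TRACE the first machine leaves Lara with only the High assignments whose fourth input is 0 (the slide's deduction), while the second machine leaves all four assignments open; the exhaustive check confirms the same verdicts over every trace of length 3.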

  16. Security of Composition
    • In general: deducibly secure systems not composable
    • Strong noninterference: deducible security + requirement that no High output occurs unless caused by a High input
      – Systems meeting this property are composable

  17. Example
    • 2-bit machine done earlier does not exhibit strong noninterference
      – Because it puts out High bit even when there is no High input
    • Modify machine to output only state bit at level of latest input
      – Now it exhibits strong noninterference

  18. Problem
    • Too restrictive; it bans some systems that are obviously secure
    • Example: System upgrade reads Low inputs, outputs those bits at High
      – Clearly deducibly secure: low level user sees no outputs
      – Clearly does not exhibit strong noninterference, as no high level inputs!

  19. Remove Determinism
    • Previous assumption
      – Input, output synchronous
      – Output depends only on commands triggered by input
        • Sometimes absorbed into commands …
      – Input processed one datum at a time
    • Not realistic
      – In real systems, lots of asynchronous events

  20. Generalized Noninterference
    • Nondeterministic systems meeting noninterference property meet generalized noninterference-secure property
      – More robust than nondeducible security because minor changes in assumptions affect whether system is nondeducibly secure

  21. Example
    • System with High Holly, Low Lucy, text file at High
      – File fixed size, symbol b marks empty space
      – Holly can edit file, Lucy can run this program:

        while true do
        begin
          n := read_integer_from_user;
          if n > file_length or char_in_file[n] = b then
            print random_character
          else
            print char_in_file[n];
        end;

  22. Security of System
    • Not noninterference-secure
      – High level inputs—Holly’s changes—affect low level outputs
    • May be deducibly secure
      – Can Lucy deduce contents of file from program?
      – If output meaningful (“This is right”) or close (“Thes is riqht”), yes
      – Otherwise, no
    • So deducibly secure depends on which inferences are allowed

  23. Composition of Systems
    • Does composing systems meeting generalized noninterference-secure property give you a system that also meets this property?
    • Define two systems (cat, dog)
    • Compose them

  24. First System: cat
    • Inputs, outputs can go left or right
    • After some number of High inputs, cat sends two Low outputs
      – First stop_count
      – Second parity of High inputs, outputs
    [Figure: cat with HIGH inputs and outputs on either side, and LOW outputs stop_count and 0 or 1]

  25. Noninterference-Secure?
    • If even number of High inputs, output could be:
      – 0 (even number of outputs)
      – 1 (odd number of outputs)
    • If odd number of High inputs, output could be:
      – 0 (odd number of outputs)
      – 1 (even number of outputs)
    • High level inputs do not affect output
      – So noninterference-secure

  26. Second System: dog
    • High outputs to left
    • Low outputs of 0 or 1 to right
    • stop_count input from the left
      – When it arrives, dog emits 0 or 1
    [Figure: dog with HIGH outputs to the left, LOW output 0 or 1 to the right, and stop_count arriving from the left]
