lecture 19 flow and confinement
play

Lecture 19: Flow and Confinement Examples of information flow - PowerPoint PPT Presentation

Jan 29, 2023 •22 likes •322 views

Lecture 19: Flow and Confinement Examples of information flow applications The confinement problem Covert channels Isolation: virtual machines, sandboxes March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-1 Matt Bishop, UC

  1. Lecture 19: Flow and Confinement • Examples of information flow applications • The confinement problem – Covert channels • Isolation: virtual machines, sandboxes March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-1 Matt Bishop, UC Davis

  2. Example Information Flow Control Systems • Use access controls of various types to inhibit information flows • Security Pipeline Interface – Analyzes data moving from host to destination • Secure Network Server Mail Guard – Controls flow of data between networks that have different security classifications March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #18-2 Matt Bishop, UC Davis

  3. Security Pipeline Interface SPI host first disk second disk • SPI analyzes data going to, from host – No access to host main memory – Host has no control over SPI March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #18-3 Matt Bishop, UC Davis

  4. Use • Store files on first disk • Store corresponding crypto checksums on second disk • Host requests file from first disk – SPI retrieves file, computes crypto checksum – SPI retrieves file’s crypto checksum from second disk – If a match, file is fine and forwarded to host – If discrepency, file is compromised and host notified • Integrity information flow restricted here – Corrupt file can be seen but will not be trusted March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #18-4 Matt Bishop, UC Davis

  5. Secure Network Server Mail Guard (SNSMG) filters MTA MTA SECRET UNCLASSIFIED computer computer out in • Filters analyze outgoing messages – Check authorization of sender – Sanitize message if needed (words and viruses, etc.) • Uses type checking to enforce this – Incoming, outgoing messages of different type – Only appropriate type can be moved in or out March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #18-5 Matt Bishop, UC Davis

  6. Confinement • What is the problem? • Isolation: virtual machines, sandboxes • Detecting covert channels March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-6 Matt Bishop, UC Davis

  7. Example Problem • Server balances bank accounts for clients • Server security issues: – Record correctly who used it – Send only balancing info to client • Client security issues: – Log use correctly – Do not save or retransmit data client sends March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-7 Matt Bishop, UC Davis

  8. Generalization • Client sends request, data to server • Server performs some function on data • Server returns result to client • Access controls: – Server must ensure the resources it accesses on behalf of client include only resources client is authorized to access – Server must ensure it does not reveal client’s data to any entity not authorized to see the client’s data March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-8 Matt Bishop, UC Davis

  9. Confinement Problem • Problem of preventing a server from leaking information that the user of the service considers confidential March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-9 Matt Bishop, UC Davis

  10. Total Isolation • Process cannot communicate with any other process • Process cannot be observed Impossible for this process to leak information – Not practical as process uses observable resources such as CPU, secondary storage, networks, etc. March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-10 Matt Bishop, UC Davis

  11. Example • Processes p , q not allowed to communicate – But they share a file system! • Communications protocol: – p sends a bit by creating a file called 0 or 1 , then a second file called send • p waits until send is deleted before repeating to send another bit – q waits until file send exists, then looks for file 0 or 1 ; whichever exists is the bit • q then deletes 0 , 1 , and send and waits until send is recreated before repeating to read another bit March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-11 Matt Bishop, UC Davis

  12. Covert Channel • A path of communication not designed to be used for communication • In example, file system is a (storage) covert channel March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-12 Matt Bishop, UC Davis

  13. Rule of Transitive Confinement • If p is confined to prevent leaking, and it invokes q , then q must be similarly confined to prevent leaking • Rule: if a confined process invokes a second process, the second process must be as confined as the first March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-13 Matt Bishop, UC Davis

  14. Lipner’s Notes • All processes can obtain rough idea of time – Read system clock or wall clock time – Determine number of instructions executed • All processes can manipulate time – Wait some interval of wall clock time – Execute a set number of instructions, then block March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-14 Matt Bishop, UC Davis

  15. Kocher’s Attack • This computes x = a z mod n , where z = z 0 … z k –1 x := 1; atmp := a ; for i := 0 to k –1 do begin if z i = 1 then x := ( x * atmp ) mod n ; atmp := ( atmp * atmp ) mod n ; end result := x ; • Length of run time related to number of 1 bits in z March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-15 Matt Bishop, UC Davis

  16. Isolation • Present process with environment that appears to be a computer running only those processes being isolated – Process cannot access underlying computer system, any process(es) or resource(s) not part of that environment – A virtual machine • Run process in environment that analyzes actions to determine if they leak information – Alters the interface between process(es) and computer March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-16 Matt Bishop, UC Davis

  17. Virtual Machine • Program that simulates hardware of a machine – Machine may be an existing, physical one or an abstract one • Why? – Existing OSes do not need to be modified • Run under VMM, which enforces security policy • Effectively, VMM is a security kernel March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-17 Matt Bishop, UC Davis

  18. VMM as Security Kernel • VMM deals with subjects (the VMs) – Knows nothing about the processes within the VM • VMM applies security checks to subjects – By transitivity, these controls apply to processes on VMs • Thus, satisfies rule of transitive confinement March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-18 Matt Bishop, UC Davis

  19. Example 1: KVM/370 • KVM/370 is security-enhanced version of VM/370 VMM – Goal: prevent communications between VMs of different security classes – Like VM/370, provides VMs with minidisks, sharing some portions of those disks – Unlike VM/370, mediates access to shared areas to limit communication in accordance with security policy March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-19 Matt Bishop, UC Davis

  20. Example 2: VAX/VMM • Can run either VMS or Ultrix • 4 privilege levels for VM system – VM user, VM supervisor, VM executive, VM kernel (both physical executive) • VMM runs in physical kernel mode – Only it can access certain resources • VMM subjects: users and VMs March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-20 Matt Bishop, UC Davis

  21. Example 2 • VMM has flat file system for itself – Rest of disk partitioned among VMs – VMs can use any file system structure • Each VM has its own set of file systems – Subjects, objects have security, integrity classes • Called access classes – VMM has sophisticated auditing mechanism March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-21 Matt Bishop, UC Davis

  22. Problem • Physical resources shared – System CPU, disks, etc. • May share logical resources – Depends on how system is implemented • Allows covert channels March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-22 Matt Bishop, UC Davis

  23. Sandboxes • An environment in which actions are restricted in accordance with security policy – Limit execution environment as needed • Program not modified • Libraries, kernel modified to restrict actions – Modify program to check, restrict actions • Like dynamic debuggers, profilers March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-23 Matt Bishop, UC Davis

  24. Examples Limiting Environment • Java virtual machine – Security manager limits access of downloaded programs as policy dictates • Sidewinder firewall – Type enforcement limits access – Policy fixed in kernel by vendor • Domain Type Enforcement – Enforcement mechanism for DTEL – Kernel enforces sandbox defined by system administrator March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-24 Matt Bishop, UC Davis

  25. Modifying Programs • Add breakpoints or special instructions to source, binary code – On trap or execution of special instructions, analyze state of process • Variant: software fault isolation – Add instructions checking memory accesses, other security issues – Any attempt to violate policy causes trap March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-25 Matt Bishop, UC Davis

  26. Example: Janus • Implements sandbox in which system calls checked – Framework does runtime checking – Modules determine which accesses allowed • Configuration file – Instructs loading of modules – Also lists constraints March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-26 Matt Bishop, UC Davis

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples of information flow controls Android phone Firewalls Confinement Virtual machines May 15, 2017 ECS 235B Spring Quarter 2017 Slide

487 views • 32 slides
QCD - properties confinement, Higgs mechanism more on confinement (i) the absence of free quarks

QCD - properties confinement, Higgs mechanism more on confinement (i) the absence of free quarks

QCD - properties confinement, Higgs mechanism more on confinement (i) the absence of free quarks in Nature [but quarks could combine with a fundamental coloured scalar] (ii) observable particles are colour singlets [but this confuses

1.58k views • 130 slides
May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels May 24, 2017 ECS 235B Spring Quarter 2017 Slide #1 Compiling Compiler enforces or validates constraints Type-safe language enforces them

313 views • 27 slides
Tetraquarks in the Steiner tree model of confinement available at

Tetraquarks in the Steiner tree model of confinement available at

Introduction Symmetry breaking and tetraquarks The additive model of tetraquark confinement The Steiner-tree model of confinement Conclusions Tetraquarks in the Steiner tree model of confinement available at

644 views • 20 slides
Laboratorio Nacional de Fusin, CIEMAT, Spain 1/ 31 CORE TRANSPORT EMPIRICAL ACTUATORS

Laboratorio Nacional de Fusin, CIEMAT, Spain 1/ 31 CORE TRANSPORT EMPIRICAL ACTUATORS

SUMMARY SESSION EX/C Magnetic Confinement experiments (Confinement) EX/D Magnetic Confinement Experiments: Plasma-material interactions PPC -Plasma Overall Performance and Control I. CORE TRANSPORT II. EDGE TRANSPORT III. PLASMA-WALL IV.

591 views • 31 slides
May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets say basically the same thing Confinement, non-VM isolation Library operating systems Sandboxes Program modification Covert

584 views • 30 slides
Static Use-Based Object Confinement Christian Skalka and Scott Smith The Johns Hopkins University

Static Use-Based Object Confinement Christian Skalka and Scott Smith The Johns Hopkins University

Static Use-Based Object Confinement Christian Skalka and Scott Smith The Johns Hopkins University Object confinement: what is it? Object confinement is concerned with the encapsulation , or protection, of object references Code boundaries

412 views • 24 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if

Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if

Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if statements use expressions that are conceptually either true or false . These expressions are called relational expressions or Boolean expressions

570 views • 28 slides
2000-02-08 Lecture 14: Flow visualisation Feature extraction Unsteady flow

2000-02-08 Lecture 14: Flow visualisation Feature extraction Unsteady flow

Mats Nyl en February 8, 2000 Slide 1 of 13 2000-02-08 Lecture 14: Flow visualisation Feature extraction Unsteady flow Meteorological data VIS00 Mats Nyl en February 8, 2000 Slide 2 of 13 Flow visualization Fluid flow

399 views • 13 slides
Solitary ry confinement and super- maximum prisons A South Afr frican and in international

Solitary ry confinement and super- maximum prisons A South Afr frican and in international

Solitary ry confinement and super- maximum prisons A South Afr frican and in international perspective Gwen Dereymaeker Westville CC 7 September 2017 @ACJReform History ry of f super-maximum prisons Solitary confinement as punishment

380 views • 18 slides
Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

M AXIMUM F LOW How to do it... Why you want it... Where you find it... The Tao of Flow: Let your body go with the flow. -Madonna, Vogue Maximum flow...because youre worth it. -Loreal Go with the flow, Joe.

619 views • 20 slides
Lecture 17: Information Flow Basics and background Entropy Nonlattice flow policies

Lecture 17: Information Flow Basics and background Entropy Nonlattice flow policies

Lecture 17: Information Flow Basics and background Entropy Nonlattice flow policies Compiler-based mechanisms Execution-based mechanisms Examples Security Pipeline Interface Secure Network Server Mail Guard February

625 views • 44 slides
FIRST STEP ACT OF 2018 Early Release Mechanisms: Home Confinement and Reduction in Sentence

FIRST STEP ACT OF 2018 Early Release Mechanisms: Home Confinement and Reduction in Sentence

FIRST STEP ACT OF 2018 Early Release Mechanisms: Home Confinement and Reduction in Sentence Peter Goldberger, Ardmore PA NACDL Webinar, July 25, 2019 Early Eligibility for Home Confinement Per 603(a) of the First Step Act, amending

356 views • 22 slides
PROGRAMMING CONTESTS Jaehyun Park Last Lecture on Graph Algorithms Network Flow Problems

PROGRAMMING CONTESTS Jaehyun Park Last Lecture on Graph Algorithms Network Flow Problems

CS 97SI: INTRODUCTION TO PROGRAMMING CONTESTS Jaehyun Park Last Lecture on Graph Algorithms Network Flow Problems Maximum Flow Minimum Cut Ford-Fulkerson Algorithm Application: Bipartite Matching Min-cost Max-flow

460 views • 23 slides
Review Network flow definitions CSE 421 Flow examples Augmenting Paths Algorithms

Review Network flow definitions CSE 421 Flow examples Augmenting Paths Algorithms

Review Network flow definitions CSE 421 Flow examples Augmenting Paths Algorithms g Residual Graph Richard Anderson Ford Fulkerson Algorithm Lecture 22 Cuts Network Flow Maxflow-MinCut Theorem Network Flow

860 views • 4 slides
Online Ranking Combination Erzs ebet Frig o Institute for Computer Science and Control (MTA

Online Ranking Combination Erzs ebet Frig o Institute for Computer Science and Control (MTA

Online Ranking Combination Erzs ebet Frig o Institute for Computer Science and Control (MTA SZTAKI) Joint work with Levente Kocsis Overview Framework: prequential ranking evaluation Goal: optimize convex combination of ranking

407 views • 24 slides
Chapter 3: Using. Risa Wechsler KIPAC @ Stanford & SLAC large cosmological simulations

Chapter 3: Using. Risa Wechsler KIPAC @ Stanford & SLAC large cosmological simulations

Creating, Testing, and Using Simulations of the Galaxy Population in the era of surveys of 10 billion galaxies Chapter 3: Using. Risa Wechsler KIPAC @ Stanford & SLAC large cosmological simulations allow you to do many analyses in new

801 views • 32 slides
IPv4 reverse measurements Mattijs Jonker Introduction Over fjve years ago, we started with an

IPv4 reverse measurements Mattijs Jonker Introduction Over fjve years ago, we started with an

IPv4 reverse measurements Mattijs Jonker Introduction Over fjve years ago, we started with an idea: Can we measure (large parts) of the global DNS on a daily basis? This idea led to the OpenINTEL project (Rafgaele presented the

392 views • 18 slides
WEBINAR 30 th APRIL 2020 Maysir UNIQUE FEATURES OF TAKAFUL COMPARED TO INSURANCE Concept of

WEBINAR 30 th APRIL 2020 Maysir UNIQUE FEATURES OF TAKAFUL COMPARED TO INSURANCE Concept of

WEBINAR 30 th APRIL 2020 Maysir UNIQUE FEATURES OF TAKAFUL COMPARED TO INSURANCE Concept of profit Based on sharing Islamic Principles Mudarabah Unique Features of Takaful Kafala ( jointly Participants guarantee one (Customers) are

114 views • 9 slides
1 Assessing Risk in the Physical Build of a Network REANNZ lunchtime presentation 2019 WHAT

1 Assessing Risk in the Physical Build of a Network REANNZ lunchtime presentation 2019 WHAT

1 Assessing Risk in the Physical Build of a Network REANNZ lunchtime presentation 2019 WHAT REANNZ HAS LEARNED ABOUT ASSESSING RISK IN THE PHYSICAL NETWORK BUILD 2 Assessing Risk in the Physical Build of a Network REANNZ lunchtime

960 views • 26 slides
Approximate Sliding Window Framework with Error Control lvaro Villalba Former Research

Approximate Sliding Window Framework with Error Control lvaro Villalba Former Research

Constant-Time Approximate Sliding Window Framework with Error Control lvaro Villalba Former Research Engineer 05/08/2019 ISORC 2019 - Valncia A bit about me PhD Student at UPC - BarcelonaTECH Computer Architecture Department

709 views • 33 slides
Online Algorithms Algorithm Theory WS 2012/13 Fabian Kuhn Self Adjusting Lists Linked lists

Online Algorithms Algorithm Theory WS 2012/13 Fabian Kuhn Self Adjusting Lists Linked lists

Chapter 8 Online Algorithms Algorithm Theory WS 2012/13 Fabian Kuhn Self Adjusting Lists Linked lists are often inefficient Cost of accessing an item at position is linear in But, linked lists are extremely simple And

387 views • 9 slides
Using the Wheel Without Reinventing It: How to examine Noyce projects Part II Presented by:

Using the Wheel Without Reinventing It: How to examine Noyce projects Part II Presented by:

Using the Wheel Without Reinventing It: How to examine Noyce projects Part II Presented by: John Sutton, Ph.D. Brandie Ward Emma Espel, Ph.D. 1 1 Goals We hope you leave the webinar better prepared to answer two questions: What

984 views • 53 slides

More recommend