Secrecy Security Policy - CSE497b Spring 2007 - Introduction to Computer and Network Security - PowerPoint PPT Presentation



SLIDE 1

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Secrecy Security Policy

CSE497b - Spring 2007 - Introduction to Computer and Network Security - Professor Jaeger

www.cse.psu.edu/~tjaeger/cse497b-s07/

SLIDE 2

Secrecy Problem

  • Does the following protection state ensure the secrecy of J’s private key in O1?

          O1    O2    O3
    J     R     R W   R W
    S2    N     R     R W
    S3    N     R     R W

  (N = no access)

SLIDE 3

Protection vs Security

  • Protection

– Security goals met under trusted processes
– Protects against an error by a non-malicious entity

  • Security

– Security goals met under potentially malicious processes
– Protects against any malicious entity

  • For J:

– A non-malicious process shouldn’t leak the private key by writing it to O3
– A malicious process may write the private key to O3 (J holds R on O1 and W on O3, and S2 and S3 can read O3)

SLIDE 4

Why Doesn’t DAC Work?

  • Goal: User has a file O1 she wants to keep secret
  • Threat: A malicious process she runs wants to leak O1

– To some other subject (user) or system (via network)

  • Problems:

– Permission Assignment: The malicious process runs with every permission she holds

  • Any way that data can be read by or written to another user is enabled

– Complete Mediation: DAC systems do not mediate the network

  • Data can be sent to anyone, or firewall rules are needed to control access

– Complexity: How does she know that all these permissions prevent the leak?

  • Good luck
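The point of slides 2 through 4 in runnable form, as an added example rather than code from the lecture: a toy access-matrix (DAC) reference monitor over the protection state of slide 2. The matrix below is a reconstruction of that table (the slide's "N" becomes an empty permission set; the split of "R R W" into R and R W for S2 and S3 is an assumption). `leak_paths` enumerates every object a process running with J's rights could use as a drop box, `run_trojan` shows a malicious process exercising those rights, and `revoke_all_writes` shows the only DAC remedy and why it is impractical.

```python
# Added example (not from the slides): a toy access-matrix (DAC) simulator
# that checks whether the protection state of slide 2 lets a process
# running as J leak J's private key (O1) to S2 or S3.
# MATRIX reconstructs the slide's table; "N" is rendered as an empty set and
# the R / R W split for S2 and S3 is an assumption.

from copy import deepcopy

MATRIX = {
    "J":  {"O1": {"R"},  "O2": {"R", "W"}, "O3": {"R", "W"}},
    "S2": {"O1": set(),  "O2": {"R"},      "O3": {"R", "W"}},
    "S3": {"O1": set(),  "O2": {"R"},      "O3": {"R", "W"}},
}

def allowed(state, subject, op, obj):
    """Reference-monitor check: does the matrix grant `op` on `obj` to `subject`?"""
    return op in state[subject].get(obj, set())

def leak_paths(state, secret, victim):
    """Every (obj, reader) through which code running with `victim`'s rights can
    copy `secret`: victim reads secret, writes obj, and another subject reads obj.
    A Trojan horse exercises all of victim's permissions, so any one path is
    enough; an honest program simply never takes it (protection vs security)."""
    if not allowed(state, victim, "R", secret):
        return []
    paths = []
    for obj in state[victim]:
        if obj == secret or not allowed(state, victim, "W", obj):
            continue
        for reader in state:
            if reader != victim and allowed(state, reader, "R", obj):
                paths.append((obj, reader))
    return sorted(paths)

def run_trojan(state, victim, secret, target, contents):
    """Simulate a Trojan horse running as `victim`: copy `secret` into `target`
    if the matrix permits both operations. Returns the updated object contents."""
    contents = dict(contents)
    if allowed(state, victim, "R", secret) and allowed(state, victim, "W", target):
        contents[target] = contents[secret]
    return contents

def revoke_all_writes(state, subject):
    """The only DAC remedy: strip the victim's write rights everywhere, which
    also stops the victim doing any useful work (the 'complexity' problem)."""
    new = deepcopy(state)
    for obj in new[subject]:
        new[subject][obj].discard("W")
    return new

if __name__ == "__main__":
    # Constructed sample object contents.
    objects = {"O1": "J-PRIVATE-KEY", "O2": "", "O3": ""}
    print("leak paths for J:", leak_paths(MATRIX, "O1", "J"))
    after = run_trojan(MATRIX, "J", "O1", "O3", objects)
    print("S2 reads O3 and sees:", after["O3"] if allowed(MATRIX, "S2", "R", "O3") else None)
    print("after revoking J's writes:", leak_paths(revoke_all_writes(MATRIX, "J"), "O1", "J"))
```

Note what the matrix cannot express: there is no column for the network, so a process that can open a socket has a leak path the monitor never sees, which is the complete-mediation problem on the slide.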

SLIDE 5

Governmental Secrecy

  • Military

– When will the ship sail?
– Where are the troops?
– What is the next troop movement?

  • Military is hierarchical

– Decisions made at a higher level of authority are enacted

  • Thus, security is top-down

– Secrets flow up
– Decisions flow down

  • Release is manual

– Also, “need to know”

SLIDE 6

Multilevel Security

  • A multi-level security (MLS) system tags all objects and subjects with security labels classifying them in terms of sensitivity/access level

– We formulate an access control policy based on these levels
– We can also add other dimensions, called categories, which horizontally partition the rights space (in a way similar to roles)

  [Figure: two axes, security levels (vertical) and categories (horizontal)]

SLIDE 7

Lattice Model

  • Used by the US military (and many others), the Lattice model uses MLS to define policy
  • Levels:

unclassified < confidential < secret < top secret

  • Categories (actually an unbounded set)

NUC(lear), INTEL(ligence), CRYPTO(graphy)

  • Note that these levels are used for physical documents in the US government as well

SLIDE 8

Lattice

  • Levels form a lattice

– Vertices form a partial order
– Every pair of vertices has a LUB (least upper bound) and a GLB (greatest lower bound)

  [Figure: example lattice with nodes Secret, Pretty Secret, Mostly Secret, Very Secret, and one node marked “?”]

SLIDE 9

Assigning Security Levels

  • All subjects are assigned clearance levels and compartments

– Alice: (SECRET, {CRYPTO, NUC})
– Bob: (CONFIDENTIAL, {INTEL})
– Charlie: (TOP SECRET, {CRYPTO, NUC, INTEL})

  • All objects are assigned an access class

– DocA: (CONFIDENTIAL, {INTEL})
– DocB: (SECRET, {CRYPTO})
– DocC: (UNCLASSIFIED, {NUC})

SLIDE 10

Example

Access (read) is allowed if

subject clearance level >= object sensitivity level, and

  • object categories are a subset of subject categories (read down)

Q: What would write-up be?

Hence,

Bob: (CONF., {INTEL})
Trent: (TS, {CRYPTO, NUC, INTEL})
Alice: (SEC., {CRYPTO, NUC})
DocA: (CONFIDENTIAL, {INTEL})
DocB: (SECRET, {CRYPTO})
DocC: (UNCLASSIFIED, {NUC})

SLIDE 11

Secrecy Properties

  • Simple-Security Property (Read-Down)

– A subject s can only read from an object o if the subject’s clearance dominates or is the same as the access class of the object

  • *-Security Property (Write-Up)

– A subject s can only write to an object o if the subject’s clearance is dominated by or is the same as the access class of the object
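The lattice of slides 7 to 11 as code, added here as an example and not taken from the lecture. A label is a (level, categories) pair; `dominates` is the partial order, `lub`/`glb` are the bounds from slide 8, and `can_read`/`can_write` are the two properties above. The subjects and DocA/DocB/DocC are the slides' own; `DocD` is a constructed top-secret object added so that at least one write-up is permitted, and `trojan_copies`/`flows_only_up` check the claim of the next slide that a Trojan horse can only move data upward.

```python
# Added example (not from the slides): the MLS lattice and the simple-security
# and *-properties of slides 7-11. Labels are (level, categories). Subjects and
# DocA..DocC are the slides' own; DocD is a constructed object.

from itertools import product

LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}

class Label:
    """An access class / clearance: a level from LEVELS plus a category set."""
    def __init__(self, level, categories=()):
        if level not in RANK:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
        self.categories = frozenset(categories)

    def dominates(self, other):
        """Partial order of the lattice: level >= AND categories are a superset."""
        return RANK[self.level] >= RANK[other.level] and self.categories >= other.categories

    def lub(self, other):
        """Least upper bound: the higher level, union of categories."""
        return Label(LEVELS[max(RANK[self.level], RANK[other.level])], self.categories | other.categories)

    def glb(self, other):
        """Greatest lower bound: the lower level, intersection of categories."""
        return Label(LEVELS[min(RANK[self.level], RANK[other.level])], self.categories & other.categories)

    def __eq__(self, other):
        return isinstance(other, Label) and (self.level, self.categories) == (other.level, other.categories)

    def __hash__(self):
        return hash((self.level, self.categories))

    def __repr__(self):
        return f"({self.level}, {{{', '.join(sorted(self.categories))}}})"

def can_read(subject, obj):
    """Simple-security property (read down): clearance dominates access class."""
    return subject.dominates(obj)

def can_write(subject, obj):
    """*-property (write up): access class dominates clearance."""
    return obj.dominates(subject)

SUBJECTS = {
    "Alice": Label("SECRET", {"CRYPTO", "NUC"}),
    "Bob": Label("CONFIDENTIAL", {"INTEL"}),
    "Charlie": Label("TOP SECRET", {"CRYPTO", "NUC", "INTEL"}),
}
OBJECTS = {
    "DocA": Label("CONFIDENTIAL", {"INTEL"}),
    "DocB": Label("SECRET", {"CRYPTO"}),
    "DocC": Label("UNCLASSIFIED", {"NUC"}),
    "DocD": Label("TOP SECRET", {"CRYPTO", "NUC", "INTEL"}),  # constructed, not on the slides
}

def readable(name):
    return sorted(o for o, lbl in OBJECTS.items() if can_read(SUBJECTS[name], lbl))

def writable(name):
    return sorted(o for o, lbl in OBJECTS.items() if can_write(SUBJECTS[name], lbl))

def trojan_copies(name):
    """(src, dst) pairs a Trojan horse running as `name` could copy between:
    it needs read on src and write on dst."""
    return sorted((s, d) for s, d in product(readable(name), writable(name)) if s != d)

def flows_only_up(name):
    """Every copy a Trojan can make lands on an object whose access class
    dominates the source's, i.e. information never flows down."""
    return all(OBJECTS[d].dominates(OBJECTS[s]) for s, d in trojan_copies(name))

if __name__ == "__main__":
    for who in SUBJECTS:
        print(who, "reads", readable(who), "writes", writable(who), "copies", trojan_copies(who))
```

Alice cannot read DocA even though SECRET is above CONFIDENTIAL, because INTEL is not in her compartments; that is the category axis doing the "horizontal" partitioning mentioned on slide 6.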

SLIDE 12

Trojan Horses

  • Trojan horse: A program with a malicious function that masquerades as a benign application
  • Claim: MLS prevents a Trojan horse from leaking data
  • Proof

– Complete mediation

  • All operations are mediated

– MLS *-security property

  • Trojan horse cannot write data down

– Mandatory policy

  • Trojan horse cannot change policy
  • Policy defines legal info flows

SLIDE 13

Covert Channels

  • Use access to shared resources as a means of communication

– Rather than an overt channel

  • Storage Channel

– Uses an attribute of a shared resource
– E.g., fill up a shared disk

  • Timing Channel

– Uses temporal relationships in access to a shared resource
– E.g., driver timing behavior

  • Not prevented by MLS alone!

SLIDE 14

Trojan Horse Paradox

  • MLS enables the OS to guarantee

– that a process at a higher secrecy clearance cannot leak to a process at a lower secrecy level

  • But, lots of applications handle data of multiple access classes!
  • Examples:

– Server process (mail server): Many mails of different access classes are possible

  • One server per combination of level and category set is not practical

– Client process (email client): A single email client may receive and respond to emails at different access classes

  • And, think about the integrity impact of a Trojan horse

– Discuss next time

SLIDE 15

Program-Level Secrecy

  • Situation: A program reads data at a higher access class than it writes

– The program can leak a secret that it reads by writing it to the lower access class

  • Challenge: Write a program where you can prove that no illegal information flows (i.e., violating MLS properties) can occur

  [Figure: a Program box that reads from Secret and writes to Public]

SLIDE 16

Denning Lattice Model

  • Information flow within a program

– Can a secret variable leak to a public variable?

  • Model covers all programs

– Statement S
– Sequence S1, S2
– Conditional c: S1, …, Sm

  [Figure: statement tree; a Cond node with Stmt children, alongside plain Stmt nodes]

SLIDE 17

Implicit and Explicit Flows

  • Explicit

– Direct transfer to b from a (e.g., b = a)

  • Implicit

– Where the value of b may depend on the value of a indirectly (e.g., if a = 0 then b = c)

  • Implicit flows only occur in conditionals

  [Figure: statement tree of the example program]
    Stmt: b = a
    Cond: if (b < 1)
      Stmt: c = d
      Stmt: e = c
      Stmt: c = b

SLIDE 18

Denning Semantics

  • Program is secure if:

– The explicit flow from S is secure
– The explicit flows of all statements in a sequence are secure (e.g., S1; S2)
– A conditional c: S1, …, Sm is secure if:

  • The explicit flows of all statements S1, …, Sm are secure
  • The implicit flows between c and the objects in Si are secure

  [Figure: statement tree of the example program]
    Stmt: b = a
    Cond: if (b < 1)
      Stmt: c = d
      Stmt: e = c
      Stmt: c = f

SLIDE 19

Information Flow

  • Explicit and implicit flows form a graph
  • Resulting flow graph

  [Figure: statement tree of the example program]
    Stmt: b = a
    Cond: if (b < 1)
      Stmt: c = d
      Stmt: e = c
      Stmt: c = f

  [Figure: flow graph over the variables a, b, c, d, e, f; explicit edges come from the assignments, implicit edges from the condition on b]

SLIDE 20

Secure When...

  • Suppose e is public

– What variables can be secret?

  • Suppose d is public

– What variables can be secret?

  • Suppose b is secret

– What variables can be public?

  [Figure: statement tree of the example program]
    Stmt: b = a
    Cond: if (b < 1)
      Stmt: c = d
      Stmt: e = c
      Stmt: c = f
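Denning's analysis of slides 16 to 20 carried out in code, as an added example that is not from the lecture. A tiny statement language (assignment, conditional, sequence) is enough: `flows` builds the graph from explicit flows (assignment sources to target) and implicit flows (every condition variable to every target assigned under it), `forced_public`/`forced_secret` answer the three questions on slide 20 by closing a partial labelling along the edges, and `violations` lists the secret-to-public edges of a full labelling. The example program is the one on the slides; reading its second child statement `c = f` as the else branch is an assumption, and the flow edges are the same whether it is an else or a third statement in sequence.

```python
# Added example (not from the slides): Denning-style information-flow analysis
# over a tiny statement language, run on the program of slides 17-20.
# Explicit flows come from assignments; implicit flows go from each variable in
# a condition to every variable assigned under that condition.

from dataclasses import dataclass, field

@dataclass(frozen=True)
class Assign:
    target: str
    sources: frozenset            # variables read by the right-hand side

@dataclass
class If:
    cond: frozenset               # variables read by the condition
    then: list
    orelse: list = field(default_factory=list)

def targets(stmts):
    """All variables assigned anywhere inside stmts (recursing into conditionals)."""
    out = set()
    for s in stmts:
        if isinstance(s, Assign):
            out.add(s.target)
        else:
            out |= targets(s.then) | targets(s.orelse)
    return out

def flows(stmts):
    """Set of (src, dst) edges: explicit from each assignment's sources to its
    target, implicit from each condition variable to every target under it."""
    edges = set()
    for s in stmts:
        if isinstance(s, Assign):
            edges |= {(src, s.target) for src in s.sources}
        else:
            edges |= flows(s.then) | flows(s.orelse)
            edges |= {(c, t) for c in s.cond for t in targets(s.then) | targets(s.orelse)}
    return edges

def reach(edges, start, forward=True):
    """Transitive closure from `start` along the edges (forward) or against them."""
    seen, todo = set(start), list(start)
    while todo:
        x = todo.pop()
        for src, dst in edges:
            nxt = dst if forward and src == x else src if not forward and dst == x else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def forced_secret(edges, secret):
    """If these variables are secret, everything they flow to must be secret."""
    return reach(edges, set(secret), forward=True)

def forced_public(edges, public):
    """If these variables are public, everything that flows into them must be public."""
    return reach(edges, set(public), forward=False)

def violations(edges, labels):
    """Edges carrying information from a secret variable to a public one.
    Checking single edges is complete: a longer secret-to-public path must
    contain at least one edge that crosses from secret to public."""
    return sorted((s, d) for s, d in edges if labels[s] == "secret" and labels[d] == "public")

# The program of slides 18-20: b = a; if (b < 1) { c = d; e = c } else { c = f }
PROGRAM = [
    Assign("b", frozenset({"a"})),
    If(frozenset({"b"}),
       then=[Assign("c", frozenset({"d"})), Assign("e", frozenset({"c"}))],
       orelse=[Assign("c", frozenset({"f"}))]),
]
EDGES = flows(PROGRAM)

if __name__ == "__main__":
    print("edges:", sorted(EDGES))
    print("e public forces public:", sorted(forced_public(EDGES, {"e"})))
    print("d public forces public:", sorted(forced_public(EDGES, {"d"})))
    print("b secret forces secret:", sorted(forced_secret(EDGES, {"b"})))
```

The answers this gives to slide 20: if e is public, every variable is an ancestor of e (a, b and f through the implicit and else-branch edges), so nothing can be secret; a public d constrains nothing else, since public-to-secret flow is legal; and if b is secret then c and e must be secret, while a, d and f may stay public.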

SLIDE 21

Chinese Wall

  • Keep different parts of a firm isolated

– Accounts with Ford and GM

  • Access is not controlled by an attribute of the data alone

– Also by the data that the subject holds
– Conflict sets

  [Figure: timeline]
    t0-t1: Hold: None; Conflict: {Ford, GM}
    t2:    Op: Access GM; Hold: None; Access: Allowed
    t3-t4: Op: Access Ford; Hold: GM; Access: Denied

SLIDE 22

Chinese Wall

  • More formally,

– Objects may belong to a company dataset
– Companies may compete, so

  • Conflict of interest (COI) sets consist of competing company dataset labels

– Cannot access objects in two datasets of the same COI set

  • CW Simple Security Property

– Read O is permitted if:

  • the subject has accessed CD(O) already (it can access it again), or
  • for every dataset D accessed previously, CD(O) is not in COI(D)

  • CW *-Security Property

– Write O is permitted if:

  • CW-Simple permits reading O
  • and the subject has only read data from CD(O)
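The two Chinese Wall properties as a reference monitor, added here as an example and not code from the lecture, replayed on the Ford/GM timeline of slide 21. The object names and the BankA/BankB conflict class are constructed for the example; the second class is there to show why the *-property is stricter than the read rule: once a subject has read GM data, it may still read a bank's data (no conflict), but it may then write to neither dataset, so it cannot carry GM data into a place a Ford analyst could later read.

```python
# Added example (not from the slides): a Chinese Wall reference monitor for the
# CW simple-security and *-properties of slide 22, replayed on the Ford/GM
# trace of slide 21. Object names and the BankA/BankB class are constructed.

COMPANY_DATASET = {            # object -> company dataset CD(O)
    "gm-forecast": "GM",
    "ford-forecast": "Ford",
    "bankA-ledger": "BankA",   # constructed
    "bankB-ledger": "BankB",   # constructed
}
COI_SETS = [frozenset({"Ford", "GM"}), frozenset({"BankA", "BankB"})]

def coi(dataset):
    """Conflict-of-interest class of a dataset (a singleton if it competes with nobody)."""
    for cls in COI_SETS:
        if dataset in cls:
            return cls
    return frozenset({dataset})

class Subject:
    def __init__(self, name):
        self.name = name
        self.read_from = set()   # company datasets this subject has already read
        self.log = []            # (op, object, decision) trace

    def can_read(self, obj):
        """CW simple-security: the same dataset again is fine; otherwise the
        new dataset must not conflict with any dataset read before."""
        cd = COMPANY_DATASET[obj]
        if cd in self.read_from:
            return True
        return all(cd not in coi(prev) for prev in self.read_from)

    def can_write(self, obj):
        """CW *-property as on the slide: reading O must be permitted, and the
        subject must have read only from CD(O) so far, so it cannot act as a
        conduit between datasets, even ones in different COI classes."""
        return self.can_read(obj) and self.read_from <= {COMPANY_DATASET[obj]}

    def read(self, obj):
        ok = self.can_read(obj)
        if ok:
            self.read_from.add(COMPANY_DATASET[obj])
        self.log.append(("read", obj, "Allowed" if ok else "Denied"))
        return ok

    def write(self, obj):
        ok = self.can_write(obj)
        self.log.append(("write", obj, "Allowed" if ok else "Denied"))
        return ok

def slide21_trace():
    """The timeline of slide 21, followed by a write and a cross-class read/write."""
    s = Subject("analyst")
    s.read("gm-forecast")      # t2: Hold None -> Allowed
    s.read("ford-forecast")    # t3/t4: Hold GM, Ford conflicts -> Denied
    s.read("gm-forecast")      # same dataset again -> Allowed
    s.write("gm-forecast")     # only GM read so far -> Allowed
    s.read("bankA-ledger")     # different COI class -> Allowed
    s.write("bankA-ledger")    # has also read GM -> Denied
    s.write("gm-forecast")     # has also read BankA -> Denied
    return s.log

if __name__ == "__main__":
    for op, obj, decision in slide21_trace():
        print(f"{op:5} {obj:14} {decision}")
```

Unlike MLS, the decision depends on the subject's history (`read_from`), which is the point of slide 21: the same request "access Ford" is allowed at t0 and denied at t3.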

SLIDE 23

Take Away

  • MLS policy provides a guarantee that a secret will not be leaked to a lower access class

– Even if you are running malicious code (e.g., a Trojan horse)
– But, it does not cover covert channels

  • Know how to apply this
  • However, we may also need to obtain secrecy guarantees for more privileged programs

– Ones that could violate MLS
– Use Denning’s model to prove compliance

  • Information flows: explicit and implicit