
Secrecy Security Policy CSE497b - Spring 2007 Introduction Computer - PowerPoint PPT Presentation



  1. Secrecy Security Policy
  CSE497b - Spring 2007, Introduction to Computer and Network Security
  Professor Jaeger, www.cse.psu.edu/~tjaeger/cse497b-s07/
  CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

  2. Secrecy Problem
  • Does the following protection state ensure the secrecy of J's private key in O1?

          O1    O2    O3
      J   R     R W   R W
      S2  N     R     R W
      S3  N     R     R W

  3. Protection vs Security
  • Protection
    – Security goals met under trusted processes
    – Protects against an error by a non-malicious entity
  • Security
    – Security goals met under potentially malicious processes
    – Protects against any malicious entity
  • For J:
    – A non-malicious process shouldn't leak the private key by writing it to O3
    – A malicious process may write the private key to O3

  4. Why Doesn't DAC Work?
  • Goal: User has a file O1 she wants to keep secret
  • Threat: A malicious process she runs wants to leak O1
    – To some other subject (user) or system (via network)
  • Problems:
    – Permission Assignment: Malicious process maximizes permissions
      • Any way that data can be read by or written to another user is enabled
    – Complete Mediation: DAC systems do not mediate the network
      • Data can be sent to anyone, or firewall rules are required to control access
    – Complexity: How does she know that all these permissions prevent the leak?
      • Good luck

  5. Governmental Secrecy
  • Military
    – When will the ship sail?
    – Where are the troops?
    – What is the next troop movement?
  • Military is hierarchical
    – Decisions made at a higher level of authority are enacted
  • Thus, security is top-down
    – Secrets flow up
    – Decisions flow down
  • Release is manual
    – Also, "need to know"

  6. Multilevel Security
  • A multi-level security (MLS) system tags all objects and subjects with security tags classifying them in terms of sensitivity/access level.
    – We formulate an access control policy based on these levels
    – We can also add other dimensions, called categories, which horizontally partition the rights space (similar to what roles do)
  [Figure: security levels (vertical axis) and categories (horizontal axis)]

  7. Lattice Model
  • Used by the US military (and many others), the Lattice model uses MLS to define policy
  • Levels: unclassified < confidential < secret < top secret
  • Categories (actually an unbounded set): NUC(lear), INTEL(ligence), CRYPTO(graphy)
  • Note that these levels are used for physical documents in the US government as well.

  8. Lattice
  • Levels form a lattice
    – Vertices form a partial order
    – Every pair of vertices has a LUB, GLB
  [Figure: example lattice with vertices Very Secret, Mostly Secret, Pretty Secret, Secret and a "?" vertex]

  9. Assigning Security Levels
  • All subjects are assigned clearance levels and compartments
    – Alice: (SECRET, {CRYPTO, NUC})
    – Bob: (CONFIDENTIAL, {INTEL})
    – Charlie: (TOP SECRET, {CRYPTO, NUC, INTEL})
  • All objects are assigned an access class
    – DocA: (CONFIDENTIAL, {INTEL})
    – DocB: (SECRET, {CRYPTO})
    – DocC: (UNCLASSIFIED, {NUC})

  10. Example
  • Access is allowed if the subject's clearance level >= the object's sensitivity level and the object's categories are a subset of the subject's categories (read down)
  • Q: What would write-up be?
  • Hence (see figure):
  [Figure: subjects Trent: (TS, {CRYPTO, NUC, INTEL}), Bob: (CONF., {INTEL}), Alice: (SEC., {CRYPTO, NUC}); objects DocB: (SECRET, {CRYPTO}), DocA: (CONFIDENTIAL, {INTEL}), DocC: (UNCLASSIFIED, {NUC})]

  11. Secrecy Properties
  • Simple-Security Property (Read-Down)
    – A subject s can only read from an object o if the subject's clearance dominates or is the same as the access class of the object
  • *-Security Property (Write-Up)
    – A subject s can only write to an object o if the subject's clearance is dominated by or is the same as the access class of the object

  12. Trojan Horses
  • Trojan horse: A program with a malicious function that masquerades as a benign application
  • Claim: MLS prevents a Trojan horse from leaking data
  • Proof
    – Complete mediation
      • All operations are mediated
    – MLS *-security property
      • Trojan horse cannot write data down
    – Mandatory policy
      • Trojan horse cannot change policy
      • Policy defines legal info flows
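  The read-down and write-up rules of slides 9-11, and the write-down claim of slide 12, as an added example (not code from the lecture). It encodes the slide 9 clearances and access classes, checks the simple-security and *-properties by lattice dominance, and then checks the slide 12 claim exhaustively over every label built from the three categories.

```python
from dataclasses import dataclass
from itertools import combinations, product

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
CATEGORIES = ("NUC", "INTEL", "CRYPTO")

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset

    def dominates(self, other):
        # Lattice order: higher-or-equal level AND a superset of categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def L(level, *cats):
    return Label(level, frozenset(cats))

# Clearances and access classes taken from slide 9.
SUBJECTS = {"Alice": L("SECRET", "CRYPTO", "NUC"),
            "Bob": L("CONFIDENTIAL", "INTEL"),
            "Charlie": L("TOP SECRET", "CRYPTO", "NUC", "INTEL")}
OBJECTS = {"DocA": L("CONFIDENTIAL", "INTEL"),
           "DocB": L("SECRET", "CRYPTO"),
           "DocC": L("UNCLASSIFIED", "NUC")}

def can_read(subject, obj):
    """Simple-security property (read-down): clearance dominates the access class."""
    return subject.dominates(obj)

def can_write(subject, obj):
    """*-property (write-up): the access class dominates the clearance."""
    return obj.dominates(subject)

def all_labels():
    """Every (level, category set) combination over CATEGORIES: 4 * 8 = 32 labels."""
    for level in LEVELS:
        for n in range(len(CATEGORIES) + 1):
            for cats in combinations(CATEGORIES, n):
                yield L(level, *cats)

def write_down_possible():
    """Slide 12's claim checked exhaustively: is there a subject label that may read
    some object and write to an object that does not dominate the one it read?"""
    labels = list(all_labels())
    return any(can_read(s, src) and can_write(s, dst) and not dst.dominates(src)
               for s, src, dst in product(labels, repeat=3))
```

  With these rules Alice may read DocB and DocC but not DocA (she lacks INTEL), Bob may write DocA but not DocB, and write_down_possible() is False: a process that can read an object can only write objects that dominate it.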

  13. Covert Channels
  • Use access to shared resources as a means of communication
    – Rather than an overt channel
  • Storage Channel
    – Uses an attribute of a shared resource
    – E.g., fill up a shared disk
  • Timing Channel
    – Uses temporal relationships in access to a shared resource
    – E.g., driver timing behavior
  • Not prevented by MLS alone!

  14. Trojan Horse Paradox
  • MLS enables the OS to guarantee
    – that a process at a higher secrecy clearance cannot leak to a process at a lower secrecy level
  • But, lots of applications handle data of multiple access classes!
  • Examples:
    – Server process (mail server): Many mails of different access classes are possible
      • One server per combination of level and category set is not practical
    – Client process (email client): A single email client may receive and respond to emails at different access classes
  • And, think about the integrity impact of a Trojan horse
    – Discuss next time

  15. Program-Level Secrecy
  • Situation: A program reads data at a higher access class than it writes
    – The program can leak a secret that it reads by writing it to the lower access class
  • Challenge: Write a program where you can prove that no illegal information flows (i.e., flows violating the MLS properties) can occur
  [Figure: Secret --read--> Program --write--> Public]

  16. Denning Lattice Model
  • Information flow within a program
    – Can a secret variable leak to a public variable?
  • Model covers all programs
    – Statement S
    – Sequence S1, S2
    – Conditional c: S1, …, Sm
  [Figure: statement nodes (Stmt) and a conditional node (Cond) with its branch statements]

  17. Implicit and Explicit Flows
  • Explicit
    – Direct transfer to b from a (e.g., b = a)
  • Implicit
    – Where the value of b may depend on the value of a indirectly (e.g., if a = 0, then b = c)
  • Implicit flows only occur in conditionals
  [Figure: example program as Stmt/Cond nodes: c = b; b = a; if (b < 1) e = c; c = d]

  18. Denning Semantics
  • A program is secure if:
    – The explicit flow from S is secure
    – The explicit flows of all statements in a sequence are secure (e.g., S1; S2)
    – A conditional c: S1, …, Sm is secure if:
      • The explicit flows of all statements S1, …, Sm are secure
      • The implicit flows between c and the objects in Si are secure
  [Figure: example program as Stmt/Cond nodes: c = f; b = a; if (b < 1) e = c; c = d]

  19. Information Flow
  • Explicit and implicit flows form a graph
  [Figure: example program as Stmt/Cond nodes: c = f; b = a; if (b < 1) e = c; c = d]
  • Resulting flow graph
  [Figure: flow graph over the variables a, b, c, d, e, f]

  20. Secure When...
  • Suppose e is public
    – What variables can be secret?
  • Suppose d is public
    – What variables can be secret?
  • Suppose b is secret
    – What variables can be public?
  [Figure: example program as Stmt/Cond nodes: c = f; b = a; if (b < 1) e = c; c = d]
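  The flow graph of slides 17-19 and the questions of slide 20, as an added example (not the lecture's code). It builds the explicit and implicit edges for the slide program c = f; b = a; if (b < 1) e = c; c = d, checks a labelling against the Denning semantics of slide 18, and answers slide 20 by closing the graph upstream (everything flowing into a public variable must be public) or downstream (everything a secret variable flows into must be secret). It assumes a flow-insensitive graph, so the final c = d contributes a d -> c edge, and a two-point lattice PUBLIC < SECRET.

```python
# Constructed statement list for the slide program:
#   ("assign", target, sources) or ("cond", condition_vars, branch_body)
PROGRAM = [
    ("assign", "c", {"f"}),
    ("assign", "b", {"a"}),
    ("cond", {"b"}, [("assign", "e", {"c"})]),
    ("assign", "c", {"d"}),
]
PUBLIC, SECRET = 0, 1  # two-point lattice assumed for the example

def flows(program, implicit=frozenset()):
    """Return the (src, dst) flow edges: explicit flows from every assignment plus
    implicit flows from condition variables to every target assigned in the branch."""
    edges = set()
    for stmt in program:
        if stmt[0] == "assign":
            _, target, sources = stmt
            edges |= {(src, target) for src in sources | implicit}
        else:
            _, cond_vars, body = stmt
            edges |= flows(body, implicit | cond_vars)
    return edges

def is_secure(edges, labels):
    """Denning semantics: every flow src -> dst needs label(src) <= label(dst)."""
    return all(labels[s] <= labels[d] for s, d in edges)

def must_be_public(edges, public_vars):
    """Everything that flows (transitively) into a public variable must be public."""
    result = set(public_vars)
    while True:
        more = {s for s, d in edges if d in result} - result
        if not more:
            return result
        result |= more

def must_be_secret(edges, secret_vars):
    """Everything a secret variable flows into must be secret (reverse the edges)."""
    return must_be_public({(d, s) for s, d in edges}, secret_vars)

EDGES = flows(PROGRAM)  # {(f,c), (a,b), (c,e), (b,e), (d,c)}
```

  For slide 20: if e is public every variable must be public, so none can be secret; if d is public nothing else is constrained, since no variable flows into d; if b is secret then e must be secret and a, c, d, f may stay public.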

  21. Chinese Wall
  • Keep different parts of a firm isolated
    – Accounts with Ford and GM
  • Access is not controlled by an attribute of the data alone
    – Also, the data that the subject holds
    – Conflict sets
  [Figure: timeline t0-t4 with conflict set {Ford, GM}: Hold: None; Op: Access GM -> Access: Allowed; Hold: GM; Op: Access Ford -> Access: Denied]
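  The slide 21 timeline as an added example (not code from the lecture): a history-based monitor whose decision depends on what the subject already holds, not on the object alone. The conflict set {Ford, GM} is the slide's; the subject names are constructed.

```python
CONFLICT_SETS = [frozenset({"Ford", "GM"})]  # from slide 21

class ChineseWall:
    def __init__(self, conflict_sets):
        self.conflict_sets = conflict_sets
        self.holds = {}  # subject -> set of companies whose data it already holds

    def allowed(self, subject, company):
        """Deny if the subject already holds a competitor's data from the same conflict set."""
        held = self.holds.get(subject, set())
        return not any(company in cs and (held & cs) - {company}
                       for cs in self.conflict_sets)

    def access(self, subject, company):
        """Mediate one access and, if allowed, record it: later decisions depend on it."""
        if not self.allowed(subject, company):
            return False
        self.holds.setdefault(subject, set()).add(company)
        return True

def slide_timeline():
    """t0..t4 from slide 21: holding nothing, access to GM is allowed; holding GM,
    access to Ford is denied. A second subject with an empty history is unaffected."""
    wall = ChineseWall(CONFLICT_SETS)
    return [wall.access("analyst1", "GM"),    # True
            wall.access("analyst1", "Ford"),  # False
            wall.access("analyst1", "GM"),    # True: re-reading data already held
            wall.access("analyst2", "Ford")]  # True: separate history
```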
