Security models part 2 Bj orn Victor Fall 2007 Doris Denning - PowerPoint PPT Presentation

Security models part 2 Bj¨ orn Victor Fall 2007

Doris Denning model Denning model Chinese Wall Clark-Wilson Principles BLP: covert channels possible ⋆ -property too strong Improvement: analyse actual (and indirect) information flow. - 2 -

Lattice Denning model Chinese Wall Lattice: partial order ≤ such that all pairs ( x , y ) have Clark-Wilson greatest lower bound (GLB) and least upper bound (LUB), Principles i.e. ∀ x , y : ∃ z : z ≤ x ∧ z ≤ y (i.e. z is a lower bound) and ∀ k : k ≤ x ∧ k ≤ y ⇒ k ≤ z (i.e. z is the greatest lower bound) vice versa for least upper bound - 3 -

Authorized flows (policy) An information flow from x to y is authorized (permitted) Denning only if lvl ( x ) ≤ lvl ( y ) . model explicit flow from x i to y : Chinese Wall Clark-Wilson y := f ( x 1 ,..., x n ) Principles permitted if LUB ( x 1 ,..., x n ) ≤ y implicit flow from x to y i : if p ( x ) then y 1 := ... ; ··· ; y n :=. . . ; endif permitted if x ≤ GLB ( y 1 ,..., y n ) (and each flow in the then part is permitted) Lattice: can always find and compare with LUB/GLB. Transitivity: sequence of flows z 0 → ··· → z n permitted if each flow z i → z i + 1 is permitted. - 4 -

Authorized flows (policy) An information flow from x to y is authorized (permitted) Denning only if lvl ( x ) ≤ lvl ( y ) . model explicit flow from x i to y : Chinese Wall Clark-Wilson y := f ( x 1 ,..., x n ) Principles permitted if LUB ( x 1 ,..., x n ) ≤ y implicit flow from x to y i : if p ( x ) then y 1 := ... ; ··· ; y n :=. . . ; endif permitted if x ≤ GLB ( y 1 ,..., y n ) (and each flow in the then part is permitted) Lattice: can always find and compare with LUB/GLB. Transitivity: sequence of flows z 0 → ··· → z n permitted if each flow z i → z i + 1 is permitted. - 4 -

Authorized flows (policy) An information flow from x to y is authorized (permitted) Denning only if lvl ( x ) ≤ lvl ( y ) . model explicit flow from x i to y : Chinese Wall Clark-Wilson y := f ( x 1 ,..., x n ) Principles permitted if LUB ( x 1 ,..., x n ) ≤ y implicit flow from x to y i : if p ( x ) then y 1 := ... ; ··· ; y n :=. . . ; endif permitted if x ≤ GLB ( y 1 ,..., y n ) (and each flow in the then part is permitted) Lattice: can always find and compare with LUB/GLB. Transitivity: sequence of flows z 0 → ··· → z n permitted if each flow z i → z i + 1 is permitted. - 4 -

Authorized flows (policy) An information flow from x to y is authorized (permitted) Denning only if lvl ( x ) ≤ lvl ( y ) . model explicit flow from x i to y : Chinese Wall Clark-Wilson y := f ( x 1 ,..., x n ) Principles permitted if LUB ( x 1 ,..., x n ) ≤ y implicit flow from x to y i : if p ( x ) then y 1 := ... ; ··· ; y n :=. . . ; endif permitted if x ≤ GLB ( y 1 ,..., y n ) (and each flow in the then part is permitted) Lattice: can always find and compare with LUB/GLB. Transitivity: sequence of flows z 0 → ··· → z n permitted if each flow z i → z i + 1 is permitted. - 4 -

Examples Denning z := x; model y := z; Chinese Wall Clark-Wilson Flow x → y allowed if x → z and z → y allowed. Principles z := 0; if (x == 1) then z := 1; endif; y := z x ∈ { 0 , 1 } . Which flows exist? x → z (implicit) z → y (explicit) x → y (indirect, transitivity) - 5 -

Examples Denning z := x; model y := z; Chinese Wall Clark-Wilson Flow x → y allowed if x → z and z → y allowed. Principles z := 0; if (x == 1) then z := 1; endif; y := z x ∈ { 0 , 1 } . Which flows exist? x → z (implicit) z → y (explicit) x → y (indirect, transitivity) - 5 -

Examples Denning z := x; model y := z; Chinese Wall Clark-Wilson Flow x → y allowed if x → z and z → y allowed. Principles z := 0; if (x == 1) then z := 1; endif; y := z x ∈ { 0 , 1 } . Which flows exist? x → z (implicit) z → y (explicit) x → y (indirect, transitivity) - 5 -

Examples Denning z := x; model y := z; Chinese Wall Clark-Wilson Flow x → y allowed if x → z and z → y allowed. Principles z := 0; if (x == 1) then z := 1; endif; y := z x ∈ { 0 , 1 } . Which flows exist? x → z (implicit) z → y (explicit) x → y (indirect, transitivity) - 5 -

More examples Denning model y := x1 + x2 * x3 Chinese Wall Clark-Wilson Principles if x then y1 := 0; y2 := 42; y3 := 17; endif; Constants have bottom element of lattice as level (by policy). - 6 -

More examples Denning model y := x1 + x2 * x3 Chinese Wall Clark-Wilson Principles if x then y1 := 0; y2 := 42; y3 := 17; endif; Constants have bottom element of lattice as level (by policy). - 6 -

Quantitative information flow Denning model How much information flows? Chinese Wall Clark-Wilson Here: information flows from x to y by program p if after Principles executing p , the value of y gives more information about the value of x before executing p . Example: z := x; y := z direct flow x → z , indirect flow x → y , but no flow z → y since y does not tell anything about the initial value of z ! - 7 -

Quantitative information flow Denning model How much information flows? Chinese Wall Clark-Wilson Here: information flows from x to y by program p if after Principles executing p , the value of y gives more information about the value of x before executing p . Example: z := x; y := z direct flow x → z , indirect flow x → y , but no flow z → y since y does not tell anything about the initial value of z ! - 7 -

Quantitative information flow Denning model How much information flows? Chinese Wall Clark-Wilson Here: information flows from x to y by program p if after Principles executing p , the value of y gives more information about the value of x before executing p . Example: z := x; y := z direct flow x → z , indirect flow x → y , but no flow z → y since y does not tell anything about the initial value of z ! - 7 -

How much information flows? Mathematically: the flow from x to y is calculated using the Denning model uncertainty of the value of a variable x given y (its Chinese Wall equivocation or conditional entropy ). Clark-Wilson Principles y := 0 if odd(x) then y := 1; endif Implicit flow x → y . How much? One bit. y := 0 if x == 1 then y := x-1; endif How much information flows from x to y ? Zero bits! - 8 -

How much information flows? Mathematically: the flow from x to y is calculated using the Denning model uncertainty of the value of a variable x given y (its Chinese Wall equivocation or conditional entropy ). Clark-Wilson Principles y := 0 if odd(x) then y := 1; endif Implicit flow x → y . How much? One bit. y := 0 if x == 1 then y := x-1; endif How much information flows from x to y ? Zero bits! - 8 -

How much information flows? Mathematically: the flow from x to y is calculated using the Denning model uncertainty of the value of a variable x given y (its Chinese Wall equivocation or conditional entropy ). Clark-Wilson Principles y := 0 if odd(x) then y := 1; endif Implicit flow x → y . How much? One bit. y := 0 if x == 1 then y := x-1; endif How much information flows from x to y ? Zero bits! - 8 -

How much information flows? Mathematically: the flow from x to y is calculated using the Denning model uncertainty of the value of a variable x given y (its Chinese Wall equivocation or conditional entropy ). Clark-Wilson Principles y := 0 if odd(x) then y := 1; endif Implicit flow x → y . How much? One bit. y := 0 if x == 1 then y := x-1; endif How much information flows from x to y ? Zero bits! - 8 -

Imprecise flows Denning model z := x + y Chinese Wall Clark-Wilson where x , y ∈ { 0 ,..., 15 } with equal probability. How much Principles info flows x , y → z ? ≤ 4 bits. z := x xor y If x , y have same range/size, and all values of y equally probable, no flow to z – can’t tell anything about x or y from z . Cf. one-time-pad: no additional information about the plaintext is gained by having the ciphertext, if. . . - 9 -

Imprecise flows Denning model z := x + y Chinese Wall Clark-Wilson where x , y ∈ { 0 ,..., 15 } with equal probability. How much Principles info flows x , y → z ? ≤ 4 bits. z := x xor y If x , y have same range/size, and all values of y equally probable, no flow to z – can’t tell anything about x or y from z . Cf. one-time-pad: no additional information about the plaintext is gained by having the ciphertext, if. . . - 9 -

Imprecise flows Denning model z := x + y Chinese Wall Clark-Wilson where x , y ∈ { 0 ,..., 15 } with equal probability. How much Principles info flows x , y → z ? ≤ 4 bits. z := x xor y If x , y have same range/size, and all values of y equally probable, no flow to z – can’t tell anything about x or y from z . Cf. one-time-pad: no additional information about the plaintext is gained by having the ciphertext, if. . . - 9 -

Imprecise flows Denning model z := x + y Chinese Wall Clark-Wilson where x , y ∈ { 0 ,..., 15 } with equal probability. How much Principles info flows x , y → z ? ≤ 4 bits. z := x xor y If x , y have same range/size, and all values of y equally probable, no flow to z – can’t tell anything about x or y from z . Cf. one-time-pad: no additional information about the plaintext is gained by having the ciphertext, if. . . - 9 -