stack based and history based access control for secure
play

Stack-based and History-based Access Control for Secure Information - PowerPoint PPT Presentation

May 11, 2023 •177 likes •480 views

Stack-based and History-based Access Control for Secure Information Flow Anindya Banerjee and David A. Naumann ab@cis.ksu.edu, naumann@cs.stevens-tech.edu Kansas State University and Stevens Institute of Technology CASSIS Workshop 2004-03-11 /

  1. Stack-based and History-based Access Control for Secure Information Flow Anindya Banerjee and David A. Naumann ab@cis.ksu.edu, naumann@cs.stevens-tech.edu Kansas State University and Stevens Institute of Technology CASSIS Workshop 2004-03-11 / 1

  2. Problem � Goal: Modular, static checking of security policies, e.g., confidentiality, for extensible software: no information flow from High input channels to Low output channels (including covert channels) � Focus: implementations (not protocol designs) involving mobile code, subclassing, pointers —constrained by types, scope, and runtime access control � Observation: extensible software implemented in Java associate permissions (“rights”) with code to prevent run-time security errors. � Question: How to connect access control mechanism (used widely) and information flow analysis (often restrictive)? CASSIS Workshop 2004-03-11 / 2

  3. Access control by “stack inspection” Local policy assigns static permissions to classes (based on code origin: local disk, signed download, etc). When untrusted code calls trusted code, latter must execute with “right” permissions – dependent on permissions of untrusted code. Run-time permissions computed/checked using run-time stack. test p then S 1 else S 2 executes S 1 only if the class for “each frame on stack” has p in its static permissions. enable p in S limits test to stack frames up to one that explicitly enabled p . Eager semantics: security context parameter, the set of current permissions (updated by enable and call). CASSIS Workshop 2004-03-11 / 3

  4. Example: Permissions class Sys { // static permissions chpass , wpass unit writepass( string x) { test wpass // access guard to protect integrity then nativeWrite(x,”passfile”) else abort } unit passwd( string x) { test chpass then enable wpass in writepass(x) else abort }} class User { // static permission chpass (but not wpass ) Sys s:= . . . ; unit use() { enable chpass in s.passwd(”mypass”) } // ok unit try() { enable wpass in s.writepass(”mypass”) }} // aborts CASSIS Workshop 2004-03-11 / 4

  5. Info release vs. Info flow class Sys { // static permissions rdkey int readKey() { // policy: confidential key test rdkey then result:= nativeReadKey() else abort } int trojanHorse() { enable rdkey in int x:= readKey(); if (x mod 2) > 0 then result := 0 else result := 1 }} class PlugIn { // no static permissions Sys s:= . . . ; int output; // policy: public unit tryToSteal() { output:= s.readKey() } // aborts unit steal() { output:= s.trojanHorse() }} // leak CASSIS Workshop 2004-03-11 / 5

  6. Security types specify/check policy class Sys { // static permissions rdkey int readKey() { // security type: • → H test rdkey then result:= nativeReadKey() else abort } int trojanHorse() { // security type: • → H enable rdkey in int x:= readKey(); if (x mod 2) > 0 then result := 0 else result := 1 }} class PlugIn { // no static permissions Sys s:= . . . ; int output; // security type: L unit tryToSteal() { output:= s.readKey() } // aborts unit steal() { output:= s.trojanHorse() }} // illegal fl ow H to L CASSIS Workshop 2004-03-11 / 6

  7. Checking information flow by typing Data types: T ::= unit | bool | C Levels: κ ::= L | H Expression types: ( T, κ ) means that value is ≤ κ Commands: ( com κ 1 , κ 2 ) assigns to vars ≥ κ 1 , to fields ≥ κ 2 Typings (in context ∆ ): ∆ ⊢ e : ( T, κ ) ∆ ⊢ S : ( com κ 1 , κ 2 ) Assignment rule: if x : ( C, κ 1 ) ⊢ e : ( T, κ 2 ) and κ 2 ≤ κ 1 then x : ( C, κ 1 ) ⊢ x := e : ( com κ 1 , H ) Conditional rule: if ∆ ⊢ e : ( bool , κ 1 ) and ∆ ⊢ S i : ( com κ 2 , κ 2 ) and κ 1 ≤ κ 2 then ∆ ⊢ if e then S 1 else S 2 : ( com κ 2 , κ 2 ) Noninterference theorem (“Rules enforce policy”): typability implies that L ow outputs do not depend on H igh inputs CASSIS Workshop 2004-03-11 / 7

  8. Selective release for trusted clients class Kern { // static permissions stat , sys string infoH; // security type H string infoL; // security type L string getHinfo() { // security type • → H test sys then result:= self.infoH else abort } string getStatus() { // security type • → ??? /* trusted, untrusted callers may both use getStatus */ test stat // selective release of info then enable sys in result:= self.getHinfo() else result:= self.infoL } . . . } Usual info. fl ow analysis restrictive – getStatus: • → H . Want: no stat then getStatus: • → L , o.w., getStatus: • → H . CASSIS Workshop 2004-03-11 / 8

  9. class Comp1 { // untrusted: static permission other Kern k:=. . . ; string v; // security type L string status() { // security type • → L result:= self.v ++ k.getStatus() } // gets infoL string status2() { // • → L enable stat in result:= self.v ++ k.getStatus() } // gets infoL class Comp2 { // partially trusted: static permissions stat , other Kern k:=. . . ; string statusH() { // • → H enable stat in result:= k.getStatus() }} // gets infoH CASSIS Workshop 2004-03-11 / 9

  10. Our approach P − Notation κ → κ 2 for method type means: when called with argument with level ≤ κ , type of result ≤ κ 2 provided caller does not have the permissions in set P . { stat } ∅ string getStatus() { // both • − → L and • − → H test stat then enable sys in result:= self.getHinfo() else result:= self.infoL } class Comp1 { // static permission other { stat } . . . result:= k.getStatus() // ok, using Kern.getStatus: • − → L { stat } . . . enable stat in result:= k.getStatus() // ok, using • − → L CASSIS Workshop 2004-03-11 / 10

  11. Technical details Typing Judgements: ∆ ; P ⊢ e : ( T, κ ) // ∆ security type context ∆ ; P ⊢ S : ( com κ 1 , κ 2 ) In security context ∆ , expression e has type ( T, κ ) when permissions disjoint from P are enabled , i.e., P is upper bound of excluded permissions. CASSIS Workshop 2004-03-11 / 11

  12. Checking test Consider ∆ ; P ⊢ test P ′ then S 1 else S 2 : com If P ′ ∩ P � = ∅ then test must fail at run time. Check S 2 : ∆ ; P ⊢ S 2 : com If P ′ ∩ P = ∅ then test may succeed . Check both S 1 and S 2 : ∆ ; P ⊢ S 1 : com and ∆ ; P ⊢ S 2 : com CASSIS Workshop 2004-03-11 / 12

  13. Checking test in getStatus { stat } ∅ string getStatus() { // both • − → L and • − → H test stat then enable sys in result:= self.getHinfo() else result:= self.infoL } ∆ ; ∅ ⊢ test stat then . . . { stat } ∩ ∅ = ∅ , so analyze both branches of test . ∆ ; { stat } ⊢ test stat then . . . else result:= self.infoL { stat } ∩ { stat } = { stat } , so analyze else branch. Note that at run-time only result:= self.infoL is relevant. CASSIS Workshop 2004-03-11 / 13

  14. Checking method declarations P Recap: Security type κ − → κ 2 means that if args ≤ κ and caller permissions disjoint from P then result ≤ κ 2 . To check C ⊢ T m ( U x ) { S } // mtype ( m, C ) = U → T P we must check, for all ( κ − → κ 2 ) ∈ smtypes ( m, C ) , that ∆ ; ( P ∩ Perms ( C )) ⊢ S : com where ∆ = x : ( U, κ ) , self : ( C, κ 0 ) , result : ( T, κ 2 ) CASSIS Workshop 2004-03-11 / 14

  15. Checking getStatus { stat } ∅ string getStatus() { // both • − → L and • − → H test stat then enable sys in result:= self.getHinfo() else result:= self.infoL } ∅ For • − → H : result : H ; ∅ ⊢ test stat then . . . ( N.B. ∅ ∩ Perms ( Kern ) = ∅ ) { stat } For • − → L : result : L ; { stat } ⊢ test stat then . . . ( N.B. { stat } ∩ Perms ( Kern ) = { stat } ) CASSIS Workshop 2004-03-11 / 15

  16. Trusted calling Untrusted class NaiveProgram extends Object { // all permissions, R unit Main() { string s := BadPlugIn.TempFile(); File.Delete(s); } (1) body of TempFile executed with R ∩ Perms ( BadPlugIn ) (2) File.Delete(s) executed with R class BadPlugIn extends Object { // no FileIO string TempFile() { result := “...//tmp/password ...”; } } class File extends Object { // R unit Delete( string s) { test FileIO then Win32.Delete(s) else abort; } } CASSIS Workshop 2004-03-11 / 16

  17. Integrity class NaiveProgram extends Object { // R unit Main() { string s := BadPlugIn.TempFile(); // s : H File.Delete(s); } class BadPlugIn extends Object { // no FileIO string TempFile() { result := “...//tmp/password ...” } } // • ∅ − → H { FileIO } → • and type L ∅ − − → • . File.Delete has both type H To check well-typedness of Main’s body under ∅ , check { FileIO } File.Delete(s) under H − → • . Need { FileIO } ⊆ ∅ – impossible. So Main is not typable. CASSIS Workshop 2004-03-11 / 17

  18. History-based Access Control class NaiveProgram extends Object { // all permissions, R unit Main() { string s := BadPlugIn.TempFile(); File.Delete(s); } } (1) BadPlugin.Tempfile() called with R (2) body of TempFile executed with R ∩ Perms ( BadPlugIn ) (3) File.Delete(s) executed with R ∩ Perms ( BadPlugIn ) FileIO �∈ R ∩ Perms ( BadPlugIn ) . Hence test FileIO then ... fails the test. CASSIS Workshop 2004-03-11 / 18

  19. Security Typing P ; Q Notation κ − → κ 2 for method type means: (1) caller’s permissions are disjoint from P (2) on return, permissions for rest of computation disjoint from Q . Similarly use ∆ ; P ⊢ S : com ; Q : (1) excluded permissions before S is P (2) excluded permissions after S is Q . To check ∆ ; P ⊢ S 1 ; S 2 : com ; Q there must exist Q 1 such that ∆ ; P ⊢ S 1 : com ; Q 1 and ∆ ; Q 1 ⊢ S 2 : com ; Q . CASSIS Workshop 2004-03-11 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University

667 views • 23 slides
Access Control Enforcement Access Control Enforcement for Conversation- -based based for

Access Control Enforcement Access Control Enforcement for Conversation- -based based for

The Cyber Center The Cyber Center Access Control Enforcement Access Control Enforcement for Conversation- -based based for Conversation Web Services Web Services Massimo Mecella * Mourad Ouzzani Univ. Roma LA SAPIENZA, Italy Purdue

375 views • 26 slides
Role-based access control Role-based access control 1 RBAC: Motivations Complexity of

Role-based access control Role-based access control 1 RBAC: Motivations Complexity of

Role-based access control Role-based access control 1 RBAC: Motivations Complexity of security administration p y y For large number of subjects and objects, the number of authorizations can become extremely large For dynamic

536 views • 51 slides
Language-Based Access Control and Safety Language-based access control is impossible in a

Language-Based Access Control and Safety Language-based access control is impossible in a

Language-Based Access Control and Safety Language-based access control is impossible in a programming language that is not memory safe. Without memory safety, there is no way to guarantee separation of memory used by different program

413 views • 30 slides
Policy-based Access Control for Weakly Consistent Replication Based on paper written by Ted

Policy-based Access Control for Weakly Consistent Replication Based on paper written by Ted

Policy-based Access Control for Weakly Consistent Replication Based on paper written by Ted Webber, Thomas L. Rodeheffer and Douglas B. Terry Outline Whats the problem? Definitions System design Operation on data Updating

978 views • 34 slides
Rule Set Based Access Control (RSBAC) Amon Ott <ao@rsbac.org> Contents: 1 Introduction

Rule Set Based Access Control (RSBAC) Amon Ott <ao@rsbac.org> Contents: 1 Introduction

Rule Set Based Access Control (RSBAC) Amon Ott <ao@rsbac.org> Contents: 1 Introduction 1.1 History 1.2 Motivation 1.3 Design Goals 1.4 Overview of RSBAC 2 Architecture and Implementation of the Framework 2.1 Subjects, Objects and

553 views • 39 slides
A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and V. Sassone MyThS Meeting, Venice, June, 14th, 2004 A Distributed Calculus for Role-Based Access Control p.1/18 RBAC Why: Role-Based Access

613 views • 36 slides
Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody {ab374,km}@cl.cam.ac.uk University of Cambridge, Computer Laboratory, OPERA Policy 2002 1 Outline Role-Based Access Control OASIS

480 views • 14 slides
Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based

Overview Access control lists Capability lists Locks and keys Rings-based access control Propagated access control lists May 31, 2005 ECS 235, Computer and Information Slide #1 Security Access Control Lists Columns

1.24k views • 80 slides
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Information

Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Information

Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Information Security Group Royal Holloway, University of London ACM Workshop on Secure Web Services 2004 George Mason University, 29 October 2004 Applying

647 views • 31 slides
Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System Evaluation Criteria (TCSEC) Background MAC Mandatory Access Control Firm security levels DAC Discretionary Access Control Access

240 views • 6 slides
Outline Multilevel and mandatory access control CSci 5271 Capability-based access control

Outline Multilevel and mandatory access control CSci 5271 Capability-based access control

Outline Multilevel and mandatory access control CSci 5271 Capability-based access control Introduction to Computer Security Announcements intermission Day 11: OS security: higher assurance Stephen McCamant OS trust and assurance University

303 views • 9 slides
PERMIS Role-Based Access Control Example System Presenter: Haiyan Cheng CS 6204, Spring 2005 1

PERMIS Role-Based Access Control Example System Presenter: Haiyan Cheng CS 6204, Spring 2005 1

PERMIS Role-Based Access Control Example System Presenter: Haiyan Cheng CS 6204, Spring 2005 1 PERMIS Review A role-based access control infrastructure Uses X.509 attribute certificate (AC) to store users roles All access

397 views • 8 slides
Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control

Introduction Insiders and Detecting and Countering Insider Threats: the Insider Threat Can Policy-Based Access Control Help? Trust and Trustworthi- ness Access Control and Trustwor- Jason Crampton 1 Michael Huth 2 thiness 1 Information

470 views • 25 slides
An Automated Model-based Test Oracle for Access Control Systems Antonia Bertolino 1 , Said

An Automated Model-based Test Oracle for Access Control Systems Antonia Bertolino 1 , Said

An Automated Model-based Test Oracle for Access Control Systems Antonia Bertolino 1 , Said Daoudagh 1,2 , Francesca Lonetti 1 , Eda Marchetti 1 1 ISTI-CNR 2 University of Pisa Agenda Introduction Access Control Systems XACML policies

459 views • 31 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
Xen Summit 8 September, 2006 Xen Management API and Control Stack Ewan Mellor

Xen Summit 8 September, 2006 Xen Management API and Control Stack Ewan Mellor

Xen Summit 8 September, 2006 Xen Management API and Control Stack Ewan Mellor ewan@xensource.com Xen Management Architecture Cluster-wide Integration The aim is to integrate Xen-based systems with enterprise-level cluster management

205 views • 19 slides
CS527 Software Security Advanced Mitigations Mathias Payer Purdue University, Spring 2018

CS527 Software Security Advanced Mitigations Mathias Payer Purdue University, Spring 2018

CS527 Software Security Advanced Mitigations Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Model for Control-Flow Hijack Attacks Figure 1: Mathias Payer CS527 Software Security Advanced mitigations

504 views • 26 slides
Procedures and Call Stacks How do I pass arguments to

Procedures and Call Stacks How do I pass arguments to

University of Washington Procedures and Call Stacks How do I pass arguments to a procedure? How do I get a return value from a procedure?

652 views • 38 slides
Abstract Machines What is an abstract machine? - a set of legal states final and initial

Abstract Machines What is an abstract machine? - a set of legal states final and initial

Concepts of Program Design Abstract Machines Gabriele Keller Ron Vanderfeesten Abstract Machines What is an abstract machine? - a set of legal states final and initial states as subset - A set of instructions altering the state of the

334 views • 31 slides
Midterm #2 Review February 25, 2013 1 / 11 I will provide . . . a list of relevant

Midterm #2 Review February 25, 2013 1 / 11 I will provide . . . a list of relevant

Midterm #2 Review February 25, 2013 1 / 11 I will provide . . . a list of relevant instructions for assembly problems just the keywords and the names! you should know the difference between (and how to use) add , addi , sub ,

688 views • 11 slides
CS 103 Lecture 3 Slides Control Structures Mark Redekopp 2 Announcements Lab 2 Due

CS 103 Lecture 3 Slides Control Structures Mark Redekopp 2 Announcements Lab 2 Due

1 CS 103 Lecture 3 Slides Control Structures Mark Redekopp 2 Announcements Lab 2 Due Friday 3 Review Write a program to ask the user to enter two integers representing hours then minutes. Output the equivalent number of

762 views • 72 slides
1 What makes up an algorithm The sequence (or Compound) instruction 1 Basic steps: Feature

1 What makes up an algorithm The sequence (or Compound) instruction 1 Basic steps: Feature

Not quite an algorithm Chair of Softw are Engineering Einfhrung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer October 2006 February 2007 Lecture 9: Control Structures I I ntro. to Programming, lecture 9:

229 views • 5 slides
Algorithm Control Structures Analysis of Algorithms Sequencing If-Then-Else

Algorithm Control Structures Analysis of Algorithms Sequencing If-Then-Else

Algorithm Control Structures Analysis of Algorithms Sequencing If-Then-Else For loop Algorithm Control Structures While loop Recursive calls http://www.cp.eng.chula.ac.th/faculty/spj Sequencing Sequencing

564 views • 9 slides

More recommend