463.8 Information Flow

463.8 Information Flow UIUC CS463 Computer Security

Overview • Motivation • Non-interference model • Information flow and language analysis • Confinement and covert channels

Required • Reading • Chapter 8 up to the beginning of 8.2.1 • Goguen / Meseguer 82 • Chapter 16 sections 16.1 and 16.3 • Chapter 17 • Garfinkel / Pfaff / Rosenblum 03 • Exercises • Section 8.9 exercise 1 • Section 16.9 exercises 2, 4-6 • Section 17.7 exercises 2a, 3-4, 6-7

Example 1 • Downloadable financial planner: Disk Network AccountingSoftware • Access control insufficient • Encryption necessary, but also insufficient

Noninterference Disk Network AccountingSoftware • Private data does not interfere with network communication • Baseline confidentiality policy

Example 2 • Smart card for financial transactions • Card contains sensitive financial information used to make a transaction • Used in the terminal of a merchant • Card is tamper-resistant, protects card secrets from both the merchant and card holder • Java cards provide limited card-based computation • Must split the computation between the card, the terminal, and network connections

Model of Noninterference • Represent noninterference as a relation between groups of users and commands • Users in group G do not interfere with those in group G’ if the state seen by G’ is not affected by the commands executed by members of G Goguen Meseguer 82

State Automaton • U – Users • S – States • C – Commands • Out – Outputs • do : S £ U £ C ! S – state transition function • out : S £ U ! Out – output function • s0 – initial machine state

Capability System • U, S, Out – users, states, commands, and outputs as before (in a state machine) • SC – State commands • Capt – Capability tables • CC – Capability commands • out : S £ Capt £ U ! Out • do : S £ Capt £ U £ SC ! S • cdo : Capt £ U £ CC ! Capt – Capability selection function • s02 S and t02 Capt – Initial state and capability tables

Transition Function • C = SC ] CC - Commands • csdo : S £ Capt £ U £ C ! S £ Capt • csdo(s,t,u,c) = (do(s,t,u,c),t) if c 2 SC • csdo(s,t,u,c) = (s,cdo(s,t,u,c)) if c 2 CC • csdo* : S £ Capt £ (U £ C)* ! S £ Capt • csdo*(s,t,nil) = (s,t) • csdo*(s,t,w.(u,c)) = csdo(csdo*(s,t,w),u,c) • [[w]] = csdo*(s0,t0,w) • [[w]]u = out([[w]],u)

Projection • Let G µ U and A µ C and w 2 (U £ C)* • PG(w) = subset of w obtained by eliminating pairs (u,c) where u 2 G • PA(w) = subset of w obtained by eliminating pairs (u,c) where c 2 A • PG,A(w) = subset of w obtained by eliminating pairs (u,c) where u 2 G and c 2 A

Noninterference • M state machine and G, G’ µ U and A µ C • G :| G’ iff 8 w 2 (U £ C)*. 8 u 2 G’. [[w]]u = [[pG(w)]]u • A :| G iff 8 w 2 (U £ C)*. 8 u 2 G. [[w]]u = [[pA(w)]]u • A,G :| G’ iff 8 w 2 (U £ C)*. 8 u 2 G’. [[w]]u = [[pA,G(w)]]u

Security Policies • Noninterference assertions have the forms G :| G’ A :| G A,G :| G’ • A security policy is a set of noninterference assertions

Example 1 • A :| {u} • The commands in A do not interfere with the state of user u

Levels L v Top Secret Secret Unclassified Example 2 MLS • Level : U ! L - assignment of security levels in L • Above(l) = { u 2 U | l v Level(u)} • Below(l) = { u 2 U | Level(u) v l} • M is multi-level secure with respect to L if, for all l @ l’ in L, Above(l’) :| Below(l)

MLS Continued • G is invisible if G :| Gc where Gc is the complement of G in U • Proposition 1: If M,L is multi-level secure, then Above(l) is invisible for every l 2 L.

Example 3 Isolation • A group of users G is isolated if: G :| Gc and Gc :| G. • A system is completely isolated if every user in U is isolated.

Example 4 Channel Control • View a channel as a set of commands A • We can assert that groups of users G and G’ can only communicate through channel A with the following two noninterference assertions: • Ac,G :| G’ and • Ac,G’ :| G

A1 u1 A u u’ A2 u2 Example 5 Information Flow u’,u1,u2 :| u u1,u2 :| u’ u1 :| u2 u2 :| u1 Ac,u :| {u’,u1,u2} A1c,u’ :| {u1} A2c,u’ :| {u2}

Example 6 Security Officer • Let A be the set of commands that can change the security policy • seco 2 U is the only individual permitted to use these commands to make changes • This is expressed by the following policy: A,{seco}c :| U

Entropy and Information Flow • Idea: info flows from x to y as a result of a sequence of commands c if you can deduce information about x before c from the value in y after c • Formalized using information theory

Entropy • Entropy: measure of uncertainty in a random variable • H(X) = -åi p(xi) log(p(xi)) • constant: H(c) = 0 • uniform distribution: H(Un) = log(n) • Conditional entropy: how much uncertainty left about X knowing Y • H(X | Y) = -åj p(yj) åi p(xi | yj) log(p(xi | yj)) • H(X | Y) = åj p(yj) H(X | Y=yj) • H(X | Y) = H(X) if X,Y are independent

Entropy and Information Flow • Definitions: • Sequence of commands c • xs, ysare (distributions) of values of x,y before commands c • xt, yt are values after c • Commands c leak information about x into y if: • H(xs | yt) < H(xs | ys) • If no y at time s, then H(xs | yt) < H(xs)

Example 1 • y := x • If we learn y, then we know x • H(xs | yt=y) = 0 for all y, so H(xs | yt) = 0 • Information flow exists if xs not a (known) constant

Example 2 • Destroyed information 1: r1 := x 2: … 3: r1 := r1 xor r1 4: y := z + r1 • H(xs | yt) = H(xs | ys) since after line 3, r1 = 0

Example 3 • Command is • ifx = 1 theny := 0 elsey := 1; where: • x, y equally likely to be either 0 or 1 • H(xs) = 1 as x can be either 0 or 1 with equal probability • H(xs | yt) = 0 as if yt = 1 then xs = 0 and vice versa • Thus, H(xs | yt) = 0 < 1 = H(xs) • So information flowed from x to y

Implicit Flow of Information • Information flows from x to y without an explicit assignment of the form y := f(x) • f(x) an arithmetic expression with variable x • Example from previous slide: • ifx = 1 theny := 0 elsey := 1; • So must look for implicit flows of information to analyze program

Compiler-Based Mechanisms • Detect unauthorized information flows in a program during compilation • Analysis not precise, but secure • If a flow could violate policy (but may not), it is unauthorized • No unauthorized path along which information could flow remains undetected • Set of statements certified with respect to information flow policy if flows in set of statements do not violate that policy Denning Denning 77

Example ifx = 1 theny := a; elsey := b; • Info flows from x and a to y, or from x and b to y • Certified only if information from the security class x of x is allowed to flow into the security class y of y and similar conditions hold for a and b relative to y. • Write: x ≤ y and a ≤ y and b ≤ y • Note flows for both branches must be true unless compiler can determine that one branch will never be taken

Declarations • Notation: x: intclass { A, B } means x is an integer variable with security class at least lub{ A, B } so lub{ A, B } ≤ x • Distinguished classes Low, High

Assignment Statements x := y + z; • Information flows from y, z to x, so this requires lub{ y, z } ≤ x More generally: y := f(x1, …, xn) • Require lub{ x1, …, xn} ≤ y

Compound Statements x := y + z; a := b * c – x; • First statement: lub{ y, z } ≤ x • Second statement: lub{ b, c, x } ≤ a • So, both must hold (i.e., be secure) More generally: S1; … Sn; • Each individual Si must be secure

Iterative Statements while i < n do begin a[i] := b[i]; i := i + 1; end • Same ideas as for “if”, but must terminate More generally: while f(x1, …, xn) do S; • Loop must terminate; • S must be secure • lub{ x1, …, xn } ≤ glb{y | y target of an assignment in S }

Conditional Statements if x + y < z then a := b else d := b * c – x; end • The statement executed reveals information about x, y, z, so lub{ x, y, z } ≤ glb{ a, d } More generally: if f(x1, …, xn) then S1 else S2; end • S1, S2 must be secure • lub{ x1, …, xn } ≤ glb{y | y target of assignment in S1, S2 }

Input Parameters • Parameters through which data passed into procedure • Class of parameter is class of actual argument ip: type class { ip }

Output Parameters • Parameters through which data passed out of procedure • If data passed in, called input/output parameter • As information can flow from input parameters to output parameters, class must include this: op: typeclass { r1, …, rn } where ri is class of ith input or input/output argument

Procedure Calls proc pn(i1, …, im: int; var o1, …, on: int) begin S end; • S must be secure • For all j and k, if ij ≤ ok, then xj ≤ yk • For all j and k, if oj ≤ ok, then yj ≤ yk

Example procsum(x: int class { A }; varout: int class { A, B }); begin out := out + x; end; • Require x ≤ out and out ≤ out

Array Elements • Information flowing out: … := a[i] Value of i, a[i] both affect result, so class is lub{ a[i], i } • Information flowing in: a[i] := … • Only value of a[i] affected, so class is a[i]

Other Constructs • Goto Statements • Exceptions • Infinite loops • Concurrency

Resource Sharing • Topics so fare deal with shared resources: • Non-interference: no information flows through shared resources • Information flow: discover and measure information flows • Confinement: policies to describe and techniques to implement limits on information flows

Confinement Problem Confinement problem – problem of preventing a server from leaking information that the user of the service considers confidential. [Lampson] • Non-interference and information flow policies can specify confinement policies • Confinement is also concerned with covert channels

Transitivity • Confinement needs to be transitive • If a confined process invokes a second process, the second process must be as confined as the caller • Otherwise, confined processes could escape

Isolation • Confinement established through isolation • Restrict a process’ access • Enforce the principle of least privilege • Isolation can sometimes also ensure non-confinement properties like availability

Mechanisms for Isolation • Memory protection • chroot • Sandboxes • Virtual Machine Monitors

Memory protection • Isolate processes memory space from each other • Interact only through the OS or shared memory • Memory protection around since the ‘60s • Only recently entered mainstream OS: even single user machines need process isolation • Usually not confining enough • Communication through the OS needs to be restricted

/ usr sbin etc lib … chroot • Present a limited view of the file system apache / sbin etc lib httpd.conf libc, … apache

chroot • chroot problems • Have to replicate files used by the jail • Hard links save space, but entire directories are more troublesome • Sometimes possible to escape chroot • Control only file system access • BSD Jails: chroot + network controls • Fix existing chroot security holes • Regulate access to the network • Used to set up low-cost “virtual hosts”

Sandboxes • Restrict access to the operating system • Usually done on the scale of system calls • Used to restrict untrusted or marginally trusted applications • Three types of sandboxes: • User-space • Kernel-based • Hybrid Garfinkel Pfaff Rosenblum 03

463.8 Information Flow

463.8 Information Flow

Presentation Transcript

Flow of Genetic Information:

JavaScript Information Flow Analysis

The flow of information

INFORMATION FLOW

More information flow…

Information Flow

Information Flow Control

Information Flow

Information Flow

CS463.7 Information Flow

Information Flow Control

Information Flow

Improving Information Flow

Possibilistic Information Flow

Information Flow Epilog

a LRTAP information flow

Network Information Flow

III. Information flow Integration

Boundaryless Information Flow

Information Flow

Network Information Flow