Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Information Flow Control
Language and System Level
Concept
Information flow
• Long-term confinement of information to authorized receivers
• Controls how information moves among data handlers and data storage units
• Applied at the language, system, or application level
Examples:
• Ensure that “secret” data is only revealed to individuals with a suitably high clearance level
• Guarantee that information available to a process cannot leak to the network
• Certify that the outputs of a program only contain information derived from specified inputs
2
System Example
Guarantee that the anti-virus (AV) scanner cannot leak to the network any data found in its scan of user files
Possible leak methods
• Send data directly to a network connection
• Conspire with other processes (e.g., sendmail or httpd)
• Subvert another process and use its network access to send data
• Leave data in /tmp for other processes (e.g., the AV update daemon) to send
• Use other direct or indirect means of communication with the update daemon
3
Denning Model
Flow model where
• N = {a, b, …} is a set of logical storage objects
• P = {p, q, …} is a set of processes (active objects)
• SC = {A, B, …} is a set of security classes
  – Disjoint classes of information
  – Each object is bound to a security class
  – Notation: a̲ denotes the class of a; the binding may be static or dynamic (varies with content)
• Class combining operator ⊕: a̲ ⊕ b̲ is the class of information derived from a and b
• Flow relation →: A → B iff information in class A is allowed to flow into class B
4
Dorothy Denning
Example Security Classes
5
Levels: public < confidential < secret < top secret
(Figure: Hasse diagram of the classes (level, compartment set) built from the levels S (secret) and TS (top secret) and the compartments dip and mil, from the lowest class (S,[]) to the highest (TS,[dip,mil]). Rows from top to bottom:)
(TS,[dip,mil])
(TS,[dip])  (TS,[mil])  (S,[dip,mil])
(TS,[])  (S,[dip])  (S,[mil])
(S,[])
Adapted from K. Rosen, Discrete Mathematics and its Applications, 2003.
Class Combining Operations
6
(Figure: the same lattice as slide 5, with the least upper bound and greatest lower bound of a pair of classes marked. For classes (level, compartments), the least upper bound takes the higher level and the union of the compartments; the greatest lower bound takes the lower level and the intersection of the compartments.)
(TS,[dip,mil])
(TS,[dip])  (TS,[mil])  (S,[dip,mil])
(TS,[])  (S,[dip])  (S,[mil])
(S,[])
least upper bound
greatest lower bound
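As an added example (not from the slides), the security classes of this lattice in Python: a class is a (level, compartment set) pair, the class-combining operator ⊕ is the least upper bound, ⊗ the greatest lower bound, and a → b the flow relation. It generalizes the figure to the four levels named on slide 5; the LEVELS ranking and the helper names are assumptions.

```python
# Added example (not the slides' code): Denning-style security classes
# (level, set of compartments) forming a lattice, with the class-combining
# operator (least upper bound), the greatest lower bound and the flow relation.
from dataclasses import dataclass

# Assumed ranking of the four levels named in the lecture.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class SecClass:
    level: str
    compartments: frozenset

    def flows_to(self, other):
        """a -> b holds iff a's level is no higher than b's and every
        compartment of a is also a compartment of b."""
        return (LEVELS[self.level] <= LEVELS[other.level]
                and self.compartments <= other.compartments)

    def lub(self, other):
        """Class-combining operator a (+) b: the lowest class both flow to."""
        lvl = max(self.level, other.level, key=LEVELS.get)
        return SecClass(lvl, self.compartments | other.compartments)

    def glb(self, other):
        """Greatest lower bound a (x) b: the highest class that flows to both."""
        lvl = min(self.level, other.level, key=LEVELS.get)
        return SecClass(lvl, self.compartments & other.compartments)


def sc(level, *comps):
    """Convenience constructor: sc("secret", "dip") is (S,[dip])."""
    return SecClass(level, frozenset(comps))


def combined_result_class(sources):
    """Class that the result of f(a1, ..., an) must be bound to: a1 (+) ... (+) an."""
    cls = sources[0]
    for s in sources[1:]:
        cls = cls.lub(s)
    return cls


if __name__ == "__main__":
    s_dip, s_mil = sc("secret", "dip"), sc("secret", "mil")
    print(s_dip.lub(s_mil))                               # (S,[dip,mil])
    print(sc("top secret", "dip").glb(sc("secret", "dip", "mil")))  # (S,[dip])
    print(s_dip.flows_to(sc("top secret", "dip", "mil")))  # True
    print(s_dip.flows_to(sc("top secret", "mil")))         # False: dip not in target
```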
Implicit/Explicit flows
In the statement a = b + c; there is an explicit flow from b to a and from c to a, written here as a ← b and a ← c
In the statement if (a == 0) { b = c; } there is an explicit flow from c to b (b ← c) and an implicit flow from a to b (b ← a)
• Because testing the value of b before and after the statement can reveal the value of a
In the statement if (c) { a = b + 1; d = e + 2; } there are explicit flows from b to a and from e to d (a ← b, d ← e) and implicit flows from c to a and from c to d (a ← c, d ← c)
7
Security Requirements
Elementary statement S: b ← a1, …, an is secure if b ← a1, …, b ← an are all secure, i.e., if a1 → b, …, an → b, i.e., if a1 ⊕ … ⊕ an → b is allowed
Sequence S = S1; S2 is secure if both S1 and S2 are secure
Conditional S = c: S1, …, Sn, where Si updates bi, is secure if bi ← c for i = 1..n are secure, i.e., if c → b1 ⊗ … ⊗ bn is allowed (⊗ being the greatest lower bound)
8
Static Binding
Access Control
• Process p can read from a only if a → p
• Process p can write to b only if p → b
• In general, a → p → b
Data Mark Machine
• Associate a security class p with the program counter
• For conditional structure c: S
  – Push p onto the stack
  – Set p to p ⊕ c
  – Execute S
  – On exit restore p from the stack
• For statement S with b ← a1, …, an
  – Verify that a1 ⊕ … ⊕ an ⊕ p → b
9
Static Binding
Compiler-based
• For elementary statement S: b ← f(a1, …, an)
  – Verify that a1 ⊕ … ⊕ an → b is allowed
  – Set the class of S to b
• For sequence S = S1; S2
  – Set the class of S to (class of S1) ⊗ (class of S2)
• For conditional structure S = c: S1, …, Sm
  – Set the class of S to (class of S1) ⊗ … ⊗ (class of Sm)
  – Verify that c → class of S
10
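An added example (not the course's code) that applies the security requirements of slide 8 and the compiler-based rules of slide 10 to a tiny statement language, returning both the verdict and the class assigned to each statement. The Assign/Seq/Cond classes and the use of a total order of numeric classes (so ⊕ is max and ⊗ is min) are assumptions; the rules themselves are the slides'.

```python
# Added example (not the slides' code): compile-time certification of explicit
# and implicit flows. Classes are assumed to form a total order
# 0 = public ... 3 = top secret, so lub is max and glb is min.
from dataclasses import dataclass

LOW, HIGH = 0, 3


def flows(a, b):
    """a -> b is allowed iff a is no higher than b."""
    return a <= b


@dataclass
class Assign:          # b <- f(a1, ..., an): target and the source variables
    target: str
    sources: list


@dataclass
class Seq:             # S1; S2
    first: object
    second: object


@dataclass
class Cond:            # c: S1, ..., Sm
    cond: str
    branches: list


def certify(stmt, env):
    """Return (secure, class_of_stmt); env maps variable names to classes."""
    if isinstance(stmt, Assign):
        lub = max((env[a] for a in stmt.sources), default=LOW)
        # explicit flows a_i -> b are secure iff a1 (+) ... (+) an -> b
        return flows(lub, env[stmt.target]), env[stmt.target]
    if isinstance(stmt, Seq):
        ok1, c1 = certify(stmt.first, env)
        ok2, c2 = certify(stmt.second, env)
        return ok1 and ok2, min(c1, c2)          # class of S = S1 (x) S2
    if isinstance(stmt, Cond):
        results = [certify(s, env) for s in stmt.branches]
        s_class = min(c for _, c in results)     # S1 (x) ... (x) Sm
        # implicit flow: c must be allowed to flow to every updated variable
        return all(ok for ok, _ in results) and flows(env[stmt.cond], s_class), s_class
    raise TypeError(f"unknown statement {stmt!r}")


if __name__ == "__main__":
    env = {"a": HIGH, "b": LOW, "c": LOW}
    # if (a == 0) { b = c; }: explicit c -> b is fine, implicit a -> b leaks
    print(certify(Cond("a", [Assign("b", ["c"])]), env))    # (False, 0)
    env["b"] = HIGH
    print(certify(Cond("a", [Assign("b", ["c"])]), env))    # (True, 3)
```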
Dynamic Binding
• A purely dynamic binding is not practical
• Typically some objects and most users have a static security class
Dynamic Data Mark Machine
• Difficult to account for implicit flows, so…
• The compiler determines implicit flows and inserts additional instructions to update the class associated with the program counter accordingly
• This accounts for implicit flows even if the flow is not executed
11
HiStar: System Level Flow Control
Basic ideas
• Files and processes are associated with a label whose taint restricts the flow to less tainted components
• Many categories of taint, each owned by its creator
• Selected components (e.g., wrap) can be given untainting privileges
12
Labels
Structure L = {c1 l1, c2 l2, …, cn ln, ldefault}
• Each ci is a category and li is the taint level in that category
• ldefault is the default level for unnamed categories
• L(c) = li if c = ci for some i, and ldefault otherwise
Levels
13
Information Flow
General rule
• Information can flow from O1 to O2 only if O2 is at least as tainted as O1 in every category
• Information cannot flow from O1 to O2 if O1 is more tainted in some category than O2
Example
• Thread T with LT = {1}, object O with LO = {c 3, 1}
• LT(c) = 1 < 3 = LO(c)
• Flow is permitted from T to O (i.e., T can write to O)
• No flow is permitted from O to T (i.e., T cannot read/observe O)
14
Example with Labels
• User data labels are set so that only the owner can read (br 3) and write (bw 0)
• The wrap program has ownership to read (br ⋆) user data, which it delegates to the scanner
• Wrap creates category v to (1) prevent the scanner from modifying user data (since user data has default level 1) and (2) prevent the scanner from communicating with the network
15
Notation
Information flow
• Treatment of level ⋆: ⋆ should be high for reading, but low for writing
• The notation therefore provides two ownership symbols, ⋆ and ⍟
• Used as L⋆ and L⍟; for example, if L = {a⋆, b⍟, 1} then L⍟ = {a⍟, b⍟, 1} and L⋆ = {a⋆, b⋆, 1}
Flow restriction
• T can read/observe O only if LO ⊑ LT⋆
• T can write/modify O only if LT⍟ ⊑ LO
16
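An added example (not HiStar's code) that models the labels of slides 13, 14 and 16: L(c) with a default level, ownership treated as the highest level when reading and as a level below 0 when writing, and the two flow-restriction checks. The category names br, bw and v and the scanner and network labels of the slide-15 scenario are constructed here, not taken from HiStar.

```python
# Added example, not HiStar's code: labels as category -> level with a default,
# ownership "*" ranked highest for reading and below 0 for writing, and the
# observe/modify checks from the slides. Category names and the scanner/network
# labels below are constructed for illustration.
STAR = "*"                      # ownership of a category
HIGHEST, BELOW_ZERO = 3, -1     # how "*" ranks when reading / when writing


class Label:
    def __init__(self, default, **levels):
        self.default = default
        self.levels = dict(levels)          # category -> int level or STAR

    def get(self, c):                       # L(c): li if c is named, else default
        return self.levels.get(c, self.default)

    def ownership_as(self, rank):           # L* (rank=HIGHEST) or L(x) (rank=BELOW_ZERO)
        return Label(self.default, **{c: (rank if l == STAR else l)
                                      for c, l in self.levels.items()})


def leq(a, b):
    """a ⊑ b: b is at least as tainted as a in every category (and by default).
    Both labels must already have ownership replaced by a numeric rank."""
    cats = set(a.levels) | set(b.levels)
    return a.default <= b.default and all(a.get(c) <= b.get(c) for c in cats)


def can_observe(thread, obj):   # T may read O only if L_O ⊑ L_T*
    return leq(obj.ownership_as(HIGHEST), thread.ownership_as(HIGHEST))


def can_modify(thread, obj):    # T may write O only if L_T(x) ⊑ L_O
    return leq(thread.ownership_as(BELOW_ZERO), obj.ownership_as(BELOW_ZERO))


if __name__ == "__main__":
    t, o = Label(1), Label(1, c=3)                  # slide 14: T = {1}, O = {c 3, 1}
    print(can_modify(t, o), can_observe(t, o))      # True False
    # slide 15 scenario (constructed labels): user data readable only via br,
    # writable only via bw; the scanner holds br ownership and is tainted with v.
    user_data = Label(1, br=3, bw=0)
    scanner = Label(1, br=STAR, v=3)
    network = Label(1)
    print(can_observe(scanner, user_data),   # True: owned br reads as level 3
          can_modify(scanner, user_data),    # False: bw 0 is below the scanner's default 1
          can_modify(scanner, network))      # False: v taint 3 cannot reach the network
```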
Kernel Object Types
Object structure
• objectID (unique, 61 bit)
• label (threads also have a clearance label)
• quota
• metadata (64 bytes)
• flags
17
Segment: variable-length byte array
Design Rationale
Kernel interface
• The contents of object A can only affect object B if, for every category c in which A is more tainted than B, a thread owning c takes part in the process.
• Provides an end-to-end guarantee of which system components can affect which others, without the need to understand component details
Application structure
• Organize applications so that key categories are owned by small amounts of code
• The bulk of the system is then not security critical
18