Lecture #16: Composition, Nondeducibility, Generalized Noninterference, Restrictiveness (PowerPoint presentation)


1. Lecture #16
• Composition
• Nondeducibility
• Generalized Noninterference
• Restrictiveness
February 25, 2009 ECS 235B, Winter Quarter 2009 Slide #16-1 Matt Bishop, UC Davis

2. Policy Composition I
• Assumed: output is a function of input
  – Means deterministic (else not a function)
  – Means uninterruptible (differences in timing can cause differences in states, hence in outputs)
• This result holds for deterministic, noninterference-secure systems

3. Compose Systems
• Louie, Dewey: LOW
• Hughie: HIGH
• [Figure: Louie and Dewey on the left, Hughie on the right; buffers b_L, b_H, b_LH, b_LDH, b_DH connect them as listed below]
• b_L output buffer
  – Anyone can read it
• b_H input buffer
  – From a HIGH source
• Hughie reads from:
  – b_LH (Louie writes)
  – b_LDH (Louie, Dewey write)
  – b_DH (Dewey writes)

4. Systems Secure
• All three are noninterference-secure
  – Hughie has no output, so inputs don't interfere with it
  – Louie, Dewey have no input, so (nonexistent) inputs don't interfere with their outputs
• [Figure: same composition diagram as slide 3]

5. Security of Composition
• Buffers finite, sends/receives blocking: composition not secure!
  – Example: assume b_DH, b_LH have capacity 1
• Algorithm (the value in parentheses is Dewey's):
  1. Louie (Dewey) sends a message to b_LH (b_DH)
     – Fills the buffer
  2. Louie (Dewey) sends a second message to b_LH (b_DH)
     – Blocks until Hughie receives from that buffer
  3. Louie (Dewey) sends a 0 (1) to b_L
  4. Louie (Dewey) sends a message to b_LDH
     – Signals Hughie that Louie (Dewey) completed a cycle

6. Hughie
• Reads a bit from b_H
  – If 0, receives a message from b_LH
  – If 1, receives a message from b_DH
• Receives on b_LDH
  – To wait for the selected sender's cycle to complete (its buffer has been refilled)

7. Example
• Hughie reads 0 from b_H
  – Reads a message from b_LH
• Now Louie's second message goes into b_LH
  – Louie completes step 2 and, at step 3, writes 0 into b_L
• Dewey is blocked at step 2 (b_DH is still full)
  – Dewey cannot write to b_L
• Symmetric argument shows that Hughie reading 1 produces a 1 in b_L
• So the input from b_H is copied to the output b_L: the High input interferes with the Low output
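The blocking-buffer channel of slides 5 to 7 as an added simulation (not part of the lecture): Python threads stand in for Louie, Dewey and Hughie, bounded `queue.Queue` objects for the capacity-1 buffers, and the names `b_LH`, `b_DH`, `b_LDH`, `b_L`, `b_H` follow the slides. The slides' Hughie receives one message per High bit, which copies one bit. To repeat the cycle for a whole bit string, the simulated Hughie drains two messages from the selected buffer per bit so that the selected sender finishes step 2, writes its bit, refills its buffer and is again blocked at step 2 for later rounds; that extension is mine, not the lecture's. The High input is a constructed sample.

```python
import queue
import threading

# Constructed sample High input; any bit string works.
HIGH_INPUT = [0, 1, 1, 0, 0, 1]


def simulate_leak(high_bits, timeout=10.0):
    """Run Louie, Dewey and Hughie over blocking buffers and return the
    bits that appear on the Low output buffer b_L.

    Louie and Dewey are Low (no inputs), Hughie is High (no outputs); each
    is noninterference-secure alone, yet the composition copies b_H to b_L.
    """
    b_LH = queue.Queue(maxsize=1)   # Louie -> Hughie, capacity 1, blocking
    b_DH = queue.Queue(maxsize=1)   # Dewey -> Hughie, capacity 1, blocking
    b_LDH = queue.Queue()           # Louie, Dewey -> Hughie: "cycle done"
    b_L = queue.Queue()             # Low output buffer, anyone can read it
    b_H = queue.Queue()             # Hughie's High input buffer
    for bit in high_bits:
        b_H.put(bit)

    def sender(my_buffer, my_bit):
        # Steps 1-4 of slide 5, repeated forever.
        while True:
            my_buffer.put("m1")     # step 1: fills the capacity-1 buffer
            my_buffer.put("m2")     # step 2: blocks until Hughie drains a slot
            b_L.put(my_bit)         # step 3: Low-visible write (0 Louie, 1 Dewey)
            b_LDH.put("done")       # step 4: signal Hughie that a cycle completed

    def hughie():
        for _ in range(len(high_bits)):
            bit = b_H.get()
            chosen = b_DH if bit else b_LH
            # Slide 6's Hughie receives once. Receiving twice (my extension)
            # lets the chosen sender pass step 2, write its bit, then refill
            # the buffer with its next step-1 message and block at step 2 again.
            chosen.get()
            chosen.get()
            b_LDH.get()             # wait until the chosen sender reports its cycle

    threading.Thread(target=sender, args=(b_LH, 0), daemon=True).start()
    threading.Thread(target=sender, args=(b_DH, 1), daemon=True).start()
    h = threading.Thread(target=hughie, daemon=True)
    h.start()
    h.join(timeout)
    if h.is_alive():
        raise RuntimeError("Hughie did not finish: the protocol deadlocked")

    observed = []
    while True:
        try:
            observed.append(b_L.get_nowait())
        except queue.Empty:
            return observed


if __name__ == "__main__":
    print("High input on b_H:", HIGH_INPUT)
    print("Low output on b_L:", simulate_leak(HIGH_INPUT))
```

The only thing that synchronises the senders is the blocking put on a full buffer, which is exactly the channel: the sender that is allowed to write to b_L is the one whose buffer Hughie chose to drain. The sender threads stay blocked on their buffers after Hughie finishes, which is why they are daemon threads.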

8. Nondeducibility
• Noninterference: do state transitions caused by High-level commands interfere with sequences of state transitions caused by Low-level commands?
• Really a question about inputs and outputs:
  – Can a Low-level subject deduce anything about High-level inputs from a set of Low-level outputs?

9. Example: 2-Bit System
• High operations change only the High bit
  – Similarly for Low
• σ_0 = (0, 0)
• Commands (Heidi is High, Lara is Low): (Heidi, xor1), (Lara, xor0), (Lara, xor1), (Lara, xor0), (Heidi, xor1), (Lara, xor0)
  – Both bits are output after each command, the initial state first
• Output is: 00 10 10 11 11 01 01, i.e. 00101011110101

10. Security
• Not noninterference-secure w.r.t. Lara
  – Lara sees the output as 0001111 (the Low bit of each output)
  – Delete the High commands and she sees 00111
• But Lara still cannot deduce the deleted commands
  – They don't affect the values she sees, only the length of the sequence
• So it is deducibly secure
  – Lara can't deduce the commands Heidi gave

11. Event System
• 4-tuple (E, I, O, T)
  – E set of events
  – I ⊆ E set of input events
  – O ⊆ E set of output events
  – T set of all finite sequences of events legal within the system
• E partitioned into H, L
  – H set of High events
  – L set of Low events

12. More Events …
• H ∩ I set of High inputs
• H ∩ O set of High outputs
• L ∩ I set of Low inputs
• L ∩ O set of Low outputs
• T_Low set of all possible sequences of Low events that are legal within the system
• π_L : T → T_Low projection function deleting all High inputs from a trace
  – Low observer should not be able to deduce anything about High inputs from the trace t_Low ∈ T_Low

13. Deducibly Secure
• System is deducibly secure if, for every trace t_Low ∈ T_Low, the corresponding set of High-level traces contains every possible trace t ∈ T for which π_L(t) = t_Low
  – Given any t_Low, the trace t ∈ T producing that t_Low is equally likely to be any trace with π_L(t) = t_Low

14. Example
• Back to our 2-bit machine
  – Let xor0, xor1 apply to both bits
  – Both bits output after each command
• Initial state: (0, 1)
• Inputs: 1_H 0_L 1_L 0_H 1_L 0_L
• Outputs: 10 10 01 01 10 10
• Lara (at Low) sees: 001100
  – Does not know the initial state, so does not know the first input; but her bit does not change between the third and fourth outputs, so she can deduce that the fourth input is 0
• Not deducibly secure

15. Example
• Now xor0, xor1 apply only to the state bit with the same level as the user (initial state (0, 1) as before)
• Inputs: 1_H 0_L 1_L 0_H 1_L 0_L
• Outputs: 11 11 10 10 11 11
• Lara sees: 110011
• She cannot deduce anything about the High inputs: her bit depends only on her own commands and the Low half of the initial state
  – The inputs could have been 0_H 0_L 1_L 0_H 1_L 0_L or 0_L 1_H 1_L 0_H 1_L 0_L, for example
• Deducibly secure
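A brute-force check of the 2-bit machine of slides 9, 10, 14 and 15, as an added example that is not part of the lecture. `step_both` is the slide-14 semantics (a command xors both bits), `step_same_level` the slide-9/15 semantics (a command xors only the bit at the user's level). The noninterference check deletes the High commands and compares Lara's view, as on slide 10; the deducibility check enumerates every initial state and every assignment of values to the High-input positions that reproduces Lara's view, with her own inputs fixed in their positions (she gets an output after every command, so she knows which positions carried High commands). The function and constant names are mine; the command sequences are copied from the slides.

```python
from itertools import product

LOW, HIGH = "L", "H"

# Command sequences from the slides, as (level, bit) pairs.
INPUTS_9 = [(HIGH, 1), (LOW, 0), (LOW, 1), (LOW, 0), (HIGH, 1), (LOW, 0)]   # slide 9, initial (0, 0)
INPUTS_14 = [(HIGH, 1), (LOW, 0), (LOW, 1), (HIGH, 0), (LOW, 1), (LOW, 0)]  # slides 14/15, initial (0, 1)


def step_both(state, level, x):
    """Slide 14: xor0/xor1 apply to both bits, whoever issues the command."""
    h, l = state
    return (h ^ x, l ^ x)


def step_same_level(state, level, x):
    """Slides 9 and 15: the command touches only the bit at the user's level."""
    h, l = state
    return (h ^ x, l) if level == HIGH else (h, l ^ x)


def run(step, initial, inputs):
    """Return the (High, Low) state output after each command."""
    state, outputs = initial, []
    for level, x in inputs:
        state = step(state, level, x)
        outputs.append(state)
    return outputs


def full_output(step, initial, inputs):
    """Slide-9 style output string: initial state, then both bits after each command."""
    return "".join(f"{h}{l}" for h, l in [initial] + run(step, initial, inputs))


def lara_view(outputs):
    """What the Low user sees: the Low bit of each output."""
    return "".join(str(l) for _, l in outputs)


def noninterference_secure(step, initial, inputs):
    """Slide 10's test: does deleting every High command leave Lara's view unchanged?
    The initial state is part of the view, as on slides 9 and 10."""
    with_high = lara_view([initial] + run(step, initial, inputs))
    purged = [(lvl, x) for lvl, x in inputs if lvl == LOW]
    without_high = lara_view([initial] + run(step, initial, purged))
    return with_high == without_high


def consistent_high_inputs(step, inputs, observed):
    """Every assignment of values to the High-input positions, over every
    initial state, that reproduces Lara's observed view."""
    high_pos = [i for i, (lvl, _) in enumerate(inputs) if lvl == HIGH]
    found = set()
    for initial in product((0, 1), repeat=2):
        for highs in product((0, 1), repeat=len(high_pos)):
            trial = list(inputs)
            for pos, x in zip(high_pos, highs):
                trial[pos] = (HIGH, x)
            if lara_view(run(step, initial, trial)) == observed:
                found.add(highs)
    return found


def deducibly_secure(step, inputs, observed):
    """Lara learns nothing about the High inputs iff every assignment is consistent."""
    n_high = sum(1 for lvl, _ in inputs if lvl == HIGH)
    return consistent_high_inputs(step, inputs, observed) == set(product((0, 1), repeat=n_high))


if __name__ == "__main__":
    print("slide 9 output:", full_output(step_same_level, (0, 0), INPUTS_9),
          "noninterference-secure:", noninterference_secure(step_same_level, (0, 0), INPUTS_9))
    view14 = lara_view(run(step_both, (0, 1), INPUTS_14))
    print("slide 14: Lara sees", view14, "consistent High inputs:",
          sorted(consistent_high_inputs(step_both, INPUTS_14, view14)))
    view15 = lara_view(run(step_same_level, (0, 1), INPUTS_14))
    print("slide 15: Lara sees", view15, "deducibly secure:",
          deducibly_secure(step_same_level, INPUTS_14, view15))
```

For slide 14 the consistent assignments are {(0, 0), (1, 0)}: the first High input is free (it is masked by the unknown initial Low bit) but the fourth is pinned to 0, so the machine is not deducibly secure; for slide 15 all four assignments survive. The slide-9 machine fails the noninterference test (views 0001111 versus 00111) while passing the deducibility test, which is the distinction slide 10 draws.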

16. Security of Composition
• In general, deducibly secure systems are not composable
• Strong noninterference: deducible security + the requirement that no High output occurs unless caused by a High input
  – Systems meeting this property are composable

17. Example
• The 2-bit machine done earlier does not exhibit strong noninterference
  – Because it outputs the High bit even when there is no High input
• Modify the machine to output only the state bit at the level of the latest input
  – Now it exhibits strong noninterference

18. Problem
• Too restrictive; it bans some systems that are obviously secure
• Example: an upgrade system reads Low inputs and outputs those bits at High
  – Clearly deducibly secure: the Low-level user sees no outputs
  – Clearly does not exhibit strong noninterference, as it produces High outputs with no High-level inputs!

19. Remove Determinism
• Previous assumptions
  – Input, output synchronous
  – Output depends only on commands triggered by input
    • Sometimes absorbed into commands …
  – Input processed one datum at a time
• Not realistic
  – In real systems, lots of asynchronous events

20. Generalized Noninterference
• Nondeterministic systems meeting the noninterference property are said to meet the generalized noninterference-secure property
  – More robust than nondeducible security, because minor changes in assumptions affect whether a system is nondeducibly secure

21. Example
• System with High user Holly, Low user Lucy, and a text file at High
  – File is fixed size; the symbol b marks empty space
  – Holly can edit the file; Lucy can run this program:

  while true do
  begin
    n := read_integer_from_user;
    if n > file_length or char_in_file[n] = b then
      print random_character      { out of range or blank: random output }
    else
      print char_in_file[n]       { otherwise the High character is printed }
  end;

22. Security of System
• Not noninterference-secure
  – High-level inputs (Holly's changes) affect Low-level outputs
• May be deducibly secure
  – Can Lucy deduce the contents of the file from the program's output?
  – If the output is meaningful ("This is right") or close to it ("Thes is riqht"), yes
  – Otherwise, no
• So whether a system is deducibly secure depends on which inferences are allowed

23. Composition of Systems
• Does composing systems meeting the generalized noninterference-secure property give a system that also meets this property?
• Define two systems (cat, dog)
• Compose them

24. First System: cat
• Inputs, outputs can go left or right
• [Figure: cat with HIGH inputs and outputs on the left and LOW outputs (stop_count, then 0 or 1) on the right]
• After some number of High inputs, cat sends two Low outputs
  – First: stop_count
  – Second: the parity (0 or 1) of the number of High inputs and outputs

25. Noninterference-Secure?
• If there is an even number of High inputs, the output could be:
  – 0 (even number of High outputs)
  – 1 (odd number of High outputs)
• If there is an odd number of High inputs, the output could be:
  – 0 (odd number of High outputs)
  – 1 (even number of High outputs)
• High-level inputs do not affect the Low output
  – So noninterference-secure

26. Second System: dog
• High outputs to the left
• Low outputs of 0 or 1 to the right
• stop_count input from the left
  – When it arrives, dog emits 0 or 1
• [Figure: dog with HIGH outputs and the stop_count input on the left, LOW 0-or-1 output on the right]
