lecture 19 flow and confinement
play

Lecture 19: Flow and Confinement Examples of information flow - PowerPoint PPT Presentation

Jan 29, 2023 •22 likes •322 views

Lecture 19: Flow and Confinement Examples of information flow applications The confinement problem Covert channels Isolation: virtual machines, sandboxes March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-1 Matt Bishop, UC

  1. Lecture 19: Flow and Confinement • Examples of information flow applications • The confinement problem – Covert channels • Isolation: virtual machines, sandboxes March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-1 Matt Bishop, UC Davis

  2. Example Information Flow Control Systems • Use access controls of various types to inhibit information flows • Security Pipeline Interface – Analyzes data moving from host to destination • Secure Network Server Mail Guard – Controls flow of data between networks that have different security classifications March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #18-2 Matt Bishop, UC Davis

  3. Security Pipeline Interface SPI host first disk second disk • SPI analyzes data going to, from host – No access to host main memory – Host has no control over SPI March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #18-3 Matt Bishop, UC Davis

  4. Use • Store files on first disk • Store corresponding crypto checksums on second disk • Host requests file from first disk – SPI retrieves file, computes crypto checksum – SPI retrieves file’s crypto checksum from second disk – If a match, file is fine and forwarded to host – If discrepency, file is compromised and host notified • Integrity information flow restricted here – Corrupt file can be seen but will not be trusted March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #18-4 Matt Bishop, UC Davis

  5. Secure Network Server Mail Guard (SNSMG) filters MTA MTA SECRET UNCLASSIFIED computer computer out in • Filters analyze outgoing messages – Check authorization of sender – Sanitize message if needed (words and viruses, etc.) • Uses type checking to enforce this – Incoming, outgoing messages of different type – Only appropriate type can be moved in or out March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #18-5 Matt Bishop, UC Davis

  6. Confinement • What is the problem? • Isolation: virtual machines, sandboxes • Detecting covert channels March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-6 Matt Bishop, UC Davis

  7. Example Problem • Server balances bank accounts for clients • Server security issues: – Record correctly who used it – Send only balancing info to client • Client security issues: – Log use correctly – Do not save or retransmit data client sends March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-7 Matt Bishop, UC Davis

  8. Generalization • Client sends request, data to server • Server performs some function on data • Server returns result to client • Access controls: – Server must ensure the resources it accesses on behalf of client include only resources client is authorized to access – Server must ensure it does not reveal client’s data to any entity not authorized to see the client’s data March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-8 Matt Bishop, UC Davis

  9. Confinement Problem • Problem of preventing a server from leaking information that the user of the service considers confidential March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-9 Matt Bishop, UC Davis

  10. Total Isolation • Process cannot communicate with any other process • Process cannot be observed Impossible for this process to leak information – Not practical as process uses observable resources such as CPU, secondary storage, networks, etc. March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-10 Matt Bishop, UC Davis

  11. Example • Processes p , q not allowed to communicate – But they share a file system! • Communications protocol: – p sends a bit by creating a file called 0 or 1 , then a second file called send • p waits until send is deleted before repeating to send another bit – q waits until file send exists, then looks for file 0 or 1 ; whichever exists is the bit • q then deletes 0 , 1 , and send and waits until send is recreated before repeating to read another bit March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-11 Matt Bishop, UC Davis

  12. Covert Channel • A path of communication not designed to be used for communication • In example, file system is a (storage) covert channel March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-12 Matt Bishop, UC Davis

  13. Rule of Transitive Confinement • If p is confined to prevent leaking, and it invokes q , then q must be similarly confined to prevent leaking • Rule: if a confined process invokes a second process, the second process must be as confined as the first March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-13 Matt Bishop, UC Davis

  14. Lipner’s Notes • All processes can obtain rough idea of time – Read system clock or wall clock time – Determine number of instructions executed • All processes can manipulate time – Wait some interval of wall clock time – Execute a set number of instructions, then block March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-14 Matt Bishop, UC Davis

  15. Kocher’s Attack • This computes x = a z mod n , where z = z 0 … z k –1 x := 1; atmp := a ; for i := 0 to k –1 do begin if z i = 1 then x := ( x * atmp ) mod n ; atmp := ( atmp * atmp ) mod n ; end result := x ; • Length of run time related to number of 1 bits in z March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-15 Matt Bishop, UC Davis

  16. Isolation • Present process with environment that appears to be a computer running only those processes being isolated – Process cannot access underlying computer system, any process(es) or resource(s) not part of that environment – A virtual machine • Run process in environment that analyzes actions to determine if they leak information – Alters the interface between process(es) and computer March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-16 Matt Bishop, UC Davis

  17. Virtual Machine • Program that simulates hardware of a machine – Machine may be an existing, physical one or an abstract one • Why? – Existing OSes do not need to be modified • Run under VMM, which enforces security policy • Effectively, VMM is a security kernel March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-17 Matt Bishop, UC Davis

  18. VMM as Security Kernel • VMM deals with subjects (the VMs) – Knows nothing about the processes within the VM • VMM applies security checks to subjects – By transitivity, these controls apply to processes on VMs • Thus, satisfies rule of transitive confinement March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-18 Matt Bishop, UC Davis

  19. Example 1: KVM/370 • KVM/370 is security-enhanced version of VM/370 VMM – Goal: prevent communications between VMs of different security classes – Like VM/370, provides VMs with minidisks, sharing some portions of those disks – Unlike VM/370, mediates access to shared areas to limit communication in accordance with security policy March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-19 Matt Bishop, UC Davis

  20. Example 2: VAX/VMM • Can run either VMS or Ultrix • 4 privilege levels for VM system – VM user, VM supervisor, VM executive, VM kernel (both physical executive) • VMM runs in physical kernel mode – Only it can access certain resources • VMM subjects: users and VMs March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-20 Matt Bishop, UC Davis

  21. Example 2 • VMM has flat file system for itself – Rest of disk partitioned among VMs – VMs can use any file system structure • Each VM has its own set of file systems – Subjects, objects have security, integrity classes • Called access classes – VMM has sophisticated auditing mechanism March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-21 Matt Bishop, UC Davis

  22. Problem • Physical resources shared – System CPU, disks, etc. • May share logical resources – Depends on how system is implemented • Allows covert channels March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-22 Matt Bishop, UC Davis

  23. Sandboxes • An environment in which actions are restricted in accordance with security policy – Limit execution environment as needed • Program not modified • Libraries, kernel modified to restrict actions – Modify program to check, restrict actions • Like dynamic debuggers, profilers March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-23 Matt Bishop, UC Davis

  24. Examples Limiting Environment • Java virtual machine – Security manager limits access of downloaded programs as policy dictates • Sidewinder firewall – Type enforcement limits access – Policy fixed in kernel by vendor • Domain Type Enforcement – Enforcement mechanism for DTEL – Kernel enforces sandbox defined by system administrator March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-24 Matt Bishop, UC Davis

  25. Modifying Programs • Add breakpoints or special instructions to source, binary code – On trap or execution of special instructions, analyze state of process • Variant: software fault isolation – Add instructions checking memory accesses, other security issues – Any attempt to violate policy causes trap March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-25 Matt Bishop, UC Davis

  26. Example: Janus • Implements sandbox in which system calls checked – Framework does runtime checking – Modules determine which accesses allowed • Configuration file – Instructs loading of modules – Also lists constraints March 2, 2009 ECS 235B, Winter Quarter 2009 Slide #19-26 Matt Bishop, UC Davis

Recommend

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples

May 15: Information Flow and Confinement Information flow for integrity policies Examples of information flow controls Android phone Firewalls Confinement Virtual machines May 15, 2017 ECS 235B Spring Quarter 2017 Slide

487 views • 32 slides
QCD - properties confinement, Higgs mechanism more on confinement (i) the absence of free quarks

QCD - properties confinement, Higgs mechanism more on confinement (i) the absence of free quarks

QCD - properties confinement, Higgs mechanism more on confinement (i) the absence of free quarks in Nature [but quarks could combine with a fundamental coloured scalar] (ii) observable particles are colour singlets [but this confuses

1.58k views • 130 slides
May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels May 24, 2017 ECS 235B Spring Quarter 2017 Slide #1 Compiling Compiler enforces or validates constraints Type-safe language enforces them

313 views • 27 slides
Tetraquarks in the Steiner tree model of confinement available at

Tetraquarks in the Steiner tree model of confinement available at

Introduction Symmetry breaking and tetraquarks The additive model of tetraquark confinement The Steiner-tree model of confinement Conclusions Tetraquarks in the Steiner tree model of confinement available at

644 views • 20 slides
Laboratorio Nacional de Fusin, CIEMAT, Spain 1/ 31 CORE TRANSPORT EMPIRICAL ACTUATORS

Laboratorio Nacional de Fusin, CIEMAT, Spain 1/ 31 CORE TRANSPORT EMPIRICAL ACTUATORS

SUMMARY SESSION EX/C Magnetic Confinement experiments (Confinement) EX/D Magnetic Confinement Experiments: Plasma-material interactions PPC -Plasma Overall Performance and Control I. CORE TRANSPORT II. EDGE TRANSPORT III. PLASMA-WALL IV.

591 views • 31 slides
May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets say basically the same thing Confinement, non-VM isolation Library operating systems Sandboxes Program modification Covert

584 views • 30 slides
Static Use-Based Object Confinement Christian Skalka and Scott Smith The Johns Hopkins University

Static Use-Based Object Confinement Christian Skalka and Scott Smith The Johns Hopkins University

Static Use-Based Object Confinement Christian Skalka and Scott Smith The Johns Hopkins University Object confinement: what is it? Object confinement is concerned with the encapsulation , or protection, of object references Code boundaries

412 views • 24 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if

Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if

Lecture 6: Flow Control Lecture 6: Flow Control 1 / 28 Relational Expressions Conditions in if statements use expressions that are conceptually either true or false . These expressions are called relational expressions or Boolean expressions

570 views • 28 slides
2000-02-08 Lecture 14: Flow visualisation Feature extraction Unsteady flow

2000-02-08 Lecture 14: Flow visualisation Feature extraction Unsteady flow

Mats Nyl en February 8, 2000 Slide 1 of 13 2000-02-08 Lecture 14: Flow visualisation Feature extraction Unsteady flow Meteorological data VIS00 Mats Nyl en February 8, 2000 Slide 2 of 13 Flow visualization Fluid flow

399 views • 13 slides
Solitary ry confinement and super- maximum prisons A South Afr frican and in international

Solitary ry confinement and super- maximum prisons A South Afr frican and in international

Solitary ry confinement and super- maximum prisons A South Afr frican and in international perspective Gwen Dereymaeker Westville CC 7 September 2017 @ACJReform History ry of f super-maximum prisons Solitary confinement as punishment

380 views • 18 slides
Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

M AXIMUM F LOW How to do it... Why you want it... Where you find it... The Tao of Flow: Let your body go with the flow. -Madonna, Vogue Maximum flow...because youre worth it. -Loreal Go with the flow, Joe.

619 views • 20 slides
Lecture 17: Information Flow Basics and background Entropy Nonlattice flow policies

Lecture 17: Information Flow Basics and background Entropy Nonlattice flow policies

Lecture 17: Information Flow Basics and background Entropy Nonlattice flow policies Compiler-based mechanisms Execution-based mechanisms Examples Security Pipeline Interface Secure Network Server Mail Guard February

625 views • 44 slides
FIRST STEP ACT OF 2018 Early Release Mechanisms: Home Confinement and Reduction in Sentence

FIRST STEP ACT OF 2018 Early Release Mechanisms: Home Confinement and Reduction in Sentence

FIRST STEP ACT OF 2018 Early Release Mechanisms: Home Confinement and Reduction in Sentence Peter Goldberger, Ardmore PA NACDL Webinar, July 25, 2019 Early Eligibility for Home Confinement Per 603(a) of the First Step Act, amending

356 views • 22 slides
PROGRAMMING CONTESTS Jaehyun Park Last Lecture on Graph Algorithms Network Flow Problems

PROGRAMMING CONTESTS Jaehyun Park Last Lecture on Graph Algorithms Network Flow Problems

CS 97SI: INTRODUCTION TO PROGRAMMING CONTESTS Jaehyun Park Last Lecture on Graph Algorithms Network Flow Problems Maximum Flow Minimum Cut Ford-Fulkerson Algorithm Application: Bipartite Matching Min-cost Max-flow

460 views • 23 slides
Review Network flow definitions CSE 421 Flow examples Augmenting Paths Algorithms

Review Network flow definitions CSE 421 Flow examples Augmenting Paths Algorithms

Review Network flow definitions CSE 421 Flow examples Augmenting Paths Algorithms g Residual Graph Richard Anderson Ford Fulkerson Algorithm Lecture 22 Cuts Network Flow Maxflow-MinCut Theorem Network Flow

860 views • 4 slides
Introduction to Flow Cytometry presented by: Flow Cytometry Core Facility Flow Cytometry Core

Introduction to Flow Cytometry presented by: Flow Cytometry Core Facility Flow Cytometry Core

Introduction to Flow Cytometry presented by: Flow Cytometry Core Facility Flow Cytometry Core Facility Biomedical Instrumentation Center Uniformed Services University f d Topics Covered in this Lecture Topics Covered in this Lecture

762 views • 43 slides
Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow refers to the specification of the order in which the individual statements, instructions or function calls of an imperative program are executed or

333 views • 19 slides
Potential Flow Lecture 5 ME EN 412 Andrew Ning aning@byu.edu Outline Equation Hierarchy

Potential Flow Lecture 5 ME EN 412 Andrew Ning aning@byu.edu Outline Equation Hierarchy

Potential Flow Lecture 5 ME EN 412 Andrew Ning aning@byu.edu Outline Equation Hierarchy Potential Flow Panel Methods Other Considerations Equation Hierarchy Equation Hierarchy When is an inviscid flow assumption valid? Video: flow over

227 views • 12 slides
Lecture 5 Lecture 5 Previously in Opt 2 The maximum flow problem Input G = (N, E),

Lecture 5 Lecture 5 Previously in Opt 2 The maximum flow problem Input G = (N, E),

Lecture 5 Lecture 5 Previously in Opt 2 The maximum flow problem Input G = (N, E), a directed graph The node set N contains: A source node, s A sink node, t u ij = edge capacity; u ij 0 Objective: To maximize

789 views • 74 slides
Inaugural Lecture for the John Adams Institute of Accelerator Science at Oxford/RHUL Oxford

Inaugural Lecture for the John Adams Institute of Accelerator Science at Oxford/RHUL Oxford

From Quark Confinement to Protein Dynamics via Nano- beams and Attosecond Pulses A Theme with Variations on Microwave Superconductivity and Energy Recovery Swapan Chattopadhyay Associate Director, Jefferson Lab Inaugural Lecture for the John

911 views • 59 slides
Creativity in confinement Arvid&Marie S.A.M. The Symbiotic Autonomous Machine 2017 Alve

Creativity in confinement Arvid&Marie S.A.M. The Symbiotic Autonomous Machine 2017 Alve

Creativity in confinement Arvid&Marie S.A.M. The Symbiotic Autonomous Machine 2017 Alve 2018 The Bestiary of Autonomous Machines 2018 What is art in confinement Art in prison Russian prisoner tattoos Art in prison Art in prison

1.31k views • 32 slides
Network Flow VI - Min-Cost Flow Applications Lecture 17 October 24, 2013 Sariel (UIUC) CS573

Network Flow VI - Min-Cost Flow Applications Lecture 17 October 24, 2013 Sariel (UIUC) CS573

CS 573: Algorithms, Fall 2013 Network Flow VI - Min-Cost Flow Applications Lecture 17 October 24, 2013 Sariel (UIUC) CS573 1 Fall 2013 1 / 27 Lemma decomposing flow into cycles . Lemma . f :a circulation in G . Then, f can be

1.15k views • 89 slides
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at

Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at

Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation shellcode (aka payload)

652 views • 36 slides

More recommend