Secrecy Security Policy
CSE497b - Spring 2007
Introduction to Computer and Network Security
Professor Jaeger
www.cse.psu.edu/~tjaeger/cse497b-s07/
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger
Secrecy Problem
• Does the following protection state ensure the secrecy of J's private key in O1?

         O1    O2    O3
  J      R     RW    RW
  S2     N     R     RW
  S3     N     R     RW
Protection vs Security
• Protection
  – Security goals met under trusted processes
  – Protects against an error by a non-malicious entity
• Security
  – Security goals met under potentially malicious processes
  – Protects against any malicious entity
• For J:
  – A non-malicious process shouldn't leak the private key by writing it to O3
  – A malicious process may write the private key to O3
Why Doesn't DAC Work?
• Goal: User has a file O1 she wants to keep secret
• Threat: A malicious process she runs wants to leak O1
  – To some other subject (user) or system (via network)
• Problems:
  – Permission Assignment: Malicious process maximizes permissions
    • Any way that data can be read by or written to another user is enabled
  – Complete Mediation: DAC systems do not mediate the network
    • Data can be sent to anyone, or firewall rules are required to control access
  – Complexity: How does she know that all these permissions prevent the leak?
    • Good luck
Governmental Secrecy
• Military
  – When will the ship sail?
  – Where are the troops?
  – What is the next troop movement?
• Military is hierarchical
  – Decisions made at a higher level of authority are enacted
• Thus, security is top-down
  – Secrets flow up
  – Decisions flow down
• Release is manual
  – Also, "need to know"
Multilevel Security
• A multi-level security (MLS) system tags all objects and subjects with security tags classifying them in terms of sensitivity/access level.
  – We formulate an access control policy based on these levels
  – We can also add other dimensions, called categories, which horizontally partition the rights space (in a way similar to what was done by roles)
[Figure: grid of security levels on one axis against categories on the other]
Lattice Model
• Used by the US military (and many others), the Lattice model uses MLS to define policy
• Levels: unclassified < confidential < secret < top secret
• Categories (actually an unbounded set): NUC(lear), INTEL(ligence), CRYPTO(graphy)
• Note that these levels are used for physical documents in the US government as well.
Lattice
• Levels form a lattice
  – Vertices form a partial order
  – Every pair of vertices has a LUB, GLB
[Figure: example lattice with vertices labelled Very Secret, Mostly Secret, Pretty Secret, Secret, and one marked "?"]
Assigning Security Levels
• All subjects are assigned clearance levels and compartments
  – Alice: (SECRET, {CRYPTO, NUC})
  – Bob: (CONFIDENTIAL, {INTEL})
  – Charlie: (TOP SECRET, {CRYPTO, NUC, INTEL})
• All objects are assigned an access class
  – DocA: (CONFIDENTIAL, {INTEL})
  – DocB: (SECRET, {CRYPTO})
  – DocC: (UNCLASSIFIED, {NUC})
Example
• Access is allowed if subject clearance level >= object sensitivity level and object categories are a subset of subject categories (read down)
• Q: What would write-up be?
[Figure: subjects Trent: (TS, {CRYPTO, NUC, INTEL}), Bob: (CONF., {INTEL}), Alice: (SEC., {CRYPTO, NUC}); objects DocB: (SECRET, {CRYPTO}), DocA: (CONFIDENTIAL, {INTEL}), DocC: (UNCLASSIFIED, {NUC})]
Secrecy Properties
• Simple-Security Property (Read-Down)
  – A subject s can only read from an object o if the subject's clearance dominates or is the same as the access class of the object
• *-Security Property (Write-Up)
  – A subject s can only write to an object o if the subject's clearance is dominated by or is the same as the access class of the object
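The dominance relation behind both properties, worked through on the subjects and objects from the "Assigning Security Levels" slide, as an added example that is not part of the lecture slides. It also computes the LUB and GLB mentioned on the Lattice slide; the level ordering and labels are the slides', the function names are my own.

```python
# Added example, not from the slides: MLS labels as (level, categories), the
# dominance relation of the lattice, LUB/GLB, and the read-down / write-up
# checks applied to the subjects and objects listed on the slides.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

SUBJECTS = {  # clearance: (level, compartments)
    "Alice": ("SECRET", {"CRYPTO", "NUC"}),
    "Bob": ("CONFIDENTIAL", {"INTEL"}),
    "Charlie": ("TOP SECRET", {"CRYPTO", "NUC", "INTEL"}),
}
OBJECTS = {  # access class: (level, categories)
    "DocA": ("CONFIDENTIAL", {"INTEL"}),
    "DocB": ("SECRET", {"CRYPTO"}),
    "DocC": ("UNCLASSIFIED", {"NUC"}),
}

def dominates(x, y):
    """x dominates y: x's level is at least y's and x's categories include y's."""
    return LEVELS.index(x[0]) >= LEVELS.index(y[0]) and set(y[1]) <= set(x[1])

def lub(x, y):
    """Least upper bound: the higher level, union of the categories."""
    return (LEVELS[max(LEVELS.index(x[0]), LEVELS.index(y[0]))],
            frozenset(x[1]) | frozenset(y[1]))

def glb(x, y):
    """Greatest lower bound: the lower level, intersection of the categories."""
    return (LEVELS[min(LEVELS.index(x[0]), LEVELS.index(y[0]))],
            frozenset(x[1]) & frozenset(y[1]))

def can_read(subject, obj):
    """Simple-security property (read-down): clearance dominates the object's class."""
    return dominates(subject, obj)

def can_write(subject, obj):
    """*-property (write-up): the object's class dominates the clearance."""
    return dominates(obj, subject)

def access_matrix():
    """Map (subject, object) to 'R', 'W', 'RW' or '-' under both properties."""
    matrix = {}
    for sname, s in SUBJECTS.items():
        for oname, o in OBJECTS.items():
            rights = ("R" if can_read(s, o) else "") + ("W" if can_write(s, o) else "")
            matrix[(sname, oname)] = rights or "-"
    return matrix
```

Note that Charlie, with the highest clearance, can read everything but write nothing: the *-property forbids writing down even for the most trusted subject.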
Trojan Horses
• Trojan horse: A program with a malicious function that masquerades as a benign application
• Claim: MLS prevents a Trojan horse from leaking data
• Proof
  – Complete mediation
    • All operations are mediated
  – MLS *-security property
    • Trojan horse cannot write data down
  – Mandatory policy
    • Trojan horse cannot change policy
    • Policy defines legal info flows
Covert Channels
• Use access to shared resources as a means of communication
  – Rather than an overt channel
• Storage Channel
  – Uses an attribute of a shared resource
  – E.g., fill up a shared disk
• Timing Channel
  – Uses temporal relationships in access to a shared resource
  – E.g., driver timing behavior
• Not prevented by MLS alone!
Trojan Horse Paradox
• MLS enables the OS to guarantee that a process at a higher secrecy clearance cannot leak to a process at a lower secrecy level
• But lots of applications handle data of multiple access classes!
• Examples:
  – Server process (mail server): Many mails of different access classes are possible
    • One server per combination of level and category set is not practical
  – Client process (email client): A single email client may receive and respond to emails at different access classes
• And think about the integrity impact of a Trojan horse
  – Discuss next time
Program-Level Secrecy
• Situation: A program reads data at a higher access class than it writes
  – The program can leak a secret that it reads by writing it to the lower access class
• Challenge: Write a program where you can prove that no illegal information flows (i.e., flows violating the MLS properties) can occur
[Figure: Secret -> Read -> Program -> Write -> Public]
Denning Lattice Model
• Information flow within a program
  – Can a secret variable leak to a public variable?
• Model covers all programs
  – Statement S
  – Sequence S1, S2
  – Conditional c: S1, …, Sm
[Figure: program tree of Stmt and Cond nodes]
Implicit and Explicit Flows
• Explicit
  – Direct transfer to b from a (e.g., b = a)
• Implicit
  – Where the value of b may depend on the value of a indirectly (e.g., if a = 0, then b = c)
• Implicit flows only occur in conditionals
[Figure: program tree of Stmt/Cond nodes with statements c = b, b = a, e = c, c = d and the conditional if (b < 1)]
Denning Semantics
• A program is secure if:
  – The explicit flow from a statement S is secure
  – The explicit flows of all statements in a sequence are secure (e.g., S1; S2)
  – A conditional c: S1, …, Sm is secure if:
    • The explicit flows of all statements S1, …, Sm are secure
    • The implicit flows between c and the objects in Si are secure
[Figure: program tree of Stmt/Cond nodes with statements c = f, b = a, e = c, c = d and the conditional if (b < 1)]
Information Flow
• Explicit and implicit flows form a graph
[Figure: program tree of Stmt/Cond nodes with statements c = f, b = a, e = c, c = d and the conditional if (b < 1)]
• Resulting flow graph
[Figure: flow graph over the variables d, e, c, a, b, f]
Secure When...
• Suppose e is public
  – What variables can be secret?
• Suppose d is public
  – What variables can be secret?
• Suppose b is secret
  – What variables can be public?
[Figure: program tree of Stmt/Cond nodes with statements c = f, b = a, e = c, c = d and the conditional if (b < 1)]
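The Denning flow analysis of the preceding three slides carried out in code, as an added example that is not from the lecture. It builds the explicit and implicit edges, checks Denning's security condition for a labelling, and answers the questions above by reachability in the flow graph. The program structure (c = f; b = a; then a conditional on b over e = c and c = d) is my reading of the slide's diagram, and the encoding is mine.

```python
# Added example, not from the slides: Denning-style flow analysis of the program
# in the diagrams, which I read as  c = f; b = a; if (b < 1): S1: e = c, S2: c = d.
# Labels form the two-point lattice public < secret.
PROGRAM = [
    ("assign", "c", ["f"]),
    ("assign", "b", ["a"]),
    ("cond", ["b"], [("assign", "e", ["c"]), ("assign", "c", ["d"])]),
]

def flows(stmts, guards=()):
    """Collect (src, dst) edges: explicit from an assignment's sources,
    implicit from the guard variables of every enclosing conditional."""
    edges = set()
    for stmt in stmts:
        if stmt[0] == "assign":
            _, dst, srcs = stmt
            edges |= {(src, dst) for src in list(srcs) + list(guards)}
        else:
            _, guard_vars, body = stmt
            edges |= flows(body, tuple(guards) + tuple(guard_vars))
    return edges

def is_secure(edges, labels):
    """Denning's condition: no edge carries a secret value into a public variable."""
    rank = {"public": 0, "secret": 1}
    return all(rank[labels[s]] <= rank[labels[d]] for s, d in edges)

def _reach(edges, start, backwards):
    """Transitive closure from `start`: ancestors if backwards, else descendants."""
    seen, todo = set(), [start]
    while todo:
        node = todo.pop()
        for s, d in edges:
            here, nxt = (d, s) if backwards else (s, d)
            if here == node and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def can_be_secret_if_public(edges, var):
    """Variables that may stay secret while `var` is public: no path into var."""
    every = {v for edge in edges for v in edge}
    return every - _reach(edges, var, backwards=True) - {var}

def can_be_public_if_secret(edges, var):
    """Variables that may be public while `var` is secret: not reachable from var."""
    every = {v for edge in edges for v in edge}
    return every - _reach(edges, var, backwards=False) - {var}
```

Under this reading the two implicit edges come from the guard b into e and c; because everything flows into e, making e public forces every variable to be public.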
Chinese Wall
• Keep different parts of a firm isolated
  – Accounts with Ford and GM
• Access is not controlled by an attribute of the data alone
  – Also, the data that the subject holds
  – Conflict sets
[Figure: timeline t0 to t4 showing Hold: None; Op: Access GM, Access: Allowed; Hold: GM; Op: Access Ford, Conflict: {Ford, GM}, Access: Denied]
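The Chinese Wall decision replayed over the slide's timeline, as an added example that is not from the lecture: the answer depends on the subject's history, not on the requested object alone. The conflict set {Ford, GM} is the slide's; the class and method names are mine.

```python
# Added example, not from the slides: a Chinese Wall decision that depends on
# what the subject already holds, replayed over the slide's GM / Ford timeline.
CONFLICT_SETS = [frozenset({"Ford", "GM"})]  # conflict-of-interest classes

class ChineseWall:
    def __init__(self):
        self.holds = set()  # companies whose data this subject has accessed

    def request(self, company):
        """Deny if the subject already holds data of a competitor of `company`
        (same conflict set, different company); otherwise allow and record it."""
        for cs in CONFLICT_SETS:
            if company in cs and any(h in cs and h != company for h in self.holds):
                return "Denied"
        self.holds.add(company)
        return "Allowed"

def replay():
    """The slide's timeline: access GM (allowed), then access Ford (denied)."""
    wall = ChineseWall()
    decisions = [wall.request("GM"), wall.request("Ford")]
    return decisions, sorted(wall.holds)
```

Re-requesting GM after holding GM stays allowed; only a competitor in the same conflict set is blocked, which is why a fresh subject may access Ford.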