INTRO TO COMP SECURITY CS 591
This 63 page Class Notes was uploaded by Orrin Rutherford on Wednesday September 2, 2015. The Class Notes belongs to CS 591 at Portland State University taught by Staff in Fall. Since its upload, it has received 31 views. For similar materials see /class/168288/cs-591-portland-state-university in Computer Science at Portland State University.
Date Created: 09/02/15
CS 591 Introduction to Computer Security
Information Flow: Epilog
James Hook
5/1/06 15:37

Information flow security
- Denning and Denning, as presented in Chapter 15
- Flow Caml "nutshell" paper
- Compilation can be made aware of confidentiality levels
  - Levels must be identified
  - Levels can be tracked through computational effects: environment, state, control, exceptions, concurrency (not shown in Flow Caml)

Does it work?
- Theoretical results: Volpano, Irvine and Smith (JCS 96) showed soundness:
  "If an expression e can be given a type τ in our system, then Simple Security says that only variables at level τ or lower in e will have their contents read when e is evaluated (no read up). On the other hand, if a command c can be given a type τ cmd, then Confinement says that no variable below level τ is updated in c (no write down)."
- Using modern language theory, the techniques in Flow Caml and similar systems can be proven sound

Does it work?
- In practice it is not broadly adopted
- The technical issue is the complexity of managing policy
- I suspect there are social issues as well; the technical issues are not show stoppers

Recall
- Consider an example in no particular language:
    H = readHighDatabase()
    L = readLowUserInput()
    if f(H, L) then printLow("Success") else printLow("Fail")
- Assume H is High and L is Low

But...
- Consider an example in no particular language:
    H = readHighDatabase(passwd)
    L = readLowUserInput()
    if checkPassword(H, L) then printLow("Success") else printLow("Fail")
- We do this every day

Password checking paradox
- Why shouldn't we allow someone to write the password program?
- Why should we?

Policy
- The password paradox is solved by explicit policy
- Similar issues arise with crypto algorithms:
    LoCypher = encrypt(HighClear, goodKey)
  cf.
    LoCypher = encrypt(HighClear, badKey)

FlowCaml and Policy
- FlowCaml solves the policy problem by dividing the program into two parts:
  - Flow caml portion (.fml) with all flows checked
  - Regular caml portion with an annotated interface
- The downgrading of encryption or password validation queries is not done within the flow-checked portion

Policy
- Zdancewic uses other techniques, including explicit downgrade assertions for confidentiality
- Basic philosophy: uniform enforcement with an explicit escape mechanism
- Focus analysis on the exceptions

Further reading
- Dorothy E. Denning and Peter J. Denning, "Certification of Programs for Secure Information Flow", http://www.seas.upenn.edu/cis670/Spring2003/p504-denning.pdf
- Dennis Volpano, Geoffrey Smith and Cynthia Irvine, "A Sound Type System for Secure Flow Analysis", http://www.cs.fiu.edu/~smithg/papers/jcs96.pdf
- Steve Zdancewic, Lantian Zheng, Nathaniel Nystrom and Andrew C. Myers, "Secure Program Partitioning", http://www.cis.upenn.edu/~stevez/papers/ZZNM02.pdf
- Andrei Sabelfeld and Andrew C. Myers, "Language-based Information Flow Security", http://www.cs.cornell.edu/andru/papers/jsac/sm-jsac03.pdf
- Peng Li and Steve Zdancewic, "Downgrading Policies and Relaxed Noninterference", http://www.cis.upenn.edu/~stevez/papers/LZ05a.pdf

Introduction to Computer Security: Study Questions
This is a closed-book, closed-notes exam. All problems have equal weight.

1. In the Bell-LaPadula model there is an apparent anomaly that prevents dialog between agents with different clearances. To address this anomaly, Bell-LaPadula include the notion of current security level.
   - Bell-LaPadula is defined by two rules which are sometimes quoted as slogans. Give either the two rules or the two slogans.
   - Describe the anomaly.
   - Explain how the concept of current security level addresses the anomaly.
   - Outline how this is dealt with in the DG/UX system described in the text.
2. SecureSoft has a subcontract from NuHard to develop software for a new product that NuHard is about to release. The IP agreement allows SecureSoft to share information within the company on a need-to-know basis, but prohibits SecureSoft from sharing this information with anyone outside of the company. As SecureSoft's director of security you are asked to propose a set of policies and mechanisms to support this business relationship. Outline your proposal, making reference to established confidentiality and integrity policies and access control mechanisms.
3. In the Denning and Denning information flow model, traditional exception mechanisms allow information to flow in dangerous ways.
   a. Illustrate a prohibited information flow that communicates via an exceptional event.
   b. Describe how explicit static declaration of exceptions and handlers can address this. If you are familiar with Java, you may want to discuss Java's exception mechanism and its restrictions.
4. Recall the Needham-Schroeder protocol:
     A -> C: A || B || n1
     C -> A: { A || B || n1 || ks || { A || ks } kB } kA
     A -> B: { A || ks } kB
     B -> A: { n2 } ks
     A -> B: { n2 - 1 } ks
   What role do the random values n1 and n2 (called nonces) serve in this protocol? Describe an attack on a simplified protocol that omits one or both nonces but is otherwise identical.
5. How, in general, does an attacker approach cracking a symmetric key based system in which the attacker only has access to the ciphertext (and the function, if needed)? Hint: answer this in terms of a 20 bit binary key, or a 128 bit binary key.

CS 591 Introduction to Computer Security
Lecture 2: Access Control
James Hook
10/20/07 14:31

Objectives
- Introduce the mechanism of Access Control
- Relate the mechanism to Confidentiality, Integrity and Availability
- Introduce the Access Control Matrix Model and Protection State Transitions

Alice and Bob
- Standard names for agents in a security or crypto scenario
- Also known as A and B

An Access Control Scenario
  Alice:
    1. New Secret foo
  Bob:
    2. If cp foo ~/foo
    3. then echo "success"
    4. else echo "fail"
- Intent: Bob's cp is attempting to violate Alice's expected access policy
- If cp succeeds then the principle of confidentiality is not satisfied
- Q: Revise the scenario to violate availability

Characterizing the Violation
(Figure: state-transition diagram over States 1 through 5, with transitions labelled B: cp foo ~/foo, B: echo "success" and B: echo "fail".)
- Basic abstraction: States and Transitions
- Q: What are the states?
- Q: What determines if we reach State 2 or 4 from State 1?
- Q: If we reach State 5, was State 1 good?

Secure and non-Secure States
- Characterize states in a system as Secure and non-Secure
- A system is Secure if every transition maps Secure states to Secure states
- Consequence: in the scenario, security is compromised if Alice's "New secret foo" yields a state in which Bob can access foo

Abstract state
(Figure: the state-transition diagram redrawn over abstract states.)

Abstraction: Protection States
- An abstraction that focuses on security properties
- Primarily interested in characterizing Safe states
- Goal is to prove that all operations in the system preserve security of the protection state
- The Access Control Matrix is our first Protection State model

Access Control Matrix Model
- Lampson '71, refined by Graham and Denning '71, '72
- Concepts:
  - Objects: the protected entities, O
  - Subjects: the active entities acting on the objects, S
  - Rights: the controlled operations subjects can perform on objects, R
  - Access Control Matrix: A maps Objects and Subjects to sets of Rights
- State = (S, O, A)

Initial State, Confidentiality Scenario
  Subjects S0 = {A, B}
  Objects O0 = {}
  AC Matrix A0 = {}
  Rights R = {r, w, own}
- Transition A: New Secret foo yields Intended State 1:
    Subjects S1 = {A, B}
    Objects O1 = {foo}
    AC Matrix A1: A1[A, foo] = {r, w, own}; A1[B, foo] = {}
- Transition B: cp foo ~/foo leads from (S1, O1, A1) to (S2, O2, A2) or (S4, O4, A4), followed by B: echo "fail" or B: echo "success"
- Is there a representation for Protection States 4 and 5? States 1, 2 and ??
- Critical issue: the definition of cp

Initial State, Availability Scenario
  Subjects S0 = {A, B}
  Objects O0 = {}
  AC Matrix A0 = {}
  Rights R = {r, w, o}
- Transition A: New Public foo yields State 1:
    Subjects S1 = {A, B}
    Objects O1 = {foo}
    AC Matrix A1: A1[A, foo] = {r, w, o}; A1[B, foo] = {r}
- Transition B: cp foo ~/foo yields State 4:
    Subjects S4 = S1
    Objects O4 = O1 ∪ {~/foo}
    AC Matrix A4: A4[A, foo] = {r, w, o}; A4[B, foo] = {r}; A4[A, ~/foo] = {}; A4[B, ~/foo] = {r, w, o}
- Then B: echo "success"

Voting Machine
- How can a voting machine be modeled with subjects, objects and rights?
- In what ways do the rights change dynamically?

A Domain-Specific Language for Access Control
- Harrison, Ruzzo and Ullman defined a set of primitive commands:
    Create subject s
    Create object o
    Enter r into a[s, o]
    Delete r from a[s, o]
    Destroy subject s
    Destroy object o
- We will use this DSL of primitive commands to model the system in our example

HRU Semantics
  (S, O, A) |- Create subject s      => (S ∪ {s}, O, A')
  (S, O, A) |- Create object o       => (S, O ∪ {o}, A')
  (S, O, A) |- Enter r into a[s, o]  => (S, O, A')  where A'[s, o] = A[s, o] ∪ {r}
  (S, O, A) |- Delete r from a[s, o] => (S, O, A')  where A'[s, o] = A[s, o] - {r}
  (S, O, A) |- Destroy subject s     => (S - {s}, O, A')
  (S, O, A) |- Destroy object o      => (S, O - {o}, A')
  where A' is the appropriate restriction of A

Molecules from Atoms
- This DSL gives us atomic transitions
- To model a system we combine these atomic operations into commands
- A system model in this framework is the set of commands that implement the system primitives

Modeling the Example
- Interface:
    X: New Secret <f>
    X: New Public <f>
    X: Cp <f> <f>
    X: If <command> then <command> else <command>
- Assumptions: X ranges over {A, B}

Example
  Initialize:
    create subject A
    create subject B
  end
  New Public X f:
    create object f
    enter own into a[X, f]
    enter r into a[A, f]
    enter r into a[B, f]
    enter w into a[X, f]
  end
  New Secret X f:
    create object f
    enter own into a[X, f]
    enter r into a[X, f]
    enter w into a[X, f]
  end

Example (cont.)
  Conditional command Cp X src dest:
    if r ∈ a[X, src] then
      create object dest
      enter own into a[X, dest]
      enter w into a[X, dest]
  end
- Modeling helps us be precise: is the new file public or secret?

Modeling if
- How do we model the if statement in our scenario?
- We assumed Unix-like exit status
- Could enrich the model to have statements have value; does that add value?

Modeling if (cont.)
- To establish system security we must model all sequences of commands
- What matters is that cp won't reveal Alice's secret
- Since we are considering all sequences of non-conditional commands, we don't need to model "If c1 then c2 else c3", since we model both c1; c2 and c1; c3
- Why doesn't this argument apply to primitive commands?

Conditional Commands
- To obtain the results in Chapter 3 we place technical restrictions on HRU conditional commands
- The condition must be positive: r ∈ a[s, o] (cf. negative: r ∉ a[s, o])
- Conjunctions of conditions are allowed: r ∈ a[s, o] ∧ r' ∈ a[s', o']
- Disjunctions are unnecessary; all atomic actions are idempotent, so "if φ ∨ ψ then C" is "if φ then C; if ψ then C"

Access Control Matrix
- Very high fidelity model
- Every user and process can be modeled as a subject
- Every file and process can be modeled as an object
- Does it scale? Is it useful?

Access Control Matrix
- The access control matrix model is a critical reference point:
  - most systems can be modeled within the framework
  - most mechanisms are an imperfect approximation of the Access Control Matrix

Foundational Results
- Can we use an algorithm to test if a system is secure?
- What do we mean by system? What do we mean by secure?

Aside: Safety and Liveness
- Safety property: "A bad thing does not happen". E.g. a memory-safe program will not dereference a bad pointer
- Liveness property: "A good thing will happen eventually". E.g. every runnable process will eventually be scheduled

Security: safe or live?
- Availability is often a liveness property
- Confidentiality is often cast as a safety property
- Integrity can be both: "The processor will execute the instruction stream" is a liveness property; "All memory will be accessed consistent with the protection state" is a safety property

Bounding the Problem
- Mono-operational commands: if each system-level command in the modeled system is implemented by a single HRU primitive, the system is mono-operational
- General case: the commands of the system being modeled are implemented by arbitrary combinations of HRU primitives

Cast the Problem as a Safety Property
- Bad things don't happen

What is secure?
- Must designate a bad thing and then prove it doesn't happen
- Definition: a right r is leaked if it is added to an element of the access control matrix that does not already contain it
- In our example, "new secret foo" leaks the rights own, r and w if foo did not already exist
- Definition: a system is safe with respect to right r if it does not leak the right r

Follow Bishop
- If time permits, in this lecture jump to Bishop's slide 03-04

Conclusion
- Modeling is the process of abstracting to the essence of the property of concern
- Security Modeling exploits protection state abstractions
- The Access Control Matrix is a best model for file and process granularity modeling
- With virtually any realistic system, the general security question will be undecidable

Looking Forward
- Next Week: Jim Binkley will lecture on Crypto; Bishop 8, 9, 10; Anderson 2, 5
- Following Week: Bishop 1, 2, 3, 4, 5, 7; Anderson 1, 7

Backup Materials

A scenario from the text
- Bishop models a language with interface:
    create•file(p, f)
    spawn•process(p, q)
    make•owner(p, f)
    grant•read•file•1(p, f, q)
    grant•read•file•2(p, f, q)
    grant•write•file•1(p, f, q)
    grant•write•file•2(p, f, q)
- Some of his examples follow

Commands
  command create•file(p, f)
    create object f
    enter own into a[p, f]
    enter r into a[p, f]
    enter w into a[p, f]
  end

Commands (cont.)
  command spawn•process(p, q)
    create subject q
    enter own into a[p, q]
    enter r into a[p, q]
    enter w into a[p, q]
    enter r into a[q, p]
    enter w into a[q, p]
  end

Conditional Commands
  command grant•read•file•1(p, f, q)
    if own in a[p, f]
    then enter r into a[q, f]
  end

Root Agent
  Create subjects voter, tallyAgent, reporter
  Create objects vote, state, tally, voterCard
  Initialize tally = 0
  Enter

Voter Agent
  Repeat indefinitely:
    Present credential
    If credential accepted then
      Prepare ballot
      Confirm vote
    Withdraw credential

Tally Agent
  While mode = election do
    On credential presented do
      If credential valid then enable voting
    On vote commit do
      atomic { add vote to tally; invalidate credential }

CS 591 Introduction to Computer Security
Confinement
James Hook
5/3/06 15:39

The Confinement Problem
- Lampson, "A Note on the Confinement Problem", CACM 1973:
  "This note explores the problem of confining a program during its execution so that it cannot transmit information to any other program except its caller. A set of examples attempts to stake out the boundaries of the problem. Necessary conditions for a solution are stated and informally justified."

Possible Leaks
- If a service has memory, it can collect data, wait for its owner to call it, then return the data
  1. The service may write into a permanent file
  2. The service may create a temporary file
  3. The service may send a message to a process controlled by its owner via IPC
  4. More subtly, the information may be encoded in the bill rendered for the service

Possible Leaks (cont.)
  5. If the system has interlocks which prevent files from being open for writing and reading at the same time, the service can leak data if it is merely allowed to read files which can be written by the owner

Leak 5 (cont.)
- The interlocks allow a file to simulate a shared Boolean variable which one program can set and the other can test. Given a procedure open(file, error) which does goto error if the file is already open, the following procedures will perform this simulation:
    procedure settrue(file); begin loop1: open(file, loop1) end;
    procedure setfalse(file); begin close(file) end;
    Boolean procedure value(file);
      begin value := true; open(file, loop2); value := false; close(file); loop2: end

Leak 5 (cont.)
- Using these procedures and three files called data, sendclock and receiveclock, a service can send a stream of bits to another concurrently running program. Referencing the files as though they were variables of this rather odd kind, we can describe the sequence of events for transmitting a single bit:
    sender:   data := bit being sent; sendclock := true
    receiver: wait for sendclock = true; received bit := data; receiveclock := true
    sender:   wait for receiveclock = true; sendclock := false
    receiver: wait for sendclock = false; receiveclock := false
    sender:   wait for receiveclock = false

Leak 6
  6. By varying its ratio of computing to input/output, or its paging rate, the service can transmit information which a concurrently running process can receive by observing the performance of the system

One solution
- Just say no
- Total isolation: a confined program shall make no calls on any other program
- Impractical

Confinement rule
- Transitivity: if a confined program calls another program which is not trusted, the called program must also be confined

Classification of Channels
- Storage
- Legitimate, such as the bill
- Covert, i.e. those not intended for information transfer at all, such as the service program's effect on the system load
- In which category does Lampson place 5?

Root Problem
- Resource sharing enables covert channels
- The more our operating systems and hardware enable efficient resource sharing, the greater the risk of covert channels

Resources
- Lampson, "A Note on the Confinement Problem", CACM Vol. 16, no. 10, October 1973, http://doi.acm.org/10.1145/362375.362389

Discussion
- Bishop's slides for Chapter 16, with some minor modifications to one example

Virtualization
- Virtualization is returning to the mainstream with Intel's Virtualization Technology (aka Vanderpool)
- Discussion following Bishop's slides for Chapter 29
- Secret decoder ring: PSL = Processor Status Longword, a VAX status register

Applications of Virtualization
- Workload isolation
- Workload consolidation
- Workload migration
- See Uhlig et al., Fig. 1

Virtualizing Intel architectures
- As is, Intel architectures do not meet the two requirements
- Non-faulting access to privileged state: IA-32 has registers that describe and manipulate the global descriptor table. These registers can only be set in ring 0. They can be queried in any ring without generating a fault. This violates rule 2 (all references to sensitive data trap)
- Software products to virtualize Intel hardware had to get around this: VMware dynamically rewrote code

Intel solutions
- VT-x: virtualization for IA-32
- VT-i: virtualization for Itanium
- Changed the architecture to meet the criteria

Ring aliasing and ring compression
- Solution is to allow the guest to run at its intended privilege level by augmenting privilege levels (see Figure 2d)

Non-faulting access to privileged state
- Two kinds of changes:
  - Make the access fault to the VM
  - Allow non-faulting access, but to state under the control of the VMM

Intel Virtualization Paper
- ftp://download.intel.com/technology/computing/vptech/vt-ieee-computer-final.pdf
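The Simple Security / Confinement conditions quoted in the Information Flow lecture above, and the explicit-downgrade escape hatch from its policy slides, as an added worked example that is not Flow Caml, not the Volpano/Smith/Irvine system and not course code: a small Python checker for a toy while-language over the two-point lattice {L, H}. The tuple AST encoding, the `declassify` node, the variable names and the sample programs are my own assumptions.

```python
# Added example: a two-level information-flow type checker for a toy
# imperative language, in the spirit of Volpano/Smith/Irvine (1996).
# Not Flow Caml and not course code; the AST encoding is an assumption.

LEVELS = {"L": 0, "H": 1}          # two-point lattice, L below H


def join(a, b):
    """Least upper bound of two levels."""
    return "H" if "H" in (a, b) else "L"


def leq(a, b):
    """True when level a may flow to level b (a is below or equal to b)."""
    return LEVELS[a] <= LEVELS[b]


class FlowError(Exception):
    """Raised when a program would move information downward in the lattice."""


# Expressions: ("const", v) | ("var", name) | ("op", e1, e2) | ("declassify", e)
# Commands:    ("assign", x, e) | ("seq", [c, ...]) | ("if", e, c1, c2) | ("while", e, c)
def expr_level(expr, env):
    """Simple Security: the level of an expression is the join of the levels
    of every variable it reads, so nothing above that level is read."""
    kind = expr[0]
    if kind == "const":
        return "L"
    if kind == "var":
        return env[expr[1]]
    if kind == "op":
        return join(expr_level(expr[1], env), expr_level(expr[2], env))
    if kind == "declassify":
        # Explicit escape mechanism (cf. the Zdancewic slide): the operand is
        # still checked, but its result is deliberately relabelled Low.
        expr_level(expr[1], env)
        return "L"
    raise ValueError(f"unknown expression {kind}")


def check(cmd, env, pc="L"):
    """Confinement: every variable written by cmd must sit at or above both the
    level of the data written and the level of the control context (pc), so
    nothing flows down through an assignment or through a branch condition."""
    kind = cmd[0]
    if kind == "assign":
        _, target, expr = cmd
        source = join(expr_level(expr, env), pc)
        if not leq(source, env[target]):
            raise FlowError(f"{source} data would be written to {target} ({env[target]})")
    elif kind == "seq":
        for sub in cmd[1]:
            check(sub, env, pc)
    elif kind in ("if", "while"):
        guard = join(expr_level(cmd[1], env), pc)
        for sub in cmd[2:]:
            check(sub, env, guard)
    else:
        raise ValueError(f"unknown command {kind}")


def is_secure(cmd, env):
    try:
        check(cmd, env)
        return True
    except FlowError:
        return False


# Constructed environment matching the lecture: H is High; L and the Low
# output channel are Low; scratch is a High temporary.
ENV = {"H": "H", "L": "L", "out": "L", "scratch": "H"}

# "if f(H, L) then printLow Success else printLow Fail": rejected, because the
# Low output depends on H through the branch condition (an implicit flow).
RECALL = ("if", ("op", ("var", "H"), ("var", "L")),
          ("assign", "out", ("const", "Success")),
          ("assign", "out", ("const", "Fail")))

# The password check with an explicit policy decision: the comparison is
# declassified, so the same program shape is accepted. Whether that is wise is
# the question the paradox slide raises; the checker only enforces the policy.
PASSWORD = ("if", ("declassify", ("op", ("var", "H"), ("var", "L"))),
            ("assign", "out", ("const", "Success")),
            ("assign", "out", ("const", "Fail")))

WRITE_UP = ("assign", "scratch", ("var", "L"))                          # Low into High: allowed
WRITE_DOWN = ("assign", "L", ("var", "H"))                              # High into Low: rejected
LOOP_LEAK = ("while", ("var", "H"), ("assign", "out", ("const", 1)))    # implicit flow via loop guard


if __name__ == "__main__":
    for name, prog in [("recall", RECALL), ("password", PASSWORD),
                       ("write_up", WRITE_UP), ("write_down", WRITE_DOWN),
                       ("loop_leak", LOOP_LEAK)]:
        print(f"{name:10s} secure={is_secure(prog, ENV)}")
```

The `pc` argument is what turns the slide's "no write down" into a check on control flow as well as on data: inside a branch guarded by a High expression, even a constant assignment to a Low variable is a leak, which is exactly why the first "Recall" program fails and why only an explicit `declassify` (a policy statement, not a typing trick) lets the password check through.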
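The HRU primitives, the New Secret / New Public / Cp commands and the "leaked right" definition from the Access Control lecture above, as an added worked example that is neither Bishop's code nor the course's: a Python simulation of the protection state (S, O, A) that runs the confidentiality and availability scenarios and reports which rights each transition leaks. The right set {own, r, w} and the body of each command follow the slides; naming Bob's ~/foo "~B/foo", keeping subjects outside O as the slides do, and having New Public grant r to every current subject are my assumptions.

```python
# Added example: an HRU access control matrix simulator for the lecture's
# confidentiality and availability scenarios. Not Bishop's code and not
# course code; rights {own, r, w} follow the slides, the rest is assumed.
from copy import deepcopy


class ACM:
    """Protection state (S, O, A) with the six HRU primitive operations."""

    def __init__(self):
        self.S = set()   # subjects
        self.O = set()   # objects (kept separate from S, as on the slides)
        self.A = {}      # (subject, object) -> frozenset of rights

    def rights(self, s, o):
        return self.A.get((s, o), frozenset())

    def create_subject(self, s):
        self.S.add(s)

    def create_object(self, o):
        self.O.add(o)

    def enter(self, r, s, o):
        if s not in self.S or o not in self.O:
            raise KeyError(f"a[{s},{o}] is not a cell of the matrix")
        self.A[(s, o)] = self.rights(s, o) | {r}

    def delete(self, r, s, o):
        self.A[(s, o)] = self.rights(s, o) - {r}

    def destroy_subject(self, s):           # A' is the restriction of A
        self.S.discard(s)
        self.A = {k: v for k, v in self.A.items() if k[0] != s}

    def destroy_object(self, o):
        self.O.discard(o)
        self.A = {k: v for k, v in self.A.items() if k[1] != o}

    def snapshot(self):
        return deepcopy(self)


def leaked_rights(before, after):
    """A right is leaked by a transition if it is added to a cell that did not
    already contain it (the lecture's definition). Returns (s, o, r) triples."""
    return {(s, o, r)
            for (s, o), rs in after.A.items()
            for r in rs if r not in before.rights(s, o)}


# Commands built from the primitives ("molecules from atoms").
def new_secret(m, x, f):
    m.create_object(f)
    for r in ("own", "r", "w"):
        m.enter(r, x, f)


def new_public(m, x, f):
    m.create_object(f)
    for r in ("own", "r", "w"):
        m.enter(r, x, f)
    for s in m.S:                   # assumption: every current subject may read
        m.enter("r", s, f)


def cp(m, x, src, dest):
    """Conditional command: proceeds only when r is in a[x, src], as on the
    slide. Returns whether the copy happened (the Unix-like exit status)."""
    if "r" not in m.rights(x, src):
        return False
    m.create_object(dest)
    m.enter("own", x, dest)
    m.enter("w", x, dest)
    return True


def initial_state():
    m = ACM()
    m.create_subject("A")
    m.create_subject("B")
    return m


def run_scenario(create):
    """Alice creates foo with `create`, then Bob tries cp foo ~/foo.
    Returns (cp succeeded, rights leaked by the cp transition)."""
    m = initial_state()
    create(m, "A", "foo")
    before = m.snapshot()
    ok = cp(m, "B", "foo", "~B/foo")       # "~B/foo" stands in for Bob's ~/foo
    return ok, leaked_rights(before, m)


def confidentiality_scenario():
    return run_scenario(new_secret)


def availability_scenario():
    return run_scenario(new_public)


def new_secret_leaks():
    """Rights leaked by the New Secret transition itself from the initial state."""
    m = initial_state()
    before = m.snapshot()
    new_secret(m, "A", "foo")
    return leaked_rights(before, m)


if __name__ == "__main__":
    print("confidentiality:", confidentiality_scenario())
    print("availability:   ", availability_scenario())
    print("new secret leaks:", sorted(new_secret_leaks()))
```

In the confidentiality scenario `cp` is refused because B holds no r on foo, so the state after the transition equals State 1 and nothing is leaked; in the availability scenario the copy succeeds and the only leaked rights are B's own and w on the new object ~/foo, matching A4 on the slide. Making `cp` a proper HRU conditional command (a positive test on one cell, then primitives) is what lets the leak check answer the slide's "critical issue: the definition of cp" mechanically.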