Information Flow Control

Size: px

Start display at page:

Download "Information Flow Control"

Muriel Barton
6 years ago
Views:

1 Information Flow Control Language and System Level Fall, Privacy&Security -

2 Concept Information flow Long-term confinement of information to authorized receivers Controls how information moves among data handlers and data storage units Applied at language, system, or application levels Examples: Insure that secret data is only revealed to individuals with a suitably high clearance level Guarantee that information available to a process cannot leak to the network Certify that the outputs of a program only contain information derived from specified inputs Fall, Privacy&Security -2

3 System Example Guarantee that the anti-virus (AV) scanner cannot leak to the network any data found in its scan of user files Possible leak methods Send data directly to a network connection Conspire with other processes (e.g, sendmail or httpd) Subvert another process and use its network access to send data Leave data in /tmp for other processes (e.g., the AV update daemon) to send Use other in/direct means of communication with the update daemon Fall, Privacy&Security -3

,B, } is a set of security classes Disjoint classes of information Each is bound to a security class Notation: a may be

4 Flow model Click to edit Master title style Denning Model where N = {a,b, } is a set of logical storage objects P = {p,q, } is a set of processes (active objects) SC = {A.,B, } is a set of security classes Disjoint classes of information Each is bound to a security class Notation: a may be static or dynamic (varies with content) Class combining operator: a b N Flow relation: iff information in class A is allowed to flow into class B Dorothy Denning Fall, Privacy&Security -4

5 Example Security Classes (TS,[dip,mil]) top secret secret (TS,[dip]) (TS,[mil]) (S,[dip,mil]) confidential (TS,[]) (S,[mil]) (S,[dip]) public (S,[]} Adapted from K. Rosen Discrete Mathematics and its Applications, Fall, Privacy&Security -5

6 Class Combining Operations least upper bound (TS,[dip,mil]) (TS,[dip]) (TS,[mil]) (S,[dip,mil]) greatest lower bound (TS,[]) (S,[mil]) (S,[dip]) (S,[]} Fall, Privacy&Security -6

7 Implicit/Explicit flows In the statement: a=b+c; There is explicit flow from b to a and from c to a Here written as a b and a c In the statement: if (a =0) {b = c;} There is an explicit flow from c to b (b c) There is an implicit flow from a to b (b a) Because testing the value of b before and after the statement can reveal the value of a In the statement: if (c) {a=b+1;d=e+2;} explicit flows from b to a and from e to d (a b, e d) implicit flows from c to a and from c to d (a c, d c) Fall, Privacy&Security -7

8 Security Requirements Elementary statement S: b a 1,,a n is secure if b a 1,, b a n are secure i.e., if a 1 b,, a n b i.e., if is allowed Sequence S = S 1 ; S 2 Is secure if both S 1 and S 2 are secure Conditional S = c: S 1,, S n where S i updates b i is secure if b i c for i=1..n are secure i.e. if is allowed Fall, Privacy&Security -8

9 Click to edit Master title style Static Binding Access Control Process p can read from a only if a p Process p can write to b only if p b In general, Data Mark Machine Associate a security class with the program counter For conditional structure c:s Push p onto the stack Set p to p c Execute S On exit restore p from stack For statement S that with b a1,,an Verify that Fall, Privacy&Security -9

10 Compiler-based Click to edit Master title style Static Binding For elementary statement S: f(a 1,,a n ) b verify that Set S to b is allowed For sequence S = S 1 ;S 2 Set S to S 1 S 2 For conditional structure S = c: S 1,,S m Set S to S 1 S m Verify that c S Fall, Privacy&Security -10

11 Dynamic Binding A pure dynamic binding is not practical Typical that some objects and most users have a static security class Dynamic Data Mark Machine Difficult to account for implicit flows, so Compiler determines implicit flows and Inserts additional instructions to update class associated with program counter accordingly Accounts for implicit flows even if flow not executed Fall, Privacy&Security -11

HiStar : System Level Flow Control Basic ideas Files and process are associated with a label whose taint restricts the flow to lesser tainted components

12 HiStar : System Level Flow Control Basic ideas Files and process are associated with a label whose taint restricts the flow to lesser tainted components Many categories of taint each owned by its creator Selected components (e.g., wrap) can be given untainting privileges Fall, Privacy&Security -12

13 Labels Structure L = {c 1 l 1, c 2 l 2,,c n l n,l default } Each c i is a category and l i is the taint level in that category l default is the default level for unnamed categories L(c) = l i if c=c i for some i and l default otherwise Levels Fall, Privacy&Security -13

14 Information Flow General rule: information can flow from O 1 to O 2 only if O 2 is at least as tainted as O 1 in every category Information cannot flow from O 1 to O 2 if O 1 is more tainted in some category than O 2 Example Thread T with L T ={1}, object O with L O ={c3,1} L T (c)=1 < 3=L O (c) Flow is permitted from T to O (i.e., T can write to O) No flow permitted from O to T (i.e., T cannot read/observe O) Fall, Privacy&Security -14

Example with Labels User data labels set so that only owner can read (b r 3) and write (b w 0) Wrap program has ownership to read (b r ) user data which it delegates to scanner Wrap creates

15 Example with Labels User data labels set so that only owner can read (b r 3) and write (b w 0) Wrap program has ownership to read (b r ) user data which it delegates to scanner Wrap creates category v to (1) prevent the scanner from modifying User Data (since User Data has default level 1) and (2) prevent scanner from communicating with network Fall, Privacy&Security -15

16 Notation Information flow Treatment of level should be high for reading, but low for writing Notation provides two ownership symbols Used as L and L ; for example if L={a, b, 1} then L = {a,b,1} and L = {a,b,1} Flow restriction: T can read/observe O only if T can write/modify O only if Fall, Privacy&Security -16

17 Kernel Object Types Object structure objectid (unique, 61 bit) label (threads also have clearance label) quota metadata (64 bytes) flags Segment: variable-length byte array Fall, Privacy&Security -17

18 Design Rationale Kernel interface The contents of object A can only affect object B if, for every category c in which A is more tainted than B, a thread owning c takes part in the process. Provides end-to-end guarantee of which system components can affect which others without need to understand component details Application structure Organize applications so that key categories are owned by small amounts of code Bulk of the system is not security critical Fall, Privacy&Security -18

Asbestos Operating System

Asbestos Operating System Presented by Sherley Codio and Tom Dehart This Talk Recap on Information Flow Asbestos Overview Labels Special Rules Discretionary Contamination Declassification/Decontamination