Chapter 15: Information Flow

Similar documents
Formal Specification and Verification

Software Engineering using Formal Methods

Computer Architecture /

Lecture 5: Declarative Programming. The Declarative Kernel Language Machine. September 12th, 2011

Software Engineering using Formal Methods

CS 6110 S14 Lecture 38 Abstract Interpretation 30 April 2014

Parsing Scheme (+ (* 2 3) 1) * 1

Advanced Programming Methods. Introduction in program analysis

9/21/17. Outline. Expression Evaluation and Control Flow. Arithmetic Expressions. Operators. Operators. Notation & Placement

Chapter 7. - FORTRAN I control statements were based directly on IBM 704 hardware

Programming Languages Third Edition. Chapter 9 Control I Expressions and Statements

Automata-Theoretic LTL Model Checking. Emptiness of Büchi Automata

Computer Organization CS 206 T Lec# 2: Instruction Sets

Project 3 Due October 21, 2015, 11:59:59pm

A Gentle Introduction to Program Analysis

Introduction. C provides two styles of flow control:

CMa simple C Abstract Machine

CS4411 Intro. to Operating Systems Exam 1 Fall points 9 pages

CSc 520 Principles of Programming Languages. 26 : Control Structures Introduction

Statement level control structures

CS558 Programming Languages

LECTURE 18. Control Flow

CSCI 1061U Programming Workshop 2. C++ Basics

8. Control statements

Control Flow. COMS W1007 Introduction to Computer Science. Christopher Conway 3 June 2003

Iterative Statements. Iterative Statements: Examples. Counter-Controlled Loops. ICOM 4036 Programming Languages Statement-Level Control Structure

Chapter 8. Statement-Level Control Structures

Introduction to Visual Basic and Visual C++ Arithmetic Expression. Arithmetic Expression. Using Arithmetic Expression. Lesson 4.

Repetition Structures

CS313D: ADVANCED PROGRAMMING LANGUAGE

Condition-Controlled Loop. Condition-Controlled Loop. If Statement. Various Forms. Conditional-Controlled Loop. Loop Caution.

Name :. Roll No. :... Invigilator s Signature : INTRODUCTION TO PROGRAMMING. Time Allotted : 3 Hours Full Marks : 70

Fundamentals of Programming Session 13

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Principles of Programming Languages

MIDTERM EXAM (Solutions)

Chapter 8. Statement-Level Control Structures

Chapter 8 Statement-Level Control Structures

Chapter 4 Introduction to Control Statements

CS1622. Semantic Analysis. The Compiler So Far. Lecture 15 Semantic Analysis. How to build symbol tables How to use them to find

3.Constructors and Destructors. Develop cpp program to implement constructor and destructor.

Labels and Information Flow

Chapter 8. Statement-Level Control Structures

Lecture V Toy Hardware and Operating System

Flow Control. CSC215 Lecture

1 Overview. 2 Basic Program Structure. 2.1 Required and Optional Parts of Sketch

Concepts Introduced in Chapter 6

Qualifying Exam in Programming Languages and Compilers

Lecture 4: Bell LaPadula

Why Is Repetition Needed?

Chapter 8. Statement-Level Control Structures ISBN

Review of the syntax and use of Arduino functions, with special attention to the setup and loop functions.

G Programming Languages - Fall 2012

Lecture 3 Notes Arrays

3.7 Denotational Semantics

Chapter 6: Integrity Policies

Operational Semantics. One-Slide Summary. Lecture Outline

Programming for Engineers Iteration

CS111: PROGRAMMING LANGUAGE II

2.2 THE MARIE Instruction Set Architecture

Functions. Systems Programming Concepts

CS4411 Intro. to Operating Systems Exam 1 Fall points 10 pages

Applications of Formal Verification

Week 6. Data structures

Quick Reference Guide

Course Administration

Università degli Studi di Bologna Facoltà di Ingegneria. Principles, Models, and Applications for Distributed Systems M

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Lecture 10 Notes Linked Lists

Dion Model. Objects and their classification

Lecture Notes on Arrays

The role of semantic analysis in a compiler

UNIT 3

Merge Sort. Run time typically depends on: Insertion sort can be faster than merge sort. Fast, able to handle any data

Types. Type checking. Why Do We Need Type Systems? Types and Operations. What is a type? Consensus

CHAPTER 4 FUNCTIONS. 4.1 Introduction

Principles of Computer Science

The Compiler So Far. Lexical analysis Detects inputs with illegal tokens. Overview of Semantic Analysis

QUIZ on Ch.5. Why is it sometimes not a good idea to place the private part of the interface in a header file?

CSE101-lec#12. Designing Structured Programs Introduction to Functions. Created By: Amanpreet Kaur & Sanjeev Kumar SME (CSE) LPU

Semantic actions for declarations and expressions

Operational Semantics of Cool

CHAPTER 5 A Closer Look at Instruction Set Architectures

CSI33 Data Structures

Instruction Sets: Characteristics and Functions Addressing Modes

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Lecture 13. Notation. The rules. Evaluation Rules So Far

Iteration. Side effects

UNIX Input/Output Buffering

6. Control Statements II

Programming Basics and Practice GEDB029 Decision Making, Branching and Looping. Prof. Dr. Mannan Saeed Muhammad bit.ly/gedb029

X Language Definition

introduction to Programming in C Department of Computer Science and Engineering Lecture No. #40 Recursion Linear Recursion

Ordering Within Expressions. Control Flow. Side-effects. Side-effects. Order of Evaluation. Misbehaving Floating-Point Numbers.

Control Flow COMS W4115. Prof. Stephen A. Edwards Fall 2006 Columbia University Department of Computer Science

Lecture 3 Local Optimizations, Intro to SSA

CS111: PROGRAMMING LANGUAGE II

Control Structures. Outline. In Text: Chapter 8. Control structures Selection. Iteration. Gotos Guarded statements. One-way Two-way Multi-way

Function Call Stack and Activation Records

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Applications of Formal Verification

Transcription:

Chapter 15: Information Flow Definitions Compiler-based mechanisms Execution-based mechanisms Examples Slide #15-1

Overview Basics and background Compiler-based mechanisms Execution-based mechanisms Examples Security Pipeline Interface Secure Network Server Mail Guard Slide #15-2

Basics Bell-LaPadula Model embodies information flow policy Given compartments A, B, info can flow from A to B iff B dom A Variables x, y assigned compartments x, y as well as values If x = A and y = B, and A dom B, then y := x allowed but not x := y Slide #15-3

Information Flow Idea: info flows from x to y as a result of a sequence of commands c if you can deduce information about x before c from the value in y after c Slide #15-4

Example 1 Command is x := y + z; where: 0 y 7, equal probability z = 1 with prob. 1/2, z = 2 or 3 with prob. 1/4 each If you know final value of x, initial value of y can have at most 3 values, so information flows from y to x Slide #15-5

Example 2 Command is if x = 1 then y := 0 else y := 1; where: x, y equally likely to be either 0 or 1 But if x = 1 then y = 0, and vice versa, so value of y depends on x So information flowed from x to y Slide #15-6

Implicit Flow of Information Information flows from x to y without an explicit assignment of the form y := f(x) f(x) an arithmetic expression with variable x Example from previous slide: if x = 1 then y := 0 else y := 1; So must look for implicit flows of information to analyze program Slide #15-7

Notation x means class of x In Bell-LaPadula based system, same as label of security compartment to which x belongs x y means information can flow from an element in class of x to an element in class of y Or, information with a label placing it in class x can flow into class y Slide #15-8

Compiler-Based Mechanisms Detect unauthorized information flows in a program during compilation Analysis not precise, but secure If a flow could violate policy (but may not), it is unauthorized No unauthorized path along which information could flow remains undetected Set of statements certified with respect to information flow policy if flows in set of statements do not violate that policy Slide #15-9

Example if x = 1 then y := a; else y := b; Info flows from x and a to y, or from x and b to y Certified only if x y and a y and b y Note flows for both branches must be true unless compiler can determine that one branch will never be taken Slide #15-10

Declarations Notation: x: int class { A, B } means x is an integer variable with security class at least lub{ A, B }, so lub{ A, B } x Distinguished classes Low, High Constants are always Low Slide #15-11

Input Parameters Parameters through which data passed into procedure Class of parameter is class of actual argument i p : type class { i p } Slide #15-12

Output Parameters Parameters through which data passed out of procedure If data passed in, called input/output parameter As information can flow from input parameters to output parameters, class must include this: o p : type class { r 1,, r n } where r i is class of ith input or input/output argument Slide #15-13

Example proc sum(x: int class { A }; begin var out: int class { A, B }); out := out + x; end; Require x out and out out Slide #15-14

Array Elements Information flowing out: := a[i] Value of i, a[i] both affect result, so class is lub{ a[i], i } Information flowing in: a[i] := Only value of a[i] affected, so class is a[i] Slide #15-15

Assignment Statements x := y + z; Information flows from y, z to x, so this requires lub{ y, z } x More generally: y := f(x 1,, x n ) the relation lub{ x 1,, x n } y must hold Slide #15-16

Compound Statements x := y + z; a := b * c x; First statement: lub{ y, z } x Second statement: lub{ b, c, x } a So, both must hold (i.e., be secure) More generally: S 1 ; S n ; Each individual S i must be secure Slide #15-17

Conditional Statements if x + y < z then a := b else d := b * c x; end The statement executed reveals information about x, y, z, so lub{ x, y, z } glb{ a, d } More generally: if f(x 1,, x n ) then S 1 else S 2 ; end S 1, S 2 must be secure lub{ x 1,, x n } glb{y y target of assignment in S 1, S 2 } Slide #15-18

Iterative Statements while i < n do begin a[i] := b[i]; i := i + 1; end Same ideas as for if, but must terminate More generally: while f(x 1,, x n ) do S; Loop must terminate; S must be secure lub{ x 1,, x n } glb{y y target of assignment in S } Slide #15-19

Iterative Statements while i < n do begin a[i] := b[i]; i := i + 1; end Same ideas as for if, but must terminate More generally: while f(x 1,, x n ) do S; Loop must terminate; S must be secure lub{ x 1,, x n } glb{y y target of assignment in S } Slide #15-20

Goto Statements No assignments Hence no explicit flows Need to detect implicit flows Basic block is sequence of statements that have one entry point and one exit point Control in block always flows from entry point to exit point Slide #15-21

Example Program proc tm(x: array[1..10][1..10] of int class {x}; var y: array[1..10][1..10] of int class {y}); var i, j: int {i}; begin b 1 i := 1; b 2 L2: if i > 10 goto L7; b 3 j := 1; b 4 L4: if j > 10 then goto L6; b 5 y[j][i] := x[i][j]; j := j + 1; goto L4; b 6 L6: i := i + 1; goto L2; b 7 L7: end; Slide #15-22

Flow of Control b 1 b 2 b 7 b 6 b 3 j > n j n b 4 i > n i n b 5 Slide #15-23

IFDs Idea: when two paths out of basic block, implicit flow occurs Because information says which path to take When paths converge, either: Implicit flow becomes irrelevant; or Implicit flow becomes explicit Immediate forward dominator of basic block b (written IFD(b)) is first basic block lying on all paths of execution passing through b Slide #15-24

IFD Example In previous procedure: IFD(b 1 ) = b 2 one path IFD(b 2 ) = b 7 b 2 b 7 or b 2 b 3 b 6 b 2 b 7 IFD(b 3 ) = b 4 one path IFD(b 4 ) = b 6 b 4 b 6 or b 4 b 5 b 6 IFD(b 5 ) = b 4 one path IFD(b 6 ) = b 2 one path Slide #15-25

Requirements B i is set of basic blocks along an execution path from b i to IFD(b i ) Analogous to statements in conditional statement x i1,, x in variables in expression selecting which execution path containing basic blocks in B i used Analogous to conditional expression Requirements for secure: All statements in each basic blocks are secure lub{ x i1,, x in } glb{ y y target of assignment in B i } Slide #15-26

Example of Requirements Within each basic block: b 1 : Low i b 3 : Low j b 6 : lub{ Low, i } i b 5 : lub{ x[i][j], i, j } y[j][i] }; lub{ Low, j } j Combining, lub{ x[i][j], i, j } y[j][i] } From declarations, true when lub{ x, i } y B 2 = {b 3, b 4, b 5, b 6 } Assignments to i, j, y[j][i]; conditional is i 10 Requires i glb{ i, j, y[j][i] } From declarations, true when i y Slide #15-27

Example (continued) B 4 = { b 5 } Assignments to j, y[j][i]; conditional is j 10 Requires j glb{ j, y[j][i] } From declarations, means i y Result: Combine lub{ x, i } y; i y; i y Requirement is lub{ x, i } y Slide #15-28

Procedure Calls tm(a, b); From previous slides, to be secure, lub{ x, i } y must hold In call, x corresponds to a, y to b Means that lub{ a, i } b, or a b More generally: proc pn(i 1,, i m : int; var o 1,, o n : int) begin S end; S must be secure For all j and k, if i j o k, then x j y k For all j and k, if o j o k, then y j y k Slide #15-29

Exceptions proc copy(x: int class { x }; var y: int class Low) var sum: int class { x }; z: int class Low; begin y := z := sum := 0; while z = 0 do begin sum := sum + x; y := y + 1; end end Slide #15-30

Exceptions (cont) When sum overflows, integer overflow trap Procedure exits Value of x is MAXINT/y Info flows from y to x, but x y never checked Need to handle exceptions explicitly Idea: on integer overflow, terminate loop on integer_overflow_exception sum do z := 1; Now info flows from sum to z, meaning sum z This is false (sum = { x } dominates z = Low) Slide #15-31

Infinite Loops proc copy(x: int 0..1 class { x }; var y: int 0..1 class Low) begin y := 0; while x = 0 do (* nothing *); y := 1; end If x = 0 initially, infinite loop If x = 1 initially, terminates with y set to 1 No explicit flows, but implicit flow from x to y Slide #15-32

Semaphores Use these constructs: wait(x): if x = 0 then block until x > 0; x := x 1; signal(x): x := x + 1; x is semaphore, a shared variable Both executed atomically Consider statement wait(sem); x := x + 1; Implicit flow from sem to x Certification must take this into account! Slide #15-33

Flow Requirements Semaphores in signal irrelevant Don t affect information flow in that process Statement S is a wait shared(s): set of shared variables read Idea: information flows out of variables in shared(s) fglb(s): glb of assignment targets following S So, requirement is shared(s) fglb(s) begin S 1 ; S n end All S i must be secure For all i, shared(s i ) fglb(s i ) Slide #15-34

Example begin x := y + z; (* S 1 *) wait(sem); (* S 2 *) a := b * c x; (* S 3 *) end Requirements: lub{ y, z } x lub{ b, c, x } a sem a Because fglb(s 2 ) = a and shared(s 2 ) = sem Slide #15-35

Concurrent Loops Similar, but wait in loop affects all statements in loop Because if flow of control loops, statements in loop before wait may be executed after wait Requirements Loop terminates All statements S 1,, S n in loop secure lub{ shared(s 1 ),, shared(s n ) } glb(t 1,, t m ) Where t 1,, t m are variables assigned to in loop Slide #15-36

Loop Example while i < n do begin a[i] := item; (* S 1 *) wait(sem); (* S 2 *) i := i + 1; (* S 3 *) end Conditions for this to be secure: Loop terminates, so this condition met S 1 secure if lub{ i, item } a[i] S 2 secure if sem i and sem a[i] S 3 trivially secure Slide #15-37

cobegin/coend cobegin coend x := y + z; (* S 1 *) a := b * c y; (* S 2 *) No information flow among statements For S 1, lub{ y, z } x For S 2, lub{ b, c, y } a Security requirement is both must hold So this is secure if lub{ y, z } x lub{ b, c, y } a Slide #15-38

Soundness Above exposition intuitive Can be made rigorous: Express flows as types Equate certification to correct use of types Checking for valid information flows same as checking types conform to semantics imposed by security policy Slide #15-39

Execution-Based Mechanisms Detect and stop flows of information that violate policy Done at run time, not compile time Obvious approach: check explicit flows Problem: assume for security, x y if x = 1 then y := a; When x 1, x = High, y = Low, a = Low, appears okay but implicit flow violates condition! Slide #15-40

Fenton s Data Mark Machine Each variable has an associated class Program counter (PC) has one too Idea: branches are assignments to PC, so you can treat implicit flows as explicit flows Stack-based machine, so everything done in terms of pushing onto and popping from a program stack Slide #15-41

Instruction Description skip means instruction not executed push(x, x) means push variable x and its security class x onto program stack pop(x, x) means pop top value and security class from program stack, assign them to variable x and its security class x respectively Slide #15-42

Instructions x := x + 1 (increment) Same as: if PC x then x := x + 1 else skip if x = 0 then goto n else x := x 1 (branch and save PC on stack) Same as: if x = 0 then begin push(pc, PC); PC := lub{pc, x}; PC := n; end else if PC x then x := x - 1 else skip; Slide #15-43

More Instructions if x = 0 then goto n else x := x 1 (branch without saving PC on stack) Same as: if x = 0 then if x PC then PC := n else skip else if PC x then x := x 1 else skip Slide #15-44

More Instructions return (go to just after last if) Same as: pop(pc, PC); halt (stop) Same as: if program stack empty then halt Note stack empty to prevent user obtaining information from it after halting Slide #15-45

Example Program 1 if x = 0 then goto 4 else x := x 1 2 if z = 0 then goto 6 else z := z 1 3 halt 4 z := z 1 5 return 6 y := y 1 7 return Initially x = 0 or x = 1, y = 0, z = 0 Program copies value of x to y Slide #15-46

Example Execution x y z PC PC stack check 1 0 0 1 Low 0 0 0 2 Low Low x 0 0 0 6 z (3, Low) 0 1 0 7 z (3, Low) PC y 0 1 0 3 Low Slide #15-47

Handling Errors Ignore statement that causes error, but continue execution If aborted or a visible exception taken, user could deduce information Means errors cannot be reported unless user has clearance at least equal to that of the information causing the error Slide #15-48

Variable Classes Up to now, classes fixed Check relationships on assignment, etc. Consider variable classes Fenton s Data Mark Machine does this for PC On assignment of form y := f(x 1,, x n ), y changed to lub{ x 1,, x n } Need to consider implicit flows, also Slide #15-49

Example Program (* Copy value from x to y * Initially, x is 0 or 1 *) proc copy(x: int class { x }; var y: int class { y }) var z: int class variable { Low }; begin y := 0; z := 0; if x = 0 then z := 1; if z = 0 then y := 1; end; z changes when z assigned to Assume y < x Slide #15-50

Analysis of Example x = 0 z := 0 sets z to Low if x = 0 then z := 1 sets z to 1 and z to x So on exit, y = 0 x = 1 z := 0 sets z to Low if z = 0 then y := 1 sets y to 1 and checks that lub{low, z} y So on exit, y = 1 Information flowed from x to y even though y < x Slide #15-51

Handling This (1) Fenton s Data Mark Machine detects implicit flows violating certification rules Slide #15-52

Handling This (2) Raise class of variables assigned to in conditionals even when branch not taken Also, verify information flow requirements even when branch not taken Example: In if x = 0 then z := 1, z raised to x whether or not x = 0 Certification check in next statement, that z y, fails, as z = x from previous statement, and y x Slide #15-53

Handling This (3) Change classes only when explicit flows occur, but all flows (implicit as well as explicit) force certification checks Example When x = 0, first if sets z to Low then checks x z When x = 1, first if checks that x z This holds if and only if x = Low Not possible as y < x = Low and there is no such class Slide #15-54

Example Information Flow Control Systems Use access controls of various types to inhibit information flows Security Pipeline Interface Analyzes data moving from host to destination Secure Network Server Mail Guard Controls flow of data between networks that have different security classifications Slide #15-55

Security Pipeline Interface host SPI second disk first disk SPI analyzes data going to, from host No access to host main memory Host has no control over SPI Slide #15-56

Use Store files on first disk Store corresponding crypto checksums on second disk Host requests file from first disk SPI retrieves file, computes crypto checksum SPI retrieves file s crypto checksum from second disk If a match, file is fine and forwarded to host If discrepency, file is compromised and host notified Integrity information flow restricted here Corrupt file can be seen but will not be trusted Slide #15-57

Secure Network Server Mail Guard (SNSMG) MTA filters MTA SECRET computer out in UNCLASSIFIED computer Filters analyze outgoing messages Check authorization of sender Sanitize message if needed (words and viruses, etc.) Uses type checking to enforce this Incoming, outgoing messages of different type Only appropriate type can be moved in or out Slide #15-58

Key Points Both amount of information, direction of flow important Flows can be explicit or implicit Compiler-based checks flows at compile time Execution-based checks flows at run time Slide #15-59

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback