Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Information Flow CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 22, 2004.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Information Flow CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 22, 2004."— Presentation transcript:

1 1 Information Flow CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 22, 2004

2 2 Overview Information Flow Models Information Flow Models Confinement Flow Model Confinement Flow Model Compiler-Based Mechanisms Compiler-Based Mechanisms

3 3 Bell-LaPadula Model Information flows from A to B iff B dom A Information flows from A to B iff B dom A TS{R,P} TS{R} TS{P} S{R}S{P} S{}

4 4 Entropy-Based Analysis Command sequence takes a system from state s to state t Command sequence takes a system from state s to state t x s is the value of x at state s x s is the value of x at state s H(a | b) is the uncertainty of a given b H(a | b) is the uncertainty of a given b Def: A command sequence causes a flow of information from x to y if H(x s | y t ) < H(x s | y s ). If y does not exist in s, then H(x s | y s ) = H(x s ) Def: A command sequence causes a flow of information from x to y if H(x s | y t ) < H(x s | y s ). If y does not exist in s, then H(x s | y s ) = H(x s )

5 5 Example Flows y := x H(x s | y t ) = 0 tmp := x; y := tmp; H(x s | y t ) = 0

6 6 Another Example if (x==1) then y:= 0 else y := 1 Suppose x is equally likely to be 0 or 1, so H(x s ) = 1 But, H(x s | y t ) = 0 So, H(x s | y t ) < H(x s | y s ) = H(x s ) Thus, information flows from x to y. Def. An implicit flow of information occurs when information flows from x to y without an explicit assignment of the form y := f(x)

7 7 Requirements for Information Flow Models Reflexivity: information should flow freely among members of a class Reflexivity: information should flow freely among members of a class Transitivity: If b reads something from c and saves it, and if a reads from b, then a can read from c Transitivity: If b reads something from c and saves it, and if a reads from b, then a can read from c A lattice has a relation R that is reflexive and transitive (and antisymmetric)

8 8 Information Flow Models An Information flow policy I is a triple I = (SC I,  I, join I ), where SC I is a set of security classes,  I is an ordering relation on the elements of SC I, and join I combines two elements of SC I An Information flow policy I is a triple I = (SC I,  I, join I ), where SC I is a set of security classes,  I is an ordering relation on the elements of SC I, and join I combines two elements of SC I Example: Bell-LaPadula has security compartments for SC I, dom for  I and lub as join I Example: Bell-LaPadula has security compartments for SC I, dom for  I and lub as join I

9 9 Confinement Flow Model Associate with each object x a security class x Associate with each object x a security class x Def: The confinement flow model is a 4-tuple (I, O, confine, ) in which Def: The confinement flow model is a 4-tuple (I, O, confine, ) in which I = (SCI,  I, join I ) is a lattice-based info. flow policyI = (SCI,  I, join I ) is a lattice-based info. flow policy O is a set of entitiesO is a set of entities  : O  O is a relation with (a, b)   iff information can flow from a to b : O  O is a relation with (a, b)   iff information can flow from a to b for each a  O, confine(a) is a pair (a L, a U )  SC I  SC I, with a L  I a Ufor each a  O, confine(a) is a pair (a L, a U )  SC I  SC I, with a L  I a U if x  a U then information can flow from x to aif x  a U then information can flow from x to a if a L  x the information can flow from a to xif a L  x the information can flow from a to x

10 10 Example Confinement Model Let a, b, and c  O confine(a) = [ CONFIDENTIAL, CONFIDENTIAL] confine(b) = [SECRET, SECRET] confine(c) = [TOPSECRET, TOPSECRET] Then a  b, a  c, and b  c are the legal flows

11 11 Another Example Let a, b, and c  O confine(a) = [ CONFIDENTIAL, CONFIDENTIAL] confine(b) = [SECRET, SECRET] confine(c) = [CONFIDENTIAL, TOPSECRET] Then a  b, a  c, b  c, and c  a are the legal flows Note that b  c and c  a, but information cannot flow from b to a because b L  I a U is false So, transitivity fails to hold

12 12 Non-Lattice Information Flow Policies Government agency has public relation officers (PRO), analysts (A), and spymasters (S) 4 classifications of data: public  analysis, public  covert analysis  top-level, covert  top-level confine(PRO) = [public, analysis] confine(A) = [analysis, top-level] confine(S) = [covert, top-level] PRO  A, A  PRO, PRO  S, A  S, and S  A

13 13 Complier-Based Mechanisms Assignment statements Assignment statements Compound statements Compound statements Conditional statements Conditional statements Iterative statements Iterative statements

14 14 Assignment Statements y := f(x 1,..., x n ) Requirement for information flow to be secure is: lub {x 1,..., x n }  y lub {x 1,..., x n }  yExample: x := y + z; lub{y, z}  x

15 15 Compound Statements begin S 1 ;... S n ; end; Requirement for information flow to be secure: S 1 secure AND... AND S n secure

16 16 Conditional Statements if f(x 1,..., x n ) then S 1 ; else S 2 ; end; Requirement for information flow to be secure: S 1 secure AND S 2 secure AND lub{x 1,..., x n }  glb{y | y is the target of an assignment in S 1 or S 2 }

17 17 Example Conditional Statement if x + y < z then a := b; else d := b * c - x; end; b  a for S 1 lub{b, c, x}  d for S 2 lub{x, y, z}  glb{a, d} for condition

18 18 Iterative Statements while f(x 1,..., x n ) do S; Requirement for information flow to be secure: Iteration terminates S secure lub{x 1,..., x n }  glb{y | y is the target of an assignment in S}

19 19 Example Iteration Statement while i < n do begin a[i] := b[i]; i := i + 1; end; Loop terminates i  a[i] AND b[i]  a[i] for S 1 lub{i, b[i]}  a[i] for compound statement lub{b[i], i, n}  glb{a[i], i} for while condition

Download ppt "1 Information Flow CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 22, 2004."

Similar presentations

Representing Relations

Representing Relations
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
8.3 Representing Relations Connection Matrices Let R be a relation from A = {a 1, a 2,..., a m } to B = {b 1, b 2,..., b n }. Definition: A n m  n connection.

8.3 Representing Relations Connection Matrices Let R be a relation from A = {a 1, a 2,..., a m } to B = {b 1, b 2,..., b n }. Definition: A n m  n connection.
Vinay Kumar Madhadi 10/28/2009 CSC-8320. Outline  Part 1 : Mandatory Flow Control Models? MAC vs. DAC Information Flow Control  Part 2 : Different Models-Lattice.

Vinay Kumar Madhadi 10/28/2009 CSC Outline  Part 1 : Mandatory Flow Control Models? MAC vs. DAC Information Flow Control  Part 2 : Different Models-Lattice.
I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University.

I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University.
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.

Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.

1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.
1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.

1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.
1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.

1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.

Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #27-1 Chapter 27: Lattices Overview Definitions Lattices Examples.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #27-1 Chapter 27: Lattices Overview Definitions Lattices Examples.
Worklist algorithm Initialize all d i to the empty set Store all nodes onto a worklist while worklist is not empty: –remove node n from worklist –apply.

Worklist algorithm Initialize all d i to the empty set Store all nodes onto a worklist while worklist is not empty: –remove node n from worklist –apply.
April 20, 2004ECS 235Slide #1 DG/UX System Provides mandatory access controls –MAC label identifies security level –Default labels, but can define others.

April 20, 2004ECS 235Slide #1 DG/UX System Provides mandatory access controls –MAC label identifies security level –Default labels, but can define others.
From last time: reaching definitions For each use of a variable, determine what assignments could have set the value being read from the variable Information.

From last time: reaching definitions For each use of a variable, determine what assignments could have set the value being read from the variable Information.
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #15-1 Chapter 15: Information Flow Definitions Compiler-based mechanisms Execution-based.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #15-1 Chapter 15: Information Flow Definitions Compiler-based mechanisms Execution-based.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
Administrative stuff Office hours: After class on Tuesday.

Administrative stuff Office hours: After class on Tuesday.

Similar presentations

Ads by Google