Presentation is loading. Please wait.

Presentation is loading. Please wait.

Robust Declassification Steve Zdancewic Andrew Myers Cornell University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Robust Declassification Steve Zdancewic Andrew Myers Cornell University."— Presentation transcript:

1 Robust Declassification Steve Zdancewic Andrew Myers Cornell University

2 CSFW142 Information flow policies are a natural way to specify precise, system-wide, multi-level security requirements. Enforcement mechanisms are often too restrictive – prevent desired policies. Information flow controls provide declassification mechanisms to accommodate intentional leaks. But… hard to understand end-to-end system behavior. Information Flow Security

3 CSFW143 Declassification Declassification (downgrading) is the intentional release of confidential information. Policy governs use of declassification operation.

4 CSFW144 Password Example Password Checker public query confidential password public result This system includes declassification.

5 CSFW145 Attack: Copy data into password Password Checker public query high security data leaked result high security data copy Attacker can launder data through the password checker.

6 CSFW146 Robust Declassification Goal: Formalize the intuition that an attacker should not be able to abuse the downgrade mechanisms provided by the system to cause more information to be declassified than intended.

7 CSFW147 How to Proceed? Characterize what information is declassified. Make a distinction between “intentional” and “unintentional” information flow. Explore some of the consequences of robust declassification.

8 CSFW148 A Simple System Model A system S is a pair:  is a set of states:  1,  2,…  is a transition relation in        

9 CSFW149 Views of a System A view of ( ,  ) is an equivalence relation on . Example:  = String  Integer "integer component is visible" ("attack at dawn", 3)  I ("retreat", 3) ( x, i )  I ( y, j ) iff i = j ("attack at dawn", 3)  I ("retreat", 4) /

10 CSFW1410 Example Views Example:  = String  Integer "string component is visible" ( x, i )  S ( y, j ) iff x = y "integer is even or odd" ( x, i )  E ( y, j ) iff i%2 = j%2 "complete view" ( x, i )   ( y, j ) iff ( x, i ) = ( y, j )

11 CSFW1411 Passive Observers A view induces an observation of a trace:   = ("x",1)  ("y",1)  ("z",2)  ("z",3)   through view  I 1  1  2  3   = ("a",1)  ("b",2)  ("z",2)  ("c",3)   through view  I 1  2  2  3

12 CSFW1412 Observational Equivalence The induced observational equivalence is S[  ] :  S[  ]  ' if the traces from  look the same as the traces from  ' through the view .

13 CSFW1413 Simple Example 

14 CSFW1414 Simple Example S[  ]  S[  ]

15 CSFW1415 Why Did We Do This?  is a view of  indicating what an observer sees directly. S[  ] is a view of  indicating what an observer learns by watching S evolve. Need some way to compare them…

16 CSFW1416 An Information Lattice The views of a system S form a lattice. Order:  A   B  II  EE SS Intuition: Higher = "more information"

17 CSFW1417   is the identity relation   is the total relation Lattice Order   =  I   S II  EE SS Join:  A   B Meet:  A   B

18 CSFW1418 Intuition: An observer only learns information by watching the system. (Can't lose information.) Information Learned via Observation   S[  ]  Lemma:   S[  ]

19 CSFW1419 Natural Security Condition    = S[  ] Definition: A system S is  -secure whenever  = S[  ] Closely related to standard definitions of non-interference style properties.

20 CSFW1420 Declassification Declassification is intentional leakage of information. Implies that  = S[  ] / We want to characterize unintentional declassification.

21 CSFW1421 A Simple Attack Model An  A -attack is a system A = ( ,   ) such that  A = A[  A ]  A is the attacker's view   is a set of additional transitions introduced by the attacker  A = A[  A ] means "fair environment"

22 CSFW1422 Attacked Systems Given a system S = ( ,  ) and attack A = ( ,   ) the attacked system is: S  A = ( ,     )             =           

23 CSFW1423 More Intuition S[  ] describes the information intentionally declassified by the system – a specification for how S ought to behave. (S  A)[  A ] describes the information obtained by an attack A.

24 CSFW1424 Example Attack AA AA

25 CSFW1425 Example Attack AA AA Attack transitions affect the system.

26 CSFW1426 Example Attack  S[  A ]  (S  A)[  A ] Attacked system may reveal more. S[  ]

27 CSFW1427 Robust Declassification A system S is robust with respect to attack A whenever (S  A)[  A ]  S[  A ].   S[  A ] A A (S  A)[  A ] Intuition: Attack reveals no additional information.

28 CSFW1428 Secure Systems are Robust Theorem: If S is  A -secure then S is  A -robust with respect to all  A -attacks. Intuition: S doesn't leak any information to  A -observer, so no declassifications to exploit.

29 CSFW1429 Characterizing Attacks Given a system S and a view  A, for what  A -attacks is S robust? Need to rule out Attack transitions Like this: (integrity property) S[  ]  S[  ]

30 CSFW1430 Integrity of Policy S[  ]  S[  ] Attack circumvents or alters the policy decision made by the system.       

31 CSFW1431 Providing Robustness Identify a class of relevant attacks –Example: attacker may modify / copy files –Example: untrusted host may send bogus requests Try to verify that the system is robust vs. that class of attacks. Proof fails… system is insecure. Possible to provide enforcement mechanisms against certain classes of attacks - Protecting integrity of downgrade policy

32 CSFW1432 Future Work This is a simple model – extend definition of robustness to better models. How does robustness fit in with intransitive non-interference? We're putting the idea of robustness into practice in a distributed version of Jif.

33 CSFW1433 Conclusions It’s critical to prevent downgrading mechanisms in a system from being abused. Robustness is an attempt to capture this idea in a formal way. Suggests that integrity and confidentiality are linked in systems with declassification.

34 CSFW1434 Correction to Paper Bug-fixed version of paper available http://www.cs.cornell.edu/zdance

35 CSFW1435 A Non-Attack AA AA Uses information attacker can't see!

36 CSFW1436 Observational Equivalence  '' S[  ] ? Are  and  ' observationally equivalent with respect to  ?

37 CSFW1437 Observational Equivalence        '' '' '' '' '' '' Take the sets of traces starting at  and  '. Trc  (S) Trc  ' (S)

38 CSFW1438 Observational Equivalence        '' '' '' '' '' '' Look at the traces modulo .

39 CSFW1439 Observational Equivalence        '' '' '' '' '' '' Look at the traces modulo .

40 CSFW1440 Observational Equivalence        '' '' '' '' '' '' Obs  (S,  ) Obs  ' (S,  )

41 CSFW1441 Observational Equivalence Obs  (S,  ) Obs  ' (S,  )  Are they stutter equivalent? Yes!  S[  ]  '  =

Download ppt "Robust Declassification Steve Zdancewic Andrew Myers Cornell University."

Similar presentations

Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Challenges for Information-flow Security* Steve Zdancewic University of Pennsylvania * This talk is an attempt to be provocative and controversial.

Challenges for Information-flow Security* Steve Zdancewic University of Pennsylvania * This talk is an attempt to be provocative and controversial.
Operating System Security

Operating System Security
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.

Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.
Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.

Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.
Information Flow, Security and Programming Languages Steve Steve Zdancewic.

Information Flow, Security and Programming Languages Steve Steve Zdancewic.
Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University.

Steve Zdancewic ESOP011 Secure Information Flow and CPS Steve Zdancewic Joint work with Andrew Myers Cornell University.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Decentralized Robustness Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006.

Decentralized Robustness Stephen Chong Andrew C. Myers Cornell University CSFW 19 July 6 th 2006.
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.
CS 711 Fall 2002 Programming Languages Seminar Andrew Myers 2. Noninterference 4 Sept 2002.

CS 711 Fall 2002 Programming Languages Seminar Andrew Myers 2. Noninterference 4 Sept 2002.
CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.
Type-Based Distributed Access Control Tom Chothia, Dominic Duggan, and Jan Vitek Presented by Morgan Kleene.

Type-Based Distributed Access Control Tom Chothia, Dominic Duggan, and Jan Vitek Presented by Morgan Kleene.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.

Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Toward A Mathematical Model of Computer Security Gina Duncanson Kevin Jonas Ben Lange John Loff-Peterson Ben Neigebauer.

Toward A Mathematical Model of Computer Security Gina Duncanson Kevin Jonas Ben Lange John Loff-Peterson Ben Neigebauer.

Similar presentations

Ads by Google