1 Precise Enforcement of Policies After we have a policy, is there always a mechanism to enforce it? If so, can we devise a generic procedure for developing.

Presentation transcript:

1 Precise Enforcement of Policies
After we have a policy, is there always a mechanism to enforce it? If so, can we devise a generic procedure for developing such mechanisms?
[Figure: secure vs. precise; set of reachable states with mechanisms; set of secure states]

2 The A. Jones + R. Lipton Model
A program $p$ is modeled as a function $p: I_1 \times I_2 \times \dots \times I_n \to r$.
Assumption on observability: all information available about $I_1 \times I_2 \times \dots \times I_n$ is encoded in the function $p(I_1, I_2, \dots, I_n)$.
A protection mechanism: let $p: I_1 \times I_2 \times \dots \times I_n \to r$ be a function, and let $m(I_1, I_2, \dots, I_n) = p(I_1, I_2, \dots, I_n)$ or $m(I_1, I_2, \dots, I_n) \in E$. That is, $m$ produces the same output as $p$ or an error.

3 A Visualization of the Model
Objective is to secure a program $p$ that takes inputs $I_1, I_2, \dots, I_n$ and outputs some $r$.
A protection mechanism $m$ takes the same inputs $I_1, I_2, \dots, I_n$ and outputs either the same $r$ or some error $E$.
[Figure: set of reachable states without mechanisms; set of secure states]

4 The A. Jones + R. Lipton Model Cont.
Definition: A confidentiality policy for $p: I_1 \times I_2 \times \dots \times I_n \to r$ is a function $c: I_1 \times I_2 \times \dots \times I_n \to A$, where $A$ is a subset of $I_1 \times I_2 \times \dots \times I_n$.
Definition: A confidentiality policy $c$ is secure with respect to a security mechanism $m$ iff there is a function $m': A \to R \cup E$ satisfying $m(i_1, i_2, \dots, i_n) = m'(c(i_1, i_2, \dots, i_n))$.
Example: consider a password-accepting function $auth$ with respect to a database $Db$, with output $\{good, bad\}$: $auth: U \times P \times Db \to \{good, bad\}$, where $Db$ contains the pairs $(u, pwd)$ that are allowed. Take the confidentiality policy $allow(i_1, i_2, i_3) = (i_1, i_2)$. Then there is NO function $auth'$ satisfying $auth'(allow(i_1, i_2, i_3)) = auth'(i_1, i_2) = auth(i_1, i_2, i_3)$.

5 Precision
Mechanisms for enforcing policies are typically too restrictive.
$m_1$, $m_2$ are distinct mechanisms for program $p$ under the same policy.
$m_1$ is as precise as $m_2$ ($m_1 \approx m_2$) if, for all inputs $i_1, \dots, i_n$, $m_2(i_1, \dots, i_n) = p(i_1, \dots, i_n) \Rightarrow m_1(i_1, \dots, i_n) = p(i_1, \dots, i_n)$.
[Figure: set of reachable states without mechanisms; set of secure states; $m_1$, $m_2$]

6 Combining Mechanisms
Let $m_3 = m_1 \cup m_2$.
For inputs on which $m_1$ and $m_2$ output the same value as $p$, $m_3$ does also; otherwise, $m_3$ returns the same value as $m_1$.
Theorem: if $m_1$, $m_2$ are secure, then $m_3$ is secure. Also, $m_3 \approx m_1$ and $m_3 \approx m_2$.
[Figure: set of reachable states without mechanisms; set of secure states; $m_1$, $m_2$]

7 Existence Theorem
For any program $p$ and security policy $c$, there exists a precise, secure mechanism $m^*$ such that, for all secure mechanisms $m$ associated with $p$ and $c$, $m^* \approx m$.
$m^* = \bigcup_{i=1}^{\infty} m_i$
[Figure: set of reachable states without mechanisms; set of secure states; $m_i$]

8 Lack of Effective Procedure
Theorem: There is no effective procedure that determines a maximally precise, secure mechanism for any policy and program.
Proof is analogous to that of an undecidable problem.
However, it is possible to get a maximally precise secure mechanism for specific cases.
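The definitions on slides 4 to 7, worked through for one specific case where exhaustive search is possible: a small finite input domain. This is an added example, not part of the original slides; the function names, the single error value `ERR`, and the sample users, passwords and databases are assumptions, and slide 6's "m1 and m2" is read as "either m1 or m2", the reading under which m3 is as precise as both.

```python
from itertools import product

ERR = "E"  # assumption: the slides' error set E collapsed to a single value

def is_secure(m, c, inputs):
    """m is secure for policy c iff m = m' o c for some m'. On a finite domain
    that means: inputs with the same c-image always get the same m output."""
    seen = {}
    return all(seen.setdefault(c(*i), m(*i)) == m(*i) for i in inputs)

def as_precise(m1, m2, p, inputs):
    """m1 is as precise as m2: wherever m2 returns p's value, so does m1."""
    return all(m1(*i) == p(*i) for i in inputs if m2(*i) == p(*i))

def union(m1, m2, p):
    """m3 = m1 U m2: p's value where m1 or m2 returns it, otherwise m1's value."""
    return lambda *i: p(*i) if p(*i) in (m1(*i), m2(*i)) else m1(*i)

def most_precise(p, c, inputs):
    """Finite-domain m*: release p(i) only if p is constant on i's c-class."""
    classes = {}
    for i in inputs:
        classes.setdefault(c(*i), set()).add(p(*i))
    return lambda *i: p(*i) if len(classes[c(*i)]) == 1 else ERR

# Constructed sample data: two users, two passwords, two candidate databases.
DB_A = frozenset({("alice", "pw1")})
DB_B = frozenset({("alice", "pw1"), ("bob", "pw2")})
INPUTS = list(product(["alice", "bob"], ["pw1", "pw2"], [DB_A, DB_B]))

def auth(u, pw, db):           # the program p from slide 4
    return "good" if (u, pw) in db else "bad"

def allow(u, pw, db):          # the policy c: only (user, password) is visible
    return (u, pw)

m_star = most_precise(auth, allow, INPUTS)
m1 = lambda u, pw, db: m_star(u, pw, db) if u == "alice" else ERR   # partial mechanism
m2 = lambda u, pw, db: m_star(u, pw, db) if pw == "pw1" else ERR    # partial mechanism
m3 = union(m1, m2, auth)

if __name__ == "__main__":
    print("auth secure under allow:", is_secure(auth, allow, INPUTS))
    print("m3 secure:", is_secure(m3, allow, INPUTS))
    print("m* denies:", sorted({i[:2] for i in INPUTS if m_star(*i) == ERR}))
```

Only the pair whose answer depends on the hidden database is denied by m*; every other input keeps the output of auth.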

9 Key Points
- Policies describe what are (not) allowed
- Trust underlies everything
- DAC and MAC (ORCON)
- Formal languages are required to specify policy
- Precise enforcement of policies is generally difficult

10 Appendix 1: Fake Windows Patch Is a Windows Killer
(Source: http://
From:
Subject: What You Need to Know About the Zotob.A Worm.
What You Should Know About Zotob
Published: August 14, 2005 | Updated: August 19, 2005
Severity: VirusGreen
Supported Software Affected: Windows All Version
Microsoft Security Advisory: Zotob.A Zotob.B Zotob.C Zotob.D Zotob.E Bobax.O Esbot.A Rbot.MA Rbot.MB Rbot.MC
Zotob is a worm that targets All Windows computers and takes advantage of a security issue that was addressed by Microsoft Security Bulletin MS This worm installs malicious software, and then searches for other computers to infect. If you have installed the update released with Security Bulletin MS05-039, you are protected from Zotob and its variants. If you are using any supported version of Windows, you are not at risk.
The attachment is named MS EXE. It is 21,229 bytes and is compressed with the MEW program. When the attachment is executed, it first downloads a second Trojan program, Agent.AII, and executes it. This program downloads additional malware which logs keystrokes and accesses multiple web sites. It also attempts to modify the settings of security programs on the user's computer.

11 Appendix 2: True Story about a Back Door
Ken Thompson's 1983 Turing Award lecture to the ACM admitted the existence of a back door in early Unix versions that may have qualified as the most fiendishly clever security hack of all time. In this scheme, the C compiler contained code that would recognize when the `login' command was being recompiled and insert some code recognizing a password chosen by Thompson. So the compiled Unix system has a backdoor whereas the source code is clean. More amazingly, Thompson also arranged that the compiler would recognize when it was compiling a version of itself, and insert into the recompiled compiler the hack codes required to get him the password, and also to recognize itself and do the whole thing again the next time around! Consequently, when someone suspected the compiler and attempted to recompile the compiler from a clean source, he had to use the hacked compiler to recompile the compiler, which would of course be a hacked version again! The hack perpetuated itself invisibly, leaving the back door in place and active but with no trace in the sources. (See full story at