Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Precise Enforcement of Policies After we have a policy, is there always a mechanism to enforce it? If so, can we devise a generic procedure for developing.

Published byAmberlynn Atkinson Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Precise Enforcement of Policies After we have a policy, is there always a mechanism to enforce it? If so, can we devise a generic procedure for developing."— Presentation transcript:

1 1 Precise Enforcement of Policies After we have a policy, is there always a mechanism to enforce it? If so, can we devise a generic procedure for developing such mechanisms? secure precise set of reachable states with mechanisms set of secure states

2 2 The A. Jones + R. Lipton Model A program p is modeled as a function p: I 1 x I 2 x...x I n  r Assumption on Observability All information available about I 1 x I 2 x...x I n are encoded in the function p(I 1,I 2, I n ) A protection mechanism: Let p: I 1 x I 2 x...x I n  r be a function. and let m(I 1,I 2, I n ) = p(I 1,I 2, I n ) or m(I 1,I 2, I n )  E That is, m produces the same output as p or an error.

3 3 A Visualization of the Model Objective is to secure a program p that takes inputs I 1 I 2... I n and outputs some r A protection mechanism m takes the same inputs I 1 I 2... I n and outputs either the same r or some error E set of reachable states without mechanisms set of secure states

4 4 The A. Jones + R. Lipton Model Cont. Definition: A confidentiality policy for p: I 1 x I 2 x...x I n  r is a function c: I 1 x I 2 x...x I n  A where A is a subset of I 1 xI 2 x...xI n Definition: A confidentiality policy c is secure with respect to a security mechanism m iff there is a function m’: A  R U E satisfying m (i 1,i 2,i n )= m’ (c(i 1,i 2,i n )) Example: consider a password accepting function auth with respect to a database Db with output {good, bad} auth: U x P x Db  {good, bad}, where Db contains pairs of (u,pwd) that are allowed. The the confidentiality policy allow(i 1,i 2,i 3 )=(i 1,i 2 ). Then there is NO function auth’ satisfying auth’(allow(i 1,i 2,i 3 ))= auth’(i 1,i 2 )= auth(i 1,i 2,i 3 )

5 5 Precision Mechanisms for enforcing policies are typically too- restrictive m 1, m 2 are distinct mechanisms for program p under same policy m 1 as precise as m 2 (m 1  m 2 ) if, for all inputs i 1, …, i n, m 2 (i 1, …, i n ) = p(i 1, …, i n )  m 1 (i 1, …, i n ) = p(i 1, …, i n ) set of reachable states without mechanisms set of secure states m1m1 m2m2

6 6 Combining Mechanisms Let m 3 = m 1  m 2 For inputs on which m 1 and m 2 outputs same value as p, m 3 does also; otherwise, m 3 returns same value as m 1 Theorem: if m 1, m 2 are secure, then m 3 is secure Also, m 3  m 1 and m 3  m 2 set of reachable states without mechanisms set of secure states m1m1 m2m2

7 7 Existence Theorem For any program p and security policy c, there exists a precise, secure mechanism m* such that, for all secure mechanisms m associated with p and c, m*  m m* =  i=1,  m i set of reachable states without mechanisms set of secure states mimi

8 8 Lack of Effective Procedure Theorem: There is no effective procedure that determines a maximally precise, secure mechanism for any policy and program. Proof analogous to that of undecidable problem However, possible to get a maximally precise secure mechanism for specific cases.

9 9 Key Points Policies describe what are (not) allowed Trust underlies everything DAC and MAC (ORCON) Formal languages are required to specify policy Precise enforcement of policies is generally difficult

10 10 Appendix 1: Fake Windows Patch Is a Windows Killer (Source: http://www.pcmag.com/article2/0,1895,1853366,00.asp) Go backhttp://www.pcmag.com/article2/0,1895,1853366,00.aspGo back From: update@microsoft.com Subject: What You Need to Know About the Zotob.A Worm. What You Should Know About Zotob Published: August 14, 2005 | Updated: August 19, 2005 Severity VirusGreen Supported Software Affected Windows All Version Microsoft Security Advisory 899588 Zotob.A Zotob.B Zotob.C Zotob.D Zotob.E Bobax.O Esbot.A Rbot.MA Rbot.MB Rbot.MC The attachment is named MS05-039.EXE. It is 21,229 bytes and is compressed with the MEW program. When the attachment is executed, it first downloads a second Trojan program, Agent.AII, and executes it. This program downloads additional malware which logs keystrokes and accesses multiple web sites. It also attempts to modify the settings of security programs on the user's computer. Zotob is a worm that targets All Windows computers and takes advantage of a security issue that was addressed by Microsoft Security Bulletin MS05-039. This worm installs malicious software, and then searches for other computers to infect. If you have installed the update released with Security Bulletin MS05-039, you are protected from Zotob and its variants. If you are using any supported version of Windows, you are not at risk.

11 11 Appendix 2: True Story about a Back Door Ken Thompson's 1983 Turing Award lecture to the ACM admitted the existence of a back door in early Unix versions that may have qualified as the most fiendishly clever security hack of all time. In this scheme, the C compiler contained code that would recognize when the `login' command was being recompiled and insert some code recognizing a password chosen by Thompson. So the compiled Unix system has a backdoor whereas the source code is clean. More amazingly, Thompson also arranged that the compiler would recognize when it was compiling a version of itself, and insert into the recompiled compiler the hack codes required to get him the password, and also to recognize itself and do the whole thing again the next time around! Consequently, when someone suspected the compiler and attempted to recompile the compiler from a clean source, he had to use the hacked compiler to recompile the compiler – which would of course be a hacked version again! The hack perpetuated itself invisibly, leaving the back door in place and active but with no trace in the sources. (See full story at http://www.acm.org/classics/sep95/)http://www.acm.org/classics/sep95/

Download ppt "1 Precise Enforcement of Policies After we have a policy, is there always a mechanism to enforce it? If so, can we devise a generic procedure for developing."

Similar presentations

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
Relational Algebra, Join and QBE Yong Choi School of Business CSUB, Bakersfield.

Relational Algebra, Join and QBE Yong Choi School of Business CSUB, Bakersfield.
1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.

1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.
Investigating Malicious Software Steve Romig The Ohio State University April 2002.

Investigating Malicious Software Steve Romig The Ohio State University April 2002.
Reflections on Trusting Trust Ken Thompson. Communication of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763. Copyright 1984, Association for Computing.

Reflections on Trusting Trust Ken Thompson. Communication of the ACM, Vol. 27, No. 8, August 1984, pp Copyright 1984, Association for Computing.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.

1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
James Tam Computer Security Concepts covered Malicious computer programs Malicious computer use Security measures.

James Tam Computer Security Concepts covered Malicious computer programs Malicious computer use Security measures.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.

Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
1 Introduction to Computability Theory Lecture13: Mapping Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture13: Mapping Reductions Prof. Amos Israeli.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:

What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Spring 2008 www.umsl.edu/~iclabs. Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.

Spring Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.
Computer Security Fundamentals by Chuck Easttom Chapter 5 Malware.

Computer Security Fundamentals by Chuck Easttom Chapter 5 Malware.
1 Lecture 24 Hiding Exploit in Compilers bootstrapping, self-generating code, tombstone diagrams Ras Bodik Mangpo and Ali Hack Your Language! CS164: Introduction.

1 Lecture 24 Hiding Exploit in Compilers bootstrapping, self-generating code, tombstone diagrams Ras Bodik Mangpo and Ali Hack Your Language! CS164: Introduction.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Chapter Nine Maintaining a Computer Part III: Malware.

Chapter Nine Maintaining a Computer Part III: Malware.

Similar presentations

Ads by Google