Information flow and policy
Foundational results
● Access Control Matrix
– Formally undecidable if a right leaks
● Take-grant model
– Transitive closure
Policies
● Confidentiality
– Bell-LaPadula: no reads up, no writes down
● Integrity
– Biba’s low-water-mark policy (if you read it, your integrity becomes the
minimum of what it is already and that of what you read)
– Biba’s ring policy (read if you’re interested)
– Biba’s Model (Bell-LaPadula upside down)
– Lipner (read if you’re interested) and Clark-Wilson (for business)
● Availability Hybrid Policies
– Chinese Wall model (for conflicts of interest)
– CISSP (had its acronym stolen)
Lattice = partial ordering
Plagiarized from
http://www.cs.cornell.edu/courses/cs5430/2012sp/mls.gif
http://www.cs.cornell.edu/courses/cs5430/2012sp/mls.gif
Chinese Wall Model
Plagiarized from http://www.cs.cornell.edu/courses/cs5430/2012sp/chinWall.gif
http://www.cs.cornell.edu/courses/cs5430/2012sp/chinWall.gif
Mechanisms
● Mandatory Access Control
– System won’t let users change, like SELinux
● Discretionary Access Control
– Users can change, like UNIX file permissions
● Capabilities vs. access control lists
● Weak Windows DACLs is a fascinating topic
– https://www.nccgroup.trust/uk/about-us/newsroom-and-events/b
logs/2013/november/windows-dacls-why-there-is-still-room-for-i
nterest/
– Gray Hat Hacking, 4th Edition by Harper et al.
– https://www.blackhat.com/presentations/bh-dc-07/Cerrudo/Pape
r/bh-dc-07-Cerrudo-WP.pdf
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2013/november/windows-dacls-why-there-is-still-room-for-interest/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2013/november/windows-dacls-why-there-is-still-room-for-interest/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2013/november/windows-dacls-why-there-is-still-room-for-interest/
https://www.blackhat.com/presentations/bh-dc-07/Cerrudo/Paper/bh-dc-07-Cerrudo-WP.pdf
https://www.blackhat.com/presentations/bh-dc-07/Cerrudo/Paper/bh-dc-07-Cerrudo-WP.pdf
Information flow
● Multi-Level Security (Top Secret, Secret,
Unclassified, etc. all on the same machine)
– Kind of a stupid idea (think rainbow series)
● Noninterference (Goguen and Meseguer in 1982)
– “A computer has the non-interference property if and
only if any sequence of low inputs will produce the
same low outputs, regardless of what the high level
inputs are.” (https://en.wikipedia.org/wiki/Non-
interference_(security))
Information flow
(continued)
● Denning’s Lattice-based access control (1976)
● Fenton’s Data Mark Machine (1974)
● Dynamic Information Flow Tracking (Suh et al.,
ASPLOS 2004, Crandall and Chong MICRO
2004)
– A.k.a. Dynamic Taint Analysis (Newsome and Song 2005)
– Indirect flows are a problem
x = A[y] if (y==1)
X = 1
Implicit flows
if (y == 1)
x = 1
Even if y != 1, information flows from y to x
Covert channels
● Confinement problem
– Defined by Lampson in 1973
● Covert channel = path of communication that was not
designed to be used for communication [Bishop, Chapter 17]
● Lipner (1975) distinguishes between timing channels and
storage channels
– Kemmerer’s (1983) Shared Resource Matrix Methodology can be
used for storage channels, basically a transitive closure
– Wray (1992) considered timing channels, can compare all pairs of
“clocks”
Examples of covert channels
● Hard drive timings
● Locks
Side channels
● Covert channels assume collusion
● Side channels can be used to infer information
– Key stroke timings leaking through entropy pool
(Silence on the Wire by Zalewski)
– Keyboard Acoustic Emanations
https://www.davidsalomon.name/CompSec/auxiliary/K
ybdEmanation.pdf
– Cache missing for fun and profit
http://www.daemonology.net/papers/cachemissing.pdf
● “Information wants to be free”
https://www.davidsalomon.name/CompSec/auxiliary/KybdEmanation.pdf
https://www.davidsalomon.name/CompSec/auxiliary/KybdEmanation.pdf
http://www.daemonology.net/papers/cachemissing.pdf
Examples of side channels
● Microarchitectural
● TCP/IP side channels
● Crypto timing channels in power, over the
network, etc.
Thomas Jefferson said…
“That ideas should freely spread from one to
another over the globe, for the moral and mutual
instruction of man, and improvement of his
condition, seems to have been peculiarly and
benevolently designed by nature, when she made
them, like fire, expansible over all space, without
lessening their density in any point, and like the
air in which we breathe, move, and have our
physical being, incapable of confinement or
exclusive appropriation.”
https://www.computerhope.com/jargon/m/meltdown-and-spectre.htm
Resources
● Cryptography and Data Security by Dorothy
Elizabeth Denning
● Computer Security: Art and Science by Matt
Bishop
● The Light Pink Book
● https://www.youtube.com/watch?v=kO8x8eoU3
L4
Slide 1
Slide 2
Slide 3
Slide 4
Slide 5
Slide 6
Slide 7
Slide 8
Slide 9
Slide 10
Slide 11
Slide 12
Slide 13
Slide 14
Slide 15
Slide 16
Slide 17
Slide 18