CSCE 548 Secure Software Development Information Leakage

About This Presentation

Title:

CSCE 548 Secure Software Development Information Leakage

Description:

Information leakage: designers and developers DO NOT understand ... Macro-statistics: collections of related statistics presented in 2-dimensional tables ... – PowerPoint PPT presentation

Number of Views:113

Avg rating:3.0/5.0

Slides: 31

Provided by: far1

Category:

more less

Transcript and Presenter's Notes

Title: CSCE 548 Secure Software Development Information Leakage

1
CSCE 548 Secure Software DevelopmentInformation
Leakage
2
Reading

For student presentation
Howard et al. Chapter 4
This lecture
Howard et al. Chapter 13
Recommended
I. Moskowitz, M. H. Kang Covert Channels Here
to Stay? http//citeseer.nj.nec.com/cache/papers/c
s/1340/httpzSzzSzwww.itd.nrl.navy.milzSzITDzSz554
0zSzpublicationszSzCHACSzSz1994zSz1994moskowitz-co
mpass.pdf/moskowitz94covert.pdf
Jajodia, Meadows Inference Problems in
Multilevel Secure Database Management Systems
http//www.acsac.org/secshelf/book001/book001.html
, essay 24
Next lecture
Howard et al. Chapter 6

3
Information Leakage

By accident
By intention

4
Communication Channels

Overt Channel designed into a system and
documented in the user's manual
Information leakage designers and developers DO
NOT understand security needs of the application
Covert Channel not documented. Covert channels
may be deliberately inserted into a system, but
most such channels are accidents of the system
design.
Information leakage slow information flow to
unauthorized recipient

5
Information Flow

Direct Flow
Bell-LaPadula example
Indirect flow
Covert channel
Inference channel

TS-subject
TS-object
info- flow
info- flow
read
write
S-object
S-subject
6
Non-Interference

High-security data does not influence lower
security data
How to guarantee it?

7
Covert Channel

Timing Channel based on system times
Storage channel not time related communication
Can be turned into each other

8
Covert Channel

Need
Two active participants and encoding schema OR
Access to the system and knowledge about the
system
Example sender modulates the CPU utilization
level with the data stream to be transmitted
Sender
repeat get a bit to send
if the bit is 1 wait one second (don't use CPU
time)
else busy wait one second (use CPU time)
endif
until done

9
Covert Channels

Problems
Noise
Need sophisticated synchronization
Protection (user state, system state)
Removal
Slow down
Audit

10
Cryptographic Timing Attack

How long does it take to perform encryption
Table look ups
Non-constant time
Partial guesses ? faster performance
Measure the duration between messages, where
message content depends on secret data

11
Inference Channels
Sensitive Information

Non-sensitive
information

Meta-data

12
Inference Channels

Statistical Database Inferences
General Purpose Database Inferences

13
Statistical Databases

Goal provide aggregate information about groups
of individuals
E.g., average grade point of students
Security risk specific information about a
particular individual
E.g., grade point of student John Smith
Meta-data
Working knowledge about the attributes
Supplementary knowledge (not stored in database)

14
Types of Statistics

Macro-statistics collections of related
statistics presented in 2-dimensional tables
Micro-statistics Individual data records used
for statistics after identifying information is
removed

15
Statistical Compromise

Exact compromise find exact value of an
attribute of an individual (e.g., John Smiths
GPA is 3.8)
Partial compromise find an estimate of an
attribute value corresponding to an individual
(e.g., John Smiths GPA is between 3.5 and 4.0)

16
Methods of Attacks and Protection

Small/Large Query Set Attack
C characteristic formula that identifies groups
of individuals
If C identifies a single individual I, e.g.,
count(C) 1
Find out existence of property
If count(C and D)1 means I has property D
If count(C and D)0 means I does not have D
OR
Find value of property
Sum(C, D), gives value of D

17
Prevention

Protection from small/large query set attack
query-set-size control
A query q(C) is permitted only if
N-n ? C ? n , where n ? 0 is a parameter of
the database and N is all the records in the
database

18
Statistical Inference Theory

Give unlimited number of statistics and correct
statistical answers, all statistical databases
can be compromised (Ullman)

19
Inferences in General-Purpose Databases

Queries based on sensitive data
Inference via database constraints
Inferences via updates

20
Queries based on sensitive data

Sensitive information is used in selection
condition but not returned to the user.
Example Salary secret, Name public
?Name?Salary25,000
Protection apply query of database views at
different security levels

21
Database Constraints

Integrity constraints
Database dependencies
Key integrity

22
Integrity Constraints

CAB
Apublic, Cpublic, and Bsecret
B can be calculated from A and C, i.e., secret
information can be calculated from public data

23
Database Dependencies

Metadata
Functional dependencies
Multi-valued dependencies
Join dependencies
etc.

24
Functional Dependency

FD A ? B, that is for any two tuples in the
relation, if they have the same value for A, they
must have the same value for B.
Example FD Rank ? Salary
Secret information Name and Salary together
Query1 Name and Rank
Query2 Rank and Salary
Combine answers for query1 and 2 to reveal Name
and Salary together

25
Key integrity