Title: Information Security CS 526 Lecture 20
Slide 1: Information Security CS 526 Lecture 20
Slide 2: First, A Few Slides on Encryption and Authentication
- Three ways for encryption and authentication
  - Authenticate-then-encrypt (AtE), used in SSL
    - a = MAC(x), C = E(x, a), transmit C
  - Encrypt-then-authenticate (EtA), used in IPSec
    - C = E(x), a = MAC(C), transmit (C, a)
  - Encrypt-and-authenticate (E&A), used in SSH
    - C = E(x), a = MAC(x), transmit (C, a)
- Which way provides secure communications when embedded in a protocol that runs in a real adversarial network setting?
- From the paper "The Order of Encryption and Authentication for Protecting Communications" by Hugo Krawczyk.
Slide 3: Secure Channel
- Requirement of secure channel
  - any message accepted as valid for a session by a receiving party was indeed sent by the partner to the session
  - attacker cannot learn any information about messages
  - even against an adversary that fully controls the communication channel and may learn information through responses of the participants
- Encrypt-then-authenticate (EtA) provides secure channel
  - C = E(x), a = MAC(C), transmit (C, a)
Slide 4: Using Only Encryption Schemes is Insufficient
- Given a secure stream cipher (or even one-time pad) E, consider encryption E*
  - E*(x) = E(encode(x))
  - encode(x) replaces each bit 0 with 00, and each bit 1 with either 01 or 10
  - How to decrypt?
- E*(x) is secure
- Using E* does not provide confidentiality in a real-world protocol setting
  - if the adversary flips the first two bits of E*(x) and can learn whether decryption succeeds, then the adversary learns the first bit of x
Slide 5: AtE and E&A are insecure
- Authenticate-then-encrypt (AtE) is not secure in general
  - a = MAC(x), C = E(x, a), transmit C
  - consider flipping the first two bits of C
    - if first bit of x is 0, decryption fails
    - if first bit of x is 1, decryption & MAC verification succeed
- AtE, however, can be secure for some specific encryption schemes, such as CBC or OTP (or stream ciphers)
- Encrypt-and-authenticate (E&A) is not secure in general
  - C = E(x), a = MAC(x), transmit (C, a)
  - Why?
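The tampering experiment from the two slides above, shown for both AtE and EtA, as an added example (not code from the lecture or from Krawczyk's paper). Encryption here is the slides' encode-then-stream-cipher construction; the SHAKE-256 keystream is an assumed stand-in for the secure stream cipher, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def mac(key, bits):                       # HMAC-SHA256 tag as 256 bits
    return to_bits(hmac.new(key, bytes(bits), hashlib.sha256).digest())

def keystream(key, n):                    # assumed toy stream cipher: fresh key per message
    return to_bits(hashlib.shake_256(key).digest((n + 7) // 8))[:n]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def encode(bits):                         # 0 -> 00, 1 -> 01 or 10
    out = []
    for b in bits:
        out += [0, 0] if b == 0 else secrets.choice(([0, 1], [1, 0]))
    return out

def decode(pairs):                        # a 11 pair is invalid: decryption fails
    halves = list(zip(pairs[0::2], pairs[1::2]))
    return None if (1, 1) in halves else [a | b for a, b in halves]

def ate_send(ke, km, x):                  # a = MAC(x), C = E(x, a), transmit C
    body = encode(x + mac(km, x))
    return xor(body, keystream(ke, len(body)))

def ate_accepts(ke, km, c):               # decrypt first, then check the MAC
    body = decode(xor(c, keystream(ke, len(c))))
    if body is None:
        return False
    x, a = body[:-256], body[-256:]
    return hmac.compare_digest(bytes(a), bytes(mac(km, x)))

def eta_send(ke, km, x):                  # C = E(x), a = MAC(C), transmit (C, a)
    body = encode(x)
    c = xor(body, keystream(ke, len(body)))
    return c, mac(km, c)

def eta_accepts(ke, km, c, a):            # check the MAC over C before decrypting
    if not hmac.compare_digest(bytes(a), bytes(mac(km, c))):
        return False
    return decode(xor(c, keystream(ke, len(c)))) is not None

def responses_to_flip(x):
    """Receiver's (AtE, EtA) accept decision after the first two ciphertext bits are flipped."""
    flip = lambda c: [c[0] ^ 1, c[1] ^ 1] + c[2:]
    ke, km = secrets.token_bytes(32), secrets.token_bytes(32)
    ate = ate_accepts(ke, km, flip(ate_send(ke, km, x)))
    ke, km = secrets.token_bytes(32), secrets.token_bytes(32)
    c, tag = eta_send(ke, km, x)
    return ate, eta_accepts(ke, km, flip(c), tag)
```

Under AtE the receiver's answer equals the first bit of x; under EtA the modified ciphertext is rejected whatever x is, so the response carries no information about the plaintext.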
Slide 6: Review: Discretionary Access Control
- No precise definition. Basically, DAC allows access rights to be propagated at the subject's discretion
  - often has the notion of owner of an object
  - used in UNIX, Windows, etc.
- "A means of restricting access to objects based on the identity and need-to-know of users and/or groups to which the object belongs. Controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (directly or indirectly) to any other subject."
Slide 7: Mandatory Access Control
- Mandatory access controls (MAC) restrict the access of subjects to objects based on a system-wide policy
  - denying users full control over the access to resources that they create. The system security policy (as set by the administrator) entirely determines the access rights granted
Slide 8: Outline
- Overview of BLP
- Details of BLP
- Discussions
Slide 9: Bell-LaPadula Model: A MAC Model for Achieving Multi-level Security
- Introduced in 1973
- Air Force was concerned with security in time-sharing systems
  - Many OS bugs
  - Accidental misuse
- Main Objective
  - Enable one to formally show that a computer system can securely process classified information
Slide 10: What is a Security Model?
- A model describes the system
  - e.g., a high level specification or an abstract machine description of what the system does
- A security policy
  - defines the security requirements for a given system
- Verification shows that a policy is satisfied by a system
- System Model + Security Policy = Security Model
Slide 11: Methodology in the BLP Security Model
- Define an abstract model that can be used to describe computer systems
  - the model
- Define what it means for a system in the model to be secure
  - the policy
- Develop techniques to prove that a system in the model is secure
Slide 12: Security Goal of BLP
- There are security classifications or security levels
  - Users/principals/subjects have security clearances
  - Objects have security classifications
- Example
  - Top Secret
  - Secret
  - Confidential
  - Unclassified
- In this case Top Secret > Secret > Confidential > Unclassified
- Security goal (confidentiality): ensures that information does not flow to those not cleared for that level
Slide 13: Approach of BLP
- Use state-transition systems to describe computer systems
- Define a system as secure iff every reachable state satisfies 3 properties
  - simple-security property, *-property, discretionary-security property
- Prove a Basic Security Theorem (BST)
  - so that one can prove a system is secure by proving things about the system description
Slide 14: Main Contributions of BLP
- The overall methodology to show that a system is secure
  - adopted in many later works
- The state-transition model
  - which includes an access matrix, subject security levels, object levels, etc.
- The introduction of *-property
  - ss-property is not enough to stop illegal information flow
Slide 15: Main Technical Flaws of BLP
- The BLP notion of security is neither necessary nor sufficient to stop illegal information flows
- That BLP defines security as a state-based property is too low level and limited in expressive power
- The BST fails to provide necessary and sufficient conditions for verifying a system is BLP-secure
Slide 16: The BLP Security Model Simplified
- A computer system is modeled as a state-transition system
  - In each state, there are subjects, objects, an access matrix, and the current access information
  - there are state transition rules describing how a system can go from one state to another
  - each subject is given a level, and each object is given a level
Slide 17: The BLP Security Model Simplified
- A state is secure if it satisfies
  - Simple Security Condition (no read up)
    - S can read O iff $L(S) \ge L(O)$
  - The Star Property (no write down)
    - S can write O iff $L(S) \le L(O)$
  - Discretionary-security property
    - every access is allowed by the access matrix
- A system is secure if and only if every reachable state is secure.
Slide 18: Why Mandatory No Write Down
- Unrestricted DAC allows information to flow from an object which can be read to any other object which can be written by a subject
  - does not provide multi-level security
- Suppose our users are trusted not to do this deliberately. It is still possible for Trojan Horses to copy information from one object to another.
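Slide 19: TROJAN HORSE EXAMPLE
[Figure: access control lists. File F has ACL A:r, A:w. File G has ACL B:r, A:w.]
- Principal B cannot read file F
Slide 20: TROJAN HORSE EXAMPLE
[Figure: Principal A executes Program Goodies, which contains a Trojan Horse. The program reads File F (ACL A:r, A:w) and writes File G (ACL B:r, A:w).]
- Principal B can read contents of file F copied to file G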
Slide 21: More Details in BLP
- Trusted subjects
  - some subjects are identified as trusted subjects; the star property does not apply to trusted subjects
  - why have trusted subjects?
- In the actual model, each subject has two levels: the maximum level and the current level
  - the simple security condition uses the maximum level
  - the *-property uses the current level
Slide 22: STAR-PROPERTY
- Applies to subjects (principals), not to users
- Users are trusted (must be trusted) not to disclose secret information outside of the computer system
- Subjects are not trusted because they may have Trojan Horses embedded in the code they execute
- Star-property prevents overt leakage of information and does not address the covert channel problem
Slide 23: Outline
- Overview of BLP
- Details of BLP
- Discussions
Slide 24: Alphabet
- A set $S$ of subjects
- A set $S_T$ of trusted subjects
- A set $A$ of access modes
  - $A = \{\text{execute}, \text{read}, \text{append}, \text{write}\}$
  - observation and alteration
- A set $\mathcal{O}$ of object identifiers
- A partially ordered set $\langle L, \le \rangle$ of security levels
Slide 25: States Z
- Each state $z \in Z$ is a 4-tuple $\langle O, b, M, F \rangle$
  - $O \subseteq \mathcal{O}$: objects in current state
  - $b \subseteq S \times O \times A$: current access set
  - $M : S \times O \to 2^A$: an access matrix
  - $F = \langle f_S, f_O, f_C \rangle$: security level functions
    - $f_S : S \to L$: subject maximal level
    - $f_O : O \to L$: object level
    - $f_C : S \to L$: subject current level
Slide 26: State Transitions
- A set R of requests
  - get-access(s,o,a)
  - release-access(s,o,a)
  - give-access(s1,s2,o,a)
  - rescind-access(s1,s2,o,a)
  - create-object(s,o,l)
  - reclassify-object(s,o,l)
  - destruct-object(s,o)
  - change-current-level(s,l)
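Slide 27: BLP Systems
- Definition: A system is given by $(z_0, W)$
  - $z_0$ is the initial state
  - $W \subseteq R \times D \times Z \times Z$, where $D = \{\text{yes}, \text{no}\}$
  - $(\mathit{req}, d, z, z) \in W$ defines one state transition
- Definition: An appearance of the system $(z_0, W)$ is a sequence $\langle z_0, (\mathit{req}_1, d_1, z_1), (\mathit{req}_2, d_2, z_2), \ldots, (\mathit{req}_t, d_t, z_t) \rangle$ where
  - $t$ is a natural number
  - $\forall i$ s.t. $1 \le i \le t$: $(\mathit{req}_i, d_i, z_i, z_{i-1}) \in W$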
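Slide 28: BLP Secure States
- Definition: $z = \langle O, b, M, F = \langle f_S, f_O, f_C \rangle \rangle$ is a secure state if and only if
  - $z$ satisfies the ss-property,
    - i.e., $\forall (s,o,a) \in b$: $a \in \{\text{read}, \text{write}\} \Rightarrow f_S(s) \ge f_O(o)$
  - $z$ satisfies the *-property, i.e., $\forall (s,o,a) \in b$ where $s \notin S_T$:
    - $a \in \{\text{read}, \text{write}\} \Rightarrow f_C(s) \ge f_O(o)$ (no read up)
    - $a \in \{\text{append}, \text{write}\} \Rightarrow f_C(s) \le f_O(o)$ (no write down)
  - $z$ satisfies the ds-property,
    - i.e., $\forall (s,o,a) \in b$: $a \in M_{s,o}$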
Slide 29: The *-property
- Does *-property imply ss-property? No.
  - The ss-property uses maximal level.
  - The *-property applies only to untrusted subjects
- Can one say *-property is just no-write-down? No.
  - The original BLP model doesn't require that $f_C(s) \le f_S(s)$
  - setting one's current level higher only gets less access right
Slide 30: BLP Secure Systems
- Definition: A system $(z_0, W)$ is secure iff every state in every appearance of the system is secure.
- State-based definition is limited in expressive power
  - cannot express a policy that says a state z2 occurring after a state z1 in an appearance is not acceptable
Slide 31: Is BLP Notion of Security Good?
- The objective of BLP security is to ensure
  - a subject cleared at a low level should never read information classified high
- The ss-property and the *-property are sufficient to stop such information flow at any given state.
- What about information flow across states?
Slide 32: BLP Security Is Not Sufficient!
- Consider a system with $s_1, s_2, o_1, o_2$
  - $f_S(s_1) = f_C(s_1) = f_O(o_1) = \text{high}$
  - $f_S(s_2) = f_C(s_2) = f_O(o_2) = \text{low}$
- And the following execution
  - s1 gets access to o1, reads something, releases access, then changes current level to low, gets write access to o2, writes to o2
- Every state is secure, yet illegal information flow exists
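The execution on this slide, replayed against a small checker for the three state properties, as an added example (not code from the lecture or from the BLP papers). The access matrix entries and the `seen` bookkeeping of what each subject has observed are assumptions added here to make the cross-state flow visible; the names are hypothetical.

```python
RANK = {"low": 0, "high": 1}

def secure_state(b, M, fS, fO, fC, trusted=frozenset()):
    """Check the ss-, *- and ds-property over the current access set b."""
    for s, o, a in b:
        if a in ("read", "write") and RANK[fS[s]] < RANK[fO[o]]:
            return False                      # ss-property (maximal level)
        if s not in trusted:
            if a in ("read", "write") and RANK[fC[s]] < RANK[fO[o]]:
                return False                  # *-property: no read up
            if a in ("append", "write") and RANK[fC[s]] > RANK[fO[o]]:
                return False                  # *-property: no write down
        if a not in M.get((s, o), set()):
            return False                      # ds-property
    return True

def run(trace, M, fS, fO, fC):
    """Return (was every state secure?, [(source object, lower-level target object)])."""
    b, fC = set(), dict(fC)
    seen = {s: [] for s in fS}                # assumed bookkeeping: objects each subject observed
    all_secure, flows = True, []
    for req, s, arg, *mode in trace:
        if req == "get-access":
            b.add((s, arg, mode[0]))
        elif req == "release-access":
            b.discard((s, arg, mode[0]))
        elif req == "change-current-level":
            fC[s] = arg
        all_secure &= secure_state(b, M, fS, fO, fC)
        if req == "get-access":
            if mode[0] in ("append", "write"):    # alteration: earlier observations can flow in
                flows += [(src, arg) for src in seen[s] if RANK[fO[src]] > RANK[fO[arg]]]
            if mode[0] in ("read", "write"):      # observation
                seen[s].append(arg)
    return all_secure, flows

# Constructed instance of the slide's system and execution.
fS = {"s1": "high", "s2": "low"}
fC = dict(fS)
fO = {"o1": "high", "o2": "low"}
M = {("s1", "o1"): {"read"}, ("s1", "o2"): {"write"}, ("s2", "o2"): {"read", "write"}}
SLIDE_TRACE = [("get-access", "s1", "o1", "read"), ("release-access", "s1", "o1", "read"),
               ("change-current-level", "s1", "low"), ("get-access", "s1", "o2", "write")]
```

`run(SLIDE_TRACE, M, fS, fO, fC)` reports that every state passed the per-state check while still recording a flow from o1 to o2, which is the gap a state-based definition cannot see.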
Slide 33: How to Deal With This?
- The following have been proposed
  - subject cannot change current levels
  - require a subject to forget everything when changing levels
- But the original BLP security is wrong!
- And all the fixes limit the applicability of the model
- It is not the model that is wrong, it is the definition of security that is wrong.
Slide 34: BLP Security Is Not Necessary!
- Consider a system with only $s_1, s_2, o_1, o_2$
  - $f_S(s_1) = f_C(s_1) = f_O(o_1) = \text{high}$
  - $f_S(s_2) = f_C(s_2) = f_O(o_2) = \text{low}$
- And an access matrix s.t. s2 cannot access o2
- And the following execution
  - s1 gets access to o1, and gets write access to o2, then the state violates *-property
- Why is this system bad?
Slide 35: Summary of Issues with BLP Notion of Security
- BLP notion of security is neither sufficient nor necessary to stop illegal information flow (through overt channels)
- The state-based approach is too low level and limited in expressive power
Slide 36: How to Fix The BLP Notion of Security?
- May need to differentiate externally visible objects from other objects
  - e.g., a printer is different from a memory object
- State-sequence based property
  - e.g., there exists no sequence of states such that there is an information path from a high object to a low externally visible object or to a low subject
Slide 37: Outline
- Overview of BLP
- Details of BLP
- Discussions
Slide 38: Basic Security Theorem
- Restatement of the Basic Security Theorem: A system $(z_0, W)$ is a secure system if and only if $z_0$ is a secure state and each action of the system leads the system into a secure state.
- Given a system $(z_0, W)$, an element of $W$ is an action of the system iff there is an appearance of the system that uses it
Slide 39: Observations of the BST
- The BST is a result of defining security as a state-based property.
- The BST cannot be used to justify the BLP notion of security
  - This is McLean's main point in his papers
    - "A Comment on the Basic Security Theorem of Bell and LaPadula" (1985)
    - "Reasoning About Security Models" (1987)
    - "The Specification and Modeling of Computer Security" (1990)
Slide 40: Observations of the BST
- The BST intends to provide a necessary and sufficient condition for verifying that a system is secure without running the system
  - McLean 90: "The most notable theorem known about BLP-security is called the Basic Security Theorem (BST), which gives necessary and sufficient conditions for a system starting in a secure state to never reach a non-secure state."
Slide 41: BST and Static Verification of Security
- Can one use BST to verify whether a system is secure or not without running the system?
- Repeat of BST: A system $(z_0, W)$ is a secure system if and only if $z_0$ is a secure state and each action of the system leads the system into a secure state.
Slide 42: BST and Static Verification of Security
- Yes and No.
  - if every element of $W$ leads the system into a secure state, then the system is secure
  - if some element of $W$ leads the system into an insecure state, then we don't know whether the system is secure
    - as we don't know whether that element is an action or not
- BST provides effectively only sufficient (but not necessary) conditions.
Slide 43: McLean's Criticism of BLP
- BST cannot be used to justify BLP security
  - McLean 1985: if one defines security to be any other state-based property, BST still holds
  - Defense (Bell 1988): exactly what is security is outside the model
- McLean 1987: System Z, which defines a state change that downgrades everything
  - Defense 1: Tranquility principle disallows that
  - Defense 2: If such state change is desired, then fine.
Slide 44: McLean's Criticism of BLP
- In McLean 1990, McLean tries to justify BLP security using an alternative notion of secure transition, but admitted failure
- We believe that the BLP notion of security is inherently problematic
- Tranquility principle
  - the classification of active objects will not change during normal operation.
Slide 45: Issues with BLP
- Deals only with confidentiality,
  - does not deal with integrity at all
- Does not deal with information flow through covert channels
- The approach of defining a secure system to be one in which every reachable state is secure is flawed
  - in a system that is secure according to BLP, a subject can read high, change current level to low, then write low.
  - to address this problem, need to require
    - subject cannot change current levels
    - or ensure a subject forgets everything when changing levels
  - information flow security is not a per-state property
Slide 46: Overt (Explicit) Channels vs. Covert Channels
- Security objective of MLS in general, BLP in particular
  - high-classified information cannot flow to low-cleared users
- Overt channels of information flow
  - read/write an object
- Covert channels of information flow
  - communication channel based on the use of system resources not normally intended for communication between the subjects (processes) in the system
Slide 47: Examples of Covert Channels
- Using file lock as a shared boolean variable
- By varying its ratio of computing to input/output or its paging rate, the service can transmit information to a concurrently running process
- Covert channels are often noisy
- However, information theory and coding theory can be used to encode and decode information through noisy channels
Slide 48: More on Covert Channels
- Covert channels cannot be blocked by *-property
- It is generally very difficult, if not impossible, to block all covert channels
- One can try to limit the bandwidth of covert channels
- Military requires cryptographic components be implemented in hardware
  - to avoid trojan horse leaking keys through covert channels
Slide 49: More on MLS Security Levels
- Used as attributes of both subjects & objects
  - clearance & classification
- Typical military security levels
  - top secret > secret > confidential > unclassified
- Typical commercial security levels
  - restricted > proprietary > sensitive > public
Slide 50: Security Categories
- Also known as compartments
- Typical military security categories
  - army, navy, air force
  - nato, nasa, noforn
- Typical commercial security categories
  - Sales, R&D, HR
  - Dept A, Dept B, Dept C
Slide 51: Security Labels
- $\text{Labels} = \text{Levels} \times \mathcal{P}(\text{Categories})$
- Define an ordering relationship among Labels
  - $(e_1, C_1) \le (e_2, C_2)$ iff $e_1 \le e_2$ and $C_1 \subseteq C_2$
- This ordering relation is a partial order
  - reflexive, transitive, anti-symmetric
  - e.g., ?
- All security labels form a lattice
Slide 52: An Example Security Lattice
- levels = {top secret, secret}
- categories = {army, navy}
[Figure: lattice diagram with the nodes (Top Secret, {army, navy}), (Top Secret, {army}), (Top Secret, {navy}), (Secret, {army, navy}), (Top Secret, {}), (Secret, {navy}), (Secret, {army}), (Secret, {})]
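The label ordering from the two slides above, applied to the example's levels and categories to recompute the lines of the lattice diagram, as an added example (not code from the lecture). The function names are hypothetical, and `can_read` assumes the "no read up" rule is applied to full labels rather than to bare levels.

```python
from itertools import combinations

LEVELS = ["secret", "top secret"]          # listed lowest first
CATEGORIES = ["army", "navy"]

def all_labels():
    """Levels x P(Categories): every (level, category set) pair."""
    subsets = [frozenset(c) for r in range(len(CATEGORIES) + 1)
               for c in combinations(CATEGORIES, r)]
    return [(lvl, cats) for lvl in LEVELS for cats in subsets]

def leq(l1, l2):
    """(e1, C1) <= (e2, C2) iff e1 <= e2 and C1 is a subset of C2."""
    return LEVELS.index(l1[0]) <= LEVELS.index(l2[0]) and l1[1] <= l2[1]

def lub(l1, l2):
    """Least upper bound: higher level, union of categories."""
    return (max(l1[0], l2[0], key=LEVELS.index), l1[1] | l2[1])

def glb(l1, l2):
    """Greatest lower bound: lower level, intersection of categories."""
    return (min(l1[0], l2[0], key=LEVELS.index), l1[1] & l2[1])

def hasse_edges():
    """Pairs (lower, upper) with no label strictly between them: the diagram's lines."""
    ls = all_labels()
    return [(lo, hi) for lo in ls for hi in ls
            if lo != hi and leq(lo, hi)
            and not any(m not in (lo, hi) and leq(lo, m) and leq(m, hi) for m in ls)]

def can_read(subject_label, object_label):
    """No read up on labels: the subject's label must dominate the object's."""
    return leq(object_label, subject_label)
```

A (top secret, {navy}) subject cannot read a (secret, {army}) object even though its level is higher, because the two labels are incomparable; that is how categories carry need-to-know.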
Slide 53: The need-to-know principle
- Even if someone has all the necessary official approvals (such as a security clearance) to access certain information, they should not be given access to such information unless they have a need to know: that is, unless access to the specific information is necessary for the conduct of one's official duties.
- Can be implemented using categories and/or DAC
Slide 54: Coming Attractions
- Non-interference and non-deducibility