Information Security CS 526 Lecture 20 - PowerPoint PPT Presentation

1 / 54
About This Presentation
Title:

Information Security CS 526 Lecture 20

Description:

First, A Few Slides on Encryption and Authentication. Three ways for ... consider flipping the first two bits of C. if first bit of x is 0, decryption fails ... – PowerPoint PPT presentation

Number of Views:31
Avg rating:3.0/5.0
Slides: 55
Provided by: NINGH7
Category:

less

Transcript and Presenter's Notes

Title: Information Security CS 526 Lecture 20


1
Information Security CS 526Lecture 20
  • The Bell-LaPadupa Model

2
First, A Few Slides on Encryption and
Authentication
  • Three ways for encryption and authentication
  • Authenticate-then-encrypt (AtE), used in SSL
  • a MAC(x), CE(x,a), transmit C
  • Encrypt-then-authenticate (EtA), used in IPSec
  • CE(x), aMAC(C), transmit (C,a)
  • Encrypt-and-authenticate (EA), used in SSH
  • CE(x), aMAC(x), transmit (C,a)
  • Which way provides secure communications when
    embedded in a protocol that runs in a real
    adversarial network setting?
  • From the paper The Order of Encryption and
    Authentication for Protecting Communications by
    Hugo Krawzyck.

3
Secure Channel
  • Requirement of secure channel
  • any message accepted as valid for a session by a
    receiving party was indeed sent by the partner to
    the session
  • attacker cannot learn any information about
    messages
  • even against an adversary that fully controls the
    communication channel and may learn information
    through responses of the participants
  • Encrypt-then-authenticate (EtA) provides secure
    channel
  • CE(x), aMAC(C), transmit (C,a)

4
Using Only Encryption Schemes is Insufficient
  • Given a secure stream cipher (or even one-time
    pad) E, Consider encryption E
  • Ex Eencodex
  • encodex replaces each bit 0 with 00, and bit 1
    with either 01 or 10.
  • How to decrypt?
  • Ex is secure
  • Using E does not provide confidentiality in a
    real world protocol setting
  • if adversary flips the first two bits of Ex
    and can learn whether decryption succeeds, then
    the adversary learns the first bit of x

5
AtE and EA are insecure
  • Authenticate-then-encrypt (AtE) is not secure in
    general
  • a MAC(x), CE(x,a), transmit C
  • consider flipping the first two bits of C
  • if first bit of x is 0, decryption fails
  • if first bit of x is 1, decryption MAC
    verification succeeds.
  • AtE, however, can be secure for some specific
    encryption schemes, such as CBC or OTP (or stream
    ciphers)
  • Encrypt-and-authenticate (EA) is not secure in
    general
  • CE(x), aMAC(x), transmit (C,a)
  • Why?

6
Review Discretionary Access Control
  • No precise definition. Basically, DAC allows
    access rights to be propagated at subjects
    discretion
  • often has the notion of owner of an object
  • used in UNIX, Windows, etc.
  • "A means of restricting access to objects based
    on the identity and need-to-know of users and/or
    groups to which the object belongs. Controls are
    discretionary in the sense that a subject with a
    certain access permission is capable of passing
    that permission (directly or indirectly) to any
    other subject."

7
Mandatory Access Control
  • Mandatory access controls (MAC) restrict the
    access of subjects to objects based on a
    system-wide policy
  • denying users full control over the access to
    resources that they create. The system security
    policy (as set by the administrator) entirely
    determines the access rights granted

8
Outline
  • Overview of BLP
  • Details of BLP
  • Discussions

9
Bell-LaPadula Model A MAC Model for Achieving
Multi-level Security
  • Introduce in 1973
  • Air Force was concerned with security in
    time-sharing systems
  • Many OS bugs
  • Accidental misuse
  • Main Objective
  • Enable one to formally show that a computer
    system can securely process classified information

10
What is a Security Model?
  • A model describes the system
  • e.g., a high level specification or an abstract
    machine description of what the system does
  • A security policy
  • defines the security requirements for a given
    system
  • Verification shows that a policy is satisfied by
    a system
  • System Model Security Policy Security Model

11
Methodology in the BLP Security Model
  • Define an abstract model that can be used to
    describe computer systems.
  • the model
  • Define what does it mean for a system in the
    model to be secure.
  • the policy
  • Develop techniques to prove that a system in the
    model is secure

12
Security Goal of BLP
  • There are security classifications or security
    levels
  • Users/principals/subjects have security
    clearances
  • Objects have security classifications
  • Example
  • Top Secret
  • Secret
  • Confidential
  • Unclassified
  • In this case Top Secret gt Secret gt Confidential gt
    Unclassified
  • Security goal (confidentiality) ensures that
    information do not flow to those not cleared for
    that level

13
Approach of BLP
  • Use state-transition systems to describe computer
    systems
  • Define a system as secure iff. every reachable
    state satisfies 3 properties
  • simple-security property, -property,
    discretionary-security property
  • Prove a Basic Security Theorem (BST)
  • so that one can prove a system is secure by
    proving things about the system description

14
Main Contributions of BLP
  • The overall methodology to show that a system is
    secure
  • adopted in many later works
  • The state-transition model
  • which includes an access matrix, subject security
    levels, object levels, etc.
  • The introduction of -property
  • ss-property is not enough to stop illegal
    information flow

15
Main Technical Flaws of BLP
  • The BLP notion of security is neither necessary
    nor sufficient to stop illegal information flows
  • That BLP defines security as a state-based
    property is too low level and limited in
    expressive power
  • The BST fails to provide necessary and sufficient
    conditions for verifying a system is BLP-secure

16
The BLP Security Model Simplified
  • A computer system is modeled as a
    state-transition system
  • In each state, there are subjects, objects, an
    access matrix, and the current access information
  • there are state transition rules describing how a
    system can go from one state to another
  • each subject is given a level, and each object is
    given a level

17
The BLP Security Model Simplified
  • A state is secure if it satisfies
  • Simple Security Condition (no read up)
  • S can read O iff L(S) L(O)
  • The Star Property (no write down)
  • S can write O iff L(S) L(O)
  • Discretionary-security property
  • every access is allowed by the access matrix
  • A system is secure if and only if every reachable
    state is secure.

18
Why Mandatory No Write Down
  • Unrestricted DAC allows information from an
    object which can be read to any other object
    which can be written by a subject
  • do not provide multi-level security
  • Suppose our users are trusted not to do this
    deliberately. It is still possible for Trojan
    Horses to copy information from one object to
    another.

19
TROJAN HORSE EXAMPLE
ACL
File F
Ar Aw
File G
Br Aw
Principal B cannot read file F
20
TROJAN HORSE EXAMPLE
ACL
Principal A
executes
File F
Ar Aw
read
Program Goodies
Trojan Horse
File G
Br Aw
write
  • Principal B can read contents of file F copied to
    file G

21
More Details in BLP
  • Trusted subjects
  • some subjects are identified as trusted subjects,
    the star property does not apply to trusted
    subjects
  • why having trusted subjects?
  • In the actual model, each subject has two levels
    the maximum level and the current level
  • the simple security condition uses the maximum
    level
  • the -property uses the current level

22
STAR-PROPERTY
  • Applies to subjects (principals) not to users
  • Users are trusted (must be trusted) not to
    disclose secret information outside of the
    computer system
  • Subjects are not trusted because they may have
    Trojan Horses embedded in the code they execute
  • Star-property prevents overt leakage of
    information and does not address the covert
    channel problem

23
Outline
  • Overview of BLP
  • Details of BLP
  • Discussions

24
Alphabet
  • A set S of subjects
  • A set ST of trusted subjects
  • A set A of access modes
  • A execute, read, append, write
  • observation and alteration
  • A set of O of object identifiers
  • A partially ordered set ?L, ?? of security levels

25
States Z
  • Each state z ? Z is a 4-tuple ?? O, b, M, F ?
  • O ? O objects in current state
  • b ? S ?O ? A current access set
  • M S ? O?? 2A an access matrix
  • F ? fS, fO, fC ? security level functions
  • fS S ? L subject maximal level
  • fO O ? L object level
  • fC S ? L subject current level

26
State Transitions
  • A set R of requests
  • get-access(s,o,a)
  • release-acess(s,o,a)
  • give-access(s1,s2,o,a)
  • rescind-access(s1,s2,o,a)
  • create-object(s,o,l)
  • reclassify-object(s,o, l)
  • destruct-object(s,o)
  • change-current-level(s, l)

27
BLP Systems
  • Definition A system is given by (z0,W)
  • z0 is the initial state
  • W½ R ? D ? Z ? Z D yes, no
  • (req, d, z, z)2W defines one state transition
  • Definition An appearance of the system (z0,W) is
    a sequence h z0, (req1,d1,z1), (req2,d2,z2), ?,
    (reqt,dt,zt) i where
  • t is a natural number
  • ?? i s.t. 1 ? I ? t (reqi,di,zi,zi-1) ? W

28
BLP Secure States
  • Definition z?O, b, M, F?fS,fO,fC?? is a secure
    state if and only if
  • z satisfies the ss-property,
  • i.e., ? (s,o,a) ? b (a2 read,write ) fS(s) ?
    fO(o)
  • z satisfies the -property, i.e., ? (s,o,a)
    ? b where s ? ST
  • a ? read,write ?? fC(s) ? fO(o) no read up
  • a ? append,write?? fC(s) ? fO(o) no write down
  • z satisfies the ds-property,
  • i.e., ? (s,o,a) ? b ? a ? Ms,o

29
The -property
  • Does -property imply ss-property? No.
  • The ss-property uses maximal level.
  • The -property applies only to untrusted subjects
  • Can one say -property is just no-write-down?
    No.
  • The original BLP model doesnt require that
    fC(s) ? fS(s)
  • setting ones current level higher only gets less
    access right

30
BLP Secure Systems
  • Definition A system (z0,W) is secure iff. every
    state in every appearance of the system is
    secure.
  • State-based definition is limited in expressive
    power
  • cannot express a policy that says a state z2
    occurs after a state z1 in an appearance is not
    acceptable

31
Is BLP Notion of Security Good?
  • The objective of BLP security is to ensure
  • a subject cleared at a low level should never
    read information classified high
  • The ss-property and the -property are sufficient
    to stop such information flow at any given state.
  • What about information flow across states?

32
BLP Security Is Not Sufficient!
  • Consider a system with s1,s2,o1,o2
  • fS(s1)fC(s1)fO(o1)high
  • fS(s2)fC(s2)fO(o2) low
  • And the following execution
  • s1 gets access to o1, read something, release
    access, then change current level to low, get
    write access to o2, write to o2
  • Every state is secure, yet illegal information
    exists

33
How to Deal With This?
  • The following have been proposed
  • subject cannot change current levels
  • require a subject to forgot everything when
    changing levels
  • But the original BLP security is wrong!
  • And all the fixes limit the applicability of the
    model
  • It is not the model that is wrong, it is the
    definition of security that is wrong.

34
BLP Security Is Not Necessary!
  • Consider a system with only s1,s2,o1,o2
  • fS(s1)fC(s1)fO(o1)high
  • fS(s2)fC(s2)fO(o2) low
  • And an access matrix s.t. s2 cannot access o2
  • And the following execution
  • s1 gets access to o1, and get write access to o2,
    then the state violates -property
  • Why is this system bad?

35
Summary of Issues with BLP Notion of Security
  • BLP notion of security is neither sufficient nor
    necessary to stop illegal information flow
    (through overt channels)
  • The state based approach is too low level and
    limited in expressive power

36
How to Fix The BLP Notion of Security?
  • May need to differentiate externally visible
    objects from other objects
  • e.g., a printer is different from a memory object
  • State-sequence based property
  • e.g., exists no sequence of states so that there
    is an information path from a high object to a
    low externally visible object or to a low subject

37
Outline
  • Overview of BLP
  • Details of BLP
  • Discussions

38
Basic Security Theorem
  • Restatement of The Basic Security Theorem A
    system (z0,W) is a secure system if and only if
    z0 is a secure state and each action of the
    system leads the system into a secure state.
  • Given a system (z0,W), ?? W is an action of the
    system iff. there is an appearance of the system
    that uses ?

39
Observations of the BST
  • The BST is a result of defining security as a
    state-based property.
  • The BST cannot be used to justify the BLP notion
    of security
  • This is McLeans main point in his papers
  • A Comment on the Basic Security Theorem of Bell
    and LaPadula 1985
  • Reasoning About Security Models 1987
  • The Specification and Modeling of Computer
    Security 1990

40
Observations of the BST
  • The BST intends to provide a necessary and
    sufficient condition for verifying that a system
    is secure without running the system
  • McLean 90 The most notable theorem known
    about BLP-security is called the Basic Security
    Theorem (BST), which gives necessary and
    sufficient conditions for a system starting in a
    secure state to never reach a non-secure state.

41
BST and Static Verification of Security
  • Can one use BST to verify whether a system is
    secure or not without running the system?
  • Repeat of BST A system (z0,W) is a secure system
    if and only if z0 is a secure state and each
    action of the system leads the system into a
    secure state.

42
BST and Static Verification of Security
  • Yes and No.
  • if every ?2W leads the system into a secure
    state, then the system is secure
  • if some ?2W leads the system into an insecure
    state, then we dont know whether the system is
    secure
  • as we dont know whether ? is an action or not
  • BST provides effectively only sufficient (but not
    necessary) conditions.

43
McLeans Criticism of BLP
  • BST cannot be used to justify BLP security
  • McLean 1985 If one define security to be any
    other state-based property, BST still holds
  • Defense Bell 1988 exactly what is security is
    outside the model
  • McLean 1987 System Z, defines a state change
    that downgrade everything
  • Defense 1 Tranquility principle disallows that
  • Defense 2 If such state change is desired, then
    fine.

44
McLeans Criticism of BLP
  • In McLean 1990, McLean try to justify BLP
    security using an alternative notion of secure
    transition, but admitted failure
  • We believe that BLP notion of security is
    inherent problematic
  • Tranquility principle
  • the classification of active objects will not
    change during the normal operation.

45
Issues with BLP
  • Deal only with confidentiality,
  • does not deal with integrity at all
  • Does not deal with information flow through
    covert channels
  • The approach of defining a secure system to be
    one in which every reachable state is secure is
    flawed
  • in a system that is secure according to BLP, a
    subject can read high, change current level to
    low, then write low.
  • to address this problem, need to require
  • subject cannot change current levels
  • or ensures a subject to forgot everything when
    changing levels
  • information flow security is not a per-state
    property

46
Overt (Explicit) Channels vs. Covert Channels
  • Security objective of MLS in general, BLP in
    particular
  • high-classified information cannot flow to
    low-cleared users
  • Overt channels of information flow
  • read/write an object
  • Covert channels of information flow
  • communication channel based on the use of system
    resources not normally intended for communication
    between the subjects (processes) in the system

47
Examples of Covert Channels
  • Using file lock as a shared boolean variable
  • By varying its ratio of computing to input/output
    or its paging rate, the service can transmit
    information to a concurrently running process
  • Covert channels are often noisy
  • However, information theory and coding theory can
    be used to encode and decode information through
    noisy channels

48
More on Covert Channels
  • Covert channels cannot be blocked by -property
  • It is generally very difficult, if not
    impossible, to block all cover channels
  • One can try to limit the bandwidth of covert
    channels
  • Military requires cryptographic components be
    implemented in hardware
  • to avoid trojan horse leaking keys through covert
    channels

49
More on MLS Security Levels
  • Used as attributes of both subjects objects
  • clearance classification
  • Typical military security levels
  • top secret ?? secret ? confidential ?
    unclassified
  • Typical commercial security levels
  • restricted ? proprietary ? sensitive ? public

50
Security Categories
  • Also known as compartments
  • Typical military security categories
  • army, navy, air force
  • nato, nasa, noforn
  • Typical commercial security categories
  • Sales, RD, HR
  • Dept A, Dept B, Dept C

51
Security Labels
  • Labels Levels ? P (Categories)
  • Define an ordering relationship among Labels
  • (e1, C1) ? (e2, C2) iff. e1 ?e2 and C1 ? C2
  • This ordering relation is a partial order
  • reflexive, transitive, anti-symmetric
  • e.g., ?
  • All security labels form a lattice

52
An Example Security Lattice
  • levelstop secret, secret
  • categoriesarmy,navy

Top Secret, army, navy
Top Secret, army
Top Secret, navy
Secret, army, navy
Top Secret,
Secret, navyy
Secret, army
Secret,
53
The need-to-know principle
  • Even if someone has all the necessary official
    approvals (such as a security clearance) to
    access certain information they should not be
    given access to such information unless they have
    a need to know that is, unless access to the
    specific information necessary for the conduct of
    one's official duties.
  • Can be implemented using categories and or DAC

54
Coming Attractions
  • Non-interference and non-deducability
Write a Comment
User Comments (0)
About PowerShow.com