Berkeley COMPSCI 161 - Multilevel & Database Security

CS 161 Multilevel & Database Security
30 October 2006
2006 Doug Tygar, CS 161, 30 October 2006

Military models of security
- Need to know
- Three models of security
  - Classification: unclassified, classified, secret, top secret
  - Compartmentalization: nuclear, crypto, weapons specific
  - Discretionary access control: distribution lists

What clearance means
- Clearance is primarily a restriction on what you can release
- Declassification: permission to discuss
- Everyday example: non-disclosure agreements
- Advice: be careful before agreeing to clearance or NDAs

Two ways to rank systems
- How much do they protect (military models of classification)?
- What is the strength of mechanism?

History
- US: Orange Book, Trusted Computer Security Evaluation Criteria (TCSEC), Rainbow Series
- Europe: Harmonized Criteria (UK, Germany, France, Holland), ITSEC
- Canada: CTCPEC
- Internationalization: Common Criteria (now on version 3.0)

US levels
  D    minimal protection
  C1   discretionary access control
  C2   controlled access control
  B1   labeled security protection
  B2   structured protection
  B3   security domains
  A1   verified design
  A2   verified implementation (never achieved)

Key ideas: Bell-LaPadula
- We trust people, not processes
- Small trusted computing base (TCB)
  - Includes a security kernel
- Processes read down
- Processes write up (star property)

More on the star property
- Star property acts as a "King Midas touch"
- Once a process reads a classified file, its security level is boosted to that of the file
- Then everything it writes (modifies, deletes, etc.) is at the same security level

Problem: covert channels
- There is more than one way to leak information
  - Existence of a file
  - System load
  - Paging behavior
- Example: TENEX passwords

Covert channels
- Covert channels are virtually impossible to remove entirely
- So we restrict the bandwidth of what can be transmitted
- This means that high classification processes are heavily restricted

What killed the Orange Book
- System performance was poor
  - Often 1,000 to 10,000 times worse than unsecure operating systems
- Using special hardware was expensive
- Formal methods for evaluation never really worked
- User interface was horrible
- Evaluation took years and was expensive

The last great evaluated system
- Windows NT was evaluated at the C2 level of security, as long as you didn't hook it up to a network

Today's problems and the Orange Book
- Problems we face today seem strangely distant from the Orange Book
- Denial of service, worms, privacy, aggregation of data: none of these are addressed

Common Criteria
- Protection Profile
- Security Target

Common Criteria Levels
  EAL 1   functionally tested                       (US: between D and C1)
  EAL 2   structurally tested                       (US: C1)
  EAL 3   methodically tested, checked              (US: C2)
  EAL 4   methodically designed, tested, reviewed   (US: B1)
  EAL 5   semiformally designed, tested             (US: B2)
  EAL 6   semiformally verified design, tested      (US: B3)
  EAL 7   formally verified design, tested          (US: A1)

Side channel examples
- Sound of keyboard typing
- Timing
- Power attacks

Power Analysis
[Figure not included in the text preview.]

Simple Power Analysis
[Figure: power traces. Top line: DES. Bottom line: one cycle of DES.]

Differential Power Analysis
- Repeat and look for statistical averaging

Shamir secret sharing
- How did this work?

Adding with Shamir secret sharing
- Suppose we want to find everyone's average salary

Unsatisfactory solutions to puzzle
- Escrow approach: everyone sends salary to a trusted escrow agent (trusted referee), who publishes
- Mix approach: everyone sends salary anonymously to third parties (anonymizers), who publish
[Diagrams: Alice, Bob, Carl and Doe sending salaries to a trusted referee, and to anonymizers, each of which publishes.]

Using Shamir Secret Sharing
[Diagram: Alice, Bob and Carl each split their value into three shares (A1 A2 A3, B1 B2 B3, C1 C2 C3). Referee 1 receives A1 B1 C1, Referee 2 receives A2 B2 C2, Referee 3 receives A3 B3 C3.]
- All sums taken modulo n
- Final sum

Census bureau problem
- Wants to publish average statistics
- But how do they change when a new person joins?

Approaches that don't work
- Adding noise. Why not?
- Thresholding. Why not?
- Revealing medians. Why not?

Example

  Name     Sex  Race  Aid   Fines  Drugs  Dorm
  Adams    M    C     5000  45     1      Holmes
  Bailey   M    B     0     0      0      Grey
  Chin     F    A     3000  20     0      West
  Dewitt   M    B     1000  35     3      Grey
  Earhart  F    C     2000  95     1      Holmes
  Fein     F    C     1000  15     0      West
  Groff    M    C     4000  0      3      West
  Hill     F    B     5000  10     2      Holmes
  Koch     F    C     0     0      1      West
  Liu      F    A     0     10     2      Grey
  Majors   M    C     2000  0      2      Grey

  List NAME where SEX M DRUGS 1
  List NAME where SEX M DRUGS 1 SEX M SEX F DORM AYRES

Census rules
- "n items over k percent"
- Withhold data if n items represent over k percent of data reported

Sum attack
Sums of Financial Aid by Dorm and Sex

          Holmes  Grey   West   Total
  M       5000    3000   4000   12000
  F       7000    0      4000   11000
  Total   12000   3000   8000   23000

Conclusion: no woman in Grey receives financial aid

Count attack

          Holmes  Grey   West   Total
  M       5000    3000   4000   12000
  F       7000    0      4000   11000
  Total   12000   3000   8000   23000

          Holmes  Grey   West   Total
  M       1       3      1      5
  F       2       1      3      6
  Total   3       4      4      11

Median attack
- By manipulating the data, or finding the median of two intersecting sets, one can reveal individual data
- Median aid when sex m drugs 2

Tracker attacks
- Instead of asking
    count SEX F RACE C DORM Holmes
- We ask
    count SEX F count SEX F RACE C DORM Holmes

More generally: any linear combination
- If we ask n queries of n variables, we can often manipulate the results
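For the "Key ideas: Bell-LaPadula" and "More on the star property" slides, a small reference monitor that enforces read down, write up and the level boost on read. This is an added example, not code from the lecture; the Monitor and Process classes and the file names in the test are hypothetical, and the level order is the one listed on the classification slide.

```python
LEVELS = ["unclassified", "classified", "secret", "top secret"]  # order from the slides
RANK = {name: i for i, name in enumerate(LEVELS)}


class Denied(Exception):
    """Raised when an access would violate read-down / write-up."""


class Process:
    def __init__(self, clearance):
        self.clearance = clearance      # ceiling: the clearance of the user it runs for
        self.level = "unclassified"     # current level, only ever raised by reads


class Monitor:
    """Hypothetical reference monitor: every read and write goes through it."""

    def __init__(self):
        self.files = {}                 # name -> [label, contents]

    def create(self, name, label, contents=""):
        self.files[name] = [label, contents]

    def read(self, proc, name):
        label, contents = self.files[name]
        if RANK[label] > RANK[proc.clearance]:
            raise Denied(f"read up: {name} is {label}")
        if RANK[label] > RANK[proc.level]:
            proc.level = label          # the "King Midas touch": level is boosted
        return contents

    def write(self, proc, name, contents):
        if name not in self.files:
            # New data inherits the level of the process that produced it.
            self.files[name] = [proc.level, contents]
            return proc.level
        label = self.files[name][0]
        if RANK[label] < RANK[proc.level]:
            raise Denied(f"write down: {name} is {label}, process is {proc.level}")
        self.files[name][1] = contents  # writing at or above the current level is allowed
        return label
```

Note that the level never drops again within a process, which is why the slides describe high-classification processes as heavily restricted.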
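For the "Adding with Shamir secret sharing" and "Using Shamir Secret Sharing" slides, the referee protocol worked through in code: each person shares a salary, each referee adds the shares it received, and only the total is reconstructed. This is an added example, not code from the lecture; the prime modulus P (the slide says only "modulo n"), the function names and the salaries in the usage are assumptions.

```python
import secrets

P = 2**61 - 1  # assumed prime modulus, larger than any possible total


def share(secret, n_referees, threshold):
    """Shamir-share `secret`: referee x gets f(x) for a random polynomial with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = {}
    for x in range(1, n_referees + 1):
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod P
            acc = (acc * x + c) % P
        shares[x] = acc
    return shares


def referee_sums(all_shares):
    """Each referee adds the shares it holds; it never sees an individual salary."""
    sums = {}
    for shares in all_shares:
        for x, y in shares.items():
            sums[x] = (sums.get(x, 0) + y) % P
    return sums


def reconstruct(points):
    """Lagrange interpolation at 0 over `threshold` points (x -> y)."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def total_salary(salaries, n_referees=3, threshold=3):
    """Sum of shares is a share of the sum, so the referees' sums reconstruct the total."""
    sums = referee_sums([share(s, n_referees, threshold) for s in salaries])
    subset = dict(list(sums.items())[:threshold])
    return reconstruct(subset)


if __name__ == "__main__":
    salaries = [52000, 61000, 47000]    # constructed sample values
    print(total_salary(salaries) / len(salaries))
```

With a threshold of 3 out of 3, as in the slide's diagram, all referees must combine their sums to learn the total, and fewer than the threshold learn nothing about any one salary.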
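For the "Census rules" and "Tracker attacks" slides, a check of a query-set-size rule against the Example table above, useful when reviewing a statistics interface for this leak. This is an added example, not code from the lecture; the minimum size K and the function names are assumptions, and because the operators in the slide's queries were lost in extraction, the second count is read here as "females outside the target set".

```python
from collections import namedtuple

Row = namedtuple("Row", "name sex race aid fines drugs dorm")
# Rows copied from the Example table on the page.
ROWS = [Row(*r) for r in [
    ("Adams", "M", "C", 5000, 45, 1, "Holmes"),
    ("Bailey", "M", "B", 0, 0, 0, "Grey"),
    ("Chin", "F", "A", 3000, 20, 0, "West"),
    ("Dewitt", "M", "B", 1000, 35, 3, "Grey"),
    ("Earhart", "F", "C", 2000, 95, 1, "Holmes"),
    ("Fein", "F", "C", 1000, 15, 0, "West"),
    ("Groff", "M", "C", 4000, 0, 3, "West"),
    ("Hill", "F", "B", 5000, 10, 2, "Holmes"),
    ("Koch", "F", "C", 0, 0, 1, "West"),
    ("Liu", "F", "A", 0, 10, 2, "Grey"),
    ("Majors", "M", "C", 2000, 0, 2, "Grey"),
]]
K = 2  # assumed minimum query-set size; the slides give no value


class Refused(Exception):
    """Raised when a query set is too small or too close to the whole table."""


def query_set(pred, k=K):
    rows = [r for r in ROWS if pred(r)]
    if not k <= len(rows) <= len(ROWS) - k:
        raise Refused(f"query set size {len(rows)} not in [{k}, {len(ROWS) - k}]")
    return rows


def count(pred):
    return len(query_set(pred))


def total_aid(pred):
    return sum(r.aid for r in query_set(pred))


def target(r):      # the query from the "Tracker attacks" slide
    return r.sex == "F" and r.race == "C" and r.dorm == "Holmes"


def female(r):
    return r.sex == "F"


def others(r):      # assumed reading: females outside the target set
    return female(r) and not target(r)


def differenced():
    """Two permitted answers subtract to the refused one (count, then aid)."""
    return count(female) - count(others), total_aid(female) - total_aid(others)
```

The direct query is refused, yet the difference of two permitted queries yields the same single-row count and that row's aid, so a per-query size check needs to be paired with auditing of overlap across a user's query history.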

