Berkeley COMPSCI 161 - Multilevel & Database Security

CS 161 – Multilevel & Database Security
30 October 2006
© 2006 Doug Tygar

Military models of security
• "Need to know"
• Three models of security
  – Classification
    • unclassified, classified, secret, top secret
  – Compartmentalization
    • nuclear, crypto, weapons specific
  – Discretionary access control
    • Distribution lists

What clearance means
• Clearance is primarily a restriction on what you can release
• Declassification = permission to discuss
• Everyday example: non-disclosure agreements
• Advice: be careful before agreeing to clearance or NDAs

Two ways to rank systems
• How much do they protect military models of classification?
• What is the strength of mechanism?

History
• US: Orange Book (TCSEC, Trusted Computer System Evaluation Criteria) → Rainbow Series
• Europe: Harmonized Criteria (UK, Germany, France, Holland) → ITSEC
• Canada: CTCPEC
• Internationalization: Common Criteria (now on version 3.0)

US (TCSEC) levels
• D: minimal protection
• C1: discretionary security protection
• C2: controlled access protection
• B1: labeled security protection
• B2: structured protection
• B3: security domains
• A1: verified design
• Beyond A1 (sometimes called "A2"): verified implementation (never achieved)

Key ideas
• Bell-LaPadula
• We trust people, not processes
• Small "trusted computing base" (TCB)
• Includes a "security kernel"
• Processes "read down" (simple security property: no read up)
• Processes "write up" (star property: no write down)

More on the star property
• Star property acts as a "King Midas" touch
• Once a process reads a classified file, its security level is boosted to that of the file
• Then everything it writes (modifies, deletes, etc.) is at the same security level
• Strictly, this floating label is the high-water-mark variant of the model; in plain Bell-LaPadula a subject's level is fixed and a write to a lower-level object is simply refused

Problem: covert channels
• There is more than one way to leak information
  – Existence of a file
  – System load
  – Paging behavior
• Example: TENEX passwords (a byte-by-byte password comparison whose progress could be observed through page faults, so the password could be guessed one byte at a time)

Covert channels
• Covert channels are virtually impossible to remove entirely
• So we restrict the bandwidth of what can be transmitted
• This means that high-classification processes are heavily restricted

What killed the Orange Book?
• System performance was poor
  – Often 1,000 to 10,000 times worse than unsecure operating systems
• Using special hardware was expensive
• Formal methods for evaluation never really worked
• User interface was horrible
• Evaluation took years (and was expensive)

The last great evaluated system
• Windows NT was evaluated at the C2 level of security … as long as you didn't hook it up to a network.

Today's problems & the Orange Book
• Problems we face today seem strangely distant from the Orange Book
• Denial of service, worms, privacy, aggregation of data … none of these are addressed

Common Criteria
• Protection Profile (implementation-independent requirements for a class of products)
• Security Target (the requirements one specific product claims to meet, against which it is evaluated)

Common Criteria levels
• EAL 1: functionally tested (US between D & C1)
• EAL 2: structurally tested (US C1)
• EAL 3: methodically tested & checked (US C2)
• EAL 4: methodically designed, tested, & reviewed (US B1)
• EAL 5: semiformally designed & tested (US B2)
• EAL 6: semiformally verified design & tested (US B3)
• EAL 7: formally verified design & tested (US A1)

Side channel examples
• Sound of keyboard typing
• Timing
• Power attacks

Power Analysis
[figure: power consumption trace]

Simple Power Analysis
• Top line (DES)
• Bottom line (one cycle of DES)
[figure: the two power traces]
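A worked power-analysis example, added here and not part of the lecture. It simulates what a single trace gives away (the Hamming weight of a DES S-box output plus noise, which is all simple power analysis can read off one trace) and then performs the repeat-and-average step of differential power analysis over thousands of traces to recover the six key bits feeding that S-box. The S-box input model (input XOR key chunk, with the real DES expansion and permutations omitted), the Hamming-weight leakage model, the noise level and the key value are assumptions of the example; the traces are synthesised, not measured.

```python
"""Power analysis on a simulated DES S-box (added example; not from the lecture).

Model assumptions: the device computes S1(p XOR k) for a 6-bit input chunk p and
6-bit round-key chunk k (the real DES expansion/permutation is omitted), and its
power draw at that instant is the Hamming weight of the 4-bit S-box output plus
Gaussian noise.  Traces are synthesised here, not measured.
"""
import random

# DES S-box S1: row = outer two input bits, column = inner four bits.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(x):
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def hw(v):
    return bin(v).count("1")


def simulate_traces(key, n, sigma, seed=1):
    """One sample per trace: HW(S1(p ^ key)) + N(0, sigma).  A single trace is
    what simple power analysis looks at; it reveals at most the Hamming weight."""
    rng = random.Random(seed)
    inputs, power = [], []
    for _ in range(n):
        p = rng.randrange(64)
        inputs.append(p)
        power.append(hw(sbox(p ^ key)) + rng.gauss(0, sigma))
    return inputs, power


def difference_of_means(inputs, power, guess, bit=0):
    """Kocher-style DPA: split the traces by the predicted value of one output
    bit under `guess`, average each pile, and return the difference.  For the
    right key the piles differ by about 1.0 (one bit of Hamming weight); a
    wrong key sorts the traces almost at random and the difference is much
    smaller."""
    ones = [w for p, w in zip(inputs, power) if (sbox(p ^ guess) >> bit) & 1]
    zeros = [w for p, w in zip(inputs, power) if not (sbox(p ^ guess) >> bit) & 1]
    return sum(ones) / len(ones) - sum(zeros) / len(zeros)


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def recover_key(inputs, power):
    """Correlation power analysis over all 64 key-chunk guesses: the guess whose
    predicted Hamming weights correlate best with the measured power wins."""
    scores = {g: pearson([hw(sbox(p ^ g)) for p in inputs], power) for g in range(64)}
    best = max(scores, key=scores.get)
    return best, scores[best]


KEY = 0b101101                       # the secret the attacker does not know
INPUTS, POWER = simulate_traces(KEY, n=3000, sigma=0.25)

if __name__ == "__main__":
    guess, score = recover_key(INPUTS, POWER)
    print(f"recovered key chunk {guess:06b} (corr {score:.3f}); true {KEY:06b}")
    print("difference of means, correct key:",
          round(difference_of_means(INPUTS, POWER, KEY), 3))
```

Against a real device the attacker also has to find the instant in each trace where the S-box output is being handled, and the noise is far larger than the 0.25 used here, so tens of thousands of traces are typical; the structure of the attack does not change. The difference-of-means function is the original single-bit formulation; the correlation version uses all four output bits at once and is what is usually run in practice.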
Differential Power Analysis
• Repeat, and look for statistical averaging

Shamir secret sharing
• How did this work?

Adding with Shamir secret sharing
• Suppose we want to find everyone's average salary

Unsatisfactory solutions to puzzle
• Mix approach:
  – Everyone sends salary anonymously to third parties who publish
• Escrow approach:
  – Everyone sends salary to trusted escrow agent
[figure: Alice, Bob, Carl and Doe each send to anonymizers, which publish; Alice, Bob, Carl and Doe each send to a trusted referee, which publishes]

Using Shamir Secret Sharing
[figure: Alice splits her salary into shares A1, A2, A3; Bob into B1, B2, B3; Carl into C1, C2, C3. Referee 1 holds A1, B1, C1; Referee 2 holds A2, B2, C2; Referee 3 holds A3, B3, C3. Each referee publishes the sum of its shares (Σ1, Σ2, Σ3), and those sums combine into the final sum. All sums taken modulo n.]

Census bureau problem
• Wants to publish average statistics
• But how do they change when a new person joins?

Approaches that don't work
• Adding noise
  – Why not?
• Thresholding
  – Why not?
• Revealing medians
  – Why not?

Example

Name     Sex  Race  Aid   Fines  Drugs  Dorm
Adams    M    C     5000  45     1      Holmes
Bailey   M    B     0     0      0      Grey
Chin     F    A     3000  20     0      West
Dewitt   M    B     1000  35     3      Grey
Earhart  F    C     2000  95     1      Holmes
Fein     F    C     1000  15     0      West
Groff    M    C     4000  0      3      West
Hill     F    B     5000  10     2      Holmes
Koch     F    C     0     0      1      West
Liu      F    A     0     10     2      Grey
Majors   M    C     2000  0      2      Grey

• List NAME where SEX=M ∧ DRUGS=1
• List NAME where (SEX=M ∧ DRUGS=1) ∨ (SEX≠M ∧ SEX≠F) ∨ (DORM=AYRES)
  (the extra disjuncts are always false, so the second query returns exactly the same single name while looking broad enough to pass a size check)

Census rules
• "n items over k percent"
• Withhold data if n items represent over k percent of data reported.

Sum attack
• Sums of financial aid by dorm and sex
• Conclusion – no woman in Grey receives financial aid

        Holmes  Grey  West  Total
M       5000    3000  4000  12000
F       7000    0     4000  11000
Total   12000   3000  8000  23000

Count attack
• Counts of students by dorm and sex, shown beside the sum table above

        Holmes  Grey  West  Total
M       1       3     1     5
F       2       1     3     6
Total   3       4     4     11

• Conclusion – the Grey/F cell holds a single person, so her aid is pinned down exactly (it is 0)

Median attack
• By manipulating the
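Worked example for the "Key ideas" and "More on the star property" slides, added here and not code from the lecture: a toy reference monitor in Python that enforces read down / write up over a lattice of classifications and compartments, shows the King Midas behaviour of a subject whose level floats up after a read, and then shows the file-existence covert channel from the "Problem: covert channels" slide slipping past it. The level names, the Monitor API, the subject names and the file names are invented for the example.

```python
"""Toy Bell-LaPadula reference monitor (added example; not from the lecture).

A label is (classification, compartments); it dominates another label when its
classification is at least as high and its compartments are a superset.  A
subject has a fixed clearance and a current level that starts unclassified.
Reads require clearance >= object (no read up) and float the current level up
to the object's level (the "King Midas" behaviour of the slides); writes require
object >= current level (no write down).  Names and the API are invented here.
"""
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "classified": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

    def join(self, other):
        """Least upper bound of two labels."""
        return Label(max(self.level, other.level, key=LEVELS.get),
                     self.compartments | other.compartments)


class Subject:
    def __init__(self, name, clearance, current=None):
        self.name = name
        self.clearance = clearance
        self.current = current if current is not None else Label("unclassified")


class Monitor:
    def __init__(self):
        self.objects = {}   # name -> (Label, contents)

    def create(self, subject, name, label, contents=""):
        # Creating is a write: the new object's label must dominate the writer.
        if not label.dominates(subject.current):
            return False
        self.objects[name] = (label, contents)
        return True

    def read(self, subject, name):
        label, contents = self.objects[name]
        if not subject.clearance.dominates(label):
            return None                                  # no read up
        subject.current = subject.current.join(label)    # Midas touch
        return contents

    def write(self, subject, name, contents):
        label, _ = self.objects[name]
        if not label.dominates(subject.current):
            return False                                 # no write down
        self.objects[name] = (label, contents)
        return True

    def exists(self, name):
        # Metadata that is NOT mediated by the labels: the "existence of a
        # file" covert channel from the slides.
        return name in self.objects


def demo():
    m = Monitor()
    U = Label("unclassified")
    S = Label("secret", frozenset({"crypto"}))
    admin = Subject("admin", Label("top secret", frozenset({"crypto", "nuclear"})))
    m.create(admin, "public.txt", U, "hello")
    m.create(admin, "keys.txt", S, "k=42")

    editor = Subject("editor", clearance=S)   # cleared Secret/crypto, starts unclassified
    out = {}
    out["write_before_read"] = m.write(editor, "public.txt", "notes")   # allowed
    out["read_secret"] = m.read(editor, "keys.txt")                     # allowed; level floats up
    out["write_after_read"] = m.write(editor, "public.txt", "k=42")     # refused: no write down
    low = Subject("low", clearance=U)
    out["low_reads_secret"] = m.read(low, "keys.txt")                   # refused: no read up

    # Covert channel: the editor encodes 0b1010 in whether secret-labelled
    # files exist; `low` can never read them but can test for them.
    for bit in range(4):
        if (0b1010 >> bit) & 1:
            m.create(editor, f"flag{bit}", S)
    out["leaked"] = sum(m.exists(f"flag{bit}") << bit for bit in range(4))   # 10
    return out
```

The covert channel is the point of the last few lines: every labelled operation is refused correctly, yet four bits cross from secret to unclassified through a namespace query the monitor never looks at. Real systems close that particular hole by labelling directory entries too, and then fight the same battle over timing, load and paging, which is why the slides talk about limiting bandwidth rather than eliminating channels.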
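Worked example for the "Using Shamir Secret Sharing" diagram, added here and not from the lecture: each participant splits a salary into three shares by evaluating a random line over a prime field, each referee adds up only the shares it holds, and any two referee totals interpolate to the overall sum, so the average can be published while no single referee sees any salary. The prime, the 2-of-3 threshold, the referee numbering and the salaries are assumptions of the example.

```python
"""Summing private salaries with Shamir secret sharing, the three-referee
scheme from the slides (added example; not from the lecture).

Assumptions: arithmetic in GF(P) for the prime P below (the slide's "modulo n");
threshold t = 2 of n = 3 referees, so any two referee totals reconstruct the
sum while a single share, being uniformly random, says nothing about a salary.
"""
import random

P = 2**61 - 1   # Mersenne prime; every share and every sum lives in GF(P)


def split(secret, n=3, t=2, rng=random):
    """Shares of `secret`: points (i, f(i)) on a random polynomial of degree
    t-1 with f(0) = secret, for referees i = 1..n."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t - 1)]
    shares = {}
    for i in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(i)
            y = (y * i + c) % P
        shares[i] = y
    return shares


def reconstruct(points):
    """Lagrange interpolation at x = 0 from a dict {i: f(i)}."""
    total = 0
    for i, yi in points.items():
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def private_sum(salaries, n=3, t=2, seed=7):
    """Each salary is shared to the n referees; referee i adds the shares it
    holds (A_i + B_i + C_i ... in the diagram) and publishes only that total.
    Because sharing is linear, the published totals are shares of the sum."""
    rng = random.Random(seed)
    referee_totals = {i: 0 for i in range(1, n + 1)}
    for s in salaries:
        for i, share in split(s, n, t, rng).items():
            referee_totals[i] = (referee_totals[i] + share) % P
    # Any t of the published totals interpolate to the overall sum.
    chosen = {i: referee_totals[i] for i in list(referee_totals)[:t]}
    return reconstruct(chosen)


def demo():
    salaries = [95_000, 120_000, 70_000, 210_000]   # Alice, Bob, Carl, Doe (constructed)
    total = private_sum(salaries)
    return total, total / len(salaries)
```

What makes the slide's picture work is linearity: the sum of everyone's share for referee i is a point on the sum of everyone's polynomials, and that polynomial's constant term is the sum of the salaries. The referees therefore learn the total (which is the intent) and nothing else, provided fewer than t of them collude.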
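Worked example for the database slides ("Example", "Census rules", "Sum attack" and "Count attack"), added here and not from the lecture: the student table is loaded into an in-memory SQLite database, the two name queries from the "Example" slide are run to show that the disguised one returns the same single row, the per-dorm/sex sums and counts are computed, a toy "n items over k percent" rule decides which cells to withhold, and an attacker then refills the withheld cells from the row and column totals of the "Sum attack" table. The table values are those on the slides (embedded as constructed data); the suppression parameters and the assumption that the marginal totals are published are choices of the example.

```python
"""Inference attacks on a statistical database (added example; not from the
lecture).  The student table is the one on the "Example" slide, embedded here
as constructed data; the suppression rule is a toy reading of the "n items over
k percent" rule, and the marginal-recovery step assumes the row and column
totals of the "Sum attack" table are published alongside the released cells."""
import sqlite3

ROWS = [  # name, sex, race, aid, fines, drugs, dorm
    ("Adams", "M", "C", 5000, 45, 1, "Holmes"),
    ("Bailey", "M", "B", 0, 0, 0, "Grey"),
    ("Chin", "F", "A", 3000, 20, 0, "West"),
    ("Dewitt", "M", "B", 1000, 35, 3, "Grey"),
    ("Earhart", "F", "C", 2000, 95, 1, "Holmes"),
    ("Fein", "F", "C", 1000, 15, 0, "West"),
    ("Groff", "M", "C", 4000, 0, 3, "West"),
    ("Hill", "F", "B", 5000, 10, 2, "Holmes"),
    ("Koch", "F", "C", 0, 0, 1, "West"),
    ("Liu", "F", "A", 0, 10, 2, "Grey"),
    ("Majors", "M", "C", 2000, 0, 2, "Grey"),
]


def load():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students(name, sex, race, aid INTEGER, "
               "fines INTEGER, drugs INTEGER, dorm)")
    db.executemany("INSERT INTO students VALUES (?,?,?,?,?,?,?)", ROWS)
    return db


def direct_query(db):
    """First query on the slide: so specific that a result-size filter would
    refuse it."""
    return [n for (n,) in db.execute(
        "SELECT name FROM students WHERE sex='M' AND drugs=1")]


def disguised_query(db):
    """Second query: looks broad, but the added disjuncts are always false
    (sex is always M or F; there is no Ayres dorm), so it returns the same row."""
    return [n for (n,) in db.execute(
        "SELECT name FROM students WHERE (sex='M' AND drugs=1) "
        "OR (sex<>'M' AND sex<>'F') OR dorm='Ayres'")]


def cells(db):
    """Per (dorm, sex): (sum of aid, head count), i.e. the two slide tables."""
    return {(d, s): (total, n) for d, s, total, n in db.execute(
        "SELECT dorm, sex, SUM(aid), COUNT(*) FROM students GROUP BY dorm, sex")}


def publish(db, n=1, k=90):
    """Release the aid sums, withholding (None) any cell with n or fewer people
    or whose n largest contributors exceed k percent of the cell total."""
    released = {}
    for (dorm, sex), (total, count) in cells(db).items():
        aids = [a for (a,) in db.execute(
            "SELECT aid FROM students WHERE dorm=? AND sex=?", (dorm, sex))]
        top = sum(sorted(aids, reverse=True)[:n])
        suppressed = count <= n or 100 * top > k * total
        released[(dorm, sex)] = None if suppressed else total
    return released


def recover_from_marginals(db, released):
    """Attacker: whenever a dorm column (or sex row) has exactly one withheld
    cell, the published total pins it down.  Iterate until nothing changes."""
    by_sex = dict(db.execute("SELECT sex, SUM(aid) FROM students GROUP BY sex"))
    by_dorm = dict(db.execute("SELECT dorm, SUM(aid) FROM students GROUP BY dorm"))
    table = dict(released)
    changed = True
    while changed:
        changed = False
        for dorm, total in by_dorm.items():
            gaps = [s for s in by_sex if table[(dorm, s)] is None]
            if len(gaps) == 1:
                table[(dorm, gaps[0])] = total - sum(
                    table[(dorm, s)] for s in by_sex if s != gaps[0])
                changed = True
        for sex, total in by_sex.items():
            gaps = [d for d in by_dorm if table[(d, sex)] is None]
            if len(gaps) == 1:
                table[(gaps[0], sex)] = total - sum(
                    table[(d, sex)] for d in by_dorm if d != gaps[0])
                changed = True
    return table
```

Two things to take from running it. The Grey/F cell is withheld by the rule, yet it comes straight back from the Grey column total once the Grey/M cell is released, and every other withheld cell follows the same way: suppressing a cell is pointless unless enough other cells (complementary suppression) or the totals themselves are withheld too. And the count table is what turns "no woman in Grey receives aid" into "Liu's aid is 0": a sum over a one-person cell is that person's value.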

