Systems and Internet Infrastructure Security, Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA

Advanced Systems Security: Information Flow Control
Trent Jaeger
Systems and Internet Infrastructure Security (SIIS) Lab, Computer Science and Engineering Department, Pennsylvania State University
April 4, 2010

Problem
- A program is trusted to enforce a system's policy. How do we know?
- Integrity models don't cover this.
- UMIP and CW-Lite don't evaluate the entire program.
- So what can we do?

What's a Program?
- Program parts: instructions, variables, control ops, procedures, arguments, system calls, library calls (sources, sinks).
- What does a program look like from a security perspective?
- Variables hold data and may have secrecy or integrity requirements.
- Variable values may come from external sources.
- Variable values may be assigned to one another.
- Variables may be written out of the program (a sink).

It's the Data Flow
- Data input to a program may have security requirements, e.g., it is secret.
- The program's operations enable the data to flow through the program.
- Track each variable's label based on the data it has seen.
- Enforce the data's security requirements on information flows: can that data be sent out to a file?
- Can connect OS, VM, and program enforcement.

Concepts
- Attach flow labels to program data.
- Enable static checking of information flows, compatible with Denning's model.
- Only a program with legal information flows will compile.
- Programmers can declassify labels: upgrade integrity, downgrade secrecy, remove restrictions.
- Label polymorphism.
- Run-time label checking.

Denning's Lattice Model
- Formalizes information flow models: FM = <N, P, SC, ⊕, →>.
- Shows that the information flow model instances form a lattice: SC is a partially ordered set; SC, the set of security classes, is finite; SC has a lower bound; and ⊕ is a least-upper-bound (lub) operator.
- Implicit and explicit information flows.
- Semantics for verifying that a configuration is secure.
- Static and dynamic binding are considered.
- Biba and BLP are among the simplest models of this type.

Implicit and Explicit Flows
- Explicit: direct transfer to b from a, e.g., b := a.
- Implicit: the value of b may depend on the value of a indirectly, e.g., if a = 0 then b := c.
- The model covers all programs: a statement S; a sequence S1; S2; a conditional c: S1, ..., Sm.
- Implicit flows only occur in conditionals.

Static and Dynamic Binding
- Static binding: the security class of an object is fixed. This is the case for BLP and Biba, and for most system models.
- Dynamic binding: the security class of an object can change. For b := a, the security class of b becomes b ⊕ a. E.g., high-water-mark secrecy, LOMAC, IX.

Semantics
A program is secure if:
- the explicit flow from each statement S is secure;
- the explicit flows of all statements in a sequence (e.g., S1; S2) are secure;
- a conditional c: S1, ..., Sm is secure if the explicit flows of all statements S1, ..., Sm are secure and the implicit flows between c and the objects in each Si are secure.

Example
[Figures from Myers and Liskov's decentralized label model paper. Figure 1: Medical Study Scenario (hospital H, patient p's medical history labeled {p: p, H}, data extractor E, researchers R, statistics package S, statistical database). Figure 2: Bank Scenario (bank B, customers C with per-customer account data labeled {Ci: B, Ci}, customer requests, total assets, trusted industry-standard totaller T).] A principal who is only a reader of data, not an owner, cannot leak the relabeled data; the analysis package performs its computations using the patient data, now labeled {R: R, S}, and its own statistical routines.

Type Safety

Security Types

Decentralized Label Model
- Labels have owners and readers.
- Owner: the principal whose data was observed to generate the value.
- Readers: the principals an owner allows to read; readers are specified by each owner.
- Effective readers: the intersection of all reader sets of the label.
- Label representation: L = {o1: r1, r2; o2: r2, r3}. The effective readers of L are {r2}, because only r2 can read from both o1 and o2.
- Channels: values are written to output channels; each channel has a set of readers.

Act For
- Readers can act for others using their permissions.
- Semantics: a value can be written to a channel only if each channel reader has the authority to act for some effective reader of the value.

Relabeling Semantics
- Basics: assignment causes a relabel of the value.
- The default is restriction, according to the property that a new label contains the owners of the old label but the same or fewer readers.
- Declassification semantics: an authority for an owner can remove
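The Denning semantics above (explicit flows for assignments, implicit flows from a conditional's test into its body, static binding) as an added example that is not part of the slides: a small static checker over a constructed program. The compartment lattice, the statement encoding and the sample program are assumptions for illustration.

```python
"""Static check of explicit and implicit flows in Denning's lattice model.

Security classes are frozensets of compartments ordered by subset: a flow
from class A to class B is allowed iff A <= B, and the join (Denning's ⊕)
is set union.  Statements are constructed tuples:
    ("assign", target, [sources])      explicit flow: sources -> target
    ("if", [cond vars], [body stmts])  implicit flow: cond -> body targets
Binding is static: a variable's class never changes.
"""

def join(*classes):
    """Least upper bound (⊕) of security classes: set union."""
    out = frozenset()
    for c in classes:
        out = out | c
    return out

def flows_to(src, dst):
    """Denning's flow relation: src -> dst iff src is no higher than dst."""
    return src <= dst

def check(stmts, classes, pc=frozenset(), violations=None):
    """Return (statement, kind, target) for every insecure flow found.

    pc is the join of the classes of all enclosing conditional tests, i.e.
    the implicit flow that reaches every assignment in the body."""
    if violations is None:
        violations = []
    for stmt in stmts:
        if stmt[0] == "assign":
            _, target, sources = stmt
            src_class = join(*(classes[v] for v in sources))
            if not flows_to(src_class, classes[target]):
                violations.append((stmt, "explicit", target))
            if not flows_to(pc, classes[target]):
                violations.append((stmt, "implicit", target))
        elif stmt[0] == "if":
            _, cond, body = stmt
            check(body, classes, join(pc, *(classes[v] for v in cond)), violations)
    return violations

# Constructed sample: one secret compartment "S"; "pub" and "out" are public.
CLASSES = {"secret": frozenset({"S"}), "tmp": frozenset({"S"}),
           "pub": frozenset(), "out": frozenset()}
PROGRAM = [
    ("assign", "tmp", ["secret"]),                      # S -> S: fine
    ("assign", "pub", ["secret"]),                      # explicit leak
    ("if", ["secret"], [("assign", "out", ["pub"])]),   # implicit leak via test
    ("if", ["secret"], [("assign", "tmp", ["pub"])]),   # body target is S: fine
]

if __name__ == "__main__":
    for stmt, kind, target in check(PROGRAM, CLASSES):
        print(f"{kind} flow violation into {target}: {stmt}")
```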
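The decentralized label model slides above (effective readers, the act-for channel check, and restriction as the default relabeling) as an added example that is not the slides' or Jif's code. The label uses the slides' L = {o1: r1, r2; o2: r2, r3}; the act-for hierarchy and channel reader sets are constructed assumptions, and effective readers are computed exactly as the slides define them (plain intersection of the owners' reader sets).

```python
"""Decentralized Label Model checks: effective readers, act-for, restriction.

A label maps each owner to the readers that owner allows, e.g. the slides'
L = {o1: r1, r2; o2: r2, r3} is {"o1": {"r1", "r2"}, "o2": {"r2", "r3"}}.
HIERARCHY is a constructed map principal -> principals it may directly act
for; acts_for takes its reflexive, transitive closure.
"""

def effective_readers(label):
    """Intersection of every owner's reader set (the slides' definition)."""
    readers = None
    for allowed in label.values():
        readers = set(allowed) if readers is None else readers & set(allowed)
    return readers if readers is not None else set()

def acts_for(actor, principal, hierarchy):
    """True if actor may act for principal, following the hierarchy transitively."""
    seen, stack = set(), [actor]
    while stack:
        p = stack.pop()
        if p == principal:
            return True
        if p not in seen:
            seen.add(p)
            stack.extend(hierarchy.get(p, ()))
    return False

def can_write(label, channel_readers, hierarchy):
    """Act-for semantics: every channel reader must act for some effective reader."""
    if not label:          # no owner restricts an unlabeled value
        return True
    eff = effective_readers(label)
    return all(any(acts_for(cr, r, hierarchy) for r in eff) for cr in channel_readers)

def is_restriction(old, new):
    """Default relabel: every old owner is kept, each with the same or fewer readers."""
    return all(o in new and set(new[o]) <= set(old[o]) for o in old)

# Constructed sample: the slides' label plus an "admin" that acts for r2.
LABEL = {"o1": {"r1", "r2"}, "o2": {"r2", "r3"}}
HIERARCHY = {"admin": {"r2"}}

if __name__ == "__main__":
    print(sorted(effective_readers(LABEL)))                 # ['r2']
    print(can_write(LABEL, {"r2", "admin"}, HIERARCHY))     # True
    print(can_write(LABEL, {"r3"}, HIERARCHY))              # False: r3 cannot act for r2
    print(is_restriction(LABEL, {"o1": {"r2"}, "o2": {"r2", "r3"}, "o3": {"r2"}}))  # True
    print(is_restriction(LABEL, {"o1": {"r1", "r2", "r4"}, "o2": {"r2"}}))          # False
```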