# Introduction - University of California, Davis

Information Flow Chapter 17 Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-1 Overview Basics and background Entropy Non-lattice flow policies Compiler-based mechanisms Execution-based mechanisms Examples Privacy and cell phones

Firewalls Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-2 Basics Bell-LaPadula Model embodies information flow policy Given compartments A, B, info can flow from A to B iff B dom A So does Biba Model Given compartments A, B, info can flow from A to B iff A dom B Variables x, y assigned compartments x, y as well as values Confidentiality (Bel-LaPadula): if x = A, y = B, and B dom A, then y := x allowed but not x := y

Integrity (Biba): if x = A, y = B, and A dom B, then x := y allowed but not y := x From here on, the focus is on confidentiality (Bell-LaPadula) Discuss integrity later Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-3 Entropy and Information Flow Idea: info flows from x to y as a result of a sequence of commands c if you can deduce information about x before c from the value in y after c Formally: s time before execution of c, t time after H(xs | yt) < H(xs | ys) If no y at time s, then H(xs | yt) < H(xs)

Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-4 Example 1 Command is x := y + z; where: 0 y 7, equal probability z = 1 with prob. 1/2, z = 2 or 3 with prob. 1/4 each s state before command executed; t, after; so H(ys) = H(yt) = 8(1/8) lg (1/8) = 3 H(zs) = H(zt) = (1/2) lg (1/2) 2(1/4) lg (1/4) = 1.5 If you know xt, ys can have at most 3 values, so H(ys | xt) = 3(1/3) lg (1/3) = lg 3 1.58

Thus, information flows from y to x Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-5 Example 2 Command is if x = 1 then y := 0 else y := 1; where x, y equally likely to be either 0 or 1 H(xs) = 1 as x can be either 0 or 1 with equal probability H(xs | yt) = 0 as if yt = 1 then xs = 0 and vice versa Thus, H(xs | yt) = 0 < 1 = H(xs) So information flowed from x to y Version 1.0

Computer Security: Art and Science, 2nd Edition Slide 17-6 Implicit Flow of Information Information flows from x to y without an explicit assignment of the form y := f(x) f(x) an arithmetic expression with variable x Example from previous slide: if x = 1 then y := 0 else y := 1; So must look for implicit flows of information to analyze program Version 1.0 Computer Security: Art and Science, 2nd Edition

Slide 17-7 Notation x means class of x In Bell-LaPadula based system, same as label of security compartment to which x belongs x y means information can flow from an element in class of x to an element in class of y Or, information with a label placing it in class x can flow into class y Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-8 Information Flow Policies

Information flow policies are usually: reflexive So information can flow freely among members of a single class transitive So if information can flow from class 1 to class 2, and from class 2 to class 3, then information can flow from class 1 to class 3 Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-9 Non-Transitive Policies Betty is a confident of Anne Cathy is a confident of Betty With transitivity, information flows from Anne to Betty to Cathy

Anne confides to Betty she is having an affair with Cathys spouse Transitivity undesirable in this case, probably Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-10 Non-Lattice Transitive Policies 2 faculty members co-PIs on a grant Equal authority; neither can overrule the other Grad students report to faculty members Undergrads report to grad students Information flow relation is: Reflexive and transitive

But some elements (people) have no least upper bound element What is it for the faculty members? Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-11 Confidentiality Policy Model Lattice model fails in previous 2 cases Generalize: policy I = (SCI, I, joinI): SCI set of security classes I ordering relation on elements of SCI joinI function to combine two elements of SCI Example: Bell-LaPadula Model

SCI set of security compartments I ordering relation dom joinI function lub Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-12 Confinement Flow Model (I, O, confine, ) I = (SCI, I, joinI) O set of entities

: OO with (a, b) (written a b) iff information can flow from a to b for a O, confine(a) = (aL, aU) SCISCI with aL I aU Interpretation: for a O, if x I aU, information can flow from x to a, and if aL I x, information can flow from a to x So aL lowest classification of information allowed to flow out of a, and aU highest classification of information allowed to flow into a Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-13 Assumptions, etc. Assumes: object can change security classes So, variable can take on security class of its data Object x has security class x currently

Note transitivity not required If information can flow from a to b, then b dominates a under ordering of policy I: ( a, b O)[ a b aL I bU ] Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-14 Example 1 SCI = { U, C, S, TS }, with U I C, C I S, and S I TS a, b, c O confine(a) = [ C, C ] confine(b) = [ S, S ] confine(c) = [ TS, TS ]

Secure information flows: a b, a c, b c As aL I bU, aL I cU, bL I cU Transitivity holds Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-15 Example 2 SCI, I as in Example 1 x, y, z O confine(x) = [ C, C ] confine(y) = [ S, S ] confine(z) = [ C, TS ] Secure information flows: x y, x z, y z, z x, z y

As xL I yU, xL I zU, yL I zU, zL I xU, zL I yU Transitivity does not hold y z and z x, but y z is false, because yL I xU is false Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-16 Transitive Non-Lattice Policies Q = (SQ, Q) is a quasi-ordered set when Q is transitive and reflexive over SQ How to handle information flow? Define a partially ordered set containing quasi-ordered set Add least upper bound, greatest lower bound to partially ordered set Its a lattice, so apply lattice rules!

Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-17 In Detail x SQ: let f(x) = { y | y SQ y Q x } Define SQP = { f(x) | x SQ } Define QP = { (x, y) | x, y SQ x y } SQP partially ordered set under QP f preserves order, so y Q x iff f(x) QP f(y) Add upper, lower bounds SQP = SQP { SQ, } Upper bound ub(x, y) = { z | z SQP x z y z } Least upper bound lub(x, y) = ub(x, y) Lower bound, greatest lower bound defined analogously

Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-18 And the Policy Is Now (SQP, QP) is lattice Information flow policy on quasi-ordered set emulates that of this lattice! Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-19 Nontransitive Flow Policies

Government agency information flow policy (on next slide) Entities public relations officers PRO, analysts A, spymasters S confine(PRO) = [ public, analysis ] confine(A) = [ analysis, top-level ] confine(S) = [ covert, top-level ] Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-20 Information Flow By confinement flow model: PRO A, A PRO PRO S A S, S A

top-level Data cannot flow to public relations officers; not transitive analysis S A, A PRO S PRO is false Version 1.0 covert public Computer Security: Art and Science, 2nd Edition

Slide 17-21 Transforming Into Lattice Rough idea: apply a special mapping to generate a subset of the power set of the set of classes Done so this set is partially ordered Means it can be transformed into a lattice Can show this mapping preserves ordering relation So it preserves non-orderings and non-transitivity of elements corresponding to those of original set Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-22

Dual Mapping R = (SCR, R, joinR) reflexive info flow policy P = (SP, P) ordered set Define dual mapping functions lR, hR: SCRSP lR(x) = { x } hR(x) = { y | y SCR y R x } SP contains subsets of SCR; P subset relation Dual mapping function order preserving iff (a, b SCR )[ a R b lR(a) P hR(b) ] Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-23 Theorem

Dual mapping from reflexive information flow policy R to ordered set P order-preserving Proof sketch: all notation as before () Let a R b. Then a lR(a), a hR(b), so lR(a) hR(b), or lR(a) P hR(b) () Let lR(a) P hR(b). Then lR(a) hR(b). But lR(a) = { a }, so a hR(b), giving a R b Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-24 Information Flow Requirements Interpretation: let confine(x) = [ xL, xU ], consider class y Information can flow from x to element of y iff xL R y, or lR(xL) hR(y) Information can flow from element of y to x iff y R xU, or lR(y) hR(xU)

Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-25 Revisit Government Example Information flow policy is R Flow relationships among classes are: public R public public R analysis analysis R analysis public R covert covert R covert public R top-level covert R top-level analysis R top-leveltop-level R top-level Version 1.0 Computer Security: Art and Science, 2nd Edition

Slide 17-26 Dual Mapping of R Elements lR, hR: lR(public) = { public } hR(public = { public } lR(analysis) = { analysis } hR(analysis) = { public, analysis } lR(covert) = { covert } hR(covert) = { public, covert } lR(top-level) = { top-level } hR(top-level) = { public, analysis, covert, top-level } Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-27

confine Let p be entity of type PRO, a of type A, s of type S In terms of P (not R), we get: confine(p) = [ { public }, { public, analysis } ] confine(a) = [ { analysis }, { public, analysis, covert, top-level } ] confine(s) = [ { covert }, { public, analysis, covert, top-level } ] Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-28 And the Flow Relations Are p a as lR(p) hR(a) lR(p) = { public } hR(a) = { public, analysis, covert, top-level }

Similarly: a p, p s, a s, s a But s p is false as lR(s) hR(p) lR(s) = { covert } hR(p) = { public, analysis } Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-29 Analysis (SP, P) is a lattice, so it can be analyzed like a lattice policy Dual mapping preserves ordering, hence non-ordering and nontransitivity, of original policy So results of analysis of (SP, P) can be mapped back into (SCR, R, joinR) Version 1.0

Computer Security: Art and Science, 2nd Edition Slide 17-30 Compiler-Based Mechanisms Detect unauthorized information flows in a program during compilation Analysis not precise, but secure If a flow could violate policy (but may not), it is unauthorized No unauthorized path along which information could flow remains undetected Set of statements certified with respect to information flow policy if flows in set of statements do not violate that policy Version 1.0

Computer Security: Art and Science, 2nd Edition Slide 17-31 Example if x = 1 then y := a; else y := b; Information flows from x and a to y, or from x and b to y Certified only if x y and a y and b y Note flows for both branches must be true unless compiler can determine that one branch will never be taken Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-32

Declarations Notation: x: int class { A, B } means x is an integer variable with security class at least lub{ A, B }, so lub{ A, B } x Distinguished classes Low, High Constants are always Low Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-33 Input Parameters Parameters through which data passed into procedure Class of parameter is class of actual argument

ip: type class { ip } Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-34 Output Parameters Parameters through which data passed out of procedure If data passed in, called input/output parameter As information can flow from input parameters to output parameters, class must include this: op: type class { r1, , rn } where ri is class of ith input or input/output argument Version 1.0

Computer Security: Art and Science, 2nd Edition Slide 17-35 Example proc sum(x: int class { A }; var out: int class { A, B }); begin out := out + x; end; Require x out and out out Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-36

Array Elements Information flowing out: := a[i] Value of i, a[i] both affect result, so class is lub{ a[i], i } Information flowing in: a[i] := Only value of a[i] affected, so class is a[i] Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-37 Assignment Statements x := y + z; Information flows from y, z to x, so this requires lub{ y, z } x

More generally: y := f(x1, , xn) the relation lub{ x1, , xn } y must hold Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-38 Compound Statements x := y + z; a := b * c x; First statement: lub{ y, z } x Second statement: lub{ b, c, x } a So, both must hold (i.e., be secure) More generally: S1; Sn; Each individual Si must be secure

Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-39 Conditional Statements if x + y < z then a := b else d := b * c x; end Statement executed reveals information about x, y, z, so lub{ x, y, z } glb{ a, d } More generally: if f(x1, , xn) then S1 else S2; end S1, S2 must be secure lub{ x1, , xn } glb{y | y target of assignment in S1, S2 } Version 1.0

Computer Security: Art and Science, 2nd Edition Slide 17-40 Iterative Statements while i < n do begin a[i] := b[i]; i := i + 1; end Same ideas as for if, but must terminate More generally: while f(x1, , xn) do S; Loop must terminate; S must be secure lub{ x1, , xn } glb{y | y target of assignment in S } Version 1.0 Computer Security: Art and Science, 2nd Edition

Slide 17-41 Goto Statements No assignments Hence no explicit flows Need to detect implicit flows Basic block is sequence of statements that have one entry point and one exit point Control in block always flows from entry point to exit point Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-42

Example Program proc tm(x: array[1..10][1..10] of integer class {x}; var y: array[1..10][1..10] of integer class {y}); var i, j: integer class {i}; begin b1 i := 1; b2 L2: b3 j := 1; b4 L4: b5 if i > 10 goto L7;

if j > 10 then goto L6; y[j][i] := x[i][j]; j := j + 1; goto L4; b6 L6: i := i + 1; goto L2; b7 L7: end; Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-43 Flow of Control

b1 b2 b7 b3 b6 j>n in i>n b4 jn b5

Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-44 IFDs Idea: when two paths out of basic block, implicit flow occurs Because information says which path to take When paths converge, either: Implicit flow becomes irrelevant; or Implicit flow becomes explicit Immediate forward dominator of basic block b (written IFD(b)) is first basic block lying on all paths of execution passing through b Version 1.0

Computer Security: Art and Science, 2nd Edition Slide 17-45 IFD Example In previous procedure: IFD(b1) = b2 IFD(b2) = b7 IFD(b3) = b4 IFD(b4) = b6

IFD(b5) = b4 IFD(b6) = b2 Version 1.0 one path b2b7 or b2b3b6b2b7 one path b4b6 or b4b5b6 one path one path Computer Security: Art and Science, 2nd Edition Slide 17-46 Requirements Bi is set of basic blocks along an execution path from bi to IFD(bi)

Analogous to statements in conditional statement xi1, , xin variables in expression selecting which execution path containing basic blocks in Bi used Analogous to conditional expression Requirements for secure: All statements in each basic blocks are secure lub{ xi1, , xin } glb{ y | y target of assignment in Bi } Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-47 Example of Requirements Within each basic block:

b1: Low i b3: Low j b6: lub{ Low, i } i b5: lub{ x[i][j], i, j } y[j][i] }; lub{ Low, j } j Combining, lub{ x[i][j], i, j } y[j][i] } From declarations, true when lub{ x, i } y B2 = {b3, b4, b5, b6} Assignments to i, j, y[j][i]; conditional is i 10 Requires i glb{ i, j, y[j][i] } From declarations, true when i y Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-48

Example (continued) B4 = { b5 } Assignments to j, y[j][i]; conditional is j 10 Requires j glb{ j, y[j][i] } From declarations, means i y Result: Combine lub{ x, i } y; i y; i y Requirement is lub{ x, i } y Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-49 Procedure Calls

tm(a, b); From previous slides, to be secure, lub{ x, i } y must hold In call, x corresponds to a, y to b Means that lub{ a, i } b, or a b More generally: proc pn(i1, , im: int; var o1, , on: int); begin S end; S must be secure For all j and k, if ij ok, then xj yk For all j and k, if oj ok, then yj yk Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-50 Exceptions proc copy(x: integer class { x };

var y: integer class Low); var sum: integer class { x }; z: int class Low; begin y := z := sum := 0; while z = 0 do begin sum := sum + x; y := y + 1; end end Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-51 Exceptions (cont) When sum overflows, integer overflow trap

Procedure exits Value of x is MAXINT/y Information flows from y to x, but x y never checked Need to handle exceptions explicitly Idea: on integer overflow, terminate loop on integer_overflow_exception sum do z := 1; Now information flows from sum to z, meaning sum z This is false (sum = { x } dominates z = Low) Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-52 Infinite Loops proc copy(x: integer 0..1 class { x };

var y: integer 0..1 class Low); begin y := 0; while x = 0 do (* nothing *); y := 1; end If x = 0 initially, infinite loop If x = 1 initially, terminates with y set to 1 No explicit flows, but implicit flow from x to y Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-53 Semaphores

Use these constructs: wait(x): if x = 0 then block until x > 0; x := x 1; signal(x): x := x + 1; x is semaphore, a shared variable Both executed atomically Consider statement wait(sem); x := x + 1; Implicit flow from sem to x Certification must take this into account! Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-54

Flow Requirements Semaphores in signal irrelevant Dont affect information flow in that process Statement S is a wait shared(S): set of shared variables read Idea: information flows out of variables in shared(S) fglb(S): glb of assignment targets following S So, requirement is shared(S) fglb(S) begin S1; Sn end All Si must be secure For all i, shared(Si) fglb(Si) Version 1.0 Computer Security: Art and Science, 2nd Edition

Slide 17-55 Example begin x := y + z; (* S1 *) wait(sem); (* S2 *) a := b * c x; (* S3 *) end

Requirements: lub{ y, z } x lub{ b, c, x } a sem a Because fglb(S2) = a and shared(S2) = sem Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-56 Concurrent Loops Similar, but wait in loop affects all statements in loop Because if flow of control loops, statements in loop before wait may be executed after wait Requirements Loop terminates

All statements S1, , Sn in loop secure lub{ shared(S1), , shared(Sn) } glb(t1, , tm) Where t1, , tm are variables assigned to in loop Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-57 Loop Example while i < n do begin a[i] := item; (* S1 *) wait(sem);

(* S2 *) i := i + 1; (* S3 *) end Conditions for this to be secure: Loop terminates, so this condition met S1 secure if lub{ i, item } a[i] S2 secure if sem i and sem a[i] S3 trivially secure

Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-58 cobegin/coend cobegin x := y + z; (* S1 *) a := b * c y; (* S2 *) coend

No information flow among statements For S1, lub{ y, z } x For S2, lub{ b, c, y } a Security requirement is both must hold So this is secure if lub{ y, z } x lub{ b, c, y } a Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-59 Soundness Above exposition intuitive Can be made rigorous: Express flows as types Equate certification to correct use of types

Checking for valid information flows same as checking types conform to semantics imposed by security policy Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-60 Execution-Based Mechanisms Detect and stop flows of information that violate policy Done at run time, not compile time Obvious approach: check explicit flows Problem: assume for security, x y if x = 1 then y := a; When x 1, x = High, y = Low, a = Low, appears okaybut implicit flow violates condition!

Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-61 Fentons Data Mark Machine Each variable has an associated class Program counter (PC) has one too Idea: branches are assignments to PC, so you can treat implicit flows as explicit flows Stack-based machine, so everything done in terms of pushing onto and popping from a program stack Version 1.0 Computer Security: Art and Science, 2nd Edition

Slide 17-62 Instruction Description skip means instruction not executed push(x, x) means push variable x and its security class x onto program stack pop(x, x) means pop top value and security class from program stack, assign them to variable x and its security class x respectively Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-63 Instructions x := x + 1 (increment)

Same as: if PC x then x := x + 1 else skip if x = 0 then goto n else x := x 1 (branch and save PC on stack) Same as: if x = 0 then begin push(PC, PC); PC := lub{PC, x}; PC := n; end else if PC x then x := x - 1 else skip; Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-64

More Instructions if x = 0 then goto n else x := x 1 (branch without saving PC on stack) Same as: if x = 0 then if x PC then PC := n else skip else if PC x then x := x - 1 else skip Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-65 More Instructions return (go to just after last if) Same as:

pop(PC, PC); halt (stop) Same as: if program stack empty then halt Note stack empty to prevent user obtaining information from it after halting Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-66 Example Program 1 2 3 4

5 6 7 if x = if z = halt z := z return y := y return 0 then goto 4 else x := x - 1 0 then goto 6 else z := z - 1 - 1 - 1 Initially x = 0 or x = 1, y = 0, z = 0

Program copies value of x to y Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-67 Example Execution x 1 0 0 0 0 y 0 0

0 1 1 Version 1.0 z 0 0 0 0 0 PC 1 2 6 7

3 PC stack check Low Low Low x z (3, Low) PC y z (3, Low) Low Computer Security: Art and Science, 2nd Edition Slide 17-68 Handling Errors Ignore statement that causes error, but continue execution If aborted or a visible exception taken, user could deduce information Means errors cannot be reported unless user has clearance at least equal to

that of the information causing the error Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-69 Variable Classes Up to now, classes fixed Check relationships on assignment, etc. Consider variable classes Fentons Data Mark Machine does this for PC On assignment of form y := f(x1, , xn), y changed to lub{ x1, , xn } Need to consider implicit flows, also Version 1.0

Computer Security: Art and Science, 2nd Edition Slide 17-70 Example Program (* Copy value from x to y. Initially, x is 0 or 1 *) proc copy(x: integer class { x }; var y: integer class { y }) var z: integer class variable { Low }; begin y := 0; z := 0; if x = 0 then z := 1; if z = 0 then y := 1; end; z changes when z assigned to

Assume y < x Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-71 Analysis of Example x=0 z := 0 sets z to Low if x = 0 then z := 1 sets z to 1 and z to x So on exit, y = 0 x=1 z := 0 sets z to Low if z = 0 then y := 1 sets y to 1 and checks that lub{Low, z} y So on exit, y = 1

Information flowed from x to y even though y < x Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-72 Handling This (1) Fentons Data Mark Machine detects implicit flows violating certification rules Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-73 Handling This (2)

Raise class of variables assigned to in conditionals even when branch not taken Also, verify information flow requirements even when branch not taken Example: In if x = 0 then z := 1, z raised to x whether or not x = 0 Certification check in next statement, that z y, fails, as z = x from previous statement, and y x Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-74 Handling This (3) Change classes only when explicit flows occur, but all flows (implicit as well as explicit) force certification checks

Example When x = 0, first if sets z to Low, then checks x z When x = 1, first if checks x z This holds if and only if x = Low Not possible as y < x = Low by assumption and there is no such class Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-75 Integrity Mechanisms The above also works with Biba, as it is mathematical dual of BellLaPadula All constraints are simply duals of confidentiality-based ones presented above Version 1.0

Computer Security: Art and Science, 2nd Edition Slide 17-76 Example 1 For information flow of assignment statement: y := f(x1, , xn) the relation glb{ x1, , xn } y must hold Why? Because information flows from x1, , xn to y, and under Biba, information must flow from a higher (or equal) class to a lower one Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-77

Example 2 For information flow of conditional statement: if f(x1, , xn) then S1; else S2; end; then the following must hold: S1, S2 must satisfy integrity constraints glb{ x1, , xn } lub{y | y target of assignment in S1, S2 } Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-78 Example Information Flow Control Systems Use access controls of various types to inhibit information flows Privacy and Android Cell Phones Analyzes data being sent from the phone

Firewalls Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-79 Privacy and Android Cell Phones Many commercial apps use advertising libraries to monitor clicks, fetch ads, display them So they send information, ostensibly to help tailor advertising to you Many apps ask to have full access to phone, data This is because of complexity of permission structure of Android system Ads displayed with privileges of app

And if they use Javascript, that executes with those privileges So if it has full access privilege, it can send contact lists, other information to others Information flow problem as information is flowing from phone to external party Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-80 Analyzing Android Flows Android based on Linux App executables in bytecode format (Dalvik executables, or DEX) and run in Dalvik VM Apps event driven Apps use system libraries to do many of their functions Binder subsystem controls interprocess communication

Analysis uses 2 security levels, untainted and tainted No categories, and tainted < untainted Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-81 TaintDroid: Checking Information Flows All objects tagged tainted or untainted Interpreters, Binder augmented to handle tags Android native libraries trusted Those communicating externally are taint sinks

When untrusted app invokes a taint sink library, taint tag of data is recorded Taint tags assigned to external variables, library return values These are assigned based on knowledge of what native code does Files have single taint tag, updated when file is written Database queries retrieve information, so tag determined by database query responder Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-82 TaintDroid: Checking Information Flows Information from phone sensor may be sensitive; if so, tainted TaintDroid determines this from characteristics of information

Experiment 1 (2010): select 30 popular apps out of a set of 358 that required permission to access Internet, phone location, camera, or microphone; also could access cell phone information 105 network connections accessed tainted data 2 sent phone identification information to a server 9 sent device identifiers to third parties, and 2 didnt tell user 15 sent location information to third parties, none told user No false positives Version 1.0 Computer Security: Art and Science, 2nd Edition

Slide 17-83 TaintDroid: Checking Information Flows Experiment 2 (2010): revisit 18 out of the 30 apps (others did not run on current version of Android) 3 still sent location information to third parties 8 sent device identification information to third parties without consent 3 of these did so in 2010 experiment 5 were new 2 new flows that could reveal tainted data No false positives Version 1.0 Computer Security: Art and Science, 2nd Edition

Slide 17-84 Firewalls Host that mediates access to a network Allows, disallows accesses based on configuration and type of access Example: block Conficker worm Conficker connects to botnet, which can use system for many purposes Spreads through a vulnerability in a particular network service Firewall analyze packets using that service remotely, and look for Conficker and its variants If found, packets discarded, and other actions may be taken Conficker also generates list of host names, tried to contact botnets at those hosts As set of domains known, firewall can also block outbound traffic to those hosts

Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-85 Filtering Firewalls Access control based on attributes of packets and packet headers Such as destination address, port numbers, options, etc. Also called a packet filtering firewall Does not control access based on content Examples: routers, other infrastructure systems

Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-86 Proxy Intermediate agent or server acting on behalf of endpoint without allowing a direct connection between the two endpoints So each endpoint talks to proxy, thinking it is talking to other endpoint Proxy decides whether to forward messages, and whether to alter them Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-87

Proxy Firewall Access control done with proxies Usually bases access control on content as well as source, destination addresses, etc. Also called an applications level or application level firewall Example: virus checking in electronic mail Version 1.0 Incoming mail goes to proxy firewall Proxy firewall receives mail, scans it If no virus, mail forwarded to destination If virus, mail rejected or disinfected before forwarding

Computer Security: Art and Science, 2nd Edition Slide 17-88 Example Want to scan incoming email for malware Firewall acts as recipient, gets packets making up message and reassembles the message It then scans the message for malware If none, message forwarded If some found, mail is discarded (or some other appropriate action) As email reassembled at firewall by a mail agent acting on behalf of mail agent at destination, its a proxy firewall (application layer firewall) Version 1.0 Computer Security: Art and Science, 2nd Edition

Slide 17-89 Stateful Firewall Keeps track of the state of each connection Similar to a proxy firewall No proxies involved, but this can examine contents of connections Analyzes each packet, keeps track of state When state indicates an attack, connection blocked or some other appropriate action taken Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-90 Network Organization: DMZ

DMZ is portion of network separating a purely internal network from external network Usually put systems that need to connect to the Internet here Firewall separates DMZ from purely internal network Firewall controls what information is allowed to flow through it Control is bidirectional; it control flow in both directions Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-91 One Setup of DMZ One dual-homed firewall that routes messages to internal network or DMZ as appropriate

Internet DMZ Version 1.0 firewall internal network Computer Security: Art and Science, 2nd Edition Slide 17-92 Another Setup of DMZ Internet

internal network outer firewall inner firewall Version 1.0 DMZ Two firewalls, one (outer firewall) connected to the Internet, the other (inner firewall) connected to internal

network, and the DMZ is between the firewalls Computer Security: Art and Science, 2nd Edition Slide 17-93 Key Points Both amount of information, direction of flow important Flows can be explicit or implicit Analysis assumes lattice model Non-lattices can be embedded in lattices Compiler-based checks flows at compile time Execution-based checks flows at run time Analysis can be for confidentiality, integrity, or both

Version 1.0 Computer Security: Art and Science, 2nd Edition Slide 17-94

## Recently Viewed Presentations

• Google, Amazon, Microsoft, Apple, DropBox. XSEDE, Condor, BOINC. HydroShare is a web based collaborative system to support analysis, modeling and data publication Observers and instruments. ... School Teacher Kindergarten to 12th Grade, Other, Unspecified ...
• CCGPS Standards. MCC9-12.G.SRT.2 Given two figures, use the definition of similarity in terms of similarity transformations to decide if they are similar; explain using similarity transformations the meaning of similarity for triangles as the equality of all corresponding pairs of...
• GACollege 411. Big Future (College Board) Career Cruising. Get Involved in your community! Studies show students who are involved in their community have better grades. Volunteer & community service. Join a club. Youth groups. Summer/part-time jobs or internships.
• Shintoism. Shin (kami) = gods/deities. To - "the way of" Native and earliest religion of Japan. It teaches that every natural thing in the environment, e.g. people, animals, rocks, trees, rivers, mountains has a spirit (kami) -> Compare Australian Aboriginal...
• Anthem is a work of dystopian fiction. Anthem. has a first-person narrator (Equality 7-2521. ... Topic Sentence/Main Idea: State which part of the theme you will discuss. ... Clincher sentence: Say something interesting that will keep your reader thinking about...
• Types of body cells. 3 basic categories of cells make up the mammalian body: germ cells (oocytes and sperm cells) somatic . cells, and . stem cells. Each of the approximately 100 trillion (1014) cells in an adult human has...
• Marshall Public Schools was already invested in much of the Windows Education stack (Office 365, Intune, Windows Store for Education) and would benefit from working with Microsoft Experts to help configure a Windows 10 in S mode pilot which helps...
• CME Group 是Chicago Group Inc. 的商标。"地球标志"、CME、Globex和 Chicago Mercantile Exchange是Chicago Mercantile Exchange Inc. 的商标。CBOT和Chicago Board of Trade是Board of Trade of the City of Chicago, Inc. 的商标。NYMEX、New York Mercantile Exchange和ClearPort 是New York Mercantile Exchange, Inc. 的注册商标。