Flow and Confinement
Transcript of Flow and Confinement
-
7/28/2019 Flow and Confinement
1/63
Lecture 14: Flow & Confinement
Examples of information flow applications The confinement problem Isolation: virtual machines, sandboxes Covert channels
DetectionMitigation
The pumpFebruary 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-1
-
7/28/2019 Flow and Confinement
2/63
Examples
Use access controls of various types toinhibit information flows
Security Pipeline InterfaceAnalyzes data moving from host to destination
Secure Network Server Mail GuardControls flow of data between networks that
have different security classifications
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-2
-
7/28/2019 Flow and Confinement
3/63
Security Pipeline Interface
SPI analyzes data going to, from host No access to host main memory Host has no control over SPI
host
second disk
first diskSPI
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-3
-
7/28/2019 Flow and Confinement
4/63
Use
Store files on first disk Store corresponding crypto checksums on second
disk
Host requests file from first disk SPI retrieves file, computes crypto checksum SPI retrieves files crypto checksum from second disk If a match, file is fine and forwarded to host If discrepancy, file is compromised and host notified
Integrity information flow restricted here Corrupt file can be seen but will not be trusted
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-4
-
7/28/2019 Flow and Confinement
5/63
Secure Network Server Mail
Guard (SNSMG)
Filters analyze outgoing messages
Check authorization of sender
Sanitize message if needed (words and viruses, etc.) Uses type checking to enforce this
Incoming, outgoing messages of different type Only appropriate type can be moved in or out
MTA MTA
out in
filters
SECRET
computer
UNCLASSIFIED
computer
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-5
-
7/28/2019 Flow and Confinement
6/63
Confinement
What is the problem? Isolation: virtual machines, sandboxes Detecting covert channels
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-6
-
7/28/2019 Flow and Confinement
7/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Example Problem
Server balances bank accounts for clients Server security issues:
Record correctly who used itSend only balancing info to client
Client security issues:Log use correctlyDo not save or retransmit data client sends
Slide #14-7
-
7/28/2019 Flow and Confinement
8/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Generalization
Client sends request, data to server Server performs some function on data Server returns result to client Access controls:
Server must ensure the resources it accesses on behalfof client include only resources client is authorized to
access
Server must ensure it does not reveal clients data toany entity not authorized to see the clients data
Slide #14-8
-
7/28/2019 Flow and Confinement
9/63
-
7/28/2019 Flow and Confinement
10/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Total Isolation
Process cannot communicate with any otherprocess
Process cannot be observed
Impossible for this process to leak information
Not practical as process uses observableresources such as CPU, secondary storage,networks, etc.
Slide #14-10
-
7/28/2019 Flow and Confinement
11/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Example
Processesp, q not allowed to communicate But they share a file system!
Communications protocol:
p sends a bit by creating a file called 0 or 1, then asecond file called send
p waits until sendis deleted before repeating to send anotherbit
q waits until file sendexists, then looks for file 0 or 1;whichever exists is the bit
q then deletes 0, 1, and sendand waits until sendis recreatedbefore repeating to read another bit
Slide #14-11
-
7/28/2019 Flow and Confinement
12/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Covert Channel
A path of communication not designed to beused for communication
In example, file system is a (storage) covertchannel
Slide #14-12
-
7/28/2019 Flow and Confinement
13/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Rule of Transitive Confinement
Ifp is confined to prevent leaking, and itinvokes q, then q must be similarly confined
to prevent leaking
Rule: if a confined process invokes a secondprocess, the second process must be as
confined as the first
Slide #14-13
-
7/28/2019 Flow and Confinement
14/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Lipners Notes
All processes can obtain rough idea of timeRead system clock or wall clock timeDetermine number of instructions executed
All processes can manipulate timeWait some interval of wall clock timeExecute a set number of instructions, then
block
Slide #14-14
-
7/28/2019 Flow and Confinement
15/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Kochers Attack
This computesx = az mod n, wherez =z0 zk1
x := 1; atmp := a;!for i := 0 to k1 do begin!!if zi = 1 then!! !x := (x * atmp) mod n;!!atmp := (atmp * atmp) mod n;!end
!result := x;! Length of run time related to number of 1 bits inz
Slide #14-15
-
7/28/2019 Flow and Confinement
16/63
-
7/28/2019 Flow and Confinement
17/63
-
7/28/2019 Flow and Confinement
18/63
February 22, 2011 ECS 235B, Winter Quarter 2011
VMM as Security Kernel
VMM deals with subjects (the VMs) Knows nothing about the processes within the VM
VMM applies security checks to subjects By transitivity, these controls apply to processes on VMs
Thus, satisfies rule of transitive confinement
Slide #14-18
-
7/28/2019 Flow and Confinement
19/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Example 1: KVM/370
KVM/370 is security-enhanced version ofVM/370 VMM
Goal: prevent communications between VMs ofdifferent security classesLike VM/370, provides VMs with minidisks,
sharing some portions of those disks
Unlike VM/370, mediates access to sharedareas to limit communication in accordancewith security policy
Slide #14-19
-
7/28/2019 Flow and Confinement
20/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Example 2: VAX/VMM
Can run either VMS or Ultrix 4 privilege levels for VM system
VM user, VM supervisor, VM executive, VMkernel (both physical executive)
VMM runs in physical kernel modeOnly it can access certain resources
VMM subjects: users and VMsSlide #14-20
-
7/28/2019 Flow and Confinement
21/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Example 2
VMM has flat file system for itselfRest of disk partitioned among VMsVMs can use any file system structure
Each VM has its own set of file systemsSubjects, objects have security, integrity classes
Called access classesVMM has sophisticated auditing mechanism
Slide #14-21
-
7/28/2019 Flow and Confinement
22/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Problem
Physical resources sharedSystem CPU, disks, etc.
May share logical resourcesDepends on how system is implemented
Allows covert channels
Slide #14-22
-
7/28/2019 Flow and Confinement
23/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Sandboxes
An environment in which actions arerestricted in accordance with security policy
Limit execution environment as needed Program not modified Libraries, kernel modified to restrict actions
Modify program to check, restrict actions
Like dynamic debuggers, profilers
Slide #14-23
-
7/28/2019 Flow and Confinement
24/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Examples Limiting Environment
Java virtual machine Security manager limits access of downloaded
programs as policy dictates
Sidewinder firewall Type enforcement limits access Policy fixed in kernel by vendor
Domain Type Enforcement
Enforcement mechanism for DTEL Kernel enforces sandbox defined by system
administrator
Slide #14-24
-
7/28/2019 Flow and Confinement
25/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Modifying Programs
Add breakpoints or special instructions tosource, binary code
On trap or execution of special instructions,analyze state of process
Variant: software fault isolationAdd instructions checking memory accesses,
other security issues
Any attempt to violate policy causes trapSlide #14-25
-
7/28/2019 Flow and Confinement
26/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Example: Janus
Implements sandbox in which system callschecked
Frameworkdoes runtime checkingModules determine which accesses allowed
Configuration file Instructs loading of modulesAlso lists constraints
Slide #14-26
-
7/28/2019 Flow and Confinement
27/63
February 22, 2011 ECS 235B, Winter Quarter 2011
Configuration File
# basic module!basic!!# define subprocess environment variables!putenv IFS=\t\n PATH=/sbin:/bin:/usr/bin TZ=PST8PDT!!# deny access to everything except files under /usr!path deny read,write *!path allow read,write /usr/*!# allow subprocess to read files in library directories!# needed for dynamic loading!path allow read /lib/* /usr/lib/* /usr/local/lib/*!# needed so child can execute programs!path allow read,exec /sbin/* /bin/* /usr/bin/*!
Slide #14-27
-
7/28/2019 Flow and Confinement
28/63
February 22, 2011
ECS 235B, Winter Quarter 2011
How It Works
Framework builds list of relevant system calls Then marks each with allowed, disallowed actions
When monitored system call executed Framework checks arguments, validates that call is allowed for
those arguments
If not, returns failure Otherwise, give control back to child, so normal system call proceeds
Slide #14-28
-
7/28/2019 Flow and Confinement
29/63
-
7/28/2019 Flow and Confinement
30/63
February 22, 2011
ECS 235B, Winter Quarter 2011
Sandboxes, VMs, and TCB
Sandboxes, VMs part of trusted computingbases
Failure: less protection than security officers,users believe
False sense of security Must ensure confinement mechanismcorrectly implements desired security policy
Slide #14-30
-
7/28/2019 Flow and Confinement
31/63
Covert Channels
Shared resources as communication paths Covert storage channel uses attribute of
shared resource Disk space, message size, etc.
Covert timing channel uses temporal orordering relationship among accesses toshared resource Regulating CPU usage, order of reads on disk
February 22, 2011
ECS 235B, Winter Quarter 2011 Slide #14-31
-
7/28/2019 Flow and Confinement
32/63
Example Storage Channel
Processesp, q not allowed to communicate But they share a file system!
Communications protocol:
p sends a bit by creating a file called 0 or 1, then asecond file called send
p waits until sendis deleted before repeating to send anotherbit
q waits until file sendexists, then looks for file 0 or 1;whichever exists is the bit q then deletes 0, 1, and sendand waits until sendis recreated
before repeating to read another bit
February 22, 2011
ECS 235B, Winter Quarter 2011 Slide #14-32
-
7/28/2019 Flow and Confinement
33/63
Example Timing Channel
System has two VMs Sending machine S, receiving machineR
To send: For 0, Simmediately relinquishes CPU
For example, run a process that instantly blocks For 1, S uses full quantum
For example, run a CPU-intensive process R measures how quickly it gets CPU
Uses real-time clock to measure intervals between access to sharedresource (CPU)
February 22, 2011
ECS 235B, Winter Quarter 2011 Slide #14-33
-
7/28/2019 Flow and Confinement
34/63
Example Covert Channel
Uses ordering of events; does not use clock Two VMs sharing disk cylinders 100 to 200
SCAN algorithm schedules disk accesses One VM isHigh (H), other isLow (L)
Idea:L will issue requests for blocks on cylinders 139 and161 to be read
If read as 139, then 161, its a 1 bit If read as 161, then 139, its a 0 bit
February 22, 2011
ECS 235B, Winter Quarter 2011 Slide #14-34
-
7/28/2019 Flow and Confinement
35/63
How It Works
L issues read for data on cylinder 150 Relinquishes CPU when done; arm now at 150
Hruns, issues read for data on cylinder 140 Relinquishes CPU when done; arm now at 140
L runs, issues read for data on cylinders 139 and 161 Due to SCAN, reads 139 first, then 161 This corresponds to a 1
To send a 0,Hwould have issued read for data on cylinder160
February 22, 2011
ECS 235B, Winter Quarter 2011 Slide #14-35
-
7/28/2019 Flow and Confinement
36/63
Analysis
Timing or storage? Usual definition storage (no timer, clock)
Modify example to include timer
L uses this to determine how long requests take tocomplete
Time to seek to 139 < time to seek to 161 1;otherwise, 0
Channel works same way Suggests its a timing channel; hence our definition
February 22, 2011
ECS 235B, Winter Quarter 2011 Slide #14-36
-
7/28/2019 Flow and Confinement
37/63
-
7/28/2019 Flow and Confinement
38/63
Key Properties
Existence: the covert channel can be used tosend/receive information
Bandwidth: the rate at which informationcan be sent along the channel Goal of analysis: establish these properties
for each channel
If you can eliminate the channel, great! If not, reduce bandwidth as much as possible
February 22, 2011
ECS 235B, Winter Quarter 2011 Slide #14-38
-
7/28/2019 Flow and Confinement
39/63
-
7/28/2019 Flow and Confinement
40/63
Noninterference
View read, write as instances ofinformation transfer
Then two processes can communicate ifinformation can be transferred betweenthem, even in the absence of a directcommunication path
A covert channelAlso sounds like interference
February 22, 2011
ECS 235B, Winter Quarter 2011 Slide #14-40
-
7/28/2019 Flow and Confinement
41/63
Example: SAT
Secure Ada Target, multilevel security policy Approach:
(i, l) removes all instructions issued by subjects dominated bylevel l from instruction stream i
A(i, ) state resulting from execution ofi on state .v(s) describes subject ss view of state
System is noninterference-secure iff for all instructionsequences i, subjects s with security level l(s), states ,
A((i, l(s)), ).v(s) =A(i, ).v(s)
February 22, 2011
ECS 235B, Winter Quarter 2011 Slide #14-41
-
7/28/2019 Flow and Confinement
42/63
Theorem
Version of the Unwinding Theorem Let be set of system states. A specification is
noninterference-secure if, for each subject s at security
level l(s), there exists an equivalence relation : suchthat for 1, 2, when 12, 1.v(s) = 2.v(s) for 1, 2 and any instruction i, when 12,A(i, 1) A(i,
2)
for and instruction stream i, if(i, l(s)) is empty,A((i, l(s)),).v(s) = .v(s)
February 22, 2011
ECS 235B, Winter Quarter 2011 Slide #14-42
-
7/28/2019 Flow and Confinement
43/63
Intuition
System is noninterference-secure if:Equivalent states have the same view for each
subject
View remains unchanged if any instruction isexecuted
Instructions from higher-level subjects do notaffect the state from the viewpoint of the lower-
level subjects
February 22, 2011
ECS 235B, Winter Quarter 2011 Slide #14-43
-
7/28/2019 Flow and Confinement
44/63
Analysis of SAT
Focus on object creation instruction andreadable object set
In these specifications:s subject with security level l(s)o object with security level l(o), type (o) current stateSet of existing objects listed in a global object
table T()
February 22, 2011
ECS 235B, Winter Quarter 2011 Slide #14-44
-
7/28/2019 Flow and Confinement
45/63
Specification 1
object_create:[ = object_create(s,o,l(o),(o),) ]
[ oT() l(s) l(o) ]
The create succeeds if, and only if, the object does not yetexist and the clearance of the object will dominate the
clearance of its creator
In accord with the writes up okay idea
February 22, 2011
ECS 235B, Winter Quarter 2011 Slide #14-45
-
7/28/2019 Flow and Confinement
46/63
Specification 2
readable object set: set of existing objects that subjectcould read can_read(s, o, ) true if in state , o is of a type that s can read
(ignoring permissions)
oreadable(s, ) [ oT() (l(o) l(s)) (can_read(s, o, ))]
Cant read a nonexistent object, one with a security levelthat the subjects security level does not dominate, or
object of the wrong type
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-46
-
7/28/2019 Flow and Confinement
47/63
Specification 3
SAT enforces tranquility Adding object to readable set means creating new object
Add to readable set:[oreadable(s, ) oreadable(s, )] [ = object_create(s,o,l(o),(o),) oT() l(s) l(o) l(s) can_read(s, o, )]
Says object must be created, levels and discretionary access controlsset properly
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-47
-
7/28/2019 Flow and Confinement
48/63
-
7/28/2019 Flow and Confinement
49/63
Continue Analysis
s issues command to create o with: l(o) = l(s) of type with can_read(s, o, 1)
1 state after object_create(s, o, l(o), (o), 1) Specification 1
1 differs from 1 with o in T(1) New entry satisfies:
can_read(s, o, 1) l(s) l(o) l(s), where s created o
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-49
-
7/28/2019 Flow and Confinement
50/63
Continue Analysis
o exists in 2 so:2 = object_create(s, o, 2) = 2
But this means
[ A(object_create(s, o, l(o), (o), 2), 2) A(object_create(s, o, l(o), (o), 1), 1) ]
Because create fails in 2 but succeeds in 1 So condition 2 of theorem fails This implies a covert channel as system is not
noninterference-secure
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-50
-
7/28/2019 Flow and Confinement
51/63
Example Exploit
To send 1: High subject creates high object Recipient tries to create same object but at low
Creation fails, but no indication given Recipient gives different subject type permission to read, write
object
Again fails, but no indication given Subject writes 1 to object, reads it
Read returns nothing
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-51
-
7/28/2019 Flow and Confinement
52/63
Example Exploit
To send 0: High subject creates nothing Recipient tries to create same object but at low
Creation succeeds as object does not exist Recipient gives different subject type permission to read, write
object
Again succeeds Subject writes 1 to object, reads it
Read returns 1
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-52
-
7/28/2019 Flow and Confinement
53/63
Use
Can analyze covert storage channelsNoninterference techniques reason in terms of
security levels (attributes of objects)
Covert timing channels much harderYou would have to make ordering an attribute
of the objects in some way
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-53
-
7/28/2019 Flow and Confinement
54/63
SRMM
Shared Resource Matrix Methodology Goal: identify shared channels, how they are
shared
Steps: Identify all shared resources, their visible attributes
[rows]
Determine operations that reference (read), modify(write) resource [columns]
Contents of matrix show how operation accesses theresource
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-54
-
7/28/2019 Flow and Confinement
55/63
Example
Multilevel security model File attributes:
existence, owner, label, size File manipulation operations:
read, write, delete, create create succeeds if file does not exist; gets creator as owner,
creators label
others require file exists, appropriate labels Subjects:
High, Low
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-55
-
7/28/2019 Flow and Confinement
56/63
Shared Resource Matrix
read write delete createexistence R R R, M R, Mowner R Mlabel R R R Msize R M M MFebruary 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-56
-
7/28/2019 Flow and Confinement
57/63
Covert Storage Channel
Properties that must hold for covert storagechannel:
1.Sending, receiving processes have access tosame attribute of shared object;
2. Sender can modify that attribute;3. Receiver can reference that attribute; and4. Mechanism for starting processes, properly
sequencing their accesses to resource
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-57
-
7/28/2019 Flow and Confinement
58/63
Example
Consider attributes with both R, M in rows Let High be sender, Low receiver create operation both references, modifies existence
attribute
Low can use this due to semantics of create Need to arrange for proper sequencing accesses to
existence attribute of file (shared resource)
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-58
-
7/28/2019 Flow and Confinement
59/63
Use of Channel
3 files: ready, done, 1bit Low creates ready at High level
High checks that file exists
If so, to send 1, it creates 1bit; to send 0, skip Delete ready, create done at High level
Low tries to create done at High level On failure, High is done Low tries to create 1bitat level High
Low deletes done, creates ready at High levelFebruary 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-59
-
7/28/2019 Flow and Confinement
60/63
Covert Timing Channel
Properties that must hold for covert timingchannel:
1.Sending, receiving processes have access to sameattribute of shared object;
2.Sender, receiver have access to a time reference (wallclock, timer, event ordering, );
3.Sender can control timing of detection of change to thatattribute by receiver; and
4.Mechanism for starting processes, properly sequencingtheir accesses to resource
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-60
-
7/28/2019 Flow and Confinement
61/63
Example
Revisit variant of KVM/370 channel Sender, receiver can access ordering of requests by disk
arm scheduler (attribute)
Sender, receiver have access to the ordering of therequests (time reference)
High can control ordering of requests of Low processby issuing cylinder numbers to position arm
appropriately (timing of detection of change)
So whether channel can be exploited depends onwhether there is a mechanism to (1) start sender,receiver and (2) sequence requests as desired
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-61
-
7/28/2019 Flow and Confinement
62/63
Uses of SRM Methodology
Applicable at many stages of software life cyclemodel
Flexbility is its strength Used to analyze Secure Ada Target
Participants manually constructed SRM from flowanalysis of SAT model
Took transitive closure Found 2 covert channels
One used assigned level attribute, another assigned typeattribute
February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-62
-
7/28/2019 Flow and Confinement
63/63
Summary
Methodology comprehensive but incomplete How to identify shared resources? What operations access them and how?
Incompleteness a benefit Allows use at different stages of software engineering life cycle
Incompleteness a problem Makes use of methodology sensitive to particular stage of software
development