Page 1: A Lattice Model of Secure Information Flow

A Lattice Model of Secure Information Flow

By Dorothy E. Denning

Presented by Drayton Benner

March 22, 2000

Page 2: A Lattice Model of Secure Information Flow

Agenda

– Introduction
– The Information Flow Model
– Enforcement of Security
– Mechanisms for Static Binding
– Mechanisms for Dynamic Binding
– Conclusions

Page 3: A Lattice Model of Secure Information Flow

Introduction

Security – “no unauthorized flow of information is possible”

Data from files/users of higher security cannot be transmitted to files/users of lower security, directly or indirectly.

Goal: “to find suitable and viable restrictions according to which the security of a system would not only be decidable, but simply so.”

Page 4: A Lattice Model of Secure Information Flow

The Model

FM = < N, P, SC, , >

N = { a, b, … } is a set of logical storage objects or information receptacles: files, segments, program variables, and also users.

P is the set of processes. “Processes are the active agents responsible for all information flow.”

Page 5: A Lattice Model of Secure Information Flow

The Model (cont.)

FM = < N, P, SC, , >

SC = { A, B, … } is a set of security classes. The security classes are disjoint classes of information, and every object belongs to a security class. An example would be { public knowledge, confidential, secret, top secret, only available to teenage hackers }.

Page 6: A Lattice Model of Secure Information Flow

The Model (cont.)

FM = < N, P, SC, , >

Binding of objects to security classes can be static or dynamic. With static binding, the security class of an object never changes. With dynamic binding, the object’s security class can change based on the contents of the object.

A process can also be bound to a security class.

Page 7: A Lattice Model of Secure Information Flow

The Model (cont.)

FM = < N, P, SC, , >

The class-combining (binary) operator is associative and commutative. Let A and B be security classes. A B refers to the security class of the result of any binary function on values a and b (a = A, b = B).

The class-combining operator is function independent.

Page 8: A Lattice Model of Secure Information Flow

The Model (cont.)

FM = < N, P, SC, , >

The flow relation: A B if and only if information in class A is allowed to flow to class B. Information can be passed by copying, assignment, I/O, parameter passing, message sending, etc.

The model is concerned with information flow on “legitimate” and “storage” channels, not “covert” channels.

Page 9: A Lattice Model of Secure Information Flow

The Model (cont.)

FM = < N, P, SC, , >

The purpose of coming up with a flow model FM is to be able to say that “FM is secure if and only if execution of a sequence of operations cannot give rise to a flow that violates the relation ‘’.”

Page 10: A Lattice Model of Secure Information Flow

Universally bounded lattice

What is a universally bounded lattice? “a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set.”

So, what is a partially ordered set? A set with a relation R that is reflexive, transitive, and antisymmetric.

Page 11: A Lattice Model of Secure Information Flow

Universally Bounded Lattice (cont.)

So, what are least upper and greatest lower bounds? Suppose <= is the relation. C is an upper bound of A and B if A <= C and B <= C. C is a least upper bound of A and B if for any upper bound D of A and B, C <= D. Lower bounds and greatest lower bounds work the same way.

Page 12: A Lattice Model of Secure Information Flow

Derivation of Lattice Structure

First we show that < SC, > is a poset.

– Reflexive: A A (for consistency’s sake)

– Transitive: if A B and B C, then A C (for consistency’s sake)

– Antisymmetric: if A B and B A, then A = B (otherwise you have a superfluous security class, so this assumption can be made without loss of generality)

Page 13: A Lattice Model of Secure Information Flow

Derivation of Lattice Structure (cont.)

Second, we assume SC is finite because we are hopefully dealing with the real world.

Third, we can assume that there exists a lower bound L on SC without loss of generality. If needed, we can insert L with no objects. Or, perhaps we could fill it with constants.

Fourth, we show that the class-combining operator is a least upper bound operator.

Page 14: A Lattice Model of Secure Information Flow

Derivation of Lattice Structure (cont.)

A B is an upper bound of A and B because, from the definition, information must be able to flow from A or B into A B.

A B is a least upper bound because an upper bound C of A and B can get information from A and B in the same way as A B, so preventing information from flowing from A B to C does not make sense.

Page 15: A Lattice Model of Secure Information Flow

Derivation of Lattice Structure (cont.)

Similar to the least upper bound operator, we can define a greatest lower bound operator such that A B is the greatest lower bound of A and B.

The greatest lower bound of SC we call L, and the least upper bound of SC we call H.

Thus, we have established that SC, “”, and “” form a universally bounded lattice with greatest lower bound L and least upper bound H.
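The derivation above is easy to check mechanically for a small SC. The following is an added example (not code from Denning’s paper or from the presentation): it builds a constructed set of security classes, every subset of three placeholder compartments ordered by inclusion, verifies the poset properties from the “Derivation” slides, computes least upper and greatest lower bounds directly from the flow relation, and locates L and H. It goes beyond the slides’ linear example in that the subset lattice is not totally ordered, so some pairs of classes are incomparable yet still have a lub and a glb.

```python
"""Added example: check that a finite set of security classes with a flow
relation forms a universally bounded lattice.  The classes, compartment
labels and the flow relation are constructed for illustration."""
from itertools import combinations

CATEGORIES = ("crypto", "nuclear", "personnel")   # constructed placeholder labels
# SC: every subset of the compartments (a powerset lattice).
SC = [frozenset(c) for r in range(len(CATEGORIES) + 1)
      for c in combinations(CATEGORIES, r)]


def can_flow(a, b):
    """Flow relation: A may flow to B only if B covers every compartment of A."""
    return a <= b


def is_poset(classes, rel):
    """Reflexive, transitive and antisymmetric, as required on the slides."""
    reflexive = all(rel(a, a) for a in classes)
    transitive = all(rel(a, c)
                     for a in classes for b in classes for c in classes
                     if rel(a, b) and rel(b, c))
    antisymmetric = all(a == b
                        for a in classes for b in classes
                        if rel(a, b) and rel(b, a))
    return reflexive and transitive and antisymmetric


def least_upper_bound(classes, rel, a, b):
    """The upper bound of A and B that flows to every other upper bound, or None."""
    uppers = [c for c in classes if rel(a, c) and rel(b, c)]
    lubs = [c for c in uppers if all(rel(c, d) for d in uppers)]
    return lubs[0] if len(lubs) == 1 else None


def greatest_lower_bound(classes, rel, a, b):
    """The lower bound of A and B that every other lower bound flows to, or None."""
    lowers = [c for c in classes if rel(c, a) and rel(c, b)]
    glbs = [c for c in lowers if all(rel(d, c) for d in lowers)]
    return glbs[0] if len(glbs) == 1 else None


def is_universally_bounded_lattice(classes, rel):
    """A finite poset in which every pair of classes has a lub and a glb."""
    if not classes or not is_poset(classes, rel):
        return False
    return all(least_upper_bound(classes, rel, a, b) is not None
               and greatest_lower_bound(classes, rel, a, b) is not None
               for a in classes for b in classes)


def bounds(classes, rel):
    """(L, H): the class that flows to every class, and the class every class flows to."""
    low = [c for c in classes if all(rel(c, d) for d in classes)]
    high = [c for c in classes if all(rel(d, c) for d in classes)]
    return (low[0] if low else None, high[0] if high else None)


if __name__ == "__main__":
    print("lattice:", is_universally_bounded_lattice(SC, can_flow))
    print("L, H:", bounds(SC, can_flow))
    a, b = frozenset({"crypto"}), frozenset({"nuclear"})
    print("lub:", set(least_upper_bound(SC, can_flow, a, b)))
    # Dropping H breaks the lattice: {crypto,nuclear} and {crypto,personnel}
    # no longer have any upper bound.
    without_top = [c for c in SC if c != frozenset(CATEGORIES)]
    print("without H:", is_universally_bounded_lattice(without_top, can_flow))
```

The last check in the usage block is the practical point of the third and fourth derivation steps: the structure only works if a top and a bottom exist, and deleting H leaves pairs of classes whose combination has no legal destination.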

Page 16: A Lattice Model of Secure Information Flow

Enforcement of Security

The goal, of course, of deriving this information flow model is for it to help us enforce security. To do this, we must monitor all flow-causing operations (yikes!!!).

We must monitor explicit flow (assignment, I/O) and implicit flow. An example of implicit flow:

if a = 0 then b := c

can cause information to flow from a to b whether or not the line b := c is executed.

Page 17: A Lattice Model of Secure Information Flow

Enforcement of Security (cont.)

We want to represent a program or statement S in a way that easily allows us to evaluate whether or not it is secure.

Define S recursively:

– S is an elementary statement (assignment, I/O)

– S = S1; S2

– S = c: S1, …, Sm (c is an m-valued variable)

Page 18: A Lattice Model of Secure Information Flow

Enforcement of Security (cont.)

For elementary statements, S is secure if any explicit flow caused by S is secure.

For S = S1; S2, S is secure if both S1 and S2 are secure.

For S = c: S1, …, Sm, S is secure if each Sk is secure and all implicit flows from c are secure.
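The three rules above are exactly what a compile-time certifier has to implement. The following is an added example, not code from the paper or from the presentation: it encodes statements as nested tuples (my own encoding), assigns each object a class in a four-level linear lattice taken from the slides’ example classes, and walks the statement tree, reporting every explicit flow whose source class does not flow to the target and every implicit flow from a conditional variable c to an object assigned anywhere inside the conditional. Treating constants as members of L is an assumption of the example.

```python
"""Added example: compile-time certification of the recursive statement forms
(elementary, S1; S2, and c: S1, ..., Sm).  Statement encoding, lattice and
sample program are constructed for illustration."""

LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


def flows(a, b):
    """A flows to B in a linear lattice when A's level is not above B's."""
    return LEVELS[a] <= LEVELS[b]


def join(a, b):
    """Class-combining operator: the least upper bound of A and B."""
    return a if LEVELS[a] >= LEVELS[b] else b


def assigned(stmt):
    """Every object written by some elementary statement inside stmt."""
    kind = stmt[0]
    if kind == "assign":
        return {stmt[1]}
    if kind == "seq":
        parts = stmt[1]
    elif kind == "cond":
        parts = stmt[2]
    else:
        raise ValueError(f"unknown statement kind {kind!r}")
    return set().union(*(assigned(s) for s in parts))


def certify(stmt, cls):
    """Return the list of flow violations; an empty list means stmt is secure."""
    kind = stmt[0]
    if kind == "assign":                      # elementary: only the explicit flow
        _, target, sources = stmt
        src = "public"                        # constants belong to L (assumption)
        for s in sources:
            src = join(src, cls[s])
        if flows(src, cls[target]):
            return []
        return [f"explicit: {'+'.join(sources)} -> {target}"]
    if kind == "seq":                         # S1; S2: both parts must be secure
        return [v for s in stmt[1] for v in certify(s, cls)]
    if kind == "cond":                        # c: S1, ..., Sm
        _, c, branches = stmt
        violations = [v for s in branches for v in certify(s, cls)]
        for target in sorted(assigned(stmt)):  # implicit flow from c to each target
            if not flows(cls[c], cls[target]):
                violations.append(f"implicit: {c} -> {target}")
        return violations
    raise ValueError(f"unknown statement kind {kind!r}")


# Constructed sample classes; a is secret, b and c are public, d is secret.
CLASSES = {"a": "secret", "b": "public", "c": "public", "d": "secret"}

# The slides' implicit-flow example: if a = 0 then b := c.
LEAKY = ("cond", "a", [("assign", "b", ["c"])])

# The same conditional writing d, which sits at a's level, certifies cleanly.
SAFE = ("seq", [("assign", "d", ["c"]),
                ("cond", "a", [("assign", "d", ["c"])])])

if __name__ == "__main__":
    print("leaky:", certify(LEAKY, CLASSES))   # reports the implicit flow a -> b
    print("safe: ", certify(SAFE, CLASSES))    # []
```

Note that the explicit check inside the branch (c is public, b is public) passes; only the implicit rule catches the leak, which is why a certifier that checks assignments in isolation is not enough.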

Page 19: A Lattice Model of Secure Information Flow

Enforcement of Security (cont.)

Some or all of these security requirements are being used in the following:

– ADEPT-50

– The MITRE system

– The Case system

– Rotenberg’s Privacy Restriction Processor

– Fenton’s Data Mark Machine

– Gat and Saal (proposed)

– Jones and Lipton (proposed)

– Denning (proposed)

Page 20: A Lattice Model of Secure Information Flow

Mechanisms for Static Binding

Mechanisms for static binding can occur at run-time or at compile-time.

Access Control Mechanisms operate at run-time.

The Data Mark Machine also operates at run-time.

The Certification Mechanism operates at compile-time.

Page 21: A Lattice Model of Secure Information Flow

Access Control Mechanisms

Both the Case system and the MITRE system use Access Control Mechanisms.

Each process has an associated clearance (security) class.

This clearance class is the highest class from which the process can read and the lowest class into which the process can write.

Page 22: A Lattice Model of Secure Information Flow

The Data Mark Machine

Proposed by Fenton to run on an abstract computer called a Data Mark Machine.

A security class p is associated with the program counter of the process p.

When a conditional structure c: S1, …, Sm is reached, p is pushed onto the stack, and the new security class is c p. Once the conditional is finished, the old value p is popped off the stack.

Page 23: A Lattice Model of Secure Information Flow

Certification Mechanism

This is a mechanism proposed by the author.

Compile-time advantages:

– Execution is guaranteed to be secure before it executes.

– The program’s speed is not impaired.

– Higher-level language constructs can be used in the certification process rather than low-level hardware instructions.

Page 24: A Lattice Model of Secure Information Flow

Certification Mechanism (cont.)

Compile-time disadvantages:

– Flows caused by programming language implementation defects cannot be verified (e.g. unchecked array bounds).

– Hardware malfunctions can cause insecure behavior.

– The programmer has to assign a security level to each object in the program.

Page 25: A Lattice Model of Secure Information Flow

Mechanisms for Dynamic Binding

If a system is based purely on dynamic binding, it’s useless. A user at a low security level can raise his security level simply by accessing high security information.

– Dynamic Data Mark Machine

– Nondecreasing Class Mechanisms

Page 26: A Lattice Model of Secure Information Flow

Dynamic Data Mark Machine

A modified version of the Data Mark Machine designed for dynamic binding. Whenever information flows from objects to a dynamically bound object, the class of the dynamically bound object is updated to be the join (least upper bound) of the class of the objects and the class of the program counter.

Security violations can occur using this system because it does not adequately consider implicit flow. Modifications have been proposed by Fenton, Gat and Saal, and Denning.

Page 27: A Lattice Model of Secure Information Flow

Nondecreasing Class Mechanisms

This method of dynamically binding objects operates under the principle that the security class of an object never goes down.

That is, if information flows from an object a to an object b, the security class of b is updated to be a b.

This mechanism is used in the ADEPT system and in Rotenberg’s Processor system. Neither of these systems adequately considers implicit flow.
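The three run-time mechanisms described on these slides (the Data Mark Machine with static binding, the Dynamic Data Mark Machine, and the nondecreasing class mechanism) differ only in what happens at an assignment, so one small interpreter can show all of them. The following is an added example, not code from the paper or the presentation: it keeps the program-counter class stack from the Data Mark Machine slide (push c joined with p on entering a conditional, pop on leaving), and runs a constructed program, b := 0; case a of 0: skip, 1: b := 1, in each mode. The two-class lattice, the statement encoding, and the rule that the static mode refuses an assignment whose source class joined with the program-counter class does not flow to the target are assumptions of the example. The low-observer helper shows why the slides say the dynamic mechanisms do not adequately consider implicit flow: a reader cleared only for LOW can tell the two runs apart even though a is never copied anywhere.

```python
"""Added example: a run-time monitor with a program-counter class stack, in
three modes (static Data Mark Machine, dynamic Data Mark Machine,
nondecreasing class).  Lattice, encoding and program are constructed."""

LOW, HIGH = 0, 1                    # constructed two-class linear lattice


def join(*classes):
    """Least upper bound in the two-level lattice (L for an empty join)."""
    return max(classes, default=LOW)


class SecurityViolation(Exception):
    pass


class Monitor:
    def __init__(self, values, classes, mode):
        self.values = dict(values)      # object contents
        self.classes = dict(classes)    # object -> security class
        self.mode = mode                # "static", "dynamic-dmm" or "nondecreasing"
        self.pc = [LOW]                 # program-counter class stack; top is current

    def run(self, stmt):
        kind = stmt[0]
        if kind == "seq":
            for s in stmt[1]:
                self.run(s)
        elif kind == "case":            # c: S1, ..., Sm, branch chosen by c's value
            _, c, branches = stmt
            self.pc.append(join(self.pc[-1], self.classes[c]))   # push c join p
            self.run(branches[self.values[c]])
            self.pc.pop()                                        # restore old p
        elif kind == "assign":          # target := fn(sources)
            _, target, sources, fn = stmt
            src = join(*(self.classes[s] for s in sources))
            if self.mode == "static":   # classes fixed: refuse an insecure flow
                if join(src, self.pc[-1]) > self.classes[target]:
                    raise SecurityViolation(
                        f"{sources} -> {target} under pc class {self.pc[-1]}")
            elif self.mode == "dynamic-dmm":    # class := join(sources, pc)
                self.classes[target] = join(src, self.pc[-1])
            elif self.mode == "nondecreasing":  # class := join(old class, sources)
                self.classes[target] = join(self.classes[target], src)
            else:
                raise ValueError(f"unknown mode {self.mode!r}")
            self.values[target] = fn(*(self.values[s] for s in sources))
        else:
            raise ValueError(f"unknown statement kind {kind!r}")


# Constructed program: b := 0; case a of 0: skip | 1: b := 1.
# a is never a source of any assignment, so every flow from a to b is implicit.
PROGRAM = ("seq", [
    ("assign", "b", [], lambda: 0),
    ("case", "a", [("seq", []), ("assign", "b", [], lambda: 1)]),
])


def run_program(a_value, mode):
    """Run PROGRAM with a (class HIGH) set to a_value; return b's final value and class."""
    m = Monitor({"a": a_value, "b": None}, {"a": HIGH, "b": LOW}, mode)
    m.run(PROGRAM)
    return m.values["b"], m.classes["b"]


def low_observer_view(a_value, mode):
    """What a reader cleared only for LOW learns about b after the run."""
    try:
        value, cls = run_program(a_value, mode)
    except SecurityViolation:
        return "refused"
    return value if cls == LOW else "hidden"


if __name__ == "__main__":
    for mode in ("static", "dynamic-dmm", "nondecreasing"):
        print(mode, [low_observer_view(a, mode) for a in (0, 1)])
```

In nondecreasing mode b ends at class LOW with value equal to a in both runs, a complete leak. In dynamic-dmm mode the a = 1 run does raise b to HIGH, but the a = 0 run leaves b at LOW holding 0, so the observer still learns a from which run was readable. Only a mechanism that accounts for the untaken branch (the compile-time certifier’s implicit-flow rule) closes that channel.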

Page 28: A Lattice Model of Secure Information Flow

Conclusions

Applications of the model and mechanisms described:

– Confinement: do not let a process leak confidential information

– Databases: ability to control the flow of raw data in the database as well as the flow of correlations of the data

– Some requirements modeled by an access matrix have been omitted. Practical systems need both access and flow control.

Page 29: A Lattice Model of Secure Information Flow

Questions?