Flow and Confinement

7/28/2019 Flow and Confinement

1/63

Lecture 14: Flow & Confinement

Examples of information flow applications The confinement problem Isolation: virtual machines, sandboxes Covert channels

DetectionMitigation

The pumpFebruary 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-1


2/63

Examples

Use access controls of various types toinhibit information flows

Security Pipeline InterfaceAnalyzes data moving from host to destination

Secure Network Server Mail GuardControls flow of data between networks that

have different security classifications

February 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-2


3/63

Security Pipeline Interface

SPI analyzes data going to, from host No access to host main memory Host has no control over SPI

host

second disk

first diskSPI



4/63

Use

Store files on first disk Store corresponding crypto checksums on second

disk

Host requests file from first disk SPI retrieves file, computes crypto checksum SPI retrieves files crypto checksum from second disk If a match, file is fine and forwarded to host If discrepancy, file is compromised and host notified

Integrity information flow restricted here Corrupt file can be seen but will not be trusted



5/63

Secure Network Server Mail

Guard (SNSMG)

Filters analyze outgoing messages

Check authorization of sender

Sanitize message if needed (words and viruses, etc.) Uses type checking to enforce this

Incoming, outgoing messages of different type Only appropriate type can be moved in or out

MTA MTA

out in

filters

SECRET

computer

UNCLASSIFIED

computer



6/63

Confinement

What is the problem? Isolation: virtual machines, sandboxes Detecting covert channels



7/63

February 22, 2011 ECS 235B, Winter Quarter 2011

Example Problem

Server balances bank accounts for clients Server security issues:

Record correctly who used itSend only balancing info to client

Client security issues:Log use correctlyDo not save or retransmit data client sends

Slide #14-7


8/63


Generalization

Client sends request, data to server Server performs some function on data Server returns result to client Access controls:

Server must ensure the resources it accesses on behalfof client include only resources client is authorized to

access

Server must ensure it does not reveal clients data toany entity not authorized to see the clients data

Slide #14-8


9/63


10/63


Total Isolation

Process cannot communicate with any otherprocess

Process cannot be observed

Impossible for this process to leak information

Not practical as process uses observableresources such as CPU, secondary storage,networks, etc.

Slide #14-10


11/63


Example

Processesp, q not allowed to communicate But they share a file system!

Communications protocol:

p sends a bit by creating a file called 0 or 1, then asecond file called send

p waits until sendis deleted before repeating to send anotherbit

q waits until file sendexists, then looks for file 0 or 1;whichever exists is the bit

q then deletes 0, 1, and sendand waits until sendis recreatedbefore repeating to read another bit

Slide #14-11


12/63


Covert Channel

A path of communication not designed to beused for communication

In example, file system is a (storage) covertchannel

Slide #14-12


13/63


Rule of Transitive Confinement

Ifp is confined to prevent leaking, and itinvokes q, then q must be similarly confined

to prevent leaking

Rule: if a confined process invokes a secondprocess, the second process must be as

confined as the first

Slide #14-13


14/63


Lipners Notes

All processes can obtain rough idea of timeRead system clock or wall clock timeDetermine number of instructions executed

All processes can manipulate timeWait some interval of wall clock timeExecute a set number of instructions, then

block

Slide #14-14


15/63


Kochers Attack

This computesx = az mod n, wherez =z0 zk1

x := 1; atmp := a;!for i := 0 to k1 do begin!!if zi = 1 then!! !x := (x * atmp) mod n;!!atmp := (atmp * atmp) mod n;!end

!result := x;! Length of run time related to number of 1 bits inz

Slide #14-15


16/63


17/63


18/63


VMM as Security Kernel

VMM deals with subjects (the VMs) Knows nothing about the processes within the VM

VMM applies security checks to subjects By transitivity, these controls apply to processes on VMs

Thus, satisfies rule of transitive confinement

Slide #14-18


19/63


Example 1: KVM/370

KVM/370 is security-enhanced version ofVM/370 VMM

Goal: prevent communications between VMs ofdifferent security classesLike VM/370, provides VMs with minidisks,

sharing some portions of those disks

Unlike VM/370, mediates access to sharedareas to limit communication in accordancewith security policy

Slide #14-19


20/63


Example 2: VAX/VMM

Can run either VMS or Ultrix 4 privilege levels for VM system

VM user, VM supervisor, VM executive, VMkernel (both physical executive)

VMM runs in physical kernel modeOnly it can access certain resources

VMM subjects: users and VMsSlide #14-20


21/63


Example 2

VMM has flat file system for itselfRest of disk partitioned among VMsVMs can use any file system structure

Each VM has its own set of file systemsSubjects, objects have security, integrity classes

Called access classesVMM has sophisticated auditing mechanism

Slide #14-21


22/63


Problem

Physical resources sharedSystem CPU, disks, etc.

May share logical resourcesDepends on how system is implemented

Allows covert channels

Slide #14-22


23/63


Sandboxes

An environment in which actions arerestricted in accordance with security policy

Limit execution environment as needed Program not modified Libraries, kernel modified to restrict actions

Modify program to check, restrict actions

Like dynamic debuggers, profilers

Slide #14-23


24/63


Examples Limiting Environment

Java virtual machine Security manager limits access of downloaded

programs as policy dictates

Sidewinder firewall Type enforcement limits access Policy fixed in kernel by vendor

Domain Type Enforcement

Enforcement mechanism for DTEL Kernel enforces sandbox defined by system

administrator

Slide #14-24


25/63


Modifying Programs

Add breakpoints or special instructions tosource, binary code

On trap or execution of special instructions,analyze state of process

Variant: software fault isolationAdd instructions checking memory accesses,

other security issues

Any attempt to violate policy causes trapSlide #14-25


26/63


Example: Janus

Implements sandbox in which system callschecked

Frameworkdoes runtime checkingModules determine which accesses allowed

Configuration file Instructs loading of modulesAlso lists constraints

Slide #14-26


27/63


Configuration File

# basic module!basic!!# define subprocess environment variables!putenv IFS=\t\n PATH=/sbin:/bin:/usr/bin TZ=PST8PDT!!# deny access to everything except files under /usr!path deny read,write *!path allow read,write /usr/*!# allow subprocess to read files in library directories!# needed for dynamic loading!path allow read /lib/* /usr/lib/* /usr/local/lib/*!# needed so child can execute programs!path allow read,exec /sbin/* /bin/* /usr/bin/*!

Slide #14-27


28/63

February 22, 2011

ECS 235B, Winter Quarter 2011

How It Works

Framework builds list of relevant system calls Then marks each with allowed, disallowed actions

When monitored system call executed Framework checks arguments, validates that call is allowed for

those arguments

If not, returns failure Otherwise, give control back to child, so normal system call proceeds

Slide #14-28


29/63


30/63

February 22, 2011

ECS 235B, Winter Quarter 2011

Sandboxes, VMs, and TCB

Sandboxes, VMs part of trusted computingbases

Failure: less protection than security officers,users believe

False sense of security Must ensure confinement mechanismcorrectly implements desired security policy

Slide #14-30


31/63

Covert Channels

Shared resources as communication paths Covert storage channel uses attribute of

shared resource Disk space, message size, etc.

Covert timing channel uses temporal orordering relationship among accesses toshared resource Regulating CPU usage, order of reads on disk

February 22, 2011

ECS 235B, Winter Quarter 2011 Slide #14-31


32/63

Example Storage Channel

Processesp, q not allowed to communicate But they share a file system!

Communications protocol:

p sends a bit by creating a file called 0 or 1, then asecond file called send

p waits until sendis deleted before repeating to send anotherbit

q waits until file sendexists, then looks for file 0 or 1;whichever exists is the bit q then deletes 0, 1, and sendand waits until sendis recreated

before repeating to read another bit

February 22, 2011



33/63

Example Timing Channel

System has two VMs Sending machine S, receiving machineR

To send: For 0, Simmediately relinquishes CPU

For example, run a process that instantly blocks For 1, S uses full quantum

For example, run a CPU-intensive process R measures how quickly it gets CPU

Uses real-time clock to measure intervals between access to sharedresource (CPU)

February 22, 2011



34/63

Example Covert Channel

Uses ordering of events; does not use clock Two VMs sharing disk cylinders 100 to 200

SCAN algorithm schedules disk accesses One VM isHigh (H), other isLow (L)

Idea:L will issue requests for blocks on cylinders 139 and161 to be read

If read as 139, then 161, its a 1 bit If read as 161, then 139, its a 0 bit

February 22, 2011



35/63

How It Works

L issues read for data on cylinder 150 Relinquishes CPU when done; arm now at 150

Hruns, issues read for data on cylinder 140 Relinquishes CPU when done; arm now at 140

L runs, issues read for data on cylinders 139 and 161 Due to SCAN, reads 139 first, then 161 This corresponds to a 1

To send a 0,Hwould have issued read for data on cylinder160

February 22, 2011



36/63

Analysis

Timing or storage? Usual definition storage (no timer, clock)

Modify example to include timer

L uses this to determine how long requests take tocomplete

Time to seek to 139 < time to seek to 161 1;otherwise, 0

Channel works same way Suggests its a timing channel; hence our definition

February 22, 2011



37/63


38/63

Key Properties

Existence: the covert channel can be used tosend/receive information

Bandwidth: the rate at which informationcan be sent along the channel Goal of analysis: establish these properties

for each channel

If you can eliminate the channel, great! If not, reduce bandwidth as much as possible

February 22, 2011



39/63


40/63

Noninterference

View read, write as instances ofinformation transfer

Then two processes can communicate ifinformation can be transferred betweenthem, even in the absence of a directcommunication path

A covert channelAlso sounds like interference

February 22, 2011



41/63

Example: SAT

Secure Ada Target, multilevel security policy Approach:

(i, l) removes all instructions issued by subjects dominated bylevel l from instruction stream i

A(i, ) state resulting from execution ofi on state .v(s) describes subject ss view of state

System is noninterference-secure iff for all instructionsequences i, subjects s with security level l(s), states ,

A((i, l(s)), ).v(s) =A(i, ).v(s)

February 22, 2011



42/63

Theorem

Version of the Unwinding Theorem Let be set of system states. A specification is

noninterference-secure if, for each subject s at security

level l(s), there exists an equivalence relation : suchthat for 1, 2, when 12, 1.v(s) = 2.v(s) for 1, 2 and any instruction i, when 12,A(i, 1) A(i,

2)

for and instruction stream i, if(i, l(s)) is empty,A((i, l(s)),).v(s) = .v(s)

February 22, 2011



43/63

Intuition

System is noninterference-secure if:Equivalent states have the same view for each

subject

View remains unchanged if any instruction isexecuted

Instructions from higher-level subjects do notaffect the state from the viewpoint of the lower-

level subjects

February 22, 2011



44/63

Analysis of SAT

Focus on object creation instruction andreadable object set

In these specifications:s subject with security level l(s)o object with security level l(o), type (o) current stateSet of existing objects listed in a global object

table T()

February 22, 2011



45/63

Specification 1

object_create:[ = object_create(s,o,l(o),(o),) ]

[ oT() l(s) l(o) ]

The create succeeds if, and only if, the object does not yetexist and the clearance of the object will dominate the

clearance of its creator

In accord with the writes up okay idea

February 22, 2011



46/63

Specification 2

readable object set: set of existing objects that subjectcould read can_read(s, o, ) true if in state , o is of a type that s can read

(ignoring permissions)

oreadable(s, ) [ oT() (l(o) l(s)) (can_read(s, o, ))]

Cant read a nonexistent object, one with a security levelthat the subjects security level does not dominate, or

object of the wrong type



47/63

Specification 3

SAT enforces tranquility Adding object to readable set means creating new object

Add to readable set:[oreadable(s, ) oreadable(s, )] [ = object_create(s,o,l(o),(o),) oT() l(s) l(o) l(s) can_read(s, o, )]

Says object must be created, levels and discretionary access controlsset properly



48/63


49/63

Continue Analysis

s issues command to create o with: l(o) = l(s) of type with can_read(s, o, 1)

1 state after object_create(s, o, l(o), (o), 1) Specification 1

1 differs from 1 with o in T(1) New entry satisfies:

can_read(s, o, 1) l(s) l(o) l(s), where s created o



50/63

Continue Analysis

o exists in 2 so:2 = object_create(s, o, 2) = 2

But this means

[ A(object_create(s, o, l(o), (o), 2), 2) A(object_create(s, o, l(o), (o), 1), 1) ]

Because create fails in 2 but succeeds in 1 So condition 2 of theorem fails This implies a covert channel as system is not

noninterference-secure



51/63

Example Exploit

To send 1: High subject creates high object Recipient tries to create same object but at low

Creation fails, but no indication given Recipient gives different subject type permission to read, write

object

Again fails, but no indication given Subject writes 1 to object, reads it

Read returns nothing



52/63

Example Exploit

To send 0: High subject creates nothing Recipient tries to create same object but at low

Creation succeeds as object does not exist Recipient gives different subject type permission to read, write

object

Again succeeds Subject writes 1 to object, reads it

Read returns 1



53/63

Use

Can analyze covert storage channelsNoninterference techniques reason in terms of

security levels (attributes of objects)

Covert timing channels much harderYou would have to make ordering an attribute

of the objects in some way



54/63

SRMM

Shared Resource Matrix Methodology Goal: identify shared channels, how they are

shared

Steps: Identify all shared resources, their visible attributes

[rows]

Determine operations that reference (read), modify(write) resource [columns]

Contents of matrix show how operation accesses theresource



55/63

Example

Multilevel security model File attributes:

existence, owner, label, size File manipulation operations:

read, write, delete, create create succeeds if file does not exist; gets creator as owner,

creators label

others require file exists, appropriate labels Subjects:

High, Low



56/63

Shared Resource Matrix

read write delete createexistence R R R, M R, Mowner R Mlabel R R R Msize R M M MFebruary 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-56


57/63

Covert Storage Channel

Properties that must hold for covert storagechannel:

1.Sending, receiving processes have access tosame attribute of shared object;

2. Sender can modify that attribute;3. Receiver can reference that attribute; and4. Mechanism for starting processes, properly

sequencing their accesses to resource



58/63

Example

Consider attributes with both R, M in rows Let High be sender, Low receiver create operation both references, modifies existence

attribute

Low can use this due to semantics of create Need to arrange for proper sequencing accesses to

existence attribute of file (shared resource)



59/63

Use of Channel

3 files: ready, done, 1bit Low creates ready at High level

High checks that file exists

If so, to send 1, it creates 1bit; to send 0, skip Delete ready, create done at High level

Low tries to create done at High level On failure, High is done Low tries to create 1bitat level High

Low deletes done, creates ready at High levelFebruary 22, 2011 ECS 235B, Winter Quarter 2011 Slide #14-59


60/63

Covert Timing Channel

Properties that must hold for covert timingchannel:

1.Sending, receiving processes have access to sameattribute of shared object;

2.Sender, receiver have access to a time reference (wallclock, timer, event ordering, );

3.Sender can control timing of detection of change to thatattribute by receiver; and

4.Mechanism for starting processes, properly sequencingtheir accesses to resource



61/63

Example

Revisit variant of KVM/370 channel Sender, receiver can access ordering of requests by disk

arm scheduler (attribute)

Sender, receiver have access to the ordering of therequests (time reference)

High can control ordering of requests of Low processby issuing cylinder numbers to position arm

appropriately (timing of detection of change)

So whether channel can be exploited depends onwhether there is a mechanism to (1) start sender,receiver and (2) sequence requests as desired



62/63

Uses of SRM Methodology

Applicable at many stages of software life cyclemodel

Flexbility is its strength Used to analyze Secure Ada Target

Participants manually constructed SRM from flowanalysis of SAT model

Took transitive closure Found 2 covert channels

One used assigned level attribute, another assigned typeattribute



63/63

Summary

Methodology comprehensive but incomplete How to identify shared resources? What operations access them and how?

Incompleteness a benefit Allows use at different stages of software engineering life cycle

Incompleteness a problem Makes use of methodology sensitive to particular stage of software

development

Documents

Flow and Confinement