6/18/2015 Prof. Ehud Gudes Security Ch 7 1 1. Assignment:b := e 2. Compound:begin S 1 ;... ; S n end...
04/18/23Prof. Ehud Gudes Security
Ch 7 1
Information Flow Controls
1. Assignment: b := e
2. Compound: begin S1; ...; Sn end
3. Alternation: if e then S1 [else S2]
4. Iteration: while e do S1
5. Call: q(a1, ..., am, b1, ..., bn)
Information Flow Controls, cont.
Security Conditions for Assignment:
Execution of an assignment b := e
is secure if e → b
(the security class of the expression e may flow to the security class of the target b)
Information Flow Controls, cont.
Security Conditions for Compound:
Execution of the statement
begin S1; ...; Sn end
is secure if each of the Si is secure
Problem – implicit information flow
Assume a BLP program where lev(Y) < lev(X):
Z := 0;
if (X == 1) then Z := 1;
Y := Z
Now the value of Y is equal to the value of X, i.e. there is an illegal information flow (high to low…)
Information Flow Controls, cont.
Security Conditions for Alternation:
Execution of the statement if e then S1 [else S2]
is secure if
(i) execution of S1 [and S2] is secure, and
(ii) e → S, where S = S1 [⊗ S2] and S1 = ⊗{b | b is a target of an assignment in S1}, S2 = ⊗{b | b is a target of an assignment in S2}
(⊗ is the meet, i.e. the greatest lower bound, of the target classes: the condition e must flow to every object assigned to in the branches)
Information Flow Controls, cont.
Example: For the following statement
if x > y then begin
  z := w; i := k + 1
end,
condition (ii) is given by x ⊕ y → z ⊗ i
(x ⊕ y is the join, i.e. the class of the condition x > y; z ⊗ i is the meet of the classes of the two targets)
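The certification rules quoted above (assignment, compound, alternation) and the two worked examples (the BLP implicit-flow program with Z and Y, and the statement if x > y then begin z := w; i := k + 1 end), carried out by a small compile-time certifier. This is an added example written for this page, not code from the slides: the four-element security lattice, the class assignments for the variables and the tuple representation of statements are constructed, and the rule for while, which the slides list but do not state, is assumed to be the same as the alternation rule (e → S).

```python
# Added example (not from the slides): a compile-time certifier for the
# flow conditions on the slides, over a toy statement language.
# The while rule is an assumption: treated exactly like alternation (e -> S).

# Constructed security lattice: L <= A <= H and L <= B <= H, with A and B
# incomparable, so join and meet are not simply max/min of a chain.
ELEMENTS = ("L", "A", "B", "H")
LEQ = {("L", "L"), ("L", "A"), ("L", "B"), ("L", "H"),
       ("A", "A"), ("A", "H"), ("B", "B"), ("B", "H"), ("H", "H")}


def flows(a, b):
    """a → b: information of class a may flow to class b (a <= b in the lattice)."""
    return (a, b) in LEQ


def join(*classes):
    """⊕: least upper bound. join() of no operands (a constant) is the bottom class L."""
    uppers = [c for c in ELEMENTS if all(flows(x, c) for x in classes)]
    return next(c for c in uppers if all(flows(c, u) for u in uppers))


def meet(*classes):
    """⊗: greatest lower bound. meet() of no targets is the top class H."""
    lowers = [c for c in ELEMENTS if all(flows(c, x) for x in classes)]
    return next(c for c in lowers if all(flows(l, c) for l in lowers))


# Statements are tuples (constructed representation):
#   ("assign", target, [operand variables])    b := e, class of e = join of operands
#   ("seq", [statements])                      begin S1; ...; Sn end
#   ("if", [condition variables], then, else)  else may be None
#   ("while", [condition variables], body)
def targets(stmt):
    """Objects assigned to anywhere inside stmt, in order of first appearance."""
    kind = stmt[0]
    if kind == "assign":
        found = [stmt[1]]
    elif kind == "seq":
        found = [t for s in stmt[1] for t in targets(s)]
    elif kind == "if":
        found = targets(stmt[2]) + (targets(stmt[3]) if stmt[3] else [])
    elif kind == "while":
        found = targets(stmt[2])
    else:
        raise ValueError(f"unknown statement kind {kind!r}")
    return list(dict.fromkeys(found))


def certify(stmt, env, conditions=None):
    """Generate every flow condition the program must satisfy and evaluate it
    against env (variable -> security class). Returns [(condition, holds)]."""
    if conditions is None:
        conditions = []
    kind = stmt[0]
    if kind == "assign":
        target, operands = stmt[1], stmt[2]
        e = join(*(env[v] for v in operands))
        conditions.append((f"{'⊕'.join(operands) or 'const'} → {target}",
                           flows(e, env[target])))
    elif kind == "seq":
        for s in stmt[1]:                       # compound: each Si must be secure
            certify(s, env, conditions)
    elif kind in ("if", "while"):
        cond_vars = stmt[1]
        branches = [stmt[2]] + ([stmt[3]] if kind == "if" and stmt[3] else [])
        for b in branches:                      # (i) each branch is secure
            certify(b, env, conditions)
        tg = list(dict.fromkeys(t for b in branches for t in targets(b)))
        e = join(*(env[v] for v in cond_vars))  # class of the condition
        s = meet(*(env[t] for t in tg))         # S = meet of all target classes
        conditions.append((f"{'⊕'.join(cond_vars)} → {'⊗'.join(tg) or 'H'}",
                           flows(e, s)))        # (ii) implicit flow e → S
    else:
        raise ValueError(f"unknown statement kind {kind!r}")
    return conditions


def is_secure(stmt, env):
    return all(holds for _, holds in certify(stmt, env))


# The slide's example: if x > y then begin z := w; i := k + 1 end
SLIDE_EXAMPLE = ("if", ["x", "y"],
                 ("seq", [("assign", "z", ["w"]), ("assign", "i", ["k"])]),
                 None)
# Constructed class assignments (hypothetical, not given on the slides)
SLIDE_ENV = {"x": "A", "y": "L", "w": "L", "z": "H", "k": "L", "i": "A"}
LEAKY_ENV = dict(SLIDE_ENV, i="B")   # both assignments still pass; the implicit flow fails

# The implicit-flow slide: Z := 0; if X == 1 then Z := 1; Y := Z  with lev(Y) < lev(X)
IMPLICIT_FLOW = ("seq", [("assign", "Z", []),
                         ("if", ["X"], ("assign", "Z", []), None),
                         ("assign", "Y", ["Z"])])
BLP_ENV = {"X": "H", "Z": "L", "Y": "L"}

if __name__ == "__main__":
    for name, prog, env in (("slide example", SLIDE_EXAMPLE, SLIDE_ENV),
                            ("slide example, i in B", SLIDE_EXAMPLE, LEAKY_ENV),
                            ("implicit flow", IMPLICIT_FLOW, BLP_ENV)):
        print(name, "secure" if is_secure(prog, env) else "REJECTED")
        for text, holds in certify(prog, env):
            print("   ", text, "ok" if holds else "FAILS")
```

With the constructed classes, the slide's statement is certified: w → z and k → i hold, and condition (ii) evaluates to A ⊕ L → H ⊗ A, i.e. A → A. Moving i into the incomparable class B leaves both explicit assignments secure but makes z ⊗ i = B, so x ⊕ y → z ⊗ i fails and the statement is rejected: exactly the implicit flow that checking assignments alone would miss. The BLP program is rejected on the condition X → Z, which is generated for the if regardless of what X happens to be at run time.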
Execution-Based Mechanisms – Problem with sending an Error
Secure execution of the if statement if x=1 then y:=1
is described by
if x=1
then if x → y then y:=1 else skip
else skip.
Suppose x is 0 or 1, y is initially 0, x=High, and y=Low; thus the flow x → y is not secure. Because the assignment to y is skipped both when x=1 (because the security check fails) and when x=0 (because the test “x=1” fails), y is always 0 when the statement terminates, thereby giving no information about x. Note that if an error flag E is set to 1 when the security check fails, then the value of x is encoded in the flag (E=1 implies x=1, E=0 implies x=0).
Execution-Based Mechanisms, cont.
Example:
Consider the statement if x=1 then y:=1 else z:=1
where x=High. Suppose that when x=1, y=High and z=Low, but when x≠1, y=Low and z=High. If both relations x → y and x → z are tested on both branches, the program will be rejected, even though it can be securely executed using Fenton’s approach. (Verification of this is left to the reader.)
Execution Based Mechanism
procedure copy1 (x: integer; var y: integer);
  { copy x to y }
  var z: integer;
begin
  y := 0;                      { y is Low }
  z := 0;                      { z is Low }
  if x = 0 then z := 1;
  if z = 0 then y := 1
end; { copy1 }
Either l(X) <= l(Z) is tested or l(Z) <= l(Y) is tested, but not both! Therefore if errors are reported there is information flow.
How to solve? – don't report errors – Fenton’s model (see Bishop or Denning)
Note: at compile time both are tested!
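The run-time behaviour described on the last two slides (the statement if x=1 then y:=1, and procedure copy1), simulated with a checked assignment that tests the flow from the guarding condition to the target at each assignment and, on failure, either skips silently (Fenton's approach) or also sets an error flag E. This is an added example written for this page, not code from the slides or from Fenton's machine; the two-point lattice, the helper make_assign and the "Low observer" model (what can be seen is the final value of y plus the flag E) are constructed.

```python
# Added example (not from the slides): execution-based flow checking for the
# two programs above, run under "report errors" and "silent skip" (Fenton).
LOW, HIGH = 0, 1   # two-point lattice; a → b holds iff level(a) <= level(b)


def make_assign(levels, state, report_errors, flags):
    """Return a checked assignment operator for one run of a program (constructed helper).
    guard_vars are the variables whose value decided that this statement runs
    (the enclosing if conditions); constants on the right-hand side are Low."""
    def assign(target, value, guard_vars=()):
        source = max((levels[v] for v in guard_vars), default=LOW)
        if source <= levels[target]:            # the flow guard → target is secure
            state[target] = value
        elif report_errors:                     # insecure: skip, and raise the flag
            flags["E"] = 1
        # insecure and not report_errors: Fenton's model, skip without a trace
    return assign


def if_x_then_y(x, report_errors):
    """Slide: if x=1 then y:=1, with x High and y Low. Returns (y, E) as seen at Low."""
    levels, state, flags = {"x": HIGH, "y": LOW}, {"x": x, "y": 0}, {"E": 0}
    assign = make_assign(levels, state, report_errors, flags)
    if state["x"] == 1:
        assign("y", 1, ["x"])                   # tests x → y
    return state["y"], flags["E"]


def copy1(x, report_errors):
    """Slide: procedure copy1 with x High and y, z Low. Returns (y, E) as seen at Low."""
    levels = {"x": HIGH, "y": LOW, "z": LOW}
    state, flags = {"x": x, "y": 0, "z": 0}, {"E": 0}
    assign = make_assign(levels, state, report_errors, flags)
    assign("y", 0)
    assign("z", 0)
    if state["x"] == 0:
        assign("z", 1, ["x"])                   # tests l(x) <= l(z), only when x = 0
    if state["z"] == 0:
        assign("y", 1, ["z"])                   # tests l(z) <= l(y), only when z = 0
    return state["y"], flags["E"]


def observations(program, report_errors):
    """What a Low observer sees, for each possible value of the High input x."""
    return {x: program(x, report_errors) for x in (0, 1)}


def leaks(program, report_errors):
    """The program leaks x iff different High inputs produce different Low views."""
    return len(set(observations(program, report_errors).values())) > 1


if __name__ == "__main__":
    for prog in (if_x_then_y, copy1):
        for report in (True, False):
            print(prog.__name__, "report errors" if report else "silent skip",
                  observations(prog, report), "LEAKS" if leaks(prog, report) else "no leak")
```

With error reporting, copy1 ends with y = 1 for both inputs but E = 1 exactly when x = 0, so the flag carries the bit; under silent skip both inputs give the identical Low view (1, 0) and the run-time mechanism is safe, at the price that the copy simply does not happen. The failing test is different on the two paths only because the check is made on the path actually taken; a compile-time certifier tests x → z whatever the value of x and rejects copy1 outright, which is the remark on the slide.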
Covert Channels (1)
Client, server and collaborator processes
Encapsulated server can still leak to collaborator via covert channels
Security Policies – Control of Information Flow
U1:
The existence of file T (regardless of its label) gives information about the value of profit. Its content even more…
if profit < 0
then delete file T
else begin
  write file T, ‘text’;
  close file T;
end
Covert Timing Channel
[Figure: time runs along the horizontal axis; under normal scheduling the service program runs in three consecutive one-block slots; in the second row the same slots are scheduled so that their pattern communicates the bits 101]
Covert Channels (3)
[Figure: two zebra pictures that appear the same; the picture on the right has the text of 5 Shakespeare plays (Hamlet, Macbeth, Julius Caesar, Merchant of Venice, King Lear), encrypted, inserted into the low-order bits of the colour values]
Fighting Covert Channels (after Detection)
Deletion of the channel if feasible
Add random noise on the channel
Reduce the channel bandwidth, useful for timing channels
Audit the channel
Ignore – danger is not very serious
Language-Based Protection
Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources.
Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable.
Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system.
Language-Based Protection
Two aspects:
Integrity, type checking – preventing bugs, writing safe code
Providing protection and access control mechanisms
Security in Java
Language features – verified by the Bytecode verifier
Sandbox model – using the Security manager
No bypass of the security manager – using the Class-loader
Security in Java – Language Features
No #typedef or #define
No automatic type conversion
No casting
Strongly typed language
Indexes to arrays and strings range validated
Automatic garbage collection
Use of OO features like: Public, Private
Java Security [J8,J9]
A type-safe language: the compiler rejects attempts to misuse variables
Bytecode Verifier: checks include …
1. Attempts to forge pointers
2. Violation of access restrictions on private class members
3. Misuse of variables by type
4. Generation of stack over/underflows
5. Illegal conversion of variables to another type
AND
6. All system calls are done via the Security Manager!
The Java Sandbox
[Figure: on the server, Java source code is compiled by the byte code compiler into an applet (byte code) embedded in a web page; on the client, the browser passes the applet through the byte code verifier, the security manager and the applet class loader before it runs as executable code]
Security Manager Methods
Method – Description
getInCheck – Determine whether a security check is in progress
checkCreateClassLoader – Check to prevent the installation of additional ClassLoaders
checkAccess – Checks whether a thread or thread group can modify the thread group
checkExit – Checks if the exit command can be executed
checkExec – Checks if system commands can be executed
checkLink – Checks if dynamic libraries can be linked
checkRead – Checks if a file can be read from
checkWrite – Checks if a file can be written to
checkConnect – Checks if a network connection can be created
checkListen – Checks if a certain network port can be listened to for connections
checkAccept – Checks if a network connection can be accepted
checkProperties – Checks if the system properties can be accessed
checkTopLevelWindow – Checks whether a window must carry a special warning
checkPackageAccess – Checks if a certain package can be accessed
checkPackageDefinition – Checks if a new class can be added to a package
checkSetFactory – Checks if an applet can set a networking-related object factory
Protection in Java 1.2
Protection is handled by the Java Virtual Machine (JVM)
A class is assigned a protection domain when it is loaded by the JVM.
The protection domain indicates what operations the class can (and cannot) perform.
If a library method is invoked that performs a privileged operation, the stack is inspected to ensure the operation can be performed by the library.
Java Security (2)
Examples of specified protection with JDK 1.2
Java 2 Security
JCA – Java cryptography architecture
JCE – Java cryptography extension
JSSE – Java SSL support
JAAS – Java authentication service
JGSS – Java GSS
Software (copy) protection [J10,J11]
Hardware devices – tokens or dongles. Problem: taking up ports; what about multiple programs?
Bad sectors – bit copiers can be used
Disk hardware: using an invisible sector, weak writing, erasing a sector by laser. Problem: creating valid backups, and reinstalling if the disk crashes!
License and registration using a cryptographic hash of the machine id. Problem: too many connections to the vendor
Legal – best protection commercially!
Watermarking technology
Watermarking Requirements
Easy and convenient to insert into the document (picture)
Impossible to erase
No bad effect on the quality of the document or picture
Reasonable actions on the document, such as cut & paste, must preserve the watermark
Easy to verify by a legal authority