View
217
Download
2
Tags:
Embed Size (px)
Citation preview
Security and Refinement
John A. ClarkSusan Stepney
Howard Chivers Dept of Computer Science, University of York
7 September 2004
What is Security?????
What is security Stopping people reading what they
shouldn’t. You could be forgiven for believing
this. It’s a start
Bell and La Padula
Top Secret
Secret
Confidential
Restricted
Unclassified
May read and write
May write
May read
Secret
Confidential
Restricted
Unclassified
MaximumClearance
CurrentClearance
Bell and La Padula Various foundational papers in the
early seventies and the ‘Secure Exposition and MULTICS Interpretation’ in 1976.
But it’s not without its problems....
Bell and La Padula In practice objects lie outside the
model; access is not policed. file locks Names
This allows these channels to act a information conduits for information transfer (actually this is their intended function)
Bell and La Padula In practice objects lie outside the
model; access is not policed. file locks Names
This allows these channels to act a information conduits for information transfer (actually this is their intended function)
Covert Channels Computer systems provide channels for
inter-subject communication, e.g. FILES. These are intended to be used for
communication and access to them can be policed by the system.
Generally possible to identify unusual means of communicating via elements of the system so that the intent of the mandatory policy is broken. These means are known as covert channels.
Covert Channels Covert channels arise because subjects
share resources. The shared resources allow one subject (the transmitter) to modulate some aspect of how another subject (the receiver) perceives the system.
Covert channels are generally grouped for working purposes into:
storage channels (where the values returned to the receiver by operations are affected).
timing channels (where the times at which events are perceived by the receiver are modulated).
System Z – the trouble continues Start in a secure state “no one is able to
read a document above their clearance” Make only transitions that preserve that
property Security is maintained????? Not exactly.
A system could downgrade everything to the lowest classification and allow anyone access
Non-interference More modern 1984(1982)++ is non-
interference by Goguen and Meseguer. Actions by high level subjects (e.g. Top Secret)
should not be visible to lower level subjects Formulated in terms of trace validity
HighLow
Non-interference This is generally considered too
strong a policy to implement effectively.
In practice, ruling out every bit of information flow is not the aim. We may wish to allow communication
but only via specific channels (conditional non-interference)
Formal Methods Empowerment
Model based specifications: operations are “atomic” yet consume no power.
Mathematics: f(x) just is (cf. “Be man” from the 1960s)
Computation: You need to calculate f(x) on real
hardware. This consumes power.
Power is a drug – Just say no.
2*5=?? 25*25=?? 16554*54237=??
The amount and pattern of intellectual work you have to do varies according to the data you are multiplying.
So if you don’t want anyone to know (gain information on) what you are multiplying don’t freely accept offers of power (power is a drug, and it causes you to spill the beans)
Time to think, I think
216=?? 2317=??
The time a computer takes to carry out an operation such as exponentiation typically depends on the operands.
If the exponent is a private key (e.g. as in RSA)
And is this what security is about? No. Confidentiality is one part of security. Integrity (if we know what this
means)??? Availability??? Anonymity (again unlikely to be an
all or nothing affair). Accountability/non-repudiation
Breaking the Model
Slides by Susan
Relational model of refinement
initialisation operation finalisation
simulation
what is finalisation? process of moving from (abstract or
concrete) world of programming variables, to “real” (but still modelled) world
how to interpret programming variables “finalisation glasses” both outputs and state components abstract model -- usually identity function
example: set and sequence global “real world” model : a set abstract model : a set
s : P X ; FA(s) = s -- identity finalisation
concrete model : a sequence t : seq X ; FC(t) = ran t look at the sequence through finalisation glasses
that see only the underlying set successive refinements
one step’s concrete model is the next step’s abstract model
example : a clock paradox
(A) clock that is 5 minutes slow -- never right
(B) stopped clock -- right twice a day
(A) a simple finalisation to get the right time -- add 5 minutes
(B) no possible finalisation glasses
unwanted finalisations finalisations “throw away”
information example: order of the sequence
what if you don’t wear the glasses? instead, use the maximal identity
finalisation, to see “more” covert channels
ordering, timing, delays, …
a solution? restrict to identity finalisation
essentially, don’t allow output refinement
but, real devices output concrete things, like bit-streams, or voltages, or …
“extra-logical” finalisations
C
G
G’
R
f
id
x
so, not a solution forbidding the problem merely
moves it somewhere even more covert
instead, use the concept of finalisation to categorise and expose various covert channels, various security attacks
vary the “glasses” intended -- use the glasses unintended -- remove (or de-mist) glasses
view page faults, interrupts, power, timing, …
direct -- observe a single output enhanced -- post-process
view sequences of outputs
single viewpoint multiple viewpoints (multiple different glasses)
passive -- just observe invasive -- break into the device
vary the system standard -- observe the system working as intended perturbed -- observe a perturbed system
under load, irradiated, flexed, …
passive perturbation -- worn out device invasive perturbation -- attack with ion gun
single system multiple systems -- differential analyses
homogeneous multiples -- lots of the “same” system heterogeneous -- “sameness” depends on the
observation engineered, natural
vary the environment standard -- observe within specification (can still
vary) perturbed -- observe outside specification
heated, cooled, …
single environmental attribute multiple attribute
passive perturbation -- naturally very cold smart cards in Sweden cold can lower noise, defeat blinding defences
invasive perturbation -- deliberately modulate power supply
higher order glasses non-standard observations of the
analysis techniques themselves often attacks involve searches
view the trajectory of a search algorithm view the search on a slightly different
problem …
illustrations intended finalisation, single system, perturbed fault injection, bit flip, breaking RSA
unintended finalisation, enhanced, single system
differential power analysis of smart cards
unintended finalisation, single system, perturbed environment
static RAM persists for minutes at –20°C
prevention enforce use of the glasses
by use of a protective screen implement “magic eye” glasses
noise without them -- crypto detect unwanted finalisations
mainly invasive ones and then destroy the secrets!
unusual, wanted, finalisations
multiple finalisations for different roles user, administrator, audit, …
breaking atomicity usefully progressive gifs
finalise the user observe dynamics of hand signatures textual analyses for authorship
anonymity v. authentication tradeoffs destructive quantum finalisation
essential in various security schemes