Posted 20-Dec-2015

04/18/23 Prof. Ehud Gudes, Security, Ch 7

Information Flow Controls

The five statement types of the language:

1. Assignment: b := e
2. Compound: begin S1; . . . ; Sn end
3. Alternation: if e then S1 [else S2]
4. Iteration: while e do S1
5. Call: q(a1, . . . , am, b1, . . . , bn)

Information Flow Controls, cont.

Security condition for assignment: execution of an assignment

b := e

is secure if e ≤ b, i.e. the security class of e is dominated by the security class of b.

Information Flow Controls, cont.

Security condition for compound: execution of the statement

begin S1; . . . ; Sn end

is secure if each of the Si is secure.

Problem – implicit information flow

Assume a BLP program where lev(Y) < lev(X):

Z := 0
if (X == 1) then Z := 1
Y := Z

Now the value of Y is equal to the value of X, i.e. there is an illegal information flow (high to low), even though no assignment copies X into Y directly: the information passes through the condition of the if statement.

Information Flow Controls, cont.

Security condition for alternation: execution of the statement

if e then S1 [else S2]

is secure if
(i) execution of S1 [and S2] is secure, and
(ii) e ≤ S, where S = S1 [∪ S2], the set S1 = {b | b is the target of an assignment in statement S1} and the set S2 = {b | b is the target of an assignment in statement S2}. Here e ≤ S means that the class of e is dominated by the class of every variable in S, i.e. by the greatest lower bound of their classes.

Information Flow Controls, cont.

Example: for the statement

if x > y then
begin
  z := w;
  i := k + 1
end,

condition (ii) is given by x ⊕ y ≤ z ⊗ i, where ⊕ is the least upper bound of the classes (the class of the expression x > y) and ⊗ the greatest lower bound of the classes (the class of the set of assignment targets {z, i}).
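As an added example (not part of the lecture), the certification rules of the preceding slides implemented as a compile-time checker over a small hypothetical statement AST with a two-point lattice Low ≤ High; it is run on the slide 4 program and on the slide 6 statement. The AST shape and the variable classes are assumptions made here.

```python
# Added example: compile-time certifier for the assignment / compound /
# alternation rules. Lattice: LOW <= HIGH; a <= b means class a may flow to b.
# Hypothetical AST (constructed for this example):
#   ("assign", target, expr_vars)   b := e, expr_vars = variables read by e
#   ("seq", [stmt, ...])            begin S1; ...; Sn end
#   ("if", cond_vars, then_stmt, else_stmt_or_None)
LOW, HIGH = 0, 1          # rank in the lattice; lub = max, glb = min

def lub(classes):
    return max(classes, default=LOW)   # class of an expression: join of its variables

def glb(classes):
    return min(classes, default=HIGH)  # class of a set of targets: meet

def targets(stmt):
    """Variables assigned anywhere inside stmt (the sets S1 / S2 of the slides)."""
    kind = stmt[0]
    if kind == "assign":
        return {stmt[1]}
    if kind == "seq":
        return set().union(*(targets(s) for s in stmt[1]))
    if kind == "if":
        return targets(stmt[2]) | (targets(stmt[3]) if stmt[3] else set())
    raise ValueError(kind)

def secure(stmt, cls):
    """True iff stmt is certified secure under the rules, given the class map cls."""
    kind = stmt[0]
    if kind == "assign":                                   # rule: e <= b
        return lub(cls[v] for v in stmt[2]) <= cls[stmt[1]]
    if kind == "seq":                                      # rule: every Si secure
        return all(secure(s, cls) for s in stmt[1])
    if kind == "if":
        branches = [stmt[2]] + ([stmt[3]] if stmt[3] else [])
        if not all(secure(s, cls) for s in branches):      # condition (i)
            return False
        s_set = set().union(*(targets(b) for b in branches))
        return lub(cls[v] for v in stmt[1]) <= glb(cls[v] for v in s_set)  # (ii)
    raise ValueError(kind)

# Slide 4 program: Z := 0; if X == 1 then Z := 1; Y := Z, with X High, Y and Z Low.
IMPLICIT_FLOW = ("seq", [("assign", "Z", []), ("if", ["X"], ("assign", "Z", []), None),
                         ("assign", "Y", ["Z"])])
BLP_CLASSES = {"X": HIGH, "Y": LOW, "Z": LOW}
# Slide 6 statement: if x > y then begin z := w; i := k + 1 end
SLIDE6 = ("if", ["x", "y"], ("seq", [("assign", "z", ["w"]), ("assign", "i", ["k"])]), None)
SLIDE6_CLASSES = {"x": LOW, "y": LOW, "z": HIGH, "i": HIGH, "w": LOW, "k": LOW}

if __name__ == "__main__":
    print(secure(IMPLICIT_FLOW, BLP_CLASSES))   # False: X is High, its target Z is Low
    print(secure(SLIDE6, SLIDE6_CLASSES))       # True: x (+) y = Low <= z (x) i = High
```

The implicit flow of slide 4 is rejected by condition (ii) on the if statement, not by the assignment Y := Z, which on its own is Low to Low and passes.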

Execution-Based Mechanisms – Problem with sending an Error

Secure execution of the if statement

if x = 1 then y := 1

is described by

if x = 1
then (if l(x) ≤ l(y) then y := 1 else skip)
else skip.

Suppose x is 0 or 1, y is initially 0, x = High and y = Low; thus the flow from x to y is not secure. Because the assignment to y is skipped both when x = 1 (because the security check fails) and when x = 0 (because the test "x = 1" fails), y is always 0 when the statement terminates, thereby giving no information about x. Note that if an error flag E is set to 1 when the security check fails, then the value of x is encoded in the flag (E = 1 implies x = 1, E = 0 implies x = 0).

Execution-Based Mechanisms, cont.

Example: consider the statement

if x = 1 then y := 1 else z := 1

where x = High. Suppose that when x = 1, y = High and z = Low, but when x ≠ 1, y = Low and z = High. If both relations l(x) ≤ l(y) and l(x) ≤ l(z) are tested on both branches, the program will be rejected, even though it can be securely executed using Fenton's approach. (Verification of this is left to the reader.)

Execution Based Mechanism

procedure copy1(x: integer; var y: integer);
  "copy x to y"
  var z: integer;
begin
  y := 0;                    (* y is Low *)
  z := 0;                    (* z is Low *)
  if x = 0 then z := 1;
  if z = 0 then y := 1
end copy1

At run time either l(X) ≤ l(Z) is tested (when x = 0, on the assignment to z) or l(Z) ≤ l(Y) is tested (when x = 1, on the assignment to y), but not both! Therefore if errors are reported there is information flow: whether an error is reported reveals the value of x.

How to solve? Don't report errors: Fenton's model (see Bishop or Denning).

Note that at compile time both are tested!
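As an added example (not part of the lecture), a simulation of the run-time checks an execution-based mechanism makes on copy1 for both values of x, once with the error flag E reported and once with it suppressed as in Fenton's model. The classes x = High, y = z = Low follow the slide; the monitor and its observations are constructed here.

```python
# Added example: execution-based checking of copy1 with and without reporting errors.
# Classes as annotated on the slide: x is High, y and z are Low (constructed setup).
LOW, HIGH = 0, 1
CLASSES = {"x": HIGH, "y": LOW, "z": LOW}

def run_copy1(x, report_errors):
    """Execute copy1 under a run-time monitor; return (y, error_flag).

    Each assignment whose execution depends on a variable is guarded by the
    check l(source) <= l(target). A failed check skips the assignment and, only
    if report_errors is set, raises the error flag E (Fenton's model never does).
    """
    error = 0
    y = 0
    z = 0
    # if x = 0 then z := 1   -- flow x -> z, so the monitor tests l(x) <= l(z)
    if x == 0:
        if CLASSES["x"] <= CLASSES["z"]:
            z = 1
        elif report_errors:
            error = 1
    # if z = 0 then y := 1   -- flow z -> y, so the monitor tests l(z) <= l(y)
    if z == 0:
        if CLASSES["z"] <= CLASSES["y"]:
            y = 1
        elif report_errors:
            error = 1
    return y, error

def low_observations(report_errors):
    """What a Low observer (who sees y and E) gets for each secret value of x."""
    return {x: run_copy1(x, report_errors) for x in (0, 1)}

def leaks(report_errors):
    """True iff the Low-visible outcome differs between x = 0 and x = 1."""
    obs = low_observations(report_errors)
    return obs[0] != obs[1]

if __name__ == "__main__":
    print(low_observations(True))    # {0: (1, 1), 1: (1, 0)}: E encodes x
    print(low_observations(False))   # {0: (1, 0), 1: (1, 0)}: no leak
```

With errors reported, y is 1 in both runs and the only Low-visible difference is the flag, which is exactly the one bit of x that the slide warns about.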

Covert Channels (1)

Client, server and collaborator processes: an encapsulated server can still leak to the collaborator via covert channels.

Security Policies: Control of Information Flow

U1:

if profit < 0
then delete file T
else begin
  write file T, 'text';
  close file T
end

The existence of file T (regardless of its label) gives information about the value of profit. Its content even more…

Covert Channels (2)

[Figure: a covert channel using file locking]

Covert Timing Channel

[Figure: time line of alternating Service / Program blocks. Top, "Normal Scheduling": one block per turn. Bottom, the same service program "Communicating 101": the timing of its blocks signals the bits 1, 0, 1.]

Covert Channels (3)

[Figure: two zebra pictures that appear the same. The picture on the right has the text of five Shakespeare plays (Hamlet, Macbeth, Julius Caesar, Merchant of Venice, King Lear), encrypted, inserted into the low-order bits of the color values.]

Fighting Covert Channels (after Detection)

- Deletion of the channel, if feasible
- Add random noise on the channel
- Reduce the channel bandwidth, useful for timing channels
- Audit the channel
- Ignore, the danger is not very serious

Language-Based Protection

- Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources.
- Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable.
- Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system.

Language-Based Protection

Two aspects:
- Integrity and type checking: preventing bugs, writing safe code
- Providing protection and access control mechanisms

Security in Java

- Language features, verified by the Bytecode verifier
- Sandbox model, using the Security manager
- No bypass of the security manager, using the Class loader

Security in Java – Language Features

- No #typedef or #define
- No automatic type conversion
- No casting
- Strongly typed language
- Indexes to arrays and strings range validated
- Automatic garbage collection
- Use of OO features like public and private

Java Security [J8,J9]

A type-safe language: the compiler rejects attempts to misuse variables.

Bytecode Verifier: checks include
1. Attempts to forge pointers
2. Violation of access restrictions on private class members
3. Misuse of variables by type
4. Generation of stack over/underflows
5. Illegal conversion of variables to another type
AND
6. All system calls are done via the Security Manager!

The Java Sandbox

[Figure. Client: Browser; Applet class loader; Byte code verifier; Security manager; Executable code. Server: Java source code; Byte code compiler; Applet (Byte code); Web page.]

Security manager methods

Method: Description

getInCheck: determine whether a security check is in progress
checkCreateClassLoader: check to prevent the installation of additional ClassLoaders
checkAccess: check to see if a thread or thread group can modify the thread group
checkExit: checks if the Exit command can be executed
checkExec: checks if system commands can be executed
checkLink: checks if dynamic libraries can be linked
checkRead: checks if a file can be read from
checkWrite: checks if a file can be written to
checkConnect: checks if a network connection can be created
checkListen: checks if a certain network port can be listened to for connections
checkAccept: checks if a network connection can be accepted
checkPropertiesAccess: checks if the system properties can be accessed
checkTopLevelWindow: checks whether a window must have a special warning
checkPackageAccess: checks if a certain package can be accessed
checkPackageDefinition: checks if a new class can be added to a package
checkSetFactory: checks if an Applet can set a networking-related object factory

Protection in Java 1.2

- Protection is handled by the Java Virtual Machine (JVM).
- A class is assigned a protection domain when it is loaded by the JVM.
- The protection domain indicates what operations the class can (and cannot) perform.
- If a library method is invoked that performs a privileged operation, the stack is inspected to ensure the operation can be performed by the library.

Java Security (2)

[Figure: examples of specified protection with JDK 1.2]

Java 2 Security

- JCA – Java cryptography architecture
- JCE – Java cryptography extension
- JSSE – Java SSL support
- JAAS – Java authentication service
- JGSS – Java GSS

Mobile Code

[Figure: how code signing works]

Software (copy) protection [J10,J11]

- Hardware devices: tokens or dongles. Problem: they take up ports, and what about multiple programs?
- Bad sectors: bit copiers can be used
- Disk hardware: using an invisible sector, weak writing, erasing a sector by laser. Problem: creating valid backups, and reinstalling if the disk crashes!
- License and registration using a cryptographic hash of the machine id. Problem: too many connections to the vendor
- Legal: the best protection commercially!
- Watermarking technology

Watermarking Requirements

- Easy and convenient to insert into the document (picture)
- Impossible to erase
- No bad effect on the quality of the document or picture
- Reasonable actions on the document, such as cut & paste, must preserve the watermark
- Easy to verify by a legal authority