Distributed Knowledge and Information Flow Security

Transcription

1 Distributed Knowledge and Information Flow Security School of Computer Science and Engineering, University of New South Wales Sydney, Australia meyden September 24, 2008

2 Overiew Starting Point: An intuition concerning distributed knowledge in causally structured systems: An agent s knowledge about other agents must be distributed knowledge to the other agents that can causally affect it. (ESORICS-07) An accepted definition of causality from the security literature does not satisfy the intuition. New definitions of causality that better fit the security literature theory.

3 (KR-08) Exactly how well do the new definitions support the intuition? Outcomes: New definitions of distributed knowledge A refined understanding of information about other agents. an exact characterization of the new definitions of causality in terms of distributed knowledge of information about other agents.

4 Background Multi-level secure systems for military/intelligence applications: Top Secret, Secret, Unclassified Concern with Trojan Horse attacks Covert Channels: e.g. locks on shared resources, timing of process execution. definitions of security wth an information theoretic flavour.

5 Noninterference policies (Goguen and Meseguer 1982) Let Agents be a set of security domains/components/agents. A noninterference policy is a reflexive relation Agents Agents u v means actions of u are permitted to interfere with v, or actions of u are permitted to have effects observable to v, or information is permitted to flow from u to v

6 Policy Examples Downgrading: Channel Control: H D L (header) BYPASS RED BLACK (body) CRYPTO

7 Deterministic System Model Machines have the form M = S, s 0, Actions,agent,step, O where S is a set of states,

8 Deterministic System Model Machines have the form M = S, s 0, Actions,agent,step, O where S is a set of states, s 0 S is the initial state,

9 Deterministic System Model Machines have the form M = S, s 0, Actions,agent,step, O where S is a set of states, s 0 S is the initial state, Actions is a set of actions,

10 Deterministic System Model Machines have the form M = S, s 0, Actions,agent,step, O where S is a set of states, s 0 S is the initial state, Actions is a set of actions, agent : Actions Agents associates each action to an agent in Agents,

11 Deterministic System Model Machines have the form M = S, s 0, Actions,agent,step, O where S is a set of states, s 0 S is the initial state, Actions is a set of actions, agent : Actions Agents associates each action to an agent in Agents, step : S Actions S is a deterministic transition function, and

12 Deterministic System Model Machines have the form M = S, s 0, Actions,agent,step, O where S is a set of states, s 0 S is the initial state, Actions is a set of actions, agent : Actions Agents associates each action to an agent in Agents, step : S Actions S is a deterministic transition function, and O u : S Obs represents each agent u s observations

13 Deterministic System Model Machines have the form M = S, s 0, Actions,agent,step, O where S is a set of states, s 0 S is the initial state, Actions is a set of actions, agent : Actions Agents associates each action to an agent in Agents, step : S Actions S is a deterministic transition function, and O u : S Obs represents each agent u s observations Notation: s α for the state reached by performing the sequence of actions α Actions from state s.

14 Haigh and Young s Purge Given a sequence of actions α = a 1...a n Actions and agent u, the intransitive purge ipurge u (α) is the subsequence of all actions a i such that there exists with i = i 1 < i 2 <... < i k agent(a i1 ) agent(a i2 )... agent(a ik ) u

15 Example: A B D E C E a b a c a d a c b ipurge E a b c d

16 Haigh and Young s definition: IP-security A system M is IP-secure with respect to a (possibly intransitive) policy if for all u D and all sequences α, α A with ipurge u (α) = ipurge u (α ), we have O u (s 0 α) = O u (s 0 α ).

17 Knowledge in Asynchronous Systems Define the view of agent u with respect to a sequence α Actions to be the sequence view u (α) of all actions and observations of that agent, with stuttering of observations eliminated (to model asynchrony). E.g. if α = hhlh generates (Low observations only): O 1 ho 1 ho 1 lo 2 ho 2 then view Low (α) = O 1 lo 2

18 Let π : Prop P(Actions ), α Actions M, π, α = p if α π(p) M, π, α = K u φ if M, π, α = p for all α Actions with view u (α) = view u (α ) M, π, α = D G φ if M, π, α = p for all α Actions with u G view u(α) = view u (α )

19 The Intuition Given a policy and an agent u, define I u = {v v u and v u} the set of agents that may causally affect/interfere with u.

20 The Intuition Given a policy and an agent u, define I u = {v v u and v u} the set of agents that may causally affect/interfere with u. Intuition: if M is secure with respect to then for all agents u, if π interprets p as being about agents other than u, then M, π = K u p D Iu p

21 π interprets p as about agents other than u if For α, α Actions, if α (Agents \ {u}) = α (Agents \ {u}) then α π(p) iff α π(p). where α G is the subsequence of α of all actions a such that agent(a) G.

22 IP-security does not satisfy the intuition (van der Meyden ESORICS 2007) H D 1 1 L H 2 D 2 Define the system M with O u (s 0 α) = ipurge u (α) This is obviously IP-Secure.

23 Let α 1 = h 1 h 2 d 1 d 2 Then O L (α 1 ) = ipurge u (α 1 ) = α 1

24 Let α 1 = h 1 h 2 d 1 d 2 Then O L (α 1 ) = ipurge u (α 1 ) = α 1 So, M, π, α 1 = K L ( h 1 before h 2 )

25 Let α 1 = h 1 h 2 d 1 d 2 Then O L (α 1 ) = ipurge u (α 1 ) = α 1 So, M, π, α 1 = K L ( h 1 before h 2 ) But, if α 2 = h 2 h 1 d 1 d 2 then view D1 (α 1 ) = view D1 (α 2 ) and view D2 (α 1 ) = view D2 (α 2 )

26 Let α 1 = h 1 h 2 d 1 d 2 Then O L (α 1 ) = ipurge u (α 1 ) = α 1 So, M, π, α 1 = K L ( h 1 before h 2 ) But, if α 2 = h 2 h 1 d 1 d 2 then view D1 (α 1 ) = view D1 (α 2 ) and view D2 (α 1 ) = view D2 (α 2 ) M, π, α 1 = K L ( h 1 before h 2 ) D {D1,D 2 }( h 1 before h 2 )

27 An alternative definition - TA security Given a policy, define, for each agent u D, the function ta u, with domain Actions, inductively by ta u (ǫ) = ǫ, and, for α Actions and a Actions, { tau (α) if agent(a) u ta u (αa) = (ta u (α),ta agent(a) (α), a) if agent(a) u

28 An alternative definition - TA security Given a policy, define, for each agent u D, the function ta u, with domain Actions, inductively by ta u (ǫ) = ǫ, and, for α Actions and a Actions, { tau (α) if agent(a) u ta u (αa) = (ta u (α),ta agent(a) (α), a) if agent(a) u Define a system M to be TA-secure with respect to a policy if for all agents u and all α, α Actions such that ta u (α) = ta u (α ), we have O u (s 0 α) = O u (s 0 α ).

29 TA-security gives the right answer in the example: insecure. Theorem: TA-security implies IP-security

30 Theorem: The following are equivalent M is TA-secure with respect to there exist equivalence relations u for u D on the states of uf(m) satisfying Rushby s unwinding conditions for intransitive noninterference uf(m) admits a weak access control interpretation compatible with.

31 Unfolding a system: b a,b a x y uf x y x y y a b a x y a b b x y a b x y a b y y a b y y a b... uf(m) is bisimilar to M (in the expected sense)

32 Rushby s Unwinding Conditions for IP-security Suppose we have for each agent u an equivalence relation u on the states of M. Theorem (Rushby): If these conditions are satisfied and then M is IP-secure for.

33 Rushby s Unwinding Conditions for IP-security Suppose we have for each agent u an equivalence relation u on the states of M. OC: If s u t then O u (s) = O u (t). Theorem (Rushby): If these conditions are satisfied and then M is IP-secure for.

34 Rushby s Unwinding Conditions for IP-security Suppose we have for each agent u an equivalence relation u on the states of M. OC: If s u t then O u (s) = O u (t). WSC: If s u t and s agent(a) t then s a u t a. Theorem (Rushby): If these conditions are satisfied and then M is IP-secure for.

35 Rushby s Unwinding Conditions for IP-security Suppose we have for each agent u an equivalence relation u on the states of M. OC: If s u t then O u (s) = O u (t). WSC: If s u t and s agent(a) t then s a u t a. LR: If agent(a) u then s u s a. Theorem (Rushby): If these conditions are satisfied and then M is IP-secure for.

36 Access Control (Rushby s semantics for Bell-La Padula) A system with structured state is a machine S, s 0, Actions,step, O,agent together with a set N of names, a set V of values, and functions contents : S N V, with contents(s, n) interpreted as the value of object n in state s, observe : Agents P(N), with observe(u) interpreted as the set of objects that agent u can observe, and alter : D P(N), with alter(u) interpreted as the set of objects whose values agent u is permitted to alter.

37 A refinement of Rushby s Reference Monitor Assumptions A system with structured states is a weak access control system if where s oc u t if contents(s, n) = contents(t, n) for all n observe(u)

38 A refinement of Rushby s Reference Monitor Assumptions A system with structured states is a weak access control system if RM1 If s oc u t then O u(s) = O u (t). where s oc u t if contents(s, n) = contents(t, n) for all n observe(u)

39 A refinement of Rushby s Reference Monitor Assumptions A system with structured states is a weak access control system if RM1 If s oc u t then O u(s) = O u (t). RM2 For all actions a states s, t and names n alter(agent(a)), if s oc agent(a) t and contents(s, n) = contents(t, n) we have contents(s a, n) = contents(t a, n). where s oc u t if contents(s, n) = contents(t, n) for all n observe(u)

40 A refinement of Rushby s Reference Monitor Assumptions A system with structured states is a weak access control system if RM1 If s oc u t then O u(s) = O u (t). RM2 For all actions a states s, t and names n alter(agent(a)), if s oc agent(a) t and contents(s, n) = contents(t, n) we have contents(s a, n) = contents(t a, n). RM3 If contents(s a, n) contents(s, n) then n alter(agent(a)). where s oc u t if contents(s, n) = contents(t, n) for all n observe(u)

41 Consistency of an access control system with a policy: AOI. If alter(u) observe(v) then u v.

42 d h h,d. h.. d H D L A TA-secure system for H D L

43 TO-security Given a policy, define the functions to u with domain Actions by to u (ǫ) = ǫ and to u (αa) = to u (α) when agent(a) u and to u (αa) = (to u (α),view agent(a) (α), a) otherwise.

44 TO-security Given a policy, define the functions to u with domain Actions by to u (ǫ) = ǫ and to u (αa) = to u (α) when agent(a) u and to u (αa) = (to u (α),view agent(a) (α), a) otherwise. Define M to be TO-secure with respect to if for all agents u and all α, α Actions with to u (α) = to u (α ), we have O u (s 0 α) = O u (s 0 α ).

45 d h h,d. h.. d H D L A TA-secure system for H D L, not TO-secure

46 d h h,d. h.. d H D L TO-secure for H D L

47 d h h,d. h.. d H D L not TO-secure for H D L

48 How these definitions are related TO-security TA-security IP-security. If is transitive then all are equivalent.

49 Strengthening Distributed Knowledge (KR 08 paper) Consider D 1 L, D 2 L Observation: L may observe/know the relative order of actions of D 1, D 2, but this is not distributed knowledge to D 1, D 2. Define M, π, α = D p G φ if M, π, α = φ for all α such that α G = α G and u G view u(α) = view u (α ).

50 Theorem: Suppose that is acyclic, M is TO-secure with respect to and that π interprets q as depending only on Agents \ {u}. Then M, π = K u q D p I u q

51 Theorem: Suppose that is acyclic, M is TO-secure with respect to and that π interprets q as depending only on Agents \ {u}. Then M, π = K u q D p I u q Question: is the converse true?

52 Theorem: Suppose that is acyclic, M is TO-secure with respect to and that π interprets q as depending only on Agents \ {u}. Then M, π = K u q D p I u q Question: is the converse true? Answer: No, for several reasons (counter-examples in the paper)

53 A first refinement: Given α Actions, define m u (α) to be the prefix of α up to but excluding the rightmost action a with agent(a) = u.

54 A first refinement: Given α Actions, define m u (α) to be the prefix of α up to but excluding the rightmost action a with agent(a) = u. Intuition: if u v, then view u (m u (α)) is the latest information u could have passed to v in α.

55 A first refinement: Given α Actions, define m u (α) to be the prefix of α up to but excluding the rightmost action a with agent(a) = u. Intuition: if u v, then view u (m u (α)) is the latest information u could have passed to v in α. Define M, π, α = D m G φ if M, π, α = φ for all α such that α G = α G and u G view u(m u (α)) = view u (m u (α )).

56 A strengthened version of the theorem... Theorem: Suppose that is acyclic, M is TO-secure with respect to and that π interprets q as depending only on Agents \ {u}. Then M, π = K u q D m I u q

57 A strengthened version of the theorem... Theorem: Suppose that is acyclic, M is TO-secure with respect to and that π interprets q as depending only on Agents \ {u}. Then M, π = K u q D m I u q But this is still not enough to yield the converse...

58 A refined notion of proposition about other agents: Given a sequence α A, an agent u, and a set of agents G, define α u G to be the subsequence of α consisting of all actions of agents in G {u}, but with u s actions replaced by u.

59 A refined notion of proposition about other agents: Given a sequence α A, an agent u, and a set of agents G, define α u G to be the subsequence of α consisting of all actions of agents in G {u}, but with u s actions replaced by u. h d 1 l 2 h d 2 l 2 h h L {D} = d 1 L d 2 L

60 A refined notion of proposition about other agents: Given a sequence α A, an agent u, and a set of agents G, define α u G to be the subsequence of α consisting of all actions of agents in G {u}, but with u s actions replaced by u. h d 1 l 2 h d 2 l 2 h h L {D} = d 1 L d 2 L Say π interprets q as depending only on G relative to u if for all α, α A, if α u G = α u G, then α π(p) iff α π(p).

61 And a relativized notion of distributed knowledge... Define M, π, α = D m G,u φ if M, π, α = φ for all α such that α u G = α u G and u G view u(m u (α)) = view u (m u (α )).

62 Now we get the converse: Theorem: Suppose that is acyclic. Then M is TO-secure with respect to iff for all u Agents, and for all π that interpret q as depending only on Agents \ {u} relative to u, we have M, π = K u q D m I u,u q

63 Now we get the converse: Theorem: Suppose that is acyclic. Then M is TO-secure with respect to iff for all u Agents, and for all π that interpret q as depending only on Agents \ {u} relative to u, we have M, π = K u q D m I u,u q See the paper for a more general presentation that yields a similar result for other definitions of security

64 Summary An intuition concerning causality and distributed knowledge intuition: An agent s knowledge about other agents must be distributed knowledge to the other agents that can causally affect it. An accepted definition of causality from the security literature does not satisfy the intuition. New definitions of causality that better fit the security literature theory.

65 Refined definitions of distributed knowledge a proposition being about other agents that enable a theorem: causality in a system is consistent with iff the system satisfies the intuition with respect to.

66 Open Questions Extensions of the definitions/results to nondeterministic systems synchronous systems probabilistic systems cyclic policies Applications! Paper at FAST-08 on information flow in transactional memory