Information Flow. Piotr (Peter) Mardziel CMU. Fall 2018

Transcription

1 Information Flow Piotr (Peter) Mardziel CMU Fall 2018

2 Recall Bootstrapping lecture... Dataset A Dataset B Process 1 Scope, Hive, Dremel Data in the form of Tables Code Transforms Columns to Columns No Shared State Limited Hidden Flows Dataset C users = SELECT _name, _age FROM datasetab user_tag = SELECT GenerateTag(_name, _age) FROM users OUTPUT user_tag TO datasetc 2

3 Recall Bootstrapping lecture... Dataset A Dataset B Dataset D Dataset G Process 1 Process 4 Dataset C Dataset H Dataset I Process 2 Process 5 Dataset E Dataset F Dataset J Process 3 Process 6 3

4 Recall Bootstrapping lecture... Dataset A Dataset B Dataset D Dataset G Purpose Labels Annotate programs with purpose labels Process NewAcct 1 Dataset C Dataset H Process GeoIP 4 Dataset I Process Login 2 Check Process 5 Fraud Dataset E Dataset F Dataset J Check Process Hijack 3 Reporting Process 6 4

5 Recall Bootstrapping lecture... Purpose Labels Annotate programs with purpose labels Initial Data Labels Heuristics and Annotations Dataset Dataset Dataset NameA Dataset Age B IPAddress IDX D G users = SELECT _name, Name _age Age FROM datasetab user_tag = Process NewAcct 1 Process GeoIP 4 SELECT GenerateTag(_name, _age) FROM users OUTPUT user_tag TO datasetc Dataset Dataset?? Country C H Dataset IDX I Process Login 2 Check Process 5 Fraud Dataset Timestamp E Dataset Hash F Dataset?? J Check Process Hijack 3 Reporting Process 6 5

6 Recall Bootstrapping lecture... Purpose Labels Annotate programs with purpose labels Initial Data Labels Heuristics and Annotations Flow Labels Source labels propagated via data flow graph Dataset Dataset Dataset NameA Dataset Age B IPAddress IDX D G users = SELECT _name, Name _age Age FROM datasetab user_tag = Process NewAcct 1 Process GeoIP 4 SELECT GenerateTag(_name, _age) FROM users OUTPUT user_tag TO Name datasetc Profile + Age Dataset Dataset Profile Country C H Dataset IDX I Dataset Timestamp E Check Process Hijack 3 Process Login 2 Dataset Hash F Reporting Process 6 Check Process 5 Fraud Dataset IDX J D. E. Denning. A lattice model of secure information flow 6

7 Information flow } Does (some particular) information flow from Dataset A to Dataset C? Dataset A Dataset B Process 1 Dataset C 7

8 Lattices } Lattices as mathematical structures } Lattices as modeling tools } Lattices as enforcement tools

9 Lattices as mathematical structures } Total ordering } A set X } x,y in X either x y or y x... } Example: numbers in day-to-day maths } Example: in a group of Football teams, their standing } Patriots Bills Dolphins Jets... } Example: in a group of Basketball teams, their standing } Celtics Cavaliers Raptors Wizards Hawks...

10 Lattices as mathematical structures } Partial ordering } x,y either x y or y x or neither } Example: in a group of Football and Basketball teams, their standing } Patriots Bills Dolphins Jets... } Celtics Cavaliers Raptors Wizards Hawks... } Neither Patriots Celtics nor Celtics Patriots

11 Lattices as mathematical structures } Lattice } Order for every pair is not necessary } But, every pair has to have sheared least upper and greatest lower bounds, written (join), (meet) } Example: } A = {1,2}, B = {1,2,3}, C = {2,3}, D = {2} } A B, C B but neither A C nor C A A C = B ( A B and C B ) A C = D ( D A and D C)

12 Lattices as mathematical structures } Non-Example: } Piotr Boss1 } Piotr Boss2 } Arthur Boss1 } Arthur Boss2 } Neither Boss1 Boss2 nor Boss2 Boss1 } Example? (add Superboss) } Boss1 Superboss } Boss2 Superboss

13 Lattices as mathematical structures } Non-Example: } Airman Basic... General of the Air Force } Seaman Recruit... Fleet Admiral } Private... General of the Army } Example? (add Secretary of Defense) } General of the Air Force Secretary of Defense } Fleet Admiral Secretary of Defense } General of the Army Secretary of Defense

14 Examples: Policy labels top Profile Name Age bottom 14

15 Examples: Policy labels 15

16 Lattices as a modeling tool } Policy: SearchTeam can access the Test Database. } Can Bob access the Test Database? } Access(P, testdatabase) :- PartOf(P, searchteam) } PartOf(bob, searchfraudteam) } PartOf(searchfraudteam, searchteam) } Transitivity: } PartOf(a,c) :- PartOf(a,b),PartOf(b,c)

17 Lattices as an enforcement tool } Do together. For each policy: } Define the objects and orderings over them necessary for modeling systems governed by that policy. } What questions about a system s execution need to be asked to determine whether a policy was violated or followed? } Show how to use the lattice to answer the question and how to correctly implement the policy.

18 Lattices as an enforcement tool } Do together. For each policy: } Define the objects and orderings over them necessary for modeling systems governed by that policy. } What questions about a system s execution need to be asked to determine whether a policy was violated or followed? } Show how to use the lattice to answer the question and how to correctly implement the policy. } PolicyA: PII cannot be used for advertising purposes. } PolicyB: PII can be sent for medical purposes. } PolicyC: Transmitted PII should be encrypted. } PolicyD: Transmissions with PII should be logged.

19 Lattices as an enforcement tool } Do together. For each policy: } Define the objects and orderings over them necessary for modeling systems governed by that policy. } What questions about a system s execution need to be asked to determine whether a policy was violated or followed? } Show how to use the lattice to answer the question and how to correctly implement the policy. } PolicyA: PII cannot be used for advertising purposes. } PolicyB: PII can be sent for medical purposes. } PolicyC: Transmitted PII should be encrypted. } PolicyD: Transmissions with PII should be logged.

20 Lattices as an enforcement tool } Do together. For each policy: } Define the objects and orderings over them necessary for modeling systems governed by that policy. } What questions about a system s execution need to be asked to determine whether a policy was violated or followed? } Show how to use the lattice to answer the question and how to correctly implement the policy. } PolicyA: PII cannot be used for advertising purposes. } PolicyB: PII can be sent for medical purposes. } PolicyC: Transmitted PII should be encrypted. } PolicyD: Transmissions with PII should be logged.

21 Lattices as an enforcement tool } Do together. For each policy: } Define the objects and orderings over them necessary for modeling systems governed by that policy. } What questions about a system s execution need to be asked to determine whether a policy was violated or followed? } Show how to use the lattice to answer the question and how to correctly implement the policy. } PolicyA: PII cannot be used for advertising purposes. } PolicyB: PII can be sent for medical purposes. } PolicyC: Transmitted PII should be encrypted. } PolicyD: Transmissions with PII should be logged.

22 Information Flow } Logical formulation } Language-based enforcement

23 Information Flow } Logical formulation: Non-interference } f: (X,Y) à Z } Does input X interfere in output Z? } x 1,x 2, and y such that } f(x 1,y) f(x 2,y) } X does not-interfere with output Z: } x 1,x 2, and y } f(x 1,y) = f(x 2,y) x f z y

24 Information Flow } Does input X interfere in output Z? } x 1,x 2, and y such that } f(x 1,y) f(x 2,y) } Examples: x y } f(x,y) = x } f(x,y) = y } f(x,y) = x + y f z } f(x,y) = x * y } f(x,y) = x * y * 0

25 Information Flow } Does input X interfere in output Z? } x 1,x 2, and y s.t. } f(x 1,y) = z 1 x y } f(x 2,y) = z 2 } Now: f is a program. f } def f(x,y): } print x } return 0 } f: (X,Y) à Return Value } f: (X,Y) à (ReturnValue, PrintOutput) z

26 Information Flow: Problems with definition } Programs are complicated } anything written in perl } Programs as implemented may involve more observables than as described logically } if x == 42 : do some long operation } return 0 } Programs sometimes need to use secret things: } if x == password : return login success } else: return login fail x f z y

27 Information Flow } Logical formulation } Language-based enforcement } Background: syntax and semantics of a simple language } Semantics of information flow labels

28 Language-based Information Flow } Example: perl, ruby taint mode } Anything from outside of a program is tainted. } Nothing can be sent to outside of a program if it is tainted. } If x is tainted and is used to compute y, y becomes tainted. } Example } $username, $password =... # from webform } $real_password = db::do( username } select password from USERS where username= $username ) } if $password == $real_password { return login succes }... login database password

29 Language-based Information Flow username password login database } when $username = Robert ; DROP TABLE Students; -- } db::do( } select password from USERS where username= Robert ; DROP TABLE Students; -- } ) } in perl taint mode; this would fail before executing on database

30 Language-based Information Flow } Label Lattices } Origin labels username password } Tainted, NotTainted login } TopSecret, Secret, NotSecret } Data labels } Name, Address, Profile database } IPAddress, IPAddress:truncated } Purpose labels } Advertising, Policing } Role labels } Advertising, Marketing, LawEnforcement

31 Language-based Information Flow } Syntax and Semantics for a simple language

32 Syntax } Expressions // expressions evaluate to values } exp ::= value } variable } readstring // read an int from outside } dbquery(exp) // execute a query specified by exp } exp + exp... } Statements // statements manipulate state and control execution } stmt ::= variable = exp } if exp: stmt } stmta ; stmtb // sequences of statements

33 Semantics } Imperative language has State } State: Variable à Value } Store the values of variables } Write {x = 4, y = 3} for state where variable x is 4, y is 3.

34 Semantics } Expressions } evalexp(exp): State àvalue } Examples } evalexp( 42 ) {} à 42 } evalexp( 5 + y ) {y=3} à 8 } evalexp( 5 + x ) {y=3} à error

35 Semantics } Statements } evalstmt(stmt): State à State } Example: } evalstmt( y = 3 ) {} à {y=3} } evalstmt( x = 5 + y ) {y=3} à {y=3,x=8}

36 Rules for Evaluation } EvalPlus: } evalexp( expl + expr )(S) à evalexp(expl)(s) + evalexp(expr)(s) } Example: evalexp( (1+2) + x ){x=3} } = evalexp( 1+2 ){x=3} + evalexp( x ){x=3} } = evalexp( 1 ){x=3} + evalexp( 2 ){x=3} + evalexp( x ){x=3} } = = 6

37 Rules for Evaluation } EvalCond: } evalstmt( if exp then stmt ) S à } if evalexp(exp)(s) is true then evalstmt(stmt)(s) otherwise S } Example: evalstmt( if x > 2: x = x + 10 ){x=3} } è if evalexp( x > 2 ){x=3} is true then evalstmt( x = x + 10 ){x=3} } è if 3 > 2 is true then evalstmt( x = x + 10 ){x = 3} else { x = 3 } } è evalstmt( x = x + 10 ){x=3} } è {x = evalexp( x + 10 ){x=3}} } è {x = } } è {x = 13}

38 Rules for Information Flow } Implement taint mode: read input should not interfere with written output } Input: readstring } Output dbquery(exp) } Parallel state for labels (taints, security level, other...) } evalexp(exp): (State, LabelState) à (Value, Label) or ERROR } evalstmt(stmt): (State, LabelState) à (State, LabelState) or ERROR } LabelState: Variable à Label

39 Rules for Information Flow } Expressions } evalexp( readstring ) S, LS } evalexp( hello ) S à ( hello, NotTainted) } evalexp( readstring ) S,LS à } ( Robert ; DROP TABLE Students;--, Tainted) } evalexp( dbquery(exp) ) S, LS } evalexp( SELECT password from Users where username= + username + ; ) } {} { username = Tainted } à ERROR

40 Rules for Information Flow } Do together: for each expression or statement, state combination: } Evaluate the given expression/statement under the given state. } (or for general statements) define a general recursive rule for evaluating the on any state. } Goal: inputs (readstring) do not interfere with what is sent to the database (dbquery argument).

41 Rules for Information Flow } Expressions } evalexp( z * 0 ){y=1, z=2}{y = NotTainted, z=tainted} } evalexp( y + z ){y=1, z=2}{y= NotTainted, z=tainted} } general: evalexp( expl + expr ) S SL } general: evalexp( readstring ) S SL //assuming the string hello will be read } evalexp( dbquery(x) ) {x= knock knock }{x = NotTainted} // assuming the database will return who is there? } evalexp( dbquery(x) ) {x= knock knock }{x = Tainted} // assuming the database will return who is there? } general: evalexp( dbquery(exp) ) S SL // assuming the database will return who is there?

42 Rules for Information Flow } Statements } evalstmt( x = y + z ){y = 1,z=2}{y = NotTainted, z=tainted} } general: evalstmt( var = expl + expr ) S SL } evalstmt( if x > 2: x = x + 10 ){x=3}{x=tainted} } evalstmt( if x > 2: y = 1 ){y=0, x=3}{x=tainted} } evalstmt( if (x == hello ): dbquery( there ) ) {x= not hello }{x=tainted} } general: evalstmt( if exp then stmt ) S SL } problem? (see goal a few slides ago)