CS 4/591: Introduction to Computer Security Lecture 4: Voting Machine Study Access Control James Hook 11/6/2015 4:27 AM.

CS 4/591: Introduction to
Computer Security
Lecture 4:
Voting Machine Study
Access Control
James Hook
11/6/2015 4:27 AM
Last Time
• Voting Machine Case Study
• Access Control Mechanisms
– Hardware protection
– OS services (e.g. file systems)
– Middleware (e.g. databases)
– Application Level
Today
• Security Models to guide use of Access
Control mechanisms to achieve a goal
– Keep secrets (Confidentiality)
– Maintain integrity (Integrity)
• The Confinement Problem
Background
• Clearance levels
– Top Secret
• In-depth background check; highly trusted individual
– Secret
• Routine background check; trusted individual
– For Official Use Only/Sensitive
• No background check, but limited distribution; minimally
trusted individuals
• May be exempt from disclosure
– Unclassified
• Unlimited distribution
• Untrusted individuals
Background
• Clearance levels are only half the story
– They give a level of trust of the subject
• The “need to know” policy provides an
orthogonal structure called compartmentalization
• A category (or compartment) is a designation
related to the “need to know” policy
• Examples:
– NUC: Nuclear
– EUR: Europe
– ASI: Asia
Categories and Coalitions
• Categories can be critical in complex
coalitions
• The US may have two allies that do not wish
to share information (perhaps Israel and
Saudi Arabia)
• Policy must support:
– Top Secret, Israel
– Top Secret, Saudi Arabia
– Top Secret, Israel and Saudi Arabia
• (probably very few people in this set)
Pre-computing
• In a world with paper documents,
secure meeting rooms, and safes how
was data managed?
– Anyone seen Tinker Tailor Soldier Spy?
Early computing
• How can simple (old) computers be
used for single level secure computing?
Multilevel computing
• Scenario:
– Someone is planning a bike ride with
President Obama using Google maps
– Their computer is secure, but connected to
the internet
– Can you discover enough about the route
to compromise physical security?
Problem
Figure from Bell 2005
Access Control Policies
• Discretionary Access Control (DAC)
– An individual user can allow or deny access to
an object
• Mandatory Access Control (MAC)
– System mechanism controls access
– User cannot alter that access
• Originator Controlled Access Control (ORCON)
– Access control set by creator of information
– Owner (if different) can’t alter AC
• Like copyright
Mandatory Access Control
• In a MAC system all documents are
assigned labels by a set of rules
• Documents can only be relabeled under
defined special circumstances
• Violations of the policy are considered
very serious offenses (criminal or
treasonous acts)
Bell LaPadula
• How to apply MAC to computers?
• Documents are analogous to objects in
Lampson’s Access Control model
– Every object can be labeled with a classification
• Cleared personnel are analogous to subjects
– Every subject can be labeled with a clearance
• What about processes?
Note on subject labels
• A person is generally cleared “up to” a level
• Cross level communication requires that a
person be able to interact below their level of
clearance
• Subjects are given two labels:
– The maximum level
– The current level
• Current never exceeds maximum
• We will focus on static labelings
– A subject will not dynamically change their current
level
Bell LaPadula
• Task was to propose a theory of multilevel security
– supported by a mechanism implemented in
a reference monitor (Simple, Verifiable,
Always invoked, …)
– prevents unwanted information flow
BLP model
• Adapt Lampson ACM
• Characterize system as state machine
• Characterize key actions, such as file system
interaction, as transitions
– Classify actions as
• observation (reads)
• alteration (writes)
• [Aside: How to classify execute?]
• Show that only “safe states” are reachable
Simple Security
• The simple security property
– The current level of a subject dominates
the level of every object that it observes
• This property is strongly analogous to
paper systems
• It is referred to by the slogan “no read
up”
Problem
Figure from Bell 2005
Problem
• Simple Security does not account for
alterations (writes)
• Another property is needed to
characterize alterations
*-Property
Figure from Bell 2005
*-Property
• In any state, if a subject has
simultaneous “observe” access to
object-1 and “alter” access to object-2,
then level (object-1) is dominated by
level (object-2).
– From BLP 1976, Unified Exposition
• Slogan: “No write down”
Discretionary
• In addition to the MAC mechanisms of
the simple security and *-properties,
the BLP model also has a discretionary
component
– All accesses must be allowed by both the
MAC and discretionary rules
BLP Basic Security Theorem
• If all transitions (considered
individually) satisfy
– simple security property
– *-property
– discretionary security property
• Then system security is preserved
inductively (that is, all states reached
from a “secure” state are “secure”)
Obama Bike Ride
• Can you imagine a MLS system that
follows BLP and supports planning the
Obama bike ride?
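An added example (not from the lecture or from Bell and LaPadula): the three checks of the Basic Security Theorem as a state-machine monitor over the product lattice of clearance and categories, run on a constructed version of the bike-ride question. The subject, object and category names (PROTECTEE) are assumptions made for the scenario.

```python
LEVELS = {"U": 0, "FOUO": 1, "S": 2, "TS": 3}

def dominates(a, b):
    """Label a = (level, categories) dominates b when a's level is at least b's
    and a's category set contains b's: the product lattice from the slides."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and set(a[1]) >= set(b[1])

class BLPMonitor:
    """Toy reference monitor. State = the set of current (subject, object, mode)
    accesses; request() is the only transition and is admitted only when simple
    security, the *-property (as worded on the slide) and the discretionary
    matrix all allow it. Subject labels are static, as in the lecture."""

    def __init__(self, subjects, objects, acl):
        self.subjects = subjects   # subject -> current label
        self.objects = objects     # object  -> classification label
        self.acl = acl             # (subject, object) -> {"observe", "alter"}
        self.accesses = set()      # current (subject, object, mode)

    def _held(self, subj, mode):
        return [o for (s, o, m) in self.accesses if s == subj and m == mode]

    def request(self, subj, obj, mode):
        """Return True and record the access if every rule permits it."""
        s_label, o_label = self.subjects[subj], self.objects[obj]
        # Discretionary component: MAC and DAC must both say yes.
        if mode not in self.acl.get((subj, obj), set()):
            return False
        if mode == "observe":
            # Simple security: current level dominates the object ("no read up").
            if not dominates(s_label, o_label):
                return False
            # *-property: every object currently being altered must dominate
            # the object about to be observed ("no write down").
            if not all(dominates(self.objects[o2], o_label)
                       for o2 in self._held(subj, "alter")):
                return False
        elif mode == "alter":
            # *-property, other direction: the object being altered must
            # dominate every object currently being observed.
            if not all(dominates(o_label, self.objects[o1])
                       for o1 in self._held(subj, "observe")):
                return False
        else:
            return False
        self.accesses.add((subj, obj, mode))
        return True

def bike_ride_scenario():
    """Constructed scenario: the planner reads the classified route, then tries
    to push waypoints to a public map service. Returns decisions in order."""
    subjects = {"planner": ("TS", {"PROTECTEE"}), "analyst": ("S", set())}
    objects = {"route.txt": ("TS", {"PROTECTEE"}), "public_map": ("U", set())}
    acl = {("planner", "route.txt"): {"observe", "alter"},
           ("planner", "public_map"): {"observe", "alter"},
           ("analyst", "route.txt"): {"observe"}}
    m = BLPMonitor(subjects, objects, acl)
    return [
        m.request("analyst", "route.txt", "observe"),   # no read up: S < TS
        m.request("planner", "route.txt", "observe"),   # allowed
        m.request("planner", "public_map", "alter"),    # no write down while the route is open
        m.request("planner", "public_map", "observe"),  # reading the public map is fine
    ]
```

With the slide's observe/alter wording alone, a subject that currently observes nothing may alter an object at any level; formulations that also compare the altered object against the subject's current level close that gap.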
Integrity
Plumbing Analogy
• Potable water
– Cold
– Hot
• Storm water
• Waste water
• Shower
• Toilet
• Washing machine
• The “CSO” problem
– What comes out of the tap?
Simple integrity
• Integrity Levels
– Potable water
• Cold
• Hot
– Storm water
– Waste water
• Multilevel devices:
– Shower
– Toilet
– Washing machine
• What kind(s) of water
can people easily obtain
(read/execute)?
• What kind(s) of water
can people produce
(write)?
“Low Water Mark”
• Low water mark principle:
– the integrity of an object is the lowest level
of all the objects that contributed to its
creation
• Biba’s first, and simplest model, was the
low water mark model
– Tends to be too simplistic
– Everything gets contaminated
Biba Refinements
• Ring principle (2nd Biba model)
– Allow reads of arbitrary untrusted data
– Track execution and writes
• Execution is seen as a subject creating a new
subject at or below current integrity level
• Can write at or below current integrity level
Biba’s Strict Integrity model
• Third Biba model
• Integrity levels in a lattice (similar to
BLP)
– Subject can read object if i(s) ≤ i(o)
– Subject can write object if i(o) ≤ i(s)
– Subject s1 can execute s2 if i(s2) ≤ i(s1)
• Dual to BLP
Vista Integrity Labels
• Levels:
– System: Network services
– High: Administrators, backup, network configuration, crypto
operators
– Medium: Default for file objects
– Low: Internet explorer and all files it downloads
• Policies
– No write up: default policy
– No read up
– No execute up
Intuition for Integrity Levels
• The higher the level, the more
confidence
– That a program will execute correctly
– That data is accurate and/or reliable
• Note relationship between integrity and
trustworthiness
• Important point: integrity levels are not
security levels
Biba’s Model
• Similar to Bell-LaPadula model
1. s ∈ S can read o ∈ O iff i(s) ≤ i(o)
2. s ∈ S can write to o ∈ O iff i(o) ≤ i(s)
3. s1 ∈ S can execute s2 ∈ S iff i(s2) ≤ i(s1)
• Add compartments and discretionary controls to get
full dual of Bell-LaPadula model
• Information flow result holds
– Different proof, though
Vista and Biba
• Which Vista Policies are consistent with
Biba?
– Policies
• No write up:
• No read up
• No execute up
Voting Machine with Biba
Figure: voting machine architecture with processor, touch screen, smart card reader, open audio jack, removable flash, printer, key access, on-board flash, EPROM and RAM (inside box)
• Subjects? Objects? Integrity Levels?
Example
• Elaborate the Biba integrity model for this system by
assigning integrity levels to all key files. Specifically
assign integrity levels for creating or modifying these
files.
• Several known exploits of the system rely on
infection via removable media. Propose a
mechanism that uses the trusted authentication
mechanism and integrity model to prevent these
exploits.
Example (cont)
• Argue that the intended operations can be
carried out by appropriate subjects without
violating the policy.
• Argue that with these mechanisms and a
faithful implementation of the integrity model
that Felten's vote stealing and denial of
service attacks would not be allowed.
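An added worked version of this exercise (my code, not the lecture's or the FHF paper's): a toy Biba strict-integrity monitor with the boot-process files labelled. The level names, the MEDIUM label for BallotStation, the script file name and the authenticate-then-relabel mechanism are design assumptions made here for the exercise.

```python
ILEVEL = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

# Objects from the boot-process slides, plus one constructed script name.
BOOTLOADER = "on-board flash: bootloader"
BALLOT_EXE = r"\FFX\Bin\BallotStation.exe"
RESULTS = r"\Storage Card\CurrentElection\election.brs"
FBOOT = r"\Storage Card\fboot.nb0"
INS_SCRIPT = r"\Storage Card\setup.ins"   # constructed: any *.ins on removable flash

class BibaMonitor:
    """Strict integrity: no read down, no write up, and (ring principle) a new
    subject runs at or below its creator and the program it was loaded from."""

    def __init__(self, subjects, objects):
        self.i_s = dict(subjects)   # subject -> integrity level
        self.i_o = dict(objects)    # object  -> integrity level

    def can_read(self, s, o):       # i(s) <= i(o)
        return ILEVEL[self.i_s[s]] <= ILEVEL[self.i_o[o]]

    def can_write(self, s, o):      # i(o) <= i(s)
        return ILEVEL[self.i_o[o]] <= ILEVEL[self.i_s[s]]

    def spawn(self, parent, program, child, level):
        """Create `child` at `level` by having `parent` execute `program`;
        refused if the level exceeds either the parent or the program."""
        cap = min(ILEVEL[self.i_s[parent]], ILEVEL[self.i_o[program]])
        if ILEVEL[level] > cap:
            return False
        self.i_s[child] = level
        return True

    def relabel(self, o, level, authenticated):
        """The 'defined special circumstance' for relabelling: assumed here to
        be an official who authenticated through the trusted path (key access
        inside the box plus smart card). Unauthenticated requests are refused."""
        if not authenticated:
            return False
        self.i_o[o] = level
        return True

def voting_machine_scenario():
    """Constructed walk-through; returns the monitor's decision for each step."""
    objects = {BOOTLOADER: "HIGH", BALLOT_EXE: "HIGH", RESULTS: "MEDIUM",
               FBOOT: "LOW", INS_SCRIPT: "LOW"}   # removable media starts LOW
    m = BibaMonitor({"bootloader": "HIGH", "taskman": "HIGH"}, objects)
    d = {}
    # An fboot.nb0 that merely appeared on removable flash is LOW, so the HIGH
    # bootloader may not read it (no read down): the infection path is closed.
    d["unauth_update"] = m.can_read("bootloader", FBOOT) and m.can_write("bootloader", BOOTLOADER)
    # Once an official authenticates and the image is relabelled HIGH, the
    # same update passes both checks: the intended operation is still possible.
    m.relabel(FBOOT, "HIGH", authenticated=True)
    d["auth_update"] = m.can_read("bootloader", FBOOT) and m.can_write("bootloader", BOOTLOADER)
    # taskman launches BallotStation at MEDIUM (design choice) so it can record
    # results; a process loaded from a LOW *.ins cannot rise above LOW.
    m.spawn("taskman", BALLOT_EXE, "BallotStation", "MEDIUM")
    d["ballot_writes_results"] = m.can_write("BallotStation", RESULTS)
    d["script_as_medium"] = m.spawn("taskman", INS_SCRIPT, "script", "MEDIUM")
    m.spawn("taskman", INS_SCRIPT, "script", "LOW")
    d["script_writes_results"] = m.can_write("script", RESULTS)   # the vote-stealing write
    return d
```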
Voting Machine Architecture
Figure: voting machine architecture with processor, touch screen, smart card reader, open audio jack, removable flash, printer, key access, on-board flash, RAM and EPROM (inside box)
Boot Process
• Boot device specified by hardware jumpers (inside box)
– EPROM
– on-board flash (default)
– ext flash
• On Boot:
– Copy bootloader into RAM; init hardware
– Scan Removable flash for special files
• “fboot.nb0” => replace bootloader in on-board flash
• “nk.bin” => replace OS in on-board flash
• “EraseFFX.bsq” => erase file system on on-board flash
– If no special files uncompress OS image
– Jump to entry point of OS
Boot (continued)
• On OS start up:
– run Filesys.exe
• unpacks registry
• runs programs in HKEY_LOCAL_MACHINE\Init
– shell.exe (debug shell)
– device.exe (Device manager)
– gwes.exe (graphics and event)
– taskman.exe (Task Manager)
– Device.exe mounts file systems
• \ (root): RAM only
• \FFX: mount point for on-board flash
• \Storage Card: mount point for removable flash
Boot (continued)
• Customized taskman.exe
– Check removable flash
• explorer.glb => launch windows explorer
• *.ins => run proprietary scripts
– (script language has buffer overflow vulnerabilities)
– used to configure election data
• default => launch “BallotStation”
– \FFX\Bin\BallotStation.exe
BallotStation
• Four modes: pre-download, pre-election testing, election, post-election
• Mode recorded in election results file
– \Storage Card\CurrentElection\election.brs
Stealing Votes
• Malicious process runs in parallel with
BallotStation
• Polls election results file every 15
seconds
– If election mode and new results
– temporarily suspend Ballot Station
– steal votes
– resume Ballot Station
Viral propagation
• Malicious bootloader
– Infects host by replacing existing
bootloader in on-board flash
– subsequent bootloader updates print
appropriate messages but do nothing
• fboot.nb0
– package contains malicious boot loader
– and vote stealing software
Discussion
• Having developed this design, it is now
time to critique it!
– Are you satisfied with the protection
against external threats?
– Are you satisfied with the protection
against insider threats?
Plan
• Confinement Problem (Lampson)
• Isolation
– Virtual Machines
– Sandboxes
• Covert Channels
The Confinement Problem
• Lampson, “A Note on the Confinement
Problem”, CACM, 1973.
This note explores the problem of confining a
program during its execution so that it
cannot transmit information to any other
program except its caller. A set of examples
attempts to stake out the boundaries of the
problem. Necessary conditions for a solution
are stated and informally justified.
Discussion
• Reactions?
• What is a “customer”?
• What is a “service”?
• What does Lampson’s motivating scenario look like?
Possible Leaks
0. If a service has memory, it can collect data,
wait for its owner to call it, then return the
data
1. The service may write into a permanent file
2. The service may create a temporary file
3. The service may send a message to a
process controlled by its owner [via ipc]
4. More subtly, the information may be
encoded in the bill rendered for the
service…
Possible Leaks (cont)
5. If the system has interlocks which
prevent files from being open for
writing and reading at the same time,
the service can leak data if it is merely
allowed to read files which can be
written by the owner.
Leak 5 (cont)
The interlocks allow a file to simulate a shared Boolean
variable which one program can set and the other
can’t.
Given a procedure open (file, error) which does
goto error if the file is already open, the following
procedures will perform this simulation:
procedure settrue (file);
  begin loop1: open (file, loop1) end;
procedure setfalse (file);
  begin close (file) end;
Boolean procedure value (file);
  begin value := true;
    open (file, loop2);
    value := false;
    close (file);
  loop2:
  end;
Leak 5 (cont)
Using these procedures and three files called data, sendclock, and
receiveclock, a service can send a stream of bits to another
concurrently running program. Referencing the files as though
they were variables of this rather odd kind, then, we can
describe the sequence of events for transmitting a single bit:
sender:   data := bit being sent; sendclock := true
receiver: wait for sendclock = true; received bit := data; receiveclock := true;
sender:   wait for receiveclock = true; sendclock := false;
receiver: wait for sendclock = false; receiveclock := false;
sender:   wait for receiveclock = false;
Leak 6
6. By varying its ratio of computing to
input/output or its paging rate, the service
can transmit information which a
concurrently running process can receive by
observing the performance of the system.
…
One solution
• Just say no!
• Total isolation: A confined program shall
make no calls on any other program
• Impractical
Confinement rule
• Transitivity: If a confined program calls
another program which is not trusted, the
called program must also be confined.
Classification of Channels:
• Storage
• Legitimate (such as the bill)
• Covert
– I.e. those not intended for information transfer at
all, such as the service program’s effect on the
system load
• In which category does Lampson place 5?
Mitigation
• Lampson proposes a mitigation strategy
for 5
• Confined read makes a copy (this can
be done lazily on a conflicting write)
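To see why the mitigation on this slide closes leak 5, here is an added single-threaded model (not from Lampson's paper or the lecture) of the open/close interlock and of the copy-on-confined-read variant; the class and function names are mine, and the probe is Lampson's value procedure from the earlier slide.

```python
class InterlockedFS:
    """A file may be open by at most one program at a time (the interlock).
    With copy_on_confined_read=True a confined program's open is redirected
    to a private copy of the file, so it can never collide with the owner's."""

    def __init__(self, copy_on_confined_read=False):
        self.copy_on_confined_read = copy_on_confined_read
        self.open_by = {}  # file key -> program holding it open

    def _key(self, who, name, confined):
        # The lazy copy: a confined reader gets its own key, i.e. its own file.
        return (name, who) if confined and self.copy_on_confined_read else (name, None)

    def open(self, who, name, confined=False):
        """True on success; False models 'goto error' (file already open)."""
        key = self._key(who, name, confined)
        if key in self.open_by and self.open_by[key] != who:
            return False
        self.open_by[key] = who
        return True

    def close(self, who, name, confined=False):
        self.open_by.pop(self._key(who, name, confined), None)

def settrue(fs, owner, name):   # Lampson's settrue: hold the file open
    fs.open(owner, name)        # (the owner never contends here, so no spin loop)

def setfalse(fs, owner, name):  # Lampson's setfalse: release it
    fs.close(owner, name)

def value(fs, service, name):
    """Lampson's value: a failed open means the owner holds the file, i.e. 'true'."""
    if not fs.open(service, name, confined=True):
        return True
    fs.close(service, name, confined=True)
    return False

def received_bits(bits, mitigated):
    """Owner encodes each bit by opening/closing 'data'; the confined service
    probes with value(). Returns what the service sees for each bit."""
    fs = InterlockedFS(copy_on_confined_read=mitigated)
    seen = []
    for b in bits:
        (settrue if b else setfalse)(fs, "owner", "data")
        seen.append(value(fs, "service", "data"))
        setfalse(fs, "owner", "data")
    return seen
```

Without the copy the service reads back exactly the owner's bits; with it every probe succeeds, so the interlock no longer carries information.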
Root Problem:
• Resource sharing enables covert
channels
• The more our operating systems and
hardware enable efficient resource
sharing the greater the risk of covert
channels
Lipner’s Comments
• 1975 paper discusses how
confidentiality models and access
control address storage and legitimate
channels
• Discussion?
• How does Lipner think BLP fits in?
Lipner’s Contribution
• Identifies time as “A difficult problem”
– “While the storage and legitimate channels
of Lampson can be closed with a minimal
impact on system efficiency, closing the
covert channel seems to impose a direct
and unreasonable performance penalty.”
Resources
• Lampson, A note on the Confinement
Problem, CACM Vol 16, no. 10, October 1973.
– http://doi.acm.org/10.1145/362375.362389
• Lipner, A Comment on the Confinement
Problem, Proceedings of the 5th Symposium
on Operating Systems Principles, pp. 192-196 (Nov. 1975)
– http://doi.acm.org/10.1145/800213.806537
Virtualization Returns
• Intel’s Vanderpool architecture brings
Virtual Machines back to the
mainstream
• Intel Virtualization Paper
– ftp://download.intel.com/technology/computing/vptech/vt-ieee-computer-final.pdf
– (Some figures that follow are taken from
the paper)
Applications of Virtualization
• Workload isolation
• Workload consolidation
• Workload migration
Isolation
Consolidation
Migration
Virtualizing Intel architectures
• As is, Intel architectures do not meet the two
requirements:
– Nonfaulting access to privileged state
• IA-32 has registers that describe and manipulate the “global
descriptor table”
• These registers can only be set in ring 0
• They can be queried in any ring without generating a fault
– This violates rule 2 (all references to sensitive data trap)
• Software products to virtualize Intel hardware had to
get around this.
– VMware and Virtual PC dynamically rewrite binary code!
– Xen requires source changes (paravirtualization)
Intel solutions
• VT-x, virtualization for IA-32
• VT-i, virtualization for Itanium
• Changed architecture to meet the
criteria
Ring aliasing and ring
compression
• Solution is to allow guest to run at
intended privilege level by augmenting
privilege levels.
• See Figure 2(d).
Nonvirtualized and 0/1/3
• (a) is typical of x86 operating systems
• (b) and (c) give two strategies for virtualization in software
0/3/3 and VT-x
Nonfaulting access to
privileged state
• Two kinds of changes
– Make access fault to the VM
– Allow nonfaulting access, but to state
under the control of the VMM
• Intel Virtualization Paper
– ftp://download.intel.com/technology/computing/vptech/vt-ieee-computer-final.pdf
Next Week
• Intro to Crypto Mechanisms
– Anderson Chapters 5 and 3
Backup Slides
Case Study
• We will use the FHF paper as a case
study
• As we encounter concepts we will
attempt to instantiate them in the
context of the voting machine domain
Classification Systems
• Both notions of classification induce a
partial order
– TS is more trusted than S
– You can only see information if you are
cleared to access all categories that label it
• Mathematicians Bell and LaPadula
picked a lattice structure as a natural
model for security levels
Partially Ordered Set
• A set S with relation ≤ (written (S, ≤)) is
called a partially ordered set if ≤ is
– Anti-symmetric
• If a ≤ b and b ≤ a then a = b
– Reflexive
• For all a in S, a ≤ a
– Transitive
• For all a, b, c: a ≤ b and b ≤ c implies a ≤ c
Poset examples
• Natural numbers with less than (total
order)
• Sets under the subset relation (not a
total order)
• Natural numbers ordered by divisibility
Lattice
• Partially ordered set (S, ≤) and two operations:
– greatest lower bound (glb X)
• Greatest element less than all elements of set X
– least upper bound (lub X)
• Least element greater than all elements of set X
• Every lattice has
– bottom (glb L): a least element
– top (lub L): a greatest element
Lattice examples
• Natural numbers in an interval (0 .. n) with
less than
– Also the linear order of clearances
(U ≤ FOUO ≤ S ≤ TS)
• The powerset of a set of generators under
inclusion
– E.g. Powerset of security categories
{NUC, Crypto, ASI, EUR}
• The divisors of a natural number under
divisibility
New lattices from old
• The opposite of a lattice is a lattice
• The product of two lattices is a lattice
• The lattice of security classifications
used by Bishop is the product of the
lattice of clearances and the lattice of
sets generated from the categories
(compartments)
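An added example (not from the lecture or from Bishop) covering the poset, lattice and "new lattices from old" slides: a brute-force checker for finite lattices that builds the classification lattice as the product of the clearance chain and the category powerset, takes the opposite lattice, and computes glb/lub on it and on the divisors of 12. The class and function names are mine.

```python
from itertools import combinations

class FiniteLattice:
    """A finite set with a leq relation; glb/lub found by exhaustive search."""

    def __init__(self, elements, leq):
        self.elements = list(elements)
        self.leq = leq

    def is_poset(self):
        """Check the three axioms from the slide over every element."""
        E, le = self.elements, self.leq
        reflexive = all(le(a, a) for a in E)
        antisym = all(a == b or not (le(a, b) and le(b, a)) for a in E for b in E)
        trans = all(not (le(a, b) and le(b, c)) or le(a, c)
                    for a in E for b in E for c in E)
        return reflexive and antisym and trans

    def lub(self, xs):
        """Least element above every member of xs (None if not unique)."""
        ubs = [u for u in self.elements if all(self.leq(x, u) for x in xs)]
        least = [u for u in ubs if all(self.leq(u, v) for v in ubs)]
        return least[0] if len(least) == 1 else None

    def glb(self, xs):
        """Greatest element below every member of xs (None if not unique)."""
        lbs = [l for l in self.elements if all(self.leq(l, x) for x in xs)]
        greatest = [l for l in lbs if all(self.leq(v, l) for v in lbs)]
        return greatest[0] if len(greatest) == 1 else None

    def top(self):      # lub of the whole lattice
        return self.lub(self.elements)

    def bottom(self):   # glb of the whole lattice
        return self.glb(self.elements)

    def opposite(self):
        """The opposite lattice: same elements, relation reversed."""
        return FiniteLattice(self.elements, lambda a, b: self.leq(b, a))

def chain_lattice(xs):
    """A total order given as a list from least to greatest (the clearances)."""
    return FiniteLattice(xs, lambda a, b: xs.index(a) <= xs.index(b))

def powerset_lattice(gens):
    """All subsets of the generators (the categories) under inclusion."""
    subsets = [frozenset(c) for r in range(len(gens) + 1) for c in combinations(gens, r)]
    return FiniteLattice(subsets, lambda a, b: a <= b)

def product_lattice(A, B):
    """Pairs ordered componentwise: the product of two lattices is a lattice."""
    return FiniteLattice([(a, b) for a in A.elements for b in B.elements],
                         lambda x, y: A.leq(x[0], y[0]) and B.leq(x[1], y[1]))

def security_lattice():
    """Bishop's classification lattice: clearances x sets of categories."""
    return product_lattice(chain_lattice(["U", "FOUO", "S", "TS"]),
                           powerset_lattice(["NUC", "Crypto", "ASI", "EUR"]))

def divisor_lattice(n):
    """Divisors of n ordered by divisibility."""
    return FiniteLattice([d for d in range(1, n + 1) if n % d == 0],
                         lambda a, b: b % a == 0)
```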