|
|
|
The example above suggests an alternative view of security phrased in terms of interference. In essence, a system is secure if groups of subjects cannot interfere with one another. In the first example in Section 8.1, the "interference" would be Matt's interfering with Holly's acquiring the CPU for her process. Intuitively, this notion is more inclusive than "writing" and enables us to express policies and models more simply. Gougen and Meseguer [412] used this approach to define security policies.
To begin, we view a system as a state machine consisting of a set S = { s1, ... } of subjects, a set S = { s0, s1, ... } of states, a set O = { o1, ... } of outputs, and a set Z = { z1, ... } of commands. For notational convenience, we define a set of state transition commands C = S x Z, because in what follows the clearance of the subject executing the command affects the actual command that is performed.
Definition 81. A state transition function T: C x S
S describes the effect of executing command c when in state s, and an output function P: C x S
We do not define any inputs, because either they select the specific commands to be executed or they can be encoded in the set of state transition commands. If the number x is to be input, we simply define a command that corresponds to reading x. We can encode the initial state as a command; the system begins at the empty state (and the first command moves it to s0). This notation simplifies the abstract system.
In this system, the state transition commands produce outputs. The outputs are therefore functions of the transition commands, and thus are functions of the inputs and the initial state. We have also assumed that the system is deterministic, since the state transition functions are functions, and time is not considered. We will relax this restriction later.
|
EXAMPLE: Consider a machine with two bits of state information, H and L (for "high" and "low," respectively). The machine has two commands, xor0 and xor1, which exclusive-or both bits with 0 and 1, respectively. There are two users: Holly (who can read high and low information) and Lucy (who can read only low information). The system keeps two bits of state (H, L). For future reference, this will be called the two-bit machine. For this example, the operation affects both state bits regardless of whether Holly or Lucy executes the instruction. (This is not a requirement of the two-bit machine and will be varied later on.) The set S = { (0, 0), (0, 1), (1, 0), (1, 1) }. The set S = { Holly, Lucy }. The set C = { xor0, xor1 }. Table 8-1 shows the result of the state transition function. The output function for Holly is both bits; for Lucy, it is the L bit only. |
Next, let us relate outputs to state. Two observations will make the formulation straightforward. First, T is inductive in the first argument, because T(c0, s0) = s1 and T(ci+1, si+1) = T(ci+1, T(ci, si)). This gives us the notion of applying a sequence of commands to an initial state, so let C* be the set of sequences of commands in Cthat is, C* is the transitive closure of C under composition. Then T*: C* x S S, where
cs = c0, ..., cn
T*(cs, si) = T(cn, T(cn1, ..., T(c0, si)...))
Second, the output function P is also inductive in the second argument. This allows us to define a similar function P*: C* x S O, which gives the sequence of outputs resulting from a sequence of commands to a system beginning at an initial state.
Given the assumptions above, the outputs provide a record of the system's functioning. The problem is that some subjects are restricted in the outputs (and actions) they can see. In the first example in Section 8.1, Holly should not have seen Matt's outputs, but Matt could see any outputs from Holly. We make this notion rigorous.
Definition 82. Let T*(cs, si) be a sequence of state transitions for a system. Let P*(cs, si) be the corresponding outputs. Then proj(s, cs, si) is the set of outputs in P*(cs, si) that subject s is authorized to see, in the same order as those outputs appear in P*(cs, si).
In this definition, each command may produce some output, but subjects with insufficient clearance may not be able to see that output, lest they deduce information about the previous state of the system. The function proj(s, cs, si) is simply the list of outputs resulting from removing the outputs that s is not authorized to see.
This captures the notion that s may not see all outputs because the security policy may restrict s's access to them. However, s may not have knowledge of all commands, either, and so we need a corresponding definition for them.
Definition 83. Let G
S be a group of subjects, and let A
G. Define pA(cs) as the subsequence of cs obtained by deleting all elements (s, z) in cs with z
This purge function p captures the notion that certain command executions must be invisible to some subjects. Applying the purge function to an output string generates the output string corresponding to those commands that the subject is allowed to see. For a specific system, the desired protection domains would dictate the membership of G and A.
|
EXAMPLE: In the two-bit machine, let s0 = (0, 1). Holly applies the command xor0, Lucy the command xor1, and Holly the command xor1 to the state machine. The commands affect both state bits, and both bits are output after each command. We take cs to be the sequence (Holly, xor0), (Lucy, xor1), (Holly, xor1). The output is 011001 (where bits are written sequentially, the High bit being first in each pair).
|
Intuitively, if the set of outputs that any user can see corresponds to the set of inputs that that user can see, then the system is secure. The following definition formalizes this as "noninterference."
Definition 84. Let G, G'
If either A or G is not present, we handle it in the obvious way.
|
EXAMPLE:
Consider the sequence cs = (Holly, xor0), (Lucy, xor1), (Holly, xor1) in the two-bit machine with operations affecting both state bits and both bits being output after each command. Take G = { Holly }, G' = { Lucy }, and A = Ø. Then pHolly(cs) = (Lucy, xor1), so proj(Lucy, pHolly(cs), s0) = 1. This means that the statement { Holly } :| { Lucy } is false, because proj(Lucy, cs, s0) = 101 |
|
EXAMPLE: Modify the set of commands above so that Holly can alter only the H bit and Lucy only the L bit. Consider the sequence cs = (Holly, xor0), (Lucy, xor1), (Holly, xor1). Given an initial state of (0, 0), the output is 0H1L1H, where the subscripts indicate the security level of the output. Take G = { Holly }, G' = { Lucy }, and A = Ø; so pHolly(cs) = (Lucy, xor1) and proj(Lucy, pHolly(cs), s0) = (1). Now we have proj(Lucy, cs, s0) = proj(Lucy, pHolly(cs), s0), and { Holly } :| { Lucy } holds. Again, intuition suggests that it should, because no action that Holly takes has an effect on the part of the system that Lucy can observe. |
We can now formulate an alternative definition of a security policy. By Definition 41, a security policy describes states in which forbidden interferences do not occur (authorized states). Viewed in this light [412], we have:
Definition 85. A security policy is a set of noninterference assertions.
The set of noninterference relations defined in Definition 84 characterize the security policy completely. An alternative, less common but more elegant, approach begins with the notion of a security policy and characterizes noninterference in terms of that definition [858].
Consider a system X as a set of protection domains D = { d1, …, dn }. Associated with X are states, commands, subjects, and transition commands. Whenever a transition command c is executed, the domain in which it is executed is written dom(c).
Definition 85A. Let r be a reflexive relation on D x D. Then r defines a security policy for M.
The relation r defines how information can flow. If dirdj, then information can flow from domain di to domain dj. Otherwise, it cannot. Because information can flow within a protection domain, dirdi. Note that this definition says nothing about the content of the security policy; it merely defines what a "policy" is.
We can define a function p' analogous to the p in Definition 83, but the commands in A and the subjects in G and G' are now part of the protection domains, so we express p' in terms of protection domains.
Definition 83A. Let d
This says that if executing c will interfere with protection domain d, then c will be "visible." Otherwise, the resulting command sequence has the same effect as if c were not executed.
Given this definition, defining noninterference security is immediate.
Definition 84A. Let a system consist of a set of domains D. Then it is noninterference-secure with respect to the policy r if P*(c, T*(cs, s0)) = P*(c, T*(pd'(cs), s0)).
Rather than defining a projection function (as in Definition 82), consider the set of states related by an equivalence relation with respect to a domain of a command.
Definition 82A. Let c
Two states are output-equivalent if, for the subjects in dom(c), the projections of the outputs for both states after c is applied are the same. This immediately leads to the following lemma.
Lemma 81. Let T*(cs, s0) ~d T*(pd(cs), s0) for c
Proof Take d = dom(c) for some c
Contrasting this approach with the more common first approach illuminates the importance of the security policy. In the first approach, the security policy was defined in terms of noninterference, but it arose from the conditions that caused the particular set of subjects G and the commands A. So, in some sense, Definition 85 is circular. The second approach eliminates this circularity, because noninterference is characterized in terms of a defined security policy. However, the second approach obscures the relationship among subjects, commands, and noninterference requirements because of the abstraction of "protection domains." The notion of outputs characterizing commands is crucial, because information flow is defined in terms of outputs. So both characterizations have their places.
The unwinding theorem links the security of sequences of state transition commands to the security of the individual state transition commands. The name comes from "unwinding" of the sequence of commands. This theorem is central to the analysis of systems using noninterference, because it reduces the problem of proving that a system design is multilevel-secure to proving that if the system design matches the specifications from which certain lemmata are derived, then the design is mathematically certain to provide multilevel-security correctly.[2]
[2] This says nothing about the implementation of that design, of course. See Part 6, "Assurance."
We follow Rushby's treatment [858]. The next two definitions provide the necessary background.
Definition 86. Let r be a policy. Then a system X locally respects r if dom(c) being noninterfering with d
If the command c does not have any effect on domain d under policy r, then the result of applying c to the current state should appear to have no effect with respect to domain d. When this is true, the system locally respects r.
Definition 87. Let r be a policy and d
Transition consistency simply means that states remain equivalent with respect to d for all commands c.
Lemma 82. Let c1, c2
Proof See Exercise 2.
Theorem 81. Unwinding Theorem. Let r be a policy, and let X be a system that is output consistent, transition consistent, and locally respects r. Then X is non-interference secure with respect to the policy r.
Proof The goal is to establish that sa ~d sb implies T*(cs, sa) ~d T*(pd'(cs), sb). We do this by induction on the length of cs.
Basis. If cs = n, T*(cs, sa) = sa and pd'(n) = n. The claim follows immediately.
Hypothesis. Let cs = c1...cn. Then sa ~d sb implies T*(cs, sa) ~d T*(pd'(cs), sb).
Step. Consider cscn+1. We assume sa ~d sb. We must show the consequent. We consider two distinct cases for T*(pd'(cscn+1), sb).
If (dom(cn+1), d)
T*(pd'(cscn+1), sb) = T*(pd'(cs)cn+1, sb) = T(cn+1, T*(pd'(cs), sb)).
As X is transition consistent, if sa ~d sb, then T(cn+1, sa) ~d T(cn+1, sb). From this and the induction hypothesis,
T(cn+1, T*(cs, sa)) ~d T(cn+1, T*(pd'(cs), sb)).
Substituting for the right side from the previous equality,
T(cn+1, T*(cs, sa)) ~d T*(pd'(cscn+1), sb).
From the definition of T*, this becomes
T*(cscn+1, sa) ~d T*(pd'(cscn+1), sb).
proving the hypothesis.
If (dom(cn+1), d)
r, by definition 8-3A,
T*(pd'(cscn+1), sb) = T*(pd'(cs), sb).
From the induction hypothesis, this means
T*(cs, sa) ~d T*(pd'(cscn+1), sb).
As X locally respects r, s ~d T(cn+1, s) for any s. Then T(cn+1, sa) ~d sa, so
T(cn+1, T*(cs, sa)) ~d T*(cs, sa).
Substituting back, this becomes
T(cn+1, T*(cs, sa)) ~d T*(pd'(cscn+1), sb)
verifying the hypotheses.
In either case, then, the hypothesis holds, completing the induction step.
Having completed the induction, take sa = sb = s0. Then, by Lemma 81, if ~d is output consistent, X is non-interference secure with respect to the policy r.
The significance of Theorem 81 is that it provides a basis for analyzing systems that purport to enforce a noninterference policy. Essentially, one establishes the conditions of the theorem for a particular set of commands and states with respect to some policy and a set of protection domains. Then noninterference security with respect to r follows.
Rushby presented a simple example of the use of the unwinding theorem [858]. The goal is to apply the theorem to a system with a static access control matrix. Our question is whether or not the given conditions are sufficient to provide noninterference security.
We begin with a model of the system. As usual, it is composed of subjects and objects. The objects are locations in memory containing some data. The access control matrix controls the reading and writing of the data. The system is in a particular state; the state encapsulates the values in the access control matrix.
Specifically, let L = { 11, …, lm } be the set of objects (locations) in memory or on disk. Let V = { v1, …, vn } be the set of values that the objects may assume. As usual, the set of states is S = { s1, …, sk }. The set D = { d1, …, dj } is the set of protection domains. We also define three functions for convenience.
value:
L x S V returns the value stored in the given object when the system is in the given state.
read:
D P(V) returns the set of objects that can be observed under the named domain (here, POW(V) denotes the power set of V).
write:
D P(V) returns the set of objects that can be written under the named domain.
Let s be a subject in the protection domain d, and let o be an object. The functions represent the access control matrix A because the entry corresponding to A[s, o] contains "read" if o read(d) and contains "write" if o write(d). This also leads to a natural interpretation of the equivalence relation in Definition 82Anamely, that two states are equivalent with respect to a given protection domain if and only if the values of all objects that can be read under that protection domain are the same. Symbolically,
[sa ~dom(c) sb]
[
li
value(li, T(c, sa))] ]
The system X enforces the relevant access control policy r when the following three conditions are met.
The output of some command c being executed within the protection domain dom(c) depends only on the values for which subjects in dom(c) have read access.
sa ~dom(c) sb P(c, sa) = P(c, sb)
If command c changes the value in object li, then c can only use values in objects in the set read(dom(c)) to determine the new value:
[sa ~dom(c) sb and (value(li, T(c, sa)) value(li, sa) or value(li, T(c, sb)) value(li, sb)) ] value(li, T(c, sa)) = value(li, T(c, sb))
The second part of the disjunction ensures that if li read(dom(c)), the values in li after c is applied to state sa and state sb may differ.
If command c changes the value in object li, then dom(c) provides the subject executing c with write access to li:
value(li, T(c, sa)) value(li, sa) li write(dom(c))
These requirements are standard for access control mechanisms (in particular, note that they are independent of any particular security policy, although such a policy must exist). We now augment our system with two more requirements for some security policy r.
Let u, v D. Then urv read(u) read(v).
This requirement says that if u can interfere with v, then every object that can be read in protection domain u can also be read in protection domain v. This follows from the need of v to read information from something in u. Given this, if an object that could not be read in u could be read in v, but some other object in u could be read in v, information could flow from the first object to the second and hence out of domain u.
li read(u) and li write(v) vru.
This simply says that if a subject can read an object in domain v, and another subject can read that object in domain u, then domain v can interfere with domain u.
Theorem 82. Let X be a system satisfying the five conditions above. Then X is noninterference-secure with respect to the policy r.
Proof Taking the equivalence relation to be ~d in Definition 82A, condition 1 and the definition of "output-consistent" are the same.
We use proof by contradiction to show that X locally respects r. Assume that (dom(c), d)
li
By condition 3, li
We next consider transition consistency. Assume that sa ~d sb; we must show that value(li, T(c, sa)) = value(li, T(c, sb)) for li
Let value(li, T(c, sa)) value(li, sa). By condition 3, li write(dom(c)). Because li read(d), condition 5 yields (dom(c), d) r. By condition 4, read(dom(c)) read(d). Because sa ~d sb, sa ~dom(c) sb. Condition 2 then yields the desired result.
If value(li, T(c, sb)) value(li, sb), an argument similar to case 1 yields the desired result.
Let value(li, T(c, sa)) = value(li, sa) and value(li, T(c, sb)) = value(li, sb). The interpretation of sa ~d sb is that value(li, sa) = value(li, sb) for li read(d). The result follows immediately.
In all three cases, X is transition-consistent.
Under the stated conditions, X is output-consistent, locally respects r, and is transition-consistent. By the unwinding theorem (Theorem 81), then, X is noninterference-secure with respect to the policy r.
All that remains is to verify that the five conditions hold for the system being modeled.
We now extend the preceding noninterference analysis to include policies that are not static. As an example of such a policy, consider an access control matrix for a discretionary access control mechanism. Subjects may revoke permissions, or add permissions, over objects they own. The analysis above assumes that the matrix will be constant; in practice, the matrix rarely is.
|
EXAMPLE: Let w be the sequence of elements of C leading up to the current state. Let cando(w, s, z) be true if the subject s has permission to execute the command z in the current state. We condition noninterference for the system on cando. In the current state, if cando(w, Holly, "read f") is false, then Holly cannot interfere with any other user by reading file f. |
We now generalize the notion of noninterference to handle this case. First, we must define a function analogous to pG,A(w).
Definition 88. Let G
The essence of the definition lies in the use of the predicate. Informally, p"(cs) is cs; however, when the predicate p is true and an element of cs involves a subject in G and a command in A, the corresponding element of cs is replaced by n. This deletes that element. From this, the extension to noninterference is straightforward.
Definition 89. Let G, G'
|
EXAMPLE: Return to the discretionary access control example. A very simple security policy based on noninterference is
This says that if a subject cannot execute the command in any state, that subject cannot use that command to interfere with any subject in the system. |
|
EXAMPLE:
Gougen and Meseguer [412] amplify this policy by considering systems in which rights can be passed to other users. Define the command pass(s, z), s
Suppose the user s1
So s2's first execution of z does not affect any subject's observation of the system. |
As noted earlier, Gougen and Meseguer [412] assume that the output is a function of the input. This implies determinism, because a nondeterministic mapping (that is, one with two or more elements of the range corresponding to one element of the domain) is not a function. It also implies uninterruptibility, because differences in timing of interrupts can result in differences in state, and hence in output. For example, suppose a user enters a command to delete a file. This appears to take some time, so the user interrupts the command. If the interrupt occurs before the deletion, the system will be in a different state than if the interrupt occurs after the deletion (but before the command can terminate properly).
McCullough [673] has examined the implications of the determinism for composing systems. Consider composing the following systems. Systems Louie and Dewey compute at the LOW level. System Hughie computes at the HIGH level. The composed system has one output buffer, bL, which anyone can read. It also has one input buffer, bH, which receives input from a HIGH source. Three buffers connect the three systems. Buffer bLH connects Louie to Hughie, and buffer bDH connects Dewey to Hughie. Dewey and Louie write to these buffers, and Hughie reads from them. Both Dewey and Louie can write to the third buffer, bLDH, from which Hughie can read. Figure 8-2 summarizes this composition. Note that all three systems are noninterference-secure. Hughie never outputs anything, so its inputs clearly do not interfere with its (nonexistent) outputs. Similarly, neither Dewey nor Louie input anything, so their (nonexistent) inputs do not interfere with their outputs.
If all buffers are of finite capacity, and blocking sends and receives are used, the system is not noninterference-secure. Without loss of generality, assume that buffers bDH and bLH have capacity 1. Louie cycles through the following algorithm.
Louie sends a message to bLH. This fills the buffer.
Louie sends a second message to bLH.
Louie sends a 0 to buffer bL.
Louie sends a message to bLDH to signal Hughie that Louie has completed a cycle.
Dewey follows the same algorithm, but uses bDH for bLH and writes a 1 to bL. Hughie reads a bit from bH, receives a message from bLH (if the bit read from bH is 0) or from bDH (if the bit read from bH is 1), and finally does a receive on bLDH (to wait for the buffer to be filled).
Suppose Hughie reads a 0 from bH. It reads a message from bLH. At that point, Louie's second message can go into the buffer and Louie completes step 2. Louie then writes a 0 into bL. Dewey, meanwhile, is blocked at step 1 and so cannot write anything to bL. A similar argument shows that if Hughie reads a 1 from bH, a 1 will appear in the buffer bL. Hence, a HIGH input is copied to a LOW output.
So, even though the systems are noninterference-secure, their composition is not. Exercise 3 examines the influence of the requirement that buffers be finite and of the use of blocking sends and receives.
|
|
|
| Top |
