Multilevel Security (MLS) Models Classifications and Clearances Classifications apply to objects Clearances apply to subjects US Department of Defense

nse (DoD) uses 4 levels: TOP SECRET SECRET CONFIDENTIAL UNCLASSIFIED To obtain a SECRET clearance requires a routine background check A TOP SECRET clearance requires extensive background check Practical classification problems o o o Proper classification not always clear Level of granularity to apply classifications Aggregation flipside of granularity

Subjects and Objects Let O be an object, S a subject o o o O has a classification S has a clearance Security level denoted L(O) and L(S)

For DoD levels, we have TOP SECRET>SECRET> CONFIDENTIAL >UNCLASSIFIED Multilevel Security (MLS) MLS needed when subjects/objects at different levels use/on same system

 MLS is a form of Access Control Military and government interest in MLS for many decades o o o Lots of research into MLS Strengths and weaknesses of MLS well understood (almost entirely theoretical) Many possible uses of MLS outside military

MLS Applications Classified government/military systems Business example: info restricted to o Senior management only, all management, everyone in company, or general public

Network firewall Confidential medical info, databases, etc. Usually, MLS not a viable technical system o More of a legal device than technical system

MLS Security Models MLS models explain what needs to be done Models do not tell you how to implement Models are descriptive, not prescriptive o That is, high level description, not an algorithm

There are many MLS models Well discuss simplest MLS model o o Bell-LaPadula BLP security model designed to express essential requirements for MLS Other models are more realistic Other models also more complex, more difficult to enforce, harder to verify, etc.

 BLP deals with confidentiality o To prevent unauthorized reading

Recall that O is an object, S a subject o o o Object O has a classification Subject S has a clearance Security level denoted L(O) and L(S)

BLP security model designed to express essential requirements for MLS BLP deals with confidentiality o To prevent unauthorized reading

Recall that O is an object, S a subject o o o Object O has a classification Subject S has a clearance Security level denoted L(O) and L(S)

BLP consists of Simple Security Condition: S can read O if and only if L(O) L(S) *-Property (Star Property): S can write O if and only if L(S) L(O) No read up, no write down McLeans Criticisms of BLP McLean: BLP is so trivial that it is hard to imagine a realistic security model for which it does not hold McLeans system Z allowed administrator to reclassify object, then write down Is this fair? Violates spirit of BLP, but not expressly forbidden in statement of BLP Raises fundamental questions about the nature of (and limits of) modeling B and LPs Response

 BLP enhanced with tranquility property o o Strong tranquility: security labels never change Weak tranquility: security label can only change if it does not violate established security policy

Strong tranquility impractical in real world o o o o Often want to enforce least privilege Give users lowest privilege for current work Then upgrade as needed (and allowed by policy) This is known as the high water mark principle

Weak tranquility allows for least privilege (high water mark), but the property is vague BLP: The Bottom Line BLP is simple, probably too simple BLP is one of the few security models that can be used to prove things about systems BLP has inspired other security models o o o Bibas Model BLP for confidentiality, Biba for integrity o Biba is to prevent unauthorized writing Most other models try to be more realistic Other security models are more complex Models difficult to analyze, apply in practice

Biba is (in a sense) the dual of BLP Integrity model o o Spse you trust the integrity of O but not O If object O includes O and O then you cannot trust the integrity of O

Integrity level of O is minimum of the integrity of any object in O

 Low water mark principle for integrity Let I(O) denote the integrity of object O and I(S) denote the integrity of subject S Biba can be stated as Write Access Rule:S can write O if and only if I(O) I(S) (if S writes O, the integrity of O that of S) Bibas Model:S can read O if and only if (if S reads O, the integrity of S that of O) Often, replace Bibas Model with Low Water Mark Policy: If S reads O, then BLP vs Biba I(S) = min(I(S), I(O)) I(S) I(O)

Compartments Multilevel Security (MLS) enforces access control up and down Simple hierarchy of security labels is generally notflexible enough Compartments enforces restrictions across Suppose TOP SECRET divided into TOP SECRET {CAT} and TOP SECRET {DOG} Both are TOP SECRET but information flow restricted across the TOP SECRET level Why compartments? Why not create a new classification level? May not want either of

 TOP SECRET {CAT}TOP SECRET {DOG} TOP SECRET {DOG}TOP SECRET {CAT} Compartments designed to enforce the need to know principle Regardless of clearance, you only have access to info that you need to know to do your job

Not all classifications are comparable, e.g., TOP SECRET {CAT}vsSECRET {CAT, DOG} MLS vs Compartments MLS can be used without compartments o And vice-versa

But, MLS almost always uses compartments Example o MLS mandated for protecting medical records of British Medical Association (BMA) AIDS was TOP SECRET, prescriptions SECRET What is the classification of an AIDS drug? Everything tends toward TOP SECRET Defeats the purpose of the system!

o o o o

Compartments-only approach used instead Covert Channel

 MLS designed to restrict legitimate channels of communication May be other ways for information to flow For example, resources shared at different levels could be used to signal information Covert channel: a communication path not intended as such by systems designers Alice has TOP SECRET clearance, Bob has CONFIDENTIAL clearance Suppose the file space shared by all users Alice creates file FileXYzW to signal 1 to Bob, and removes file to signal 0 Once per minute Bob lists the files If file FileXYzW does not exist, Alice sent 0 If file FileXYzW exists, Alice sent 1 Alice can leak TOP SECRET info to Bob!

Covert Channel Other possible covert channels? o o o Print queue ACK messages Network traffic, etc.

When does covert channel exist? o o Sender and receiver have a shared resource Sender able to vary some property of resource that receiver can observe

Communication between sender and receiver can be synchronized

So, covert channels are everywhere Easy to eliminate covert channels: o o Eliminate all shared resources and all communication

Virtually impossible to eliminate covert channels in any useful system o o DoD guidelines: reduce covert channel capacity to no more than 1 bit/second Implication? DoD has given up on eliminating covert channels!

Consider 100MB TOP SECRET file o o Plaintext stored in TOP SECRET location Ciphertext (encrypted with AES using 256-bit key) stored in UNCLASSIFIED location

Suppose we reduce covert channel capacity to 1 bit per second It would take more than 25 years to leak entire document thru a covert channel But it would take less than 5 minutes to leak 256-bit AES key thru covert channel! Real-World Covert Channel

Hide data in TCP header reserved field Or use covert_TCP, tool to hide data in o Sequence number

ACK number

Hide data in TCP sequence numbers Tool: covert_TCP Sequence number X contains covert info

CAPTCHA Turing Test Proposed by Alan Turing in 1950 Human asks questions to another human and a computer, without seeing either If questioner cannot distinguish human from computer, computer passes the test The gold standard in artificial intelligence No computer can pass this today o o But some claim to be close to passing Completely Automated Public Turing test to tell Computers and Humans Apart

Automated test is generated and scored by a computer program Public program and data are public Turing test to tell humans can pass the test, but machines cannot pass o Also known as HIP == Human Interactive Proof

Like an inverse Turing test (well, sort of) CAPTCHA Paradox?

 CAPTCHA is a program that can generate and grade tests that it itself cannot pass o much like some professors

Paradox computer creates and scores test that it cannot pass! CAPTCHA used so that only humans can get access (i.e., no bots/computers) CAPTCHA is for access control CAPTCHA Uses? Original motivation: automated bots stuffed ballot box in vote for best CS grad school o SJSU vs Stanford?

Free email services spammers like to use bots to sign up for 1000s of email accounts o CAPTCHA employed so only humans get accounts

Sites that do not want to be automatically indexed by search engines o CAPTCHA would force human intervention

CAPTCHA: Rules of the Game Easy for most humans to pass Difficult or impossible for machines to pass o Even with access to CAPTCHA software

From Trudys perspective, the only unknown is a random number o Analogous to Kerckhoffs Principle

Desirable to have different CAPTCHAs in case some person cannot pass one type o Blind person could not pass visual test, etc.

Do CAPTCHAs Exist?

 Current types of CAPTCHAs o o Visual like previous example Audio distorted words or music

No text-based CAPTCHAs o Maybe this is impossible

CAPTCHAs and AI OCR is a challenging AI problem o o Hard part is the segmentation problem Humans good at solving this problem

Distorted sound makes good CAPTCHA o Humans also good at solving this

Hackers who break CAPTCHA have solved a hard AI problem o So, putting hackers effort to good use!

Other ways to defeat CAPTCHAs???