
The Confinement Problem

Problem

The confinement problem deals with preventing a process from taking disallowed actions. Consider a client/server situation: the client sends a data request to the server; the server uses the data, performs some function, and sends the results (data) back to the client. In this case the confinement problem deals with preventing a server from leaking information that the user of that service considers confidential.

EXAMPLE: A server balances accounts for subscribers. The subscribers use a client to transmit the register entries, the current bank balance, and those withdrawals and deposits that have cleared the bank to the server. The server returns the list of outstanding checks and deposits and any discrepancy between the register balance and the bank balance. Subscribers pay a fee for each use. The service provider requires that the server correctly record who used the service each time it is used. Otherwise, the service provider cannot bill for the use of the service. The threat is that someone may use the service without being detected (and therefore without being charged) or that the user may impersonate another subscriber (resulting in the wrong subscriber being charged). The service provider also does not want the server to transmit billing records or any other unauthorized information to the client. The server should send only the information it derived from the data that the client sent. So the server must be confined to operating only on the data it is sent. The subscriber expects certain security services from the server. The server must correctly log the user's invocation so that the user is not charged incorrectly. (This matches the need of the service provider.) The server must not record or transmit the data that the subscriber sends to it because the subscriber's data is confidential to the subscriber and is not relevant to the service provider. So the server must be confined to keeping the data to itself and to sending the results only to the subscriber.

Access control affects the function of the server in two ways.

1. Goal of the service provider: the server must ensure that the resources it accesses on behalf of the client include only those resources that the client is authorized to access.
2. Goal of the service user: the server must ensure that it does not reveal the client's data to any other entity not authorized to see the client's data.

Definition: The confinement problem is the problem of preventing a server from leaking information that the user of the service considers confidential.

One solution: total isolation

Total isolation: a confined program shall make no calls on any other program. In this model the process cannot communicate with any other process, and the process cannot be observed.

In practice, achieving total isolation is difficult. The processes to be confined usually share resources such as CPUs, networks, and disk storage with other unconfined processes. The unconfined processes can transmit information over those shared resources.

Covert Channel

Definition: A covert (concealed, hidden) channel is a path of communication that was not designed to be used for communication.

EXAMPLE: Process p is to be confined such that it cannot communicate with process q. However, processes p and q share a file system. In order for process p to send a message to process q, it creates a file called send in a directory that both processes can read. Just before process q is to read the information, q deletes the send file. Process p then transmits a bit by creating a file named 0bit or 1bit, as appropriate. When q detects either file, it records the bit and deletes the file. This continues until p creates a file called end, at which point the communication ceases.

Transitive confinement

Confinement is transitive. Assume that a process p is confined to prevent leakage. If it invokes a second process q, then q must be similarly confined or q could leak the information that p passes.

Definition: The rule of transitive confinement states that if a confined process invokes a second process, the second process must be as confined as the caller.

Isolation

Systems isolate processes in two ways.
1. In the first, the process is presented with an environment that appears to be a computer running only that process or those processes to be isolated.
2. In the second, an environment is provided in which process actions are analyzed to determine if they leak information.
The first type of environment prevents the process from accessing the underlying (original) computer system and any processes or resources that are not part of that environment. The second type of environment does not emulate a computer. It merely alters the interface between the existing computer and the process(es).

Isolation method 1: a. Virtual Machines

The first type of environment is called a virtual machine.

Definition: A virtual machine is a program that simulates the hardware of a (possibly abstract) computer system.

A virtual machine uses a special operating system called a virtual machine monitor to provide a virtual machine on which conventional operating systems can run. The primary advantage of a virtual machine is that existing operating systems do not need to be modified. They run on the virtual machine monitor. The virtual machine monitor enforces the desired security policy. This is transparent to the user. The virtual machine monitor functions as a security kernel.

EXAMPLE: Digital Equipment Corporation developed a virtual machine monitor (VMM) for the DEC VAX. The monitor is a security kernel and can run either the VMS or the Ultrix operating system. The VMM runs on the native VAX hardware and is invoked whenever the virtual machine executes a privileged instruction. Its structure is typical of virtual machines designed to provide security. The VAX has four levels of privilege: user, supervisor, executive, and kernel modes. In order to provide a compatible virtual machine, the virtual machines must also have four levels of privilege. However, the kernel mode allows a process to access privileged instructions on the VAX hardware directly. Only the VMM is allowed to do this. The virtual machines cannot access kernel mode. The solution is to provide virtual modes. These modes are VM user (corresponding to user mode), VM supervisor mode, and VM executive and VM kernel modes (both actually executive mode). The VMM subjects are users and virtual machines. VMM has a basic, flat file system for its own use and partitions the remaining disk space among the virtual machines. Those machines may use any file structure they desire, and each virtual machine has its own set of file systems. Each subject and object has a multilevel security and integrity label, and the security and integrity levels form an access class. Two entities have the same access class if and only if their security and integrity labels are the same, and one entity dominates another if and only if both the security and integrity classes dominate. An integral component of the VMM is an auditing mechanism. This mechanism records actions for later analysis.

b. Sandboxes

A playground sandbox provides a safe environment for children to stay in. If the children leave the sandbox without supervision, they may do things they are not supposed to do. The computer sandbox is similar. It provides a safe environment for programs to execute in. If the programs "leave" the sandbox, they may do things that they are not supposed to do. Both types of sandboxes restrict the actions of their occupants.

Definition: A sandbox is an environment in which the actions of a process are restricted according to a security policy.

Example: The Java virtual machine, in which downloaded applets are executed, is an example of a sandbox. The sandbox restricts the set of files that the applet can access and the hosts to which the applet can connect.

Isolation method 2:

The second enforcement method is to modify the program (or process) to be executed. Dynamic debuggers and some profilers use this technique by adding breakpoints to the code and, when the trap occurs, analyzing the state of the running process. A variant, known as software fault isolation, adds instructions that perform memory access checks or other checks as the program runs, so any attempt to violate the security policy causes an error.

Example: The Janus software implements a sandbox. It is an execution environment in which system calls are trapped and checked. Users execute it to restrict the objects and modes of access of an untrusted program. Janus consists of a framework, which does the runtime checking, and modules, which determine which accesses are to be allowed.

Covert Channels

Covert channels use shared resources as paths of communication. This requires sharing of space or sharing of time.

Definition: A covert storage channel uses an attribute of the shared resource. A covert timing channel uses a temporal or ordering relationship among accesses to a shared resource.

Example: Storage Channel

Processes p and q are not allowed to communicate, but they share a file system.
1. p sends a bit by creating a file called 0 or 1, then a second file called send. p waits until send is deleted before repeating to send another bit.
2. q waits until the file send exists, then looks for file 0 or 1; whichever exists is the bit.
3. q then deletes 0, 1, and send and waits until send is recreated before repeating to read another bit.

Example: Timing Channel

The system has two VMs: a sending machine S and a receiving machine R.

To send a 0, S immediately relinquishes the CPU (for example, by running a process that instantly blocks). To send a 1, S uses its full quantum (for example, by running a CPU-intensive process).

R measures how quickly it gets the CPU, using a real-time clock to measure the intervals between accesses to the shared resource (the CPU).

Example: Covert Channel

Two VMs share disk cylinders 100 to 200. One VM is High (H), the other is Low (L).

Idea: L issues requests for blocks on cylinders 139 and 161 to be read. If they are read as 139, then 161, it's a 1 bit; if they are read as 161, then 139, it's a 0 bit.

How it works:
1. L issues a read for data on cylinder 150 and relinquishes the CPU when done; the arm is now at 150.
2. H runs, issues a read for data on cylinder 140, and relinquishes the CPU when done; the arm is now at 140.
3. L runs and issues reads for data on cylinders 139 and 161. Due to SCAN scheduling, 139 is read first, then 161. This corresponds to a 1.

To send a 0, H would instead have issued a read for data on cylinder 160.

Noisy vs. Noiseless

Noiseless: the covert channel uses a resource available only to the sender and receiver.
Noisy: the covert channel uses a resource available to others as well as to the sender and receiver.

Key Properties

Existence: the covert channel can be used to send/receive information.
Bandwidth: the rate at which information can be sent along the channel.

Goal of analysis: establish these properties for each channel. If you can eliminate the channel, great! If not, reduce its bandwidth as much as possible.
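The disk-arm channel above and the noisy/noiseless distinction, worked as an added simulation that is not part of the original notes: ScanDisk, transmit(), bit_error_rate() and the interference list are constructed here, while the cylinder numbers (139, 140, 150, 160, 161) and the decoding rule (139 before 161 means 1) are the ones in the text. A third VM issuing its own read between H's and L's requests models a noisy channel; the resulting bit errors are what reduces the channel's usable bandwidth when the channel itself cannot be removed.

```python
"""Constructed simulation of the SCAN-ordering covert channel in the notes.

Added example, not code from the original notes: ScanDisk, send_bit(),
transmit() and NOISE are this example's own constructions.
"""


class ScanDisk:
    """Elevator (SCAN) scheduler: the arm keeps moving in its current direction,
    serving pending requests in that direction, then sweeps back for the rest."""

    def __init__(self, cylinder=100, direction=+1):
        self.cylinder = cylinder      # current arm position
        self.direction = direction    # +1 towards higher cylinders, -1 lower

    def read(self, *cylinders):
        """Return the order in which the requested cylinders are served and
        leave the arm where the last one was."""
        pending = sorted(set(cylinders))
        if self.direction > 0:
            ahead = [c for c in pending if c >= self.cylinder]
            behind = [c for c in pending if c < self.cylinder][::-1]
        else:
            ahead = [c for c in pending if c <= self.cylinder][::-1]
            behind = [c for c in pending if c > self.cylinder]
        order = ahead + behind
        for c in order:
            if c != self.cylinder:
                self.direction = +1 if c > self.cylinder else -1
            self.cylinder = c
        return order


def send_bit(disk, bit, other_vm_cylinder=None):
    """One bit of the channel from the notes: L parks the arm at 150, H reads
    140 (to send 1) or 160 (to send 0), then L reads 139 and 161 and decodes
    from the order.  other_vm_cylinder models a third VM sharing the disk that
    issues a read between H's and L's requests (a noisy channel)."""
    disk.read(150)                                 # L: park the arm
    disk.read(140 if bit else 160)                 # H: set the arm's direction
    if other_vm_cylinder is not None:
        disk.read(other_vm_cylinder)               # unrelated VM activity
    order = disk.read(139, 161)                    # L: observe the ordering
    return 1 if order == [139, 161] else 0


def transmit(bits, noise=None):
    """Receive a whole message; noise[i] is the third VM's cylinder (or None) during bit i."""
    disk = ScanDisk()
    noise = noise or [None] * len(bits)
    return [send_bit(disk, b, n) for b, n in zip(bits, noise)]


def bit_error_rate(sent, received):
    return sum(s != r for s, r in zip(sent, received)) / len(sent)


# Constructed sample message and interference pattern (None = third VM idle).
MESSAGE = [1, 0, 1, 1, 0, 0, 1, 0]
NOISE = [None, None, 155, None, 170, None, 130, 145]

if __name__ == "__main__":
    print("noiseless:", transmit(MESSAGE))
    noisy = transmit(MESSAGE, NOISE)
    print("noisy:    ", noisy, "error rate", bit_error_rate(MESSAGE, noisy))
```

Interference that moves the arm in the same direction H chose (170 after a read at 160, 130 after a read at 140) leaves the bit intact; interference that reverses the arm (155 or 145) flips it, which is why the channel stays usable but its bandwidth drops as the disk gets busier.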

Detection of Covert Channels

Covert channels require sharing. The manner in which the resource is shared controls which subjects can send and receive information using that shared resource.

Detection methods:
1. Noninterference
2. Shared Resource Matrix Methodology
3. Information flow analysis
4. Covert flow trees

1. Noninterference

If a subject can interfere with another subject in some way, there is a covert channel, and the nature of the interference identifies the channel.

Theorem

Let be set of system states. A specification is noninterference-secure if, for each subject s at security level l(s), there exists an equivalence relation : such that
a. for 1, 2 , when 1 2, 1.v(s) = 2.v(s);
b. for 1, 2 and any instruction i, when 1 2, A(i, 1) A(i, 2);
c. for and instruction stream i, if (i, l(s)) is empty, A((i, l(s)), ).v(s) = .v(s).

Intuition: the system is noninterference-secure if
1. equivalent states have the same view for each subject;
2. the view remains unchanged if any instruction is executed;
3. instructions from higher-level subjects do not affect the state from the viewpoint of the lower-level subjects.

2. The Shared Resource Matrix Methodology (SRMM)

Goal: identify shared channels and how they are shared.
Steps:
a. Identify all shared resources and their visible attributes (rows).
b. Determine the operations that reference (read) or modify (write) each resource (columns).
The contents of the matrix show how each operation accesses each resource.

EXAMPLE: Consider a system that implements a multilevel security model. Files have four attributes: file existence, file owner, file label, and file size. Two subjects, one High and one Low, are active. The file manipulation operations are read_ file, write_ file, delete_ file, and create_ file. Reading succeeds if the file exists and the subject's label is greater than or equal to the file's label. Writing and deletion succeed if the file exists and the subject's label is less than or equal to the file's label. Creation succeeds if no file with the given name exists. The file is given the creating process as its owner and the label of the creating process as its label. The shared resource matrix is as follows.
                 file         file      file     file
                 existence    owner     label    size
    read_file    R                      R        R
    write_file   R                      R        M
    delete_file  R, M         R         R        M
    create_file  R, M         M         M        M

Because all four operations check for the existence of the file, they reference the attribute. The "R" in each matrix location reflects this. The create_file and delete_file operations also modify that attribute. This is reflected by the "M." Read and write do not check ownership, but delete and create do; create modifies the owner, and delete references it. The file label is set by create_file and referenced by the other operations, and all but read_file modify the file size. The read_file operation checks the size of the file to determine if the end of the file will be (or has been) encountered.

The requirements for covert timing channels are similar to those for covert storage channels.
1. Both the sending and receiving processes must have access to the same attribute of a shared object.
2. Both the sending and receiving processes must have access to a time reference, such as a real-time clock, a timer, or the ordering of events.
3. The sending process must be able to control the timing of the detection of a change in the attribute by the receiving process.
4. A mechanism for initiating both processes, and properly sequencing their respective accesses to the shared resource, must exist.

Example: Consider attributes with both R and M in a row. Let High be the sender and Low the receiver. The create operation both references and modifies the existence attribute. We need to arrange for proper sequencing of accesses to the existence attribute of the file (the shared resource).
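The matrix and the example it ends with, carried through in code as an added example that is not from the original notes: the matrix cells and the access rules are the ones stated in the text, while Subject, File, FileSystem, the subjects H and L, and the helper functions are constructed here. The first half encodes the SRMM step (which attributes have an "R, M" cell, who can modify and who can reference each attribute); the second half models the stated rules and confirms that the existence attribute is the same channel as the file-naming examples earlier in the notes, with the sequencing of requirement 4 simply assumed (High acts, then Low probes).

```python
"""Shared resource matrix for the four-attribute file system in the notes.

Added example, not code from the original notes.  SRM holds the cells from
the text; Subject, File, FileSystem and the subjects H/L are constructed.
"""
from dataclasses import dataclass

ATTRIBUTES = ("existence", "owner", "label", "size")

# Row = operation, column = attribute, cell = "R" (reference), "M" (modify) or both.
SRM = {
    "read_file":   {"existence": "R",  "owner": "",  "label": "R", "size": "R"},
    "write_file":  {"existence": "R",  "owner": "",  "label": "R", "size": "M"},
    "delete_file": {"existence": "RM", "owner": "R", "label": "R", "size": "M"},
    "create_file": {"existence": "RM", "owner": "M", "label": "M", "size": "M"},
}


def referencers(attr):
    """Operations a receiver could use to observe the attribute."""
    return [op for op, row in SRM.items() if "R" in row[attr]]


def modifiers(attr):
    """Operations a sender could use to change the attribute."""
    return [op for op, row in SRM.items() if "M" in row[attr]]


def reference_and_modify_cells():
    """Attributes that one single operation both references and modifies
    (the 'R, M' cells the notes say to examine first)."""
    return [a for a in ATTRIBUTES
            if any("R" in r[a] and "M" in r[a] for r in SRM.values())]


def render(width=12):
    lines = ["operation".ljust(width) + "".join(a.ljust(width) for a in ATTRIBUTES)]
    for op, row in SRM.items():
        cells = [(", ".join(row[a]) or "-").ljust(width) for a in ATTRIBUTES]
        lines.append(op.ljust(width) + "".join(cells))
    return "\n".join(lines)


HIGH, LOW = 1, 0   # security labels: High dominates Low


@dataclass
class Subject:
    name: str
    label: int


@dataclass
class File:
    owner: str
    label: int
    size: int = 0


class FileSystem:
    """Constructed model of the rules in the text; each operation returns
    whether it succeeded, which is all a subject gets to observe."""

    def __init__(self):
        self.files = {}

    def read_file(self, s, name):          # exists and subject label >= file label
        f = self.files.get(name)
        return f is not None and s.label >= f.label

    def write_file(self, s, name, nbytes=1):   # exists and subject label <= file label
        f = self.files.get(name)
        if f is None or s.label > f.label:
            return False
        f.size += nbytes
        return True

    def delete_file(self, s, name):        # same condition as write
        f = self.files.get(name)
        if f is None or s.label > f.label:
            return False
        del self.files[name]
        return True

    def create_file(self, s, name):        # no file with that name exists
        if name in self.files:
            return False
        self.files[name] = File(owner=s.name, label=s.label)
        return True


def direct_read_blocked():
    """The policy itself holds: Low cannot read a High file."""
    fs, hi, lo = FileSystem(), Subject("H", HIGH), Subject("L", LOW)
    fs.create_file(hi, "secret")
    return fs.read_file(hi, "secret") and not fs.read_file(lo, "secret")


def existence_channel(message):
    """The channel the R, M cell points at: High modifies the existence
    attribute of a shared name (create/delete); Low references it through
    create_file, whose success depends on it."""
    fs, hi, lo = FileSystem(), Subject("H", HIGH), Subject("L", LOW)
    received = []
    for bit in message:
        if bit:
            fs.create_file(hi, "send")         # High: the name now exists
        if fs.create_file(lo, "send"):         # Low: succeeds only if the name was free
            fs.delete_file(lo, "send")         # remove Low's own probe file
            received.append(0)
        else:
            received.append(1)
            fs.delete_file(hi, "send")         # High clears the name for the next bit
    return received
```

The analyst's takeaway is the one the notes give: the name space is the shared resource, the file-existence attribute is both written (create/delete) and read (create's failure) by the same primitive, and removing the channel means either not sharing the name space across labels or making create_file's outcome independent of files the caller cannot see.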

The SRMM methodology was used to analyze the Secure Ada Target. The SRMM methodology is comprehensive but incomplete. In particular, it does not address the problem of determining what the shared resources are and what the primitives used to access them are. In some ways, this is appropriate, because the techniques used differ at the different steps of the software life cycle.

3. Information Flow Analysis

When an exception occurring depends on the value of a variable, a covert channel exists because information leaks about the value in that variable. Tsai, Gligor, and Chandersekaran have developed a method for identifying covert storage channels in source code. The method asserts that covert (storage) channels arise when processes can view or alter kernel variables.

It focuses on identifying variables that processes can refer to directly or that processes can view or alter indirectly (through system calls).
1. The first step is to identify the kernel functions and processes for analysis.
2. The second step identifies the kernel variables that user processes can read and/or alter.
3. The third step is to analyze these shared variables, looking for covert channels.

4. Covert Flow Trees

A covert flow tree is a tree-structured representation of the sequence of operations that move information from one process to another. It consists of five types of nodes.
1. Goal symbols specify states that must exist for the information to flow. There are several such states:
   a. A modification goal is reached when an attribute is modified.
   b. A recognition goal is reached when a modification of an attribute is detected.
   c. A direct recognition goal is reached when a subject can detect the modification of an attribute by referencing it directly or calling a function that returns it.
   d. An inferred recognition goal is reached when a subject can detect the modification of an attribute without referencing it directly and without calling a function that references the attribute directly. For example, the subject may call a function that performs one of two computations depending on the value of the attribute in question.
   e. An inferred-via goal is reached when information is passed from one attribute to other attributes using a specified primitive operation (such as a system call).
   f. A recognize-new-state goal is reached when an attribute that was modified when information was passed using it is specified by an inferred-via goal. The value need not be determined, but the fact that the attribute has been modified must be determined.
2. An operation symbol is a symbol that represents a primitive operation. The operation symbols may vary among systems if they have different primitive operations.
3. A failure symbol indicates that information cannot be sent along the path on which it lies. It means that the goal to which it is attached cannot be met.

4. An AND symbol is a goal that is reached when both of the following hold for all children:
   a. If the child is a goal, then the goal is reached.
   b. The child is an operation.
5. An OR symbol is a goal that is reached when either of the following holds for any child:
   a. If the child is a goal, then the goal is reached.
   b. The child is an operation.

Constructing the tree is a three-step process. To make the steps concrete, we present a simple set of operations and then ask if they can create a covert channel.

EXAMPLE: Consider a file system in which each file has three attributes. The boolean attributes locked and isopen are true when the file is locked or opened, respectively, and are false otherwise. The third attribute, inuse, is a set that contains the process ID of each process that has the file open. The function read_access(p, f) is true if process p has read rights over file f, and empty(s) is true if set s has no members. The function random returns one of its arguments chosen at random. The following operations are defined.

    (* lock the file if it is not locked and not opened; *)
    (* otherwise leave it as it is *)
    procedure Lockfile(var f: file);
    begin
        if not f.locked and empty(f.inuse) then
            f.locked := true;
    end;

    (* unlock the file *)
    procedure Unlockfile(var f: file);
    begin
        if f.locked then
            f.locked := false;
    end;

    (* say whether the file is locked *)
    function Filelocked(f: file): boolean;
    begin
        Filelocked := f.locked;
    end;

    (* open the file if it isn't locked and the *)
    (* process has the right to read the file *)
    procedure Openfile(var f: file);
    begin
        if not f.locked and read_access(process_id, f) then
            (* add the process ID to the inuse set *)
            f.inuse := f.inuse + [process_id];
    end;

    (* if the process can read the file, say if the *)
    (* file is open, otherwise return a value at random *)
    function Fileopened(f: file): boolean;
    begin
        if not read_access(process_id, f) then
            Fileopened := random(true, false)
        else
            Fileopened := not empty(f.inuse);
    end;

Assuming that processes are not allowed to communicate with one another, the reader is invited to try to find a covert storage channel.

The first step in constructing a covert flow tree is to determine what attributes (if any) the primitive operations reference, modify, and return.

EXAMPLE: The functions in the preceding example affect file attributes in different ways, as follows.

               Lockfile         Unlockfile   Filelocked   Openfile         Fileopened
    reference  locked, inuse    locked       Ø            locked, inuse    inuse
    modify     locked           locked       Ø            inuse            Ø
    return     Ø                Ø            locked       Ø                inuse

The symbol Ø means that no attribute is affected in the specified manner. The second step begins with the goal of locating a covert storage channel that uses some attribute. The analyst constructs the covert flow tree. The type of goal controls the construction, as follows.
1. The topmost goal requires that the attribute be modified and that the modification be recognized. Hence, it has one child (an and symbol), which in turn has two children (a modification goal symbol and a recognition goal symbol).
2. A modification goal requires some primitive operation to modify the attribute. Hence, it has one or child, which has one child operation symbol per operation for all operations that modify the attribute.
3. A recognition goal requires that a subject either directly recognize or infer a change in an attribute. It has an or symbol as its child. The or symbol has two children, one a direct recognition goal symbol and the other an inferred recognition goal symbol.
4. A direct recognition goal requires that an operation access the attribute. Like the modification goal, it has one or child, and that child in turn has one child operation symbol for each operation that returns the attribute. If no operation returns the attribute, a failure symbol is attached.
5. An inferred recognition goal requires that the modification be inferred on the basis of one or more other attributes. Hence, it has one child, an or symbol, which has one child inferred-via symbol for each operation that references an attribute and that modifies some attribute (possibly the same one that was referenced).
6. An inferred-via goal requires that the value of the attribute be inferred via some operation and a recognition of the new state of the attribute resulting from that operation. Hence, it has one child (an and symbol), which has two children (an operation symbol representing the primitive operation used to draw the inference and a recognize-new-state goal symbol).
7. A recognize-new-state goal requires that the value of the attribute be inferred via some operation and a recognition of the new state of the attribute resulting from that operation. The latter requires a recognition goal for the attribute. So, the child node of the recognize-new-state goal symbol is an or symbol, and for each attribute enabling the inference of the modification of the attribute in question, the or symbol has a recognition goal symbol child.
Tree construction ends when all paths through the tree terminate in either an operation symbol or a failure symbol. Because the construction is recursive, the analyst may encounter a loop in the tree construction. Should this happen, a parameter called repeat defines the number of times that the path may be traversed. This places an upper bound on the size of the tree.

EXAMPLE: We build the covert flow tree for the attribute locked in our previous two examples. The goal state is "covert storage channel via attribute locked." The and node beneath it has two children, "modification of attribute locked" and "recognition of attribute locked." At this point, the tree looks like this:

From the table in the preceding example, the operations Lockfile and Unlockfile modify the attribute locked. So that branch of the tree becomes:

The recognition branch expands into direct recognition and inferred recognition branches. The direct recognition branch has an and with one child, Filelocked, because Filelocked returns the value of the locked attribute. The inferred recognition branch has an or child with one child, an "inferred-via" node that infers locked from inuse. This branch comes from comparing the "reference" row of the table in the preceding example with the "modify" row. If an operation references the locked attribute and modifies another attribute, inference is possible (assuming that the modification can be detected). At this point, the recognition branch looks like this:
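The construction rules 1 to 7 and the locked example above, implemented as an added example that is not code from the original notes: TABLE is the reference/modify/return table from the text, while Node, build(), channels() and render() are this example's own encoding of the rules and of the repeat bound. Inferred-via children are generated the way the worked example does it (an operation that references the attribute and modifies a different one), and repeat is applied per attribute along a path: a recognition goal for an attribute already expanded repeat times on that path becomes a failure symbol. channels() then reads the finished tree back out as the operation sets a sender and receiver would need, which is the list an analyst checks against the policy.

```python
"""Covert flow tree construction for the Lockfile/Openfile example in the notes.

Added example, not code from the original notes.  TABLE comes from the text;
Node, build(), channels() and render() are constructed here.
"""
from itertools import product

TABLE = {
    "Lockfile":   {"reference": {"locked", "inuse"}, "modify": {"locked"}, "return": set()},
    "Unlockfile": {"reference": {"locked"},          "modify": {"locked"}, "return": set()},
    "Filelocked": {"reference": set(),               "modify": set(),      "return": {"locked"}},
    "Openfile":   {"reference": {"locked", "inuse"}, "modify": {"inuse"},  "return": set()},
    "Fileopened": {"reference": {"inuse"},           "modify": set(),      "return": {"inuse"}},
}


class Node:
    def __init__(self, kind, label="", children=()):
        self.kind, self.label, self.children = kind, label, list(children)


def goal(label, child):
    return Node("goal", label, [child])


def and_(children):
    return Node("and", "", children)


def or_(children):
    # a goal with nothing to expand into gets a failure symbol (rule 4)
    return Node("or", "", children or [Node("fail")])


def op(name):
    return Node("op", name)


def build(attr, repeat=1):
    """Rule 1: the attribute must be modified and the modification recognized."""
    return goal(f"covert storage channel via attribute {attr}",
                and_([modification(attr), recognition(attr, repeat, {attr: 1})]))


def modification(attr):
    """Rule 2: one operation symbol per operation that modifies the attribute."""
    return goal(f"modification of attribute {attr}",
                or_([op(o) for o in TABLE if attr in TABLE[o]["modify"]]))


def recognition(attr, repeat, seen):
    """Rule 3: recognize directly or infer."""
    return goal(f"recognition of attribute {attr}",
                or_([direct(attr), inferred(attr, repeat, seen)]))


def direct(attr):
    """Rule 4: one operation symbol per operation that returns the attribute."""
    return goal(f"direct recognition of attribute {attr}",
                or_([op(o) for o in TABLE if attr in TABLE[o]["return"]]))


def inferred(attr, repeat, seen):
    """Rule 5: one inferred-via goal per operation that references attr and
    modifies another attribute (as in the worked example)."""
    vias = [inferred_via(attr, o, repeat, seen) for o in TABLE
            if attr in TABLE[o]["reference"] and TABLE[o]["modify"] - {attr}]
    return goal(f"inferred recognition of attribute {attr}", or_(vias))


def inferred_via(attr, o, repeat, seen):
    """Rule 6: the operation and a recognize-new-state goal."""
    return goal(f"{attr} inferred via {o}",
                and_([op(o), recognize_new_state(attr, o, repeat, seen)]))


def recognize_new_state(attr, o, repeat, seen):
    """Rule 7: a recognition goal per attribute o modified; an attribute
    already expanded `repeat` times on this path becomes a failure symbol."""
    kids = []
    for other in sorted(TABLE[o]["modify"] - {attr}):
        n = seen.get(other, 0)
        kids.append(Node("fail") if n >= repeat
                    else recognition(other, repeat, {**seen, other: n + 1}))
    return goal(f"recognize new state after {o}", or_(kids))


def channels(node):
    """Operation sets satisfying the tree: and = every child, or = any child,
    op = that operation, fail = nothing."""
    if node.kind == "op":
        return [(node.label,)]
    if node.kind == "fail":
        return []
    if node.kind == "goal":
        return channels(node.children[0])
    if node.kind == "or":
        return [p for c in node.children for p in channels(c)]
    return [sum(combo, ()) for combo in product(*(channels(c) for c in node.children))]


def render(node, depth=0):
    head = node.kind if node.kind in ("and", "or", "fail") else f"{node.kind}: {node.label}"
    return "\n".join(["  " * depth + head] + [render(c, depth + 1) for c in node.children])


if __name__ == "__main__":
    tree = build("locked")
    print(render(tree))
    for path in channels(tree):
        print("channel:", " -> ".join(path))
```

With repeat=1 the tree for locked yields exactly the two receiver strategies the text describes, Filelocked (direct) and Openfile then Fileopened (inferred via inuse), each paired with Lockfile or Unlockfile as the sender's step; raising repeat admits the longer inuse-to-locked-to-inuse inference paths, which is the growth the bound exists to cap.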
