Lecture 2 – Multilevel Security

Context of Multilevel Security

• Hierarchy: Top Secret, Secret, Confidential, …
• Information mustn’t leak from High down to Low
• Enforcement must be independent of user actions!
• Perpetual problem: careless staff
• 1970s worry: operating system insecurity
• 1990s worry: virus at Low copies itself to High
and starts signalling down (e.g. covert channel)
Context of Multilevel Security (2)
• Nowadays: see our paper ‘The Snooping Dragon’
• September 2008: Dalai Lama’s office realised
there had been a security failure
• Initial break: targeted email with bad pdf
• Then: took over the mail server and spread it
• About 35 or their 50 PCs were infected
• Fix (Dharamsala): take ‘Secret’ stuff offline
• Fix (UKUSA agencies): use MLS mail guards and
firewalls to prevent ‘Secret’ stuff getting out
 Formalising the Policy
• Bell-LaPadula (1973):
– simple security policy: no read up
– *-policy: no write down
• With these, one can prove that a system which
starts in a secure state will remain in one
• Ideal: minimise the Trusted Computing Base (set
of hardware, software and procedures that can
break the security policy) so it’s verifiable
• 1970s idea: use a reference monitor
 Objections to BLP
• Some processes, such as memory
management, need to read and write at all
levels
• Fix: put them in the trusted computing base
• Consequence: once you put in all the stuff a
real system needs (backup, recovery,
comms, …) the TCB is no longer small
enough to be easily verifiable
 Objections to BLP (2)
• John MacLean’s “System Z”: as BLP but lets users
request temporary declassification of any file
• Fix: add tranquility principles
– Strong tranquility: labels never change
– Weak tranquility: they don’t change in such a way as to
break the security policy
• Usual choice: weak tranquility using the “high
watermark principle” – a process acquires the
highest label of any resource it’s touched
• Problem: have to rewrite apps (e.g. license server)
 Covert Channels
• In 1973 Butler Lampson warned BLP might be
impractical because of covert channels: “neither
designed nor intended to carry information at all”
• A Trojan at High signals to a buddy at Low by
modulating a shared system resource
– Fills the disk (storage channel)
– Loads the CPU (timing channel)
• Capacity depends on bandwidth and S/N. So: cut
the bandwidth or increase the noise
• But it’s really hard to get below 1bps or so…
 Objections to BLP (3)
• High can’t acknowledge receipt from Low
• This blind write-up is often inconvenient:
information vanishes into a black hole
• Option 1: accept this and engineer for it (Morris
theory) – CIA usenet feed
• Option 2: allow acks, but be aware that they might
be used by High to signal to Low
• Use some combination of software trust and
covert channel elimination (more later …)
 Variants on Bell-LaPadula
• Noninterference: no input by High can affect what
Low can see. So whatever trace there is for High
input X, there’s a trace with High input Ø that
looks the same to Low (Goguen and Messeguer
1982)
• Nondeducibility: weakens this so that Low is
allowed to see High data, just not to understand it
– e.g. a LAN where Low can see encrypted High
packets going past (Sutherland 1986)
 Variants on Bell-LaPadula (2)
• Biba integrity model: deals with integrity
rather than confidentiality. It’s “BLP upside
down” – high integrity data mustn’t be
contaminated with lower integrity stuff
• Domain and Type Enforcement (DTE):
subjects are in domains, objects have types
• Role-Based Access Control (RBAC):
current fashionable policy framework
The Cascade Problem
 Composability
• Systems can become insecure when
interconnected, or when feedback is added
 Composability
• So nondeducibility doesn’t compose
• Neither does noninterference
• Many things can go wrong – clash of timing
mechanisms, interaction of ciphers, interaction of
protocols
• Practical problem: lack of good security interface
definitions (we’ll talk later about API failures)
• Labels can depend on data volume, or even be non-
monotone (e.g. Secret laser gyro in a Restricted
inertial navigation set)
 Consistency
• US approach (polyinstantiation):
Cargo Destination
Secret Missiles Iran
Unclassified Spares Cyprus
• UK approach (don’t tell low users):
Cargo Destination
Secret Missiles Iran
Restricted Classified Classified
 Downgrading
• A related problem to the covert channel is how to
downgrade information
• Analysts routinely produce Secret briefings based
on Top Secret intelligence, by manual paraphrasis
• Also, some objects are downgraded as a matter of
deliberate policy – an act by a trusted subject
• For example, a Top Secret satellite image is to be
declassified and released to the press
 Downgrading (2)

Text hidden in least significant bits of image

 Downgrading (3)

Picture hidden in three least significant bits of text

 Examples of MLS Systems
• SCOMP – Honeywell variant of Multics,
launched 1983. Four protection rings,
minimal kernel, formally verified hardware
and software. Became the XTS-300
• Used in military mail guards
• Motivated the ‘Orange Book’ – the Trusted
Computer System Evaluation Criteria
• First system rated A1 under Orange Book
 Examples of MLS Systems (2)
• Blacker – series of encryption devices designed to
prevent leakage from “red” to “black”. Very hard
to accommodate administrative traffic in MLS!
• Compartmented Mode Workstations (CMWs) –
used by analysts who read Top Secret intelligence
material and produce briefings at Secret or below
for troops, politicians … Mechanisms allow cut-
and-paste from L  H, L  L and H  H but not
HL
• The Australian failure
 Examples of MLS Systems (3)
• The NRL Pump was designed to copy data
continuously up from Low to High with
minimal covert channel leakage
 Examples of MLS Systems (4)
• LITS – RAF Logistics IT System – a project to
control stores at 80 bases in 12 countries. Most
stores ‘Restricted’, rest ‘Secret’, so two databases
connected by a pump
• Other application-level rules, e.g. ‘don’t put
explosives and detonators in the same truck’
• Software project disaster, 1989–99!
• Eventual solution: almost all stuff at one level,
handle nukes differently
 Examples of MLS Systems (5)
• DERA’s ‘Purple Penelope’ was an attempt to
relax MLS to accountability for lower levels of
stuff
• Driver: people determined to use Office
• Solution: wrapper around Windows that tracks
current level using high watermark
• Downgrading allowed, but system forces
authentication and audit
• Now called ‘Sybard Suite’
 Multilevel Integrity
• The Biba model – data may flow only down from
high-integrity to low-integrity
• Dual of BLP:
– Simple integrity property: subject may alter object only
at same or lower level
– *-integrity property: subject that can observe X is
allowed to alter objects dominated by X
• So you have low watermark properties, etc
• Example: medical equipment with two levels,
“calibrate” and “operate”
 Multilevel Integrity (2)
• Big potential application – control systems
• E.g. in future “smart grid”
– Safety: highest integrity level
– Control: next level
– Monitoring (SCADA): third level
– Enterprise apps (e.g. billing): fourth level
• Complexity: prefer not to operate plant if SCADA
system down (though you could)
• So a worm attack on SCADA can close an asset
 Multilevel Integrity (3)
• LOMAC was an experimental Linux system with
system files at High, network at Low
• A program that read traffic was downgraded
• Vista adopted this – marks objects Low, Medium,
High or System, and has default policy of
NoWriteUp
• Critical stuff is System, most other stuff is Medium,
IE is Low
• Could in theory provide good protection – in
practice, UAC trains people to override it!