Attacking the layer below

What is “the layer below”
Lecture, TDDC03, 26 Feb. 2007
Viiveke Fåk
[email protected]
Computer layer model
• Applications: Everything “not a general service”
• Services: DBMS, SOAP, email services etc.
• Operating system: IO, files, memory handling etc.
• Kernel: Process management, security kernel
• Hardware: Processor, storage media and drives, IO devices etc.
Important “layer below”
• Software
– Applying inference, that is, drawing conclusions from other known facts, e.g. database trackers
– Covert channels
• Hardware
– Using equipment emissions, like electro-magnetic signals, sounds, power variations etc.
– Manipulating hardware, like using probes, varying power etc.
• Security mechanisms consist of software, hardware and/or administrative routines
• Software is usually regarded as protecting a certain access point or boundary
• Software mechanisms always build on and use other more fundamental computer parts
• Security failures in those layers invalidate the mechanisms above
• A perfect mechanism resting on an insecure layer does not provide perfect protection
“Onion” security model
• A subject should pass all layers to reach an
• But too often
• Data in inner layers can be disclosed through covert channels and
• Users can reach data directly in an inner layer.
• Hardware can be observed and
• Infer = to derive as conclusions from facts and premises
• Here, to get knowledge about secrecy protected objects, without accessing the
• Trackers in databases are one part
• Hiding the existence of an object is hard
Database trackers
• If users are allowed to use statistics, sums etc. they can gain knowledge about certain secret elements with the help of knowledge of other values for the relation
• How?
Example of trackers
• You can do statistics of salaries, but you can not look up individual values
• Obviously you are not allowed to do “statistics” for just one single value
• You want the salary for your boss Albert
• Create sums of salaries, where some sums contain the relevant salary while others don’t
– Create sets, some of which contain the relation you want to attack, while others don’t
– Do sums for each set over the field for which you want the secret element value
– Add and subtract the sums, so that finally you have just the relevant value left
Albert’s salary 1
• S = The sum of all salaries for the
• T = The sum of all salaries for the department except those that have “Department head” as “Position”
• Albert’s salary = S - T
• Defence: Do not allow sets of one or extra conditions that exclude just one
Albert’s salary 2
• Get the average department salary for everyone with a salary greater than x, where x is definitely above your highest guess at Albert’s salary
• Decrease x until you get a different
• Defence: Still do not allow conditions that exclude just one
Albert’s salary 3
• S = The sum of all department salaries
• T = The sum of all department salaries for all women plus those whose first name is
• U = The sum of all men’s department salaries
• Albert’s salary = T + U - S
• Defence: Do not allow sets of one, or extra conditions that refer to just one
Albert’s salary 4
• S = The sum of all salaries
• The number of department heads named Albert is not an allowed question
• T = The sum of salaries for those named Albert. Allowed question, so several
• U = The sum of salaries for department heads. Allowed question, so several
• V = The sum of salaries for those who are neither department heads nor named Albert.
• Albert’s salary is V + T + U - S
Defence against database
• Do not give exact values as answers to
• Do not allow selections of less than say three. Excludes relevant legitimate
Conclusion about database
• With both major defence techniques an attacker can come close enough to knowledge, as getting an estimate of the value or having a high probability of making a correct guess.
• You cannot avoid trackers while at the same time allowing lower level users to do exact statistics for higher level data.
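To make the tracker slides and the conclusion concrete, here is an added example (not part of the lecture) written in Python on top of the standard sqlite3 module. The employee table, the selection names, the helper functions and the MIN_SET_SIZE value are all constructed for the illustration. The statistical interface only answers SUM over a fixed set of named selections and refuses any selection of fewer than three rows, which is the defence from the previous slide. The general tracker from “Albert’s salary 4” nevertheless recovers the exact value, because each of its four queries is individually allowed and only the target row is counted twice; rounding every answer to the nearest thousand turns the exact value into the close estimate the conclusion slide warns about.

```python
import sqlite3

# Constructed sample table (not from the lecture): three people named Albert,
# three department heads, and exactly one Albert who is a department head.
EMPLOYEES = [
    ("Albert", "Department head", 9200),  # the value the tracker isolates
    ("Albert", "Engineer", 4100),
    ("Albert", "Clerk", 3300),
    ("Beata", "Department head", 8700),
    ("Carl", "Department head", 9100),
    ("Dina", "Engineer", 4500),
    ("Erik", "Clerk", 3400),
    ("Fatima", "Engineer", 4800),
]

# The statistical interface accepts only these predefined selections, so no
# caller-supplied SQL ever reaches the engine.
SELECTIONS = {
    "all": "1 = 1",
    "named_albert": "name = 'Albert'",
    "dept_heads": "position = 'Department head'",
    "neither": "name <> 'Albert' AND position <> 'Department head'",
    "albert_head": "name = 'Albert' AND position = 'Department head'",
}
MIN_SET_SIZE = 3  # the "no selections of fewer than, say, three" defence


class QueryRefused(Exception):
    """Raised when a selection matches too few rows to be answered."""


def load_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (name TEXT, position TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def stat_sum(conn, selection):
    """Exact SUM(salary) over a named selection, refused below MIN_SET_SIZE rows."""
    count, total = conn.execute(
        f"SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM employee "
        f"WHERE {SELECTIONS[selection]}"
    ).fetchone()
    if count < MIN_SET_SIZE:
        raise QueryRefused(f"selection {selection!r} matches only {count} row(s)")
    return total


def stat_sum_rounded(conn, selection, step=1000):
    """Same interface, but every answer is rounded to the nearest `step`."""
    return int(round(stat_sum(conn, selection) / step) * step)


def direct_lookup_refused(conn):
    """The naive one-person query is blocked by the set-size rule."""
    try:
        stat_sum(conn, "albert_head")
    except QueryRefused:
        return True
    return False


def general_tracker(conn, query=stat_sum):
    """Slide 'Albert's salary 4': T + U + V - S.

    Each of the four selections has at least MIN_SET_SIZE rows, so every
    query is allowed on its own. Everyone else is counted exactly once across
    T, U and V, while the Albert who is a department head is in both T and U,
    so subtracting the grand total S leaves just his salary.
    """
    s = query(conn, "all")
    t = query(conn, "named_albert")
    u = query(conn, "dept_heads")
    v = query(conn, "neither")
    return t + u + v - s


if __name__ == "__main__":
    db = load_db()
    print("direct lookup refused:", direct_lookup_refused(db))
    print("tracker with exact answers:", general_tracker(db))
    print("tracker with rounded answers:", general_tracker(db, stat_sum_rounded))
```

With exact answers the tracker returns 9200, the true value. With answers rounded to the nearest thousand it returns 10000, an error of 800 on a salary of 9200; the set-size rule and the inexact answers together only degrade the attack into the estimate described in the conclusion, they do not stop it.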
Inference in MLS system
• If you cannot enter a value, you know there is
an object connected to that value
• Example 1: You did not know there was a
secret file with a given name until you wanted
to create a file with that name.
• Example 2: You did not know there was a
secret value in a database field until you
wanted to enter another value in what looked
as an empty field.
• Solution 1: Hide/double the whole structure. Thus no true multilevel libraries, no true multilevel databases etc.
• Solution 2: Add cover story, which introduces deliberately erroneous, innocent data.
– Either you need duplicate values, or you add differences at random in real time
– Real time differences are defeated through averages of repeated questions
• Solution 3: Accept that the existence of the secret object is not secret.
Covert channels
• Any regular way to transmit data across levels in MLS systems
• Timing channel: The receiver can observe times, which depend on higher level data
• Storage channel: The receiver can observe resource properties, which depend on higher level data and/or actions.
• A timing channel can be the time it takes to complete a calculation, like encrypting one block in RSA, when the number of distinct steps in the calculation depends on the number of 1s in the key
• Storage channels are often shared resource usage, as when a trojan reserves buffers to a degree depending on the secret value
• Another example is when properties of a file can be observed in a shared catalogue etc.
Finding covert channels
• Shared resource matrix analysis
• Analysis of information flow via kernel
• Covert flow trees
• And pure intuition and hard work….
Shared Resource Matrix
• Similar to using an access control matrix to check what user can transfer data to what other user via what file (sender is able to write, receiver is able to read the same file)
• Basic problem number one is to identify all possible attributes that could be transmission
• Basic problem number two is to find all possible ways for how these attributes can or cannot be altered or detected
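An added illustration (not from the lecture) of the shared resource matrix idea as a small Python check in the style of Kemmerer’s method. The attributes, primitives, R/M entries and the assignment of primitives to clearance levels are constructed toy values describing an imagined system with a shared catalogue and a shared buffer pool, not any real kernel. Rows are attributes of shared resources, columns are primitives, an entry says whether the primitive references (R) or modifies (M) the attribute. The transitive closure step adds indirect references: if a primitive reads attribute B and writes attribute A, then whatever reads A indirectly reads B. A candidate channel is an attribute that a High-callable primitive modifies and a Low-callable primitive references, directly or indirectly.

```python
from itertools import product

# Constructed toy matrix: attribute -> {primitive: "R" | "M" | "RM"}.
SRM = {
    "file_exists":  {"create_file": "M", "delete_file": "M", "stat": "R", "open": "R"},
    "file_size":    {"write_file": "M", "stat": "R"},
    "file_data":    {"write_file": "M", "read_file": "R"},
    "free_buffers": {"reserve_buffer": "M", "release_buffer": "M", "alloc_status": "R"},
    # A global "last error" register (toy assumption) that stat/open set
    # after looking at the catalogue, and that anyone can read back.
    "last_error":   {"stat": "M", "open": "M", "get_last_error": "R"},
}

# Assumed MLS policy: both levels share the catalogue and the buffer pool,
# but only High may read High's file contents.
CALLABLE = {
    "high": {"create_file", "delete_file", "write_file", "read_file",
             "reserve_buffer", "release_buffer", "stat", "open"},
    "low":  {"stat", "open", "alloc_status", "get_last_error",
             "reserve_buffer", "release_buffer"},
}


def modifiers(matrix):
    """attribute -> primitives that modify it."""
    return {a: {p for p, e in row.items() if "M" in e} for a, row in matrix.items()}


def transitive_closure(matrix):
    """attribute -> primitives that reference it directly or indirectly.

    Rule: if primitive p modifies A and references B, then every primitive
    that references A also (indirectly) references B. Iterate to a fixpoint.
    """
    refs = {a: {p for p, e in row.items() if "R" in e} for a, row in matrix.items()}
    mods = modifiers(matrix)
    changed = True
    while changed:
        changed = False
        for a, writers in mods.items():
            for p in writers:
                for b, readers in refs.items():
                    if b != a and p in readers:
                        new = refs[a] - readers
                        if new:
                            refs[b] |= new
                            changed = True
    return refs


def find_channels(matrix, callable_by, sender="high", receiver="low"):
    """(attribute, sender_primitive, receiver_primitive) triples worth review."""
    refs = transitive_closure(matrix)
    mods = modifiers(matrix)
    found = []
    for attr in matrix:
        senders = mods[attr] & callable_by[sender]
        receivers = refs[attr] & callable_by[receiver]
        found.extend((attr, s, r) for s, r in product(senders, receivers))
    return sorted(found)


if __name__ == "__main__":
    for attr, s, r in find_channels(SRM, CALLABLE):
        print(f"{attr:13s} High:{s:15s} -> Low:{r}")
```

The closure is what makes get_last_error show up as a receiver for file_exists even though it never touches the catalogue itself, and file_data is absent from the output because its only reader is not Low-callable. The two basic problems on the slide remain: the check is only as good as the list of attributes and of primitive behaviours fed into it.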
• The principle of noninterference inevitably becomes complicated when formulated in an unambiguous way
• The crucial point is “instructions from high level subjects do not influence the state from the viewpoint of low level subjects”.
• As an extension of Bell-LaPadula this can be expressed as “an object Oi can influence another object Oj iff Oj ≥ Oi”
Information flow analysis
• In this case it is simply the name for analysis of whether, and if so how, kernel variables can leak information between levels
• Suffers from the same basic problem as matrix analysis: How do I find every relevant item, in this case kernel variables
• Specific problems are pointers, more complicated structures like arrays with many properties and attributes etc.
Covert flow trees
• Variation of the basic theme: Find variables that are altered by the action of one party and influencing what another party sees.
• Trees help to see what happens in more complicated flows
• Symbols make it easy to do the actual
• Exactly how this is done is not part of the
Covert channel capacity
• If we are interested in deliberate communication, we should consider what the user as a human can communicate outside of the IT system
• Still, there are two very important points
1. A computer can communicate information as soon as it is there
2. A capacity of just 0.01 kB per second far exceeds that of most human communications
Measuring channel capacity
• Measuring capacity means knowledge of information theory and bandwidth
• This is not required for the course
• The important point is the general realisation that many channels involve variables that are influenced by actions of third parties
• This introduces noise in the communications and lowers the capacity
• How to filter noise is not part of this course
Mitigating covert channels
• Isolate users on different levels, where their available resources are fixed for each level
• Introduce noise deliberately by reserving resources, creating objects etc. in a random
• Both principles decrease system efficiency, with the decrease in efficiency proportional to the decrease in covert channel capacity
• Shared efficient multilevel systems have covert channels