Usually refer to the “keeper of the keys” as the “Trusted Computing Base” (TCB)
TCB must be tamper-proof, non-bypassable (always invoked), and vulnerability-free (the last is only partially realistic)
TCB is responsible for: Authentication, Authorization, and Auditing
TCSEC (the “Orange Book”) defined a set of evaluation criteria (later followed by the Common Criteria) which set expectations for what a TCB must provide.
Trusted Platform Module (TPM) is a HW-based root of trust that does platform measurement, attestation, etc.
Principles of systems security
Security cost must be commensurate with the threat level and asset value (compare defender vs. attacker cost curves)
Should be easy enough to use (psychological acceptability)
System should be as simple as possible (economy of mechanism)
Least privilege and separation of privilege
Defense in depth
Requirements of HW
HW is a necessary component of separation (part of the TCB). We have to trust it (a simplifying assumption)
Unit of protection: Address space + Privileged instructions
Modes: Real, Protected, Long/Flat
Logical address space per process -> physical address mapping required
Address space divided into logical units (segments). e.g. code, data, stack, etc.
Segment further divided (pages). Pages are fixed size (e.g. 4KB in 32bit x86)
Logical Address: (Segment number, page number, page offset)
Global and local segment descriptor tables (GDT, LDT) store segment mappings
Page table for pages, etc.
Logical Address = (segment number, displacement)
Linear address = base field of *(STBR + segment number * STE size) + displacement, valid only if displacement < that segment's limit (STBR = segment table base register, STE = segment table entry; on x86 these are the GDTR/LDTR and the descriptors they point to). Without paging the linear address is the physical address.
Complicated on x86 by segment selectors and paging: with paging enabled the linear address is further translated through the page tables
Each segment descriptor carries a Descriptor Privilege Level (DPL): 0-3, with 0 most privileged
Current Privilege Level (CPL): privilege level of the code currently executing
Requestor Privilege Level (RPL): specified in the low two bits of the segment selector
Check (data segment access): max(CPL, RPL) <= DPL of the target segment, otherwise #GP
Why RPL? To prevent a confused-deputy privilege escalation: when the kernel uses a selector handed to it by an application, the RPL carries the application's (lower) privilege, so the kernel cannot be tricked into accessing, on the application's behalf, a segment the application could not access itself
Page-level protection
U/S bit in each page table entry: supervisor (the notes' PPL 0, privileged) vs. user (PPL 1, non-privileged)
Code at CPL 3 can only access user (PPL 1) pages; CPL 0-2 counts as supervisor and can access both
Execute-disable (NX/XD) bit: instruction fetches from the page fault
Segment and page protections combine: an access must pass both checks
Changing Privilege Level
Privileged instructions can only be executed at CPL 0; CPL itself changes only through controlled entry points (call gates, interrupts/exceptions, SYSCALL/SYSRET), never by writing it directly
e.g. LGDT, LLDT, MOV to/from control registers, HLT, etc.
Attack examples include Rowhammer, kernel rootkits, etc.
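The segment and page checks above, as an added worked example (not code from the notes): a toy model of an x86 CPU with a four-entry GDT, selectors that carry an RPL, the CPL of the running code, and page table entries with the U/S and NX bits. Descriptor and PTE layouts are simplified to the fields the checks need, the frames are identity-mapped, and the machine layout in build_machine() is a constructed fixture. The confused-deputy case from the RPL note is the probe where the kernel (CPL 0) uses a selector whose RPL is 3.

```python
"""Toy model of x86 segment- and page-level privilege checks (added example).

Not from the notes: a four-entry "GDT", selectors carrying an RPL, the CPL of
the running code, and a page table whose entries carry the U/S and NX bits.
Descriptor and PTE layouts are simplified to the fields the checks need.
"""
from dataclasses import dataclass

PAGE_SIZE = 4096


@dataclass
class SegmentDescriptor:
    base: int    # linear address where the segment starts
    limit: int   # size in bytes; a displacement must be < limit
    dpl: int     # descriptor privilege level, 0 (most privileged) .. 3


@dataclass
class PageTableEntry:
    present: bool
    user: bool   # U/S bit: True = user page (the notes' PPL 1), False = supervisor (PPL 0)
    nx: bool     # execute-disable bit


class Cpu:
    def __init__(self, gdt, page_table, cpl):
        self.gdt = gdt                # list of SegmentDescriptor, index 0 is the null descriptor
        self.page_table = page_table  # dict: page number -> PageTableEntry (frames identity-mapped)
        self.cpl = cpl

    @staticmethod
    def selector(index, rpl):
        """Segment selector: descriptor index in bits 3.., TI bit 0 (GDT), RPL in bits 0-1."""
        return (index << 3) | (rpl & 3)

    def linear(self, sel, displacement):
        """Segment check: max(CPL, RPL) <= DPL, then limit check, then base + displacement."""
        index, rpl = sel >> 3, sel & 3
        desc = self.gdt[index]
        epl = max(self.cpl, rpl)      # effective privilege level of the request
        if epl > desc.dpl:
            raise PermissionError(f"#GP: EPL {epl} > DPL {desc.dpl}")
        if displacement >= desc.limit:
            raise PermissionError("#GP: displacement beyond segment limit")
        return desc.base + displacement

    def physical(self, linear_addr, execute=False):
        """Page check: CPL 3 may only touch user pages; NX pages may not be executed."""
        page, offset = divmod(linear_addr, PAGE_SIZE)
        pte = self.page_table.get(page)
        if pte is None or not pte.present:
            raise PermissionError("#PF: page not present")
        if self.cpl == 3 and not pte.user:
            raise PermissionError("#PF: supervisor page accessed from CPL 3")
        if execute and pte.nx:
            raise PermissionError("#PF: instruction fetch from NX page")
        return page * PAGE_SIZE + offset

    def access(self, sel, displacement, execute=False):
        """Full path: segmentation, then paging (segment and page protections combine)."""
        return self.physical(self.linear(sel, displacement), execute)


def build_machine(cpl):
    """Constructed fixture: kernel data at 0x0, user data at 0x10000, user code at 0x20000."""
    gdt = [
        SegmentDescriptor(0, 0, 0),              # null descriptor
        SegmentDescriptor(0x00000, 0x10000, 0),  # 1: kernel data, DPL 0
        SegmentDescriptor(0x10000, 0x10000, 3),  # 2: user data, DPL 3
        SegmentDescriptor(0x20000, 0x01000, 3),  # 3: user code, DPL 3
    ]
    page_table = {}
    for page in range(0, 16):    # 0x00000-0x0FFFF: supervisor, executable
        page_table[page] = PageTableEntry(True, False, False)
    for page in range(16, 32):   # 0x10000-0x1FFFF: user data, NX set
        page_table[page] = PageTableEntry(True, True, True)
    page_table[32] = PageTableEntry(True, True, False)  # 0x20000: user code
    return Cpu(gdt, page_table, cpl)


def probe(cpu, sel, displacement, execute=False):
    """Return ('ok', physical address) or ('fault', reason) instead of raising."""
    try:
        return "ok", cpu.access(sel, displacement, execute)
    except PermissionError as e:
        return "fault", str(e)


if __name__ == "__main__":
    kernel, user = build_machine(0), build_machine(3)
    print(probe(user, Cpu.selector(1, 3), 0x100))    # user touching kernel data: fault
    print(probe(kernel, Cpu.selector(1, 3), 0x100))  # kernel using an app-supplied selector: fault (RPL)
    print(probe(user, Cpu.selector(3, 3), 0x10, execute=True))  # user code page: ok
```

The model omits SMAP/SMEP and the code-segment conforming rules, so a CPL 0 access to a user page is simply allowed here, as it was on x86 before those features.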
Virtualization & Security
Simplifies the TCB: the VMM is much smaller than a general-purpose OS
Assumes I/O (and other sensitive) instructions are privileged, i.e. trap to the VMM when a guest executes them (this wasn't always true: pre-VT-x x86 had sensitive instructions that did not trap)
VMM Types: Type 1 (bare metal, no host OS), Type 2 (hosted on top of a host OS)
Green & Red Virtual Machines: trusted (“green”) and untrusted (“red”) workloads isolated in separate VMs
Requirements for a (Type 1) VMM, after Popek & Goldberg:
Transparency (equivalence): VMM must provide an execution environment identical to the underlying physical machine (ignoring some performance degradation)
Complete Mediation (resource control): no way to bypass the VMM's control over physical resources
Efficiency: most VM instructions should execute natively, without trapping to the VMM
OS aware it is not at ring 0: para-virtualization. Requires changes to the guest OS
Ring concept: VMM (Ring -1, i.e. VMX root mode) -> Ring 0 (guest kernel, “root”) -> Ring 3 (“App Space”)
Intel SGX: HW-protected enclave; memory in the enclave's address space cannot be accessed by any other software, including the OS and the hypervisor
Mandatory access control (MAC) helps control data flow, but few OSes enable it by default.
SELinux is built on the Linux Security Module (LSM) framework
SELinux Security Context: user:role:type[:level]
Access: allow source_type target_type:class { operations };
Inheritance: a child inherits its parent's context; for files, the context is inherited from the parent directory
Transitions happen through execution (type_transition on exec)
Not allowed to override: unlike DAC, an object's owner cannot relax the policy
Helps with information-flow problems when parties of different security “levels” read and write
SELinux's MLS policy implements BLP (simple security: no read up; *-property: no write down) plus a stricter “BLP+” variant (plain BLP already forbids read up; the extra restriction is on writes, e.g. write only at the same level)
MLS policy implemented by constraint rules (mlsconstrain) over the source and target contexts, with l1/h1 the low and high level of the source and l2/h2 of the target, and operators eq, dom, domby, incomp (incomparable)
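An added worked example (not SELinux's code) of how such constraint rules are evaluated: a level is (sensitivity, category set), a context carries a low and a high level, and constraint expressions use the operators dom, domby, eq and incomp over l1/h1 and l2/h2 with and/or/not. The CONSTRAINTS table is a constructed, simplified BLP policy in the shape of mlsconstrain rules; STRICT_WRITE is the write-equal variant. Level strings such as "s1:c0" follow the SELinux notation.

```python
"""Evaluator for SELinux-style MLS constraint expressions (added example).

Not SELinux's own code: a level is (sensitivity, set of categories), a context
has a low and a high level, and constraint expressions use the policy
operators dom, domby, eq and incomp over l1/h1 (source) and l2/h2 (target).
The constraint table below is a constructed, simplified BLP policy.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int              # sensitivity: s0 < s1 < ...
    cats: frozenset        # category set, e.g. {"c0", "c2"}


def dom(a, b):     # a dominates b: higher-or-equal sensitivity and superset of categories
    return a.sens >= b.sens and a.cats >= b.cats


def domby(a, b):
    return dom(b, a)


def eq(a, b):
    return a == b


def incomp(a, b):  # neither dominates the other
    return not dom(a, b) and not domby(a, b)


OPS = {"dom": dom, "domby": domby, "eq": eq, "incomp": incomp}


@dataclass(frozen=True)
class Context:
    low: Level
    high: Level


def parse_level(text):
    """'s1:c0,c2' or 's1' -> Level."""
    sens, _, cats = text.partition(":")
    return Level(int(sens[1:]), frozenset(c for c in cats.split(",") if c))


def ctx(low, high=None):
    """Context from level strings; a single level means low == high."""
    return Context(parse_level(low), parse_level(high or low))


def evaluate(expr, source, target):
    """Evaluate e.g. '(l1 dom l2) or (h1 eq l2)' with and/or/not and parentheses."""
    env = {"l1": source.low, "h1": source.high, "l2": target.low, "h2": target.high}
    tokens = re.findall(r"\(|\)|\w+", expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        if peek() == "(":
            take()
            value = parse_or()
            if take() != ")":
                raise ValueError("expected ')'")
            return value
        left, op, right = take(), take(), take()   # atom: <var> <op> <var>
        return OPS[op](env[left], env[right])

    result = parse_or()
    if peek() is not None:
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


# Constructed BLP-style constraints in the shape of mlsconstrain rules: (class, perms, expr).
CONSTRAINTS = [
    ("file", {"read", "getattr"}, "l1 dom l2"),   # simple security: no read up
    ("file", {"write", "append"}, "l2 dom l1"),   # *-property: no write down (write up allowed)
]
# Stricter variant: writes only at an equal level.
STRICT_WRITE = ("file", {"write", "append"}, "l1 eq l2")


def mls_allowed(cls, perm, source, target, constraints=CONSTRAINTS):
    """Access passes only if every constraint covering (class, perm) evaluates true."""
    return all(evaluate(expr, source, target)
               for c, perms, expr in constraints if c == cls and perm in perms)
```

Real SELinux evaluates these constraints after the type-enforcement allow rules, so a denial from either layer is final; the evaluator above only covers the MLS layer.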
Informal definition (covert channel): information leakage via paths that cannot be protected by MAC (i.e. not legitimate channels)
More technical definition: given MAC policy M, any potential information flow from S_m to S_n is covert if it is forbidden by M
Covert channels involve cooperating (colluding) processes. If there is no collusion, i.e. the victim leaks without intending to, it is called a “side channel”
What can be done?
Detection via the “Shared Resource Matrix”: rows are resource attributes, columns are primitives, cells are marked R (references) or M (modifies); an attribute that one primitive modifies and another references is a candidate channel
Bandwidth estimation is done by computation (depends on the channel), usually as bits per time interval
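The Shared Resource Matrix method as an added worked example (not from the notes): a constructed matrix of attributes vs. primitives for a tiny file-system interface, the transitive closure that adds indirect references (marked r), and the listing of candidate storage channels. In the constructed data, create reads disk_free and modifies file_exists, so a receiver that only calls stat indirectly observes disk_free; that is the channel the closure surfaces.

```python
"""Shared Resource Matrix analysis for covert storage channels (added example).

Not from the notes: a constructed matrix of resource attributes (rows) vs.
system primitives (columns), each cell marked R (references the attribute)
and/or M (modifies it). Following Kemmerer's method, indirect references are
added by transitive closure, then every attribute that one primitive can
modify and a different primitive can observe is reported as a candidate
storage channel. Whether a candidate is exploitable still needs manual
analysis (timing, noise, whether sender and receiver can really be distinct).
"""
R, M, IND = "R", "M", "r"   # direct reference, modify, indirect reference

# Constructed example: a tiny file system interface.
MATRIX = {
    "file_exists": {"create": {M}, "delete": {M}, "stat": {R}},
    "disk_free":   {"create": {R, M}, "delete": {M}, "df": {R}},
    "lock_held":   {"lock": {R, M}, "unlock": {M}},
}


def references(marks):
    return bool(marks & {R, IND})


def closure(matrix):
    """If primitive p references y and modifies x, then any primitive that references x
    indirectly references y (information about y flows into x through p)."""
    m = {attr: {p: set(marks) for p, marks in row.items()} for attr, row in matrix.items()}
    changed = True
    while changed:
        changed = False
        for y, row_y in m.items():
            for p, marks in list(row_y.items()):
                if not references(marks):
                    continue
                for x, row_x in m.items():
                    if x == y or M not in row_x.get(p, set()):
                        continue
                    for q, qmarks in list(row_x.items()):
                        if q != p and references(qmarks) and not references(row_y.get(q, set())):
                            row_y.setdefault(q, set()).add(IND)
                            changed = True
    return m


def potential_channels(m):
    """Attribute -> list of (sender primitive, receiver primitive) pairs."""
    out = {}
    for attr, row in m.items():
        writers = sorted(p for p, marks in row.items() if M in marks)
        readers = sorted(p for p, marks in row.items() if references(marks))
        pairs = [(w, rd) for w in writers for rd in readers if w != rd]
        if pairs:
            out[attr] = pairs
    return out


def render(m):
    """Print the matrix with direct (R/M) and indirect (r) marks."""
    prims = sorted({p for row in m.values() for p in row})
    print(f"{'':12}" + "".join(f"{p:>8}" for p in prims))
    for attr, row in m.items():
        print(f"{attr:12}" + "".join(f"{''.join(sorted(row.get(p, set()))):>8}" for p in prims))


if __name__ == "__main__":
    closed = closure(MATRIX)
    render(closed)
    for attr, pairs in potential_channels(closed).items():
        print(attr, pairs)
```

The output is a list of candidates, not proven channels: lock_held, for instance, only qualifies because unlock modifies what lock observes, which is also the legitimate synchronisation use of the lock.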
Distributed Systems Security
“Principals” make requests for operations that exist on remote hosts
Authentication is hard because there is no trusted path between the user and a trusted TCB node
Authorization between nodes implies one node must speak on another's behalf (delegation)
Access control is hard when resources are distributed
Handling distributed requests
Compound principals can exist logically (e.g. “Alice as Manager”, “Alice and Bob”, “Alice for Bob”)
Principals make statements (“A says s”)
Statements and the relations between principals are reasoned about in a formal logic of authentication (e.g. “A speaks for B”)
Secure Boot and Loading
A program can be characterized by its digest (hash)
Program P comes from a trusted file system; or
P comes from an untrusted file system, but the node (some principal acting as the OS) holds a digest D for P and checks D = Hash(P)
If P (as above) is the OS, call this “Secure Boot”
Physical hardware is the base case. Assume that as part of installation machine M comes with keys and a certificate.
Must keep keys separate from the OS. Revisit SGX, TPM, etc.
Encryption and a secure-channel protocol handle the cross-node issues
Machine M, with its certificate, is the root of trust
Secure boot transfers trust from M to the OS
Delegation during login lets a node demonstrate to a remote server that the user actually logged in on it
SGX is a real-life example of this
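The secure-boot rules above as an added worked example (not from the notes, and not any real firmware's code): the machine's root of trust is modelled as a set of digests installed with it (standing in for the keys and certificate), a trusted file system whose contents are assumed integrity-protected, and a TPM-style register that is extended with each stage's digest so a remote verifier can replay the log, which is the measurement-and-attestation role of the TPM from the first section. Stage images, paths and digests are constructed.

```python
"""Secure boot as digest-based trust transfer, with a measurement log (added example).

Not from the notes: the machine's root of trust is modelled as a set of
digests installed with it (standing in for the keys and certificate), a
trusted file system whose contents are assumed integrity-protected, and a
TPM-like register that is extended with each stage's digest so a verifier can
replay the log. Stage contents are constructed byte strings.
"""
import hashlib
from dataclasses import dataclass, field

ZERO = "00" * 32   # initial value of the measurement register


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def extend(register: str, d: str) -> str:
    """PCR-style extend: new = H(old || d); the order of stages therefore matters."""
    return hashlib.sha256(bytes.fromhex(register) + bytes.fromhex(d)).hexdigest()


@dataclass
class Node:
    trusted_fs: dict           # path -> bytes on the trusted file system
    known_digests: set         # digests of programs the node will run from anywhere
    register: str = ZERO       # running measurement
    log: list = field(default_factory=list)   # (path, digest, decision)

    def load(self, path, blob):
        """P may run if it comes from the trusted FS, or the node holds D = H(P)."""
        d = digest(blob)
        if self.trusted_fs.get(path) == blob:
            decision = "trusted-fs"
        elif d in self.known_digests:
            decision = "digest-match"
        else:
            self.log.append((path, d, "REJECTED"))
            return False
        self.log.append((path, d, decision))
        self.register = extend(self.register, d)
        return True


def boot(node, stages):
    """stages: [(path, blob), ...] from firmware outward. Trust is transferred stage by
    stage; the chain stops at the first stage the node will not vouch for."""
    booted = []
    for path, blob in stages:
        if not node.load(path, blob):
            return booted, path
        booted.append(path)
    return booted, None


def replay(log):
    """What a remote verifier does during attestation: recompute the register from the log
    and compare it with the value the node reports."""
    register = ZERO
    for _, d, decision in log:
        if decision != "REJECTED":
            register = extend(register, d)
    return register


# Constructed stage images.
LOADER = b"bootloader v3"
OS_GOOD = b"kernel 6.1"
OS_BAD = b"kernel 6.1 + rootkit"
APP = b"login daemon"


def fresh_node():
    return Node(trusted_fs={"/boot/loader": LOADER},
                known_digests={digest(OS_GOOD), digest(APP)})


def good_chain():
    return [("/boot/loader", LOADER), ("/boot/kernel", OS_GOOD), ("/sbin/login", APP)]


def tampered_chain():
    return [("/boot/loader", LOADER), ("/boot/kernel", OS_BAD), ("/sbin/login", APP)]
```

In a real system the digest list would itself be signed by a key whose public half is in firmware, and the register value would be signed by the TPM before being sent to the verifier; both are elided here so the example runs offline.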
Securing a DB requires: authentication, authorization, audit; but some things are harder, e.g. inference attacks
Want an RBAC-like model for structured DBs.
Stored procedure security
DB “view”: a subset of the actual DB such that the resulting data matches a specific user's security level
Functional dependency attacks: get (Name, Rank) and get (Rank, Salary); since Rank -> Salary, combine them to disclose the salary for each name.
Statistical queries: use aggregates (averages, sums, counts) over overlapping query sets to infer sensitive individual values with high precision
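Both inference attacks as an added worked example (constructed data, not from the notes): an in-memory SQLite table of employees, two views that each hide the name-to-salary link on their own, and a statistical interface that only answers aggregates over query sets of at least MIN_SET rows. fd_attack() joins the views on the functional dependency rank -> salary; tracker_attack() takes two aggregates that both pass the size check and subtracts them.

```python
"""Two inference attacks against a 'safe' database interface (added example).

Not from the notes: a constructed employees table, two views that each hide
the name->salary link on their own, and a statistical interface that only
answers aggregates over query sets of at least MIN_SET rows. The first attack
joins the views on the functional dependency rank -> salary; the second is a
tracker: two large aggregates whose difference isolates one person.
"""
import sqlite3

MIN_SET = 2   # statistical interface refuses query sets smaller than this

ROWS = [  # constructed sample data: (name, rank, salary)
    ("alice", "manager", 120000),
    ("bob", "engineer", 90000),
    ("carol", "engineer", 90000),
    ("dave", "intern", 30000),
]


def setup():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees(name TEXT, rank TEXT, salary INTEGER)")
    con.executemany("INSERT INTO employees VALUES (?, ?, ?)", ROWS)
    # Each view looks harmless alone: one never shows salary, the other never shows names.
    con.execute("CREATE VIEW v_name_rank AS SELECT name, rank FROM employees")
    con.execute("CREATE VIEW v_rank_salary AS SELECT DISTINCT rank, salary FROM employees")
    return con


def fd_attack(con, name):
    """rank -> salary is a functional dependency, so joining the views on rank
    re-links each name to a salary."""
    row = con.execute(
        "SELECT s.salary FROM v_name_rank n JOIN v_rank_salary s ON n.rank = s.rank "
        "WHERE n.name = ?", (name,)).fetchone()
    return row[0] if row else None


def stat_sum(con, exclude=None, only=None):
    """Statistical interface: SUM(salary) over a subset, refused when the set is too small.
    Filter values are bound parameters, never interpolated into the SQL."""
    n, total = con.execute(
        "SELECT COUNT(*), SUM(salary) FROM employees "
        "WHERE (? IS NULL OR name <> ?) AND (? IS NULL OR name = ?)",
        (exclude, exclude, only, only)).fetchone()
    if n < MIN_SET:
        return None   # refused: would reveal an individual directly
    return total


def tracker_attack(con, name):
    """Both aggregates pass the size check; their difference is one person's salary."""
    return stat_sum(con) - stat_sum(con, exclude=name)
```

A minimum query-set size alone does not stop the tracker; that is the motivation for the noise-based approaches in the next lines.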
Better solution: de-identification (k-anonymity) and differential privacy
k-anonymity: DB transformed so that at least k different rows share the same quasi-identifier “trace”
Utility of the DB drops with increasing k
Linking attacks and lack of l-diversity (all k rows in a class sharing the same sensitive value) are still a problem
Differential privacy: the curator adds noise to the true response R and returns R'
This needs to be done carefully (track a privacy budget) so the noise cannot be cancelled out by repeating or combining queries
Gaussian or Laplace mechanism: noise drawn from these distributions, scaled to the query's sensitivity and the privacy parameter epsilon
Local differential privacy (LDP): each respondent adds noise before the data reaches the curator, so no trusted curator is needed
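k-anonymity and the Laplace mechanism as one added worked example (constructed data, not from the notes): a small table of (age, zip, diagnosis) where diagnosis is the sensitive attribute and (age, zip) is the trace. generalize() coarsens the trace, k_of()/l_diversity()/distinct_traces() measure the trade-off, and Curator answers counting queries with Laplace noise while enforcing a privacy budget. The budget is what makes the “noise averages out” attack fail: without it, the 2000 repeated answers in the test average to the true count.

```python
"""k-anonymity via generalisation and a Laplace-mechanism curator (added example).

Not from the notes: a constructed table of (age, zip, diagnosis) where
diagnosis is the sensitive attribute and (age, zip) the quasi-identifier
"trace". generalize() coarsens the trace; k_of()/l_diversity() measure the
result. Curator answers counting queries with Laplace noise and enforces a
privacy budget, which is what stops repeated queries from averaging the
noise away.
"""
import math
import random
from collections import Counter

RECORDS = [  # constructed: (age, zip, diagnosis)
    (29, "94107", "flu"), (31, "94109", "flu"), (35, "94110", "cancer"),
    (52, "95014", "flu"), (57, "95019", "cancer"), (58, "95020", "flu"),
]


def generalize(rec, age_bucket, zip_prefix):
    """Replace age by a range of width age_bucket and keep only zip_prefix digits of the zip."""
    age, zipc, diag = rec
    lo = age - age % age_bucket
    return (f"{lo}-{lo + age_bucket - 1}", zipc[:zip_prefix] + "*" * (5 - zip_prefix), diag)


def k_of(table):
    """Size of the smallest equivalence class over the trace (age range, zip)."""
    return min(Counter(row[:2] for row in table).values())


def l_diversity(table):
    """Fewest distinct sensitive values in any class; 1 means the class leaks the value outright."""
    groups = {}
    for age, zipc, diag in table:
        groups.setdefault((age, zipc), set()).add(diag)
    return min(len(v) for v in groups.values())


def distinct_traces(table):
    """Crude utility measure: how many different traces survive generalisation."""
    return len({row[:2] for row in table})


def laplace(scale, rng):
    """Sample Lap(0, scale) by inverse CDF from a uniform in [-0.5, 0.5)."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1 - 2 * abs(u), 1e-300))


class Curator:
    def __init__(self, records, total_epsilon, seed=0):
        self.records = records
        self.budget = total_epsilon
        self.rng = random.Random(seed)

    def count(self, predicate, epsilon):
        """Laplace mechanism for a counting query (sensitivity 1): true count + Lap(1/epsilon).
        Returns None once the budget is spent; without that, the analyst could repeat the
        query and average the answers until the noise cancels."""
        if epsilon > self.budget:
            return None
        self.budget -= epsilon
        true = sum(1 for r in self.records if predicate(r))
        return true + laplace(1 / epsilon, self.rng)
```

The budget accounting here is plain sequential composition (epsilons add up); tighter composition theorems exist but the failure mode is the same, an unbounded number of answers about the same data.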
What about Multi-Level Databases (MLDB), e.g. can we add BLP to databases?
SeaView is one such instance of an MLDB with BLP support
An access class is assigned to each element in a row
Tuple access class is the LUB of the access classes of the elements in the tuple (row)
Relation/table access class is the GLB of the access classes of its elements
Database access class is the GLB of the table access classes
For data to be accessible, the tuple's key access class must be the lowest class in the tuple (every element's class dominates the key's class)
Users see elements in a “read down” fashion: if an element's class is too high for the user, it appears as NULL
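The element-level classification rules above as an added worked example (not SeaView's code): access classes are (sensitivity, categories) levels forming a lattice, each element of a row carries its own class, tuple/relation/database classes are computed with LUB/GLB exactly as stated, well_formed() checks the key-is-lowest rule, and read_down() is the filtered relation a user at a given level sees. The FLIGHTS relation and the levels U, C, S and S_NUC are constructed.

```python
"""SeaView-style multilevel relation with element-level access classes (added example).

Not from SeaView itself: access classes are (sensitivity, categories) levels
forming a lattice, each element of a row carries its own class, and the
tuple/relation/database classes are computed as LUB/GLB as the notes state.
read_down() is the filter a user at a given level sees. The FLIGHTS relation
is constructed data.
"""
import functools
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

    def dominates(self, other):
        return self.sens >= other.sens and self.cats >= other.cats


def lub(a, b):   # least upper bound: higher sensitivity, union of categories
    return Level(max(a.sens, b.sens), a.cats | b.cats)


def glb(a, b):   # greatest lower bound: lower sensitivity, intersection of categories
    return Level(min(a.sens, b.sens), a.cats & b.cats)


U = Level(0, frozenset())               # unclassified
C = Level(1, frozenset())               # confidential
S = Level(2, frozenset())               # secret
S_NUC = Level(2, frozenset({"NUC"}))    # secret, compartment NUC

# Constructed relation: each row maps column -> (value, access class); "flight" is the key.
FLIGHTS = [
    {"flight": ("F1", U), "dest": ("Paris", U), "cargo": ("mail", U)},
    {"flight": ("F2", U), "dest": ("Berlin", C), "cargo": ("missiles", S_NUC)},
    {"flight": ("F3", S), "dest": ("Kiev", S), "cargo": ("spares", S)},
]


def tuple_class(row):
    return functools.reduce(lub, (cls for _, cls in row.values()))


def relation_class(rel):
    return functools.reduce(glb, (cls for row in rel for _, cls in row.values()))


def database_class(db):
    return functools.reduce(glb, (relation_class(rel) for rel in db.values()))


def well_formed(rel, key):
    """Key class must be the lowest in each tuple, otherwise a tuple could be
    visible to a user who may not even see its key."""
    return all(cls.dominates(row[key][1]) for row in rel for _, cls in row.values())


def read_down(rel, key, user):
    """Rows whose key the user dominates, with every element above the user's level nulled."""
    visible = []
    for row in rel:
        if not user.dominates(row[key][1]):
            continue
        visible.append({col: (val if user.dominates(cls) else None)
                        for col, (val, cls) in row.items()})
    return visible
```

Note what the NULL itself reveals: an S-cleared user sees that F2 has a cargo element they cannot read, which is the polyinstantiation problem SeaView addresses and this example does not.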