US20160357953A1 - Decentralized information flow securing method and system for multilevel security and privacy domains - Google Patents

Decentralized information flow securing method and system for multilevel security and privacy domains Download PDF

Info

Publication number
US20160357953A1
US20160357953A1 US14/733,285 US201514733285A US2016357953A1 US 20160357953 A1 US20160357953 A1 US 20160357953A1 US 201514733285 A US201514733285 A US 201514733285A US 2016357953 A1 US2016357953 A1 US 2016357953A1
Authority
US
United States
Prior art keywords
label
information
access
subject
component
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US14/733,285
Other versions
US9507929B1 (en
Inventor
N.V. Narendra Kumar
R.K. Shyamasundar
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tata Institute of Fundamental Research
Original Assignee
Tata Institute of Fundamental Research
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tata Institute of Fundamental Research filed Critical Tata Institute of Fundamental Research
Priority to US14/733,285 priority Critical patent/US9507929B1/en
Assigned to TATA INSTITUTE OF FUNDAMENTAL RESEARCH reassignment TATA INSTITUTE OF FUNDAMENTAL RESEARCH ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SHYAMASUNDAR, R.K., KUMAR, N.V. NARENDRA
Application granted granted Critical
Publication of US9507929B1 publication Critical patent/US9507929B1/en
Publication of US20160357953A1 publication Critical patent/US20160357953A1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6281Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113Multi-level security, e.g. mandatory access control

Definitions

  • Embodiments of the invention relates to securing information flow in an information system.
  • one or more embodiments of the invention are directed to develop an information flow securing method which will be adapted to control the decentralized information flow taking into account both the readers and writers of information in the information system.
  • Assurance provides that a computer system is secure with respect to a given security policy—is an important theme in secure computing. Assurance would have been indeed possible, if the underlying hardware and software had been shown to be correct as per the intended specifications. However, showing the correctness of hardware/software in totality is impossible. It may be pointed that bugs in an application can enable data stealing. That is why, it is important to assure the absence of information leaks in any application.
  • One of the beginning building blocks towards such an assurance is the first building of a system's Trusted Computing Base (TCB)—realized correctly—through which a complete secure system could be built. For high assurance, the TCB needs to be small and the policy simple.
  • Information flow control (IFC) is one such policy; it specifies how information is allowed to move around in a system and disseminated.
  • each subject and object is assigned a security class/label, and permissible information flows are defined by a binary relation on security classes.
  • a subject i.e. the active entities whose actions cause information to flow requests an operation to be performed on an object i.e. the passive entities containing information
  • it is granted only if the resulting information flow satisfies the permissible flow relation.
  • the flow rule is good because it composes: if each step obeys the rule, the whole computation does so.
  • the label on every data item is at least the maximum of the labels on everything that affected it; the rule is end to end. It is certainly simple, and assurance is just evidence that each step obeys it.
  • DIFC decentralized model for information flow control.
  • SOSP '97 pages 129-142, New York, N.Y., USA.
  • DIFC became popular due to the decentralized nature of flow control and led to the development of several systems for realizing secure programming systems (Jflow, FlowCaml etc.), operating systems (Asbestos, HiStar, Flume, Laminar etc.) and distributed systems (Fabric, DStar, Airavat etc.).
  • DLM Myers' label system
  • DLM includes only readers for protecting confidentiality and only writers for protecting integrity.
  • Stefan et al. introduced a label system referred to as DC labels [ref.: D. Stefan, A. Russo, D. Mazi'eres, and J. C. Mitchell. Disjunction category labels. In Proceedings of the 16th Nordic Conference on NordSec, pages 223-239, Berlin, Heidelberg, 2012. Springer-Verlag] that incorporate both readers and writers. But it must be noted that it is not easy to derive DC labels for modelling a given requirement. Moreover, their support for discretionary controls is orthogonal to the IFC and thus defeats the purpose of the mandatory controls.
  • the one or more embodiments of the invention propose a novel security method that provides succinct information flow control across the stakeholders of the system consisting of various subjects and objects that are distributed system wide, through the basic actions of read and write.
  • the one or more embodiments of the method of the invention captures the subtle way the information gets disseminated in the system after the resource is accessed in an authorized way and leads to succinct definitions of information flow policies with respect to security, privacy and other legal requirements.
  • a method of securing information flow in an information system comprising: intercepting access requests to information in the information system by all applications running in the information system; intuitively assigning labels to all the information and the applications depending on the application requirements constituting state information; combining the application making the access request and the information for which the access request is made with their respective labels; checking allowance of the access request based on comparison of the label corresponding to the application making the access request and the label corresponding to the information for which the access request is made; accordingly providing access of the information to the application on detection of allowable access request else denying the access request.
  • the state information appropriately changed on allowable access request and if operation corresponding to the access request is either creating or reading of the information or administrative.
  • the assigning the labels to all the information and the applications depending on the application requirements includes assigning the labels to all subjects corresponds to active entities whose actions cause information to flow and all objects corresponds to passive entities containing the information in the said information system.
  • the label assigned to the subject comprises: a first component for denoting authority; a second component for denoting set of subjects that can be influenced indicating set of readers of the information contained in the object which is accessed by the said subject; and a third component for denoting set of subjects that have influenced indicating set of writers of the information contained in the object which is accessed by the said subject.
  • the label assigned to the object comprises: a first component for denoting ownership; a second component for denoting set of subjects that can be influenced indicating set of readers of the information contained in said object; and a third component for denoting set of subjects that have influenced indicating set of writers of the information contained in said object.
  • the label assigned to the subject and the object are defined as (A,R,W) where A is a function denoting the first (administration) component of the label, R is a function denoting the second (readers) component of the label, W is a function denoting the third (writers) component of a label.
  • the label assigned to the subjects are mostly dynamic and includes lowest or default label and highest or clearance label.
  • the label assigned to the objects are mostly static and are assigned at creation/initiation.
  • the lowest label of the subject s is set to (s,S, ⁇ ⁇ ) while its highest label is set to (s, ⁇ s ⁇ ,S), wherein the lowest and the highest labels of the subject can be automatically derived from the object labels, S is the set of all the subjects in the information system.
  • the comparison of the label corresponding to the subject making the access request and the label corresponding to the object for which the access request is made and therefrom allowing the access request includes: allowing access when the subject ‘s’ with label (s 1 ,R 1 ,W 1 ) requests read access to the object ‘o’ with label (s 2 ,R 2 ,W 2 ) and if s 1 ⁇ R 2 ; allowing access when the subject ‘s’ with label (s 1 ,R 1 ,W 1 ) requests write access to the object ‘o’ with label (s 2 ,R 2 ,W 2 ) and if s 1 ⁇ W 2 and R 1 R 2 and W 1 W 2 ; allowing access when the subject ‘s’ with label (s,R,W) requests creation of the object and creating the object ‘o’ with label (s,R,W ⁇ s ⁇ ); allowing access when the subject ‘s’ with label (s 1 ,R 1 ,W 1 )
  • the allowing reading access simultaneously changes the label of ‘s’ to (s 1 ,R 1 ⁇ R 2 ,W 1 ⁇ W 2 ).
  • a computer readable medium embodying computer implemented method for securing information flow in an operating system comprising: a runtime monitor for intercepting calls to system library of the operating system by all applications; a system-state information component for containing the labels associated with the subjects and the objects in the operating system; a state transformation rules component for encoding permissible state transformation rules regarding the levels during the object creation, modification and verification of the subject labels during the object access.
  • the computer readable medium embodying computer implemented method for securing information flow in an operating system comprises rule engine in the state transformation rules component accepts levels of subjects and objects and determines if access is to be granted or denied.
  • the runtime monitor intercepts the request, identifies s, o, operation requested, and any other parameters, fetches ⁇ (s) and ⁇ (o) from the system-state information, passes s, o, operation requested with any parameters, ⁇ (s) and ⁇ (o) to the state transformation rules component and receives the result of access request granting or denial and responds to the application appropriately, here ⁇ is S ⁇ O ⁇ L labelling function that returns the current label of entity, and S is set of the subjects in the operating system, O is set of the objects in the operating system.
  • the method for securing information flow in an operating system by involving the computer readable medium embodying the computer implemented method for securing information flow in an operating system includes: intercepting subject's request call to the system library by involving the runtime monitor and seeking the labels of the subject making the request and the object for which the request is made from the system-state information component; forwarding the request with the labels of the subjects requesting access and the object to the state transformation rules component on receiving the labels desired from the system-state information component; checking state transformation rules based on the labels in the state transformation rules component for determining allowance of the access request; changing in the system-state information component if the decision is to allow request, and if the operation is either create or read or administrative and thereby forwarding result of request in the form of allow or deny to the runtime monitor by involving the system-state information component; forwarding the call together with parameter list to the system library call handler for processing the call and returns the result to the subjects on allowing the requests; and returning an error message to the subjects if the request is denied by
  • the checking State transformation rules based on the labels in the state transformation rules component for determining allowance of the access request includes: allowing access when the subject ‘s’ with label (s 1 ,R 1 ,W 1 ) requests read access to the object ‘o’ with label (s 2 ,R 2 ,W 2 ) and if s 1 ⁇ R 2 ; allowing access when the subject ‘s’ with label (s 1 ,R 1 ,W 1 ) requests write access to the object ‘o’ with label (s 2 ,R 2 ,W 2 ) and if s 1 ⁇ W 2 and R 1 R 2 and W 1 W 2 ; allowing access when the subject ‘s’ with label (s,R,W) requests creation of the object and creating the object ‘o’ with label (s,R,W ⁇ s ⁇ ); allowing access when the subject ‘s’ with label (s 1 ,R 1 ,W 1 ) requests read access to the object ‘o’ with label (s 2 ,R 2 ,W 2 ) and if s 1 ⁇
  • FIG. 1 shows a preferred architecture of a security monitoring in an information system involving RWFM in accordance with an embodiment of the invention.
  • FIG. 2 shows a preferred architecture for securing operating systems using RWFM in accordance with an embodiment of the invention.
  • the basic object of the invention is to develop a method for securing information flow in an information system which would be adapted to consider both the readers and writers of information for a proper tracking of any information flow property and effectively secure the information flow.
  • Another object of the invention is to develop a method for securing information flow in an information system which would be adapted to enable intuitive specification of security policies in the information flow and supports the discretionary controls required for practical applications in a manner so as to preserve the mandatory nature of the information flow control.
  • Yet another object of the invention is to develop a method for securing information flow in an information system which would be adapted to provide succinct information flow control across the stakeholders of the system consisting of various subjects and objects that are distributed system wide, through the basic actions of read and write of the information.
  • a still further object of the invention is to develop a method for securing information flow which would be application independent and adapted to implement in any operating system to secure the information flow to the different stakeholders of the system.
  • the one or more embodiments disclose a novel information flow securing method based on Readers-Writers Flow Model (herein referred as RWFM) for decentralized information flow control taking into account both the readers and writers of information, which is essential for a proper tracking of any information flow property and securing the information flow in an information system or Information Technology infrastructure.
  • RWFM Readers-Writers Flow Model
  • the method proposes a labeling technique which enables intuitive specification of policies, and supports the discretionary controls required for practical applications in a manner so as to preserve the mandatory nature of the information flow control.
  • the method is adapted to be implemented as a computer program product embodied on a computer-readable medium.
  • FIG. 1 The basic architecture of the information flow securing in an information system using the RWFM based information flow securing method is illustrated in the accompanying FIG. 1 .
  • the information flow securing in accordance with the RWFM based securing method basically includes Information-Flow Monitor (A), System-state Information (B) and State Transformation Rules component (C).
  • A Information-Flow Monitor
  • B System-state Information
  • C State Transformation Rules component
  • the method for securing the information flow in the information system starts with the Information-Flow Monitor (A) which intercepts the access requests to resources or information in the information system by all applications running in the information system for enforcing access control to the information system as per the access rules encoded in the rule engine.
  • the System-state Information component (B) is a certificate database that stores state information having privileges or labels which are intuitively assigned to both the resources and the applications along with unique identifiers for the resources and the applications themselves. The entire state information of the monitor is maintained by the certificate database. This database is modified by a rule engine during resource creation or during administrative action.
  • State Transformation Rule component is the rules engine that encodes the permissible state transformations or the access rules regarding application of privileges or levels during resource creation/modification and verification of application privileges during resource access.
  • the rule engine accepts as inputs privileges or levels of applications and resources and determines if access is to be granted or denied. It defines the dynamic behaviour of the system.
  • Information-flow monitor intercepts all access requests, and seeks from system-state information about the labels of the application making a request and the resource for which the request is made. Then system-state information component provides the labels desired by the monitor. Information-flow monitor combines the application making the access request and the resource for which the access request is made with their respective labels forwards them to the state transformation rules component.
  • State transformation rules component checks the allowance of the access request based on comparing of the label corresponding to the application making the access request and the label corresponding to the resource for which the access request is made by involving the rule engine and if the decision is to allow request, and if the operation is either create or read or the application is administrative, this component makes appropriate changes to the system-state information component.
  • State transformation rules component returns the result of request in the form of allow/deny to the runtime monitor. If the request is allowed, information-flow monitor simply forwards the request to the resource manager; else it returns an error message to the application.
  • FIG. 2 is illustrating a preferred architecture for securing the flow of information in an operating system running in a computing platform by using the RWFM based method.
  • the Runtime Monitor ( 1 ) intercepts the calls to system library (herein referred as libc) of the operating system by all processes for enforcing access control to files on the system as per the rules encoded in the rule engine.
  • system library herein referred as libc
  • the System-state Information component ( 2 ) contains the privileges or labels associated with all subjects and objects in the operating system.
  • the subjects refer to the active entities whose actions cause the information to flow and the objects refer to the passive entities containing the information.
  • the State Transformation Rules component ( 3 ) encodes the permissible state transformations rules regarding application of privileges or levels during object creation/modification and verification of subject privileges during object access.
  • the rule engine in the State Transformation Rules component ( 3 ) accepts as inputs privileges levels of subjects and objects and determines if access is to be granted or denied. It defines the dynamic behavior of the system.
  • the entire state information of the system which is maintained in the certificate database of the System-state Information component ( 2 ) is also modified by the rule engine during object creation or during administrative action.
  • the runtime monitor seeks from system-state information component about the labels of the application or subject making a request and the object for which the request is made.
  • the System-state information component provides the labels desired by the runtime monitor.
  • the Runtime monitor then forwards the operation requested together with the labels of the application or subjects requesting access and the object to state transformation rules component.
  • State transformation rules then are checked based on the labels in the state transformation rules component and if the decision is to allow request, and if the operation is either create or read or the application is administrative, this component makes appropriate changes to the system-state information component.
  • the State transformation rules component returns the result of request in the form of allow/deny to the runtime monitor.
  • runtime monitor simply forwards the libc call together with the parameter list to the libc call handler and the libc call handler processes the call and returns the result to the application or subjects. If the request is denied, then the runtime monitor returns an error message to the application.
  • the labels explicitly identify possible readers and writers of the information and can be automatically inferred from the natural language specifications.
  • the RWFM based information flow securing method is application independent and can be applied to study any information flow property (confidentiality, integrity, privacy etc.).
  • the method of the invention provides a clean semantics of information flow; combines well with DAC and also supports information downgrading (declassifying) and relabelling. It further provides a clean executional model to realize the multi-level security systems for which checking compliance with respect to security and privacy will become natural.
  • the first step is to specify the desired security policy. This is achieved by assigning labels to all the subjects and all the objects in the information system depending on the application requirements.
  • the set of labels in RWFM is given by S ⁇ 2 S ⁇ 2 S , where S denotes the set of subjects in the information system and 2 s denotes the set of subsets of S, and ‘ ⁇ ’ denotes Cartesian product.
  • the first component of the label denotes authority.
  • the second component denotes the set of subjects that can be influenced i.e. the set of readers of the information contained in an object which is accessed by the said subject.
  • the third component denotes the set of subjects that have influenced i.e. the set of writers of the information contained in an object which is accessed by the said subject.
  • the first component of the label denotes ownership.
  • the second component denotes the set of subjects that can be influenced i.e. the set of readers of the information contained in the object.
  • the third component denotes the set of subjects that have influenced i.e. the set of writers of the information contained in the object.
  • Labels for objects are mostly static and are assigned at creation/initiation. However, in the case of subjects, labels are mostly dynamic.
  • the security policy specifies the lowest (default label) and highest (clearance) labels for each subject. Each execution of a subject starts with its default label, and its label is permitted to float up (as it consumes more information) so long as it remains below its clearance.
  • the default label of a subject ‘s’ is set to (s,S, ⁇ ) while its clearance is set to (s, ⁇ s ⁇ ,S). However, depending on the application requirements these may be set more tightly. In fact, the lowest and the highest permissible labels of a subject can be automatically derived from the object labels.
  • the lowest label (default) and the highest label(clearance) for a subject s can be fixed to be (s,S, ⁇ ⁇ ) and (s, ⁇ s ⁇ ,S) respectively, where S is the set of all the subjects in the system.
  • the RWFM supports the following five operations: Read, Write, Create, Downgrade and Relabel by using specific access rules.
  • the RWFM operates as follows to secure the operating systems
  • System-state information component stores S, O, ⁇
  • Runtime monitor intercepts the request, identifies s, o, operation requested, and any other parameters, fetches ⁇ (s) and ⁇ (o) from the system-state information, passes s, o, operation requested with any parameters, ⁇ (s) and ⁇ (o) to the state transformation rules component and receives the result of request and responds to the application appropriately.
  • State transformation rules component performs the access checks given in the algorithm, updates the system-state information component, if any and returns the result of request (ALLOW/DENY) to the run-time monitor.
  • RWFM provides simple label management and efficient checking of information flow.
  • RWFM supports a simple floating label system for subjects, that is useful for supporting the principle of least privilege and enables incompatible operations to be performed by a user in isolated sessions.
  • RWFM provides a complete label system in the sense that, any information flow property that can be reasoned with Denning's model can be simulated in RWFM.
  • RWFM provides the smallest set of labels with which the policy can be defined.
  • RWFM makes it easy to reason about information flows not only between a subject and an object but also between any two entities (subject/object). Thus, the relations between the entities in an information system are made explicit by RWFM, which makes it amenable for easy policy verification/validation and compliance checking.
  • RWFM has been successfully applied for modelling real-world end-to-end security requirements like isolation of processes in operating systems, and interactions amongst the stakeholders in network and web protocols etc and it has been found that RWFM approach to protocol specification unambiguously identifies the origin, intended destination and the purpose of a message.
  • the RWFM based information flow securing method has been applied in a medical information system.
  • a patient information file is need to be accessed by different stakeholders of the medical information system such as hospital authority, doctors or nurses etc.
  • any patient may have the following requirements or restriction on the information:
  • the patient wishes that this information not be disclosed to entities like marketing agencies, drug manufacturers, pharmacies etc who are also stakeholders in a medical information system.
  • the above privacy policy specified by the patient is expressed by labeling the patient information as (P, ⁇ P,H,D,N ⁇ , ⁇ P,D ⁇ ), where P: patient, H: hospital, D: doctor and N:nurse.
  • This label indicates first component is P so it is owned by the patient.
  • the second component of the label is ⁇ P,H,D,N ⁇ so the information is only readable by the patient, hospital, doctor and nurse.
  • the third component of the label is ⁇ P,D ⁇ so the patient and the doctor has writing access. Therefore, the access rule of the RWFM will prevent this labeled information flow towards a subject other than P, H, D and N.
  • RWFM policies are intuitive and simple.
  • the RWFM based information flow securing method also prevents practically exploitable vulnerabilities in the EMV protocol (Chip-and-Pin).
  • vulnerabilities of the EMV protocol reported in literature exploit the fact that there is no way to accurately identify all the stakeholders that influenced a message in the transaction.
  • the label of each message in every transaction clearly identifies: (i) the sender of the message, (ii) the stakeholders for whom the message is intended i.e., the permissible readers of the message, and (iii) all the stakeholders that have influenced the message. This enables the stakeholder receiving a message to decide an appropriate response based on its label and the trust relationships.
  • one of the reported vulnerabilities works as follows: the attacker obtains an authorization certificate from a legitimate transaction on a compromised device, and uses it to perform an illegal transaction on a genuine device. If RWFM model was used, this vulnerability would not have existed, because the message sent in the illegal transaction would have had both the genuine device and the compromised device as the stakeholders that influenced it. Upon receiving the message, the bank can immediately identify the problem and respond with a failure/error message.
  • the one or more embodiments of the invention provide a unified information securing method, including the problems addressed by the present state of art.

Abstract

The present invention discloses a method for securing information flow in an information system. The method comprises intercepting access requests to information in the information system by all applications running in the information system, intuitively assigning labels to all the information and the applications depending on the application requirements, combining the application making the access request and the information for which the access request is made with their respective labels, checking allowance of the access request based on comparison of the label corresponding to the application making the access request and the label corresponding to the information for which the access request is made and accordingly providing access of the information to the application on detection of allowable access request else denying the access request.

Description

    FIELD OF THE INVENTION
  • Embodiments of the invention relates to securing information flow in an information system. In particular, one or more embodiments of the invention are directed to develop an information flow securing method which will be adapted to control the decentralized information flow taking into account both the readers and writers of information in the information system.
    • BACKGROUND OF THE INVENTION
  • Assurance—evidence that a computer system is secure with respect to a given security policy—is an important theme in secure computing. Assurance would have been indeed possible, if the underlying hardware and software had been shown to be correct as per the intended specifications. However, showing the correctness of hardware/software in totality is impossible. It may be pointed that bugs in an application can enable data stealing. That is why, it is important to assure the absence of information leaks in any application. One of the beginning building blocks towards such an assurance is the first building of a system's Trusted Computing Base (TCB)—realized correctly—through which a complete secure system could be built. For high assurance, the TCB needs to be small and the policy simple. Information flow control (IFC) is one such policy; it specifies how information is allowed to move around in a system and disseminated.
  • In late 1960s, the US military started the visualization of a “multilevel” computer system wherein information leaks from a user process handling classified data can be either shown to be leak free or at least accountability of the leak can be traced. Of course, it is impractical to require every application program to come from a trusted source; many essential tools are too big and complicated to rebuild, or even to audit. IFC solves this problem by requiring that no action of a secret process can affect the state of an unclassified one.
  • In 1973, Bell and LaPadula [ref: D. E. Bell and L. J. LaPadula. Secure computer systems: Unified exposition and multics interpretation. In Technical Report ESD-TR-75-306, MTR-2997, MITRE, Bedford, Mass, 1975.] formulated a mathematical framework and a model for IFC to deal with the problems of confidentiality in the context of military computer systems. The model has since been refined and extended with the objective of producing a secure computer system design. From a different perspective, Biba [ref: K. Biba. Integrity considerations for secure computer systems. Tech Report ESDTR-76-372, MITRE, Mass, 1976.] developed integrity policies for addressing the problems of improper data modification posed by secure military computer utility.
  • In 1976, Denning [ref.: D. E. Denning A lattice model of secure information flow. Comm ACM, 19(5):236-243, 1976.] derived a lattice model of secure information flow that permits concise formulations of the security requirements of several existing systems and facilitates construction of mechanisms that enforce security. Further, the model provides a unifying view of all systems that restrict information flow including BLP and Biba.
  • In Denning's model, each subject and object is assigned a security class/label, and permissible information flows are defined by a binary relation on security classes. When a subject i.e. the active entities whose actions cause information to flow requests an operation to be performed on an object i.e. the passive entities containing information, it is granted only if the resulting information flow satisfies the permissible flow relation. The flow rule is good because it composes: if each step obeys the rule, the whole computation does so. Hence the label on every data item is at least the maximum of the labels on everything that affected it; the rule is end to end. It is certainly simple, and assurance is just evidence that each step obeys it.
  • The work of Myers and Liskov [ref.: A. C. Myers and B. Liskov. A decentralized model for information flow control. In SOSP '97, pages 129-142, New York, N.Y., USA.] (DIFC) in 1997, revived the field by deriving a decentralized label model that allows subjects to create their own labels for controlling the flow of their data. DIFC became popular due to the decentralized nature of flow control and led to the development of several systems for realizing secure programming systems (Jflow, FlowCaml etc.), operating systems (Asbestos, HiStar, Flume, Laminar etc.) and distributed systems (Fabric, DStar, Airavat etc.).
  • In the early 1980s research on information flow led to the Trusted Computer System Evaluation Criteria (“Orange Book”) [ref.: Department of Defense Standard—5200.28-STD. Trusted Computer System Evaluation Criteria. December 1985], which defines the security of a computer system by how well it implements flow control and how good its assurance is. Despite a lot of effort being invested in developing systems satisfying these criteria, they all had the following problems: large TCB, slow, not easy to use, and very limited functionality.
  • Myers' label system called DLM [ref.: A. C. Myers and B. Liskov. Protecting privacy using the decentralized label model. ACM Trans. Softw. Eng. Methodol. 9(4):410-442, October 2000.] includes only readers for protecting confidentiality and only writers for protecting integrity. However, it is important to note that for a proper tracking of any information flow property, it is important to control both reading and writing by subjects. Stefan et al. introduced a label system referred to as DC labels [ref.: D. Stefan, A. Russo, D. Mazi'eres, and J. C. Mitchell. Disjunction category labels. In Proceedings of the 16th Nordic Conference on NordSec, pages 223-239, Berlin, Heidelberg, 2012. Springer-Verlag] that incorporate both readers and writers. But it must be noted that it is not easy to derive DC labels for modelling a given requirement. Moreover, their support for discretionary controls is orthogonal to the IFC and thus defeats the purpose of the mandatory controls.
  • Butler Lampson—a Distinguished Computer Scientist, in a recent technical perspective [B. Lampson. Making untrusted code useful: technical perspective. CACM, Vol. 54 No. 11, Page 92, November 2011.] on HiStar says “This is the latest step in the long and frustrating journey toward secure computing. It is a convincing solution for some serious practical problems. The general-purpose computing that failed in the 1980s has not been tried”.
    • SUMMARY OF THE INVENTION
  • With the explosion of information, it has become essential for trusted information systems to interact with untrusted systems, particularly so, with the promotion of cloud computing. In fact, building secure applications from mostly untrusted code by using information flow control to enforce data security is a challenge. For example, enforcing data security policy when executing untrusted code with access to sensitive data is important as an untrusted application may be able to read some sensitive data, but it should never be able to surreptitiously export this data from the system. Thus, it has become essential to avoid information leaks and protect systems from information adulteration. While there is a spectrum of good access/authorization mechanisms available, the existing security models do not cater to the challenges. One of the main reasons for this has been the lack of models that provide a robust unification of mandatory access control (MAC) and discretionary access control (DAC) of information. In the context of networked distributed systems, it becomes further necessary to broaden the scope to include the control of information flow between distributed nodes on a system wide basis rather than on an individual basis. It may be noted that different data manipulated by an application have different security requirements. A unified security model is indeed the need of the hour for assuring security of operating systems, programming languages, virtualization, web interaction etc. The one or more embodiments of the invention propose a novel security method that provides succinct information flow control across the stakeholders of the system consisting of various subjects and objects that are distributed system wide, through the basic actions of read and write. The one or more embodiments of the method of the invention captures the subtle way the information gets disseminated in the system after the resource is accessed in an authorized way and leads to succinct definitions of information flow policies with respect to security, privacy and other legal requirements.
  • Thus, according to the basic aspect of the one or more embodiments of the invention there is provided a method of securing information flow in an information system comprising: intercepting access requests to information in the information system by all applications running in the information system; intuitively assigning labels to all the information and the applications depending on the application requirements constituting state information; combining the application making the access request and the information for which the access request is made with their respective labels; checking allowance of the access request based on comparison of the label corresponding to the application making the access request and the label corresponding to the information for which the access request is made; accordingly providing access of the information to the application on detection of allowable access request else denying the access request.
  • According to another aspect in the method of securing information flow in an information system, the state information appropriately changed on allowable access request and if operation corresponding to the access request is either creating or reading of the information or administrative.
  • According to another aspect in the method of securing information flow in an information system, the assigning the labels to all the information and the applications depending on the application requirements includes assigning the labels to all subjects corresponds to active entities whose actions cause information to flow and all objects corresponds to passive entities containing the information in the said information system.
  • According to a further aspect in the method of securing information flow in an information system, the label assigned to the subject comprises: a first component for denoting authority; a second component for denoting set of subjects that can be influenced indicating set of readers of the information contained in the object which is accessed by the said subject; and a third component for denoting set of subjects that have influenced indicating set of writers of the information contained in the object which is accessed by the said subject.
  • According to a further aspect in the method of securing information flow in an information system, the label assigned to the object comprises: a first component for denoting ownership; a second component for denoting set of subjects that can be influenced indicating set of readers of the information contained in said object; and a third component for denoting set of subjects that have influenced indicating set of writers of the information contained in said object.
  • According to yet another aspect in the method of securing information flow in an information system, the label assigned to the subject and the object are defined as (A,R,W) where A is a function denoting the first (administration) component of the label, R is a function denoting the second (readers) component of the label, W is a function denoting the third (writers) component of a label.
  • According to a further aspect in the method of securing information flow in an information system, the label assigned to the subjects are mostly dynamic and includes lowest or default label and highest or clearance label.
  • According to yet another aspect in the method of securing information flow in a information system, the label assigned to the objects are mostly static and are assigned at creation/initiation.
  • According to another aspect in the method of securing information flow in an information system, the lowest label of the subject s is set to (s,S,{ }) while its highest label is set to (s,{s},S), wherein the lowest and the highest labels of the subject can be automatically derived from the object labels, S is the set of all the subjects in the information system.
  • According to a further aspect in the method of securing information flow in a information system, the comparison of the label corresponding to the subject making the access request and the label corresponding to the object for which the access request is made and therefrom allowing the access request includes: allowing access when the subject ‘s’ with label (s1,R1,W1) requests read access to the object ‘o’ with label (s2,R2,W2) and if s1∈R2; allowing access when the subject ‘s’ with label (s1,R1,W1) requests write access to the object ‘o’ with label (s2,R2,W2) and if s1∈W2 and R1
    Figure US20160357953A1-20161208-P00001
    R2 and W1
    Figure US20160357953A1-20161208-P00002
    W2; allowing access when the subject ‘s’ with label (s,R,W) requests creation of the object and creating the object ‘o’ with label (s,R,W∪{s}); allowing access when the subject ‘s’ with label (s1,R1,W1) requests the object ‘o’ with label (s2,R2,W2) to be downgraded to label (s3,R3,W3) if s1∈R2 and s1=s2=s3 and W1=W2=W3 and R1=R2 and R3
    Figure US20160357953A1-20161208-P00001
    R2 and R3-R2
    Figure US20160357953A1-20161208-P00002
    W2; allowing access when the subject ‘s’ with label (s1,R1,W1) requests the object ‘o’ with label (s2,R2,W2) to be relabelled with (s3,R3,W3) if s1∈R2 and s1=s2=s3 and W2
    Figure US20160357953A1-20161208-P00002
    W1 and W3=W1∪{s} and R2
    Figure US20160357953A1-20161208-P00001
    R1
    Figure US20160357953A1-20161208-P00001
    R3.
  • According to yet another aspect in the method of securing information flow in a information system, the allowing reading access simultaneously changes the label of ‘s’ to (s1,R1∩R2,W1∪W2).
  • In accordance with another aspect of the one or more embodiments of the invention there is provided a computer readable medium embodying computer implemented method for securing information flow in an operating system comprising: a runtime monitor for intercepting calls to system library of the operating system by all applications; a system-state information component for containing the labels associated with the subjects and the objects in the operating system; a state transformation rules component for encoding permissible state transformation rules regarding the levels during the object creation, modification and verification of the subject labels during the object access.
  • According to another aspect, the computer readable medium embodying computer implemented method for securing information flow in an operating system comprises rule engine in the state transformation rules component accepts levels of subjects and objects and determines if access is to be granted or denied.
  • According to yet another aspect in the computer readable medium embodying computer implemented method for securing information flow in an operating system, the runtime monitor intercepts the request, identifies s, o, operation requested, and any other parameters, fetches λ(s) and λ(o) from the system-state information, passes s, o, operation requested with any parameters, λ(s) and λ(o) to the state transformation rules component and receives the result of access request granting or denial and responds to the application appropriately, here λ is S∪O→L labelling function that returns the current label of entity, and S is set of the subjects in the operating system, O is set of the objects in the operating system.
  • According to another aspect, the method for securing information flow in an operating system by involving the computer readable medium embodying the computer implemented method for securing information flow in an operating system, includes: intercepting subject's request call to the system library by involving the runtime monitor and seeking the labels of the subject making the request and the object for which the request is made from the system-state information component; forwarding the request with the labels of the subjects requesting access and the object to the state transformation rules component on receiving the labels desired from the system-state information component; checking state transformation rules based on the labels in the state transformation rules component for determining allowance of the access request; changing in the system-state information component if the decision is to allow request, and if the operation is either create or read or administrative and thereby forwarding result of request in the form of allow or deny to the runtime monitor by involving the system-state information component; forwarding the call together with parameter list to the system library call handler for processing the call and returns the result to the subjects on allowing the requests; and returning an error message to the subjects if the request is denied by involving the runtime monitor.
  • According to another aspect in the method for securing information flow in an operating system by involving the computer readable medium embodying the computer implemented method for securing information flow in an operating system, the checking State transformation rules based on the labels in the state transformation rules component for determining allowance of the access request includes: allowing access when the subject ‘s’ with label (s1,R1,W1) requests read access to the object ‘o’ with label (s2,R2,W2) and if s1∈R2; allowing access when the subject ‘s’ with label (s1,R1,W1) requests write access to the object ‘o’ with label (s2,R2,W2) and if s1∈W2 and R1
    Figure US20160357953A1-20161208-P00001
    R2 and W1
    Figure US20160357953A1-20161208-P00002
    W2; allowing access when the subject ‘s’ with label (s,R,W) requests creation of the object and creating the object ‘o’ with label (s,R,W∪{s}); allowing access when the subject ‘s’ with label (s1,R1,W1) requests the object ‘o’ with label (s2,R2,W2) to be downgraded to label (s3,R3,W3) if s1∈R2 and s1=s2=s3 and W1=W2=W3 and R1=R2 and R3
    Figure US20160357953A1-20161208-P00001
    R2 and R3-R2
    Figure US20160357953A1-20161208-P00002
    W2; allowing access when the subject ‘s’ with label (s1,R1,W1) requests the object ‘o’ with label (s2,R2,W2) to be relabelled with (s3,R3,W3) if s1∈R2 and s1=s2=s3 and W2
    Figure US20160357953A1-20161208-P00002
    W1 and W3=W1∪{s} and R2
    Figure US20160357953A1-20161208-P00001
    R1
    Figure US20160357953A1-20161208-P00001
    R3.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 shows a preferred architecture of a security monitoring in an information system involving RWFM in accordance with an embodiment of the invention.
  • FIG. 2 shows a preferred architecture for securing operating systems using RWFM in accordance with an embodiment of the invention.
    •  DETAILED DESCRIPTION
  • A summary of the drawbacks of two prominent label models is presented in the table below, also indicating what would be desirable in the ideal scenario.
  • DLM DC Ideal
    Confidentiality only Readers only Readers Readers and
    Writers
    Integrity only Writers only Writers Readers and
    Writers
    Downgrading Purely Purely Consistent with
    (DAC) discretionary discretionary IFC (MAC)
    Ownership Explicit Implicit Explicit
    Authority Orthogonal Orthogonal Explicit in the
    to the label to the label label
    Principal hierarchy Orthogonal Orthogonal Embedded
    and Delegation to the label to the label in the label
    Bi-directional flow Difficult Difficult Simple and
    Accurate
    Ease of use Moderate Moderate Easy
    Label size Moderate to Large Small
    Large
    No. of labels Large Large Small
    (as required
    by the
    application)
  • Thus, there has been a need for developing a label system and an information flow model for decentralized information flow control which will consider both the readers and writers of information for a proper tracking of any flow property and effectively secure information flow in multilevel security and privacy domains.
  • It is thus the basic object of the invention is to develop a method for securing information flow in an information system which would be adapted to consider both the readers and writers of information for a proper tracking of any information flow property and effectively secure the information flow.
  • Another object of the invention is to develop a method for securing information flow in an information system which would be adapted to enable intuitive specification of security policies in the information flow and supports the discretionary controls required for practical applications in a manner so as to preserve the mandatory nature of the information flow control.
  • Yet another object of the invention is to develop a method for securing information flow in an information system which would be adapted to provide succinct information flow control across the stakeholders of the system consisting of various subjects and objects that are distributed system wide, through the basic actions of read and write of the information.
  • A still further object of the invention is to develop a method for securing information flow which would be application independent and adapted to implement in any operating system to secure the information flow to the different stakeholders of the system.
  • The one or more embodiments disclose a novel information flow securing method based on Readers-Writers Flow Model (herein referred as RWFM) for decentralized information flow control taking into account both the readers and writers of information, which is essential for a proper tracking of any information flow property and securing the information flow in an information system or Information Technology infrastructure. The method proposes a labeling technique which enables intuitive specification of policies, and supports the discretionary controls required for practical applications in a manner so as to preserve the mandatory nature of the information flow control. The method is adapted to be implemented as a computer program product embodied on a computer-readable medium.
  • The basic architecture of the information flow securing in an information system using the RWFM based information flow securing method is illustrated in the accompanying FIG. 1.
  • As shown in the FIG. 1, the information flow securing in accordance with the RWFM based securing method basically includes Information-Flow Monitor (A), System-state Information (B) and State Transformation Rules component (C).
  • The method for securing the information flow in the information system starts with the Information-Flow Monitor (A) which intercepts the access requests to resources or information in the information system by all applications running in the information system for enforcing access control to the information system as per the access rules encoded in the rule engine. The System-state Information component (B) is a certificate database that stores state information having privileges or labels which are intuitively assigned to both the resources and the applications along with unique identifiers for the resources and the applications themselves. The entire state information of the monitor is maintained by the certificate database. This database is modified by a rule engine during resource creation or during administrative action. State Transformation Rule component is the rules engine that encodes the permissible state transformations or the access rules regarding application of privileges or levels during resource creation/modification and verification of application privileges during resource access. The rule engine accepts as inputs privileges or levels of applications and resources and determines if access is to be granted or denied. It defines the dynamic behaviour of the system.
  • Information-flow monitor intercepts all access requests, and seeks from system-state information about the labels of the application making a request and the resource for which the request is made. Then system-state information component provides the labels desired by the monitor. Information-flow monitor combines the application making the access request and the resource for which the access request is made with their respective labels forwards them to the state transformation rules component.
  • State transformation rules component checks the allowance of the access request based on comparing of the label corresponding to the application making the access request and the label corresponding to the resource for which the access request is made by involving the rule engine and if the decision is to allow request, and if the operation is either create or read or the application is administrative, this component makes appropriate changes to the system-state information component.
  • State transformation rules component returns the result of request in the form of allow/deny to the runtime monitor. If the request is allowed, information-flow monitor simply forwards the request to the resource manager; else it returns an error message to the application.
  • Referring now to FIG. 2, which is illustrating a preferred architecture for securing the flow of information in an operating system running in a computing platform by using the RWFM based method. As shown in the referred figure, the Runtime Monitor (1) intercepts the calls to system library (herein referred as libc) of the operating system by all processes for enforcing access control to files on the system as per the rules encoded in the rule engine.
  • Since all user process' access to file system (running Linux OS variant) goes through the libc, it is sufficient to intercept these library calls to implement cooperative access control. One could move the access control layer within the kernel layer by intercepting system calls to make the system more secure.
  • The System-state Information component (2) contains the privileges or labels associated with all subjects and objects in the operating system. Herein the subjects refer to the active entities whose actions cause the information to flow and the objects refer to the passive entities containing the information.
  • The State Transformation Rules component (3) encodes the permissible state transformations rules regarding application of privileges or levels during object creation/modification and verification of subject privileges during object access. The rule engine in the State Transformation Rules component (3) accepts as inputs privileges levels of subjects and objects and determines if access is to be granted or denied. It defines the dynamic behavior of the system.
  • The entire state information of the system which is maintained in the certificate database of the System-state Information component (2) is also modified by the rule engine during object creation or during administrative action.
  • During the operation, when application or any subject makes call to a libc routine, the call is intercepted by the runtime monitor. Then, the runtime monitor seeks from system-state information component about the labels of the application or subject making a request and the object for which the request is made. The System-state information component provides the labels desired by the runtime monitor. The Runtime monitor then forwards the operation requested together with the labels of the application or subjects requesting access and the object to state transformation rules component. State transformation rules then are checked based on the labels in the state transformation rules component and if the decision is to allow request, and if the operation is either create or read or the application is administrative, this component makes appropriate changes to the system-state information component. The State transformation rules component returns the result of request in the form of allow/deny to the runtime monitor.
  • If the request is allowed, runtime monitor simply forwards the libc call together with the parameter list to the libc call handler and the libc call handler processes the call and returns the result to the application or subjects. If the request is denied, then the runtime monitor returns an error message to the application.
  • The labels explicitly identify possible readers and writers of the information and can be automatically inferred from the natural language specifications. The RWFM based information flow securing method is application independent and can be applied to study any information flow property (confidentiality, integrity, privacy etc.). The method of the invention provides a clean semantics of information flow; combines well with DAC and also supports information downgrading (declassifying) and relabelling. It further provides a clean executional model to realize the multi-level security systems for which checking compliance with respect to security and privacy will become natural.
  • For securing an information system using RWFM, the first step is to specify the desired security policy. This is achieved by assigning labels to all the subjects and all the objects in the information system depending on the application requirements.
  • The set of labels in RWFM is given by S×2S×2S, where S denotes the set of subjects in the information system and 2s denotes the set of subsets of S, and ‘×’ denotes Cartesian product. In the label assigned to a subject, the first component of the label denotes authority. The second component denotes the set of subjects that can be influenced i.e. the set of readers of the information contained in an object which is accessed by the said subject. The third component denotes the set of subjects that have influenced i.e. the set of writers of the information contained in an object which is accessed by the said subject. In the label assigned to an object, the first component of the label denotes ownership. The second component denotes the set of subjects that can be influenced i.e. the set of readers of the information contained in the object. The third component denotes the set of subjects that have influenced i.e. the set of writers of the information contained in the object.
  • An exemplary labeling of the subjects and objects are as follows:
    • S: set of subjects in the system
    • O: set of objects in the system
    • λ: S∪O→L: labelling function that returns the current label of an entity
    • A: L→S: function that returns the first (administration) component of a label
    • R: L→2S: function that returns the second (readers) component of a label
    • W: L→2S: function that returns the third (writers) component of a label
  • Labels for objects are mostly static and are assigned at creation/initiation. However, in the case of subjects, labels are mostly dynamic. The security policy specifies the lowest (default label) and highest (clearance) labels for each subject. Each execution of a subject starts with its default label, and its label is permitted to float up (as it consumes more information) so long as it remains below its clearance. In the case of method, the default label of a subject ‘s’ is set to (s,S,Ø) while its clearance is set to (s,{s},S). However, depending on the application requirements these may be set more tightly. In fact, the lowest and the highest permissible labels of a subject can be automatically derived from the object labels. Without loss of generality, the lowest label (default) and the highest label(clearance) for a subject s can be fixed to be (s,S,{ }) and (s,{s},S) respectively, where S is the set of all the subjects in the system.
  • The RWFM supports the following five operations: Read, Write, Create, Downgrade and Relabel by using specific access rules.
  • During reading of the information in the information system which is secured by the RWFM, when a subject ‘s’ with label (s1,R1,W1) requests read access to an object ‘o’ with label (s2,R2,W2), if s1∈R2, then the label of ‘s’ is changed to (s1,R1∩R2,W1∪W2) and the access is allowed, otherwise access is denied. This results in a state change.
  • During writing of the information in the information system which is secured by the RWFM, when a subject ‘s’ with label (s1,R1,W1) requests write access to an object ‘o’ with label (s2,R2,W2), if s1∈W2 and R1
    Figure US20160357953A1-20161208-P00001
    R2 and W1
    Figure US20160357953A1-20161208-P00002
    W2, then access is allowed, otherwise access is denied. This never results in a state change.
  • During creating of the information in the information system which is secured by the RWFM,_when a subject ‘s’ with label (s,R,W) requests creation of an object ‘o’, an object is created and labelled it as (s,R,W∪{s}). This is a new object, ‘o’, together with its label are added to the system, thus, changing the state of the system.
  • During downgrading in the information system which is secured by the RWFM, when a subject ‘s’ with label (s1,R1,W1) requests an object ‘o’ with label (s2,R2,W2) to be downgraded to label (s3,R3,W3), if s1∈R2 and s1=s2=s3 and W1=W2=W3 and R1=R2 and R3
    Figure US20160357953A1-20161208-P00001
    R2 and R3-R2
    Figure US20160357953A1-20161208-P00002
    W2, then access is allowed, otherwise access is denied. The label of ‘o’ may change in this case.
  • During relabeling in the information system which is secured by the RWFM, when a subject ‘s’ with label (s1,R1,W1) requests an object ‘o’ with label (s2,R2,W2) to be relabelled with (s3,R3,W3), if s1∈R2 and s1=s2=s3 and W2
    Figure US20160357953A1-20161208-P00002
    W1 and W3=W1∪{s} and R2
    Figure US20160357953A1-20161208-P00001
    R1
    Figure US20160357953A1-20161208-P00001
    R3, then access is allowed, otherwise access is denied.
  • The algorithm for the access rules are as follows
  • Access rule for read:
  •
    Subject s ∈ S requests read access to object o ∈ O
    if (s ∈ R(λ(o))) then
         a = A(λ(s))
         r = R(λ(s))∩R(λ(o))
         w = W(λ(s))∪W(λ(o))
         λ(s) = (a,r,w)
         ALLOW
    else
         DENY
  • Access rule for write:
  •
    Subject s ∈ S requests write access to object o ∈ O
    if (s ∈ W(λ(o)) 
    Figure US20160357953A1-20161208-P00003
     R(λ(s)) 
    Figure US20160357953A1-20161208-P00004
     R(λ(o)) 
    Figure US20160357953A1-20161208-P00003
     W(λ(s)) 
    Figure US20160357953A1-20161208-P00005
     W(λ(o))) then
         ALLOW
    else
         DENY
  • Access rule for create:
  •
    Subject s ∈ S requests creation of an object
    new object o
    O = O ∪ {o}
    a = s
    r = R(λ(s))
    w = W(λ(s)) ∪ {s}
    λ(o) = (a,r,w)
  • Access rule for downgrade:
  •
    Subject s ∈ S requests to downgrade object o ∈ O to (a,r,w)
    if (a=A(λ(s))=A(λ(o)) 
    Figure US20160357953A1-20161208-P00003
     w=W(λ(s))=W(λ(o)) 
    Figure US20160357953A1-20161208-P00003
     R(λ(s))=
    R(λ(o)) 
    Figure US20160357953A1-20161208-P00003
     s ∈ R(λ(o)) 
    Figure US20160357953A1-20161208-P00003
     (W(λ(o))={s} 
    Figure US20160357953A1-20161208-P00006
     (r 
    Figure US20160357953A1-20161208-P00004
     R(λ(o)) 
    Figure US20160357953A1-20161208-P00003
     r-R(λ(o)) 
    Figure US20160357953A1-20161208-P00005
    W(λ(o))))) then
         λ(o) = (a,r,w)
         ALLOW
    else
         DENY
  • Access rule for relabel:
  •
    Subject s ∈ S requests to relabel object o ∈ O with (a,r,w)
    if (a=A(λ(s))=A(λ(o)) 
    Figure US20160357953A1-20161208-P00003
     W(λ(s)) 
    Figure US20160357953A1-20161208-P00004
     W(λ(o)) 
    Figure US20160357953A1-20161208-P00003
     R(λ(s)) 
    Figure US20160357953A1-20161208-P00005
     R(λ(o)) 
    Figure US20160357953A1-20161208-P00003
    s ∈ R(λ(o)) 
    Figure US20160357953A1-20161208-P00003
     =W(λ(s))∪{s} 
    Figure US20160357953A1-20161208-P00003
     r 
    Figure US20160357953A1-20161208-P00005
     R(λ(s))) then
         λ(o) = (a,r,w)
         ALLOW
    else
         DENY
  • With reference to the algorithm of the access rule described herein before, the RWFM operates as follows to secure the operating systems
  • System-state information component stores S, O, λ
  • Runtime monitor intercepts the request, identifies s, o, operation requested, and any other parameters, fetches λ(s) and λ(o) from the system-state information, passes s, o, operation requested with any parameters, λ(s) and λ(o) to the state transformation rules component and receives the result of request and responds to the application appropriately.
  • State transformation rules component performs the access checks given in the algorithm, updates the system-state information component, if any and returns the result of request (ALLOW/DENY) to the run-time monitor.
  • Therefore from the perspective of performance of an implementation, RWFM provides simple label management and efficient checking of information flow. RWFM supports a simple floating label system for subjects, that is useful for supporting the principle of least privilege and enables incompatible operations to be performed by a user in isolated sessions. RWFM provides a complete label system in the sense that, any information flow property that can be reasoned with Denning's model can be simulated in RWFM. Further, for a given information flow policy, RWFM provides the smallest set of labels with which the policy can be defined. RWFM makes it easy to reason about information flows not only between a subject and an object but also between any two entities (subject/object). Thus, the relations between the entities in an information system are made explicit by RWFM, which makes it amenable for easy policy verification/validation and compliance checking.
  • RWFM has been successfully applied for modelling real-world end-to-end security requirements like isolation of processes in operating systems, and interactions amongst the stakeholders in network and web protocols etc and it has been found that RWFM approach to protocol specification unambiguously identifies the origin, intended destination and the purpose of a message.
  • The RWFM based information flow securing method has been applied in a medical information system. In medical information system, a patient information file is need to be accessed by different stakeholders of the medical information system such as hospital authority, doctors or nurses etc. However, for privacy reasons, any patient may have the following requirements or restriction on the information:
  • accessible to no one other than himself, the hospital, doctor and the nurse
  • not influenced by anyone other than himself and the doctor
  • This means that, the patient wishes that this information not be disclosed to entities like marketing agencies, drug manufacturers, pharmacies etc who are also stakeholders in a medical information system. On application of RWFM, the above privacy policy specified by the patient is expressed by labeling the patient information as (P,{P,H,D,N},{P,D}), where P: patient, H: hospital, D: doctor and N:nurse. This label indicates first component is P so it is owned by the patient. The second component of the label is {P,H,D,N} so the information is only readable by the patient, hospital, doctor and nurse. The third component of the label is {P,D} so the patient and the doctor has writing access. Therefore, the access rule of the RWFM will prevent this labeled information flow towards a subject other than P, H, D and N.
  • This example clearly demonstrates that RWFM policies are intuitive and simple. The RWFM based information flow securing method also prevents practically exploitable vulnerabilities in the EMV protocol (Chip-and-Pin). In particular, vulnerabilities of the EMV protocol reported in literature exploit the fact that there is no way to accurately identify all the stakeholders that influenced a message in the transaction. With the involvement of the RWFM approach, the label of each message in every transaction clearly identifies: (i) the sender of the message, (ii) the stakeholders for whom the message is intended i.e., the permissible readers of the message, and (iii) all the stakeholders that have influenced the message. This enables the stakeholder receiving a message to decide an appropriate response based on its label and the trust relationships.
  • For example, one of the reported vulnerabilities works as follows: the attacker obtains an authorization certificate from a legitimate transaction on a compromised device, and uses it to perform an illegal transaction on a genuine device. If RWFM model was used, this vulnerability would not have existed, because the message sent in the illegal transaction would have had both the genuine device and the compromised device as the stakeholders that influenced it. Upon receiving the message, the bank can immediately identify the problem and respond with a failure/error message.
  • Thus, the one or more embodiments of the invention provide a unified information securing method, including the problems addressed by the present state of art. Having thus described the invention of the present application in detail and by reference to the one or more embodiments thereof, it will be apparent that modifications and variations are possible without departing from the scope of the invention defined in the appended claims.

Claims (16)

We claim:
1. A method of securing information flow in an information system comprising:
intercepting access requests to information in the information system by all applications running in the information system;
intuitively assigning labels to all the information and the applications depending on the application requirements constituting state information;
combining the application making the access request and the information for which the access request is made with their respective labels;
checking allowance of the access request based on comparison of the label corresponding to the application making the access request and the label corresponding to the information for which the access request is made; and
accordingly providing access of the information to the application on detection of allowable access request else denying the access request.
2. The method of claim 1, wherein the state information appropriately changed on allowable access request and if operation corresponding to the access request is either creating or reading of the information or administrative.
3. The method of claim 1, wherein the assigning the labels to all the information and the applications depending on the application requirements includes assigning the labels to all subjects corresponds to active entities whose actions cause information to flow and all objects corresponds to passive entities containing the information in the said information system.
4. The method of claim 1, wherein the label assigned to the subject comprises:
a first component for denoting authority;
a second component for denoting set of subjects that can be influenced indicating set of readers of the information contained in the object which is accessed by the said subject; and
a third component for denoting set of subjects that have influenced indicating set of writers of the information contained in the object which is accessed by the said subject.
5. The method of claim 1, wherein the label assigned to the object comprises:
a first component for denoting ownership;
a second component for denoting set of subjects that can be influenced indicating set of readers of the information contained in said object; and
a third component for denoting set of subjects that have influenced indicating set of writers of the information contained in said object.
6. The method of claim 1, wherein the label assigned to the subject and the object are defined as (A,R,W) where A is a function denoting the first (administration) component of the label, R is a function denoting the second (readers) component of the label, W is a function denoting the third (writers) component of a label.
7. The method of claim 4, wherein the label assigned to the subjects are mostly dynamic and includes lowest or default label and highest or clearance label.
8. The method of claim 5, wherein the label assigned to the objects are mostly static and are assigned at creation/initiation.
9. The method of claim 7, the lowest label of the subject s is set to (s,S,{ }) while its highest label is set to (s,{s},S), wherein the lowest and the highest labels of the subject can be automatically derived from the object labels, S is the set of all the subjects in the information system.
10. The method of claim 1, wherein the comparison of the label corresponding to the subject making the access request and the label corresponding to the object for which the access request is made and therefrom allowing the access request includes:
allowing access when the subject ‘s’ with label (s1,R1,W1) requests read access to the object ‘o’ with label (s2,R2,W2) and if s1∈R2;
allowing access when the subject ‘s’ with label (s1,R1,W1) requests write access to the object ‘o’ with label (s2,R2,W2) and if s1∈W2 and R1
Figure US20160357953A1-20161208-P00007
R2 and W1
Figure US20160357953A1-20161208-P00008
W2;
allowing access when the subject ‘s’ with label (s,R,W) requests creation of the object and creating the object ‘o’ with label (s,R,W∪{s}).
allowing access when the subject ‘s’ with label (s1,R1,W1) requests the object ‘o’ with label (s2,R2,W2) to be downgraded to label (s3,R3,W3) if s1∈R2 and s1=s2=s3 and W1=W2=W3 and R1=R2 and R3
Figure US20160357953A1-20161208-P00007
R2 and R3-R2
Figure US20160357953A1-20161208-P00008
W2; and
allowing access when the subject ‘s’ with label (s1,R1,W1) requests the object ‘o’ with label (s2,R2,W2) to be relabelled with (s3,R3,W3) if s1∈R2 and s1=s2=s3 and W2
Figure US20160357953A1-20161208-P00008
W1 and W3=W1∪{s} and R2
Figure US20160357953A1-20161208-P00007
R1
Figure US20160357953A1-20161208-P00007
R3.
11. The method of claim 10, wherein the allowing reading access simultaneously change the label of ‘s’ to (s1,R1∩R2,W1∪W2).
12. A computer readable medium embodying computer implemented method for securing information flow in an operating system comprising:
a runtime monitor for intercepting calls to system library of the operating system by all application;
a system-state information component for containing the labels associated with the subjects and the objects in the operating system;
a state transformation rules component for encoding permissible state transformations rules regarding the levels during the object creation, modification and verification of the subject labels during the object access.
13. The computer readable medium of claim 12, comprising a rule engine in the state transformation rules component to accept levels of subjects and objects and determine if access is to be granted or denied.
14. The computer readable medium of claim 13, wherein the runtime monitor intercepts the request, identifies s, o, operation requested, and any other parameters, fetches λ(s) and λ(o) from the system-state information, passes s, o, operation requested with any parameters, λ(s) and λ(o) to the state transformation rules component and receives the result of access request granting or denial and responds to the application appropriately, here λ is S∪O→L labelling function that returns the current label of entity, and S is set of the subjects in the operating system, O is set of the objects in the operating system.
15. A method for securing information flow in an operating system by involving the computer readable medium embodying the computer implemented method for securing information flow in an operating system of claim 12, comprising:
intercepting subject's request call to the system library by involving the runtime monitor and seeking the labels of the subject making the request and the object for which the request is made from the system-state information component;
forwarding the request with the labels of the subjects requesting access and the object to the state transformation rules component on receiving the labels desired form the system-state information component;
checking state transformation rules based on the labels in the state transformation rules component for determining allowance of the access request;
changing in the system-state information component if the decision is to allow request, and if the operation is either create or read or administrative and thereby forwarding result of request in the form of allow or deny to the runtime monitor by involving the system-state information component;
forwarding the call together with parameter list to the system library call handler for processing the call and returns the result to the subjects on allowing the requests; and
returning an error message to the subjects if the request is denied by involving the runtime monitor.
16. A method for securing information flow in an operating system by involving the computer readable medium embodying the computer implemented method for securing information flow in an operating system of claim 12, wherein the checking state transformation rules based on the labels in the state transformation rules component for determining allowance of the access request includes:
allowing access when the subject ‘s’ with label (s1,R1,W1) requests read access to the object ‘o’ with label (s2,R2,W2) and if s1∈R2;
allowing access when the subject ‘s’ with label (s1,R1,W1) requests write access to the object ‘o’ with label (s2,R2,W2) and if s1∈W2 and R1 R2 and W1 W2;
allowing access when the subject ‘s’ with label (s,R,W) requests creation of the object and creating the object ‘o’ with label (s,R,W∪{s}).
allowing access when the subject ‘s’ with label (s1,R1,W1) requests the object ‘o’ with label (s2,R2,W2) to be downgraded to label (s3,R3,W3) if s1∈R2 and s1=s2=s3 and W1=W2=W3 and R1=R2 and R3 R2 and R3-R2 W2; and
allowing access when the subject ‘s’ with label (s1,R1,W1) requests the object ‘o’ with label (s2,R2,W2) to be relabelled with (s3,R3,W3) if s1∈R2 and s1=s2=s3 and W2 W1 and W3=W1∪{s} and R2 R1 R3.
US14/733,285 2015-06-08 2015-06-08 Decentralized information flow securing method and system for multilevel security and privacy domains Active US9507929B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/733,285 US9507929B1 (en) 2015-06-08 2015-06-08 Decentralized information flow securing method and system for multilevel security and privacy domains

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US14/733,285 US9507929B1 (en) 2015-06-08 2015-06-08 Decentralized information flow securing method and system for multilevel security and privacy domains

Publications (2)

Publication Number Publication Date
US9507929B1 US9507929B1 (en) 2016-11-29
US20160357953A1 true US20160357953A1 (en) 2016-12-08

Family

ID=57352082

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/733,285 Active US9507929B1 (en) 2015-06-08 2015-06-08 Decentralized information flow securing method and system for multilevel security and privacy domains

Country Status (1)

Country Link
US (1) US9507929B1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10366244B2 (en) * 2015-06-09 2019-07-30 International Business Machines Corporation Performing an operation on sensitive data

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8438224B1 (en) * 2008-04-24 2013-05-07 Adobe Systems Incorporated Methods and systems for community-based content aggregation
US20120291106A1 (en) * 2010-01-19 2012-11-15 Nec Corporation Confidential information leakage prevention system, confidential information leakage prevention method, and confidential information leakage prevention program
US9378387B2 (en) * 2010-03-24 2016-06-28 Oracle International Corporation Multi-level security cluster
US9405923B2 (en) * 2011-09-29 2016-08-02 Red Hat, Inc. Establishing isolation between content hosting services executing on common support server
CN104025544B (en) * 2011-12-01 2017-05-24 日本电气方案创新株式会社 Sensitive information leakage prevention system, and sensitive information leakage prevention method
US9047463B2 (en) * 2012-06-29 2015-06-02 Sri International Method and system for protecting data flow at a mobile device
US9521280B2 (en) * 2013-12-04 2016-12-13 Hellermanntyton Corporation Systems and methods for display of regulatory information related to labeling
US20150188949A1 (en) * 2013-12-31 2015-07-02 Lookout, Inc. Cloud-based network security

Also Published As

Publication number Publication date
US9507929B1 (en) 2016-11-29

Similar Documents

Publication Publication Date Title
US6934758B2 (en) Stack-based access control using code and executor identifiers
CN102299914B (en) For enabling the trusted intermediary accessing control of Internet statement
US8051459B2 (en) Method and system for extending SELinux policy models and their enforcement
Abdunabi et al. Specification, validation, and enforcement of a generalized spatio-temporal role-based access control model
Singh et al. Big ideas paper: Policy-driven middleware for a legally-compliant Internet of Things
JP2011526387A (en) Granting least privilege access for computing processes
US9374377B2 (en) Mandatory protection control in virtual machines
CN105827645B (en) Method, equipment and system for access control
Birrell et al. SGX enforcement of use-based privacy
US8132261B1 (en) Distributed dynamic security capabilities with access controls
Rizvi et al. Interoperability of relationship-and role-based access control
Beznosov Engineering access control for distributed enterprise applications
Nauman et al. Remote attestation of attribute updates and information flows in a ucon system
US9507929B1 (en) Decentralized information flow securing method and system for multilevel security and privacy domains
Teigao et al. Applying a usage control model in an operating system kernel
Rosado et al. A study of security architectural patterns
BS et al. Towards unifying RBAC with information flow control
Kim et al. Building hybrid access control by configuring RBAC and MAC features
Franco et al. Security enhanced Linux to enforce mandatory access control in health information systems
Bijon Constraints for attribute based access control with application in cloud IaaS
Zhao et al. Modeling and checking the security of DIFC system configurations
Gamble et al. Security policy foundations in context UNITY
CN111400750B (en) Trusted measurement method and device based on access process judgment
Kedjar et al. The hybrid model for web services security access control and information flow control
Shyamasundar et al. Sechadoop: A privacy preserving hadoop

Legal Events

Date Code Title Description
AS Assignment

Owner name: TATA INSTITUTE OF FUNDAMENTAL RESEARCH, INDIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KUMAR, N.V. NARENDRA;SHYAMASUNDAR, R.K.;SIGNING DATES FROM 20150603 TO 20150604;REEL/FRAME:035803/0782

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4