A Minimal Trusted Computing Base for Dynamically Ensuring Secure Information Flow

With each passing year, more and more valuable, confidential information is stored in government and commercial computer systems. Ensuring the security of those computer systems is a challenge with social, political, and technological aspects; computer networks, however, make the technological aspects particularly important, because networked computer systems are exposed to assault from remote sites. Two critical components of the technological computer security problem are access control and data dissemination control. Access control mechanisms prevent unauthorized parties from accessing (e.g. reading, modifying, or executing) confidential data or programs. Data dissemination control mechanisms prevent confidential data from being exposed to unauthorized parties, either by accident or through malicious code that has gained read access to the data; e.g. a malicious or erroneous program should never be able to read a “Top Secret” value and write it out as an “Unclassified” result. In this memo we present two contributions addressing the problem of controlling data dissemination, also known as ensuring secure information flow. First, we present a sound, flexible model which dynamically ensures secure data flow with respect to a lattice-based information flow policy, with security classification on a per-word basis. Second, we present a set of hardware mechanisms, most notably the Hash Execution (HEX) unit, which enable the practical implementation of our model. We believe that recent trends in logic and memory density and costs make the architectural overhead of our mechanisms small, and that they are more than offset by the significant benefits they bring to system security. Our dynamic strategy has several advantages over static (compile-time) verification of secure information flow. It
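The abstract describes the two ideas that a dynamic, lattice-based scheme with per-word labels rests on: every value carries its own classification, labels combine by the lattice join as values are combined, and a write is refused when the data's label does not flow to the destination's clearance (the "Top Secret" value written as an "Unclassified" result). The following is an added illustration written for this page, not the paper's model and not the HEX unit. It assumes a simplified semantics of its own: memory words have floating labels that take on the label of whatever is stored in them, output channels have a fixed clearance that is checked on every write, and a control-flow context label (not mentioned in the abstract) is kept so that a store performed under a secret-dependent branch is also labelled secret. The labels, memory contents, and channel names are constructed sample data.

```python
# Added illustration for this page: a toy dynamic information-flow monitor in
# the style of Denning's lattice model. Not the paper's model or HEX unit;
# the machine semantics below are assumptions made for the example.
from dataclasses import dataclass
from typing import Callable, Dict

LEVELS = ("Unclassified", "Confidential", "Secret", "Top Secret")

@dataclass(frozen=True)
class Label:
    """Point in a product lattice: linear level x set of compartments."""
    level: int                        # index into LEVELS
    compartments: frozenset = frozenset()

    def flows_to(self, other: "Label") -> bool:
        # Lattice order: data labelled self may flow to a container labelled other.
        return self.level <= other.level and self.compartments <= other.compartments

    def join(self, other: "Label") -> "Label":
        # Least upper bound: label of anything computed from both inputs.
        return Label(max(self.level, other.level), self.compartments | other.compartments)

    def __str__(self) -> str:
        tags = ",".join(sorted(self.compartments))
        return LEVELS[self.level] + (f"[{tags}]" if tags else "")

BOTTOM = Label(0)

@dataclass(frozen=True)
class Word:
    value: int
    label: Label            # per-word classification travels with the value

class FlowViolation(Exception):
    pass

class Monitor:
    """Label tracking for a tiny register machine (assumed semantics)."""

    def __init__(self, memory: Dict[str, Word], channels: Dict[str, Label]):
        self.mem = dict(memory)                  # each word carries its own label
        self.channels = channels                 # output sinks with a fixed clearance
        self.out: Dict[str, list] = {c: [] for c in channels}
        self.pc = BOTTOM                         # label of the control-flow context

    def load(self, name: str) -> Word:
        return self.mem[name]

    def alu(self, op: Callable[[int, int], int], a: Word, b: Word) -> Word:
        # Result depends on both operands and on the branch context.
        return Word(op(a.value, b.value), a.label.join(b.label).join(self.pc))

    def store(self, name: str, w: Word) -> None:
        # Floating label: the destination word takes on the incoming data's label.
        self.mem[name] = Word(w.value, w.label.join(self.pc))

    def branch(self, cond: Word, then: Callable[[], None]) -> None:
        # Implicit flow: work done under the branch inherits the condition's label.
        saved, self.pc = self.pc, self.pc.join(cond.label)
        try:
            if cond.value:
                then()
        finally:
            self.pc = saved

    def output(self, channel: str, w: Word) -> None:
        # Fixed-clearance sink: here a "Top Secret" value written as an
        # "Unclassified" result is refused.
        src = w.label.join(self.pc)
        if not src.flows_to(self.channels[channel]):
            raise FlowViolation(f"{src} data cannot go to {channel}")
        self.out[channel].append(w.value)

def demo() -> dict:
    """Runs a few flows on constructed data; returns what was allowed or denied."""
    TS = Label(3, frozenset({"NUCLEAR"}))
    m = Monitor(memory={"secret": Word(42, TS), "public": Word(7, BOTTOM), "tmp": Word(0, BOTTOM)},
                channels={"printer_unclass": BOTTOM, "printer_ts": TS})
    r = {}
    # 1. Unclassified arithmetic may reach the unclassified printer.
    m.output("printer_unclass", m.alu(int.__add__, m.load("public"), m.load("public")))
    r["public_out"] = "allowed"
    # 2. Explicit flow: secret + public is labelled Top Secret[NUCLEAR] and is stopped.
    m.store("tmp", m.alu(int.__add__, m.load("secret"), m.load("public")))
    r["tmp_label"] = str(m.load("tmp").label)
    try:
        m.output("printer_unclass", m.load("tmp"))
        r["laundered"] = "allowed"
    except FlowViolation:
        r["laundered"] = "denied"
    # 3. Implicit flow: storing a constant under a secret-dependent branch.
    m.branch(m.load("secret"), lambda: m.store("tmp", Word(1, BOTTOM)))
    r["implicit_label"] = str(m.load("tmp").label)
    m.output("printer_ts", m.load("tmp"))          # but the Top Secret printer accepts it
    r["ts_out"] = "allowed"
    return r
```

Calling `demo()` shows the three cases the abstract cares about: a purely unclassified computation reaches the unclassified sink, a value derived from a Top Secret word is stopped at that sink even after passing through memory, and a constant stored under a branch on a secret is itself relabelled so the branch cannot be used to launder one bit at a time. The check happens at the sink rather than at every store because memory labels float; a design with fixed labels on memory words would move the same `flows_to` test into `store`.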
