
Information-theoretical models

Updated 14.02.2024 06:19

One of the most intractable security problems in information systems, including those based on mandatory access control models, is the problem of covert channels (hidden channels of information leakage).

A covert channel is a mechanism by which an information flow (a transfer of information) between entities of the system can take place while bypassing the access control policy.

Examples of covert channels include the flows arising from "Trojan" programs discussed earlier, and the implicit information flows that arise in systems based on discretionary models.

In mandatory access control systems, a covert channel is a mechanism by which information can be transferred from entities with a high security level to entities with a low security level without violating the NRU ("no read up") and NWD ("no write down") rules. In some cases information can be received or transmitted without any direct read/write operations on objects at all, in particular by analysing certain processes and system parameters. For example, if the NRU rule forbids reading a secret file but the file's size can still be "seen", then a high-level subject that changes the size of the secret file according to an agreed rule can thereby transmit secret information, in coded form, to a low-level subject.

Similarly, a high-level subject can transmit information through the number of secret files it creates or deletes: low-level subjects cannot read these files, but they can "see" that the files exist and can therefore count them.

Other ways of "secretly" transmitting information may be based on analysing the timing parameters of processes.

Covert channels can be divided into three types:

storage channels (based on the analysis of size and other static parameters of system objects);

timing channels (based on the analysis of timing parameters of system processes);

statistical channels (based on the analysis of statistical parameters of system processes).

Requirements for blocking and eliminating covert channels were first included in the specification of the protection levels of automated systems intended for processing information constituting a state secret in the United States (the "Orange Book").

The theoretical foundations of approaches to the covert channel problem were laid by D. Denning, who studied the principles of analysing data flows in programs and the principles of controlling shared resources. Building on Denning's ideas, J. Goguen and J. Meseguer proposed an information-theoretic approach based on the concepts of information non-deducibility and information non-interference.

The essence of this approach is the rejection of the view of an information system's operation as a deterministic process. In the finite-state models considered earlier (HRU, Take-Grant, Bell-LaPadula) it was assumed that the transition function, given a subject's request and the current state of the system, uniquely determines the next state. In a shared-access system (many users, many objects) the transitions, and hence the state of the system, are determined by a large number of very diverse factors, including random ones, which calls for the apparatus of probability theory to describe the system.

Under this approach the security policy requires a certain modification, and in particular a probability-theoretic interpretation of the operation of the system and of dangerous information flows:

1. The information system is considered as a pair of disjoint sets of entities:

the set of high-level objects H;

the set of low-level objects L.

That is, the information system is represented as a mandatory system whose lattice consists of only two security levels, high and low, which accordingly rules out ordinary (read/write) information flows "from top to bottom".

2. The state of every object is random. The concept of information non-deducibility rests on the following definition of a "dangerous" flow: there is an information flow in the system from high-level objects to low-level ones if some possible value of a state variable of a low-level object is impossible simultaneously with certain possible values of the state variables of high-level objects.

3. The criterion of information non-deducibility is then formulated as follows: the system is secure in the sense of information non-deducibility if it contains no information flows of the kind defined in clause 2.

Analysis of the non-deducibility criterion shows that its requirements are extremely stringent and are achievable, in particular, with complete isolation of high-level objects from low-level ones.

The requirement that high-level information not be deducible from the analysis of the states of low-level objects simultaneously implies the converse: low-level information cannot be deduced from the analysis of the states of high-level objects. This property is redundant and contradicts a basic tenet of the mandatory policy, namely that bottom-up flows from low-level entities to entities with a higher security level are harmless and permitted.

The other approach is based on the idea of information non-interference. Here the concept of a dangerous flow has the following meaning: there is an information flow in the system from high-level objects to low-level ones if the information (state) of the low-level objects depends on the information of the high-level objects. Non-interference therefore means that the state of high-level objects at the current moment is not affected by the state of low-level objects at the previous moment, and vice versa: objects of one level cannot influence the subsequent states of objects of the other level. Analysis of the operation of information systems shows that such requirements are extremely stringent and in fact coincide with the requirement of complete isolation of entities of different levels.

Although the concepts of information non-deducibility and information non-interference are not directly applicable to access control, they have served as the basis for two technologies widely used in modern information systems: views (representations) and permitted procedures. Historically, these technologies emerged as access control mechanisms in DBMSs.

A view (representation) of information in an information system is the procedure of forming and presenting to a user (after login and authentication) the subset of information objects that the user needs, possibly with quantitative and structural modification of those objects according to the access control requirements.

In view technologies, a user logging in and working in the system operates not on the real system but on a virtual system formed individually for each user. As a result, the access control task is solved automatically. Security problems are thereby reduced to covert channels, which are considered and neutralised on the basis of an analysis of the conditions and procedures that ensure the security criteria are met.

View technology solves the problem of covert channels of the first type (storage channels). Some channels of the second and third types are blocked by the technique of permitted procedures. A system of permitted procedures is a kind of system interface in which, after login, authenticated users are only allowed to launch and execute a finite set of logical and technological information processing procedures, without the possibility of applying elementary access methods (read, write, create, etc.) to the system's information objects. In systems with a permitted-procedures interface, therefore, users do not see information objects at all but perform operations at the level of logical procedures. For the users, the automated system thus becomes a discrete automaton that accepts commands at its input and issues processed information at its output.

Such a view of an information system was first considered by J. Goguen and J. Meseguer, who proposed an automaton model of information non-interference, the GM model.
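The storage channel described earlier (a high-level subject modulating the size or number of secret files that a low-level subject can count but not read), the two criteria of non-deducibility and non-interference, and the effect of a view on that channel can all be checked mechanically on a small automaton model. The following Python program is an added example; it is not from the original page and not Goguen and Meseguer's own formulation. The state variables, the four commands and the two observation functions are constructed for illustration, and both criteria are checked by brute force over every command sequence up to a fixed length.

```python
# Added example (not from the original page): a toy Goguen-Meseguer style
# automaton used to check non-interference and non-deducibility on
#   (a) a raw directory listing that exposes the number and size of secret files
#       to a low-level subject (the storage channel described in the text), and
#   (b) a view ("representation") that shows the low-level subject only its own
#       objects. All state variables and commands are constructed for illustration.
from itertools import product
from typing import Callable, Dict, Hashable, Iterable, List, Optional, Tuple

HIGH, LOW = "high", "low"
Command = Tuple[str, str]        # (security level of the issuing subject, command name)
State = Dict[str, int]
Observe = Callable[[State], Hashable]

INITIAL: State = {"secret_count": 0, "secret_bytes": 0, "low_bytes": 0}
COMMANDS: List[Command] = [(HIGH, "create_secret"), (HIGH, "grow_secret"),
                           (LOW, "write_low"), (LOW, "list")]


def step(state: State, cmd: Command) -> State:
    """Deterministic transition function shared by both systems."""
    level, name = cmd
    s = dict(state)
    if level == HIGH and name == "create_secret":
        s["secret_count"] += 1
        s["secret_bytes"] += 100
    elif level == HIGH and name == "grow_secret" and s["secret_count"] > 0:
        s["secret_bytes"] += 10          # the high subject changes a secret file's size
    elif level == LOW and name == "write_low":
        s["low_bytes"] += 1
    # "list", and grow_secret with no secret file, leave the state unchanged
    return s


def observe_raw(state: State) -> Hashable:
    """Raw listing: LOW cannot read secret files but sees how many exist and their size."""
    return (state["secret_count"], state["secret_bytes"], state["low_bytes"])


def observe_view(state: State) -> Hashable:
    """View: LOW is shown only the objects at its own level."""
    return (state["low_bytes"],)


def run(trace: Iterable[Command], observe: Observe) -> Hashable:
    """Execute a command sequence from INITIAL and return LOW's observation."""
    s = INITIAL
    for c in trace:
        s = step(s, c)
    return observe(s)


def purge(trace: Iterable[Command], level: str = LOW) -> Tuple[Command, ...]:
    """Keep only the commands issued by subjects of the given level."""
    return tuple(c for c in trace if c[0] == level)


def traces(max_len: int) -> Iterable[Tuple[Command, ...]]:
    """All command sequences of length 0..max_len over COMMANDS."""
    for n in range(max_len + 1):
        yield from product(COMMANDS, repeat=n)


def non_interference(observe: Observe, max_len: int = 4) -> Optional[Tuple[Command, ...]]:
    """GM non-interference: LOW must observe the same thing whether or not HIGH acted.
    Returns the first violating trace, or None if the property holds up to max_len."""
    for t in traces(max_len):
        if run(t, observe) != run(purge(t, LOW), observe):
            return t
    return None


def non_deducibility(observe: Observe, max_len: int = 4):
    """Non-deducibility: for a fixed sequence of LOW commands, every LOW observation
    must be compatible with every HIGH command sequence that can occur alongside it.
    Returns (low_trace, observation, excluded_high_trace) for a combination in which
    the observation rules out some HIGH behaviour, or None if the property holds."""
    compatible: Dict[Tuple[Command, ...], Dict[Hashable, set]] = {}
    all_high: Dict[Tuple[Command, ...], set] = {}
    for t in traces(max_len):
        lo, hi = purge(t, LOW), purge(t, HIGH)
        compatible.setdefault(lo, {}).setdefault(run(t, observe), set()).add(hi)
        all_high.setdefault(lo, set()).add(hi)
    for lo, by_obs in compatible.items():
        for obs, highs in by_obs.items():
            excluded = all_high[lo] - highs
            if excluded:
                return lo, obs, min(excluded, key=len)
    return None


if __name__ == "__main__":
    for name, observe in (("raw listing", observe_raw), ("view", observe_view)):
        print(f"{name}: non-interference violation = {non_interference(observe)}")
        print(f"{name}: non-deducibility violation  = {non_deducibility(observe)}")
```

Run as a script, the program reports the one-command trace `create_secret` as a non-interference violation for the raw listing and a low observation that excludes some high behaviour for non-deducibility, while the view passes both checks: the secret files still exist and change, but nothing the low-level subject can observe depends on them, which is what view technology achieves for storage channels. Timing and statistical channels are outside what this state-only model can capture, which is why the text assigns them to the permitted-procedures technique instead.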