lecture 1 page 1 cs 236, spring 2008 information flow tracking cs 236 advanced computer security...
TRANSCRIPT
![Page 1: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/1.jpg)
Lecture 1Page 1CS 236, Spring 2008
Information Flow TrackingCS 236
Advanced Computer Security Peter ReiherApril 8, 2008
![Page 2: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/2.jpg)
Lecture 1Page 2CS 236, Spring 2008
Groups for This Week
1. Kenneth Arthur, Vishwa Goudar, Chieh-Ning Lien
2. Golita Benoodi, Michael Hall, Jason Liu
3. Darrell Carbajal, Seongwan Han, Hootan Nikbakht
4. Andrew Castner, Zhen Huang, Ioannis Pefkianakis
5. Chia-Wei Chang, Abishek Jain, Peter Peterson
6. Chien-Chia Chen, Jihyoung Kim, Adam Stoelting
7. Dae-Ki Cho, Joseph Kulisics, Min-Hsieh Tsai
8. Michael Cohen, Nikolay Laptev, Peter Wu
9. Jih Chung Fan, Chen-Kuei Lee, Faraz Zahabian
![Page 3: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/3.jpg)
Lecture 1Page 3CS 236, Spring 2008
Outline
• The problem
• Different approaches
• Applying ideas to one system
![Page 4: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/4.jpg)
Lecture 1Page 4CS 236, Spring 2008
Information Flow Tracking
• Security policies shouldn’t really be applied to files
• They should be applied to the information in the files
• Which implies policies should travel with data
– As it goes from file to file
![Page 5: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/5.jpg)
Lecture 1Page 5CS 236, Spring 2008
For Example,The entire process is
tainted
So everything it writes is also
tainted
![Page 6: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/6.jpg)
Lecture 1Page 6CS 236, Spring 2008
Why Is This a Problem?
• Eventually, most restrictive policy applied to almost everything
• Most of it doesn’t actually need the policy
• The simplistic method of tracking information flow requires conservatism
![Page 7: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/7.jpg)
Lecture 1Page 7CS 236, Spring 2008
Was This Necessary?
• Probably not
• In most cases, the data written was not sensitive
– And thus didn’t need to have the sensitive policy applied
• But what else could you do?
![Page 8: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/8.jpg)
Lecture 1Page 8CS 236, Spring 2008
Core Idea• Follow information flow on a finer granularity
• A process that reads tainted data need not always write tainted data
• Somehow figure out which writes need this policy to be applied
–Using the finer granularity of tracking
![Page 9: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/9.jpg)
Lecture 1Page 9CS 236, Spring 2008
What’s Really Going On
Only important to track
where the tainted
data goes
Not where untainted data goes
![Page 10: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/10.jpg)
Lecture 1Page 10CS 236, Spring 2008
Possible Granularities• Processes
– Too big and expensive• Threads
– Typically share memory• Sub-process units
– Not available in most systems• Memory pages or addresses
– How?
![Page 11: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/11.jpg)
Lecture 1Page 11CS 236, Spring 2008
Approaches
• Language approaches
• Asbestos and HiStar
• Rifle
![Page 12: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/12.jpg)
Lecture 1Page 12CS 236, Spring 2008
Language Approaches
• Use data typing to propagate security labels through program
• Jif is one example language that does this
• Language can prohibit illegal flows
• Or simply ensure labels are propagated properly
![Page 13: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/13.jpg)
Lecture 1Page 13CS 236, Spring 2008
Advantages and Disadvantages
+Most costs paid at compile time
+Other forms of source code analysis possible
−Only works for programs written in that language
−Relies on correctness of compiler
−Hard to prove binary is correct
![Page 14: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/14.jpg)
Lecture 1Page 14CS 236, Spring 2008
Asbestos Approach• Use a sub-process abstraction
• The event process
– Process state belonging to a single user (user defined broadly)
• One process contains multiple event processes
• Process isolates each event process’ state from the others
![Page 15: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/15.jpg)
Lecture 1Page 15CS 236, Spring 2008
Conceptually,
![Page 16: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/16.jpg)
Lecture 1Page 16CS 236, Spring 2008
How It Really Works
• Base processes hold multiple event processes• Each event process has its own memory• Kernel schedules base process
– But transfers control and limits memory on event process basis
– Essentially, copy-on-write– Efficiency requires special programming
![Page 17: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/17.jpg)
Lecture 1Page 17CS 236, Spring 2008
Real Point of Asbestos
• Not so much tracking of data
– Though that’s necessary
• As enforcing that tainted data doesn’t go where it shouldn’t
• With such enforcement, can provide mandatory access control policies
![Page 18: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/18.jpg)
Lecture 1Page 18CS 236, Spring 2008
Practicalities of Asbestos
• Requires rewriting applications
– To use event process paradigm
• Built as a proof-of-concept system
• Not suitable for real-world use
– But applications doing real things demonstrated on Asbestos
![Page 19: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/19.jpg)
Lecture 1Page 19CS 236, Spring 2008
HiStar• Built using Asbestos data labeling methods
– Preventing information leakage
• Goal is to allow trusted applications with minimum trusted code
• Including minimum trusted kernel code
• Unlike Asbestos, includes Unix library
– But provides no new security
![Page 20: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/20.jpg)
Lecture 1Page 20CS 236, Spring 2008
HiStar and Code Wrapping
• HiStar can make old apps more secure– With some new design and a little new
wrapper code• Essentially, wrap existing code with new code
– Which enforces security restrictions• E.g., wrapping OpenVPN
– Required a few hundred lines of code
![Page 21: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/21.jpg)
Lecture 1Page 21CS 236, Spring 2008
Key Advantages of HiStar
• Over Asbestos
• Less trusted code
• Ability to wrap untrusted code with new code
– Gaining security advantages
– Thus, easier to work with legacy apps
![Page 22: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/22.jpg)
Lecture 1Page 22CS 236, Spring 2008
Rifle
• Asbestos and HiStar required new OS structure
– Limiting what could be run with them
– Getting new security required new applications
• Rifle takes a different approach
![Page 23: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/23.jpg)
Lecture 1Page 23CS 236, Spring 2008
The Rifle Approach
• Dynamic code rewriting• Take a standard executable• Attach security labels to data• As executable touches labeled data,
– Rewrite executable to copy labels• OS must still enforce policies• But rewritten code does label tracking
![Page 24: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/24.jpg)
Lecture 1Page 24CS 236, Spring 2008
Rifle In More Detail
• Tag memory with security label
– Preferably using new hardware
– But possible without it
• When tagged memory accessed by executable,
– Rewrite it to propagate tag
• If policy prohibits write, don’t do it
![Page 25: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/25.jpg)
Lecture 1Page 25CS 236, Spring 2008
Advantages of Rifle Approach
• Works on finer granularity
– Only truly prohibited flows are trapped
• No need to re-write or create new apps
![Page 26: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/26.jpg)
Lecture 1Page 26CS 236, Spring 2008
Disadvantages of Rifle Approach
• Probably more subject to covert channels
• Requires special hardware
– More precisely, good performance requires it
– Hardware not currently available
• Probably bigger performance penalty
![Page 27: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/27.jpg)
Lecture 1Page 27CS 236, Spring 2008
Rifle’s Special Hardware• Essentially tags for memory and registers
– To store security labels
• Augmented instructions
– To propagate security labels
– And combine multiple labels
– Otherwise, effects like ordinary counterparts
![Page 28: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/28.jpg)
Lecture 1Page 28CS 236, Spring 2008
Why Rewrite Code?
• Why not just use special hardware to move labels around?
• Because of implicit data flows
– Flows where the data divulged is not through an actual obvious assignments
![Page 29: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/29.jpg)
Lecture 1Page 29CS 236, Spring 2008
An Implicit Data Flow
B = false;
C = false;
if (!A)
C = true;
if (!C)
B = true;
print B;
![Page 30: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/30.jpg)
Lecture 1Page 30CS 236, Spring 2008
What’s the Problem?• What if the value of A is a secret?• If you execute this code and A is true, B is printed
as true– And printed as false, if A is false
• Could propagate labels as you do the assignments– Refuse to print B if it was “copied” from A– But you’ll only do that if A is true– Which will leak the information
![Page 31: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/31.jpg)
Lecture 1Page 31CS 236, Spring 2008
Solving the Problem
• Dynamically rewrite the code “as needed”
– On the fly, depending on actual execution
![Page 32: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/32.jpg)
Lecture 1Page 32CS 236, Spring 2008
An Example1 // Assume R[1] contains a
2 // b will be stored in R[2]
3 // c will be stored in R[3]
4 mov R[2] = 0
5 mov R[3] = 0
6 (R[1]) branch .L1
7 mov R[3] = 1
8 .L1: (R[3]) branch .L2
9 mov R[2] = 1
10 .L2: store [R[5]] = R[2]
![Page 33: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/33.jpg)
Lecture 1Page 33CS 236, Spring 2008
The Rewritten Code
1 // Assume R[1] contains a
2 // b will be stored in R[2]
3 // c will be stored in R[3]
4 mov R[2] = 0 5 mov R[3] = 0
6 mov S[1] = labelof(R[1])
7 (R[1]) branch .L1
8 <S[1]> mov R[3] = 1
9 .L1: <S[1]> mov S[3] = labelof(R[3])
10 (R[3]) branch .L2
11 <S[3]> mov R[2] = 1
12 .L2: <S[3]> store [R[5]] = R[2]
![Page 34: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/34.jpg)
Lecture 1Page 34CS 236, Spring 2008
What’s the Rewriting Done?1 // Assume R[1] contains a
2 // b will be stored in R[2]
3 // c will be stored in R[3]
4 mov R[2] = 0
5 mov R[3] = 0
6 mov S[1] = labelof(R[1])
7 (R[1]) branch .L1
8 <S[1]> mov R[3] = 1
9 .L1: <S[1]> mov S[3] = labelof(R[3])
10 (R[3]) branch .L2
11 <S[3]> mov R[2] = 1
12 .L2: <S[3]> store [R[5]] = R[2]
Anything depending on S[1] will have the label of R[1]
Propagates label S[1] to R[3] if branch L1 not taken
Combines labels S[1] and R[3] if branch L1
is takenPropagates labels S[3] to R[2] if branch L2 not
taken Combines labels S[3] to R[2] and R[5] if branch
L2 not taken
![Page 35: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/35.jpg)
Lecture 1Page 35CS 236, Spring 2008
The Net Effect
• If A (stored in R[1] in program) is secret,
• Then line 12 will be executed with a secret label
• Regardless of value of A and information flow
![Page 36: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/36.jpg)
Lecture 1Page 36CS 236, Spring 2008
What About That Hardware?• Essentially only stores extra information
• Information could be stored in regular memory
• How to propagate it?
• More code re-writing
– To explicitly copy/combine labels
• Later research suggests feasibility
– In both correctness and performance
![Page 37: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/37.jpg)
Lecture 1Page 37CS 236, Spring 2008
The Data Tethers ProblemFile A
If the laptop is stolen, file A goes
with it
File A
![Page 38: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/38.jpg)
Lecture 1Page 38CS 236, Spring 2008
The Data Tethers Solution
File A
If the laptop is stolen, file A isn’t
there
File A
![Page 39: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/39.jpg)
Lecture 1Page 39CS 236, Spring 2008
Basic Data Tethers Operations
• Tie policies to pieces of data
– E.g., “file X cannot leave the office”
• Observe environmental conditions
– E.g., “leaving the office”
• Apply policies to remove files when necessary
![Page 40: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/40.jpg)
Lecture 1Page 40CS 236, Spring 2008
What’s That Got To Do With Flow Tracking?
File A File
A
File A’ What if the user
copies the data to another file?
Will the copy be tethered?
Or not . . .?
File A’
![Page 41: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/41.jpg)
Lecture 1Page 41CS 236, Spring 2008
Information Flow and Data Tethers
• We want to tether data, not files
• Requires tethers to be propagated as data is copied
• But how to avoid unnecessary tethering?
• Requires sophisticated data flow tracking
![Page 42: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/42.jpg)
Lecture 1Page 42CS 236, Spring 2008
Returning to the Example
File A
File A’ A’ is a copy of AFile
B B is unrelated to A
How do we tell which to tether?
![Page 43: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/43.jpg)
Lecture 1Page 43CS 236, Spring 2008
So What Do We Do?
• Data Tethers wants to work on commodity operating systems
• Don’t want to reimplement executables
• Don’t have special hardware
• How do we make it work?
![Page 44: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/44.jpg)
Lecture 1Page 44CS 236, Spring 2008
Proposed Approach
• Use code re-writing
• Assume few things have tethers attached
– Might limit performance problems
• Rewrite code to propagate labels in reserved memory area
![Page 45: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/45.jpg)
Lecture 1Page 45CS 236, Spring 2008
Effect on Our Example
• Program that copies A to A’ propagates the label to A’
• Program that copies B from untethered data C doesn’t label B
• Underlying OS structures deal with applying policies, as required
– Today, we only care about labeling
![Page 46: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/46.jpg)
Lecture 1Page 46CS 236, Spring 2008
A Different Kind of Code Rewriting
Before After
![Page 47: Lecture 1 Page 1 CS 236, Spring 2008 Information Flow Tracking CS 236 Advanced Computer Security Peter Reiher April 8, 2008](https://reader035.vdocuments.us/reader035/viewer/2022062423/5697bf8a1a28abf838c8a623/html5/thumbnails/47.jpg)
Lecture 1Page 47CS 236, Spring 2008
Issues to Be Addressed
• Are you crazy?• Granularity of labeling• Granularity of rewriting• When does rewriting occur?• How many labels?• How to combine them?• Would we be better off with HiStar?