An Information and Privilege Flow Model for Intrusion Detection in Computer Systems

Computer system intrusion typically occurs as a result of either system penetration or misuse of access authorization that exploits operational security problems. In principle, access control and authentication mechanisms can provide the penetration resistance necessary to prevent illegitimate access by unauthorized users. However, intrusion resulting from operational security problems cannot be prevented by authentication or access control since unauthorized access is not necessarily attempted. This dissertation justifies the need for, and presents, a pattern-oriented, intrusion-detection model that can be used to analyze privilege and data flows in secure computer systems to detect intrusion occurrences that result from exploiting operational security problems. This model addresses context-dependent intrusion, such as the unintended use of foreign programs, the unintended use of foreign input data and virus propagation, and has been used to build an intrusion detection system for Trusted Xenix(TM) (*). Pattern-oriented intrusion detection is expected to complement, not replace, current statistical approaches to intrusion detection.One of the most difficult to detect context-dependent intrusion patterns is the use of covert storage channels. In this dissertation, the requirements for auditing covert storage channels are defined, and some fundamental problems which appear in most computer systems are illustrated. It is argued that audit subsystems designed to minimally satisfy the TCSEC requirements (TCSEC85, GUATS88) are unable to detect many instances of covert storage channel use, and hence require major design and implementation changes before they are able to detect all the uses of covert storage channels. Finally, the design of a Trusted Xenix(TM) tool for covert-channel audit, which has been in operation since July 1989, is presented. Results of experiments indicate that the tool is able to detect all the uses of covert storage channels without raising false alarms. ftn(*) Xenix(TM) is a registered trademark of Microsoft Inc. Unix(R) is a registered trademark of the AT&T Laboratories. AIX is a trademark of IBM Corp. Secure Xenix(TM) was developed by IBM Federal Sector Division for B2-level evaluation and is now marketed as Trusted Xenix(TM) by Trusted Information Systems Inc. The work of this dissertation was done on Secure Xenix(TM), an early version of Trusted Xenix(TM).