Monday, August 27, 2012

Information Flow Mapping & Detection

In my previous blog posting I discussed the applicability of the information flow model (IFM) for assessing security and privacy policies of biometric systems. Implementing this model requires the ability to monitor the exchange of content between hosts, which can be on either internal or external networks. Once implemented, the IFM can be used for:
  • testing compliance of information exchange policies for biometric information
  • monitoring information flow path of biometric information
  • detecting unauthorized leakage of biometric
Recently I had an opportunity to use Fidelis XPS, which is designed and used for malware threat detection and prevention. One of the core product capabilities allows a user to set up a rule for detecting string patterns in the information being exchanged between two hosts. If the rule detects the string pattern in any information flowing between two hosts, an alarm is generated and further preventive action can be taken. To test the functionality of monitoring biometric information flow between two hosts I downloaded the INCITS 378 dataset from the NIST website, consisting of standardized finger minutiae templates. All templates conforming to this standard have the string “FMR” embedded in them, and a rule was set up to detect any files containing this string pattern.

The files were downloaded in gzip format over HTTP and Fidelis XPS successfully detected 100% of the files. Although this was quite a simple experiment, it highlights existing technical capabilities for creating and implementing information flow models. Such products can also be deployed to prevent leakage of personally identifiable information to unauthorized recipients.
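To make the experiment above concrete, here is an added example (my own code, not Fidelis XPS or anything from the original post) of the same detection logic: transparently unwrap a gzip body carried over HTTP, look for the INCITS 378 record signature, and raise an alert when the template travels between a host pair that the information flow policy does not authorize. The sample template bytes, host addresses and allowed-flow table are constructed for illustration; matching "FMR" followed by its NUL terminator rather than the bare string is an assumption I make to cut false positives on ordinary text.

```python
import gzip
import re

# INCITS 378 finger minutiae records start with the format identifier "FMR"
# terminated by a NUL byte; matching the terminator too avoids alerting on
# the letters "FMR" inside ordinary text (assumption, see lead-in).
FMR_SIGNATURE = re.compile(rb"FMR\x00")
GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample: a minimal header-like prefix followed by filler bytes.
SAMPLE_TEMPLATE = b"FMR\x00 20\x00" + bytes(range(32))

# Constructed information flow policy: (source, destination) pairs that are
# authorized to exchange biometric templates. Everything else is a leak.
ALLOWED_FLOWS = {("10.0.0.5", "10.0.0.9")}


def unwrap_gzip(payload: bytes) -> bytes:
    """Return the decompressed body if it is gzip, otherwise the raw bytes.

    A corrupt or truncated gzip stream falls back to scanning the raw
    bytes so that a damaged archive cannot silently bypass inspection.
    """
    if payload.startswith(GZIP_MAGIC):
        try:
            return gzip.decompress(payload)
        except (OSError, EOFError):
            return payload
    return payload


def find_fmr_templates(payload: bytes) -> list:
    """Offsets of every INCITS 378 record signature in the inspected body."""
    data = unwrap_gzip(payload)
    return [m.start() for m in FMR_SIGNATURE.finditer(data)]


def classify_flow(src: str, dst: str, payload: bytes, allowed=ALLOWED_FLOWS) -> str:
    """Apply the flow policy: 'allow' if no template or an authorized pair,
    'alert' when a template crosses an unauthorized host pair."""
    if not find_fmr_templates(payload):
        return "allow"
    return "allow" if (src, dst) in allowed else "alert"


if __name__ == "__main__":
    body = gzip.compress(SAMPLE_TEMPLATE)
    print(classify_flow("10.0.0.5", "10.0.0.9", body))    # authorized pair
    print(classify_flow("10.0.0.5", "203.0.113.7", body)) # unauthorized pair
```

A production rule would also need to handle chunked transfer encoding and other content encodings before the signature check is meaningful.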

There are a few challenges that need to be addressed for a comprehensive IFM, including: a language for expressing exchange policies, getting buy-in from all entities in the ecosystem, and automating enforcement of policies.

Comments and discussions are welcome!

Sunday, August 5, 2012

Sensor Level Security

Last week an attack on iris recognition systems was described at the Black Hat conference. The attack made several assumptions: access to the registered template, access to a highly granular similarity score from the matching subsystem, absence of managerial controls against multiple attempts, and no liveness detection at the acquisition sensor. The attack described is a classic "hill climbing attack": going through several iterations of generating a synthetic iris image, verifying it against the registered template, and utilizing the similarity score to generate a new synthetic iris image that eventually will be close enough to the registered template.

Although the underlying idea employed by this attack is not new, it has brought attention to the need to design security controls against these attacks. The first is to use liveness detection to ensure that a synthetic sample cannot be provided to the sensor. A hill climbing attack can only be successful if the synthetic sample is accepted by the sensor. Liveness detection techniques include measuring biological features to ascertain that the source is live, as well as simple challenge-response actions which only a live human can complete. Another technique to prevent hill climbing attacks is to provide a coarse response for the verification attempt. For example, the UID system implemented in India, which utilizes biometric technologies, only provides a "yes/no" response for each verification attempt.

From a practitioner's standpoint these types of attacks can be mitigated using appropriate operational controls and by providing only the amount of information necessary for the system to operate. Please feel free to leave your comments!