Computer Security
Last time
• Introduction
• Threat analysis
  – Threats
• Introduction to access control
  – Policy matrix
  – Specification
  – Design
  – Implementation
  – Operation and Maintenance
Security in the Course
• Lectures
  – Introduction
  – Threat analysis
  – Introduction to access control matrix
  – Security policies (today)
  – Cryptography
  – Key management
  – Authentication
  – Design principles
  – Access control mechanisms
  – Assurance
  – The future
• Literature
Today
• Multilateral and Multilevel security
• Security policies
• Confidentiality Policies
  – The Bell-LaPadula Model
• Integrity Policies
  – The Biba Integrity Model
• Hybrid Policies
  – The Chinese Wall Model
Multilevel Security
• Different security levels for resources
• Important systems
  – A lot of research is done
  – Products for military applications can have a second chance
    • Firewalls, web servers, etc.
  – Often applied in the wrong context and in the wrong way
Multilateral Security
• To protect information from leaking between compartments on the same level
• Different types
  – Organizations
  – Privilege-based
  – A mix
Security Policy
A security policy defines “secure” for a system or a set of systems.
• Purpose and goal
• A foundation for the choice of security mechanisms
• Who is responsible for what
• What is allowed and what is not allowed
• Why the policy looks like it does – important!
Security Policy
Def. A security policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or nonsecure, states.
Def. A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.
Def. A breach of security occurs when a system enters an unauthorized state.
Security Policy - Confidentiality
Def. Let X be a set of entities and let I be some information. Then I has the property of confidentiality with respect to X if no member of X can obtain information about I.
Security Policy - Integrity
Def. Let X be a set of entities and let I be some information or a resource. Then I has the property of integrity with respect to X if all members of X trust I.
Security Policy - Availability
Def. Let X be a set of entities and let I be a resource. Then I has the property of availability with respect to X if all members of X can access I.
Security Policy
• Confidentiality policy
  – Identifies those states that can leak information
• Integrity policy
  – Identifies authorized ways in which information may be altered and entities authorized to alter it
• Formal statement of desired properties
  – Required if the system is to be provably secure
• In practice
  – Informal statements that assume that the reader understands the context in which the policy is issued
Security Mechanism and Model
Def. A security mechanism is an entity or procedure that enforces some part of the security policy.
Def. A security model is a model that represents a particular policy or set of policies.
Types of security policies
Def. A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
Def. A commercial security policy is a security policy developed primarily to provide integrity.
Def. A confidentiality policy is a security policy dealing only with confidentiality.
Def. An integrity policy is a security policy dealing only with integrity.
The Role of Trust
• An example: A system administrator receives a security patch
  – Assumes that the patch came from the vendor and was not tampered with in transit
  – Assumes that the vendor tested the patch thoroughly
  – Assumes that the vendor’s test environment corresponds to her environment
  – Assumes that the patch is installed correctly
• Any security policy, mechanism, or procedure is based on assumptions
Types of Access Control
Def. If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called an identity-based access control (IBAC).
Def. When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC), occasionally called a rule-based access control.
Def. An originator controlled access control (ORCON or ORGCON) bases access on the creator of an object (or the information it contains).
Discretionary Access Control
[Figure: an access control matrix for the subjects Alice, Sam and Bob over the objects Foo and Bar, with entries such as RWX, --X, R-X and R--. Each column of the matrix, read on its own, is the object’s ACL; each row is the subject’s capability list.]
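The two views of the matrix in the figure, as an added example that is not part of the lecture slides: an access control matrix stored row by row, an ACL view (one column), a capability view (one row), a reference-monitor style check, and a DAC-style grant that only an object’s owner may perform. The subject and object names come from the slide; the exact rights in each cell and the owner table are constructed assumptions.

```python
"""Access control matrix with ACL and capability views (added example)."""
from typing import Dict, FrozenSet

Rights = FrozenSet[str]


def parse_rights(cell: str) -> Rights:
    """Turn an 'RWX' / '--X' style cell into a set of rights; '-' means absent."""
    return frozenset(c for c in cell if c != "-")


# Rows are subjects, columns are objects.  Names come from the slide; the
# assignment of rights to cells is constructed for this example (assumption).
MATRIX: Dict[str, Dict[str, Rights]] = {
    "Alice": {"Foo": parse_rights("RWX"), "Bar": parse_rights("RWX")},
    "Sam":   {"Foo": parse_rights("--X"), "Bar": parse_rights("--X")},
    "Bob":   {"Foo": parse_rights("R-X"), "Bar": parse_rights("R--")},
}

# Constructed assumption: each object has an owner, the only subject allowed
# to change its column (the "individual user" of the DAC definition).
OWNER: Dict[str, str] = {"Foo": "Alice", "Bar": "Alice"}


def acl(matrix: Dict[str, Dict[str, Rights]], obj: str) -> Dict[str, Rights]:
    """ACL view: one column of the matrix, i.e. who may do what to `obj`."""
    return {subj: row[obj] for subj, row in matrix.items() if row.get(obj)}


def capabilities(matrix: Dict[str, Dict[str, Rights]], subj: str) -> Dict[str, Rights]:
    """Capability view: one row of the matrix, i.e. what `subj` may do to each object."""
    return {obj: rights for obj, rights in matrix[subj].items() if rights}


def check(matrix: Dict[str, Dict[str, Rights]], subj: str, obj: str, right: str) -> bool:
    """Reference-monitor style decision: is `right` present in cell (subj, obj)?"""
    return right in matrix.get(subj, {}).get(obj, frozenset())


def grant(matrix: Dict[str, Dict[str, Rights]], granter: str, subj: str, obj: str, right: str) -> None:
    """DAC: the owner of `obj` may add a right for another subject; anyone else is refused."""
    if OWNER.get(obj) != granter:
        raise PermissionError(f"{granter} does not own {obj}")
    row = matrix.setdefault(subj, {})
    row[obj] = row.get(obj, frozenset()) | {right}


def render(matrix: Dict[str, Dict[str, Rights]]) -> str:
    """Render the matrix in the slide's RWX notation so both views can be compared."""
    objs = sorted({o for row in matrix.values() for o in row})
    lines = ["        " + "  ".join(f"{o:>4}" for o in objs)]
    for subj, row in matrix.items():
        cells = ["".join(r if r in row.get(o, ()) else "-" for r in "RWX") for o in objs]
        lines.append(f"{subj:<8}" + "  ".join(f"{c:>4}" for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(MATRIX))
    print("ACL(Foo):", acl(MATRIX, "Foo"))
    print("CAP(Bob):", capabilities(MATRIX, "Bob"))
```

The ACL and capability views are the same data read along different axes; the difference that matters in practice is which of the two a system can enumerate and revoke cheaply.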
Confidentiality Policies
• Common in military systems
• Also called information flow policy
• Models
  – The Bell-LaPadula Model
  – Extensions of the Bell-LaPadula Model
The Bell-LaPadula Security Policy Model
• The simplest and most known, 1973
• Trusted Computing Base (TCB)
  – The set of components you trust
• Classification and clearance
• Information flow control
  – No process can read information on a higher level – no-read-up
  – No process can write information to a lower level – no-write-down
The Bell-LaPadula Model
• Classify information
  – A subject has a security clearance
    • In a linear ordering: the higher the security clearance, the more sensitive the information
  – An object has a security classification
    • Also in a linear ordering: Top Secret, Secret, Confidential, Unclassified
• The goal is to prevent read access to objects at a security classification higher than the subject’s clearance
• Combines mandatory and discretionary access control
The Bell-LaPadula Model
• Notation
  – L(S) = l_s: security clearance of subject S
  – L(O) = l_o: security classification of object O
• Linear ordering
  – For all security classifications l_i, i = 0, ..., k – 1, l_i < l_{i+1}
• Simple Security Condition (prel): S can read O iff l_o ≤ l_s and S has discretionary read access to O.
• *-property (prel): S can write O iff l_s ≤ l_o and S has discretionary write access to O.
Expanding The Bell-LaPadula Model
• Add categories
  – From the “need to know” principle
• Example
  – Categories NUC, EUR and US give these combinations:
    • { }, {NUC}, {EUR}, {US}, {NUC, EUR}, {NUC, US}, {EUR, US} and {NUC, EUR, US}
  – Alice is cleared into: (TOP SECRET, {NUC, US})
  – Bob: (SECRET, {EUR})
  – DocA is classified as: (CONFIDENTIAL, {EUR})
  – DocB is classified as: (UNCLASSIFIED, {EUR, US})
Expanding The Bell-LaPadula Model
Def. The security level (L, C) dominates (dom) the security level (L', C') iff L' ≤ L and C' is a subset of C.
Simple Security Condition: S can read O iff S dom O and S has discretionary read access to O.
*-property: S can write O iff O dom S and S has discretionary write access to O.
The Basic Security Theorem
Theorem. Let Σ be a system with a secure initial state σ_0, and let T be a set of state transformations. If every element of T preserves the simple security condition and the *-property, then every σ_i, i ≥ 0, is secure.
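The dominance relation, the two conditions with categories, and the shape of the Basic Security Theorem, as an added example that is not part of the lecture slides. Clearances and classifications for Alice, Bob, DocA and DocB are taken from the slides; DocC is a constructed high-level object added so that a permitted write can be shown, and the discretionary part is assumed to grant every subject r and w on every object so that the mandatory rules alone decide each request. The system keeps its current accesses as its state and has a single state transformation, `request`, which refuses any access that would make the state insecure; that is exactly the theorem’s hypothesis, so every reachable state stays secure.

```python
"""Bell-LaPadula with categories: dominance, the two conditions, and a state
machine whose only transition preserves them (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Linear ordering of classifications from the slides, lowest first.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class SecurityLevel:
    level: str
    categories: FrozenSet[str]

    def dom(self, other: "SecurityLevel") -> bool:
        """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
        return RANK[other.level] <= RANK[self.level] and other.categories <= self.categories


def lvl(level: str, *cats: str) -> SecurityLevel:
    return SecurityLevel(level, frozenset(cats))


# Clearances and classifications from the slides; DocC is constructed.
SUBJECTS: Dict[str, SecurityLevel] = {
    "Alice": lvl("TOP SECRET", "NUC", "US"),
    "Bob": lvl("SECRET", "EUR"),
}
OBJECTS: Dict[str, SecurityLevel] = {
    "DocA": lvl("CONFIDENTIAL", "EUR"),
    "DocB": lvl("UNCLASSIFIED", "EUR", "US"),
    "DocC": lvl("TOP SECRET", "NUC", "EUR", "US"),  # constructed for the example
}


def dac_allows(subject: str, obj: str, access: str) -> bool:
    """Discretionary part (assumption): everyone has r and w on everything."""
    return access in {"r", "w"}


def simple_security(subject: str, obj: str) -> bool:
    """S can read O iff S dom O and S has discretionary read access (no read up)."""
    return SUBJECTS[subject].dom(OBJECTS[obj]) and dac_allows(subject, obj, "r")


def star_property(subject: str, obj: str) -> bool:
    """S can write O iff O dom S and S has discretionary write access (no write down)."""
    return OBJECTS[obj].dom(SUBJECTS[subject]) and dac_allows(subject, obj, "w")


Access = Tuple[str, str, str]  # (subject, object, "r" or "w")


class System:
    """State = the set of current accesses.  The state is secure iff every
    access in it satisfies the condition for its mode.  request() is the only
    state transformation and never admits an access that violates a condition,
    so by the Basic Security Theorem every reachable state is secure."""

    def __init__(self) -> None:
        self.state: Set[Access] = set()  # initial state: no accesses, hence secure

    @staticmethod
    def _allowed(access: Access) -> bool:
        subject, obj, mode = access
        return simple_security(subject, obj) if mode == "r" else star_property(subject, obj)

    def is_secure(self) -> bool:
        return all(self._allowed(a) for a in self.state)

    def request(self, subject: str, obj: str, mode: str) -> bool:
        access = (subject, obj, mode)
        if not self._allowed(access):
            return False  # transition rejected, state unchanged
        self.state.add(access)
        return True


def run_trace(requests: List[Access]) -> Tuple[List[bool], bool]:
    """Apply a sequence of requests; return the decisions and whether the final state is secure."""
    system = System()
    decisions = [system.request(*req) for req in requests]
    return decisions, system.is_secure()


if __name__ == "__main__":
    trace = [("Bob", "DocA", "r"), ("Alice", "DocA", "r"), ("Bob", "DocC", "w"),
             ("Bob", "DocC", "r"), ("Alice", "DocB", "w")]
    print(run_trace(trace))
```

Note the two denials for Alice: her TOP SECRET clearance is not enough to read DocA because {EUR} is not a subset of her categories, and she cannot write DocB because that would move information down to UNCLASSIFIED. Bob, by contrast, may write DocC without being able to read it back, which is the blind-write behaviour the *-property permits.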
Criticism of the Bell-LaPadula Model
• The principle of tranquility states that subjects and objects may not change their security levels once they have been instantiated
• The Bell-LaPadula model (as presented) says nothing about changing security levels
• Strong and weak tranquility
• There are other controversies also
• But still the simplest, and yet so hard to implement
Integrity Policies
• Commercial requirements differ from military
  1. Users will not write their own programs, but will use existing production programs and databases
  2. Programmers will develop and test programs on a nonproduction system
  3. A special process must be followed to install a program from the development system onto the production system
  4. The special process in (3) must be controlled and audited
  5. The managers and auditors must have access to both the system state and the system logs that are generated
• Accuracy is much more important than disclosure
Integrity Policies
• Principles of Operation
  – Separation of duty
  – Separation of function
  – Auditing
• Models
  – Biba Integrity Model
  – Lipner’s Integrity Matrix Model
  – Clark-Wilson Integrity Model
The Biba Integrity Model
• Bell-LaPadula upside down
• Handles integrity and ignores confidentiality
• Read-up, write-down
• Many “real” systems use this model
The Biba Integrity Model
• A system consists of a set S of subjects, a set O of objects, and a set I of integrity levels
• The integrity levels are ordered
  – The higher the level, the more confidence that a program will execute correctly
  – Data at a higher level is more accurate and/or reliable than data at a lower level
The Biba Integrity Model
• Functions:
  – min : I × I → I
    • Gives the lesser of the two integrity levels
  – i : S ∪ O → I
    • Returns the integrity level of a subject or object
• Relations:
  – r ⊆ S × O
    • Defines the ability of a subject to read an object
  – w ⊆ S × O
    • Defines the ability of a subject to write to an object
  – x ⊆ S × S
    • Defines the ability of a subject to invoke (execute) another subject
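The functions and relations on the slide turned into code, as an added example that is not part of the lecture slides. The first three functions implement Biba’s strict integrity policy over the r, w and x relations (read only upward, write only downward, execute only downward, the “Bell-LaPadula upside down” of the earlier slide). The `min` function on the slide is what Biba’s subject low-water-mark variant uses: a read is always allowed, but afterwards the subject’s level becomes min(i(s), i(o)), so a subject that has read untrusted data can no longer write trusted objects. The integrity levels, subjects and objects are constructed for the example.

```python
"""Biba integrity: strict policy (no read down, no write up, no execute up) and
the subject low-water-mark variant built on min (added example)."""
from typing import Dict, List, Tuple

# Ordered integrity levels, higher = more trustworthy (constructed values).
I_LEVELS = {"untrusted": 0, "user": 1, "system": 2}

# i : S ∪ O → I as a table (constructed subjects and objects).
INTEGRITY: Dict[str, int] = {
    "installer": I_LEVELS["system"],        # subject
    "browser": I_LEVELS["user"],            # subject
    "/etc/passwd": I_LEVELS["system"],      # object
    "notes.txt": I_LEVELS["user"],          # object
    "download.bin": I_LEVELS["untrusted"],  # object
}


def i(entity: str, levels: Dict[str, int] = INTEGRITY) -> int:
    """The slide's i function: integrity level of a subject or object."""
    return levels[entity]


# Strict integrity policy, one predicate per relation on the slide.
def can_read(s: str, o: str, levels: Dict[str, int] = INTEGRITY) -> bool:
    """s r o iff i(s) <= i(o): a subject may only read objects at least as trustworthy (no read down)."""
    return i(s, levels) <= i(o, levels)


def can_write(s: str, o: str, levels: Dict[str, int] = INTEGRITY) -> bool:
    """s w o iff i(o) <= i(s): a subject may only write objects at most as trustworthy (no write up)."""
    return i(o, levels) <= i(s, levels)


def can_execute(s1: str, s2: str, levels: Dict[str, int] = INTEGRITY) -> bool:
    """s1 x s2 iff i(s2) <= i(s1): a subject may only invoke subjects no more trusted than itself."""
    return i(s2, levels) <= i(s1, levels)


def low_water_mark_read(s: str, o: str, levels: Dict[str, int]) -> int:
    """Subject low-water mark: the read is allowed, but afterwards the subject's
    level is min(i(s), i(o)); later writes are judged at the lowered level."""
    levels[s] = min(i(s, levels), i(o, levels))
    return levels[s]


def simulate(s: str, ops: List[Tuple[str, str]]) -> List[Tuple[str, str, bool, int]]:
    """Run (op, obj) pairs for subject s under low-water mark on a copy of the
    table; return a trace of (op, obj, allowed, level of s afterwards)."""
    levels = dict(INTEGRITY)
    trace = []
    for op, o in ops:
        if op == "read":
            low_water_mark_read(s, o, levels)
            trace.append((op, o, True, levels[s]))
        elif op == "write":
            trace.append((op, o, can_write(s, o, levels), levels[s]))
        else:
            raise ValueError(f"unknown operation {op!r}")
    return trace


if __name__ == "__main__":
    steps = [("read", "notes.txt"), ("write", "notes.txt"),
             ("read", "download.bin"), ("write", "notes.txt")]
    for step in simulate("browser", steps):
        print(step)
```

In the simulated trace the browser can write its own notes until it reads the untrusted download; from then on its level is 0 and the same write is refused. That contamination effect is the usual argument for the strict policy in systems where a subject’s level must stay predictable.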