Computer Security – Part Two

Previously
• Introduction
• Threat analysis
  – Threats, Policy, Specification, Design, Implementation, Operation and Maintenance

Now
• Multilateral and multilevel security
• Security policies
• Confidentiality policies – the Bell-LaPadula Model
• Integrity policies – the Biba Integrity Model
• Hybrid policies – the Chinese Wall Model
Multilevel Security
• Different security levels for resources
• Important systems
  – A lot of research is done
  – Products for military applications can have a second chance
• Firewalls, web servers, etc.
  – Often applied in the wrong context and in the wrong way

Multilateral Security
• To protect information from leaking between compartments on the same level
• Different types
  – Organizations
  – Privilege-based
  – A mix
Security Policy
A security policy defines “secure” for a system or a set of systems.
• Purpose and goal
• A foundation for the choice of security mechanisms
• Who is responsible for what
• What is allowed and what is not allowed
• Why the policy looks like it does – important!

Security Policy
• Confidentiality policy
  – Identifies those states that can leak information
• Integrity policy
  – Identifies authorized ways in which information may be altered and the entities authorized to alter it
• Formal statement of desired properties
  – Required if the system is to be provably secure
• In practice
  – Informal statements that assume the reader understands the context in which the policy is issued

Security Mechanism and Model
Def. A security mechanism is an entity or procedure that enforces some part of the security policy.
Def. A security model is a model that represents a particular policy or set of policies.

Types of security policies
Def. A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
Def. A commercial security policy is a security policy developed primarily to provide integrity.
Def. A confidentiality policy is a security policy dealing only with confidentiality.
Def. An integrity policy is a security policy dealing only with integrity.
The Role of Trust
• An example: a system administrator receives a security patch
  – Assumes that the patch came from the vendor and was not tampered with in transit
  – Assumes that the vendor tested the patch thoroughly
  – Assumes that the vendor’s test environment corresponds to her environment
  – Assumes that the patch is installed correctly
• Any security policy, mechanism, or procedure is based on assumptions

Confidentiality Policies
• Common in military systems
• Also called information flow policies
• Models
  – The Bell-LaPadula Model
  – Extensions of the Bell-LaPadula Model

The Bell-LaPadula Security Policy Model
• The simplest and best known, 1973
• Trusted Computing Base (TCB)
  – The set of components you trust
• Classification and clearance
• Information flow control
  – No process can read information on a higher level – no-read-up
  – No process can write information to a lower level – no-write-down
The Bell-LaPadula Model
• Classify information
  – A subject has a security clearance
    • In a linear ordering: the higher the security clearance, the more sensitive the information the subject may access
  – An object has a security classification
    • Also in a linear ordering: Top Secret, Secret, Confidential, Unclassified
• The goal is to prevent read access to objects at a security classification higher than the subject’s clearance
• Combines mandatory and discretionary access control

The Bell-LaPadula Model
• Notation
  – L(S) = l_s: security clearance of subject S
  – L(O) = l_o: security classification of object O
• Linear ordering
  – For all security classifications l_i, i = 0, ..., k – 1: l_i < l_{i+1}
• Simple Security Condition (preliminary version): S can read O iff l_o ≤ l_s and S has discretionary read access to O.
• *-property (preliminary version): S can write O iff l_s ≤ l_o and S has discretionary write access to O.

Criticism of the Bell-LaPadula Model
• The principle of tranquility states that subjects and objects may not change their security levels once they have been instantiated
• The Bell-LaPadula model (as presented) says nothing about changing security levels
• Strong and weak tranquility
• There are other controversies as well
• But still the simplest, and yet so hard to implement
Integrity Policies
• Commercial requirements differ from military ones:
  1. Users will not write their own programs, but will use existing production programs and databases
  2. Programmers will develop and test programs on a non-production system
  3. A special process must be followed to install a program from the development system onto the production system
  4. The special process in (3) must be controlled and audited
  5. The managers and auditors must have access to both the system state and the system logs that are generated
• Accuracy is much more important than disclosure

Integrity Policies
• Principles of operation
  – Separation of duty
  – Separation of function
  – Auditing
• Models
  – Biba Integrity Model
  – Lipner’s Integrity Matrix Model
  – Clark-Wilson Integrity Model

The Biba Integrity Model
• Bell-LaPadula upside down
• Handles integrity and ignores confidentiality
• Read-up, write-down
• Many ”real” systems use this model

The Biba Integrity Model
• A system consists of a set S of subjects, a set O of objects, and a set I of integrity levels
• The integrity levels are ordered
  – The higher the level, the more confidence that a program will execute correctly
  – Data at a higher level is more accurate and/or reliable than data at a lower level
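The two slides on Bell-LaPadula notation (simple security condition and *-property) and the Biba slides above describe the same kind of check with the inequalities reversed. The following is an added example, not code from the lecture: it puts both rule sets over one linear ordering so the "Bell-LaPadula upside down" relationship can be seen on concrete decisions. The level names, the subject "alice", the three objects and the discretionary rights are constructed; Biba is treated as purely mandatory (no DAC term), which is an assumption about the model as presented here.

```python
"""Bell-LaPadula and Biba checks over one linear ordering of levels.

Added example for the slides above; not code from the lecture. The level
names, subject, objects and discretionary rights below are constructed.
"""
from dataclasses import dataclass, field

# Linear ordering l_0 < l_1 < ... < l_{k-1}, as in the slide's notation
# (constructed labels; the index is the position in the ordering).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Subject:
    name: str
    level: str                                   # L(S): clearance (BLP) or integrity level (Biba)
    dac_read: set = field(default_factory=set)   # object names S may read under DAC
    dac_write: set = field(default_factory=set)  # object names S may write under DAC


@dataclass
class Obj:
    name: str
    level: str                                   # L(O): classification (BLP) or integrity level (Biba)


def blp_can_read(s: Subject, o: Obj) -> bool:
    """Simple security condition: l_o <= l_s and discretionary read (no read up)."""
    return RANK[o.level] <= RANK[s.level] and o.name in s.dac_read


def blp_can_write(s: Subject, o: Obj) -> bool:
    """*-property: l_s <= l_o and discretionary write (no write down)."""
    return RANK[s.level] <= RANK[o.level] and o.name in s.dac_write


def biba_can_read(s: Subject, o: Obj) -> bool:
    """Biba strict integrity, read rule: only from objects at or above S (no read down).
    Biba is treated here as mandatory only, so there is no DAC term (assumption)."""
    return RANK[s.level] <= RANK[o.level]


def biba_can_write(s: Subject, o: Obj) -> bool:
    """Biba strict integrity, write rule: only to objects at or below S (no write up)."""
    return RANK[o.level] <= RANK[s.level]


def demo_scenario():
    """Constructed subject and objects used by main() and access_table()."""
    alice = Subject("alice", "Secret",
                    dac_read={"memo", "archive"},          # note: no DAC read on "plan"
                    dac_write={"memo", "plan", "archive"})
    objs = {name: Obj(name, lvl) for name, lvl in
            [("memo", "Confidential"), ("plan", "Secret"), ("archive", "Top Secret")]}
    return alice, objs


def access_table():
    """Every (policy, operation, object) decision for the demo scenario, as a dict."""
    alice, objs = demo_scenario()
    rules = {("BLP", "read"): blp_can_read, ("BLP", "write"): blp_can_write,
             ("Biba", "read"): biba_can_read, ("Biba", "write"): biba_can_write}
    return {(pol, op, o.name): rule(alice, o)
            for (pol, op), rule in rules.items() for o in objs.values()}


if __name__ == "__main__":
    for (pol, op, obj), ok in sorted(access_table().items()):
        print(f"{pol:5} {op:5} {obj:8} -> {'allow' if ok else 'deny'}")
```

Two decisions in the table are worth reading side by side: under Bell-LaPadula "alice" (Secret) may write to "archive" (Top Secret) but not read it, while under Biba the same levels read as integrity levels give exactly the opposite answer. The "plan" object shows the discretionary part of the BLP rule: the levels permit the read, but the missing DAC right denies it.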
Hybrid Policies
• Many organizations desire both confidentiality and integrity
• Conflict of interest
  – Chinese Wall Model
• Medical ethics and laws about dissemination of patient data
  – Clinical Information Systems
• Originator controlled access control
  – Lets the creator determine (or assign) who should access the data and how
• Role-based access control
  – The ability, or need, to access information may depend on one’s job functions

The Chinese Wall Model
• To prevent a conflict of interest
  – Example: an investment house
  – Information about companies is stored in a database
• Definitions
  – The objects of the database are items of information related to a company.
  – A company dataset (CD) contains objects related to a single company.
  – A conflict of interest (COI) class contains the datasets of companies in competition.

The Chinese Wall Model
• COI example (diagram not recoverable from the extracted slide text)

The Chinese Wall Model
• History is important
• PR(S) is the set of objects that S has read
• CW-Simple Security Condition: S can read O iff any of the following holds.
  1. There is an object O' such that S has accessed O' and CD(O') = CD(O).
  2. For all objects O', O' ∈ PR(S) ⇒ COI(O') ≠ COI(O).
  3. Object O is a sanitized object.
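The CW-simple security condition depends on the subject's read history PR(S), so a check that only looks at the requested object cannot implement it. The following is an added example, not the lecture's own code: a small monitor that keeps PR(S) per subject, evaluates the three conditions in the order the slide lists them, and records a successful read. The investment-house database (two COI classes, "banks" and "oil", with two company datasets each), the object names and the sanitized object are constructed; treating sanitized objects as never contributing to a conflict when they sit in the history is an assumption made here.

```python
"""Chinese Wall CW-simple security condition with per-subject read history.

Added example for the slides above, not the lecture's own code. The company
datasets, COI classes and object names are constructed.
"""


class ChineseWall:
    def __init__(self, cd_of, coi_of, sanitized=()):
        self.cd_of = dict(cd_of)            # object -> company dataset CD(O)
        self.coi_of = dict(coi_of)          # company dataset -> COI class
        self.sanitized = set(sanitized)     # objects that never create a conflict
        self.pr = {}                        # PR(S): objects S has read so far

    def coi(self, obj):
        """COI(O) is the COI class of the company dataset that holds O."""
        return self.coi_of[self.cd_of[obj]]

    def can_read(self, subject, obj):
        if obj in self.sanitized:                   # condition 3
            return True
        # Sanitized objects are left out of the history (assumption: they
        # carry no conflict, so they must not block later reads).
        history = [o for o in self.pr.get(subject, set()) if o not in self.sanitized]
        if any(self.cd_of[o] == self.cd_of[obj] for o in history):   # condition 1
            return True
        return all(self.coi(o) != self.coi(obj) for o in history)    # condition 2

    def read(self, subject, obj):
        """Apply the check and, on success, record the access in PR(S)."""
        if not self.can_read(subject, obj):
            return False
        self.pr.setdefault(subject, set()).add(obj)
        return True


def demo_wall():
    """Constructed investment-house database: two COI classes of two companies each."""
    cd_of = {"bankA_report": "BankA", "bankB_report": "BankB",
             "bankB_public": "BankB",          # sanitized object
             "oilX_report": "OilX", "oilY_report": "OilY"}
    coi_of = {"BankA": "banks", "BankB": "banks", "OilX": "oil", "OilY": "oil"}
    return ChineseWall(cd_of, coi_of, sanitized={"bankB_public"})


def demo_trace():
    """A trader's sequence of reads; returns (object, allowed) pairs in order."""
    wall = demo_wall()
    seq = ["bankA_report",   # first read: nothing in PR(S), allowed (condition 2, vacuously)
           "oilX_report",    # other COI class, allowed
           "bankB_report",   # same COI class as bankA, different CD: denied
           "bankA_report",   # same CD as an earlier read: allowed (condition 1)
           "bankB_public"]   # sanitized: allowed despite the bank conflict
    return [(o, wall.read("trader", o)) for o in seq]


if __name__ == "__main__":
    for obj, ok in demo_trace():
        print(f"trader reads {obj:14} -> {'allow' if ok else 'deny'}")
```

The trace makes the history dependence visible: "bankB_report" is denied to the trader only because of the earlier read of "bankA_report", and a second subject with an empty history can read it freely. The same monitor then denies that second subject "bankA_report" for the mirror-image reason.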
Summary
• Multilevel and multilateral security
• Security policies
• Confidentiality policies – the Bell-LaPadula Model
• Integrity policies – the Biba Integrity Model
• Hybrid policies – the Chinese Wall Model