Formal Security Models
CSM27 Computer Security
Dr Hans Georg Schaathun, University of Surrey
Autumn 2009 – Week 7
Outline
1. The session
2. Bell-LaPadula
3. Other models
4. Execution Monitors
5. Conclusion
Session objectives
- Have an overview of a range of security models
- Be able to use the principle of finite automata to describe security models
- Understand the confidentiality policy of Bell-LaPadula
- Understand the limitations of Bell-LaPadula
- Be able to choose an appropriate model for a given scenario
Session Overview
- BLP: the pioneer in security models (confidentiality)
- Biba: a BLP analogue for integrity
- Chinese Wall: resolves conflicts of interest. Scenario: a consultancy firm with competing clients.
- Clark-Wilson: integrity is the primary concern in commercial business (contrary to the secrecy requirement in military applications)
- Harrison-Ruzzo-Ullman: managing access rights
- Information Flow Models: measuring the exact leak of information (or of misinformation in an integrity scenario)
Outline
1. The session
2. Bell-LaPadula
   - Finite Automata
   - Bell-LaPadula
   - Security Properties
   - Limitations
3. Other models
4. Execution Monitors
5. Conclusion
Finite Automata: a finite automaton
State machine ≈ automaton. A finite automaton consists of
- a set of states $Q$
- an input alphabet $\Sigma$, the labels for the state transitions
- an initial state $q_0 \in Q$
- a set of accepting states $A \subset Q$
- a transition function $\delta : Q \times \Sigma \to Q$, equivalent to the edges (arrows)
[Figure: a six-state automaton (states 0–5) over the alphabet {0, 1}]
A finite automaton: secure and insecure states
- A state can be good or bad, i.e. secure or insecure
- Transitions from good to bad states are dangerous
- Two criteria:
  1. The start state must be secure
  2. There is no transition from a secure state to an insecure one
[Figure: the six-state automaton from the previous slide]
Bell-LaPadula: the principle of an automaton model
1. Describe all secure states
2. Describe the transitions from secure states
3. Prove that no transition leads from a secure state to an insecure one
If this is possible, the system is provably secure. Bell-LaPadula is one description of secure states.
Similar principles apply to e.g. database development:
- the database has to be maintained in a consistent state
- no operation (transition) is allowed to bring the database to an inconsistent state
Bell-LaPadula: elements of access control
- a set of subjects $S$
- a set of objects $O$
- a set of access operations $A = \{\text{execute}, \text{read}, \text{append}, \text{write}\}$
- a set of security levels $L$, with a partial ordering $\le$
Bell-LaPadula: the state set
A state $(b, M, f)$ includes
- the access operations currently in use, $b$: a list of tuples $(s, o, a)$ with $s \in S$, $o \in O$, $a \in A$
- the access permission matrix $M = (M_{s,o})_{s \in S,\, o \in O}$, where $M_{s,o} \subset A$
- clearance and classification $f = (f_S, f_C, f_O)$:
  - $f_S : S \to L$, the maximal security level of a subject
  - $f_C : S \to L$, the current security level of a subject ($f_C \le f_S$)
  - $f_O : O \to L$, the classification of an object
Security Properties: Simple Security Property (SS-property)
A state $(b, M, f)$ satisfies the SS-property if
$$\forall (s, o, a) \in b \text{ such that } a \in \{\text{read}, \text{write}\}: \quad f_O(o) \le f_S(s).$$
I.e. a subject can only observe objects of lower classification.
Security Properties: what about write access?
What policy do we need for write access?
- Integrity: no write-up (to higher security levels)
- Confidentiality: no write-down (to lower security levels)
Bell-LaPadula concerns confidentiality:
- a subject must not transmit messages to subjects at lower levels
- the current security level allows communications: a subject has to be downgraded to send messages
- because subjects are computer programs, they can be made to forget their knowledge when downgraded
Security Properties: *-property
A state $(b, M, f)$ satisfies the *-property if
$$\forall (s, o, a) \in b \text{ such that } a \in \{\text{append}, \text{write}\}: \quad f_C(s) \le f_O(o),$$
and if $\exists (s, o, a) \in b$ where $a \in \{\text{append}, \text{write}\}$, then
$$\forall o',\, a' \in \{\text{read}, \text{write}\} \text{ such that } (s, o', a') \in b: \quad f_O(o') \le f_O(o).$$
I.e. a subject can only alter objects of higher classification, and cannot read a high-level object while writing to a low-level object.
Security Properties: Discretionary Security Property
- The previous security properties provide Mandatory Access Control (MAC), i.e. a centrally defined access policy: the security levels are defined by a central policy
- Discretionary Access Control (DAC) decentralises the control
- The access control matrix $M$ allows DAC in Bell-LaPadula
A state $(b, M, f)$ satisfies the DS-property if
$$\forall (s, o, a) \in b: \quad a \in M_{s,o}.$$
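The three properties together define the secure states of the automaton model, and a request to add an access is a transition that must not leave the secure set. The following checker is an added example, not code from the lecture; it assumes security levels of the form (sensitivity, categories) with the usual partial order, and the subjects, objects, matrix and levels are constructed sample data.

```python
# Added example (not from the lecture slides): a Bell-LaPadula state checker over
# constructed levels (sensitivity, categories) and made-up subjects, objects and M.

OBSERVE = {"read", "write"}   # accesses that observe an object's contents
ALTER = {"append", "write"}   # accesses that alter an object's contents

def leq(l1, l2):
    """Partial order on L: l1 <= l2 iff lower-or-equal sensitivity and categories a subset."""
    return l1[0] <= l2[0] and l1[1] <= l2[1]

def ss_property(b, f):
    """SS-property: every observing (s, o, a) in b has f_O(o) <= f_S(s)."""
    fS, _, fO = f
    return all(leq(fO[o], fS[s]) for (s, o, a) in b if a in OBSERVE)

def star_property(b, f):
    """*-property: altering (s, o, a) needs f_C(s) <= f_O(o) and no observed o' above o."""
    _, fC, fO = f
    for (s, o, a) in b:
        if a in ALTER:
            if not leq(fC[s], fO[o]):
                return False
            if any(s2 == s and a2 in OBSERVE and not leq(fO[o2], fO[o])
                   for (s2, o2, a2) in b):
                return False
    return True

def ds_property(b, M):
    """DS-property: every (s, o, a) in b is permitted by the matrix entry M[s, o]."""
    return all(a in M.get((s, o), set()) for (s, o, a) in b)

def secure(state):
    b, M, f = state
    return ss_property(b, f) and star_property(b, f) and ds_property(b, M)

def request_access(state, s, o, a):
    """Transition: add (s, o, a) to b only if the new state is secure; otherwise deny."""
    b, M, f = state
    candidate = (b | {(s, o, a)}, M, f)
    return (candidate, True) if secure(candidate) else (state, False)

# Constructed sample data: three levels, two subjects, two objects.
TOP, SECRET, PUBLIC = (2, frozenset({"nuclear"})), (1, frozenset()), (0, frozenset())
F = ({"alice": TOP, "bob": PUBLIC},        # f_S: clearance
     {"alice": PUBLIC, "bob": PUBLIC},     # f_C: current level (f_C <= f_S)
     {"plan": SECRET, "news": PUBLIC})     # f_O: classification
M = {("alice", "plan"): {"read", "write"}, ("alice", "news"): {"read", "append"},
     ("bob", "news"): {"read"}, ("bob", "plan"): {"read"}}
INITIAL = (frozenset(), M, F)   # empty b: trivially a secure start state
```

Note that bob's read on "plan" is denied although M permits it: the mandatory SS-property overrides the discretionary matrix, while alice is refused "append" on "news" only while she holds an observing access to the higher-classified "plan".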