
Multilevel Security: Different security levels for resources



Last time
• Threats
  – Introduction
  – Threat analysis
• Policy
  – Introduction to access control matrix
• Specification
• Design
• Implementation
• Operation and Maintenance
7/10 - 05 Distributed systems - Jonny Pettersson, UmU

Security in the Course
• Lectures
  – Introduction
  – Threat analysis
  – Introduction to access control matrix
  – Security policies (today)
  – Cryptography
  – Key management
  – Authentication
  – Design principles
  – Access control mechanisms
  – Assurance
  – The future
• Literature

Today
• Multilevel and multilateral security
• Security policies
• Confidentiality policies
  – The Bell-LaPadula Model
• Integrity policies
  – The Biba Integrity Model
• Hybrid policies
  – The Chinese Wall Model

Multilevel Security
• Different security levels for resources
• Important systems
  – A lot of research is done
  – Products for military applications can have a second chance
    • Firewalls, web servers, etc.
  – Often applied in the wrong context and in the wrong way

Multilateral Security
• To protect information from leaking between compartments on the same level
• Different types
  – Organizations
  – Privilege-based
  – A mix

Security Policy
A security policy defines “secure” for a system or a set of systems.
• Purpose and goal
• A foundation for the choice of security mechanisms
• Who is responsible for what
• What is allowed and what is not allowed
• Why the policy looks like it does – important!

Security Policy
Def. A security policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or nonsecure, states.
Def. A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.
Def. A breach of security occurs when a system enters an unauthorized state.

Confidentiality
Def. Let X be a set of entities and let I be some information. Then I has the property of confidentiality with respect to X if no member of X can obtain information about I.

Integrity
Def. Let X be a set of entities and let I be some information or a resource. Then I has the property of integrity with respect to X if all members of X trust I.

Availability
Def. Let X be a set of entities and let I be a resource. Then I has the property of availability with respect to X if all members of X can access I.

Types of security policies
• Confidentiality policy
  – Identifies those states that can leak information
• Integrity policy
  – Identifies authorized ways in which information may be altered and the entities authorized to alter it
• Formal statement of the policy
  – Required if the system is to be provably secure
• In practice
  – Informal statements that assume the reader understands the context in which the policy is issued

Security Mechanism and Model
Def. A security mechanism is an entity or procedure that enforces some part of the security policy.
Def. A security model is a model that represents a particular policy or set of policies.

Types of security policies
Def. A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
Def. A commercial security policy is a security policy developed primarily to provide integrity.
Def. A confidentiality policy is a security policy dealing only with confidentiality.
Def. An integrity policy is a security policy dealing only with integrity.

The Role of Trust
• An example: a system administrator receives a security patch
  – Assumes that the patch came from the vendor and was not tampered with in transit
  – Assumes that the vendor tested the patch thoroughly
  – Assumes that the vendor’s test environment corresponds to her environment
  – Assumes that the patch is installed correctly
• Any security policy, mechanism, or procedure is based on assumptions

Types of Access Control
Def. If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called an identity-based access control (IBAC).
Def. When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC), occasionally called a rule-based access control.
Def. An originator controlled access control (ORCON or ORGCON) bases access on the creator of an object (or the information it contains).

Discretionary Access Control
Access control matrix (rows are subjects, columns are objects):

          Foo   Bar
  Sam     RWX   RWX
  Alice   --X   --X
  Bob     R-X   R--

Each row is a subject’s capability list; each column is an object’s ACL.

Confidentiality Policies
• Common in military systems
• Also called information flow policy
• Models
  – The Bell-LaPadula Model
  – Extensions of the Bell-LaPadula Model

The Bell-LaPadula Security Policy Model
• The simplest and best known, 1973
• Trusted Computing Base (TCB)
  – The set of components you trust
• Classification and clearance
• Information flow control
  – No process can read information on a higher level – no-read-up
  – No process can write information to a lower level – no-write-down

The Bell-LaPadula Model
• Classify information
  – A subject has a security clearance
  – An object has a security classification
  – Both in a linear ordering: the higher the security clearance, the more sensitive the information
• The goal is to prevent read access to objects at a security classification higher than the subject’s clearance
• Combines mandatory and discretionary access control

The Bell-LaPadula Model
• Notation
  – L(S) = l_s: security clearance of subject S
  – L(O) = l_o: security classification of object O
• Linear ordering
  – For all security classifications l_i, i = 0, ..., k − 1: l_i < l_{i+1}
Simple Security Condition (prel): S can read O iff l_o ≤ l_s and S has discretionary read access to O.
*-property (prel): S can write O iff l_s ≤ l_o and S has discretionary write access to O.

Expanding The Bell-LaPadula Model
• Add categories
  – From the “need to know” principle
• Example
  – Categories NUC, EUR and US give these combinations:
    • {}, {NUC}, {EUR}, {US}, {NUC, EUR}, {NUC, US}, {EUR, US} and {NUC, EUR, US}
  – Alice is cleared into: (SECRET, {EUR})
  – Bob: (TOP SECRET, {NUC, US})
  – DocA is classified as: (CONFIDENTIAL, {EUR})

Expanding The Bell-LaPadula Model
Def. The security level (L, C) dominates (dom) the security level (L', C') iff L' ≤ L and C' ⊆ C.
Simple Security Condition: S can read O iff S dom O and S has discretionary read access to O.
*-property: S can write O iff O dom S and S has discretionary write access to O.

The Basic Security Theorem
Theorem. Let Σ be a system with a secure initial state σ_0, and let T be a set of state transformations. If every element of T preserves the simple security condition and the *-property, then every σ_i, i ≥ 0, is secure.

Criticism of the Bell-LaPadula Model
• The principle of tranquility states that subjects and objects may not change their security levels once they have been instantiated
• The Bell-LaPadula model (as presented) says nothing about changing security levels
• Strong and weak tranquility
• There are other controversies also
• But still the simplest, and yet so hard to implement
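The following is an added worked example, not code from the lecture or its slides. It ties together three slides: the access control matrix (rows as capability lists, columns as ACLs), the expanded Bell-LaPadula model with the dom relation and the two conditions, and the Basic Security Theorem, by treating the set of accesses currently in effect as the system state and the request monitor as the state transformation. Alice, Bob and DocA carry the clearances and classification given on the slides; the numeric ranks in LEVELS, the object DocB, the matrix entries and all function names are assumptions made for this example.

```python
"""Added example (not from the slides): the expanded Bell-LaPadula model
(levels plus categories) on top of a discretionary access-control matrix, with
a state monitor that illustrates the Basic Security Theorem. Alice, Bob and
DocA are the slides' values; LEVELS ranks, DocB and matrix entries are ours."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Linear ordering l_0 < l_1 < ... < l_{k-1}; the numeric ranks are constructed.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class SecurityLevel:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dom(self, other: "SecurityLevel") -> bool:
        """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
        return (LEVELS[other.level] <= LEVELS[self.level]
                and other.categories <= self.categories)

# Discretionary part: the access-control matrix keyed by (subject, object).
# A row is a subject's capability list; a column is an object's ACL.
Matrix = Dict[Tuple[str, str], str]
Access = Tuple[str, str, str]  # (subject, object, mode) with mode "R" or "W"

def acl(matrix: Matrix, obj: str) -> Dict[str, str]:
    """Column view: which subjects hold which rights on obj."""
    return {s: r for (s, o), r in matrix.items() if o == obj}

def capabilities(matrix: Matrix, subj: str) -> Dict[str, str]:
    """Row view: which rights subj holds on each object."""
    return {o: r for (s, o), r in matrix.items() if s == subj}

@dataclass
class BLPSystem:
    clearance: Dict[str, SecurityLevel]       # L(S)
    classification: Dict[str, SecurityLevel]  # L(O)
    matrix: Matrix
    state: Set[Access] = field(default_factory=set)  # accesses in effect

    def simple_security(self, s: str, o: str) -> bool:
        """S can read O iff S dom O and S has discretionary read access to O."""
        return (self.clearance[s].dom(self.classification[o])
                and "R" in self.matrix.get((s, o), ""))

    def star_property(self, s: str, o: str) -> bool:
        """S can write O iff O dom S and S has discretionary write access to O."""
        return (self.classification[o].dom(self.clearance[s])
                and "W" in self.matrix.get((s, o), ""))

    def is_secure(self, state: Optional[Set[Access]] = None) -> bool:
        """The policy's partition of states: secure iff every access in effect
        satisfies the condition for its mode."""
        state = self.state if state is None else state
        return all(self.simple_security(s, o) if m == "R" else self.star_property(s, o)
                   for s, o, m in state)

    def request(self, s: str, o: str, m: str) -> bool:
        """One state transformation: grant only if the resulting state is
        secure, so the transformation preserves both properties."""
        if m not in ("R", "W"):
            raise ValueError("mode must be 'R' or 'W'")
        candidate = self.state | {(s, o, m)}
        if not self.is_secure(candidate):
            return False
        self.state = candidate
        return True

def build_system() -> BLPSystem:
    """Alice, Bob and DocA as on the slides; DocB and the matrix are constructed."""
    return BLPSystem(
        clearance={"Alice": SecurityLevel("SECRET", frozenset({"EUR"})),
                   "Bob": SecurityLevel("TOP SECRET", frozenset({"NUC", "US"}))},
        classification={"DocA": SecurityLevel("CONFIDENTIAL", frozenset({"EUR"})),
                        "DocB": SecurityLevel("TOP SECRET", frozenset({"NUC", "EUR", "US"}))},
        matrix={("Alice", "DocA"): "RW", ("Alice", "DocB"): "W",
                ("Bob", "DocA"): "R", ("Bob", "DocB"): "RW"},
    )

def run_requests(system: BLPSystem, requests: List[Access]) -> List[bool]:
    """Feed requests through the monitor. Starting from a secure sigma_0, every
    sigma_i stays secure (the Basic Security Theorem), checked after each step."""
    assert system.is_secure()
    results = []
    for s, o, m in requests:
        results.append(system.request(s, o, m))
        assert system.is_secure()
    return results

if __name__ == "__main__":
    system = build_system()
    reqs = [("Alice", "DocA", "R"), ("Alice", "DocA", "W"), ("Bob", "DocA", "R"),
            ("Alice", "DocB", "W"), ("Bob", "DocB", "R"), ("Bob", "DocB", "W")]
    for req, ok in zip(reqs, run_requests(system, reqs)):
        print(req, "granted" if ok else "denied")
```

Running the sequence shows the points the slides make: Alice may read DocA (SECRET dominates CONFIDENTIAL and {EUR} ⊆ {EUR}) but not write it (no-write-down); Bob is denied DocA even with a higher clearance, because the category {EUR} is not within his {NUC, US} (need to know); Alice may write DocB without being able to read it (no-read-up); and the matrix is a second gate, so a dom check that passes still fails without the discretionary right. Because `request` only ever moves to a state that `is_secure` accepts, the assertions in `run_requests` never fire, which is the theorem's claim for this set of transformations.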
