Multilevel Security: Different security levels for resources (PDF document)

7/10 - 05 Distributed systems - Jonny Pettersson, UmU 1

Last time

  • Introduction
  • Threat analysis
  • Introduction to access control matrix

(Security lifecycle diagram on the slide: Threats → Policy → Specification → Design → Implementation → Operation and Maintenance)

Security in the Course

  • Lectures
    – Introduction
    – Threat analysis
    – Introduction to access control matrix
    – Security policies (today)
    – Cryptography
    – Key management
    – Authentication
    – Design principles
    – Access control mechanisms
    – Assurance
    – The future
  • Literature

Today

  • Multilevel and multilateral security
  • Security policies
  • Confidentiality Policies

– The Bell-LaPadula Model

  • Integrity Policies

– The Biba Integrity Model

  • Hybrid Policies

– The Chinese Wall Model


Multilevel Security

  • Different security levels for resources
  • Important systems
    – A lot of research has been done
    – Products built for military applications can get a second chance as firewalls, web servers, etc.
    – Often applied in the wrong context and in the wrong way

Multilateral Security

  • To protect information from leaking between compartments on the same level
  • Different types
    – Organizations
    – Privilege-based
    – A mix

Security Policy

  • Purpose and goal
  • A foundation for the choice of security mechanisms
  • Who is responsible for what
  • What is allowed and what is not allowed
  • Why the policy looks the way it does – important!

A security policy defines “secure” for a system or a set of systems.

Security Policy

  • Def. A security policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or nonsecure, states.
  • Def. A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.
  • Def. A breach of security occurs when a system enters an unauthorized state.

Confidentiality

  • Def. Let X be a set of entities and let I be some information. Then I has the property of confidentiality with respect to X if no member of X can obtain information about I.

Integrity

  • Def. Let X be a set of entities and let I be some information or a resource. Then I has the property of integrity with respect to X if all members of X trust I.

Availability

  • Def. Let X be a set of entities and let I be a resource. Then I has the property of availability with respect to X if all members of X can access I.

Types of security policies

  • Confidentiality policy
    – Identifies those states that can leak information
  • Integrity policy
    – Identifies authorized ways in which information may be altered and entities authorized to alter it
  • Formal statement of the policy
    – Required if the system is to be provably secure
  • In practice
    – Informal statements that assume the reader understands the context in which the policy is issued

Security Mechanism and Model

  • Def. A security mechanism is an entity or procedure that enforces some part of the security policy.
  • Def. A security model is a model that represents a particular policy or set of policies.

Types of security policies

  • Def. A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
  • Def. A commercial security policy is a security policy developed primarily to provide integrity.
  • Def. A confidentiality policy is a security policy dealing only with confidentiality.
  • Def. An integrity policy is a security policy dealing only with integrity.

The Role of Trust

  • An example: a system administrator receives a security patch
    – Assumes that the patch came from the vendor and was not tampered with in transit
    – Assumes that the vendor tested the patch thoroughly
    – Assumes that the vendor’s test environment corresponds to her environment
    – Assumes that the patch is installed correctly
  • Any security policy, mechanism, or procedure is based on assumptions

Types of Access Control

  • Def. If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called an identity-based access control (IBAC).
  • Def. When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC), occasionally called a rule-based access control.
  • Def. An originator controlled access control (ORCON or ORGCON) bases access on the creator of an object (or the information it contains).

Discretionary Access Control

Access control matrix for the objects Foo and Bar. A column (all rights to one object) is that object’s ACL; a row (all rights of one subject) is that subject’s capability list.

            Foo    Bar
  Sam       RWX    RWX
  Alice     --X    --X
  Bob       R-X    R--

Confidentiality Policies

  • Common in military systems
  • Also called information flow policy
  • Models
    – The Bell-LaPadula Model
    – Extensions of the Bell-LaPadula Model

The Bell-LaPadula Security Policy Model

  • The simplest and best known, 1973
  • Trusted Computing Base (TCB)
    – The set of components you trust
  • Classification and clearance
  • Information flow control
    – No process can read information on a higher level: no-read-up
    – No process can write information to a lower level: no-write-down

The Bell-LaPadula Model

  • Classify information
    – An object has a security classification
    – Classifications form a linear ordering
  • A subject has a security clearance
    – Also in a linear ordering: the higher the clearance, the more sensitive the information the subject may access
  • The goal is to prevent read access to objects at a security classification higher than the subject’s clearance
  • Combines mandatory and discretionary access control

The Bell-LaPadula Model

  • Notation
    – L(S) = l_s : security clearance of subject S
    – L(O) = l_o : security classification of object O
  • Linear ordering
    – For all security classifications l_i, i = 0, ..., k – 1: l_i < l_{i+1}
  • Simple Security Condition (preliminary): S can read O iff l_o ≤ l_s and S has discretionary read access to O.
  • *-property (preliminary): S can write O iff l_s ≤ l_o and S has discretionary write access to O.

Expanding The Bell-LaPadula Model

  • Add categories
    – From the “need to know” principle
  • Example
    – Categories NUC, EUR and US give these combinations:
      {}, {NUC}, {EUR}, {US}, {NUC, EUR}, {NUC, US}, {EUR, US} and {NUC, EUR, US}
    – Alice is cleared into: (SECRET, {EUR})
    – Bob: (TOP SECRET, {NUC, US})
    – DocA is classified as: (CONFIDENTIAL, {EUR})

Expanding The Bell-LaPadula Model

  • Def. The security level (L, C) dominates (dom) the security level (L', C') iff L' ≤ L and C' ⊆ C.
  • Simple Security Condition: S can read O iff S dom O and S has discretionary read access to O.
  • *-property: S can write O iff O dom S and S has discretionary write access to O.
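The dominance relation and the two conditions above, as an added example that is not part of the lecture slides. It encodes the slide's Alice, Bob and DocA, adds a constructed TOP SECRET "Report" object and a small discretionary access matrix (the DAC half of Bell-LaPadula), and shows why Bob, despite his higher classification, cannot read DocA: his category set does not cover {EUR}, so the two levels are incomparable in the lattice.

```python
# Added example (not from the lecture slides): Bell-LaPadula with categories.
# A security level is (classification, categories) and "dom" is the lattice
# order from the slides. Reads and writes additionally require discretionary
# permission, modelled as a small (subject, object) -> rights matrix.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Linear ordering of classifications; list index is the rank (constructed).
CLASSIFICATIONS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {c: i for i, c in enumerate(CLASSIFICATIONS)}


@dataclass(frozen=True)
class Level:
    classification: str
    categories: FrozenSet[str]

    def dom(self, other: "Level") -> bool:
        """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
        return (RANK[other.classification] <= RANK[self.classification]
                and other.categories <= self.categories)


def level(classification: str, *categories: str) -> Level:
    if classification not in RANK:
        raise ValueError(f"unknown classification {classification!r}")
    return Level(classification, frozenset(categories))


class BLPMonitor:
    """Reference monitor enforcing the simple security condition and the
    *-property on top of a discretionary access matrix."""

    def __init__(self) -> None:
        self.clearance: Dict[str, Level] = {}
        self.classification: Dict[str, Level] = {}
        self.dac: Dict[Tuple[str, str], Set[str]] = {}  # (subject, object) -> rights

    def add_subject(self, name: str, lvl: Level) -> None:
        self.clearance[name] = lvl

    def add_object(self, name: str, lvl: Level) -> None:
        self.classification[name] = lvl

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self.dac.setdefault((subject, obj), set()).update(rights)

    def _has_dac(self, subject: str, obj: str, right: str) -> bool:
        return right in self.dac.get((subject, obj), set())

    def can_read(self, subject: str, obj: str) -> bool:
        """Simple security condition: S dom O and discretionary read access."""
        s, o = self.clearance[subject], self.classification[obj]
        return s.dom(o) and self._has_dac(subject, obj, "r")

    def can_write(self, subject: str, obj: str) -> bool:
        """*-property: O dom S (no write-down) and discretionary write access."""
        s, o = self.clearance[subject], self.classification[obj]
        return o.dom(s) and self._has_dac(subject, obj, "w")


def build_example() -> BLPMonitor:
    """The slide's Alice, Bob and DocA, plus a constructed TOP SECRET report.
    DAC grants are deliberately generous so the mandatory rules decide."""
    m = BLPMonitor()
    m.add_subject("Alice", level("SECRET", "EUR"))
    m.add_subject("Bob", level("TOP SECRET", "NUC", "US"))
    m.add_object("DocA", level("CONFIDENTIAL", "EUR"))
    m.add_object("Report", level("TOP SECRET", "NUC", "EUR"))  # constructed
    for s in ("Alice", "Bob"):
        for o in ("DocA", "Report"):
            m.grant(s, o, "r", "w")
    return m


if __name__ == "__main__":
    m = build_example()
    for s in ("Alice", "Bob"):
        for o in ("DocA", "Report"):
            print(f"{s:5} {o:6} read={m.can_read(s, o)!s:5} write={m.can_write(s, o)}")
```

Alice may read DocA and may write up into Report but not read it; Bob can neither read nor write either object, because {EUR} is not a subset of {NUC, US} in one direction and {NUC, US} is not a subset of {NUC, EUR} in the other. Revoking a DAC right blocks access even where the lattice would permit it.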

The Basic Security Theorem

  • Theorem. Let Σ be a system with a secure initial state σ0, and let T be a set of state transformations. If every element of T preserves the simple security condition and the *-property, then every σi, i ≥ 0, is secure.

Criticism of the Bell-LaPadula Model

  • The principle of tranquility states that subjects and objects may not change their security levels once they have been instantiated
  • The Bell-LaPadula model (as presented) says nothing about changing security levels
  • Strong and weak tranquility
  • There are other controversies as well
  • But still the simplest, and yet so hard to implement

Integrity Policies

  • Commercial requirements differ from military ones
  • 1. Users will not write their own programs, but will use existing production programs and databases
  • 2. Programmers will develop and test programs on a nonproduction system
  • 3. A special process must be followed to install a program from the development system onto the production system
  • 4. The special process in (3) must be controlled and audited
  • 5. The managers and auditors must have access to both the system state and the system logs that are generated
  • Accuracy is much more important than preventing disclosure

Integrity Policies

  • Principles of Operation
    – Separation of duty
    – Separation of function
    – Auditing
  • Models
    – Biba Integrity Model
    – Lipner’s Integrity Matrix Model
    – Clark-Wilson Integrity Model

The Biba Integrity Model

  • Bell-LaPadula upside down
  • Handles integrity and ignores confidentiality
  • Read-up, write-down (no read-down, no write-up)
  • Many “real” systems use this model

The Biba Integrity Model

  • A system consists of a set S of subjects, a set O of objects, and a set I of integrity levels
    – The integrity levels are ordered
    – The higher the level, the more confidence that a program will execute correctly
    – Data at a higher level is more accurate and/or reliable than data at a lower level

The Biba Integrity Model

  • Functions:
    – min: I × I → I, gives the lesser of two integrity levels
    – i: S ∪ O → I, returns the integrity level of a subject or object
  • Relations:
    – r ⊆ S × O, defines the ability of a subject to read an object
    – w ⊆ S × O, defines the ability of a subject to write to an object
    – x ⊆ S × S, defines the ability of a subject to invoke (execute) another subject

The Biba Integrity Model

  • Low-Water-Mark Policy
    1. s ∈ S can write to o ∈ O iff i(o) ≤ i(s)
    2. If s ∈ S reads o ∈ O, then i'(s) = min(i(s), i(o)), where i'(s) is the subject's integrity level after the read
    3. s1 ∈ S can execute s2 ∈ S iff i(s2) ≤ i(s1)

The Biba Integrity Model

  • Ring Policy
    1. Any subject may read any object, regardless of integrity levels
    2. s ∈ S can write to o ∈ O iff i(o) ≤ i(s)
    3. s1 ∈ S can execute s2 ∈ S iff i(s2) ≤ i(s1)

The Biba Integrity Model

  • Biba’s Model (Strict Integrity Policy)
    1. s ∈ S can read o ∈ O iff i(s) ≤ i(o)
    2. s ∈ S can write to o ∈ O iff i(o) ≤ i(s)
    3. s1 ∈ S can execute s2 ∈ S iff i(s2) ≤ i(s1)
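The three Biba policies side by side, as an added example that is not part of the lecture slides. Integrity levels are integers (higher = more trusted), a constructed choice since the slides only require an ordered set I; the "updater" and "browser" subjects and the two objects are likewise constructed. The scenario is the classic contamination case: a high-integrity subject reads low-integrity data and then tries to write a high-integrity object. The strict policy refuses the read, the ring policy allows both and relies on the subject to sanitize what it read, and the low-water-mark policy allows the read but drops the subject's level so the later write is refused.

```python
# Added example (not from the lecture slides): strict, ring and
# low-water-mark Biba policies on one small system.
from typing import Dict, Tuple


class BibaSystem:
    def __init__(self, subjects: Dict[str, int], objects: Dict[str, int], policy: str) -> None:
        if policy not in ("strict", "ring", "low-water-mark"):
            raise ValueError(f"unknown policy {policy!r}")
        self.i_s = dict(subjects)   # i(s): current integrity level of each subject
        self.i_o = dict(objects)    # i(o): integrity level of each object
        self.policy = policy

    def read(self, s: str, o: str) -> bool:
        """Rule 1 of each policy. Returns whether the read is permitted; under
        low-water-mark a permitted read sets i'(s) = min(i(s), i(o))."""
        if self.policy == "strict" and not (self.i_s[s] <= self.i_o[o]):
            return False                          # strict: no read-down
        if self.policy == "low-water-mark":
            self.i_s[s] = min(self.i_s[s], self.i_o[o])
        return True                               # ring: any subject reads any object

    def write(self, s: str, o: str) -> bool:
        """Common to all three policies: s can write o iff i(o) <= i(s)."""
        return self.i_o[o] <= self.i_s[s]

    def execute(self, s1: str, s2: str) -> bool:
        """Common to all three policies: s1 can execute s2 iff i(s2) <= i(s1)."""
        return self.i_s[s2] <= self.i_s[s1]


def contamination_demo(policy: str) -> Tuple[bool, bool, int]:
    """A trusted updater reads an untrusted download, then tries to write the
    system configuration. Returns (read allowed, write allowed, final i(updater)).
    Subjects, objects and levels are constructed for this example."""
    system = BibaSystem(
        subjects={"updater": 3, "browser": 1},
        objects={"sys_config": 3, "download": 1},
        policy=policy,
    )
    read_ok = system.read("updater", "download")
    write_ok = system.write("updater", "sys_config")
    return read_ok, write_ok, system.i_s["updater"]


if __name__ == "__main__":
    for p in ("strict", "ring", "low-water-mark"):
        print(f"{p:15} (read, write, final level) = {contamination_demo(p)}")
```

Note that under low-water-mark the subject's level never recovers within the session: once the updater has touched the download it stays at level 1, which is exactly why real systems pair this policy with a way to re-launch trusted subjects at full integrity.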

Hybrid Policies

  • Many organizations desire both confidentiality and integrity
  • Conflict of interest
    – Chinese Wall Model
  • Medical ethics and laws about dissemination of patient data
    – Clinical Information Systems
  • Originator controlled access control
    – Lets the creator determine (or assign) who should access the data and how
  • Role-based access control
    – The ability, or need, to access information may depend on one’s job functions

The Chinese Wall Model

  • To prevent a conflict of interest
    – Example: an investment house, where information about companies is stored in a database
  • Definitions
    – The objects of the database are items of information related to a company.
    – A company dataset (CD) contains objects related to a single company.
    – A conflict of interest (COI) class contains the datasets of companies in competition.

The Chinese Wall Model

  • History is important
  • PR(S) is the set of objects that S has read
  • CW-Simple Security Condition. S can read O iff any of the following holds.
    1. There is an object O' such that S has accessed O' and CD(O') = CD(O).
    2. For all objects O', O' ∈ PR(S) ⇒ COI(O') ≠ COI(O).
    3. Object O is a sanitized object.

The Chinese Wall Model

  • CW-*-property. A subject S may write to an object O iff both of the following conditions hold.
    1. The CW-simple security condition permits S to read O.
    2. For all unsanitized objects O', S can read O' ⇒ CD(O') = CD(O).
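The CW-simple security condition and the CW-*-property as a history-tracking reference monitor, an added example that is not part of the lecture slides. The companies (two banks in one COI class, an oil company in another), the sanitized market report and the analyst "alice" are constructed for the example. It walks one analyst through the wall and shows the strict consequence of the *-property: writes are only possible while the only unsanitized data the subject could read belongs to a single company dataset, so as soon as a second COI class becomes readable the write is refused even though the subject has not read it.

```python
# Added example (not from the lecture slides): Chinese Wall reference monitor
# with explicit company datasets, COI classes and per-subject history PR(S).
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Obj:
    name: str
    cd: str              # company dataset CD(O)
    coi: str             # conflict-of-interest class COI(O)
    sanitized: bool = False


class ChineseWall:
    def __init__(self) -> None:
        self.objects: Dict[str, Obj] = {}
        self.pr: Dict[str, Set[str]] = {}   # PR(S): names of objects S has read

    def add(self, o: Obj) -> None:
        self.objects[o.name] = o

    def _history(self, s: str) -> Set[Obj]:
        return {self.objects[n] for n in self.pr.get(s, set())}

    def can_read(self, s: str, name: str) -> bool:
        """CW-simple security condition (rules 3, 1, 2 of the slide)."""
        o = self.objects[name]
        if o.sanitized:                                   # rule 3
            return True
        history = self._history(s)
        if any(p.cd == o.cd for p in history):            # rule 1: same CD as before
            return True
        return all(p.coi != o.coi for p in history)       # rule 2: no COI conflict

    def read(self, s: str, name: str) -> bool:
        """Perform a read: enforce the condition and record it in PR(S)."""
        ok = self.can_read(s, name)
        if ok:
            self.pr.setdefault(s, set()).add(name)
        return ok

    def can_write(self, s: str, name: str) -> bool:
        """CW-*-property: S can read O, and every unsanitized object S can
        read lies in the same CD as O."""
        o = self.objects[name]
        if not self.can_read(s, name):
            return False
        return all(p.cd == o.cd
                   for p in self.objects.values()
                   if not p.sanitized and self.can_read(s, p.name))


def analyst_session() -> Dict[str, bool]:
    """One analyst's session against constructed data; returns each decision."""
    cw = ChineseWall()
    cw.add(Obj("bankA_ledger", cd="BankA", coi="banks"))
    cw.add(Obj("bankB_ledger", cd="BankB", coi="banks"))
    cw.add(Obj("market_report", cd="BankA", coi="banks", sanitized=True))
    r: Dict[str, bool] = {}
    r["read_bankA"] = cw.read("alice", "bankA_ledger")        # empty history: allowed
    r["read_bankB"] = cw.read("alice", "bankB_ledger")        # same COI, other CD: refused
    r["read_report"] = cw.read("alice", "market_report")      # sanitized: allowed
    r["read_bankA_again"] = cw.read("alice", "bankA_ledger")  # same CD: allowed
    r["write_bankA"] = cw.can_write("alice", "bankA_ledger")  # BankA is the only readable CD
    r["write_bankB"] = cw.can_write("alice", "bankB_ledger")  # cannot even read it
    cw.add(Obj("oilX_reserves", cd="OilX", coi="oil"))        # a second COI class appears
    r["read_oilX"] = cw.can_read("alice", "oilX_reserves")    # no conflict with banks
    r["write_bankA_after_oil"] = cw.can_write("alice", "bankA_ledger")  # OilX readable: refused
    return r


if __name__ == "__main__":
    for step, allowed in analyst_session().items():
        print(f"{step:25} {'allowed' if allowed else 'refused'}")
```

The last decision is the one practitioners tend to find surprising: alice never read the oil dataset, but because the simple condition would let her, writing to BankA could become a channel from OilX into BankA, so the *-property forbids it.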

Summary

  • Multilevel and multilateral security
  • Security policies
  • Confidentiality Policies

– The Bell-LaPadula Model

  • Integrity Policies

– The Biba Integrity Model

  • Hybrid Policies

– The Chinese Wall Model


Next Time

  • Cryptography
  • Key management
  • Authentication