April 17: Policy Limits on secure and precise mechanisms - PowerPoint PPT Presentation


1. April 17: Policy
• Limits on secure and precise mechanisms
• Bell-LaPadula confidentiality model
• Tranquility
• Declassification
• McLean’s criticism and System Z
April 17, 2017 ECS 235B Spring Quarter 2017 Slide #1

2. Types of Mechanisms
[Figure: diagram relating the set of reachable states to the set of secure states, with the mechanism types labelled secure, precise, and broad]

3. Secure, Precise Mechanisms
• Can one devise a procedure for developing a mechanism that is both secure and precise?
  – Consider confidentiality policies only here
  – Integrity policies produce the same result
• Program: a function with multiple inputs and one output
  – Let p be a function p : I_1 × ... × I_n → R. Then p is a program with n inputs i_k ∈ I_k, 1 ≤ k ≤ n, and one output r ∈ R

4. Programs and Postulates
• Observability Postulate: the output of a function encodes all available information about its inputs
  – Covert channels considered part of the output
• Example: authentication function
  – Inputs name, password; output Good or Bad
  – If name invalid, immediately print Bad; else access database
  – Problem: from the time at which Bad is output, one can determine whether the name is valid
  – This means timing is part of the output

5. Protection Mechanism
• Let p be a function p : I_1 × ... × I_n → R. A protection mechanism m is a function m : I_1 × ... × I_n → R ∪ E for which, when i_k ∈ I_k, 1 ≤ k ≤ n, either
  – m(i_1, ..., i_n) = p(i_1, ..., i_n) or
  – m(i_1, ..., i_n) ∈ E
• E is the set of error outputs
  – In the above example, E = { “Password Database Missing”, “Password Database Locked” }

6. Confidentiality Policy
• Confidentiality policy for program p says which inputs can be revealed
  – Formally, for p : I_1 × ... × I_n → R, it is a function c : I_1 × ... × I_n → A, where A ⊆ I_1 × ... × I_n
  – A is the set of inputs available to the observer
• Security mechanism is a function m : I_1 × ... × I_n → R ∪ E
  – m is secure if and only if ∃ m′ : A → R ∪ E such that, ∀ i_k ∈ I_k, 1 ≤ k ≤ n, m(i_1, ..., i_n) = m′(c(i_1, ..., i_n))
  – m returns values consistent with c

7. Examples
• c(i_1, ..., i_n) = C, a constant
  – Deny observer any information (output does not vary with inputs)
• c(i_1, ..., i_n) = (i_1, ..., i_n), and m′ = m
  – Allow observer full access to information
• c(i_1, ..., i_n) = i_1
  – Allow observer information about the first input but no information about the other inputs

8. Precision
• Security policy may be over-restrictive
  – Precision measures how over-restrictive
• m_1, m_2 distinct protection mechanisms for program p under policy c
  – m_1 as precise as m_2 (m_1 ≈ m_2) if, for all inputs i_1, …, i_n, m_2(i_1, …, i_n) = p(i_1, …, i_n) ⇒ m_1(i_1, …, i_n) = p(i_1, …, i_n)
  – m_1 more precise than m_2 (m_1 ~ m_2) if there is an input (i_1′, …, i_n′) such that m_1(i_1′, …, i_n′) = p(i_1′, …, i_n′) and m_2(i_1′, …, i_n′) ≠ p(i_1′, …, i_n′)

9. Combining Mechanisms
• m_1, m_2 protection mechanisms
• m_3 = m_1 ∪ m_2
  – For inputs on which m_1 and m_2 return the same value as p, m_3 does also; otherwise, m_3 returns the same value as m_1
• Theorem: if m_1, m_2 secure, then m_3 secure
  – Also, m_3 ≈ m_1 and m_3 ≈ m_2
  – Follows from the definitions of secure, precise, and m_3

10. Existence Theorem
• For any program p and security policy c, there exists a precise, secure mechanism m* such that, for all secure mechanisms m associated with p and c, m* ≈ m
  – Maximally precise mechanism
  – Ensures security
  – Minimizes the number of denials of legitimate actions
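As an added example (not from the slides), the definitions of slides 4 through 10 carried out in Python over a constructed two-input authentication program: timing is folded into p's output as the observability postulate requires, and three candidate mechanisms are checked for being protection mechanisms, for security under a policy c, and for relative precision, including the union m_3 = m_1 ∪ m_2 of slide 9 (read as: m_3 agrees with p on every input where either m_1 or m_2 does, the reading under which the stated precision claims hold). The user table, input sets and policy c are constructed for illustration.

```python
from itertools import product

# Constructed toy of slide 4's authentication program. By the observability
# postulate timing is part of the output, so p returns (message, time units):
# an unknown name is rejected immediately (1), otherwise the database is read (2).
USERS = {"alice": "s3cret"}                                        # constructed
INPUTS = list(product(["alice", "mallory"], ["s3cret", "guess"]))  # I_1 x I_2
E = {"Password Database Locked"}                                   # error outputs (slide 5)

def p(name, pw):
    if name not in USERS:
        return ("Bad", 1)
    return ("Good" if USERS[name] == pw else "Bad", 2)

def c(name, pw):
    """Constructed policy: a successful login may reveal its own inputs; every
    failed attempt maps to the same element of A, i.e. may reveal nothing."""
    return (name, pw) if USERS.get(name) == pw else ("", "")

def is_mechanism(m, inputs=INPUTS):
    """Slide 5: on every input m returns p's value or an error output."""
    return all(m(*i) == p(*i) or m(*i) in E for i in inputs)

def is_secure(m, policy=c, inputs=INPUTS):
    """Slide 6: an m' with m(i) = m'(c(i)) exists iff inputs with equal c(i)
    always produce equal m(i)."""
    seen = {}
    return all(seen.setdefault(policy(*i), m(*i)) == m(*i) for i in inputs)

def as_precise(m1, m2, inputs=INPUTS):
    """Slide 8: m1 as precise as m2 iff m2 = p on an input implies m1 = p there."""
    return all(m1(*i) == p(*i) for i in inputs if m2(*i) == p(*i))

def more_precise(m1, m2, inputs=INPUTS):
    """Slide 8: some input where m1 agrees with p and m2 does not."""
    return any(m1(*i) == p(*i) != m2(*i) for i in inputs)

def union(m1, m2):
    """Slide 9: m3 agrees with p wherever m1 or m2 does, else follows m1."""
    return lambda *i: p(*i) if p(*i) in (m1(*i), m2(*i)) else m1(*i)

def m_leaky(name, pw):     # runs p as is: the fast "Bad" reveals whether the name exists
    return p(name, pw)

def m_deny(name, pw):      # always errors: secure under any c, but imprecise
    return "Password Database Locked"

def m_guarded(name, pw):   # p on valid logins, one uniform error otherwise
    return p(name, pw) if USERS.get(name) == pw else "Password Database Locked"
```

m_leaky is the most precise of the three but not secure under c, while m_guarded is both secure and as precise as the secure m_deny, the situation slide 10's existence theorem describes.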

11. Lack of Effective Procedure
• There is no effective procedure that determines a maximally precise, secure mechanism for any policy and program.
  – Sketch of proof: let policy c be a constant function, and p compute function T(x). Assume T(x) = 0. Consider program q, where q is
    p; if z = 0 then y := 1 else y := 2; halt;

12. Rest of Sketch
• m associated with q, y the value of m, z the output of p corresponding to T(x)
• ∀x [T(x) = 0] → m(x) = 1
• ∃x′ [T(x′) ≠ 0] → m(x′) = 2 or m(x′) ↑
• If you can determine m, you can determine whether T(x) = 0 for all x
• Determines some information about the input (is it 0?)
• Contradicts constancy of c.
• Therefore no such procedure exists

13. Key Points
• Policies describe what is allowed
• Mechanisms control how policies are enforced
• Trust underlies everything

14. Confidentiality Policy
• Goal: prevent the unauthorized disclosure of information
  – Deals with information flow
  – Integrity incidental
• Multi-level security models are the best-known examples
  – Bell-LaPadula Model is the basis for many, or most, of these

15. Bell-LaPadula Model, Step 1
• Security levels arranged in a linear ordering
  – Top Secret: highest
  – Secret
  – Confidential
  – Unclassified: lowest
• Subjects have security clearance L(s)
  – Objects have security classification L(o)

16. Example
security level   subject   object
Top Secret       Tamara    Personnel Files
Secret           Samuel    E-Mail Files
Confidential     Claire    Activity Logs
Unclassified     Ulaley    Telephone Lists
• Tamara can read all files
• Claire cannot read Personnel or E-Mail Files
• Ulaley can only read Telephone Lists

17. Reading Information
• Information flows up, not down
  – “Reads up” disallowed, “reads down” allowed
• Simple Security Condition (Step 1)
  – Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o
• Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called the “no reads up” rule

18. Writing Information
• Information flows up, not down
  – “Writes up” allowed, “writes down” disallowed
• *-Property (Step 1)
  – Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o
• Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called the “no writes down” rule

19. Basic Security Theorem, Step 1
• If a system is initially in a secure state, and every transition of the system satisfies the simple security condition, step 1, and the *-property, step 1, then every state of the system is secure
  – Proof: induct on the number of transitions

20. Bell-LaPadula Model, Step 2
• Expand the notion of security level to include categories
• Security level is (clearance, category set)
• Examples
  – (Top Secret, {NUC, EUR, ASI})
  – (Confidential, {EUR, ASI})
  – (Secret, {NUC, ASI})

21. Levels and Lattices
• (A, C) dom (A′, C′) iff A′ ≤ A and C′ ⊆ C
• Examples
  – (Top Secret, {NUC, ASI}) dom (Secret, {NUC})
  – (Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
  – (Top Secret, {NUC}) ¬dom (Confidential, {EUR})
• Let C be the set of classifications, K the set of categories. The set of security levels L = C × K with dom forms a lattice
  – lub(L) = (max(A), C)
  – glb(L) = (min(A), ∅)

22. Levels and Ordering
• Security levels are partially ordered
  – Any pair of security levels may (or may not) be related by dom
• “dominates” serves the role of “greater than” in step 1
  – “greater than” is a total ordering, though

23. Reading Information
• Information flows up, not down
  – “Reads up” disallowed, “reads down” allowed
• Simple Security Condition (Step 2)
  – Subject s can read object o iff L(s) dom L(o) and s has permission to read o
• Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called the “no reads up” rule

24. Writing Information
• Information flows up, not down
  – “Writes up” allowed, “writes down” disallowed
• *-Property (Step 2)
  – Subject s can write object o iff L(o) dom L(s) and s has permission to write o
• Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called the “no writes down” rule
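As an added example (not part of the slides), the dom relation and lattice bounds of slide 21 together with the step-2 read and write rules of slides 23 and 24, run over the subjects and objects of slide 16; step 1 is the special case of empty category sets. The permission table and the one revoked read permission are constructed to show the discretionary half of each rule alongside the mandatory half.

```python
# Constructed Bell-LaPadula checker: a security level is (clearance, category set).
CLEARANCES = ["Unclassified", "Confidential", "Secret", "Top Secret"]  # lowest to highest
RANK = {name: i for i, name in enumerate(CLEARANCES)}

def dom(level, other):
    """Slide 21: (A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
    (a, cats), (a2, cats2) = level, other
    return RANK[a2] <= RANK[a] and cats2 <= cats

def lub(l1, l2):
    """Least upper bound of two levels in the lattice C x K."""
    return (max(l1[0], l2[0], key=RANK.get), frozenset(l1[1] | l2[1]))

def glb(l1, l2):
    """Greatest lower bound of two levels in the lattice C x K."""
    return (min(l1[0], l2[0], key=RANK.get), frozenset(l1[1] & l2[1]))

# Slide 16's subjects and objects (step 1: no categories).
SUBJECTS = {"Tamara": ("Top Secret", frozenset()), "Samuel": ("Secret", frozenset()),
            "Claire": ("Confidential", frozenset()), "Ulaley": ("Unclassified", frozenset())}
OBJECTS = {"Personnel Files": ("Top Secret", frozenset()), "E-Mail Files": ("Secret", frozenset()),
           "Activity Logs": ("Confidential", frozenset()), "Telephone Lists": ("Unclassified", frozenset())}

# Discretionary control, constructed: everyone is granted everything except one
# revoked read, so the remaining decisions come from the mandatory rules alone.
PERMS = {(s, o): {"read", "write"} for s in SUBJECTS for o in OBJECTS}
PERMS[("Samuel", "Activity Logs")] = {"write"}   # Samuel's level dominates, but read is revoked

def can_read(s, o):
    """Simple security condition (step 2): L(s) dom L(o) and s has read permission."""
    return dom(SUBJECTS[s], OBJECTS[o]) and "read" in PERMS.get((s, o), set())

def can_write(s, o):
    """*-property (step 2): L(o) dom L(s) and s has write permission."""
    return dom(OBJECTS[o], SUBJECTS[s]) and "write" in PERMS.get((s, o), set())

def readable_by(s):
    return sorted(o for o in OBJECTS if can_read(s, o))

def writable_by(s):
    return sorted(o for o in OBJECTS if can_write(s, o))
```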
