Computer Security: Last time, Introduction, Threat analysis (PDF document)



SLIDE 1

Computer Security

SLIDE 2

Last time

  • Introduction
  • Threat analysis
  • Introduction to access control matrix

(Figure: Threats, Policy, Specification, Design, Implementation, Operation and Maintenance)

SLIDE 3

Security in the Course

  • Lectures

– Introduction
– Threat analysis
– Introduction to access control matrix
– Security policies (today)
– Cryptography
– Key management
– Authentication
– Design principles
– Access control mechanisms
– Assurance
– The future

  • Literature

SLIDE 4

Today

  • Multilateral and Multilevel security
  • Security policies
  • Confidentiality Policies

– The Bell-LaPadula Model

  • Integrity Policies

– The Biba Integrity Model

  • Hybrid Policies

– The Chinese Wall Model

SLIDE 5

Multilevel Security

  • Different security levels for resources
  • Important systems

– A lot of research is done
– Products for military applications can have a second chance

  • Firewalls, web servers, etc.

– Often applied in the wrong context and in the wrong way

SLIDE 6

Multilateral Security

  • To protect information from leaking between compartments on the same level
  • Different types

– Organizations
– Privilege-based
– A mix

SLIDE 7

Security Policy

  • Purpose and goal
  • A foundation for the choice of security mechanisms
  • Who is responsible for what
  • What is allowed and what is not allowed
  • Why the policy looks like it does – important!

A security policy defines “secure” for a system or a set of systems.

SLIDE 8

Security Policy

  • Def. A security policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or nonsecure, states.
  • Def. A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.
  • Def. A breach of security occurs when a system enters an unauthorized state.

SLIDE 9

Security Policy - Confidentiality

  • Def. Let X be a set of entities and let I be some information. Then I has the property of confidentiality with respect to X if no member of X can obtain information about I.

SLIDE 10

Security Policy - Integrity

  • Def. Let X be a set of entities and let I be some information or a resource. Then I has the property of integrity with respect to X if all members of X trust I.

SLIDE 11

Security Policy - Availability

  • Def. Let X be a set of entities and let I be a resource. Then I has the property of availability with respect to X if all members of X can access I.

SLIDE 12

Security Policy

  • Confidentiality policy

– Identifies those states that can leak information

  • Integrity policy

– Identifies authorized ways in which information may be altered and entities authorized to alter it

  • Formal statement of desired properties

– If the system is to be provably secure

  • In practice

– Informal statements that assume that the reader understands the context in which the policy is issued

SLIDE 13

Security Mechanism and Model

  • Def. A security mechanism is an entity or procedure that enforces some part of the security policy.
  • Def. A security model is a model that represents a particular policy or set of policies.

SLIDE 14

Types of security policies

  • Def. A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
  • Def. A commercial security policy is a security policy developed primarily to provide integrity.
  • Def. A confidentiality policy is a security policy dealing only with confidentiality.
  • Def. An integrity policy is a security policy dealing only with integrity.

SLIDE 15

The Role of Trust

  • An example: A system administrator receives a security patch

– Assumes that the patch came from the vendor and was not tampered with in transit
– Assumes that the vendor tested the patch thoroughly
– Assumes that the vendor’s test environment corresponds to her environment
– Assumes that the patch is installed correctly

  • Any security policy, mechanism, or procedure is based on assumptions

SLIDE 16

Types of Access Control

  • Def. If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called an identity-based access control (IBAC).
  • Def. When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC), occasionally called a rule-based access control.
  • Def. An originator controlled access control (ORCON or ORGCON) bases access on the creator of an object (or the information it contains).

SLIDE 17

Discretionary Access Control

Access matrix (objects Foo and Bar; subjects Sam, Alice and Bob):

          Sam    Alice   Bob
  Foo     RWX    --X     R-X
  Bar     RWX    --X     R--

A row is the ACL of an object; a column is the capability list of a subject.
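As an added illustration (not part of the slides), the matrix above encoded in Python with both views: the ACL of an object is a row, the capability list of a subject is a column, and a discretionary grant changes one cell. The owner assignment (Sam owns Foo and Bar) is an assumption made for this example; the slide does not state who owns the objects.

```python
# Access matrix from slide 17: objects are rows, subjects are columns.
MATRIX = {
    "Foo": {"Sam": "RWX", "Alice": "--X", "Bob": "R-X"},
    "Bar": {"Sam": "RWX", "Alice": "--X", "Bob": "R--"},
}

# Assumption for this example: each object has an owner who may edit its ACL.
OWNERS = {"Foo": "Sam", "Bar": "Sam"}


class DacSystem:
    def __init__(self, matrix, owners):
        # rights[object][subject] is the set of modes held, e.g. {"R", "X"}
        self.rights = {obj: {subj: set(modes.replace("-", "")) for subj, modes in row.items()}
                       for obj, row in matrix.items()}
        self.owners = owners

    def acl(self, obj):
        """ACL view: the matrix row for one object (subjects holding at least one right)."""
        return {subj: set(modes) for subj, modes in self.rights[obj].items() if modes}

    def capabilities(self, subj):
        """Capability view: the matrix column for one subject."""
        return {obj: set(row[subj]) for obj, row in self.rights.items() if row.get(subj)}

    def check(self, subj, obj, mode):
        """Reference-monitor decision for one access request."""
        return mode in self.rights[obj].get(subj, set())

    def grant(self, granter, subj, obj, mode):
        """Discretionary change: only the owner of obj may extend its ACL."""
        if self.owners.get(obj) != granter:
            return False
        self.rights[obj].setdefault(subj, set()).add(mode)
        return True

    def render(self, obj, subj):
        """Return one cell in the slide's RWX notation, e.g. 'R-X'."""
        modes = self.rights[obj].get(subj, set())
        return "".join(m if m in modes else "-" for m in "RWX")


if __name__ == "__main__":
    dac = DacSystem(MATRIX, OWNERS)
    print("ACL(Foo):", dac.acl("Foo"))
    print("Capabilities(Bob):", dac.capabilities("Bob"))
    print("Alice grants Bob write on Bar:", dac.grant("Alice", "Bob", "Bar", "W"))
    print("Sam grants Bob write on Bar:", dac.grant("Sam", "Bob", "Bar", "W"))
    print("Bob on Bar is now", dac.render("Bar", "Bob"))
```

The two views carry the same information; the practical difference is where a change is cheap (revoking Bob everywhere is one pass over the ACLs, listing what Bob holds is one pass over his capabilities).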

SLIDE 18

Confidentiality Policies

  • Common in military systems
  • Also called information flow policy
  • Models

– The Bell-LaPadula Model
– Extensions of the Bell-LaPadula Model

SLIDE 19

The Bell-LaPadula Security Policy Model

  • The simplest and most known, 1973
  • Trusted Computing Base (TCB)

– The set of components you trust

  • Classification and clearance
  • Information flow control

– No process can read information on a higher level – no-read-up
– No process can write information to a lower level – no-write-down

SLIDE 20

The Bell-LaPadula Model

  • Classify information

– A subject has a security clearance
– In a linear ordering: the higher the security clearance, the more sensitive the information
– An object has a security classification
– Also in a linear ordering: Top Secret, Secret, Confidential, Unclassified

  • The goal is to prevent read access to objects at a security classification higher than the subject’s clearance
  • Combines mandatory and discretionary access control

SLIDE 21

The Bell-LaPadula Model

  • Notation

L(S) = l_s : security clearance of subject S
L(O) = l_o : security classification of object O

  • Linear ordering

For all security classifications l_i, i = 0, ..., k – 1: l_i < l_{i+1}

Simple Security Condition (preliminary): S can read O iff l_o ≤ l_s and S has discretionary read access to O.

*-property (preliminary): S can write O iff l_s ≤ l_o and S has discretionary write access to O.

SLIDE 22

Expanding The Bell-LaPadula Model

  • Add categories

From the “need to know” principle

  • Example

Categories NUC, EUR and US give these combinations:
{ }, {NUC}, {EUR}, {US}, {NUC, EUR}, {NUC, US}, {EUR, US} and {NUC, EUR, US}

Alice is cleared into: (TOP SECRET, {NUC, US})
Bob: (SECRET, {EUR})
DocA is classified as: (CONFIDENTIAL, {EUR})
DocB is classified as: (UNCLASSIFIED, {EUR, US})

SLIDE 23

Expanding The Bell-LaPadula Model

  • Def. The security level (L, C) dominates (dom) the security level (L', C') iff L' ≤ L and C' ⊆ C.

Simple Security Condition: S can read O iff S dom O and S has discretionary read access to O.

*-property: S can write O iff O dom S and S has discretionary write access to O.

SLIDE 24

The Basic Security Theorem

  • Theorem. Let Σ be a system with a secure initial state σ0, and let T be a set of state transformations. If every element of T preserves the simple security condition and the *-property, then every σi, i ≥ 0, is secure.
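An added Python model (not from the slides) of slides 21 to 24 together: security levels with categories, the dom relation, the Simple Security Condition and the *-property, and a small state machine that applies the Basic Security Theorem by granting only what the two rules allow and checking after every transition that the state is still secure. The subjects and objects are the slide's example (Alice, Bob, DocA, DocB); DocC and the discretionary part (every subject has discretionary read and write on every document) are assumptions made here so the outcomes are decided by the mandatory rules alone.

```python
from dataclasses import dataclass

# Linear ordering of classifications from the slides, lowest first.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class SecurityLevel:
    """A security level (L, C): a classification L and a set of categories C."""
    level: str
    categories: frozenset

    def dominates(self, other):
        # (L, C) dom (L', C') iff L' <= L and C' is a subset of C
        return (RANK[other.level] <= RANK[self.level]
                and other.categories <= self.categories)


class BlpSystem:
    def __init__(self, subjects, objects, acl):
        self.subjects = subjects   # name -> SecurityLevel (clearance)
        self.objects = objects     # name -> SecurityLevel (classification)
        self.acl = acl             # object -> {subject: set of discretionary modes}

    def has_dac(self, s, o, mode):
        return mode in self.acl.get(o, {}).get(s, set())

    def can_read(self, s, o):
        # Simple Security Condition: S dom O and discretionary read access
        return self.subjects[s].dominates(self.objects[o]) and self.has_dac(s, o, "r")

    def can_write(self, s, o):
        # *-property: O dom S and discretionary write access
        return self.objects[o].dominates(self.subjects[s]) and self.has_dac(s, o, "w")

    def state_is_secure(self, accesses):
        """A state (the set of current accesses) is secure iff every access in it
        satisfies the rule for its mode."""
        return all(self.can_read(s, o) if m == "r" else self.can_write(s, o)
                   for s, o, m in accesses)

    def simulate(self, requests):
        """Apply requests in order, granting only what the two rules allow. The
        initial state (no accesses) is secure and every transition preserves both
        rules, so by the Basic Security Theorem every state reached is secure."""
        current, trace = set(), []
        for s, o, m in requests:
            granted = self.can_read(s, o) if m == "r" else self.can_write(s, o)
            if granted:
                current.add((s, o, m))
            assert self.state_is_secure(current)   # the theorem's guarantee, checked
            trace.append((s, o, m, granted))
        return trace


def lvl(classification, *categories):
    return SecurityLevel(classification, frozenset(categories))


def lecture_system():
    subjects = {"Alice": lvl("TOP SECRET", "NUC", "US"), "Bob": lvl("SECRET", "EUR")}
    objects = {
        "DocA": lvl("CONFIDENTIAL", "EUR"),
        "DocB": lvl("UNCLASSIFIED", "EUR", "US"),
        # DocC is constructed for this example (not on the slides) to show a permitted write-up.
        "DocC": lvl("TOP SECRET", "NUC", "EUR", "US"),
    }
    # Assumption: discretionary read and write for everyone on every document.
    acl = {o: {s: {"r", "w"} for s in subjects} for o in objects}
    return BlpSystem(subjects, objects, acl)


if __name__ == "__main__":
    system = lecture_system()
    for s, o, m, ok in system.simulate([("Bob", "DocA", "r"), ("Alice", "DocA", "r"),
                                        ("Bob", "DocC", "w"), ("Alice", "DocC", "r")]):
        print(f"{s} {'read' if m == 'r' else 'write'} {o}: {'granted' if ok else 'denied'}")
```

Note the result the categories produce: Alice, although cleared TOP SECRET, cannot read the CONFIDENTIAL DocA because {EUR} is not a subset of her categories {NUC, US}; Bob can read it, but cannot write it, since CONFIDENTIAL does not dominate SECRET.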

SLIDE 25

Criticism of the Bell-LaPadula Model

  • The principle of tranquility states that subjects and objects may not change their security levels once they have been instantiated
  • The Bell-LaPadula model (as presented) says nothing about changing security levels
  • Strong and weak tranquility
  • There are other controversies also
  • But still the simplest, and yet so hard to implement

SLIDE 26

Integrity Policies

  • Commercial requirements differ from military
  • 1. Users will not write their own programs, but will use existing production programs and databases
  • 2. Programmers will develop and test programs on a nonproduction system
  • 3. A special process must be followed to install a program from the development system onto the production system
  • 4. The special process in (3) must be controlled and audited
  • 5. The managers and auditors must have access to both the system state and the system logs that are generated
  • Accuracy is much more important than disclosure

SLIDE 27

Integrity Policies

  • Principles of Operation

– Separation of duty
– Separation of function
– Auditing

  • Models

– Biba Integrity Model
– Lipner’s Integrity Matrix Model
– Clark-Wilson Integrity Model

SLIDE 28

The Biba Integrity Model

  • Bell-LaPadula upside down
  • Handles integrity and ignores confidentiality
  • Read-up, write-down
  • Many “real” systems use this model

SLIDE 29

The Biba Integrity Model

  • A system consists of a set S of subjects, a set O of objects, and a set I of integrity levels

The integrity levels are ordered

The higher the level, the more confidence that a program will execute correctly

Data at a higher level is more accurate and/or reliable than data at a lower level

SLIDE 30

The Biba Integrity Model

  • Functions:

min: I × I → I
  • Gives the lesser of the two integrity levels

i: S ∪ O → I
  • Returns the integrity level of a subject or object

  • Relations:

r ⊆ S × O
  • Defines the ability of a subject to read an object

w ⊆ S × O
  • Defines the ability of a subject to write to an object

x ⊆ S × O
  • Defines the ability of a subject to invoke (execute) another subject

SLIDE 31

The Biba Integrity Model

  • Low-Water-Mark Policy

1. s ∈ S can write to o ∈ O iff i(o) ≤ i(s)
2. If s ∈ S reads o ∈ O, then i'(s) = min(i(s), i(o)), where i'(s) is the subject's integrity level after the read
3. s1 ∈ S can execute s2 ∈ S iff i(s2) ≤ i(s1)

SLIDE 32

The Biba Integrity Model

  • Ring Policy

1. Any subject may read any object, regardless of integrity levels
2. s ∈ S can write to o ∈ O iff i(o) ≤ i(s)
3. s1 ∈ S can execute s2 ∈ S iff i(s2) ≤ i(s1)

SLIDE 33

The Biba Integrity Model

  • Biba’s Model (Strict Integrity Policy)

1. s ∈ S can read o ∈ O iff i(s) ≤ i(o)
2. s ∈ S can write to o ∈ O iff i(o) ≤ i(s)
3. s1 ∈ S can execute s2 ∈ S iff i(s2) ≤ i(s1)
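An added Python model (not from the slides) of the three Biba policies on slides 31 to 33, run over one constructed scenario so their difference is visible: a trusted subject reads an untrusted object and then tries to write to an object of intermediate integrity. The subject and object names and the integer integrity levels (higher is more trusted) are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Subject:
    name: str
    level: int          # i(s): current integrity level, higher = more trusted


@dataclass(frozen=True)
class Obj:
    name: str
    level: int          # i(o)


class StrictIntegrity:
    """Biba's strict integrity policy: no read down, no write up."""

    def read(self, s, o):
        return s.level <= o.level         # s can read o iff i(s) <= i(o)

    def write(self, s, o):
        return o.level <= s.level         # s can write o iff i(o) <= i(s)

    def execute(self, s1, s2):
        return s2.level <= s1.level       # s1 can execute s2 iff i(s2) <= i(s1)


class LowWaterMark(StrictIntegrity):
    """Reads always succeed, but the subject drops to min(i(s), i(o))."""

    def read(self, s, o):
        s.level = min(s.level, o.level)
        return True


class RingPolicy(StrictIntegrity):
    """Any subject may read any object; write and execute as in strict integrity."""

    def read(self, s, o):
        return True


def contamination_trace(policy_cls):
    """Constructed scenario: a level-3 installer reads a level-1 download, then
    tries to write a level-2 configuration file. Returns what each policy decides."""
    policy = policy_cls()
    installer = Subject("installer", 3)
    download = Obj("download", 1)
    config = Obj("config", 2)
    read_ok = policy.read(installer, download)
    write_ok = policy.write(installer, config)
    return {"read_ok": read_ok, "level_after_read": installer.level, "write_ok": write_ok}


if __name__ == "__main__":
    for policy in (StrictIntegrity, LowWaterMark, RingPolicy):
        print(policy.__name__, contamination_trace(policy))
```

Strict integrity refuses the read outright; low-water-mark allows it but lowers the installer to level 1, after which the write to the level-2 file is refused; the ring policy allows both, leaving it to the subject to handle the low-integrity input correctly. Execute is the same in all three: a subject may only invoke subjects at or below its own level.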

SLIDE 34

Hybrid Policies

  • Many organizations desire both confidentiality and integrity
  • Conflict of interest

Chinese Wall Model

  • Medical ethics and laws about dissemination of patient data

Clinical Information Systems

  • Originator controlled access control

Lets the creator determine (or assign) who should access the data and how

  • Role-based access control

The ability, or need, to access information may depend on one’s job functions

SLIDE 35

The Chinese Wall Model

  • To prevent a conflict of interest

– Example: Investment house

Information about companies is stored in a database

  • Definitions

The objects of the database are items of information related to a company.

A company dataset (CD) contains objects related to a single company.

A conflict of interest (COI) class contains the datasets of companies in competition.

SLIDE 36

The Chinese Wall Model

  • COI Example (figure not reproduced in the text extraction)

SLIDE 37

The Chinese Wall Model

  • History is important
  • PR(S) is a set of objects that S has read

CW-Simple Security Condition. S can read O iff any of the following holds.

  • 1. There is an object O' such that S has accessed O' and CD(O') = CD(O).
  • 2. For all objects O', O' ∈ PR(S) ⇒ COI(O') ≠ COI(O).
  • 3. Object O is a sanitized object.

SLIDE 38

The Chinese Wall Model

CW-*-property. A subject S may write to an object O iff both of the following conditions hold.

  • 1. The CW-simple security condition permits S to read O.
  • 2. For all unsanitized objects O', S can read O' ⇒ CD(O') = CD(O)
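An added Python model (not from the slides) of the CW-simple security condition and the CW-*-property from slides 37 and 38, with PR(S) kept per subject as the history the slide says is important. The company datasets, COI classes, object and subject names are constructed for this example; the scenario shows each of the three read conditions firing, and shows how a write that is permitted becomes forbidden once an unsanitized object in another COI class exists that the subject could still read.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obj:
    name: str
    cd: str                 # company dataset CD(O)
    coi: str                # conflict of interest class COI(O)
    sanitized: bool = False


@dataclass
class Subject:
    name: str
    pr: set = field(default_factory=set)   # PR(S): the objects S has read


class ChineseWall:
    def __init__(self, objects):
        self.objects = {o.name: o for o in objects}

    def add(self, o):
        self.objects[o.name] = o

    def can_read(self, s, o):
        """CW-simple security condition: any one of the three conditions suffices."""
        same_cd = any(p.cd == o.cd for p in s.pr)          # 1. already inside this CD
        no_conflict = all(p.coi != o.coi for p in s.pr)    # 2. nothing read in this COI class
        return same_cd or no_conflict or o.sanitized       # 3. sanitized object

    def read(self, s, o):
        """Perform a read: enforce the condition and record the object in PR(S)."""
        if not self.can_read(s, o):
            return False
        s.pr.add(o)
        return True

    def can_write(self, s, o):
        """CW-*-property: S may read O, and every unsanitized object S could read
        lies in the same CD as O (so no write can carry data across datasets)."""
        if not self.can_read(s, o):                         # 1.
            return False
        return all(p.cd == o.cd                             # 2.
                   for p in self.objects.values()
                   if not p.sanitized and self.can_read(s, p))


def lecture_scenario():
    """Constructed data: two banks in one COI class, oil companies in another."""
    bank_a = Obj("BankA_report", cd="BankA", coi="Banks")
    bank_b = Obj("BankB_report", cd="BankB", coi="Banks")
    oil_x_pub = Obj("OilX_public", cd="OilX", coi="Oil", sanitized=True)
    cw = ChineseWall([bank_a, bank_b, oil_x_pub])
    sue = Subject("Sue")
    out = {}
    out["read_bank_a"] = cw.read(sue, bank_a)             # empty history: condition 2 holds
    out["read_bank_b"] = cw.can_read(sue, bank_b)         # same COI class as BankA: denied
    out["read_bank_a_again"] = cw.can_read(sue, bank_a)   # condition 1: same CD already accessed
    out["read_oil_pub"] = cw.can_read(sue, oil_x_pub)     # condition 3: sanitized
    out["write_bank_a"] = cw.can_write(sue, bank_a)       # all unsanitized readable objects are in CD BankA
    # An unsanitized object in another COI class that Sue could still read makes
    # condition 2 of the CW-*-property fail for BankA, even though Sue never read it.
    cw.add(Obj("OilY_report", cd="OilY", coi="Oil"))
    out["write_bank_a_after_oil_y"] = cw.can_write(sue, bank_a)
    out["write_bank_b"] = cw.can_write(sue, bank_b)       # fails condition 1: cannot read it
    return out


if __name__ == "__main__":
    for step, decision in lecture_scenario().items():
        print(f"{step}: {'allowed' if decision else 'denied'}")
```

The last two results show the strength of the CW-*-property: a write is judged not only on what S has read but on every unsanitized object S could read, so an analyst who could still consult a second company's data is never allowed to write into the first company's dataset.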

SLIDE 39

Summary

  • Multilevel and multilateral security
  • Security policies
  • Confidentiality Policies

– The Bell-LaPadula Model

  • Integrity Policies

– The Biba Integrity Model

  • Hybrid Policies

– The Chinese Wall Model

SLIDE 40

Next time

  • Cryptography
  • Key management
  • Authentication