Computer Security – Part Two (PDF slides)



SLIDE 1

Computer Security – Part Two

SLIDE 2

Previously

  • Introduction
  • Threat analysis

Threats → Policy → Specification → Design → Implementation → Operation and Maintenance

SLIDE 3

Now

  • Multilateral and Multilevel security
  • Security policies
  • Confidentiality Policies
    – The Bell-LaPadula Model
  • Integrity Policies
    – The Biba Integrity Model
  • Hybrid Policies
    – The Chinese Wall Model

SLIDE 4

Multilevel Security

  • Different security levels for resources
  • Important systems
    – A lot of research is done
    – Products for military applications can have a second chance
  • Firewalls, web servers, etc.
    – Often applied in the wrong context and in the wrong way

SLIDE 5

Multilateral Security

  • To protect information from leaking between compartments on the same level
  • Different types
    – Organizations
    – Privilege-based
    – A mix

SLIDE 6

Security Policy

  • Purpose and goal
  • A foundation for the choice of security mechanisms
  • Who is responsible for what
  • What is allowed and what is not allowed
  • Why the policy looks like it does – important!

A security policy defines “secure” for a system or a set of systems.
SLIDE 7

Security Policy

  • Confidentiality policy
    – Identifies those states that can leak information
  • Integrity policy
    – Identifies authorized ways in which information may be altered and entities authorized to alter it
  • Formal statement of desired properties
    – If the system is to be provably secure
  • In practice
    – Informal statements that assume that the reader understands the context in which the policy is issued

SLIDE 8

Security Mechanism and Model

  • Def. A security mechanism is an entity or procedure that enforces some part of the security policy.
  • Def. A security model is a model that represents a particular policy or set of policies.

SLIDE 9

Types of security policies

  • Def. A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
  • Def. A commercial security policy is a security policy developed primarily to provide integrity.
  • Def. A confidentiality policy is a security policy dealing only with confidentiality.
  • Def. An integrity policy is a security policy dealing only with integrity.

SLIDE 10

The Role of Trust

  • An example: A system administrator receives a security patch
    – Assumes that the patch came from the vendor and was not tampered with in transit
    – Assumes that the vendor tested the patch thoroughly
    – Assumes that the vendor’s test environment corresponds to her environment
    – Assumes that the patch is installed correctly
  • Any security policy, mechanism, or procedure is based on assumptions

SLIDE 11

Confidentiality Policies

  • Common in military systems
  • Also called information flow policy
  • Models
    – The Bell-LaPadula Model
    – Extensions of the Bell-LaPadula Model

SLIDE 12

The Bell-LaPadula Security Policy Model

  • The simplest and best known, 1973
  • Trusted Computing Base (TCB)
    – The set of components you trust
  • Classification and clearance
  • Information flow control
    – No process can read information on a higher level – no-read-up
    – No process can write information to a lower level – no-write-down

SLIDE 13

The Bell-LaPadula Model

  • Classify information
    – A subject has a security clearance
      • In a linear ordering: the higher the security clearance, the more sensitive the information
    – An object has a security classification
      • Also in a linear ordering: Top Secret, Secret, Confidential, Unclassified
  • The goal is to prevent read access to objects at a security classification higher than the subject’s clearance
  • Combines mandatory and discretionary access control

SLIDE 14

The Bell-LaPadula Model

  • Notation
    L(S) = l_s : security clearance of subject S
    L(O) = l_o : security classification of object O
  • Linear ordering
    For all security classifications l_i, i = 0, ..., k – 1: l_i < l_(i+1)

Simple Security Condition (preliminary): S can read O iff l_o ≤ l_s and S has discretionary read access to O.

*-property (preliminary): S can write O iff l_s ≤ l_o and S has discretionary write access to O.

SLIDE 15

Criticism of the Bell-LaPadula Model

  • The principle of tranquility states that subjects and objects may not change their security levels once they have been instantiated
  • The Bell-LaPadula model (as presented) says nothing about changing security levels
  • Strong and weak tranquility
  • There are other controversies also
  • But still the simplest, and yet so hard to implement

SLIDE 16

Integrity Policies

  • Commercial requirements differ from military requirements
    1. Users will not write their own programs, but will use existing production programs and databases
    2. Programmers will develop and test programs on a nonproduction system
    3. A special process must be followed to install a program from the development system onto the production system
    4. The special process in (3) must be controlled and audited
    5. The managers and auditors must have access to both the system state and the system logs that are generated
  • Accuracy is much more important than disclosure
SLIDE 17

Integrity Policies

  • Principles of Operation
    – Separation of duty
    – Separation of function
    – Auditing
  • Models
    – Biba Integrity Model
    – Lipner’s Integrity Matrix Model
    – Clark-Wilson Integrity Model

SLIDE 18

The Biba Integrity Model

  • Bell-LaPadula upside down
  • Handles integrity and ignores confidentiality
  • Read-up, write-down
  • Many “real” systems use this model
SLIDE 19

The Biba Integrity Model

  • A system consists of a set S of subjects, a set O of objects, and a set I of integrity levels
    – The integrity levels are ordered
    – The higher the level, the more confidence that a program will execute correctly
    – Data at a higher level is more accurate and/or reliable than data at a lower level
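The Bell-LaPadula conditions of slide 14 and the reversed Biba rules of this slide, written out as an added example that is not part of the original slides. The level names, subjects, objects and the discretionary ACL are constructed for illustration.

```python
# Added example (not from the slides): Bell-LaPadula and Biba checks over a
# linear ordering. Levels, subjects, objects and the ACL are constructed.

# Constructed linear ordering l_0 < l_1 < ... < l_(k-1); the list index is the rank.
SECRECY = ["Unclassified", "Confidential", "Secret", "Top Secret"]
INTEGRITY = ["Untrusted", "User", "System"]          # constructed Biba levels

def rank(levels, name):
    return levels.index(name)

# Constructed discretionary access matrix: (subject, object) -> rights.
# BLP combines mandatory and discretionary control, so both checks must pass.
ACL = {
    ("alice", "plans.doc"): {"read", "write"},
    ("alice", "memo.txt"): {"read", "write"},
    ("bob", "plans.doc"): {"read"},
}

def blp_can_read(ls, lo, subj, obj, acl=ACL):
    """Simple Security Condition: S reads O iff l_o <= l_s (no-read-up)
    and S has discretionary read access to O."""
    return rank(SECRECY, lo) <= rank(SECRECY, ls) and "read" in acl.get((subj, obj), set())

def blp_can_write(ls, lo, subj, obj, acl=ACL):
    """*-property: S writes O iff l_s <= l_o (no-write-down)
    and S has discretionary write access to O."""
    return rank(SECRECY, ls) <= rank(SECRECY, lo) and "write" in acl.get((subj, obj), set())

# Biba is Bell-LaPadula upside down: a subject may only read objects at or
# above its own integrity level and only write objects at or below it, so
# low-integrity data can never flow into high-integrity data.
def biba_can_read(i_s, i_o):
    return rank(INTEGRITY, i_s) <= rank(INTEGRITY, i_o)

def biba_can_write(i_s, i_o):
    return rank(INTEGRITY, i_o) <= rank(INTEGRITY, i_s)

def audit(ops):
    """Replay constructed (subject, l_s, action, object, l_o) requests against
    BLP and return those the mandatory or discretionary check would deny."""
    denied = []
    for subj, ls, action, obj, lo in ops:
        ok = blp_can_read(ls, lo, subj, obj) if action == "read" else blp_can_write(ls, lo, subj, obj)
        if not ok:
            denied.append((subj, action, obj))
    return denied

if __name__ == "__main__":
    print(audit([("alice", "Secret", "read", "plans.doc", "Top Secret"),    # read-up
                 ("alice", "Secret", "write", "memo.txt", "Confidential"),  # write-down
                 ("alice", "Secret", "read", "memo.txt", "Confidential")])) # allowed
```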

SLIDE 20

Hybrid Policies

  • Many organizations desire both confidentiality and integrity
  • Conflict of interest
    – Chinese Wall Model
  • Medical ethics and laws about dissemination of patient data
    – Clinical Information Systems
  • Originator controlled access control
    – Lets the creator determine (or assign) who should access the data and how
  • Role-based access control
    – The ability, or need, to access information may depend on one’s job functions

SLIDE 21

The Chinese Wall Model

  • To prevent a conflict of interest
    – Example: investment house
      Information about companies is stored in a database
  • Definitions
    – The objects of the database are items of information related to a company.
    – A company dataset (CD) contains objects related to a single company.
    – A conflict of interest (COI) class contains the datasets of companies in competition.
SLIDE 22

The Chinese Wall Model

  • COI Example
SLIDE 23

The Chinese Wall Model

  • History is important
  • PR(S) is the set of objects that S has read

CW-Simple Security Condition. S can read O iff any of the following holds:
  1. There is an object O' such that S has accessed O' and CD(O') = CD(O).
  2. For all objects O', O' ∈ PR(S) ⇒ COI(O') ≠ COI(O).
  3. Object O is a sanitized object.
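The CW-simple security condition replayed over a subject's read history, as an added example that is not part of the original slides; it shows why the same request can be granted or denied depending on what was read earlier. The company datasets, COI classes, sanitized object and request sequence are constructed.

```python
# Added example (not from the slides): the CW-simple security condition of the
# Chinese Wall model. CD, COI, the sanitized object and the requests are constructed.

# Constructed: which company dataset (CD) each object belongs to. Sanitized
# objects carry no company dataset.
CD = {
    "bankA_q1": "BankA", "bankA_q2": "BankA",
    "bankB_q1": "BankB",
    "oilX_q1": "OilX",
    "market_summary": None,
}
# Constructed: which conflict-of-interest (COI) class each CD belongs to.
COI = {"BankA": "banks", "BankB": "banks", "OilX": "oil"}
SANITIZED = {"market_summary"}

def cw_can_read(pr, o):
    """pr is PR(S), the set of objects S has already read.
    S can read O iff any of:
      1. S has already accessed some O' with CD(O') = CD(O);
      2. for every O' in PR(S), COI(O') != COI(O);
      3. O is a sanitized object."""
    if o in SANITIZED:                                  # condition 3
        return True
    cd_o = CD[o]
    if any(CD[p] == cd_o for p in pr):                  # condition 1
        return True
    coi_o = COI[cd_o]                                   # condition 2
    return all(CD[p] is None or COI[CD[p]] != coi_o for p in pr)

def read_sequence(requests):
    """Replay a subject's read requests in order, adding each granted object
    to PR(S). Returns (granted, denied); the outcome depends on history."""
    pr, granted, denied = set(), [], []
    for o in requests:
        if cw_can_read(pr, o):
            pr.add(o)
            granted.append(o)
        else:
            denied.append(o)
    return granted, denied

if __name__ == "__main__":
    # Once BankA has been read, BankB (same COI class) is walled off, but a
    # competitor in another class, a sanitized object and more BankA data are fine.
    print(read_sequence(["bankA_q1", "bankB_q1", "oilX_q1", "market_summary", "bankA_q2"]))
```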
SLIDE 24

Summary

  • Multilevel and multilateral security
  • Security policies
  • Confidentiality Policies

– The Bell-LaPadula Model

  • Integrity Policies

– The Biba Integrity Model

  • Hybrid Policies

– The Chinese Wall Model