Formal Security Models CSM27 Computer Security Dr Hans Georg - - PowerPoint PPT Presentation



SLIDE 1

Formal Security Models

CSM27 Computer Security Dr Hans Georg Schaathun

University of Surrey

Autumn 2009 – Week 7

Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 1 / 41

SLIDE 2

The session

Outline

1. The session
2. Bell-LaPadula
3. Other models
4. Execution Monitors
5. Conclusion

SLIDE 3

The session

Session objectives

- Have an overview of a range of security models
- Be able to use the principle of finite automata to describe security models
- Understand the confidentiality policy of Bell-LaPadula
- Understand the limitations of Bell-LaPadula
- Be able to choose an appropriate model for a given scenario

SLIDE 4

The session

Session Overview

- BLP: the pioneer in security models (confidentiality)
- Biba: a BLP analogue for integrity
- Chinese Wall: resolves conflicts of interest. Scenario: a consultancy firm with competing clients.
- Clark-Wilson: integrity is the primary concern in commercial business (contrary to the secrecy requirement in military applications).
- Harrison-Ruzzo-Ullman: managing access rights
- Information Flow Models: measuring the exact leak of information (or misinformation in an integrity scenario).

SLIDE 5

Bell-LaPadula

Outline

1. The session
2. Bell-LaPadula
   - Finite Automata
   - Bell-LaPadula
   - Security Properties
   - Limitations
3. Other models
4. Execution Monitors
5. Conclusion

SLIDE 6

Bell-LaPadula Finite Automata

A finite automaton

state-machine ≈ automaton

- A set of states, Q
- An input alphabet Σ (the labels for the state transitions)
- An initial state q0 ∈ Q
- A set of accepting states A ⊂ Q
- A transition function δ : Q × Σ → Q (equivalent to the edges, i.e. the arrows, of the diagram)

[Figure: example automaton with states 1 to 5 and transitions labelled 1]

SLIDE 7

Bell-LaPadula Finite Automata

A finite automaton

A state can be good or bad, i.e. secure or insecure.

Transitions from good to bad states are dangerous. Two criteria:

- The start state must be secure
- No transition leads from a secure to an insecure state

[Figure: example automaton with states 1 to 5 and transitions labelled 1]

SLIDE 10

Bell-LaPadula Bell-LaPadula

The principle of an automaton model

1. Describe all secure states
2. Describe transitions from secure states
3. Prove that no transition leads from a secure to an insecure state

If this is possible, the system is provably secure. Bell-LaPadula is one description of secure states. Similar principles apply to, e.g., database development:

- The database has to be maintained in a consistent state
- No operation (transition) is allowed to bring the database to an inconsistent state

SLIDE 11

Bell-LaPadula Bell-LaPadula

Elements of Access Control

- A set of subjects S
- A set of objects O
- A set of access operations A = {execute, read, append, write}
- A set of security levels L, with a partial ordering ≤

SLIDE 12

Bell-LaPadula Bell-LaPadula

The State Set

A state (b, M, f) includes:

- b: the access operations currently in use, a list of tuples (s, o, a) with s ∈ S, o ∈ O, a ∈ A
- M: the access permission matrix, M = (M_{s,o})_{s∈S, o∈O}, where M_{s,o} ⊂ A
- f = (f_S, f_C, f_O): clearance and classification
  - f_S : S → L, the maximal security level of a subject
  - f_C : S → L, the current security level of a subject (f_C ≤ f_S)
  - f_O : O → L, the classification of an object

SLIDE 13

Bell-LaPadula Security Properties

Simple Security Property (SS-property)

A state (b, M, f) satisfies the SS-property if

∀(s, o, a) ∈ b such that a ∈ {read, write}: f_O(o) ≤ f_S(s)

I.e. a subject can only observe objects of lower (or equal) classification: no read-up.

SLIDE 14

Bell-LaPadula Security Properties

What about write access?

What policy do we need for write access?

- Integrity: no write-up (to higher security levels)
- Confidentiality: no write-down (to lower security levels)

Bell-LaPadula concerns confidentiality: a subject must not transmit messages to subjects at lower levels. The current security level f_C allows communication: a subject has to be downgraded to send messages. Because subjects are computer programs, they can be made to forget their knowledge when downgraded.

SLIDE 20

Bell-LaPadula Security Properties

*-property

A state (b, M, f) satisfies the *-property if

∀(s, o, a) ∈ b such that a ∈ {append, write}: f_C(s) ≤ f_O(o)

and

if ∃(s, o, a) ∈ b with a ∈ {append, write}, then ∀(s, o′, a′) ∈ b with a′ ∈ {read, write}: f_O(o′) ≤ f_O(o)

I.e. a subject can only alter objects of higher (or equal) classification, and cannot read a high-level object while writing to a low-level object.

SLIDE 21

Bell-LaPadula Security Properties

Discretionary Security Property

The previous security properties provide Mandatory Access Control (MAC), i.e. a centrally defined access policy: the security levels are defined by a central policy.

Discretionary Access Control (DAC) decentralises the control. The access control matrix M allows DAC in Bell-LaPadula.

A state (b, M, f) satisfies the DS-property if

∀(s, o, a) ∈ b: a ∈ M_{s,o}.

SLIDE 25

Bell-LaPadula Limitations

The Criticism of McLean

What happens if we . . .

- downgrade all subjects to the lowest security level,
- downgrade all objects to the lowest security level, and
- enter all access rights in the access control matrix M?

Is the system secure? It satisfies every security property of BLP!
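The three BLP properties (SS, *, DS) and McLean's degenerate transition, as an added example written for this page rather than taken from the lecture. Security levels are modelled as integers with the usual ordering, and the subjects, objects and states are constructed for illustration.

```python
"""Bell-LaPadula state check: SS-, *- and DS-properties over a state (b, M, f).

Added example, not from the lecture slides. Levels are integers
(0 = unclassified, 1 = confidential, 2 = secret); all names are constructed.
"""
from dataclasses import dataclass

OBSERVE = {"read", "write"}    # accesses that observe an object
ALTER = {"append", "write"}    # accesses that alter an object
ALL_RIGHTS = {"execute", "read", "append", "write"}


@dataclass
class State:
    b: set      # current accesses: {(s, o, a)}
    M: dict     # M[(s, o)] -> set of permitted accesses (the DAC matrix)
    f_S: dict   # subject clearance (maximal level)
    f_C: dict   # subject current level, f_C[s] <= f_S[s]
    f_O: dict   # object classification


def ss_property(st):
    """No read-up: every observed object is at or below the subject's clearance."""
    return all(st.f_O[o] <= st.f_S[s] for s, o, a in st.b if a in OBSERVE)


def star_property(st):
    """No write-down, and nothing observed may be classified above what is being written."""
    for s, o, a in st.b:
        if a not in ALTER:
            continue
        if not st.f_C[s] <= st.f_O[o]:
            return False
        for s2, o2, a2 in st.b:
            if s2 == s and a2 in OBSERVE and not st.f_O[o2] <= st.f_O[o]:
                return False
    return True


def ds_property(st):
    """Every current access is permitted by the access control matrix."""
    return all(a in st.M.get((s, o), set()) for s, o, a in st.b)


def is_secure(st):
    return ss_property(st) and star_property(st) and ds_property(st)


def mclean_collapse(st):
    """McLean's transition: every subject and object to the lowest level,
    every right granted. Returns a new state; the input is left unchanged."""
    low = min(st.f_O.values())
    return State(
        b=set(st.b),
        M={(s, o): set(ALL_RIGHTS) for s in st.f_S for o in st.f_O},
        f_S={s: low for s in st.f_S},
        f_C={s: low for s in st.f_C},
        f_O={o: low for o in st.f_O},
    )


def sample_state():
    """Constructed secure state: alice (secret) reads a secret plan and appends to a secret log."""
    return State(
        b={("alice", "plan", "read"), ("alice", "log", "append")},
        M={("alice", "plan"): {"read"}, ("alice", "log"): {"append"},
           ("bob", "plan"): {"read"}},
        f_S={"alice": 2, "bob": 1},
        f_C={"alice": 2, "bob": 1},
        f_O={"plan": 2, "log": 2, "memo": 0},
    )
```

The collapsed state passes every check, which is exactly McLean's objection: the properties constrain states, not which transitions a system should allow.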

SLIDE 27

Bell-LaPadula Limitations

The sides of the conflict

- McLean: A system which can be brought to a state with no restrictions cannot be secure.
- Bell: This is application dependent. If the users need it, it should be possible. Otherwise it should not be implemented.

SLIDE 28

Bell-LaPadula Limitations

Tranquility

McLean's scenario is really out of scope for BLP: BLP considered tranquil systems, where permissions do not change.

Either a system or an operation may be tranquil:

- A tranquil operation does not change access rights.
- A tranquil system has no non-tranquil operations.

Tranquility is a particular concern when an operation tries to remove an access right currently in use. How should this be resolved?

SLIDE 29

Bell-LaPadula Limitations

Covert Channels

- A low-level subject s_l creates an object o.
- A high-level accomplice s_h either
  - reclassifies o to its own level (message 1), or
  - leaves o unchanged (message 0).
- s_l tries to access o, which either
  - succeeds (message 0), or
  - is denied (message 1).

One bit of information is transmitted s_h → s_l.

SLIDE 33

Bell-LaPadula Limitations

Limitations

BLP's concern is confidentiality:

- it limits the access to and sharing of information
- no integrity policy
- no availability policy

BLP assumes fixed rights:

- assumes tranquility
- no model for access management
- no model for policy making

BLP allows covert channels.

SLIDE 34

Bell-LaPadula Limitations

Multics

- Massive research project in the early 1970s
- Objective: a secure, reliable, etc. multiuser OS, i.e. Multics
- The Bell-LaPadula model was a result of the research
- The ambitions made Multics too heavy-weight for most
- Unix is a spin-off by some project members: simpler and more user-friendly

SLIDE 35

Other models

Outline

1. The session
2. Bell-LaPadula
3. Other models
   - Biba: Integrity
   - Chinese Wall: Conflict of interest
   - Clark-Wilson: Integrity and Consistency
   - Harrison-Ruzzo-Ullman: Managing Access Rights
4. Execution Monitors
5. Conclusion

SLIDE 36

Other models Biba : Integrity

Ensuring Integrity

Biba uses a state-machine, with states similar to those of Bell-LaPadula.

Definition (Simple Integrity Property): If s can alter o, then f_S(s) ≥ f_O(o).

Definition (Integrity *-property): If subject s can observe object o and alter object a, then f_O(a) ≤ f_O(o).

These are duals of the corresponding BLP policies: integrity is (arguably) the dual of confidentiality.

SLIDE 37

Other models Biba : Integrity

Different paradigms

Biba does not give a single high-level policy; there are different approaches. The one given is one example, and different approaches may be incompatible.

SLIDE 38

Other models Biba : Integrity

Dynamic Integrity Level

Subjects can read any object, but the subject is demoted (Subject Low Watermark Property):

f_S(s) := min(f_S(s), f_O(o))

Subjects can alter any object, but the object is demoted (Object Low Watermark Property):

f_O(o) := min(f_S(s), f_O(o))

What is the rationale? Read the integrity level as trustworthiness. An object cannot be more trustworthy than the subject which created it. A subject reading untrusted data is contaminated.
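The two low-watermark rules in code, as an added example not taken from the lecture: integrity levels are integers (higher means more trustworthy) and the updater/browser scenario is constructed to show contamination propagating from an untrusted input into a previously trusted object.

```python
"""Biba dynamic integrity levels: subject and object low-watermark policies.

Added example, not from the lecture. Integrity levels are integers where a
higher number means more trustworthy; subjects and objects are constructed.
"""


class BibaLowWatermark:
    def __init__(self, f_S, f_O):
        self.f_S = dict(f_S)   # subject integrity levels
        self.f_O = dict(f_O)   # object integrity levels
        self.trace = []        # (event, subject, object, new_level), for audit

    def observe(self, s, o):
        """Subject Low Watermark: any read is allowed, but s drops to
        min(f_S(s), f_O(o)), so untrusted data contaminates the reader."""
        new = min(self.f_S[s], self.f_O[o])
        if new < self.f_S[s]:
            self.trace.append(("demote-subject", s, o, new))
        self.f_S[s] = new
        return new

    def alter(self, s, o):
        """Object Low Watermark: any write is allowed, but o drops to
        min(f_S(s), f_O(o)): an object is never more trustworthy than its writer."""
        new = min(self.f_S[s], self.f_O[o])
        if new < self.f_O[o]:
            self.trace.append(("demote-object", s, o, new))
        self.f_O[o] = new
        return new

    def simple_integrity_ok(self, s, o):
        """Static (strict Biba) check: s may alter o only if f_S(s) >= f_O(o)."""
        return self.f_S[s] >= self.f_O[o]


def contamination_demo():
    """Constructed scenario: a level-3 updater reads a signed release (level 3),
    then an unverified download (level 1), then writes the system config.
    Returns the system so the resulting levels and trace can be inspected."""
    sys = BibaLowWatermark(
        f_S={"updater": 3, "browser": 1},
        f_O={"download": 1, "system.conf": 3, "release.sig": 3},
    )
    sys.observe("updater", "release.sig")   # trusted input: no demotion
    sys.observe("updater", "download")      # untrusted input: updater -> 1
    sys.alter("updater", "system.conf")     # config now only as trusted as its writer
    return sys
```

The audit trace is where a defender sees the contamination happen: after one untrusted read, every object the updater touches inherits level 1, which is the practical reason low-watermark systems tend to degrade towards the lowest level.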

SLIDE 41

Other models Chinese Wall : Conflict of interest

Conflicts of Interest

Consultancy business: conflicts of interest between different clients.

Information must not leak from one client to its competitors. There must be no information flow that causes a conflict of interest.

SLIDE 44

Other models Chinese Wall : Conflict of interest

Diagram

[Figure: two conflict-of-interest classes. Banking COI class: HSBC, Natwest, Barclays. IT COI class: IBM, SUN, Adobe. Analysts John and Jane access client datasets; one combination of accesses is marked as a conflict.]

SLIDE 51

Other models Chinese Wall : Conflict of interest

Sanitised Objects

Objects of information can be sanitised, i.e. cleaned for open distribution ('declassified' in a sense).

For a sanitised object O, we write COI(O) = ∅.

SLIDE 52

Other models Chinese Wall : Conflict of interest

Chinese Wall Simple Security Property

Definitions:

- PR(S): the set of objects previously accessed by S
- CD(O): the client associated with object O
- COI(O): the 'conflict of interest' class associated with object O

S can read O if and only if one of the following holds:

1. ∃O′ ∈ PR(S) such that CD(O′) = CD(O)
2. ∀O′ ∈ PR(S), we have COI(O′) ≠ COI(O)
3. O is a sanitised object

SLIDE 53

Other models Chinese Wall : Conflict of interest

Chinese Wall *-Property

A subject S may write to an object O if and only if both of the following conditions hold:

1. S may read O according to the simple security property
2. For all unsanitised objects O′ which S can read, CD(O′) = CD(O)
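The Chinese Wall simple security property and *-property together, as an added example (not the lecture's code). The clients and COI classes follow the lecture's diagram; the object names and the analysts' access histories are constructed. Condition 2 of the read rule is implemented as "no previously accessed object lies in the same COI class as O", as in Brewer and Nash.

```python
"""Chinese Wall (Brewer-Nash) read and write rules. Added example, not from the lecture.
Client names and COI classes follow the lecture's diagram; object names are constructed."""

SANITISED = None   # COI(O) = ∅ for sanitised objects

# object -> (CD(O): client, COI(O): conflict-of-interest class)
OBJECTS = {
    "hsbc-accounts":    ("HSBC",     "Banking"),
    "natwest-accounts": ("Natwest",  "Banking"),
    "barclays-loans":   ("Barclays", "Banking"),
    "ibm-roadmap":      ("IBM",      "IT"),
    "sun-roadmap":      ("SUN",      "IT"),
    "adobe-roadmap":    ("Adobe",    "IT"),
    "market-report":    ("public",   SANITISED),
}


def CD(o):
    return OBJECTS[o][0]


def COI(o):
    return OBJECTS[o][1]


class ChineseWall:
    def __init__(self):
        self.PR = {}   # PR(S): objects previously accessed by subject S

    def can_read(self, S, O):
        """Simple security property: sanitised, or same client as an earlier
        access, or a COI class S has never touched."""
        if COI(O) is SANITISED:
            return True
        prior = self.PR.get(S, set())
        if any(CD(o2) == CD(O) for o2 in prior):
            return True
        return all(COI(o2) != COI(O) for o2 in prior)

    def can_write(self, S, O):
        """*-property: S may write O only if S may read O and every unsanitised
        object S can read belongs to O's client."""
        if not self.can_read(S, O):
            return False
        readable = [o2 for o2 in OBJECTS
                    if COI(o2) is not SANITISED and self.can_read(S, o2)]
        return all(CD(o2) == CD(O) for o2 in readable)

    def read(self, S, O):
        """Perform a read: records the access in PR(S) only when allowed."""
        if not self.can_read(S, O):
            return False
        self.PR.setdefault(S, set()).add(O)
        return True
```

Note the consequence of the write rule with two COI classes: an analyst who has read HSBC can still read every IT client, so the unsanitised objects they can read span several clients and no write to an unsanitised object is permitted; the restrictiveness is a property of the rule as stated, not a bug in the check.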

SLIDE 54

Other models Clark-Wilson : Integrity and Consistency

Main problem integrity

Internal Consistency refers to the internal state of the system (its data and information):

- non-contradictory information
- well-formed data
- can be enforced by the computing system

Briefly, the information in the system has to make sense.

External Consistency refers to the relation between the internal state and the outside world:

- the information has to match the real world
- requires external control mechanisms, e.g. auditing

SLIDE 58

Other models Clark-Wilson : Integrity and Consistency

Enforcement Mechanisms

Well-formed transactions:

- A limited, specified set of legal procedures
- Each procedure is well-defined
- No free access to data

Separation of duties:

- A transaction requires co-operation, e.g. authorising signatures
- A single subject cannot both request and authorise
- Abuse requires collusion

SLIDE 59

Other models Clark-Wilson : Integrity and Consistency

Restriction

Clark-Wilson restricts access to transaction procedures/programs, as in role-based access control.

Is this

- confidentiality (limiting access to programs as resources)?
- or integrity (limiting the access to make changes)?

Procedures and programs are complex programs, in contrast to BLP's basic read, append, and execute. Procedures may read or write, or do both: one mechanism for integrity and confidentiality.

SLIDE 63

Other models Clark-Wilson : Integrity and Consistency

Considerations in Clark-Wilson

1. Subjects have to be identified and authenticated
2. Objects may be manipulated by a restricted set of programs only
3. Subjects may execute a restricted set of programs only
4. A proper audit log is maintained
5. The system has to be certified to work properly

SLIDE 64

Other models Clark-Wilson : Integrity and Consistency

Implementation and Certification

- Constrained Data Items (CDI) are data items stored in the system and governed by the policy.
- Unconstrained Data Items (UDI) are inputs to the system, from a source which is not governed by the policy.

How can you convert UDI → CDI? Can you trust the input? This conversion is the main challenge in the model.
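The enforcement mechanisms, the five considerations and the UDI → CDI conversion from the preceding Clark-Wilson slides, put together as an added example (not the lecture's or the Clark-Wilson paper's code). The ledger, the two users, the two transaction procedures and the payment-request format are constructed for illustration.

```python
"""Clark-Wilson sketch: certified transaction procedures (TPs), access triples,
an integrity verification procedure (IVP), separation of duty, UDI -> CDI
validation and an audit log. Added example; everything below is constructed."""
from collections import namedtuple

Triple = namedtuple("Triple", "user tp cdi")


class IntegrityError(Exception):
    pass


class ClarkWilsonSystem:
    def __init__(self):
        self.cdi = {"ledger": {"balance": 1000, "pending": {}}}   # constrained data
        self.tps = {}          # certified TPs: name -> function
        self.triples = set()   # permitted (user, tp, cdi) relations
        self.audit = []        # every TP invocation, success or denial

    def certify(self, name, fn):
        self.tps[name] = fn

    def permit(self, user, tp, cdi):
        self.triples.add(Triple(user, tp, cdi))

    def ivp(self):
        """IVP: internal consistency of the ledger (well-formed, non-contradictory)."""
        led = self.cdi["ledger"]
        return led["balance"] >= 0 and all(
            isinstance(r["amount"], int) and r["amount"] > 0 for r in led["pending"].values())

    def run(self, user, tp, cdi, *args):
        """A CDI may only be touched by a certified TP, by a user holding the triple."""
        try:
            if tp not in self.tps:
                raise IntegrityError("uncertified procedure")
            if Triple(user, tp, cdi) not in self.triples:
                raise IntegrityError("no access triple")
            result = self.tps[tp](self.cdi[cdi], user, *args)
            if not self.ivp():   # a real system would also roll the TP back here
                raise IntegrityError("CDI left inconsistent")
        except IntegrityError as e:
            self.audit.append((user, tp, cdi, f"denied: {e}"))
            raise
        self.audit.append((user, tp, cdi, "ok"))
        return result


def tp_request_payment(ledger, user, udi):
    """UDI -> CDI: untrusted input becomes constrained data only after validation."""
    if not (isinstance(udi, dict) and udi.get("to")
            and isinstance(udi.get("amount"), int) and udi["amount"] > 0):
        raise IntegrityError("rejected UDI")
    rid = len(ledger["pending"]) + 1
    ledger["pending"][rid] = {"to": udi["to"], "amount": udi["amount"], "by": user}
    return rid


def tp_approve_payment(ledger, user, rid):
    """Separation of duty: the requester may not approve their own request."""
    req = ledger["pending"].get(rid)
    if req is None:
        raise IntegrityError("unknown request")
    if req["by"] == user:
        raise IntegrityError("separation of duty")
    if req["amount"] > ledger["balance"]:
        raise IntegrityError("insufficient funds")
    ledger["balance"] -= req["amount"]
    del ledger["pending"][rid]
    return ledger["balance"]


def build_system():
    cw = ClarkWilsonSystem()
    cw.certify("request", tp_request_payment)
    cw.certify("approve", tp_approve_payment)
    cw.permit("clerk", "request", "ledger")
    cw.permit("manager", "request", "ledger")
    cw.permit("manager", "approve", "ledger")
    return cw


def attempt(cw, user, tp, cdi, *args):
    """Run a TP and return ('ok', result) or ('denied', reason) instead of raising."""
    try:
        return ("ok", cw.run(user, tp, cdi, *args))
    except IntegrityError as e:
        return ("denied", str(e))
```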

SLIDE 65

Other models Harrison-Ruzzo-Ullman : Managing Access Rights

Access Management

Management is as important as enforcement:

- How do you define permissions?
- How do you change permissions?
- How dynamic is the system?

Most models assume fixed permissions; Harrison-Ruzzo-Ullman considers access management.

SLIDE 66

Execution Monitors

Outline

1. The session
2. Bell-LaPadula
3. Other models
4. Execution Monitors
5. Conclusion

SLIDE 67

Execution Monitors

Limitations of formal models

Formal models strive for perfection. As mentioned, some models yield undecidable problems.

A different approach:

- Use practical solutions as a starting point
- Investigate what the actual solution can achieve

The main mechanisms in current use are all execution monitors.

SLIDE 68

Execution Monitors

Safety and Liveness

- Safety Property: nothing bad can ever happen.
- Liveness Property: something good will eventually happen.

Let σ = (σ_1, σ_2, . . .) be a sequence of execution steps. Γ is a safety property if

σ ∉ Γ ⇒ ∃i such that ∀τ_{i+1}, τ_{i+2}, . . . : (σ_1, . . . , σ_i, τ_{i+1}, . . .) ∉ Γ

I.e. if σ is unsafe, then at some point i it becomes impossible to revert to safety.

- The execution monitor has to judge the situation based on the preceding σ-steps.
- A liveness property can make requirements on the future σ-steps, i.e. liveness properties are not RM (reference monitor) enforceable.
- Safety properties may or may not be RM enforceable.
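An execution monitor that sees one step at a time and may only consult the prefix (σ_1, . . . , σ_i) seen so far, as an added example not taken from the lecture. The monitored trace of (subject, action, object) steps and the safety property "no network write after a secret file has been read" are constructed; the liveness predicate at the end shows why a prefix never gives the monitor grounds to halt.

```python
"""Execution monitor for a safety property over an execution prefix.

Added example, not from the lecture. The trace and the property are constructed.
"""


class ExecutionMonitor:
    """Sees one step at a time and decides using only the prefix seen so far."""

    def __init__(self, bad_prefix):
        self.bad_prefix = bad_prefix   # predicate: is this finite prefix already irrecoverable?
        self.prefix = []
        self.halted_at = None          # 1-based index i of the first bad step

    def step(self, sigma_i):
        if self.halted_at is not None:
            return False
        candidate = self.prefix + [sigma_i]
        if self.bad_prefix(candidate):
            # every extension of a bad prefix stays outside Γ, so truncating here is sound
            self.halted_at = len(candidate)
            return False
        self.prefix = candidate
        return True


def leaks_secret(prefix):
    """Safety property: a prefix is bad once a read of secret.txt is followed
    by a write to the socket. Nothing that happens later can undo that."""
    read_secret = False
    for _subject, action, obj in prefix:
        if action == "read" and obj == "secret.txt":
            read_secret = True
        if action == "write" and obj == "socket" and read_secret:
            return True
    return False


def run_monitored(trace, bad_prefix=leaks_secret):
    """Execute the trace under the monitor; returns (executed steps, halt index or None)."""
    mon = ExecutionMonitor(bad_prefix)
    executed = []
    for sigma in trace:
        if not mon.step(sigma):
            break
        executed.append(sigma)
    return executed, mon.halted_at


def request_answered_eventually(prefix):
    """Liveness: every 'request' is eventually followed by a 'response'. On a
    finite prefix the verdict is only ever 'pending' or 'satisfied so far',
    never 'violated', because the missing response may still arrive."""
    requests = sum(1 for _s, a, _o in prefix if a == "request")
    responses = sum(1 for _s, a, _o in prefix if a == "response")
    return "pending" if requests > responses else "satisfied so far"


def never_bad(prefix):
    """The bad-prefix predicate a liveness property induces: no prefix is irrecoverable."""
    return False


TRACE = [   # constructed execution
    ("svc", "read", "config.ini"),
    ("svc", "write", "socket"),      # fine: nothing secret read yet
    ("svc", "read", "secret.txt"),
    ("svc", "write", "log.txt"),
    ("svc", "write", "socket"),      # step 5: the first irrecoverable step
    ("svc", "read", "config.ini"),
]
```

A monitor driven by `never_bad` runs the whole trace and never halts, which is the operational meaning of "liveness properties are not RM enforceable".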

SLIDE 69

Conclusion

Outline

1. The session
2. Bell-LaPadula
3. Other models
4. Execution Monitors
5. Conclusion

SLIDE 70

Conclusion

Multics and security models

- The state-machine is an effective model of a computer system.
- Bell-LaPadula describes secure states and transitions.
- If all transitions (and the starting state) are secure, the system has to be secure.
- In Multics, data-fields correspond to state parameters and kernel primitives correspond to transitions.

SLIDE 71

Conclusion

Exercise sheet

Write a short essay stating your position in the Bell vs McLean debate. It is helpful to address as many of the strengths and weaknesses of BLP as possible, in order to build an argument for your view. Suggested length: ½ to 2 pages. Longer is not necessarily better.
