formal security models
play

Formal Security Models CSM27 Computer Security Dr Hans Georg - PowerPoint PPT Presentation

Nov 06, 2023 •7 likes •717 views

Formal Security Models CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2009 Week 7 Dr Hans Georg Schaathun Formal Security Models Autumn 2009 Week 7 1 / 41 The session Outline The session 1

  1. Formal Security Models CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2009 – Week 7 Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 1 / 41

  2. The session Outline The session 1 Bell-LaPadula 2 Other models 3 Execution Monitors 4 Conclusion 5 Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 2 / 41

  3. The session Session objectives Have an overview of a range of security models Be able to use the principle of finite automata to describe security models. Understand the confidentiality policy of Bell-LaPadula Understand the limitations of Bell-LaPadula Be able to choose an appropriate model for a given scenario Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 3 / 41

  4. The session Session Overview BLP the pioneer in security models (confidentiality) Biba a BLP analogue for integrity Chinese Wall Resolve Conflicts of interest. Scenario: consultancy firm with competing clients. Clark-Wilson Integrity is the primary concern in commercial business. (Contrary to the secrecy requirement in military applications.) Harrison-Ruzzo-Ullman Managing Access Rights Information Flow Models Measuring the exact leak of information (or misinformation in an integrity scenario). Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 4 / 41

  5. Bell-LaPadula Outline The session 1 Bell-LaPadula 2 Finite Automata Bell-LaPadula Security Properties Limitations Other models 3 Execution Monitors 4 Conclusion 5 Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 5 / 41

  6. Bell-LaPadula Finite Automata A finite automata state-machine ≈ automata 1 0 1 A set of states , Q An input alphabet Σ 0 1 1 0 labels for the state transitions 2 3 0 inital state q 0 ∈ Q 0 accepting states A ⊂ Q 0 1 1 transition function δ : Q × Σ → Q 5 4 1 0 equivalent to the edges (arrows) Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 6 / 41

  7. Bell-LaPadula Finite Automata A finite automata 1 A state can be good or bad 0 1 secure or insecure 0 1 1 Transitions from good to bad 0 states are dangerous. 2 3 0 Two criteria 0 0 1 1 Start state be secure No transition from secure to 5 4 1 0 insecure Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 7 / 41

  8. Bell-LaPadula Finite Automata A finite automata 1 A state can be good or bad 0 1 secure or insecure 0 1 1 Transitions from good to bad 0 states are dangerous. 2 3 0 Two criteria 0 0 1 1 Start state be secure No transition from secure to 5 4 1 0 insecure Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 7 / 41

  9. Bell-LaPadula Finite Automata A finite automata 1 A state can be good or bad 0 1 secure or insecure 0 1 1 Transitions from good to bad 0 1 states are dangerous. 2 3 0 Two criteria 0 0 1 1 Start state be secure No transition from secure to 5 4 1 0 insecure Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 7 / 41

  10. Bell-LaPadula Bell-LaPadula The principle of an automata model Describe all secure states 1 Describe transitions from secure states 2 Prove that no transition leads from secure to insecure 3 If this is possible, the system is provably secure. Bell-LaPadula is one description of secure states. Similar principles apply to e.g. database development Database has to be maintained in a consistent state No operation (transition) allowed to bring the database to an inconsistent state Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 8 / 41

  11. Bell-LaPadula Bell-LaPadula Elements of Access Control a set of subjects S a set of objects O set of access operations A = { execute , read , append , write } A set of security levels L , with a partial ordering ≤ Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 9 / 41

  12. Bell-LaPadula Bell-LaPadula The State Set A state : ( b , M , f ) , includes Access operations currently in use b List of tuples ( s , o , a ) , s ∈ S , o ∈ O , a ∈ A . Access permission matrix M = ( M s , o ) s ∈ S , o ∈ O , where M s , o ⊂ A Clearance and classification f = ( f S , f C , f O ) f S : S → L maximal security level of a subject f C : S → L current security level of a subject ( f C ≤ f S ) f O : O → L classification of an object Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 10 / 41

  13. Bell-LaPadula Security Properties Simple Security Property (SS-property) A state ( b , M , f ) satisfies the SS-property if ∀ ( s , o , a ) ∈ b , such that a ∈ { read , write } f O ( o ) ≤ f S ( s ) I.e. a subject can only observe objects of lower classification Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 11 / 41

  14. Bell-LaPadula Security Properties What about write access? What policy do we need for write access? Integrity: no write-up (to higher security levels) Confidentiality: no write-down (to lower security levels) Bell-LaPadula concerns confidentiality Subject must not transmit messages to subjects at lower levels Current security level allows communications A subject has to be downgraded to send messages Because subjects are computer programs they can be made to forget their knowledge when downgraded Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 12 / 41

  15. Bell-LaPadula Security Properties What about write access? What policy do we need for write access? Integrity: no write-up (to higher security levels) Confidentiality: no write-down (to lower security levels) Bell-LaPadula concerns confidentiality Subject must not transmit messages to subjects at lower levels Current security level allows communications A subject has to be downgraded to send messages Because subjects are computer programs they can be made to forget their knowledge when downgraded Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 12 / 41

  16. Bell-LaPadula Security Properties What about write access? What policy do we need for write access? Integrity: no write-up (to higher security levels) Confidentiality: no write-down (to lower security levels) Bell-LaPadula concerns confidentiality Subject must not transmit messages to subjects at lower levels Current security level allows communications A subject has to be downgraded to send messages Because subjects are computer programs they can be made to forget their knowledge when downgraded Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 12 / 41

  17. Bell-LaPadula Security Properties What about write access? What policy do we need for write access? Integrity: no write-up (to higher security levels) Confidentiality: no write-down (to lower security levels) Bell-LaPadula concerns confidentiality Subject must not transmit messages to subjects at lower levels Current security level allows communications A subject has to be downgraded to send messages Because subjects are computer programs they can be made to forget their knowledge when downgraded Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 12 / 41

  18. Bell-LaPadula Security Properties What about write access? What policy do we need for write access? Integrity: no write-up (to higher security levels) Confidentiality: no write-down (to lower security levels) Bell-LaPadula concerns confidentiality Subject must not transmit messages to subjects at lower levels Current security level allows communications A subject has to be downgraded to send messages Because subjects are computer programs they can be made to forget their knowledge when downgraded Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 12 / 41

  19. Bell-LaPadula Security Properties What about write access? What policy do we need for write access? Integrity: no write-up (to higher security levels) Confidentiality: no write-down (to lower security levels) Bell-LaPadula concerns confidentiality Subject must not transmit messages to subjects at lower levels Current security level allows communications A subject has to be downgraded to send messages Because subjects are computer programs they can be made to forget their knowledge when downgraded Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 12 / 41

  20. Bell-LaPadula Security Properties *-property A state ( b , M , f ) satisfies the *-property if ∀ ( s , o , a ) ∈ b , such that a ∈ { append , write } f C ( s ) ≤ f O ( o ) and if ∃ ( s , o , a ) ∈ b where a ∈ { append , write } , then ∀ o ′ , a ′ ∈ { read , write } , such that ( s , o ′ , a ′ ) ∈ b f O ( o ′ ) ≤ f O ( o ) I.e. a subject can only alter objects of higher classification, and cannot read a high-level object while writing to a low-level object. Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 13 / 41

  21. Bell-LaPadula Security Properties Discretionary Security Property Previous security properties provide Mandatory Access Control i.e. a centrally defined access policy The security levels are defined by a central policy Discreationary Access Control (DAC) decentralises the control The access control matrix M allows DAC in Bell-LaPadula A state ( b , M , f ) satisfies the DS-property if ∀ ( s , o , a ) ∈ b a ∈ M s , o . Dr Hans Georg Schaathun Formal Security Models Autumn 2009 – Week 7 14 / 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard

Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard

Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard Institute for Computer Science Security instruments learned so far Symmetric and asymmetric cryptography confidentiality, integrity, non-repudiation

319 views • 29 slides
Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile devices Carlos Luna Grupo de Seguridad Inform atica, InCo Facultad de Ingenier a, Universidad de la Rep ublica, Uruguay Formal analysis

751 views • 56 slides
Communication security: Formal models and proofs Hubert Comon September 1, 2016 1 Introduction

Communication security: Formal models and proofs Hubert Comon September 1, 2016 1 Introduction

Communication security: Formal models and proofs Hubert Comon September 1, 2016 1 Introduction to protocol security The context (I) credit cards contactless cards telephones online transactions cars, fridges,... Internet of

680 views • 11 slides
Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science, University of Bristol Finse Winter School, 7 May 2015 Security protocols: roles and goals Roles: P 1 , . . . , P n (e.g. clients, servers, devices,

1.43k views • 127 slides
Formal Formal Component Component Models Models for for Context Context

Formal Formal Component Component Models Models for for Context Context

Formal Formal Component Component Models Models for for Context Context Awareness Awareness Deploy FP7 MatsNeovius andKaisaSere FMCO2008 boAkademi FacultyofTechnology, 1 22.10.2008

431 views • 22 slides
Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models

Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models

Executable Formal Models in Rewriting Logic Carolyn Talcott RTA 2015 1 Formal Executable Models For design, prototyping, analysis. To clarify ideas, squash insidious bugs early on many bugs / flaws can be found by just formalizing

669 views • 50 slides
Models are the M in JML Using ADT Models in Formal Specification with JML Joseph Kiniry

Models are the M in JML Using ADT Models in Formal Specification with JML Joseph Kiniry

Models are the M in JML Using ADT Models in Formal Specification with JML Joseph Kiniry Department of Computer Science University College Dublin Models, not Modeling the M in JML is not the same as the M in UML, even if

381 views • 11 slides
= Id The basic type Id is simply an unbounded set of values to be used as identifiers. For a

= Id The basic type Id is simply an unbounded set of values to be used as identifiers. For a

3BA31 Formal Methods 1 How To Build ( VDM ) Models We are now going to explore how to go about building good formal models of systems of interest. The key notions are: Entities things, concepts, individuals, . . . Collections groups, birds

630 views • 24 slides
Algebraic Decomposition of Finite State Automata and Formal Models of Understanding University

Algebraic Decomposition of Finite State Automata and Formal Models of Understanding University

Attila Egri-Nagy, Chrystopher L. Nehaniv Algebraic Decomposition of Finite State Automata and Formal Models of Understanding University of Hertfordshire, United Kingdom Outline Krohn-Rhodes Theory Formal models of understanding,

193 views • 16 slides
Causality in Econometrics and Statistics: Structural Models are Causal Models Some Formal

Causality in Econometrics and Statistics: Structural Models are Causal Models Some Formal

Do-Calculus Conclusion DAG Limitations Comparing Causality in Econometrics and Statistics: Structural Models are Causal Models Some Formal Statements Part III on Causality by Rodrigo Pinto & James J. Heckman James J. Heckman Econ 312,

1.86k views • 162 slides
Formal Models and Analysis for Self-Adaptive Cyber- Physical Systems International Conference on

Formal Models and Analysis for Self-Adaptive Cyber- Physical Systems International Conference on

Formal Models and Analysis for Self-Adaptive Cyber- Physical Systems International Conference on Formal Aspects of Component Software, Besanon, France, 19 th October 2016. Prof. Dr. Holger Giese Head of the System Analysis & Modeling

704 views • 47 slides
Security models Bj orn Victor Security models p.1/14 Harrison-Ruzzo-Ullman (HRU)

Security models Bj orn Victor Security models p.1/14 Harrison-Ruzzo-Ullman (HRU)

Information Technology Security models Bj orn Victor Security models p.1/14 Harrison-Ruzzo-Ullman (HRU) Information Technology Subjects S , objects O , access matrix M , access rights A : enforcement: read, write, execute, append,. .

371 views • 14 slides
Formal Models of Language Paula Buttery Dept of Computer Science & Technology, University of

Formal Models of Language Paula Buttery Dept of Computer Science & Technology, University of

Formal Models of Language Paula Buttery Dept of Computer Science & Technology, University of Cambridge Paula Buttery (Computer Lab) Formal Models of Language 1 / 31 Regular grammars give us linear trees guard start S the A B girl

476 views • 31 slides
Formal Behavioural Models and Compliance Analysis for Service Oriented Systems Natallia Kokash

Formal Behavioural Models and Compliance Analysis for Service Oriented Systems Natallia Kokash

Formal Behavioural Models and Compliance Analysis for Service Oriented Systems Natallia Kokash and Farhad Arbab 21/10/2008 FMCO Sophia-Antipolis 1 Introduction Role of Formal Methods in SOA COMPAS Project Reo Coordination

584 views • 29 slides
Formal Models of Language Paula Buttery Dept of Computer Science & Technology, University of

Formal Models of Language Paula Buttery Dept of Computer Science & Technology, University of

Formal Models of Language Paula Buttery Dept of Computer Science & Technology, University of Cambridge Paula Buttery (Computer Lab) Formal Models of Language 1 / 30 Course Admin What is this course about? - What can formal models of

818 views • 30 slides
Formal Models of Language Paula Buttery Dept of Computer Science & Technology, University of

Formal Models of Language Paula Buttery Dept of Computer Science & Technology, University of

Formal Models of Language Paula Buttery Dept of Computer Science & Technology, University of Cambridge Paula Buttery (Computer Lab) Formal Models of Language 1 / 26 Recap: We said LR shift-reduce parser wasnt a good fit for natural

791 views • 26 slides
CS333 Intro to Operating Systems Jonathan Walpole Page Replacement Page Replacement Assume a

CS333 Intro to Operating Systems Jonathan Walpole Page Replacement Page Replacement Assume a

CS333 Intro to Operating Systems Jonathan Walpole Page Replacement Page Replacement Assume a normal page table (e.g., BLITZ) User-program is executing A PageInvalidFault occurs! - The page needed is not in memory Select some frame and remove

735 views • 56 slides
What does neighbourhood mean for people living with dementia? Andrew Clark (University of

What does neighbourhood mean for people living with dementia? Andrew Clark (University of

What does neighbourhood mean for people living with dementia? Andrew Clark (University of Salford) a.clark@salford.ac.uk Sarah Campbell (University of Manchester) Richard Ward (University of Stirling), Agneta Kullberg (Linkoping University),

340 views • 13 slides
Judges 6:3-13 Bibles Are Available On The Back Table Download This Presentation At

Judges 6:3-13 Bibles Are Available On The Back Table Download This Presentation At

Open Your Bible To: Judges 6:3-13 Bibles Are Available On The Back Table Download This Presentation At LivingWaterCorona.com/slides Read the Bible In 3 Years with us! Sign up for daily reminders on MyBibleReading.com Judges 6-7 Where Are

274 views • 15 slides
PU! Setting up parallel universe in your pool and when (not!) to use it HTCondor Week 2018

PU! Setting up parallel universe in your pool and when (not!) to use it HTCondor Week 2018

PU! Setting up parallel universe in your pool and when (not!) to use it HTCondor Week 2018 Madison, WI Jason Patton (jpatton@cs.wisc.edu) Center for High Throughput Computing Department of Computer Sciences University of Wisconsin-Madison

671 views • 27 slides
FSILG Housing Update AILG Special Meeting December 2, 2020 Akil Middleton 08, AILG Board

FSILG Housing Update AILG Special Meeting December 2, 2020 Akil Middleton 08, AILG Board

FSILG Housing Update AILG Special Meeting December 2, 2020 Akil Middleton 08, AILG Board Chair Suzy Nelson, MIT Vice President and Dean for Student Life MIT Spring Housing Update ~2,800 indicated they want to return to campus housing .

263 views • 10 slides
Resources & Contacts Melissa Friedland EPA Superfund Redevelopment Initiative SRI

Resources & Contacts Melissa Friedland EPA Superfund Redevelopment Initiative SRI

Resources & Contacts Melissa Friedland EPA Superfund Redevelopment Initiative SRI Coordinators by Region https://www.epa.gov/superfund-redevelopment-initiative/regional- redevelopment-contacts Region Name Phone Email Joe LeMay 617-918-1323

148 views • 3 slides
BMCMT Bounded Model Checking of TLA + Specifications with SMT Jure Kukovec Igor Konnov Thanh

BMCMT Bounded Model Checking of TLA + Specifications with SMT Jure Kukovec Igor Konnov Thanh

BMCMT Bounded Model Checking of TLA + Specifications with SMT Jure Kukovec Igor Konnov Thanh Hai Tran work in progress TLA + Community Event Oxford, UK, July 2018 APALACHE Abstraction-based Parameterized TLA + Checker A.1 TLA + patterns

864 views • 58 slides
A Logical Characterization of Individual-Based Models James F . Lynch Department of Computer

A Logical Characterization of Individual-Based Models James F . Lynch Department of Computer

A Logical Characterization of Individual-Based Models James F . Lynch Department of Computer Science Clarkson University June 26, 2008 James F. Lynch A Logical Characterization of Individual-Based Models What Is an Individual-Based Model?

501 views • 33 slides

More recommend