Security models – Björn Victor – PowerPoint PPT Presentation

SLIDE 1

Information Technology

Security models

Björn Victor

Security models – p.1/14

SLIDE 2

Information Technology

Harrison-Ruzzo-Ullman (HRU)

Subjects S, objects O, access matrix M, access rights A:

  • enforcement: read, write, execute, append,. . .
  • rights movement: own, control, a⋆, a+
  • domain change: enter

Primitive operations:

  • enter a into M(s, o)
  • delete a from M(s, o)
  • create/delete subject/object s/o

Security models – p.2/14

SLIDE 3

Information Technology

HRU: Command examples

Process p creates file f with default permissions:

  command create_file(p, f)
    create object f
    enter "own" into M(p, f)
    enter "read" into M(p, f)
    enter "write" into M(p, f)
  end

Owner p can give read rights on f to q:

  command grant_read(p, q, f)
    if "own" in M(p, f) then
      enter "read" into M(q, f)
  end

Security models – p.3/14

SLIDE 4

Information Technology

HRU: Command examples 2

Transferable permissions: ⋆-marked permissions can be copied (without the ⋆) to others:

  command copy_read(p, q, f)
    if "read*" in M(p, f) then
      enter "read" into M(q, f)
  end

+-marked permissions can be transferred to others, losing the permission:

  command transfer_read(p, q, f)
    if "read+" in M(p, f) then
      delete "read+" from M(p, f)
      enter "read+" into M(q, f)
  end

Security models – p.4/14

SLIDE 5

Information Technology

HRU: States and Transitions

The state of the access control system is the current values of (S, O, M). Transitions are defined by the commands and their effects on (S, O, M).

Write P −c→ Q if the command c takes the state P to the state Q.

Security models – p.5/14

SLIDE 6

Information Technology

HRU: Properties

Leaking rights:

A state P = (S1, O1, M1) leaks the right r if there is a transition from P to a state Q = (S2, O2, M2) such that for some s ∈ S1 and o ∈ O1,

  r ∉ M1(s, o) and r ∈ M2(s, o)

(i.e. the transition adds r to a place where it wasn't)

Safe states:

A state P is safe with respect to r if no sequence of transitions from P leaks r.

Security models – p.6/14
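The HRU commands of slides 3 and 4 together with the leak test of slide 6, as an added Python example that is not part of the original slides: the class name HRU, the functions run, leaks and leak_within, and the sample subjects p, q and file f are my own choices. The bounded search only explores command sequences up to a given depth, so it can find a leak but cannot prove a state safe; that limitation is inherent, since safety for general HRU systems is undecidable.

```python
from copy import deepcopy


class HRU:
    """Constructed example (not slide code): state (S, O, M) of an HRU
    system. M maps (subject, object) pairs to a set of access rights."""

    def __init__(self):
        self.S = set()   # subjects
        self.O = set()   # objects
        self.M = {}      # access matrix, (s, o) -> set of rights

    def rights(self, s, o):
        return self.M.get((s, o), set())

    # --- primitive operations (slide 2) ---
    def enter(self, a, s, o):
        self.M.setdefault((s, o), set()).add(a)

    def delete(self, a, s, o):
        self.rights(s, o).discard(a)

    def create_subject(self, s):
        self.S.add(s)

    def create_object(self, o):
        self.O.add(o)

    # --- commands (slides 3 and 4) ---
    def create_file(self, p, f):
        self.create_object(f)
        for a in ("own", "read", "write"):
            self.enter(a, p, f)

    def grant_read(self, p, q, f):
        if "own" in self.rights(p, f):
            self.enter("read", q, f)

    def copy_read(self, p, q, f):
        # read* may be copied, but the copy carries no star
        if "read*" in self.rights(p, f):
            self.enter("read", q, f)

    def transfer_read(self, p, q, f):
        # read+ moves to q; p loses it
        if "read+" in self.rights(p, f):
            self.delete("read+", p, f)
            self.enter("read+", q, f)


def run(P, command, *args):
    """Transition P -c-> Q: apply command c to a copy of P and return Q."""
    Q = deepcopy(P)
    getattr(Q, command)(*args)
    return Q


def leaks(P, Q, r):
    """Slide 6: P leaks r in the transition to Q if some cell M(s, o), with
    s and o already present in P, lacked r in P and holds r in Q."""
    return any(r not in P.rights(s, o) and r in Q.rights(s, o)
               for s in P.S for o in P.O)


def leak_within(P, r, candidates, depth):
    """Bounded search over command sequences of length <= depth drawn from
    `candidates` (a list of (name, args) tuples). Finds a leak of r if one
    exists within the bound; it cannot prove safety."""
    frontier = [P]
    for _ in range(depth):
        next_frontier = []
        for state in frontier:
            for name, args in candidates:
                Q = run(state, name, *args)
                if leaks(state, Q, r):
                    return True
                next_frontier.append(Q)
        frontier = next_frontier
    return False


def demo():
    # constructed scenario: p creates f, then holds a transferable read on it
    P = HRU()
    for s in ("p", "q"):
        P.create_subject(s)
    P.create_file("p", "f")
    P.enter("read+", "p", "f")
    grant = run(P, "grant_read", "p", "q", "f")
    transfer = run(P, "transfer_read", "p", "q", "f")
    cmds = [("grant_read", ("p", "q", "f")), ("copy_read", ("p", "q", "f"))]
    return (
        leaks(P, grant, "read"),        # True: q gains read on f
        leaks(P, grant, "own"),         # False: ownership untouched
        "read+" in transfer.rights("q", "f")
        and "read+" not in transfer.rights("p", "f"),   # True: moved, not copied
        leak_within(P, "own", cmds, 3),  # False: no command hands out own
    )
```

The leak test compares only cells whose subject and object already existed in P, exactly as the slide's quantification over S1 and O1 requires; rights placed in cells of newly created subjects or objects are not counted as leaks.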

SLIDE 7

Information Technology

HRU: Policy example

"For each buffer b, there is exactly one process p which can write to it, and only one process q which can read from it"

A state Q = (S, O, M) is authorised only if for every buffer b in O:

  • the set {p : p ∈ S and "read" ∈ M(p, b)} is a singleton, and
  • the set {p : p ∈ S and "write" ∈ M(p, b)} is a singleton

Security models – p.7/14

SLIDE 8

Information Technology

HRU: Policy example 2

"No subject can get access to a file f unless that right has been granted by the owner of f"

If Q = (S, O, M) is an authorised state, and for some file f and subject s, "read" ∉ M(s, f) and Q −c→ (S1, O1, M1) such that "read" ∈ M1(s, f), then (S1, O1, M1) is authorised only if for some p ∈ S, "own" ∈ M(p, f) and c = grant_read(p, s, f).

Security models – p.8/14
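The two authorisation policies of slides 7 and 8 written as predicates over HRU states, as an added Python example that is not part of the original slides. A state is a plain (S, O, M) tuple with M a dict from (subject, object) to a set of rights, a command is a tuple (name, args...), and the function names holders, buffer_policy_ok and grant_policy_ok as well as the sample subjects, file f and buffer b are my own choices.

```python
def holders(S, M, o, right):
    """Subjects in S holding `right` on object o."""
    return {p for p in S if right in M.get((p, o), set())}


def buffer_policy_ok(S, O, M, buffers):
    """Slide 7: a state (S, O, M) is authorised only if every buffer b in O
    has exactly one reader and exactly one writer."""
    return all(len(holders(S, M, b, "read")) == 1
               and len(holders(S, M, b, "write")) == 1
               for b in buffers if b in O)


def grant_policy_ok(Q, c, Q1, files):
    """Slide 8: for a transition Q -c-> Q1 with c = (name, *args), if some
    subject s gains "read" on a file f, Q1 is authorised only if c is
    grant_read(p, s, f) for some owner p of f in Q."""
    S, O, M = Q
    S1, O1, M1 = Q1
    for f in files:
        owners = holders(S, M, f, "own")
        for s in S1:
            gained = ("read" not in M.get((s, f), set())
                      and "read" in M1.get((s, f), set()))
            if gained and not any(c == ("grant_read", p, s, f) for p in owners):
                return False
    return True


def demo():
    # constructed state: p owns file f; buffer b has writer p and reader q
    S, O = {"p", "q"}, {"f", "b"}
    M = {("p", "f"): {"own", "read", "write"},
         ("p", "b"): {"write"},
         ("q", "b"): {"read"}}
    Q = (S, O, M)
    # successor state in which q additionally holds read on f
    M1 = {k: set(v) for k, v in M.items()}
    M1[("q", "f")] = {"read"}
    Q1 = (set(S), set(O), M1)
    # a variant with two readers of b breaks the singleton rule
    M_bad = {**M, ("p", "b"): {"read", "write"}}
    return (
        buffer_policy_ok(S, O, M, {"b"}),                              # True
        buffer_policy_ok(S, O, M_bad, {"b"}),                          # False
        grant_policy_ok(Q, ("grant_read", "p", "q", "f"), Q1, {"f"}),  # True
        grant_policy_ok(Q, ("copy_read", "p", "q", "f"), Q1, {"f"}),   # False
    )
```

grant_policy_ok quantifies over the subjects of the successor state, so a subject created by the same command and handed "read" in the same step is also caught; the owners, as on the slide, are taken from the state before the transition.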

SLIDE 9

Information Technology

Bell-LaPadula (BLP)

S, O, A, plus a set L of security levels, partially ordered.

A state is a triple (b, M, f) where

  • b : currently active accesses: set of (s, o, a) triples
  • M : current access control matrix (permissions)
  • f : current security level assignment: three functions (fs, fc, fo) where
      fs(s) : maximal security level the subject s can have (clearance)
      fc(s) : current security level of the subject s
      fo(o) : classification of the object o
    and fc(s) ≤ fs(s) (fs dominates fc)

Transitions change b and f.

Security models – p.9/14

SLIDE 10

Information Technology

BLP: Simple Security property

A state (b, M, f) satisfies the ss-property if

∀(s, o, a) ∈ b: if a is read or write, fo(o) ≤ fs(s).

(a subject may read or write only if it has at least as high security clearance as the object)

Security models – p.10/14

SLIDE 11

Information Technology

BLP: Star property

A state (b, M, f) satisfies the ⋆-property if

∀(s, o, a)∈ b: if a is write or append, fc(s) ≤ fo(o) (no write down) and ∀ other (s, o1, a1) ∈ b such that a1 is read or write: fo(o1) ≤ fo(o)

(can’t be reading a higher level object while writing a lower)

Security models – p.11/14

SLIDE 12

Information Technology

BLP: Discretionary security prop.

A state (b, M, f) satisfies the ds-property if

∀(s, o, a) ∈ b : a ∈ M(s, o)

(only permitted accesses are allowed)

Security models – p.12/14

SLIDE 13

Information Technology

BLP: Secure states

A state is secure if all of the ss-property, ⋆-property, and ds-property hold.

Security models – p.13/14

SLIDE 14

Information Technology

BLP: Basic security theorem

A transition between states, (b1, M1, f1) → (b2, M2, f2), is secure if both states are secure. If the initial state is secure, and all transitions are secure, the system is secure. Prove by showing transitions preserve the properties.

Example: the ss-property is preserved if and only if, for b = b2 \ b1:

  • (b, _, f2) satisfies the ss-property, and
  • if (s, o, a) ∈ b1 does NOT satisfy the ss-property with respect to f2, then (s, o, a) ∉ b2

Security models – p.14/14
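The three BLP properties of slides 10 to 12, the secure-state definition of slide 13 and the ss-preservation condition of slide 14, as an added Python example that is not part of the original slides. The slides only require L to be partially ordered; the Level class here uses the common (rank, category set) lattice, where a level dominates another when its rank is at least as high and its category set is a superset, which is my choice, as are the function names ss_property, star_property, ds_property, secure and ss_preserved and the sample subjects alice and bob and objects plan and memo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """Security level as (classification rank, category set). Dominance
    (<=) holds when the rank is lower or equal and the categories are a
    subset; this is a partial order, as the slides require of L."""
    rank: int
    cats: frozenset

    def __le__(self, other):
        return self.rank <= other.rank and self.cats <= other.cats


def L(rank, *cats):
    return Level(rank, frozenset(cats))


# A state is (b, M, f): b = set of (s, o, a) accesses, M = dict mapping
# (s, o) to a set of rights, f = (fs, fc, fo) with fs and fc keyed by
# subject and fo keyed by object.

def ss_property(b, f):
    """Slide 10: every read/write access (s, o, a) has fo(o) <= fs(s)."""
    fs, _, fo = f
    return all(fo[o] <= fs[s] for (s, o, a) in b if a in ("read", "write"))


def star_property(b, f):
    """Slide 11: no write down (fc(s) <= fo(o) for write/append), and while
    writing o the subject reads or writes only objects o1 with fo(o1) <= fo(o)."""
    _, fc, fo = f
    for (s, o, a) in b:
        if a not in ("write", "append"):
            continue
        if not fc[s] <= fo[o]:
            return False
        for (s1, o1, a1) in b:
            if s1 == s and (o1, a1) != (o, a) and a1 in ("read", "write"):
                if not fo[o1] <= fo[o]:
                    return False
    return True


def ds_property(b, M):
    """Slide 12: every active access is permitted by the matrix."""
    return all(a in M.get((s, o), set()) for (s, o, a) in b)


def secure(state):
    """Slide 13: all three properties hold."""
    b, M, f = state
    return ss_property(b, f) and star_property(b, f) and ds_property(b, M)


def ss_preserved(state1, state2):
    """Slide 14: accesses new in b2 satisfy ss under f2, and accesses of b1
    that violate ss under f2 are absent from b2."""
    b1, _, _ = state1
    b2, _, f2 = state2
    return (ss_property(b2 - b1, f2)
            and all(t not in b2 for t in b1 if not ss_property({t}, f2)))


def demo():
    # constructed levels and assignments, not from the slides
    fs = {"alice": L(1, "nuc"), "bob": L(0)}
    fo = {"plan": L(1, "nuc"), "memo": L(0)}
    M = {("alice", "plan"): {"read"}, ("alice", "memo"): {"write"},
         ("bob", "memo"): {"read"}}
    f_high = (fs, {"alice": L(1, "nuc"), "bob": L(0)}, fo)  # alice at clearance
    f_low = (fs, {"alice": L(0), "bob": L(0)}, fo)          # alice lowered fc
    b = {("alice", "plan", "read"), ("alice", "memo", "write")}
    # reclassify memo upwards while bob is reading it
    fo_up = {"plan": L(1, "nuc"), "memo": L(1, "nuc")}
    f_up = (fs, f_low[1], fo_up)
    old = ({("bob", "memo", "read")}, M, f_low)
    return (
        secure((b, M, f_high)),                            # False: write down to memo
        secure((b, M, f_low)),                             # False: reads plan while writing memo
        secure(({("alice", "memo", "write")}, M, f_low)),  # True
        ss_preserved(old, (old[0], M, f_up)),              # False: bob's read now violates ss
        ss_preserved(old, (set(), M, f_up)),               # True: violating access was dropped
    )
```

The second demo case is the one the ⋆-property's second clause exists for: lowering fc alone removes the write-down violation, but the subject is still reading a higher object while writing a lower one, so the state stays insecure until that read is released.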