
Security models – Björn Victor (PowerPoint PPT presentation, 14 slides)



1. Information Technology – Security models
Björn Victor
Security models – p.1/14

2. Harrison-Ruzzo-Ullman (HRU)
Subjects S, objects O, access matrix M, access rights A:
• enforcement: read, write, execute, append, ...
• rights movement: own, control, a⋆, a+
• domain change: enter
Primitive operations:
• enter a into M(s, o)
• delete a from M(s, o)
• create/delete subject/object s/o

3. HRU: Command examples
Process p creates file f with default permissions:
    command create_file(p, f)
        create object f
        enter "own" into M(p, f)
        enter "read" into M(p, f)
        enter "write" into M(p, f)
    end
Owner p can give read rights on f to q:
    command grant_read(p, q, f)
        if "own" in M(p, f) then
            enter "read" into M(q, f)
    end

4. HRU: Command examples 2
Transferable permissions: ⋆-marked permissions can be copied (without the ⋆) to others:
    command copy_read(p, q, f)
        if "read*" in M(p, f) then
            enter "read" into M(q, f)
    end
+-marked permissions can be transferred to others, losing the permission:
    command transfer_read(p, q, f)
        if "read+" in M(p, f) then
            delete "read+" from M(p, f)
            enter "read+" into M(q, f)
    end
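The four commands of slides 3 and 4 run over an explicit access matrix, as an added example that is not part of the slides; the state layout, the `rights` helper and the subject and object names are assumptions made here.

```python
# Added example (not from the slides): the HRU commands of slides 3 and 4 run
# over an explicit access matrix. M maps (subject, object) to a set of rights;
# a missing key means no rights. Subject/object names are constructed.
from collections import defaultdict

def new_state():
    """A fresh HRU state (S, O, M) with no subjects, objects or rights."""
    return {"S": set(), "O": set(), "M": defaultdict(set)}

def rights(st, s, o):
    return frozenset(st["M"].get((s, o), ()))   # M(s, o) without creating a cell

def enter(st, a, s, o):         # primitive: enter a into M(s, o)
    st["M"][(s, o)].add(a)
def delete(st, a, s, o):        # primitive: delete a from M(s, o)
    st["M"][(s, o)].discard(a)

def create_file(st, p, f):
    """Slide 3: p creates object f and gets own, read, write on it."""
    st["O"].add(f)
    for a in ("own", "read", "write"):
        enter(st, a, p, f)

def grant_read(st, p, q, f):
    """Slide 3: only an owner of f may give q read on f."""
    if "own" in rights(st, p, f):
        enter(st, "read", q, f)

def copy_read(st, p, q, f):
    """Slide 4: a read* holder copies plain read to q and keeps read*."""
    if "read*" in rights(st, p, f):
        enter(st, "read", q, f)

def transfer_read(st, p, q, f):
    """Slide 4: a read+ holder passes read+ to q and loses it."""
    if "read+" in rights(st, p, f):
        delete(st, "read+", p, f)
        enter(st, "read+", q, f)

def demo():
    """Constructed run: a non-owner's grant is a no-op, the owner's is not."""
    st = new_state()
    st["S"].update({"p", "q", "r"})
    create_file(st, "p", "f")
    grant_read(st, "q", "r", "f")       # q does not own f: nothing happens
    after_bad_grant = rights(st, "r", "f")
    grant_read(st, "p", "q", "f")       # owner p gives q read
    enter(st, "read+", "q", "f")        # constructed: q also holds read+
    transfer_read(st, "q", "r", "f")    # read+ moves from q to r
    return after_bad_grant, rights(st, "q", "f"), rights(st, "r", "f")
```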

5. HRU: States and Transitions
The state of the access control system is the current values of (S, O, M).
Transitions are defined by the commands and their effects on (S, O, M).
Write P −c→ Q if the command c takes the state P to the state Q.

6. HRU: Properties
Leaking rights: a state P = (S1, O1, M1) leaks the right r if there is a transition from P to a state Q = (S2, O2, M2) such that for some s ∈ S1 and o ∈ O1, r ∉ M1(s, o) and r ∈ M2(s, o) (i.e. the transition adds r to a place where it wasn't).
Safe states: a state P is safe with respect to r if no sequence of transitions from P leaks r.

7. HRU: Policy example
"For each buffer b, there is exactly one process p which can write to it, and only one process q which can read from it."
A state Q = (S, O, M) is authorised only if for every buffer b in O:
• the set { p : p ∈ S and "read" ∈ M(p, b) } is a singleton, and
• the set { p : p ∈ S and "write" ∈ M(p, b) } is a singleton.
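The leak and safety definitions of slide 6 and the buffer policy of slide 7, as an added example that is not part of the slides. The tuple state layout, the `conditional_grant` command shape (the "if right in M(p, f) then enter" pattern that grant_read and copy_read share), the depth bound and all names are assumptions made here; the bounded search stands in for the general safety question, which is undecidable for unrestricted HRU systems.

```python
# Added example (not from the slides): leaks/safety (slide 6) and the buffer
# policy (slide 7). A state is (S, O, M) with M a dict from (subject, object)
# to a frozenset of rights; a command maps state -> state. Names are constructed.

def leaks(P, Q, r):
    """Slide 6: the step P -> Q leaks r if r lands in an M(s, o) that lacked it."""
    S1, O1, M1 = P
    M2 = Q[2]
    return any(r not in M1.get((s, o), ()) and r in M2.get((s, o), ())
               for s in S1 for o in O1)

def safe_upto(P, commands, r, depth):
    """Slide 6, bounded: no command sequence of length <= depth from P leaks r.
    Safety is undecidable for general HRU systems, so this explores finitely."""
    frontier = [P]
    for _ in range(depth):
        successors = []
        for state in frontier:
            for c in commands:
                nxt = c(state)
                if leaks(state, nxt, r):
                    return False
                successors.append(nxt)
        frontier = successors
    return True

def buffer_policy_ok(Q, buffers):
    """Slide 7: every buffer has exactly one reader and exactly one writer."""
    S, O, M = Q
    return all(len({p for p in S if "read" in M.get((p, b), ())}) == 1 and
               len({p for p in S if "write" in M.get((p, b), ())}) == 1
               for b in buffers)

def conditional_grant(cond, p, q, f, right):
    """Command shape shared by slides 3-4: if cond in M(p, f) then enter right
    into M(q, f). conditional_grant("own", p, q, f, "read") is grant_read."""
    def cmd(state):
        S, O, M = state
        if cond in M.get((p, f), ()):
            M = dict(M)                                   # states are immutable
            M[(q, f)] = M.get((q, f), frozenset()) | {right}
        return (S, O, M)
    return cmd

# Constructed state: p owns and writes buffer b, q is its only reader.
P0 = ({"p", "q", "r"}, {"b"},
      {("p", "b"): frozenset({"own", "write"}), ("q", "b"): frozenset({"read"})})
GRANT = conditional_grant("own", "p", "r", "b", "read")   # grant_read(p, r, b)
```

Applying GRANT to P0 leaks "read" to r and breaks the one-reader policy, while no sequence of GRANT steps ever leaks "write".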

8. HRU: Policy example 2
"No subject can get access to a file f unless that right has been granted by the owner of f."
If Q = (S, O, M) is an authorised state, and for some file f and subject s, "read" ∉ M(s, f) and Q −c→ (S1, O1, M1) such that "read" ∈ M1(s, f), then (S1, O1, M1) is authorised only if for some p ∈ S, "own" ∈ M(p, f) and c = grant_read(p, s, f).

9. Bell-LaPadula (BLP)
S, O, A, plus a set L of security levels, partially ordered.
A state is a triple (b, M, f) where
• b: currently active accesses: a set of (s, o, a) triples
• M: current access control matrix (permissions)
• f: current security level assignment: three functions (f_s, f_c, f_o) where
    f_s(s): maximal security level the subject s can have (clearance)
    f_c(s): current security level of the subject s
    f_o(o): classification of the object o
  and f_c(s) ≤ f_s(s) (f_s dominates f_c).
Transitions change b and f.

10. BLP: Simple Security property
A state (b, M, f) satisfies the ss-property if ∀ (s, o, a) ∈ b: if a is read or write, f_o(o) ≤ f_s(s).
(A subject may read or write only if it has at least as high a security clearance as the object.)

11. BLP: Star property
A state (b, M, f) satisfies the ⋆-property if ∀ (s, o, a) ∈ b: if a is write or append, f_c(s) ≤ f_o(o) (no write down), and ∀ other (s, o1, a1) ∈ b such that a1 is read or write: f_o(o1) ≤ f_o(o) (can't be reading a higher level object while writing a lower one).

12. BLP: Discretionary security property
A state (b, M, f) satisfies the ds-property if ∀ (s, o, a) ∈ b: a ∈ M(s, o) (only permitted accesses are allowed).

13. BLP: Secure states
A state is secure if all of the ss-property, ⋆-property, and ds-property hold.

14. BLP: Basic security theorem
A transition between states, (b1, M1, f1) → (b2, M2, f2), is secure if both states are secure.
If the initial state is secure, and all transitions are secure, the system is secure.
Prove by showing transitions preserve the properties.
Example: the ss-property is preserved if and only if:
• for b = b2 \ b1: (b, _, f2) satisfies the ss-property, and
• if (s, o, a) ∈ b1 does NOT satisfy the ss-property with respect to f2, then (s, o, a) ∉ b2.
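The BLP definitions of slides 9 to 13 and the ss-preservation condition of slide 14 as executable checks, an added example that is not part of the slides. The lattice of (rank, compartment set) pairs, the dominance function and every subject, object, level and access below are constructed assumptions; the failing state is built so that only the ⋆-property's "reading higher while writing lower" clause rejects it.

```python
# Added example (not from the slides): the BLP state (b, M, f) of slide 9, the
# ss-, *- and ds-properties of slides 10-12, secure states (slide 13) and the
# ss-preservation condition (slide 14). Levels, names and accesses are constructed.

def dominates(hi, lo):
    """hi >= lo in the partial order L: higher rank and a superset of compartments."""
    return hi[0] >= lo[0] and hi[1] >= lo[1]

def ss_property(b, f):
    """Slide 10: read/write only on objects the subject's clearance f_s dominates."""
    fs, fc, fo = f
    return all(dominates(fs[s], fo[o]) for s, o, a in b if a in ("read", "write"))

def star_property(b, f):
    """Slide 11: no write down, and nothing read/written above a level written to."""
    fs, fc, fo = f
    for s, o, a in b:
        if a in ("write", "append"):
            if not dominates(fo[o], fc[s]):
                return False
            if any(s1 == s and a1 in ("read", "write") and not dominates(fo[o], fo[o1])
                   for s1, o1, a1 in b):
                return False
    return True

def ds_property(b, M):
    """Slide 12: every active access is permitted by the matrix."""
    return all(a in M.get((s, o), ()) for s, o, a in b)

def secure(state):
    """Slide 13: a state is secure when all three properties hold."""
    b, M, f = state
    return ss_property(b, f) and star_property(b, f) and ds_property(b, M)

def ss_preserved(b1, b2, f2):
    """Slide 14: the ss-property survives b1 -> b2 under the new levels f2."""
    return (ss_property(b2 - b1, f2) and
            all(t not in b2 for t in b1 if not ss_property({t}, f2)))

# Constructed lattice and system: alice is cleared HIGH but currently works LOW.
LOW, HIGH = (0, frozenset()), (1, frozenset({"crypto"}))
F = ({"alice": HIGH, "bob": LOW},                   # f_s: clearance
     {"alice": LOW, "bob": LOW},                    # f_c: current level
     {"secret.txt": HIGH, "public.txt": LOW})       # f_o: classification
M = {("alice", "secret.txt"): {"read"}, ("alice", "public.txt"): {"write"},
     ("bob", "public.txt"): {"read"}, ("bob", "secret.txt"): {"append"}}
S0 = ({("bob", "public.txt", "read")}, M, F)
S1 = ({("bob", "public.txt", "read"), ("bob", "secret.txt", "append")}, M, F)
S_BAD = ({("alice", "secret.txt", "read"), ("alice", "public.txt", "write")}, M, F)
```

S0 and S1 are secure (bob's append to secret.txt is a permitted write up), so S0 → S1 is a secure transition; S_BAD passes the ss- and ds-properties but fails the ⋆-property because alice holds a read on a HIGH object while writing a LOW one.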
