Security models, part 2. Björn Victor, Fall 2007. (PowerPoint PPT presentation)



SLIDE 1

Security models, part 2

Björn Victor

Fall 2007

SLIDE 2

Denning model | Chinese Wall | Clark-Wilson | Principles

Doris Denning model

BLP: covert channels possible; the ⋆-property is too strong.
Improvement: analyse actual (and indirect) information flow.
SLIDE 3

Lattice

A lattice is a partial order ≤ in which every pair (x, y) has a greatest lower bound (GLB) and a least upper bound (LUB), i.e.

∀x, y : ∃z : z ≤ x ∧ z ≤ y (z is a lower bound), and
∀k : k ≤ x ∧ k ≤ y ⇒ k ≤ z (z is the greatest lower bound);

and vice versa for the least upper bound.
SLIDE 4

Authorized flows (policy)

An information flow from x to y is authorized (permitted) only if lvl(x) ≤ lvl(y).

Explicit flow from xi to y: y := f(x1, ..., xn) is permitted if LUB(x1, ..., xn) ≤ y.

Implicit flow from x to yi: if p(x) then y1 := ...; ···; yn := ...; endif is permitted if x ≤ GLB(y1, ..., yn) (and each flow in the then part is permitted).

Lattice: one can always find and compare with LUB/GLB.

Transitivity: a sequence of flows z0 → ··· → zn is permitted if each flow zi → zi+1 is permitted.
SLIDE 8

Examples

z := x; y := z;
Flow x → y is allowed if x → z and z → y are allowed.

z := 0; if (x == 1) then z := 1; endif; y := z
with x ∈ {0, 1}. Which flows exist?
x → z (implicit)
z → y (explicit)
x → y (indirect, by transitivity)
SLIDE 12

More examples

y := x1 + x2 * x3

if x then y1 := 0; y2 := 42; y3 := 17; endif;

Constants have the bottom element of the lattice as their level (by policy).
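As an added example (not from the original slides), the following Python code implements a small lattice of security levels, a rank combined with a set of compartments, with LUB and GLB, and checks the explicit and implicit flow rules of slides 4 and 8 over a tiny statement representation; integer literals are treated as constants at the bottom element, as slide 12 states. The statement encoding, the level names and the sample policies are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """Security level = linear rank plus a set of compartments (a product lattice)."""
    rank: int
    comps: frozenset

    def __le__(self, other):
        # x <= y iff x's rank is not higher and every compartment of x is in y
        return self.rank <= other.rank and self.comps <= other.comps


def lub(*levels):
    """Least upper bound: highest rank, union of compartments."""
    return Level(max(lv.rank for lv in levels),
                 frozenset().union(*(lv.comps for lv in levels)))


def glb(*levels):
    """Greatest lower bound: lowest rank, intersection of compartments."""
    return Level(min(lv.rank for lv in levels),
                 frozenset.intersection(*(lv.comps for lv in levels)))


BOTTOM = Level(0, frozenset())       # constants get the bottom element (by policy)
PUBLIC = Level(0, frozenset())       # assumed level names for the example
CONFIDENTIAL = Level(1, frozenset())
SECRET = Level(2, frozenset())


def level_of(src, policy):
    """Integer literals are constants (bottom); names are looked up in the policy."""
    return BOTTOM if isinstance(src, int) else policy[src]


def assigned_vars(stmts):
    """Every variable assigned anywhere inside stmts, including nested ifs."""
    out = []
    for st in stmts:
        if st[0] == "assign":
            out.append(st[1])
        else:
            out.extend(assigned_vars(st[2]))
    return out


def check_program(stmts, policy):
    """Return [(flow description, permitted)] for each explicit and implicit flow.

    Statements are ("assign", target, [sources]) or ("if", [cond_vars], [body]).
    """
    results = []
    for st in stmts:
        if st[0] == "assign":                              # y := f(x1, ..., xn)
            _, target, sources = st
            ok = lub(*(level_of(s, policy) for s in sources)) <= policy[target]
            results.append((f"{sources} -> {target} (explicit)", ok))
        else:                                              # if p(x) then ... endif
            _, cond_vars, body = st
            targets = assigned_vars(body)
            ok = (not targets or
                  lub(*(policy[v] for v in cond_vars)) <= glb(*(policy[t] for t in targets)))
            results.append((f"{cond_vars} => {targets} (implicit)", ok))
            results.extend(check_program(body, policy))    # each flow in the then part
    return results


def program_permitted(stmts, policy):
    """Transitivity: the sequence is permitted iff every single flow in it is."""
    return all(ok for _, ok in check_program(stmts, policy))


# Constructed programs from the slides, in the encoding above.
SLIDE8_PROGRAM = [                      # z := 0; if (x == 1) then z := 1; endif; y := z
    ("assign", "z", [0]),
    ("if", ["x"], [("assign", "z", [1])]),
    ("assign", "y", ["z"]),
]
SLIDE12_PROGRAM = [                     # if x then y1 := 0; y2 := 42; y3 := 17; endif
    ("if", ["x"], [("assign", "y1", [0]), ("assign", "y2", [42]), ("assign", "y3", [17])]),
]
LEAKY_POLICY = {"x": SECRET, "z": SECRET, "y": PUBLIC}   # z -> y would downgrade secret data
SAFE_POLICY = {"x": SECRET, "z": SECRET, "y": SECRET}

if __name__ == "__main__":
    for desc, ok in check_program(SLIDE8_PROGRAM, LEAKY_POLICY):
        print(f"{'permitted' if ok else 'DENIED   '}  {desc}")
    print("whole program permitted:", program_permitted(SLIDE8_PROGRAM, LEAKY_POLICY))
```

With the leaky policy the checker accepts the implicit flow x → z (secret to secret) but rejects z → y, which by transitivity is exactly the indirect x → y leak the slide points out; the secret-only policy accepts every flow.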
SLIDE 14

Quantitative information flow

How much information flows? Here: information flows from x to y by program p if, after executing p, the value of y gives more information about the value of x before executing p.

Example:

z := x; y := z
Direct flow x → z, indirect flow x → y, but no flow z → y, since y does not tell anything about the initial value of z!
SLIDE 17

How much information flows?

Mathematically: the flow from x to y is calculated using the uncertainty of the value of a variable x given y (its equivocation, or conditional entropy).

y := 0; if odd(x) then y := 1; endif
Implicit flow x → y. How much? One bit.

y := 0; if x == 1 then y := x-1; endif
How much information flows from x to y? Zero bits!
SLIDE 21

Imprecise flows

z := x + y, where x, y ∈ {0, ..., 15} with equal probability. How much info flows x, y → z? ≤ 4 bits.

z := x xor y
If x, y have the same range/size and all values of y are equally probable, there is no flow to z: one can't tell anything about x or y from z.

Cf. one-time pad: no additional information about the plaintext is gained by having the ciphertext, if ...
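Added example, not part of the slides: this Python code measures flow quantitatively, as slides 17 and 21 describe, by enumerating uniformly distributed inputs and computing I(X; Out) = H(X) - H(X | Out), where H(X | Out) is the equivocation. The four programs are the ones on the slides; using the 16-value domain {0, ..., 15} also for the odd(x) and x == 1 programs is an assumption made here.

```python
from collections import Counter
from itertools import product
from math import log2


def entropy(counts):
    """Shannon entropy in bits of the distribution given by a Counter of outcomes."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


def flow_bits(program, x_domain, y_domain=(None,)):
    """Bits flowing from x to the program's output for uniformly distributed inputs.

    Returns (I(X; Out), H(X | Out)): the mutual information is the flow, the
    conditional entropy (equivocation) is what stays unknown about x given the output.
    """
    joint, x_counts, out_counts = Counter(), Counter(), Counter()
    for x, y in product(x_domain, y_domain):
        out = program(x, y)
        joint[(x, out)] += 1
        x_counts[x] += 1
        out_counts[out] += 1
    h_x, h_out, h_joint = entropy(x_counts), entropy(out_counts), entropy(joint)
    equivocation = h_joint - h_out            # H(X | Out) = H(X, Out) - H(Out)
    return h_x - equivocation, equivocation   # I(X; Out) = H(X) - H(X | Out)


# The four programs from the slides (y is ignored where the slide uses only x).
def odd_flag(x, _y):        # y := 0; if odd(x) then y := 1; endif
    return 1 if x % 2 else 0


def x_minus_one(x, _y):     # y := 0; if x == 1 then y := x-1; endif
    return x - 1 if x == 1 else 0


def add(x, y):              # z := x + y
    return x + y


def xor(x, y):              # z := x xor y
    return x ^ y


NIBBLE = range(16)          # x, y in {0, ..., 15}, all equally probable (constructed domain)

if __name__ == "__main__":
    for name, prog, yd in [("odd(x) flag", odd_flag, (None,)),
                           ("x == 1 branch", x_minus_one, (None,)),
                           ("x + y", add, NIBBLE),
                           ("x xor y", xor, NIBBLE)]:
        bits, eq = flow_bits(prog, NIBBLE, yd)
        print(f"{name:14s} flow from x: {bits:.3f} bits, H(x | output): {eq:.3f} bits")
```

The odd(x) program yields exactly 1 bit and the x == 1 program 0 bits, matching the slide. For x xor y the mutual information with x is 0 because z is uniform whatever x is (the one-time-pad argument), while x + y leaks roughly 0.72 bits about x alone, since sums near 0 or 30 pin x down far more than sums near 15.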
SLIDE 25

Info flow analysis

Can give good information and more precise protection than e.g. BLP, but requires program analysis (e.g. partial evaluation, type systems, ...).
SLIDE 26

Chinese Wall model

Intended for the consultancy business handling many clients, but also court cases, stock exchanges, etc.

Basic policy: there must be no information flow that causes a conflict of interest.

S: subjects (consultants), O: objects (information), C: set of companies (clients)
y(o): company dataset – which company does o belong to?
x(o): conflict-of-interest class of o – companies which may not learn o (e.g. in competition with y(o))
Security label: the pair x(o), y(o)
SLIDE 27

CW: history generates conflicts

The history of accessed company datasets also generates conflicts ⇒ access rights change with accesses!

N(s,o) is true iff s has had access to o.
Sanitised information contains no sensitive details: x(o) = ∅.
Initially N(s,o) is false everywhere.
SLIDE 28

CW: ss-property

Controls direct information flow: only allow s to access o if, for all o1 such that N(s,o1) is true (previously accessed),
y(o) = y(o1) (o belongs to a dataset which s has already accessed)
or y(o) ∉ x(o1) (o is not in conflict of interest with an object previously accessed).
SLIDE 29

CW: ⋆-property

Prevents indirect information flows: only allow write access to an object if no other object can be read which is in a different company dataset and contains unsanitised information.

A subject s is granted write access to an object o only if s has no read access to an object o1 such that y(o) ≠ y(o1) (different company) and x(o1) is not empty (o1 not sanitised).
SLIDE 30

CW: intuition

ss-property: you can't access information which has a conflict of interest with something you have read from a different company's information.
⋆-property: if you can read unsanitised objects, you cannot write things to a different company.
As soon as you read unsanitised objects, a (Chinese) wall is built around you: you cannot write (⋆-property) and you cannot read (ss-property).
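An added example that is not part of the lecture: a Python model of the Chinese Wall rules from slides 26 to 30, with N(s,o) kept as a per-subject history of objects read. Two assumptions are made: "has read access" in the ⋆-property is taken to mean an object s has previously read (N(s,o1) true), and the companies and objects in the scenario are constructed. The write check also requires the ss-property, as Brewer and Nash's original formulation does.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    name: str
    company: str            # y(o): the company dataset o belongs to
    conflicts: frozenset    # x(o): companies that may not learn o; empty means sanitised


class ChineseWall:
    def __init__(self):
        self.history = defaultdict(set)   # N(s, o): objects s has had access to

    def ss_ok(self, s, o):
        """ss-property: for every o1 already accessed, o is in the same dataset
        or o's company is not in o1's conflict-of-interest class."""
        return all(o.company == o1.company or o.company not in o1.conflicts
                   for o1 in self.history[s])

    def star_ok(self, s, o):
        """*-property: s has read no unsanitised object from a different company."""
        return not any(o1.company != o.company and o1.conflicts
                       for o1 in self.history[s])

    def read(self, s, o):
        """Grant read if the ss-property holds; the access is then recorded in N."""
        if not self.ss_ok(s, o):
            return False
        self.history[s].add(o)          # this is what builds the wall
        return True

    def write(self, s, o):
        """Grant write only if both properties hold."""
        return self.ss_ok(s, o) and self.star_ok(s, o)


# Constructed objects: OilA and OilB compete; BankC conflicts with BankD.
OILA_REPORT = Obj("oilA-report", "OilA", frozenset({"OilB"}))
OILB_REPORT = Obj("oilB-report", "OilB", frozenset({"OilA"}))
BANKC_REPORT = Obj("bankC-report", "BankC", frozenset({"BankD"}))
BANKC_BROCHURE = Obj("bankC-brochure", "BankC", frozenset())   # sanitised: x(o) empty


def run_scenario():
    """A consultant's accesses in order; returns the list of access decisions."""
    cw = ChineseWall()
    s = "consultant"
    return [
        cw.read(s, OILA_REPORT),        # True: nothing read yet
        cw.read(s, OILB_REPORT),        # False: OilB is in x(oilA-report)
        cw.write(s, OILA_REPORT),       # True: only OilA material read so far
        cw.write(s, BANKC_REPORT),      # False: unsanitised OilA data could flow to BankC
        cw.read(s, BANKC_BROCHURE),     # True: sanitised, no conflict
        cw.read(s, BANKC_REPORT),       # True: BankC is in no conflict class read so far
        cw.write(s, OILA_REPORT),       # False: unsanitised BankC data has now been read
    ]


if __name__ == "__main__":
    steps = ["read OilA", "read OilB", "write OilA", "write BankC",
             "read BankC brochure", "read BankC report", "write OilA"]
    for step, decision in zip(steps, run_scenario()):
        print(f"{step:22s} -> {'granted' if decision else 'denied'}")
```

The third and last decisions show the history effect of slide 27: the same write to the OilA report is granted before, and denied after, the consultant has read unsanitised BankC material, even though BankC and OilA are in no conflict class together.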
SLIDE 31

Clark-Wilson model

A “real-world” model/framework: handles more of real systems, but is much more complex.
A higher-level framework/guidelines/“model” dealing with data integrity:
internal consistency (the system can enforce it)
external consistency (related to the real world; needs humans, audit logs, validation)
SLIDE 32

Clark-Wilson operations

Access operations are “programs” (complex, application-specific).
Objects can only be accessed/manipulated by a restricted set of programs (using well-formed transactions), not directly (cf. abstract data types / object-oriented programming: only accessors/methods etc.).
Separation of duties: more than one user (may be) needed to perform sensitive operations (e.g. develop, test, certify, operate the system; open accounts and transfer money between accounts).
Subjects must be authenticated, an audit log must be maintained, and the system must be certified.
SLIDE 35

Clark-Wilson data

Data items:
unconstrained data items (UDI): input to the system
constrained data items (CDI): consistent, well-formed
transformation procedures (TP): the only way to manipulate CDIs; can convert UDIs to CDIs
integrity verification procedures (IVP): check the integrity of a state

Certification rules regulate IVPs and TPs. Enforcement rules regulate mechanisms.
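As an added illustration (not code from the lecture), a toy ledger in Python wires the Clark-Wilson pieces of slides 32 and 35 together: accounts are CDIs that only TPs change, the deposit TP validates a UDI string before it touches a CDI, an IVP checks the ledger invariant before and after every TP, large transfers need a second certified user (separation of duties), and every successful TP is appended to an audit log. The threshold, TP names and scenario are assumptions made for this example; a real system would make the CDIs unreachable outside the TPs, which the example can only simulate, so the last step shows the IVP detecting a direct modification.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """A constrained data item (CDI): only TPs may change it."""
    name: str
    balance: int


class IntegrityError(Exception):
    pass


class ClarkWilsonBank:
    LARGE_TRANSFER = 1000        # assumed threshold above which separation of duties applies

    def __init__(self):
        self.cdis = {}           # CDIs, keyed by account name
        self.expected_total = 0  # ledger total, maintained by TPs, checked by the IVP
        self.audit_log = []
        self.certified = {}      # certification: TP name -> users allowed to run it
        self.authenticated = set()
        self.tps = {"open_account": self._tp_open_account,
                    "deposit": self._tp_deposit,
                    "transfer": self._tp_transfer}

    def authenticate(self, user):
        self.authenticated.add(user)

    def certify(self, tp, users):
        self.certified[tp] = set(users)

    def ivp(self):
        """Integrity verification procedure: balances non-negative, ledger total matches."""
        balances = [a.balance for a in self.cdis.values()]
        return all(b >= 0 for b in balances) and sum(balances) == self.expected_total

    def run(self, user, tp, *args, **kwargs):
        """Enforcement: authenticated user, certified (user, TP) pair, IVP before and
        after the well-formed transaction, rollback on failure, audit record."""
        if user not in self.authenticated:
            raise PermissionError(f"{user} is not authenticated")
        if user not in self.certified.get(tp, set()):
            raise PermissionError(f"{user} is not certified to run {tp}")
        if not self.ivp():
            raise IntegrityError("CDIs inconsistent before TP; refusing to run")
        snapshot = ({n: a.balance for n, a in self.cdis.items()}, self.expected_total)
        try:
            result = self.tps[tp](user, *args, **kwargs)
            if not self.ivp():
                raise IntegrityError(f"{tp} left the CDIs inconsistent")
        except Exception:
            # restore the CDIs so a failed TP cannot leave a half-done transaction
            self.cdis = {n: Account(n, b) for n, b in snapshot[0].items()}
            self.expected_total = snapshot[1]
            raise
        self.audit_log.append((user, tp, args, kwargs))
        return result

    # --- transformation procedures (well-formed transactions) ---
    def _tp_open_account(self, user, name):
        if name in self.cdis:
            raise ValueError("account exists")
        self.cdis[name] = Account(name, 0)

    def _tp_deposit(self, user, name, raw_amount):
        """Converts a UDI (untrusted input string) into a CDI update after validation."""
        if not (isinstance(raw_amount, str) and raw_amount.isdigit()):
            raise ValueError("UDI rejected: amount must be a decimal digit string")
        amount = int(raw_amount)
        self.cdis[name].balance += amount
        self.expected_total += amount

    def _tp_transfer(self, user, src, dst, amount, approver=None):
        """Separation of duties: large transfers need a second, distinct certified user."""
        if amount > self.LARGE_TRANSFER and (approver is None or approver == user
                                             or approver not in self.certified["transfer"]):
            raise PermissionError("large transfer needs approval by a second user")
        if self.cdis[src].balance < amount:
            raise ValueError("insufficient funds")
        self.cdis[src].balance -= amount
        self.cdis[dst].balance += amount


def attempt(bank, user, tp, *args, **kwargs):
    """Run a TP and report 'ok' or the name of the exception it was refused with."""
    try:
        bank.run(user, tp, *args, **kwargs)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


def demo_bank():
    """Constructed scenario; returns the bank and the list of outcomes in order."""
    bank = ClarkWilsonBank()
    for u in ("teller", "manager"):
        bank.authenticate(u)
    bank.certify("open_account", ["teller"])
    bank.certify("deposit", ["teller"])
    bank.certify("transfer", ["teller", "manager"])
    outcomes = [
        attempt(bank, "teller", "open_account", "alice"),
        attempt(bank, "teller", "open_account", "bob"),
        attempt(bank, "teller", "deposit", "alice", "5000"),
        attempt(bank, "teller", "deposit", "alice", "50;DROP"),            # malformed UDI
        attempt(bank, "teller", "transfer", "alice", "bob", 2000),         # no second user
        attempt(bank, "teller", "transfer", "alice", "bob", 2000, approver="manager"),
        attempt(bank, "mallory", "transfer", "alice", "bob", 1),           # unauthenticated
    ]
    bank.cdis["bob"].balance += 100      # simulated direct change bypassing every TP ...
    outcomes.append(attempt(bank, "teller", "transfer", "alice", "bob", 1))  # ... the IVP catches it
    return bank, outcomes


if __name__ == "__main__":
    bank, outcomes = demo_bank()
    print(outcomes)
    print("audit log entries:", len(bank.audit_log))
```

Only the four successful TPs reach the audit log; the rejected attempts leave the CDIs exactly as they were, and once the invariant is broken outside a TP no further TP will run until the state has been repaired and re-verified.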
SLIDE 38

Design principles for mechanisms

Least privilege (need-to-know): each subject should have the least rights necessary.
Economy of mechanism: a small and simple design gives easier verification and implementation (at a low level).
Complete mediation: every access should be checked, efficiently.
Open design: no security by obscurity.
Separation of privilege: when possible, access should depend on more than one condition being satisfied.
Least common mechanism: minimise mechanisms shared between users, to hinder information flow.
Permission based: the default should be to deny access.
Psychological acceptance: mechanisms should be easy to use, not much more trouble than leaving access unrestricted.