Trust Models CS461/ECE422 (PowerPoint PPT Presentation)

  1. Trust Models CS461/ECE422

  2. Reading
     • Chapter 5.1 – 5.3 (stopping at “Models Proving Theoretical Limitations”) in Security in Computing

  3. Outline
     • Trusted System Basics
     • Specific Policies and models
       – Military Policy
         • Bell-LaPadula Model
       – Commercial Policy
         • Biba Model
         • Separation of Duty
         • Clark-Wilson
         • Chinese Wall

  4. What is a Trusted System?
     • Correct implementation of critical features
       – Features (e.g.)
         • Separation of users, security levels
         • Strict enforcement of access control policies
       – Assurance (?)
         • Personal evaluation
         • Review in the paper or on a key web site
         • Friend's recommendation
         • Marketing literature

  5. Some Key Characteristics of Trusted Systems
     • Functional Correctness
     • Enforcement of Integrity
     • Limited Privilege
     • Appropriate Confidence

  6. DAC vs MAC
     • Discretionary Access Control (DAC)
       – Normal users can change the access control state directly, assuming they have the appropriate permissions
       – Access control as implemented in standard OSs, e.g., Unix, Linux, Windows
       – Access control is at the discretion of the user
         • So users can cause Bad Things to happen
     • Mandatory Access Control (MAC)
       – Access decisions cannot be changed by normal rules
       – Generally enforced by a system-wide set of rules
       – A normal user cannot change the access control schema
     • “Strong” system security requires MAC
       – Normal users cannot be trusted

  7. Military or Confidentiality Policy
     • Goal: prevent the unauthorized disclosure of information
       – Need-to-Know
       – Deals with information flow
       – Integrity is incidental
     • Multi-level security models are the best-known examples
       – The Bell-LaPadula Model is the basis for many, or most, of these

  8. Bell-LaPadula Model, Step 1
     • Security levels arranged in a linear ordering
       – Top Secret: highest
       – Secret
       – Confidential
       – Unclassified: lowest
     • Levels consist of
       – security clearance L(s) for subjects
       – security classification L(o) for objects
     [Bell, LaPadula 73]

  9. Example
     security level | subject | object
     Top Secret     | Tamara  | Personnel Files
     Secret         | Samuel  | E-Mail Files
     Confidential   | Claire  | Activity Logs
     Unclassified   | Ulaley  | Telephone Lists
     • Tamara can read all files
     • Claire cannot read Personnel or E-Mail Files
     • Ulaley can only read Telephone Lists

  10. Reading Information
     • “Reads up” (of an object at a higher classification than the subject’s clearance) disallowed; “reads down” (of an object at a classification no higher than the subject’s clearance) allowed
       – Information flows up, not down
     • Simple Security Condition (Step 1)
       – Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o
       • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
       – Sometimes called the “no reads up” rule

  11. Writing Information
     • “Writes up” (subject permitted to write to an object at a classification level equal to or higher than the subject’s clearance) allowed; “writes down” disallowed
     • *-Property (Step 1)
       – Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o
       • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
     • Discretionary control keeps a low-level user from over-writing top-secret files
       – Sometimes called the “no writes down” rule

  12. Basic Security Theorem, Step 1
     • If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 1) and the *-property (step 1), then every state of the system is secure
       – Proof: induct on the number of transitions
     • Meaning of “secure” is axiomatic
       – No subject can read information that was ever at a classification level higher than the subject’s clearance

  13. Bell-LaPadula Model, Step 2
     • Expand the notion of security level to include categories (also called compartments)
     • Security level is (clearance, category set)
     • Examples
       – (Top Secret, {NUC, EUR, ASI})
       – (Confidential, {EUR, ASI})
       – (Secret, {NUC, ASI})

  14. Levels and Lattices
     • (A, C) dom (A′, C′) iff A′ ≤ A and C′ ⊆ C
     • Examples
       – (Top Secret, {NUC, ASI}) dom (Secret, {NUC})
       – (Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
       – (Top Secret, {NUC}) ¬dom (Confidential, {EUR})
       – (Secret, {NUC}) ¬dom (Confidential, {NUC, EUR})
     • Let C be the set of classifications and K the set of categories. The set of security levels L = C × K with dom forms a lattice
       – Partially ordered set
       – Any pair of elements
         • Has a greatest lower bound (i.e., an element dominated by both that is not dominated by any other element dominated by both)
         • Has a least upper bound (i.e., an element that dominates both, and dominates no other element that dominates both)

  15. Example Lattice
     [Lattice diagram; nodes from top to bottom: (TS, {ASI,NUC,EUR}); (TS, {ASI,NUC}), (TS, {ASI,EUR}), (TS, {NUC,EUR}); (TS, {EUR}), (TS, {ASI}), (TS, {NUC}); (C, {EUR}), (S, {NUC}); empty]

  16. Levels and Ordering
     • Security levels are partially ordered
       – Any pair of security levels may (or may not) be related by dom
     • “dominates” serves the role of “greater than” in step 1
       – “greater than” is a total ordering, though

  17. Reading Information
     • Information flows up, not down
       – “Reads up” disallowed, “reads down” allowed
     • Simple Security Condition (Step 2)
       – Subject s can read object o iff L(s) dom L(o) and s has permission to read o
       • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
       – Sometimes called the “no reads up” rule

  18. Writing Information
     • Information flows up, not down
       – “Writes up” allowed, “writes down” disallowed
     • *-Property (Step 2)
       – Subject s can write object o iff L(o) dom L(s) and s has permission to write o
       • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
       – Sometimes called the “no writes down” rule

  19. Basic Security Theorem, Step 2
     • If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 2) and the *-property (step 2), then every state of the system is secure
       – Proof: induct on the number of transitions
       – In the actual Basic Security Theorem, discretionary access control is treated as a third property, and the simple security property and *-property are phrased to eliminate the discretionary part of the definitions; it is simpler, though, to express them the way done here.

  20. Problem
     • Colonel has (Secret, {NUC, EUR}) clearance
     • Major has (Secret, {EUR}) clearance
     • Can Major write data that Colonel can read?
     • Can Major read data that Colonel wrote?

  21. Solution
     • Define maximum and current levels for subjects
       – maxlevel(s) dom curlevel(s)
     • Example
       – Treat Major as an object (Colonel is writing to him/her)
       – Colonel has maxlevel (Secret, {NUC, EUR})
       – Colonel sets curlevel to (Secret, {EUR})
       – Now L(Major) dom curlevel(Colonel)
         • Colonel can write to Major without violating “no writes down”
       – Does L(s) mean curlevel(s) or maxlevel(s)?
         • Formally, we need a more precise notation
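The dominance relation of slide 14, the step-2 read/write conditions of slides 17–18, and the Colonel/Major problem of slides 20–21, worked through in code. This is an added example, not code from the course; the names Level, Subject, lub, can_read, can_write and colonel_major_problem are assumptions, and the discretionary permission is modelled as a plain boolean argument.

```python
from dataclasses import dataclass

# Linear clearance ordering from slide 8; a higher index is a higher clearance.
CLEARANCES = ["Unclassified", "Confidential", "Secret", "Top Secret"]

@dataclass(frozen=True)
class Level:
    """A BLP step-2 security level: (clearance, category set)."""
    clearance: str
    categories: frozenset[str] = frozenset()
    def rank(self) -> int:
        return CLEARANCES.index(self.clearance)
    def dom(self, other: "Level") -> bool:
        """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
        return other.rank() <= self.rank() and other.categories <= self.categories

def lub(a: Level, b: Level) -> Level:
    """Least upper bound in the lattice: higher clearance, union of categories."""
    return Level(CLEARANCES[max(a.rank(), b.rank())], a.categories | b.categories)

@dataclass
class Subject:
    """A subject with a maximum level and an adjustable current level (slide 21)."""
    name: str
    maxlevel: Level
    curlevel: Level

    def set_curlevel(self, level: Level) -> None:
        if not self.maxlevel.dom(level):  # invariant: maxlevel(s) dom curlevel(s)
            raise ValueError(f"{self.name}: curlevel must be dominated by maxlevel")
        self.curlevel = level

def can_read(s: Subject, obj: Level, permitted: bool = True) -> bool:
    """Simple security condition: curlevel(s) dom L(o) plus discretionary permission."""
    return permitted and s.curlevel.dom(obj)

def can_write(s: Subject, obj: Level, permitted: bool = True) -> bool:
    """*-property: L(o) dom curlevel(s) plus discretionary permission (no writes down)."""
    return permitted and obj.dom(s.curlevel)

def colonel_major_problem() -> dict:
    """Slides 20-21 worked through: the Major is treated as an object labelled L(Major)."""
    secret_nuc_eur = Level("Secret", frozenset({"NUC", "EUR"}))
    colonel = Subject("Colonel", secret_nuc_eur, secret_nuc_eur)
    major = Level("Secret", frozenset({"EUR"}))
    before = can_write(colonel, major)   # write down from (Secret,{NUC,EUR}): denied
    colonel.set_curlevel(major)          # Colonel lowers curlevel to the Major's level
    return {"at_maxlevel": before, "at_curlevel": can_write(colonel, major)}
```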

  22. Adjustments to “write up”
     • A general write permission covers both reading and writing
       – So both the simple security condition and the *-property apply
       – S dom O and O dom S means S = O
     • BLP discusses append as a “pure” write, so the write-up restriction still applies

  23. Principle of Tranquillity
     • Raising an object’s security level
       – Information once available to some subjects is no longer available
       – Usually assume the information has already been accessed, so this does nothing
     • Lowering an object’s security level
       – The declassification problem
       – Essentially, a “write down” violating the *-property
       – Solution: define a set of trusted subjects that sanitize or remove sensitive information before the security level is lowered

  24. Types of Tranquillity
     • Strong Tranquillity
       – The clearances of subjects, and the classifications of objects, do not change during the lifetime of the system
     • Weak Tranquillity
       – The clearances of subjects, and the classifications of objects, change in accordance with a specified policy.

  25. Example
     • DG/UX System (Data General Unix, 1985)
       – Only a trusted user (security administrator) can lower an object’s security level
       – In general, process MAC labels cannot change
         • If a user wants a new MAC label, they need to initiate a new process
         • Cumbersome, so a user can be designated as able to change the process MAC label within a specified range
       • Other systems allow multiple labeled windows to address users operating at multiple levels

  26. Commercial Policies
     • Less hierarchical than military
       – More dynamic
     • Concerned with integrity and availability in addition to confidentiality
