
Slide 1: ISA 562 Information System Security: Confidentiality Policies (Chapter 5 from Bishop's book)

Slide 2: Overview
  Review and background: lattices
  Military systems and Denning's axioms
  Bell-LaPadula (BLP) policy
    Step 1: clearance/classification
    Step 2: categories
  Example system: DG/UX
  Tranquility
  Controversy

Slide 3: Definition: POset
A poset (partially ordered set) is a pair (A, ≤) where A is a set and ≤ is a partial order on A. Thus ≤ is:
  reflexive: x ≤ x for every x in A
  antisymmetric: if x ≤ y and y ≤ x then x = y
  transitive: if x ≤ y and y ≤ z then x ≤ z

Slide 4: Upper and Lower Bounds of POsets
Definition: let (A, ≤) be a poset and B ⊆ A.
  b ∈ A is an upper bound of B iff x ≤ b for every x ∈ B
  b ∈ A is a lower bound of B iff b ≤ x for every x ∈ B

Slide 5: Suprema and Infima of POsets
Definition: let (A, ≤) be a poset and B ⊆ A.
  b0 ∈ A is a least upper bound (supremum) of B iff (1) b0 is an upper bound of B and (2) b0 ≤ b for every upper bound b of B
  b0 ∈ A is a greatest lower bound (infimum) of B iff (1) b0 is a lower bound of B and (2) b ≤ b0 for every lower bound b of B

Slide 6: Semi-lattices and Lattices
  An upper semi-lattice is a poset in which every finite subset has a supremum. Notation: join, x ∨ y = sup{x, y}
  A lower semi-lattice is a poset in which every finite subset has an infimum. Notation: meet, x ∧ y = inf{x, y}
  A lattice is a poset that is both an upper semi-lattice and a lower semi-lattice

Slide 7: Example Lattices: the Power Set Lattice
  S = {a, b, c}
  2^S = {∅, {a}, {b}, {c}, {a,b}, {b,c}, {a,c}, {a,b,c}}
  Ordered by ⊆ (arrows in the figure mean "is included in"); join is ∪ and meet is ∩
  A total order is a special case of a partial order, and a totally ordered set is a special case of a lattice

Slide 8: Product Lattices
Let (L1, ≤1, ∧1, ∨1) and (L2, ≤2, ∧2, ∨2) be two lattices. The product lattice (L, ≤, ∧, ∨) is defined componentwise:
  L = L1 × L2 = {(x, y) : x ∈ L1 and y ∈ L2}
  (x, y) ≤ (a, b) iff x ≤1 a and y ≤2 b
  (x, y) ∧ (a, b) = (x ∧1 a, y ∧2 b) and (x, y) ∨ (a, b) = (x ∨1 a, y ∨2 b)

Slide 9: Example Product Lattice (figure)
  Lattice 1 (arrows mean ≤) and Lattice 2 (arrows mean ⊆)
  In Lattice 2 × Lattice 1, (x, y) ≤ (x', y') means y' ⊆ y and x ≤ x'

Slide 10: Military-style System
  Confidentiality is most important; integrity and availability matter but are incidental
  Users have clearances; files are classified (labeled)
  Naturally MAC-centric
  All information is locked inside the system
  Assumes: you won't memorize something and go outside to tell others, so disclosure is only possible within the system

Slide 11: Military-style System (cont.): Denning's Axioms
  Security classes (clearances and classifications) form a lattice under the "dominates" relation
  Information may flow from class x to class y only if y dominates x

Slide 12: Information Flow
  When x reads y, information flows from y to x
  When x writes y, information flows from x to y

Slide 13: Overview
  Review and background: lattices
  Military systems and Denning's axioms
  Bell-LaPadula (BLP) policy: step 1, clearance/classification; step 2, categories
  Example system: DG/UX
  Tranquility
  Controversy at a glance

Slide 14: The Bell-LaPadula Policy: Preliminary Version
  Security levels are linearly ordered (L): Top Secret (highest) > Secret > Confidential > Unclassified (lowest)
  Subjects and objects are each assigned a level in the linear order
  Subject levels are called security clearances, L(s); object levels are called security classifications, L(o)
  Formally they are mappings into L: L_s : Subjects → L and L_o : Objects → L

Slide 15: An Example
  Security level   Subject   Object
  Top Secret       Tamara    Personnel Files
  Secret           Samuel    E-Mail Files
  Confidential     Claire    Activity Logs
  Unclassified     Ulaley    Telephone Lists
  Tamara can read all files; Claire cannot read Personnel or E-Mail Files; Ulaley can only read Telephone Lists

Slide 16: The Simple Security Property: Preliminary Version
  Simple security property: subject s can read object o iff L(o) ≤ L(s)
  Information flows up, not down: "read up" is not allowed, "read down" is allowed
  Sometimes called the "no read up" rule
  Why? Otherwise a subject could obtain information above their own level
  Discretionary controls may also be present

Slide 17: The *-Property: Preliminary Version
  *-Property: subject s can write object o iff L(s) ≤ L(o)
  "Write up" is allowed, "write down" is not (the "no write down" rule)
  Why? It prevents cooperation between foreign agents (spies): a cleared insider cannot copy what they read into a lower-level object that an accomplice with a lower clearance can read

Slide 18: What Is Prevented?
  Tamara reads the personnel files of all spooks working in country X, then writes them into the activity log
  Claire reads the activity log and sells it to country X (exit spooks)
  Security level   Subject   Object
  Top Secret       Tamara    Personnel Files
  Secret           Samuel    E-Mail Files
  Confidential     Claire    Activity Logs
  Unclassified     Ulaley    Telephone Lists
  Not possible with the *-property: Tamara (Top Secret) cannot write down into the Activity Logs (Confidential)

Slide 19: The Basic Security Theorem: Preliminary Version
  If a system is initially in a secure state, and every transition of the system satisfies (1) the simple security condition and (2) the *-property, then every state of the system is secure
  To state and prove this theorem formally we need to formalize (1) "secure state" and (2) "state transition"

Slide 20: The BLP Model: Final Version
  Expand the notion of security level to include categories, based on the need-to-know principle
  A security level is a pair (clearance, category set)
  Examples: (Top Secret, {NUC, EUR, ASI}), (Confidential, {EUR, ASI}), (Secret, {NUC, ASI}), (Unclassified, {NUC})

Slide 21: Security Levels as a Product Lattice
  (A, C) dom (A', C') iff A' ≤ A and C' ⊆ C
  Examples:
    (Top Secret, {NUC, ASI}) dom (Secret, {NUC})
    (Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
    (Top Secret, {NUC}) does not dom (Confidential, {EUR}), because {EUR} is not a subset of {NUC}
  Let C be the set of classifications and K the set of categories. The set of security levels L = C × 2^K (a classification paired with a set of categories) together with dom forms a lattice: the product of the total order on C and the power-set lattice on K

Slide 22: Levels and Ordering
  Security levels are partially ordered: any pair of levels may or may not be related by dom
  "Dominates" plays the role that "greater than or equal" played in step 1
  In step 1 the order was total; a total order is a special case of a lattice

Slide 23: The Simple Security Property: Final Version
  Simple security property: subject s can read object o iff L(s) dom L(o)
  L(s) dom L(o) iff C(s) ≥ C(o) and K(s) ⊇ K(o)
  Information flows up, not down: "read up" is not allowed, "read down" is allowed
  Sometimes called the "no read up" rule

Slide 24: The *-Property: Final Version
  *-Property: subject s can write object o iff L(o) dom L(s)
  Information flows up, not down: "write up" is allowed, "write down" is not
  Sometimes called the "no write down" rule

Slide 25: The Basic Security Theorem: Final Version
  If a system is initially in a secure state, and every transition of the system satisfies (1) the simple security condition and (2) the *-property, then every state of the system is secure

Slide 26: Applying BLP: Example 1
  Colonel has clearance (Secret, {NUC, EUR}); Major has clearance (Secret, {EUR})
  Major can talk to Colonel: Major "writes up" to an object at Colonel's level, which Colonel "reads down"
  Colonel cannot talk to Major: that would be a "write down" for Colonel, or a "read up" for Major
  This interferes with functionality!
  Workaround: Colonel is a user and can log in under a different id (as a different principal) with reduced clearance:
    Alias1: (Secret, {NUC, EUR})
    Alias2: (Secret, {EUR})
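The following is an added example, not code from the slides or from Bishop's text. It encodes a security level as (classification, category set) exactly as on slides 20 and 21, checks the three dominance examples of slide 21, verifies by brute force that all 32 levels over these four classifications and three categories form a lattice under dom (the property Denning's axioms require, slide 11), and applies the final-version simple security property and *-property to the Colonel/Major case of slide 26. The function names and the input validation in level() are this example's own choices.

```python
"""Security levels as a product lattice (slides 20-24) and the BLP read/write
checks applied to the Colonel/Major example (slide 26). Added example: the
classification names and categories are the slides' own, the function names
and validation are this example's."""
from itertools import product

# Step 1 component: the total order on classifications (slide 14); index = rank.
CLASSIFICATIONS = ("Unclassified", "Confidential", "Secret", "Top Secret")
RANK = {c: i for i, c in enumerate(CLASSIFICATIONS)}
# Step 2 component: the power-set lattice on the categories (slide 20).
CATEGORIES = frozenset({"NUC", "EUR", "ASI"})


def level(classification, *categories):
    """Build a security level (classification, category set), rejecting unknown names."""
    if classification not in RANK:
        raise ValueError(f"unknown classification {classification!r}")
    cats = frozenset(categories)
    if not cats <= CATEGORIES:
        raise ValueError(f"unknown categories {sorted(cats - CATEGORIES)}")
    return (classification, cats)


def dom(x, y):
    """x dom y iff class(x) >= class(y) and cats(x) is a superset of cats(y) (slide 21)."""
    return RANK[x[0]] >= RANK[y[0]] and x[1] >= y[1]


def join(x, y):
    """Least upper bound in the product lattice: componentwise max and union (slide 8)."""
    return (CLASSIFICATIONS[max(RANK[x[0]], RANK[y[0]])], x[1] | y[1])


def meet(x, y):
    """Greatest lower bound: componentwise min and intersection."""
    return (CLASSIFICATIONS[min(RANK[x[0]], RANK[y[0]])], x[1] & y[1])


def all_levels():
    """Every level in L = C x 2^K for the classifications and categories above."""
    cats = sorted(CATEGORIES)
    subsets = [frozenset(c for c, keep in zip(cats, bits) if keep)
               for bits in product((False, True), repeat=len(cats))]
    return [(c, s) for c in CLASSIFICATIONS for s in subsets]


def is_lattice():
    """Brute-force check that join/meet are the lub/glb of every pair of levels."""
    lv = all_levels()
    for x, y in product(lv, repeat=2):
        j, m = join(x, y), meet(x, y)
        if not (dom(j, x) and dom(j, y) and dom(x, m) and dom(y, m)):
            return False
        # Any other upper bound dominates the join; any other lower bound is dominated by the meet.
        for z in lv:
            if dom(z, x) and dom(z, y) and not dom(z, j):
                return False
            if dom(x, z) and dom(y, z) and not dom(m, z):
                return False
    return True


def can_read(subject_level, object_level):
    """Simple security property, final version (slide 23): no read up."""
    return dom(subject_level, object_level)


def can_write(subject_level, object_level):
    """*-property, final version (slide 24): no write down."""
    return dom(object_level, subject_level)


def colonel_major_example():
    """Which channels exist between the two clearances of slide 26."""
    colonel = level("Secret", "NUC", "EUR")
    major = level("Secret", "EUR")
    # "Major talks to Colonel": Major writes an object at Colonel's level, Colonel reads it.
    # "Colonel talks to Major": Colonel writes an object at Major's level, Major reads it.
    return {
        "major_to_colonel": can_write(major, colonel) and can_read(colonel, colonel),
        "colonel_to_major": can_write(colonel, major) and can_read(major, major),
        "incomparable": not dom(colonel, major) and not dom(major, colonel),
    }


if __name__ == "__main__":
    print(colonel_major_example())
    print("levels form a lattice:", is_lattice())
```

Because Colonel's level dominates Major's, the two are comparable and information may flow only from Major to Colonel; the aliasing trick on slide 26 works because Alias2 sits at Major's own level, where both read and write are allowed.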

Slide 27: BLP: Problem
  If I can write up, what stops me from overwriting a higher-level file with blanks?
  Nothing in the model: blind writing up can cause integrity problems, but it is not a confidentiality breach, and BLP addresses only confidentiality

Slide 28: Key Points
  Confidentiality models restrict the flow of information
  Bell-LaPadula (BLP) models multilevel security and is the cornerstone of much work in computer security
  The simple security property says no read up, and the *-property says no write down
  Together they ensure information can only flow up

Slide 29: DG/UX System
  A real (and well-regarded) Unix operating system by Data General
  Provides mandatory access controls; the MAC label identifies the security level
  Subjects: initially assigned the MAC label of the parent process; the initial label assigned to a user is kept in the Authorization and Authentication (A&A) database
  Objects: assigned a label at creation; explicit labels are stored as part of the object's attributes, implicit labels are determined from the parent directory

Slide 30: MAC Regions (figure)
  The hierarchy levels of the MAC lattice are divided into regions, from highest to lowest:
    Administrative Region: A&A database, audit
    User Region: user data and applications
    Virus Prevention Region: levels VP1 to VP5, holding site executables, trusted data, executables not part of the TCB, executables part of the TCB, and one level reserved for future use
  Categories are orthogonal to the regions
  Administrative region: no read or write except by administrative processes
  Users cannot write to system programs but can read and execute them

Slide 31: A Directory Problem
  Process p at label MAC_A tries to create the file /tmp/x
  If /tmp/x already exists with label MAC_B, where MAC_B dom MAC_A, the create must fail
  But now p knows that a file named x with a higher label exists: a LEAK!
  Solution: only processes with the same MAC label as the directory can create files in it
  If this were the only way to create files, /tmp would be a problem: compilation, mail, etc. would not work
  Solution: the multilevel directory

Slide 32: DG B2 Multilevel Directory
  A directory with a set of hidden subdirectories, one per label, not normally visible to the user
  p creating /tmp/x actually creates /tmp/d/x, where d is the subdirectory corresponding to MAC_A
  All of p's references to /tmp go to /tmp/d
  If p cd's to /tmp/a and then to .., the system call stat(".", &buf) returns the inode number of the real directory (/tmp/d), while dg_stat(".", &buf) returns the inode of /tmp
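Added example, not DG/UX code: a tiny labeled filesystem that replays the sequence of slide 31 (a higher-labeled process creates /tmp/x, then a lower-labeled process tries to) under three regimes: a plain directory, where the failed create discloses the higher file; the "same label as the directory" rule, which closes the leak but stops the higher process from using /tmp at all; and a multilevel directory in the style of slide 32, where each label is silently redirected to its own hidden subdirectory. The two labels, the hidden subdirectory naming (.mld_<tag>), the ExistenceLeak marker and all function names are this example's own assumptions.

```python
"""The /tmp existence leak of slide 31 and a DG/UX-style multilevel directory
(slide 32) simulated on a tiny labeled filesystem. Added example, not DG/UX
code: labels, hidden-directory naming and function names are assumptions."""


def dom(x, y):
    """x dom y for labels (rank, categories), as on slide 21."""
    return x[0] >= y[0] and x[1] >= y[1]


LOW = (0, frozenset())            # MAC_A in the slide
HIGH = (1, frozenset({"NUC"}))    # MAC_B, with HIGH dom LOW


def label_tag(label):
    return str(label[0]) + "".join(f"_{c}" for c in sorted(label[1]))


class ExistenceLeak(Exception):
    """Simulation marker: a failed create told the caller that a file it cannot see exists.
    A real system would just report 'exists'; that report is the leak."""


class LabeledFS:
    def __init__(self, dir_labels, multilevel_dirs=(), same_label_rule=False):
        self.labels = dict(dir_labels)        # path -> label, directories included
        self.multilevel = set(multilevel_dirs)
        self.same_label_rule = same_label_rule

    def resolve(self, label, path):
        """Where a reference to path by a process at label really lands: inside a
        multilevel directory each label gets its own hidden subdirectory (slide 32)."""
        d, _, name = path.rpartition("/")
        if d in self.multilevel:
            return f"{d}/.mld_{label_tag(label)}/{name}"
        return path

    def logical_path(self, real):
        """The dg_stat view: the hidden per-label component stripped out again."""
        parts = [p for p in real.split("/") if p and not p.startswith(".mld_")]
        return "/" + "/".join(parts)

    def create(self, label, path):
        """Create path as a process at label and return the real path created.
        Raises PermissionError under the 'same label as directory' rule (slide 31),
        FileExistsError on a collision the caller is allowed to know about, and
        ExistenceLeak when the failure itself would disclose a file above the caller."""
        d = path.rpartition("/")[0]
        if self.same_label_rule and d not in self.multilevel and self.labels.get(d) != label:
            raise PermissionError(f"label {label_tag(label)} may not create in {d}")
        real = self.resolve(label, path)
        if real in self.labels:
            if not dom(label, self.labels[real]):
                raise ExistenceLeak(path)         # the problem of slide 31
            raise FileExistsError(path)           # caller could read it anyway: no leak
        self.labels[real] = label
        return real

    def visible(self, label, path):
        """Simple security: a process sees a file only if its label dominates the file's."""
        real = self.resolve(label, path)
        return real in self.labels and dom(label, self.labels[real])


def scenario(multilevel, same_label_rule=False):
    """Slide 31's sequence: a HIGH process creates /tmp/x, then a LOW process tries to."""
    fs = LabeledFS({"/tmp": LOW}, multilevel_dirs=("/tmp",) if multilevel else (),
                   same_label_rule=same_label_rule)
    outcome = {}
    for who, label in (("high", HIGH), ("low", LOW)):
        try:
            outcome[who] = fs.create(label, "/tmp/x")
        except (ExistenceLeak, FileExistsError, PermissionError) as exc:
            outcome[who] = type(exc).__name__
    return outcome


if __name__ == "__main__":
    print("plain /tmp:          ", scenario(False))
    print("same-label rule:     ", scenario(False, same_label_rule=True))
    print("multilevel directory:", scenario(True))
```

Note the asymmetry in create(): a collision is only a leak when the caller does not dominate the existing file's label, which is why the check is on dom(label, existing) rather than on inequality.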

Slide 33: Using MAC Labels
  The simple security condition is implemented
  The *-property is not fully implemented: the process MAC label must equal the object MAC label, so writing is allowed only at the same security level ("write up" is not permitted)
  Overly restrictive in practice

Slide 34: Overview
  Review and background: lattices
  Military systems and Denning's axioms
  Bell-LaPadula (BLP) policy: step 1, clearance/classification; step 2, categories
  Example system: DG/UX
  Tranquility
  Controversy at a glance

Slide 35: Principle of Tranquility
  Raising an object's security level: information once available to some subjects is no longer available to them. Usually we assume the information has already been accessed, so this accomplishes little
  Lowering an object's security level: the declassification problem. Essentially a "write down", violating the *-property
  Solution: define a set of trusted subjects that sanitize or remove sensitive information before the security level is lowered

Slide 36: Types of Tranquility
  Strong tranquility: the clearances of subjects and the classifications of objects do not change during the lifetime of the system
  Weak tranquility: the clearances of subjects and the classifications of objects do not change in a way that violates the simple security condition or the *-property during the lifetime of the system
  Pros and cons: strong tranquility enforces MLS principles but is inflexible; weak tranquility moderates the restrictions

Slide 37: Example: DG/UX System
  Only a trusted user (the security administrator) can lower an object's security level
  In general, process MAC labels cannot change; if a user wants a new MAC label, they must start a new process
  This is cumbersome, so a user can be designated as able to change the process MAC label within a specified range

Slide 38: Controversy
  McLean: "value of the BLP is much overrated since there is a great deal more to security than it captures. Further, what is captured by the BST is so trivial that it is hard to imagine a realistic security model for which it does not hold."
  Given assumptions known to be non-secure, the Basic Security Theorem (BST) can "prove" a non-secure system to be secure
  He constructed a completely reversed version of BLP which is non-secure and yet self-consistent

Slide 39: Discussion
  The Basic Security Theorem shows that obeying the stated rules preserves security
  Key question: what is security?
  Bell-LaPadula defines it in terms of three properties: the simple security condition, the *-property, and the discretionary security property
  The theorems are assertions about these properties
  Rules describe changes to a particular system instantiating the model
  Showing that a system is secure requires proving that its rules preserve these three properties

Slide 40: Rules and Model
  The nature of the rules is irrelevant to the model; the model treats "security" as axiomatic
  The policy defines "security"; this instantiates the model, and the policy reflects the requirements of the system
  McLean's definition differs from BLP's and is not suitable for a confidentiality policy
  Analysts cannot use the model to prove that a definition of "security" is appropriate

Slide 41: What Is Modeling?
  Two types of models:
    1. Abstract a physical phenomenon to its fundamental properties
    2. Begin with axioms and construct a structure to examine the effects of the axioms
  The BLP model was developed as a model of the first type; McLean assumed it was developed as a model of the second type

Slide 42: Towards Proving the Basic Security Theorem
  System security state: v = (b, m, f, h)
    b ∈ P(S × O × P): the set of current accesses (rights currently being exercised)
    m ∈ M: the access control matrix of the current state
    f ∈ F: the current subject clearances and object classifications, including categories
    h ∈ H: the current hierarchy of objects
  R: the set of requests
  D = {y (yes), n (no), i (illegal), e (error)}: the set of decisions (outputs)
  V: the set of states
  W ⊆ R × D × V × V: the set of transitions (request, decision, next state, current state)
  R^N, D^N, V^N: sequences of requests, decisions, and states
  Σ(R, D, W, z0): the set of runs (x, y, z) ∈ R^N × D^N × V^N of the system from initial state z0, in which every step (x_t, y_t, z_t, z_{t-1}) is in W

Slide 43: Example: State 1 and a Transition
  L = {high, low}, K = {all}; S = {s}, O = {o}, P = {r, w}
  For every f ∈ F: f_c(s) = (high, {all}) or (low, {all}), and f_o(o) = (high, {all}) or (low, {all})
  Initial state v0 = (b1, m1, f1) with b1 = {(s, o, r)}: s currently reads o
  The subject set changes to S = {s, s'}, and w ∈ m1[s', o]: s' is discretionarily permitted to write o
  Until s' actually writes, b1 does not change

Slide 44: Example: Processing Requests
  Suppose s' issues request r1 to write o: it succeeds
  Transition from v0 to v1 = (b2, m1, f1), where b2 = {(s, o, r), (s', o, w)}
  So far x = (r1), y = (yes), z = (v0, v1)
  Now s issues request r2 to write o: it is denied, so v2 = v1
  Now x = (r1, r2), y = (yes, no), z = (v0, v1, v2)

Slide 45: The Simple Security Property (formal)
  Here P = {r, w, a, e}: r = read, w = read and write, a = append (write only), e = execute
  (s, o, p) ∈ S × O × P satisfies the simple security condition relative to f (written ssc rel f) iff
    p = e or p = a   /* execute or append: no observe access, so no confidentiality constraint */
    or (p = r or p = w) and f_s(s) dom f_o(o)   /* read or read/write: the subject's level must dominate the object's */

Slide 46: More Notation
  A state satisfies the simple security condition if every element of b satisfies ssc rel f
  Define b(s: p1, ..., pn) as the set of objects to which s currently has at least one of the accesses p1, ..., pn:
    b(s: p1, ..., pn) = {o ∈ O | (s, o, p1) ∈ b ∨ ... ∨ (s, o, pn) ∈ b}

Slide 47: The *-Property (formal)
  A state (b, m, f, h) satisfies the *-property iff for every s ∈ S:
    b(s: a) ≠ ∅ → ∀o ∈ b(s: a), f_o(o) dom f_c(s)
    b(s: w) ≠ ∅ → ∀o ∈ b(s: w), f_o(o) = f_c(s)
    b(s: r) ≠ ∅ → ∀o ∈ b(s: r), f_c(s) dom f_o(o)
  In words:
    If a subject has append (write-only) access to an object, the object's classification dominates the subject's clearance ("write up")
    If a subject has write (read and write) access to an object, the two levels must be equal
    If a subject has read access to an object, the subject's clearance dominates the object's classification
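Added example, not from the slides or from Bishop's text: a minimal instance of the state machine of slides 42 to 47, run on the example of slides 43 and 44, with a relabel request judged under weak tranquility as defined on slide 36. The slides say only that each level is high or low; this example assumes f_c(s) = high, f_c(s') = low and f_o(o) = low, which is the one assignment that makes s' write succeed and s write fail as the slides describe. The request tuples, decision strings and function names are this example's own.

```python
"""The BLP state machine of slides 42-47 instantiated on the example of
slides 43-44, plus a relabel request under weak tranquility (slide 36).
Added example; the level assignment (s high, s' low, o low) is assumed."""
from dataclasses import dataclass, replace

LEVELS = {"low": 0, "high": 1}   # L = {high, low}; the single category {all} is implicit


def dom(x, y):
    return LEVELS[x] >= LEVELS[y]


@dataclass(frozen=True)
class State:
    b: frozenset      # current accesses {(s, o, p)}, p in r (read), w (read+write), a (append), e (execute)
    m: dict           # discretionary matrix: (s, o) -> set of permitted access modes
    f_c: dict         # subject clearances
    f_o: dict         # object classifications


def ssc_ok(st):
    """Slide 45: every access with observe rights (r or w) needs f_c(s) dom f_o(o)."""
    return all(p in ("e", "a") or dom(st.f_c[s], st.f_o[o]) for s, o, p in st.b)


def star_ok(st):
    """Slide 47: append needs o dom s, read+write needs equality, read needs s dom o."""
    for s, o, p in st.b:
        if p == "a" and not dom(st.f_o[o], st.f_c[s]):
            return False
        if p == "w" and st.f_o[o] != st.f_c[s]:
            return False
        if p == "r" and not dom(st.f_c[s], st.f_o[o]):
            return False
    return True


def secure(st):
    return ssc_ok(st) and star_ok(st)


def step(st, req):
    """One transition of W: returns (decision, next state), decision in yes/no/illegal."""
    if req[0] == "get":                       # request to acquire access (s, o, p)
        _, s, o, p = req
        if s not in st.f_c or o not in st.f_o or p not in ("r", "w", "a", "e"):
            return "illegal", st
        if p not in st.m.get((s, o), set()):  # discretionary security property
            return "no", st
        cand = replace(st, b=st.b | {(s, o, p)})
    elif req[0] == "release":
        _, s, o, p = req
        cand = replace(st, b=st.b - {(s, o, p)})
    elif req[0] == "relabel":                 # weak tranquility: a level change is granted
        _, o, new = req                       # only if the current accesses stay secure
        if o not in st.f_o or new not in LEVELS:
            return "illegal", st
        cand = replace(st, f_o={**st.f_o, o: new})
    else:
        return "illegal", st
    return ("yes", cand) if secure(cand) else ("no", st)


def run(z0, requests):
    """Build the run (x, y, z) of slide 42 and check the Basic Security Theorem's
    conclusion along the way: starting secure, every reached state is secure."""
    if not secure(z0):
        raise ValueError("initial state is not secure")
    x, y, z = [], [], [z0]
    for req in requests:
        decision, nxt = step(z[-1], req)
        x.append(req)
        y.append(decision)
        z.append(nxt)
        assert secure(nxt), "transition rules must preserve security"
    return tuple(x), tuple(y), tuple(z)


def slide_44_example():
    """s' writes o (granted), then s tries to write o (denied by the *-property)."""
    z0 = State(b=frozenset({("s", "o", "r")}),
               m={("s", "o"): {"r", "w"}, ("s'", "o"): {"w"}},
               f_c={"s": "high", "s'": "low"}, f_o={"o": "low"})
    return run(z0, [("get", "s'", "o", "w"), ("get", "s", "o", "w")])


def tranquility_example():
    """Raising o while s' (low) still holds w on it would leave a low subject with
    read+write on a high object, so weak tranquility refuses; after s' releases, it passes."""
    _, _, z = slide_44_example()
    st = z[-1]
    d1, _ = step(st, ("relabel", "o", "high"))
    d2, st2 = step(st, ("release", "s'", "o", "w"))
    d3, st3 = step(st2, ("relabel", "o", "high"))
    return d1, d2, d3, st3.f_o["o"]


if __name__ == "__main__":
    x, y, z = slide_44_example()
    print("decisions:", y)
    print("tranquility:", tranquility_example())
```

The assert inside run() is the inductive step of the Basic Security Theorem made concrete: because step() only moves to a candidate state that passes secure(), the run can never leave the secure states, and the denial of s's write request is exactly the *-property's equality requirement for read+write access.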

