Presentation on theme: "Vinay Kumar Madhadi 10/28/2009 CSC-8320. Outline Part 1 : Mandatory Flow Control Models? MAC vs. DAC Information Flow Control Part 2 : Different Models-Lattice."— Presentation transcript:
Outline Part 1 : Mandatory Flow Control Models? MAC vs. DAC Information Flow Control Part 2 : Different Models-Lattice & Multi- Level Recent Studies Part 3 : Future work
Part 1: What is Mandatory Flow Control Model? The Mandatory Flow Control Models are the subset of computer security models that require access control of all subjects and objects under its control on a system wide basis. (Chow et al, 1997) How is it different from Discretionary Security Model and why is it needed?
DISCRETIONARY AC VS MANDATORY AC DAC MAC Determined by owner of the object. The owner decides who is allowed to access the object and what privileges they have. It is discretionary by nature MAC is an access policy determined by the system. It is used in multi-level systems that process highly sensitive data. It is non discretionary
Problem with Access Control Matrix Model Confinement problem: How to determine whether there is any mechanism by which a subject authorized to access an object may leak information contained in that object to some other subjects not authorized to access that object. Another disadvantage is that no semantics of information in the objects are considered; thus the security sensitivity of an object is hardly expressed by that model. Security Control should be applied to the information in addition to the subject holding the information
Information Flow Control: Information Flow control is concerned with how information is propagated from one object to another. System entities are partitioned into security classes. The security classes of all entities must be specified explicitly and the class of an entity seldom changes after it has been created( changes sometimes made by the system administration).
Part 2: Different Models There are three different models employed namely: 1. Lattice Model 2. Bell-LaPadula Model 3. Biba Model
Lattice Model It is the best known information flow control model. Based upon the concept of a lattice from mathematics. Lattice is a Directed Acyclic Graph(DAG) with a single source and sink. Information is permitted to flow from a lower class to upper class.
Flow Properties of lattice The relation → is reflexive, transitive and anti-symmetric for all A,B,C Ɛ SC. 1. Reflexive: A → A 2. Transitive: A → B and B → C implies A → C. 3. Anti-symmetric: A → B and B → A implies A=B In addition, the other two properties of lattice include 1. Aggregation: A → C and B → C implies A U B → C 2. Separation: A U B → C implies A → C and B → C
Multi-Level Security Models Multilevel Security is a special case of the lattice-based information flow model. There are two well-known multilevel security models: 1. The Bell-LaPadula Model 2. The Biba Model
Bell LaPadula Model: L is a linearly ordered set of security levels C is a lattice of security categories The security class assigned to a subject or an object includes two components: a hierarchical security level and a nonhierarchical security category. The security level is called the clearance if applied to subjects, and classification if applied to objects. Each security category is a set of compartments that represent natural or artificial characteristics of subjects and objects and is used to enforce the need-to-know principle.
Bell-LaPadula Model contd.. The lattice of security classes is L × C. If AB Ɛ F, A dominates B if A’s level is higher than B’s level and B’s category is a subset of A’s category Security with respect to confidentiality in the Bell- LaPadula model is described by the following two axioms: Simple security property: Reading information from an object o by a subject s requires that F(s) dominates F(o) ”no read up”). The *-property: Writing information to an object o by a subject s requires that F(o) dominates F(s).
Biba Model: In Biba model information can only flow from a higher integrity class to a lower integrity class. L is a linearly ordered set of integrity levels C is a lattice of integrity categories Integrity levels form a linear lattice in which each level represents the classification of integrity of information an object can contain or the clearance of a subject for modifying an object. Integrity categories form a subset lattice and are used to enforce the need-to-have principle. The lattice of security classes is L × C.
Biba Model Contd.. Security with respect to integrity in the Biba model is described by the following two axioms: Simple security property: Writing information to an object o by a subject s requires that F(s) dominates F(o) (“no write up”). The*-property: Reading information from an object o by a subject s requires that F(o) dominates F(s) ( “no read down”).
BLP Model VS Biba Model BLP Model Biba Model Emphasizes on information integrity S ubjects that are writing information to an object must have a higher security class than the object. Objects being read from by a subject must have higher security class than the subject. Emphasizes on information confidentiality S ubjects reading from an object must have a higher security class than the object. Objects being written to by a subject must have higher security class than the subject.
Part 2: Recent Studies A) INFORMATION FLOW ENHANCED DISCRETIONARY ACCESS CONTROL( IFEDAC): Generally DAC mechanisms are more user-friendly than Mandatory Access Control (MAC) systems, but are vulnerable to attacks that use Trojan horse or exploit buggy software. The IFEDAC Model combines the best of both DAC(ease-to-use) and MAC(defense against Trojan horse and buggy problems) Advantage: Combines the best of DAC and MAC Disadvantage: Can be implemented only on Linux OS. (Jiang, Ziqing, Chen 2009)
Recent Studies contd.. B) PROTECTING CONFIDENTIALITY AGAINST TROJAN HORSE PROGRAMS IN DAC PROGRAMS: A modified DAC is proposed with the central idea of separation of management of rights from other activities of user. The resulting system offers flexibility of DAC and protection of MAC Advantage: The lack of flexibility of MAC systems is eliminated. (Adrian, Armin, Hartmut 2008)
Part 3: Future Work The Mandatory flow Control Models do not solve the Trojan Horse problem completely. If there are any covert channels present, then enforcement of information flow policies will be difficult. Research must be done to develop a type of model which solves this Trojan Horse problem completely even with secret channels present. A model must be developed which can function on all the operating systems unlike the IEPDA model which can function only on the Linux Machine. (Jiang, Ziqing, Chen 2009)
Future Work contd.. A new model combining the advantages of discretionary, mandatory and role-based access models must be developed. This should avoid all the shortcomings that these models faced. Research if done in this field will contribute a lot to the field of computer security. (Sylvia, Qamar, Ravi 2000) Since newer operating systems keep emerging, it is important to constantly update the models developed so that they function on the latest operating systems too. Example: Biba Model is implemented in Vista OS
References: Xuxian Jiang, Mao J., Li., Hong Chen.: Trojan Horse Resistant Discretionary Access Control. In: ACM 2009, pp. 237–246 (2009) Adrian S., Armin B., Hartmut L.: protecting confidentiality against Trojan Horse Programs in Discretionary Access Control Systems(2008) Tanenbaum, S., Steen, M.V.: DISTRIBUTED SYSTEMS: Principles and Paradigms, p.2e. Prentice Hall, Inc, Englewood Cliffs (2007) Alexander Brodsky, Csilla F., Sushil J.,Database Security— Concepts, Approaches, and Challenges IEEE Transactions on Dependable and Secure Computing-(March 2005) Yixin Jiang, Chuang Lin, Zhen Chen, Hao Yin 2004 IEEE International Conference on Systems, Man and Cybernetics Security Analysis of Mandatory Access Control Model(2004) Distributed Systems principles and paradigms by Andrew S. Tanenbaum, Maarten van Steen, (2002)
References: G. Tel. Introduction to Distributed Algorithms. Cambridge University Press Second Edition, 2000. Sylvia O., Qamar M., Ravi S..Configuring role-based access control to enforce mandatory and discretionary access control policies, ACM, 85-106 (March 2000) Distributed Operating Systems & Algorithms, Randy Chow and Theodore Johnson, Addison Wesley, 1997.