Presentation is loading. Please wait.

Presentation is loading. Please wait.

I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University.

Published byJerome Turner Modified over 9 years ago

Similar presentations

Presentation on theme: "I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University."— Presentation transcript:

1 I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University

2 S LIDES R EFERENCES Matt Bishop, Computer Security: Art and Science, the author homepage, 2002-2004. Chris Clifton, CS 526: Information Security course, Purdue university, 2010. 2

3 C HAPTER 5: C ONFIDENTIALITY P OLICIES Overview What is a confidentiality model Bell-LaPadula Model General idea Informal description of rules Formal description of rules Tranquility Controversy †-property System Z 3

4 O VERVIEW Bell-LaPadula Informally Formally Example Instantiation Tranquility Controversy System Z 4

5 C ONFIDENTIALITY P OLICY Goal: prevent the unauthorized disclosure of information Deals with information flow Multi-level security models are best-known examples Bell-LaPadula Model basis for many, or most, of these 5

6 B ACKGROUND Clearance levels Top Secret In-depth background check; highly trusted individual Secret Routine background check; trusted individual For Official Use Only/Sensitive No background check, but limited distribution; minimally trusted individuals May be exempt from disclosure Unclassified Unlimited distribution Untrusted individuals 6

7 B ELL -L A P ADULA M ODEL (S TEP 1) Security levels arranged in linear ordering Top Secret: highest Secret Confidential Unclassified: lowest Levels consist of: Subject has security clearance L(s) = l s Object has security classification L(o) = l o Clearance/Classification ordered: l i < l i+1 Mandatory access control 7

8 E XAMPLE security levelsubjectobject l 4: Top Secret BillPersonnel Files l 3: Secret SamuelE-Mail Files l 2: Confidential ClaireActivity Logs l 1: Unclassified JohnTelephone Lists Bill can read all files Claire cannot read Personnel or E-Mail Files John can only read Telephone Lists

9 R EADING I NFORMATION Information flows up, not down “Reads up” disallowed, “ reads down ” allowed Simple Security Condition (Step 1) Subject s can read object o iff, L ( o ) ≤ L ( s ) and s has permission to read o Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) Sometimes called “no reads up” rule 9

10 W RITING I NFORMATION Information flows up, not down “ Writes up ” allowed, “writes down” disallowed *-Property (Step 1) Subject s can write object o iff L ( s ) ≤ L ( o ) and s has permission to write o Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) Sometimes called “no writes down” rule 10

11 B ASIC S ECURITY T HEOREM, S TEP 1 If a system is initially in a secure state, and every transition of the system satisfies the simple security condition, step 1, and the *-property, step 1, then every state of the system is secure Proof: induct on the number of transitions 11

12 B ASICS : P ARTIALLY O RDERED S ET A Set S with relation  (written (S,  ) is called a partially ordered set if  is Anti-symmetric If a  b and b  a then a = b Reflexive For all a in S, a  a Transitive For all a, b, c. a  b and b  c implies a  c 12

13 B ACKGROUND : P OSET EXAMPLES Natural numbers with less than (total order) Sets under the subset relation (not a total order) Natural numbers ordered by divisibility 13

14 B ACKGROUND : L ATTICE Partially ordered set (S,  ) and two operations: greatest lower bound (glb X) Greatest element less than all elements of set X least upper bound (lub X) Least element greater than all elements of set X Every lattice has bottom (glb L) a least element top (lub L) a greatest element 14

15 B ACKGROUND : L ATTICE EXAMPLES Natural numbers in an interval (0.. n) with less than Also the linear order of clearances (U  FOUO  S  TS) The powerset of a set of generators under inclusion E.g. Powerset of security categories {NUC, Crypto, ASI, EUR} The divisors of a natural number under divisibility 15

16 B ELL -L A P ADULA M ODEL (S TEP 2) Total order of classifications not flexible enough Solution: Categories S can access O if C(O)  C(S) Combining with clearance: ( L,C) dominates (L’,C’) L’ = L and C’  C Induces lattice instead of levels Expand notion of security level to include categories Security level is ( clearance, category set ) 16

17 B ELL -L A P ADULA M ODEL ( BLP ) 17 Lattice Example1 Lattice Example2 ( Top Secret, { NUC, EUR, ASI } ) ( Confidential, { EUR, ASI } ) ( Secret, { NUC, ASI } ) {NUC, EUR, US} {NUC, EUR}{NUC, US}{EUR, US} {NUC} {EUR}{US} 

18 L EVELS AND L ATTICES dom (dominates) relation ( L, C ) dom ( L, C ) iff L ≤ L and C  C Examples (Top Secret, {NUC, ASI}) dom (Secret, {NUC}) (Secret, {NUC, EUR}) dom (Confidential,{NUC, EUR}) (Top Secret, {NUC})  dom (Confidential, {EUR}) Let C be set of clearances, K set of categories. Set of security levels L = C  K, dom form lattice lub ( L ) = ( max ( L ), C ) glb ( L ) = ( min ( L ),  ) 18

19 L EVELS AND O RDERING Security levels partially ordered Any pair of security levels may (or may not) be related by dom “dominates” serves the role of “greater than” in step 1 But “greater than” is a total ordering, 19

20 R EADING I NFORMATION Information flows up, not down “Reads up” disallowed, “reads down” allowed Simple Security Condition (Step 2) Subject s can read object o iff L ( s ) dom L ( o ) and s has permission to read o Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) Sometimes called “no reads up” rule 20

21 W RITING I NFORMATION Information flows up, not down “Writes up” allowed, “writes down” disallowed *-Property (Step 2) Subject s can write object o iff L ( o ) dom L ( s ) and s has permission to write o Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) Sometimes called “no writes down” rule 21

22 B ASIC S ECURITY T HEOREM (S TEP 2) If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 2) and the *-property (step 2) then every state of the system is secure Proof: induct on the number of transitions 22

23 E XAMPLE George is cleared into security level (SECRET,{NUC, EUR}), DocA is classified as ( CONFIDENTIAL, { NUC } ), DocB is classified as ( SECRET, { EUR, US}), and DocC is classified as (SECRET, { EUR }). Then: George dom DocA as CONFIDENTIAL ≤ SECRET and { NUC }  { NUC, EUR } George ¬dom DocB as { EUR, US }  { NUC, EUR } George dom DocC as SECRET ≤ SECRET and { EUR }  { NUC, EUR } George can read DocA and DocC but not DocB (assuming the discretionary access controls allow such access). Suppose Paul is cleared as (SECRET, { EUR, US, NUC }) and has discretionary read access to DocB. Paul can read DocB; were he to copy its contents to DocA and set its access permissions accordingly. George could then read DocB!? *-property (step 2) prevents this 23

24 P ROBLEM Colonel has (Secret, {NUC, EUR}) clearance Major has (Secret, {EUR}) clearance Major can talk to colonel (“write up” or “read down”) Colonel cannot talk to major (“read up” or “write down”) Not Desired! 24

25 S OLUTION Define maximum, current levels for subjects maxlevel ( s ) dom curlevel ( s ) Example Treat Major as an object (Colonel is writing to him) Colonel has maxlevel (Secret, { NUC, EUR }) Colonel sets curlevel to (Secret, { EUR }) Now L (Major) dom curlevel (Colonel) Colonel can write to Major without violating “no writes down” 25

26 26 S YSTEMS B UILT ON B ELL -L A P ADULA (BLP) BLP was a simple model Intent was that it could be enforced by simple mechanisms File system access control was the obvious choice Multics (1965) implemented BLP Unix inherited its discretionary AC from Multics

Download ppt "I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University."

Similar presentations

ACCESS-CONTROL MODELS

ACCESS-CONTROL MODELS
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #30-1 Chapter 30: Lattices Overview Definitions Lattices Examples.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #30-1 Chapter 30: Lattices Overview Definitions Lattices Examples.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.

Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.

1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.

Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #27-1 Chapter 27: Lattices Overview Definitions Lattices Examples.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #27-1 Chapter 27: Lattices Overview Definitions Lattices Examples.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
April 20, 2004ECS 235Slide #1 DG/UX System Provides mandatory access controls –MAC label identifies security level –Default labels, but can define others.

April 20, 2004ECS 235Slide #1 DG/UX System Provides mandatory access controls –MAC label identifies security level –Default labels, but can define others.
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
Sicurezza Informatica Prof. Stefano Bistarelli

Sicurezza Informatica Prof. Stefano Bistarelli
User Domain Policies.

User Domain Policies.
7/15/2015 5:04 PM Lecture 4: Bell LaPadula James Hook CS 591: Introduction to Computer Security.

7/15/2015 5:04 PM Lecture 4: Bell LaPadula James Hook CS 591: Introduction to Computer Security.
Mandatory Flow Control Bismita Srichandan. Outline Mandatory Flow Control Models Information Flow Control Lattice Model Multilevel Models –The Bell-LaPadula.

Mandatory Flow Control Bismita Srichandan. Outline Mandatory Flow Control Models Information Flow Control Lattice Model Multilevel Models –The Bell-LaPadula.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Assistant Professor, SIS Lecture 5 September 27, 2007 Security Policies Confidentiality Policies.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Assistant Professor, SIS Lecture 5 September 27, 2007 Security Policies Confidentiality Policies.

Similar presentations

Ads by Google