Presentation is loading. Please wait.

Presentation is loading. Please wait.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang."— Presentation transcript:

1 ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang

2 2 Chap 6: Integrity Policies More details about two types of policies –In previous chapter, we say that there are two types of policies: confidentiality and integrity policies. Here we will provide more details for integrity policies –There are many applications in which the integrity is more important than confidentiality

3 3 Chapter 6: Integrity Policies Overview Requirements –Very different from confidentiality policies Biba’s models Clark-Wilson model

4 4 Requirements of Integrity Commercial systems focus on development, test, and switch: Users will not write their own programs, but will use existing production programs and databases. Programmers will develop and test programs on a non-production system; if they need access to actual data, they will be given production data via a special process, but will use it on their development system. A special process must be followed to install a program from the development system onto the production system. The special process in requirement 3 must be controlled and audited. The managers and auditors must have access to both the system state and the system logs that are generated.

5 5 The requirements suggest several operation principles –Separation of duty: multiple steps of a critical function should be performed by different people. (SDE, SDET, STE) –Separation of function: the development system and production system Both system development and data manipulation –Auditing: enable recovery and accountability (checkpoint, and who has caused the problem)

6 6 Biba Integrity Model: –If you remember, the B-L confidentiality model says “no read up” and “no write down” –The basic idea of Biba model is No read down: a subject should not be mislead by data with a low integrity level No write up: a low integrity subject should not corrupt a trustworthy data The information flow is always downward

7 7 Example: Pres. O is planning to attack Mars –His plan should be based on verified information but not some Internet gossip (no read down) –A terrorist should not be granted the right to change the plan (no write up)

8 8 Intuition for Integrity Levels The higher the level, the more confidence –That a program will execute correctly –That data is accurate and/or reliable Note relationship between integrity and trustworthiness Important point: integrity levels are not security levels

9 9 Biba Integrity Model Set of subjects S, objects O, integrity levels I (the levels are ordered) The relation “≤” is defined b/w two integrity levels: the second dominates the first i(s) or i(o) will return the integrity level of a subject or an object

10 10 Biba’s Model The rules of Biba: 1. s  S can read o  O iff i(s) ≤ i(o) 2. s  S can write to o  O iff i(o) ≤ i(s) 3. s 1  S can execute s 2  S iff i(s 2 ) ≤ i(s 1 ) What we get from the three rules: –s can read only more trustworthy data: s will not be misled by low integrity information –s cannot mess up high integrity data –Prevent a less trusted invoker to control the execution of more trusted subjects

11 11

12 12 Clark-Wilson Integrity Model Focus on transactions instead of access rights: closer to the real operations of commercial systems Integrity defined by a set of constraints –Example: Bank D today’s deposits, W withdrawals, YB yesterday’s balance, TB today’s balance Integrity constraint: YB + D – W ?= TB Integrity of data: well-formed transactions move a system from one consistent state to another Integrity of operations: who examines and certifies that transactions are performed correctly?

13 13 Clark-Wilson contains two sets of rules: –Certification rules: security requirements that the system should uphold –Enforcement rules: security requirements that should be supported by the protection mechanisms

14 14 Entities CDIs: constrained data items –Data subject to integrity controls UDIs: unconstrained data items –Data not subject to integrity controls IVPs: integrity verification procedures –Procedures that test the CDIs conform to the integrity constraints TPs: transformation procedures –Procedures that take the system from one valid state to another

15 15 Certification Rules 1 and 2 CR1When any IVP is run, it must ensure all CDIs are in a valid state CR2For some associated set of CDIs, a TP must transform those CDIs in a valid state into a (possibly different) valid state –Defines relation certified that associates a set of CDIs with a particular TP –A TP can corrupt a CDI if it is not certified to work on that CDI –Example: TP balance, CDIs accounts, in bank example

16 16 Enforcement Rules 1 and 2 ER1The system must maintain the certified relations and must ensure that only TPs certified to run on a CDI manipulate that CDI. ER2The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user. The TP cannot access that CDI on behalf of a user if she/he is not associated with that TP and CDI. –System must maintain, enforce certified relation –System must also restrict access based on user ID (allowed relation) –Now we have human, and we have to enforce separation of duty and authentication

17 17 Users and Rules CR3The allowed relations must meet the requirements imposed by the principle of separation of duty. ER3The system must authenticate each user attempting to execute a TP –Type of authentication undefined, and depends on the instantiation –Authentication not required before use of the system, but is required before manipulation of CDIs –User can manipulate CDI only through TP

18 18 Logging CR4All TPs must append enough information to reconstruct the operation to an append-only CDI. –This CDI is the log –Auditor needs to be able to determine what happened during reviews of transactions

19 19 Handling Untrusted Input CR5Any TP that takes as input a UDI may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI. –In bank, numbers entered at keyboard are UDIs, so cannot be input to TPs. TPs must validate numbers (to make them a CDI) before using them; if validation fails, TP rejects UDI –Now we can communicate with outside world

20 20 Separation of Duty In Model ER4Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of an entity associated with that TP, may ever have execute permission with respect to that entity. –Enforces separation of duty with respect to certified and allowed relations –You can not be player and rule-maker at the same time

21 21 Comparison to Biba Biba –No notion of certification rules. Therefore, we have to make sure that magically trusted subjects ensure actions obey rules untrusted data examined before being made trusted Clark-Wilson –Explicit requirements that actions must meet –Trusted entity must certify method to upgrade untrusted data (and not certify the data itself)

22 22 Key Points Integrity policies deal with trust –As trust is hard to quantify, these policies are hard to evaluate completely –Look for assumptions and trusted users to find possible weak points in their implementation Biba based on multilevel integrity Clark-Wilson focuses on separation of duty and transactions

Download ppt "ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang."

Similar presentations

TOPIC CLARK-WILSON MODEL Ravi Sandhu.

TOPIC CLARK-WILSON MODEL Ravi Sandhu.
Operating System Security

Operating System Security
CS691 – Chapter 6 of Matt Bishop

CS691 – Chapter 6 of Matt Bishop
Dan Fleck CS 469: Security Engineering

Dan Fleck CS 469: Security Engineering
Access Models and Integrity Trent Jaeger January 14, 2004.

Access Models and Integrity Trent Jaeger January 14, 2004.
CMSC 414 Computer (and Network) Security Lecture 12 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 12 Jonathan Katz.
Security Models and Architecture

Security Models and Architecture
Hybrid Policies Overview Chinese Wall Model Clinical Information Systems Security Policy ORCON RBAC Introduction to Computer Security ©2004 Matt Bishop.

Hybrid Policies Overview Chinese Wall Model Clinical Information Systems Security Policy ORCON RBAC Introduction to Computer Security ©2004 Matt Bishop.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Lipner’s.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Lipner’s.
May 4, 2004ECS 235Slide #1 Biba Integrity Model Basis for all 3 models: Set of subjects S, objects O, integrity levels I, relation ≤  I  I holding when.

May 4, 2004ECS 235Slide #1 Biba Integrity Model Basis for all 3 models: Set of subjects S, objects O, integrity levels I, relation ≤  I  I holding when.
Verifiable Security Goals

Verifiable Security Goals
Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 September 18, 2003 Introduction to Computer Security.

Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 September 18, 2003 Introduction to Computer Security.
Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 7, 2004 Introduction to Computer Security Lecture.

Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 7, 2004 Introduction to Computer Security Lecture.
1 Clark Wilson Implementation Shilpa Venkataramana.

1 Clark Wilson Implementation Shilpa Venkataramana.
1 Integrity Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 22, 2004.

1 Integrity Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 22, 2004.
6/26/2015 6:12 PM Lecture 5: Integrity Models James Hook (Some materials from Bishop, copyright 2004) CS 591: Introduction to Computer Security.

6/26/2015 6:12 PM Lecture 5: Integrity Models James Hook (Some materials from Bishop, copyright 2004) CS 591: Introduction to Computer Security.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
CS526Topic 21: Integrity Models1 Information Security CS 526 Topic 21: Integrity Protection Models.

CS526Topic 21: Integrity Models1 Information Security CS 526 Topic 21: Integrity Protection Models.

Similar presentations

Ads by Google