Formal Security Models. Based on slides prepared by A. Jones and Y. Lin. Material based on the C. Landwehr paper.


Slide 2: Why Formal Models?
- Regulations are generally descriptive rather than prescriptive, so they don't tell you how to implement.
- Systems must be secure; security must be demonstrable --> proofs; therefore, formal security models.

Slide 3: Military Security
- Classification levels: unclassified; classified (confidential, secret, top secret).
- Compartments: topic specific.
- Clearance: the ability to access a certain level/compartment of sensitive information.

Slide 4: Formal Models - Basic Concepts
- Finite state machine model: this structure is the basis for all models in this paper.
- Lattice model.
- Access matrix model.
- Security kernel (small enough for verification).
- Information-flow model.

Slide 5: Lattice Model (for military application)
- Sensitivity levels a, b; compartments c, d.
- (a,c) >= (b,d) iff a >= b and c contains d.
- Implies a greatest lower bound (unclassified, no compartments) and a least upper bound (top secret, all compartments).

Slide 6: Access Matrix Model
- Three principal components: objects, subjects, rules.
- Access matrix (subject X object); entries are rights such as read, write, append, and execute.
- Reference monitor: checks each access.
- Two approaches to storing the matrix: capability list (row-wise), access control list (column-wise).

Slide 7: Access Matrix
[Table: access matrix with subjects S1..S4 as rows and objects O1..O4, S1, S2, ... as columns; subjects also appear as columns, so rights can be held on subjects as well as on objects. Entries shown include r, rw, x, rx and kill.]

Slide 8: Take-Grant Model
- Uses graphs to model access control.
- Access rights: read, write, take, grant.
- Each directed arc represents a capability: an arc from one object to another labeled with an access right.
- Compact representation of a sparse access matrix.

Slide 9: Take-Grant Model (cont)
- Set of rules for rewriting the graph. E.g. take rule: if A has the take right to B, then A can acquire all rights to any object that B has.
- Rules control deletion and creation of arcs and objects.

Slide 10: [Figure: take-grant graph with nodes A, B, C; arcs labeled take and read,grant, shown before and after applying the take rule.]

Slide 11: [Figure: take-grant graph with nodes A, B, C; arcs labeled grant and write, shown before and after applying the grant rule.]

Slide 12: Take-Grant Model (cont)
- Question asked of the model: given an initial graph plus rules, can A ever get right R to object X?
- I.e. a question of graph transformation.
- Undecidable for general graphs, but decidable for specific graphs and rules.
- Defined predicates: "can know", "can tell", "can steal".
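The "can A ever get right R to object X?" question from slides 9 and 12, as an added example that is not part of the original slides: a breadth-first search over graphs reachable by the take and grant rules, on a constructed graph that mirrors the slide 10 figure. Arcs are (source, right, target) triples; self-loop arcs are skipped as a simplification.

```python
# Added example: take-grant graph rewriting and a bounded reachability search.
from collections import deque

def take_rule(g):
    """A --take--> B and B --r--> C  yields  A --r--> C."""
    for (a, r1, b) in g:
        if r1 != "take":
            continue
        for (b2, r, c) in g:
            if b2 == b and a != c and (a, r, c) not in g:
                yield g | {(a, r, c)}

def grant_rule(g):
    """A --grant--> B and A --r--> C  yields  B --r--> C."""
    for (a, r1, b) in g:
        if r1 != "grant":
            continue
        for (a2, r, c) in g:
            if a2 == a and b != c and (b, r, c) not in g:
                yield g | {(b, r, c)}

def can_acquire(initial, subject, right, obj, max_states=10_000):
    """Breadth-first search over reachable graphs. Returns the list of arcs
    added along a shortest derivation (a witness) if `subject` can obtain
    `right` to `obj`, or None if no reachable graph contains that arc."""
    start = frozenset(initial)
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        g, trace = queue.popleft()
        if (subject, right, obj) in g:
            return trace
        if len(seen) >= max_states:   # safety bound for large graphs
            break
        for rule in (take_rule, grant_rule):
            for ng in rule(g):
                if ng not in seen:
                    seen.add(ng)
                    queue.append((ng, trace + [sorted(ng - g)[0]]))
    return None

# Constructed graph (assumption, modelled on slide 10): A has take to B,
# B has read and grant to C.
GRAPH = {("A", "take", "B"), ("B", "read", "C"), ("B", "grant", "C")}
```

A None result is a proof within the bound that the right cannot be acquired under the de jure rules; a witness shows the reference monitor which capability transfers to audit.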

Slide 13: Bell & LaPadula Model
- Captures military classification.
- Uses a finite state machine.
- Formally defines a state to be secure, then considers transitions (that maintain security).
- Uses the subjects and objects of the access matrix.
- Adds military security: each subject has a clearance and a current classification level; each object has a classification.

Slide 14: Bell & LaPadula Model (cont)
- Four modes of access: read-only, append, execute, and read-write.
- Ownership: the owner can pass access modes to an owned object to other subjects.
- The core of the operating system is a monitor (security kernel) that checks all accesses.
- Minimum code; prove its properties.
- In practice, it is difficult to isolate all security-relevant functions in a small kernel.

Slide 15: Bell & LaPadula Model (cont'd)
- Properties for a state to be secure: the simple security property (restricts "reading up"); the star-property (prohibits "writing down").
- Tranquility principle: no operation may change the classification of an active object.
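The lattice of slide 5 and the two state-security properties of slide 15, as an added example that is not part of the original slides: labels are (level, compartments) pairs, and a reference-monitor style check applies the simple security property to observation and the star-property to alteration. Mapping the four access modes to observe/alter follows the BLP convention (execute neither observes nor alters); the level names and sample labels are constructed.

```python
# Added example: lattice dominance plus Bell-LaPadula access checks.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def dominates(a, b):
    """(a_level, a_comps) >= (b_level, b_comps) iff a_level >= b_level
    and a_comps contains b_comps."""
    (la, ca), (lb, cb) = a, b
    return LEVELS[la] >= LEVELS[lb] and frozenset(ca) >= frozenset(cb)

def lub(a, b):
    """Least upper bound: higher level, union of compartments."""
    (la, ca), (lb, cb) = a, b
    return (la if LEVELS[la] >= LEVELS[lb] else lb, frozenset(ca) | frozenset(cb))

def glb(a, b):
    """Greatest lower bound: lower level, intersection of compartments."""
    (la, ca), (lb, cb) = a, b
    return (la if LEVELS[la] <= LEVELS[lb] else lb, frozenset(ca) & frozenset(cb))

# Which modes observe (read) and which alter (write) the object.
MODES = {
    "read-only":  (True, False),
    "append":     (False, True),
    "execute":    (False, False),   # BLP convention: neither observe nor alter
    "read-write": (True, True),
}

def blp_allows(subject_label, object_label, mode):
    """Simple security: observing requires subject >= object (no read up).
    Star-property: altering requires object >= subject (no write down).
    subject_label is the subject's *current* level, not its clearance."""
    observes, alters = MODES[mode]
    if observes and not dominates(subject_label, object_label):
        return False
    if alters and not dominates(object_label, subject_label):
        return False
    return True

# Constructed labels for a worked check.
SUBJ = ("secret", {"crypto"})
LOW_OBJ = ("confidential", {"crypto"})
HIGH_OBJ = ("top secret", {"crypto", "nuclear"})
```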

Slide 16: Bell and LaPadula Model (cont'd)
- Rules of transition: create object, change security level, rescind access, give access, etc.
- Trusted subjects: trusted not to compromise security even if some of their accesses violate the star-property.
- "Flat" set of objects: atomic objects, each with a single classification; no hierarchy.

Slide 17: Problems of the B-L Model
- The static representation is restrictive.
- Although hierarchies of objects are added in a later version, there is no corresponding appropriate set of axioms.
- No clear guidance on how to determine trusted processes.
- In practice, declassification is a problem.

Slide 18: Problems of the B-L Model (cont'd)
- Allows information to be transmitted improperly through control variables (storage channels).
- The final forms don't contain storage channels, but timing channels can exist.
- Many operations that are in fact secure will be disallowed by the model.

Slide 19: Information-Flow Model
- Focuses on operations that transfer information between objects.
- Five components: objects (hold information); processes (active agents); security classes (disjoint classes of information); flow relation (given two classes, determines whether information is allowed to flow from one to the other).

Slide 20: Information-Flow Model (cont'd)
- The flow relation forms a lattice.
- Information flow (x -> y): explicit when the operations causing the flow are independent of the value of x, e.g. the assignment operation x = y; implicit in a conditional assignment (if x then y = z).
- A program is secure if it does not specify any information flows that violate the given flow relation.

Slide 21: Information-Flow Model (cont'd)
- A program is secure if it does not specify any information flows that violate the given flow relation.
- Consider static binding vs dynamic binding.
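The secure-program condition of slides 20 and 21, as an added example that is not part of the original slides: a static (compile-time binding) checker for a tiny statement language that reports explicit flows from assignment sources and implicit flows from the variables tested by enclosing conditionals. The flow relation is a constructed chain of classes; the program and its variable classes are also constructed.

```python
# Added example: static information-flow check against a flow relation.
ORDER = {"low": 0, "medium": 1, "high": 2}   # chain lattice: low -> medium -> high

def may_flow(src, dst):
    """Flow relation: information may move from src to dst iff src <= dst."""
    return ORDER[src] <= ORDER[dst]

def check_program(stmts, classes):
    """stmts: list of ("assign", target, [source vars]) or
    ("if", [condition vars], [nested stmts]). classes: var -> security class
    (static binding). Returns the violations found; an empty list means the
    program specifies no flow that violates the relation, i.e. it is secure."""
    violations = []

    def walk(block, pc_vars):
        for s in block:
            if s[0] == "assign":
                _, target, sources = s
                # explicit flow from each source; implicit flow from every
                # variable tested by an enclosing conditional (pc_vars)
                for v in sources + pc_vars:
                    if not may_flow(classes[v], classes[target]):
                        kind = "explicit" if v in sources else "implicit"
                        violations.append(f"{kind}: {v} -> {target}")
            elif s[0] == "if":
                _, cond_vars, body = s
                walk(body, pc_vars + cond_vars)
            else:
                raise ValueError(f"unknown statement {s[0]!r}")

    walk(stmts, [])
    return violations

# Constructed program:  x = y ; if x then y = z
PROGRAM = [("assign", "x", ["y"]),
           ("if", ["x"], [("assign", "y", ["z"])])]
CLASSES = {"x": "high", "y": "low", "z": "low"}
```

The first statement is a legal low-to-high flow; the conditional leaks the high value of x into the low variable y through an implicit flow, which the checker reports.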

Slide 22: Programs as Channels for Information Transmission
- Each of the models views a program as a medium for information transmission.
- Key questions: what information is conveyed by the execution of a program? What deductions about protected information are possible?

Slide 23: Programs as Channels for Information Transmission (cont'd)
- Filters (Jones and Lipton): views a policy as a function that maps from the input domain of the program to some subset of that domain, and the protection mechanism as a filter that assures the policy is followed.

Slide 24: Discussion and Conclusion
- Each model defines its own world and its own concept of security in that world.
- The appropriateness of a particular model depends on the application for which it is to be used.

Slide 25: Discussion & Conclusion (cont'd)
- Common problem: an operation is either secure or not; this is not helpful in making trade-offs between security and performance, and it is not true in the physical world, e.g. safes.
- Formal verification of security properties of systems is an active research topic.
- Most assume a security kernel.

Slide 26: Discussion & Conclusion (cont'd)
- Models can be divided into three groups: controlling direct access to objects; information flows among objects; an observer's ability to make inferences.
- Formal models of computer security are needed in order to ask or answer whether a computer system is secure.

Slide 27: Relevant Specification Languages. Based on materials from I. Cervesato, NRL.

Slide 28: Languages to Specify What?
- Message flow.
- Message constituents.
- Operating environment.
- Protocol goals.

Slide 29: Desirable Properties
- Unambiguous.
- Simple.
- Flexible: adapts to protocols.
- Powerful: applies to a wide class of protocols.
- Insightful: gives insight about protocols.

Slide 30: Language Families
- "Usual notation" (user interfaces).
- Knowledge logic: BAN.
- Process theory: Spi-calculus, Strands, MSR, FDR, Casper, Petri nets.
- Inductive methods.
- Temporal logic.
- Automata.
- CAPSL.
- NRL Protocol Analyzer.
- Murφ.
- ...
Why so many?
- Experience from mature fields.
- Unifying problem.
- Scientifically intriguing.
- Funding opportunities.
Convergence of approaches.

