MANDATORY FLOW CONTROL Xiao Chen Fall 2009 CSc 8320


1 MANDATORY FLOW CONTROL Xiao Chen Fall 2009 CSc 8320

2 INDEX
Section One: Basic Introduction
  Mandatory Flow Control Models
  Information Flow Control
  Lattice Model
  Multilevel Models
Section Two: Contemporary Application
  Windows Vista IE7 Implements Biba Model
Section Three: Future Prospect
  Improvement of P2P
References

3 SECTION ONE: BASIC INTRODUCTION

4 MANDATORY FLOW CONTROL MODELS Definition: Mandatory access control refers to a type of access control by which the operating system constrains the ability of a subject to access, or generally perform some sort of operation on, an object or target.

5 MANDATORY FLOW CONTROL MODELS Why is it necessary when we already have the discretionary security model? With the advances in networks and distributed systems, it is necessary to broaden the scope to include the control of information flow between distributed nodes on a system-wide basis, rather than only on the per-object basis that discretionary control provides.

6 DIFFERENCE BETWEEN DISCRETIONARY AND MANDATORY ACCESS CONTROL [4] Under mandatory access control, the security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users to make policy decisions and/or assign security attributes.

7 INFORMATION FLOW CONTROL [1] Definition: Information flow control is concerned with how information is disseminated or propagated from one object to another. The security classes of all entities must be specified explicitly, and the class of an entity seldom changes after it has been created.

8 THE LATTICE MODEL The best-known information flow model. It is based upon the concept of a lattice, whose mathematical meaning is a structure consisting of a finite partially ordered set together with a least upper bound and a greatest lower bound operator on the set.

9 THE LATTICE MODEL A lattice is a directed acyclic graph (DAG) with a single source and a single sink. Information is permitted to flow from a lower class to an upper class.

10 MULTILEVEL SECURITY Multilevel security is a special case of the lattice-based information flow model. There are two well-known multilevel security models: the Bell-LaPadula model, which focuses on confidentiality of information, and the Biba model, which focuses on system integrity.

11 BELL-LAPADULA MODEL Need-to-know principle: a subject is given access only to the objects that it requires to perform its job. Security with respect to confidentiality in the Bell-LaPadula model is described by the following two axioms: Simple security property: reading information from an object o by a subject s requires that SC(s) dominates SC(o) ("no read up"). The *-property: writing information to an object o by a subject s requires that SC(o) dominates SC(s) ("no write down").

12 BIBA MODEL Contrary to the Bell-LaPadula model, in the Biba model information can only flow from a higher integrity class to a lower integrity class. Integrity levels form a linear lattice in which each level represents the classification of integrity of information an object can contain, or the clearance of a subject for modifying an object. Integrity categories form a subset lattice and are used to enforce the need-to-have principle.

13 COMPARISON OF TWO MULTILEVEL MODELS
The Bell-LaPadula model is concerned with information confidentiality:
  subjects reading from an object must have a higher security class than the object;
  objects being written to by a subject must have a higher security class than the subject.
The Biba model emphasizes information integrity:
  subjects writing information to an object must have a higher security class than the object;
  objects being read from by a subject must have a higher security class than the subject.
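The lattice of slides 8-9 and the two multilevel models of slides 11-13, written out as runnable checks. This is an added example, not code from the slides or from the cited references; the level names, the category sets and the sample subject and objects are constructed here. A security class is a level plus a set of categories, "dominates" is the lattice order, join and meet are the least upper bound and greatest lower bound, and the Bell-LaPadula and Biba rules are the two reference-monitor decisions built on top of that order.

```python
# Added example (not from the slides): a security-class lattice with join/meet,
# the lattice-model flow rule, and the Bell-LaPadula and Biba access rules.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Linear order of levels (constructed names); categories form the subset lattice.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class SecurityClass:
    """One lattice element: a level plus a set of need-to-know categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "SecurityClass") -> bool:
        # SC(a) dominates SC(b) iff level(a) >= level(b) AND cats(a) is a superset of cats(b).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def join(a: SecurityClass, b: SecurityClass) -> SecurityClass:
    """Least upper bound: the lowest class that dominates both a and b."""
    level = max(a.level, b.level, key=LEVELS.__getitem__)
    return SecurityClass(level, a.categories | b.categories)


def meet(a: SecurityClass, b: SecurityClass) -> SecurityClass:
    """Greatest lower bound: the highest class dominated by both a and b."""
    level = min(a.level, b.level, key=LEVELS.__getitem__)
    return SecurityClass(level, a.categories & b.categories)


def can_flow(src: SecurityClass, dst: SecurityClass) -> bool:
    """Lattice model (slide 9): information may only flow upward, to a class that dominates the source."""
    return dst.dominates(src)


def blp_allows(subject: SecurityClass, obj: SecurityClass, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)   # simple security property
    if op == "write":
        return obj.dominates(subject)   # *-property
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: SecurityClass, obj: SecurityClass, op: str) -> bool:
    """Biba (integrity): the mirror image, no read down, no write up."""
    if op == "read":
        return obj.dominates(subject)   # simple integrity axiom
    if op == "write":
        return subject.dominates(obj)   # integrity *-property
    raise ValueError(f"unknown operation {op!r}")


def comparison_table() -> List[Tuple[str, str, bool, bool]]:
    """Slide 13 as data: the same requests judged by both models.

    Returns rows of (object, operation, BLP decision, Biba decision)."""
    subject = SecurityClass("secret", frozenset({"crypto"}))
    lower = SecurityClass("confidential", frozenset({"crypto"}))
    higher = SecurityClass("top_secret", frozenset({"crypto", "nuclear"}))
    rows = []
    for name, obj in (("lower object", lower), ("higher object", higher)):
        for op in ("read", "write"):
            rows.append((name, op, blp_allows(subject, obj, op), biba_allows(subject, obj, op)))
    return rows


if __name__ == "__main__":
    a = SecurityClass("secret", frozenset({"crypto"}))
    b = SecurityClass("confidential", frozenset({"nuclear"}))
    # a and b are incomparable: neither dominates the other, so no direct flow either way,
    # but both may flow to their join.
    print("a->b:", can_flow(a, b), " b->a:", can_flow(b, a), " b->join:", can_flow(b, join(a, b)))
    for name, op, blp, biba in comparison_table():
        verdict = lambda ok: "allow" if ok else "deny"
        print(f"{op:5} {name:13}  BLP={verdict(blp):5}  Biba={verdict(biba)}")
```

The table that the script prints is the content of slide 13: for a subject at "secret", Bell-LaPadula allows reading the lower object and writing the higher one, while Biba allows exactly the opposite pair. The incomparable pair a and b shows why a lattice rather than a linear order is needed: neither may flow to the other, but both may flow to their least upper bound.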

14 SECTION TWO: CONTEMPORARY APPLICATION

15 IE7 IMPLEMENTS BIBA MODEL [2] According to the two rules of the Biba integrity model: Simple security axiom: a subject at a particular integrity level must not be able to read from an object of a lower integrity level, i.e. "no read down". Star property axiom: a subject at a particular integrity level must not be able to write to an object of a higher integrity level, i.e. "no write up".

16 IE7 IMPLEMENTS BIBA MODEL [2] Keeping the integrity level of IE7 (Protected Mode) at Low makes sure that any thread started by IE7 bears the same integrity level and thus cannot write to any folder or application in the system that is at a higher integrity level (star property axiom). Therefore the only folders IE7-based programs can write into are the following, as they are assigned the same integrity level as IE7:
  Temporary Internet Files
  Cookies
  Recycle Bin
  Various registry keys, including ones under HKCU\Software\Microsoft\Internet Explorer

17 IE7 IMPLEMENTS BIBA MODEL [2] On the other hand, if you want to save a file downloaded through IE7 to a local folder like "My Documents", the application warns the user that this will require elevating privileges to save the file in an alternate location. If it is a .exe file that needs to be installed, IE7 prompts for further elevation by asking for the admin password.
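A small simulation of slides 15-17: a browser process labelled Low, objects labelled with integrity levels, the "no write up" check, label inheritance by child processes, and the consent-gated elevation path for saving into "My Documents". This is an added example, not code from the slides, from the cited blog post, or from Microsoft; the object list is taken from slide 16 with two Medium/High entries added as constructed samples, and the "elevated broker" that performs the write after the user consents is a modelling assumption, not a description of IE7 internals.

```python
# Added example (not from the slides): Windows-style integrity levels applied to
# the IE7 Protected Mode scenario. Object labels are constructed for the example.
from dataclasses import dataclass
from typing import List, Tuple

IL = {"Low": 1, "Medium": 2, "High": 3}   # linear integrity lattice used here

# Constructed sample: the Low-labelled locations named on slide 16, plus a user
# folder (Medium) and an installation target (High) added for contrast.
OBJECTS = {
    "Temporary Internet Files": "Low",
    "Cookies": "Low",
    "Recycle Bin": "Low",
    r"HKCU\Software\Microsoft\Internet Explorer": "Low",
    "My Documents": "Medium",
    r"C:\Program Files": "High",
}


@dataclass(frozen=True)
class Process:
    name: str
    integrity: str

    def spawn(self, child_name: str) -> "Process":
        # Slide 16: anything started by the Low browser bears the same label.
        return Process(child_name, self.integrity)


def check_write(proc: Process, path: str) -> bool:
    """Star property axiom / no write up: the writer's level must dominate the object's."""
    return IL[proc.integrity] >= IL[OBJECTS[path]]


def writable_paths(proc: Process) -> List[str]:
    """Everything this process may write to under the no-write-up rule."""
    return [path for path in OBJECTS if check_write(proc, path)]


def save_download(proc: Process, path: str, user_consents: bool) -> Tuple[str, str]:
    """Slide 17: saving to a higher-integrity location needs elevation and a user prompt.

    Returns (outcome, integrity level that performed the write).
    Assumption of this model: elevation does not raise the browser's own label;
    a separate process at the required level does the write after consent."""
    if check_write(proc, path):
        return ("written", proc.integrity)
    if not user_consents:
        return ("denied", proc.integrity)
    broker = Process("elevated broker", OBJECTS[path])
    return ("written via elevated broker", broker.integrity)


if __name__ == "__main__":
    ie = Process("iexplore (Protected Mode)", "Low")
    helper = ie.spawn("download helper")
    print("helper label:", helper.integrity)
    print("writable by IE7:", writable_paths(ie))
    for target, consent in (("Temporary Internet Files", False),
                            ("My Documents", False),
                            ("My Documents", True),
                            (r"C:\Program Files", True)):
        print(f"{target:45} consent={consent!s:5} ->", save_download(ie, target, consent))
```

Running it shows the Low helper inheriting its parent's label, the four slide 16 locations as the only writable ones, the save into "My Documents" being denied without consent and performed at Medium with it, and an install into Program Files needing a High-level write (slide 17's admin-password prompt).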

18 SECTION THREE: FUTURE PROSPECT

19 FUTURE WORK Multilevel models have been used mostly in military systems, although, as we will see later, they are useful for controlling attacks on different parts of a system. In particular, Joshi et al. [Jos01] discuss the improvement of these models for web-based applications. They consider role-based access control the most suitable model but think that in the future it needs to be extended to consider dynamic and task-based aspects. This is a good direction for future work. [3]

20 REFERENCES
[1] Randy Chow and Theodore Johnson, Distributed Operating Systems & Algorithms, Addison Wesley, 1997.
[2] IE7 Implements Biba Model, http://ranjanajain.spaces.live.com/blog/cns!5F09EF6281DD4DB0!221.entry?sa=390277086
[3] Eduardo B. Fernandez, Chapter 4. Security models, http://www.cse.fau.edu/~ed/Ch4SecModels.pdf
[4] http://en.wikipedia.org/wiki/Mandatory_access_control

