Presentation is loading. Please wait.

Presentation is loading. Please wait.

George Mason University

Published byAllison Willis Modified over 10 years ago

Similar presentations

Presentation on theme: "George Mason University"— Presentation transcript:

1 George Mason University
SESSION LATTICE-BASED ACCESS CONTROL MODELS Ravi Sandhu George Mason University Fairfax, Virginia USA

2 LATTICE-BASED MODELS Denning's axioms and lattices
Bell-LaPadula model (BLP) Integrity and information flow The Chinese Wall lattice

3 DENNING'S AXIOMS < SC, ,  > SC set of security classes
SC X SC flow relation (i.e., can-flow)  SC X SC -> SC class-combining operator

4 DENNING'S AXIOMS < SC, ,  > SC is finite
 is a partial order on SC SC has a lower bound L such that L  A for all A  SC  is a least upper bound (lub) operator on SC Justification for 1 and 2 is stronger than for 3 and 4. In practice we may therefore end up with a partially ordered set (poset) rather than a lattice.

5 LATTICE STRUCTURES Compartments and Categories {ARMY, NUCLEAR, CRYPTO}
{ARMY, CRYPTO} {NUCLEAR, CRYPTO} {ARMY} {NUCLEAR} {CRYPTO} {}

6 product of 2 lattices is a lattice
LATTICE STRUCTURES Hierarchical Classes with Compartments {A,B} TS {A} {B} S {} product of 2 lattices is a lattice

7 LATTICE STRUCTURES TS, {A,B} Hierarchical Classes with Compartments
{} S, {A,B} S, {A} S, {B} S, {}

8 SMITH'S LATTICE TS-AKLQWXYZ TS-KLX TS-KY TS-KQZ TS-KL TS-W TS-X TS-X
TS-Q TS-Z TS-L TS-K TS-Y S-LW S-L TS S-W S-A S SMITH'S LATTICE C U

9 SMITH'S LATTICE With large lattices a vanishingly small fraction of the labels will actually be used Smith's lattice: 4 hierarchical levels, 8 compartments, therefore number of possible labels = 4*2^8 = 1024 Only 21 labels are actually used (2%) Consider 16 hierarchical levels, 64 compartments which gives 10^20 labels

10 EMBEDDING A POSET IN A LATTICE
{A,B,C,D} {A,B,C} {A,B,D} {A,B,C} {A,B,D} {A,B} {A} {B} {A} {B} such embedding is always possible {}

11 BELL LAPADULA (BLP) MODEL
SIMPLE-SECURITY Subject S can read object O only if label(S) dominates label(O) information can flow from label(O) to label(S) STAR-PROPERTY Subject S can write object O only if label(O) dominates label(S) information can flow from label(S) to label(O)

12 BLP MODEL Top Secret Secret Confidential Unclassified dominance 
can-flow

13 DYNAMIC LABELS IN BLP Tranquility (most common): SECURE
label is static for subjects and objects High water mark on subjects: SECURE label is static for objects label may increase but not decrease for subjects High water mark on objects: INSECURE label is static for subjects label may increase but not decrease for objects

14 BIBA MODEL High Integrity Some Integrity Suspicious Garbage dominance
can-flow

15 BIBA MODEL SIMPLE-INTEGRITY STAR-PROPERTY
Subject S can read object O only if label(O) dominates label(S) information can flow from label(O) to label(S) STAR-PROPERTY Subject S can write object O only if label(S) dominates label(O) information can flow from label(S) to label(O)

16 EQUIVALENCE OF BLP AND BIBA
HI (High Integrity) LI (Low Integrity) LI (Low Integrity) HI (High Integrity) BIBA LATTICE EQUIVALENT BLP LATTICE

17 EQUIVALENCE OF BLP AND BIBA
HS (High Secrecy) LS (Low Secrecy) LS (Low Secrecy) HS (High Secrecy) BLP LATTICE EQUIVALENT BIBA LATTICE

18 COMBINATION OF DISTINCT LATTICES
HS HI HS, LI HS, HI LS, LI LS LI LS, HI BLP BIBA GIVEN EQUIVALENT BLP LATTICE

19 BLP AND BIBA BLP and Biba are fundamentally equivalent and interchangeable Lattice-based access control is a mechanism for enforcing one-way information flow, which can be applied to confidentiality or integrity goals We will use the BLP formulation with high confidentiality at the top of the lattice, and high integrity at the bottom

20 LIPNER'S LATTICE S: System Managers O: Audit Trail S: System Control
S: Application Programmers O: Development Code and Data S: Repair S: Production Users O: Production Data S: System Programmers O: System Code in Development O: Repair Code O: Production Code O: Tools LEGEND S: Subjects O: Objects O: System Programs

21 LIPNER'S LATTICE Uses 9 labels from a possible space of 192 labels
Audit trail is at lowest integrity Production users are only allowed to execute production code System control subjects are allowed to write down (with respect to confidentiality) or equivalently write up (with respect to integrity)

22 CHINESE WALL POLICY Example of a commercial security policy for confidentiality Mixture of free choice (discretionary) and mandatory controls Introduced by Brewer-Nash in Oakland '89

23 CONFLICT OF INTEREST CLASSES
CHINESE WALL EXAMPLE ALL OBJECTS CONFLICT OF INTEREST CLASSES OIL COMPANIES BANKS A B X Y COMPANY DATASETS A consultant can access information about at most one company in each conflict of interest class

24 READ ACCESS BREWER-NASH SIMPLE SECURITY S can read O only if
O is in the same company dataset as some object previously read by S (i.e., O is within the wall) or O belongs to a conflict of interest class within which S has not read any object (i.e., O is in the open)

25 WRITE ACCESS BREWER-NASH STAR-PROPERTY S can write O only if
S can read O by the simple security rule and no object can be read which is in a different company dataset to the one for which write access is requested

26 REASON FOR BN STAR-PROPERTY
ALICE'S WALL BOB'S WALL Bank A Bank B Oil Company X Oil Company X cooperating Trojan Horses can transfer Bank A information to Bank B objects, and vice versa, using Oil Company X objects as intermediaries

27 IMPLICATIONS OF BN STAR-PROPERTY
Either S cannot write at all or S is limited to reading and writing one company dataset

28 WHY THIS IMPASSE? Failure to clearly distinguish user labels from subject labels.

29 CHINESE WALL LATTICE SYSHIGH A, X A, Y B, X B, Y
The high water mark of a user's principal can float up so long as it remain below SYSHIGH A, - -, X -, Y B, - SYSLOW

30 USERS, PRINCIPALS, SUBJECTS
ALICE.BANK A & OIL COMPANY X ALICE.OIL COMPANY X ALICE ALICE.BANK A ALICE.nothing USER PRINCIPALS

31 USERS, PRINCIPALS, SUBJECTS
JOE.TOP-SECRET JOE.SECRET JOE JOE.CONFIDENTIAL JOE.UNCLASSIFIED USER PRINCIPALS

32 USERS, PRINCIPALS, SUBJECTS
The Bell-LaPadula star-property is applied not to Joe but rather to Joe's principals Similarly, the Brewer-Nash star-property applies not to Alice but to Alice's principals

33 CONCLUSION So long as Denning’s axioms are satisfied we will get a lattice-based information flow policy One-directional information flow in a lattice can be used for secrecy as well as for integrity but does not solve either problem completely To properly understand and enforce Information Security policies we must distinguish between policy applied to users, and policy applied to principals and subjects

34 REFERENCES Ravi Sandhu, "Lattice-Based Access Control Models."
IEEE Computer, November 1993, pages 9-19

Download ppt "George Mason University"

Similar presentations

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.

Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.
Access Control Prof. Ravi Sandhu Executive Director and Endowed Chair

Access Control Prof. Ravi Sandhu Executive Director and Endowed Chair
INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.

INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.
ACCESS-CONTROL MODELS

ACCESS-CONTROL MODELS
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
LECTURE 1 ACCESS CONTROL Ravi Sandhu.

LECTURE 1 ACCESS CONTROL Ravi Sandhu.
11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina.

11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.

Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
UNITED NATIONS Shipment Details Report – January 2006.

UNITED NATIONS Shipment Details Report – January 2006.
Document #07-2I RXQ.11.4.1 Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) (mod 7/25 & clean-up 8/20) Customer Supplier.

Document #07-2I RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) (mod 7/25 & clean-up 8/20) Customer Supplier.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.

1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×

Properties of Real Numbers CommutativeAssociativeDistributive Identity + × Inverse + ×

Similar presentations

Ads by Google