Guest Lecture in Acc 661 (Spring 2007), Instructor: Christopher Brown

Presentation transcript:

Security Modeling
Jagdish S. Gangolly

Security Modeling and Information Assurance

Security modeling lies at the heart of Information Assurance, whose objective is to ensure:
- Confidentiality
- Integrity
- Availability

Security Modeling and Information Assurance

At a high level, an operating system is an accounting system. It monitors and maintains the information indispensable for ensuring the three objectives of Information Assurance.

Designing Trusted Operating Systems

An OS is trusted if we have confidence that it provides the following four services in a consistent and effective way:
- Memory protection
- File protection
- General object access control
- User authentication

Trusted vs. Secure Systems

  Secure                                      Trusted
  Either-or                                   Graded
  Property of presenter/developer             Property of receiver/user
  Asserted based on product characteristics   Judged based on evidence & analysis
  Absolute                                    Relative
  A goal                                      A characteristic

Security Policies I

Military security policy:
- Ranks: Top Secret, Secret, Confidential, Restricted, Unclassified
- Compartment: contains information associated with a project
- The combination <rank, compartments> is called a class or classification of information
- A person seeking access to information must be cleared

Security Policies II

Dominance: for subject s and object o, s ≤ o if and only if rank(s) ≤ rank(o) and compartments(s) ⊆ compartments(o). We say o dominates s.

Security Policies III

A subject can read an object only if:
- The clearance level of the subject is at least as high as the classification level of the information
- The subject has a need to know about all compartments for which the information is classified

The security officer controls clearances and classifications.

Security Modeling I: Models of Confidentiality

Bell-LaPadula Model
- Components: subjects, objects, a set of access operations, a set of security levels, security clearances for subjects, security classifications for objects, and an access control matrix.
- ss-property (simple security property; no read-up): a subject s may have read access to an object o only if C(o) ≤ C(s).
- *-property (no write-down): a subject s that has read access to an object o may have write access to an object p only if C(o) ≤ C(p).
- ds-property (discretionary security property): the access control matrix. The Orange Book defines discretionary access control as "a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)." -- TCSEC
- A state is secure if the three security properties are satisfied.
- Basic Security Theorem: if the initial state is secure and all state transitions are secure, then all subsequent states are secure, no matter what inputs occur.

Security Modeling II

Biba Integrity Model:
- Simple integrity property: a subject can modify an object only if its integrity classification dominates that of the object.
- Integrity *-property: if a subject has read access to object o, then it can have write access to an object p only if the integrity classification of o dominates that of p.
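The following is an added example, not part of the lecture slides: it encodes the <rank, compartments> labels and the dominance relation from Security Policies II, then uses one dominance check to decide the Bell-LaPadula ss- and *-properties and their Biba integrity duals side by side. The rank ordering and the sample labels (crypto and nuclear compartments) are constructed for the illustration.

```python
# Added example: dominance over <rank, compartments> labels, BLP
# confidentiality rules and their Biba integrity duals.
from dataclasses import dataclass
from typing import FrozenSet

# Rank ordering as listed on the "Security Policies I" slide (lowest first).
RANKS = {"Unclassified": 0, "Restricted": 1, "Confidential": 2,
         "Secret": 3, "Top Secret": 4}


@dataclass(frozen=True)
class Label:
    """A class/classification: <rank, compartments>."""
    rank: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self dominates other iff rank(other) <= rank(self) and
        # compartments(other) is a subset of compartments(self).
        # Labels with disjoint compartments are incomparable: neither dominates.
        return (RANKS[other.rank] <= RANKS[self.rank]
                and other.compartments <= self.compartments)


def blp_can_read(subject: Label, obj: Label) -> bool:
    """ss-property (no read-up): C(o) <= C(s), i.e. the subject dominates the object."""
    return subject.dominates(obj)


def blp_can_write(read_obj: Label, write_obj: Label) -> bool:
    """*-property (no write-down): having read o, s may write p only if C(o) <= C(p)."""
    return write_obj.dominates(read_obj)


def biba_can_modify(subject: Label, obj: Label) -> bool:
    """Simple integrity: the subject's integrity label dominates the object's."""
    return subject.dominates(obj)


def biba_can_write_after_read(read_obj: Label, write_obj: Label) -> bool:
    """Integrity *-property: I(o) must dominate I(p); information flows downward only."""
    return read_obj.dominates(write_obj)


# Constructed sample labels for the demonstration.
TS_CRYPTO = Label("Top Secret", frozenset({"crypto"}))
S_CRYPTO = Label("Secret", frozenset({"crypto"}))
S_NUKE = Label("Secret", frozenset({"nuclear"}))
U = Label("Unclassified")

if __name__ == "__main__":
    print("Secret/crypto may read Unclassified:", blp_can_read(S_CRYPTO, U))
    print("Secret/crypto may read TS/crypto:", blp_can_read(S_CRYPTO, TS_CRYPTO))
    print("read TS/crypto then write Secret/crypto:", blp_can_write(TS_CRYPTO, S_CRYPTO))
```

Note how the BLP and Biba checks are the same dominance test with the roles of reader and writer swapped: confidentiality forbids flow downward, integrity forbids flow upward.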

Security Modeling III

Harrison-Ruzzo-Ullman Model:
- Commands, conditions, primitive operations.
- Protection system: subjects, objects, rights, commands.
- If commands are restricted to a single primitive operation each, it is decidable whether a given subject can ever obtain a given right to an object.
- If commands are not restricted to one operation each, it is not always decidable whether a given protection system can confer a given right.

Security Modeling III

Clark-Wilson Commercial Security Policy:
- Well-formed transaction
- Separation of duty

Security Features of Trusted Operating Systems
- User identification & authentication
- Mandatory access control
- Discretionary access control
- Object reuse protection (leakage, remanence)
- Complete mediation
- Trusted path
- Audit
- Audit log reduction
- Intrusion detection

Orange Book
- D: minimal protection
- C1/C2/B1: requiring security features common to commercial operating systems (Windows NT/2000: C2; Solaris: C2, B1)
- B2: precise proof of security of the underlying model and a narrative specification of the trusted computing base
- B3/A1: requiring more precisely proven descriptive and formal designs of the trusted computing base