Presentation is loading. Please wait.

Presentation is loading. Please wait.

6/22/20161 Computer Security Integrity Policies. 6/22/20162 Integrity Policies Commercial requirement differ from military requirements: the emphasis.

Published byEaster Bailey Modified over 8 years ago

Similar presentations

Presentation on theme: "6/22/20161 Computer Security Integrity Policies. 6/22/20162 Integrity Policies Commercial requirement differ from military requirements: the emphasis."— Presentation transcript:

1 6/22/20161 Computer Security Integrity Policies

2 6/22/20162 Integrity Policies Commercial requirement differ from military requirements: the emphasis is on integrity. – Lipner’s five requirements Users will not write their own programs Programmers will develop and test programs on a non production system. A special process must be followed to install a program from the development system onto the production system. This must be controlled and audited. Managers and auditors must have access to both the system state and log state.

3 6/22/20163 Integrity Policies Goals Separation of duties –If two or more steps are required to perform a critical function at least two people should perform the steps. Separation of function –Developers do not develop new programs on production systems –Developers do not process production data on production systems Auditing –Commercial systems emphasize recovery and accountability –Auditing involves analyzing systems to determine what actions took place and who was involved.

4 6/22/20164 Biba Integrity model Basically a mathematical dual of the Bell-LaPadula model. We have a subject set S, an object set O, a set of integrity levels I, and a relation  on I. Let i : S  O  I return the integrity level, Relations r : ability to read an object w : ability to write an object x : ability to execute a subject

5 6/22/20165 Information transfer path A Information transfer path is a sequence of objects o 1, …, o n+1 and a corresponding sequence of subject s 1, …, s n such that s j r o j and s j w o j+1 for all i

6 6/22/20166 Low-Water-Mark Policy 1.s  S can write to o  O iff i ( s )  i ( o ). 2.If s  S reads o  O then i ’ (s) = min( i ( s ), i ( o )), where i ’ ( s ) is the integrity level of s after the read. 3.s 1  S can execute s 2  S iff i ( s 1 )  i ( s 2 ). So write up is prevented (prevents implanting corrupted data) Integrity level drops on read access to lower level objects (prevents contaminating the subject: relying on less trustworthy data) execute up is prevented. (otherwise a less trusted invoker could control the execution of the invoked subject, corrupting it even though it is more trustworthy.)

7 6/22/20167 Low-Water-Mark Policy Theorem: If there is an information path from o 1  O to o n+1  O, then enforcement of the low-water-mark policy requires that i ( o n+1 )  i ( o 1 ) for all i > n. Proof The integrity level cannot go up. Proof by induction.

8 6/22/20168 Low-Water-Mark Policy Problem The integrity level of a subject is non-increasing, resulting in some subjects being eventually unable to access certain objects.

9 6/22/20169 Ring Policy This ignores indirect modifications and focuses on direct modifications. s  S can write to o  O iff i (s)  i (o). s  S can read any o  O. s 1  S can execute s 2  S iff i (s 1 )  i (s 2 ). Difference: Subjects can read any object.

10 6/22/201610 Biba’s strict integrity Policy 1.s  S can read o  O iff i (s)  i (o). 2.s  S can write to o  O iff i (s)  i (o). 3.s 1  S can execute s 2  S iff i (s 1 )  i ( s 2 ). So write up is prevented read down is prevented (prevents relying on less trustworthy data) execute up is prevented.

11 6/22/201611 Lipner’s Integrity Matrix Model Combines BLP and Biba Two basic Security levels Audit Manager (AM): system and management functions System Low (SL): any process can read info at this level. Five categories Development (D) -- production programs under development and testing, not in use yet Production Code (PC) -- production processes and programs Production Data (PD) – data covered by the integrity policy System Development (SD) – system programs under development / testing, not in use yet Software Tools (T) – programs provided on the production system not related to sensitive or protected data

12 6/22/201612 Lipner’s Integrity Matrix Model Users Clearance levels Ordinary users (SL, {PC,PD}) Application Developers (SL, {D,T}) System Programmers (SL, {SD,T}) System Managers & Auditors (AM, {D,PC,PD,ST,T}) System Controllers (SL, {D,PC,PD,ST,T}) and downgrade privileges.

13 6/22/201613 Reminder:The Bell-LaPadula model ss-property : ( s,o,p )  S  O  P satisfies the ss-property relative to the security level f iff one of the following holds: a.p = e or p = a b.( p = r or p = w ) and f c ( s ) dom f o ( o ) ). Also DAC!

14 6/22/201614 Reminder: The Bell-LaPadula model Define b ( s : p 1,…, p n ) to be the set of objects that s has access to. *-property : For each s  S the following hold: a.b ( s : a ) ≠   [  o  b ( s : a ) [ f c ( o ) dom f c ( s )] ] (write-up) b.b ( s : w ) ≠   [  o  b ( s : w ) [ f c ( o ) = f c ( s )] ] (equality for read) c.b ( s : r ) ≠   [  o  b ( s : r ) [ f c ( s ) dom f o ( o )] ] (read-down) Also DAC!

15 6/22/201615 Lipner’s Integrity Matrix Model Lipner’s model combines Biba and Bell-LaPadula. Bell-LaPadula model: ss - property * - property For example: an ordinary user can execute production code; if he needs to alter production data, the *-property dictates that the data be in (System Low, {Production Code, Production Data}).

16 6/22/201616 Lipner’s Integrity Matrix Model Objects Class Development code/test data (SL, {D,T}) Production code (SL, {PC}) Production data (SL, {PC,PD}) Software tools (SL, {T}) System programs (SL, {  }) System programs in modification (SL, {SD,T}) System and application logs (AM, {appropriate categories}) Logs are append only. By the *-property their class must dominate those of the subjects that write to them

17 6/22/201617 The Clark-Wilson (CW) Model This model addresses data integrity requirements for commercial applications, e.g. bank transactions. Integrity requirements are divided into, internal consistency: properties of the internal state that can be enforced by the computer system. external consistency: the relation of the internal state to the real world: enforced by means outside the system, e.g. auditing.

18 6/22/201618 The CW Model Integrity is enforced by, well formed transactions : data items can be manipulated only by a specific set of programs; users have access to programs rather than data items. separation of duties : users have to collaborate to manipulate data and collude to penetrate the system.

19 6/22/201619 The CW Model In the Clark-Wilson model Subjects must be identified and authenticated Objects can be manipulated only by a restricted set of programs Subjects can execute only a restricted set of programs, A proper audit log has to be maintained The system must be certified to work properly

20 6/22/201620 The CW Model In the Clark-Wilson model Data items are called Constrained Data Items (CDIs) Data items not subject to integrity controls are Unconstrained Data Items (UDIs) A set of integrity constraints constrain the values CDIs CDIs can only be manipulated by Transformation Procedures (TPs) The integrity of a state is checked by Integrity Verification Procedure (IVPs)

21 6/22/201621 The CW Model Security procedures are defined by five certification rules 1.Integrity Verification Procedures must ensure that all Constrained Data Items are in a valid state when the IVP is run. 2.Transformation Procedures must transform valid CDIs into valid CDIs. 3.The “allowed” access relations must meet the requirements imposed by the principle of separation of duty. 4. All TPs must write to an append-only CDI log. 5. Any TP that takes a UDI as input must either convert it into a CDI or reject it.

22 6/22/201622 The CW Model Integrity is enforced by four enforcement rules 1.The system must maintain and protect the certified relations: (TPi:CDIa,CDIb, … ) and ensure that only Transformation Procedures certified to run on a Constrained Data Item manipulate that CDI. 2.The system must maintain and protect the list of entries: (User,TPi:CDIa,CDIb, … ) specifying the TPs that users can execute. 3.The system must authenticate each user requesting to execute a TP. 4.Only the certifier of a TP may modify the respective entities associated with that TP. No certifier of a TP may have execute permission with respect to that entity.

Download ppt "6/22/20161 Computer Security Integrity Policies. 6/22/20162 Integrity Policies Commercial requirement differ from military requirements: the emphasis."

Similar presentations

TOPIC CLARK-WILSON MODEL Ravi Sandhu.

TOPIC CLARK-WILSON MODEL Ravi Sandhu.
CSC 405 Introduction to Computer Security

CSC 405 Introduction to Computer Security
CS691 – Chapter 6 of Matt Bishop

CS691 – Chapter 6 of Matt Bishop
Dan Fleck CS 469: Security Engineering

Dan Fleck CS 469: Security Engineering
CMSC 414 Computer (and Network) Security Lecture 12 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 12 Jonathan Katz.
Security Models and Architecture

Security Models and Architecture
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.

Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Lipner’s.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Lipner’s.
May 4, 2004ECS 235Slide #1 Biba Integrity Model Basis for all 3 models: Set of subjects S, objects O, integrity levels I, relation ≤  I  I holding when.

May 4, 2004ECS 235Slide #1 Biba Integrity Model Basis for all 3 models: Set of subjects S, objects O, integrity levels I, relation ≤  I  I holding when.
Verifiable Security Goals

Verifiable Security Goals
Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 September 18, 2003 Introduction to Computer Security.

Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 September 18, 2003 Introduction to Computer Security.
Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 7, 2004 Introduction to Computer Security Lecture.

Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 7, 2004 Introduction to Computer Security Lecture.
1 Clark Wilson Implementation Shilpa Venkataramana.

1 Clark Wilson Implementation Shilpa Venkataramana.
1 Integrity Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 22, 2004.

1 Integrity Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 22, 2004.
6/26/2015 6:12 PM Lecture 5: Integrity Models James Hook (Some materials from Bishop, copyright 2004) CS 591: Introduction to Computer Security.

6/26/2015 6:12 PM Lecture 5: Integrity Models James Hook (Some materials from Bishop, copyright 2004) CS 591: Introduction to Computer Security.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Similar presentations

Ads by Google