
Chap 4. Security Policies


1 Chap 4. Security Policies
Computational Theory Lab. Kim ki dong

2 Index
4.1 Security Policies
4.2 Types of Security Policies
4.3 The Role of Trust
4.4 Types of Access Control
4.5 Example: Academic Computer Security Policy
4.6 Summary

3 4.1 Security Policies
Consider a computer system to be a finite-state automaton with a set of transition functions that change state.
Definition 4-1. A security policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or nonsecure, states.
A security policy sets the context in which we can define a secure system. More precisely:
Definition 4-2. A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.

4 4.1 Security Policies
Figure 4-1. A simple finite-state machine. In this example, the authorized states are s1 and s2. This system is not secure, but if the edge from s1 to s3 were not present, the system would be secure.
Definition 4-3. A breach of security occurs when a system enters an unauthorized state.
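Definitions 4-1 to 4-3 reduce "is this system secure?" to a reachability question over the automaton, which the following added example (not from the slides) checks directly. The transition relation is constructed to match what the slide says about Figure 4-1: s1 and s2 are authorized, s3 is not, and the edge s1 -> s3 is the one that breaks security; the extra states and edges are assumptions for illustration.

```python
"""Added example: check Definition 4-2 (secure system) by reachability
over a finite-state automaton, and report the first breach (Definition 4-3)."""
from collections import deque

def reachable(transitions, start):
    """Every state reachable from `start` under the transition relation."""
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        for t in transitions.get(s, ()):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen

def is_secure(transitions, authorized, start):
    """Definition 4-2: starts in an authorized state and can never leave the
    authorized set, i.e. the reachable set is contained in `authorized`."""
    return start in authorized and reachable(transitions, start) <= authorized

def first_breach(transitions, authorized, start):
    """Shortest path from `start` to an unauthorized state (a breach,
    Definition 4-3), or None if the system is secure from `start`."""
    parent, queue = {start: None}, deque([start])
    while queue:
        s = queue.popleft()
        if s not in authorized:           # entered an unauthorized state
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for t in transitions.get(s, ()):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None

# Constructed model of Figure 4-1 (states beyond s1..s3 are assumptions).
AUTHORIZED = {"s1", "s2"}
FIGURE_4_1 = {"s1": ["s2", "s3"], "s2": ["s1"], "s3": ["s4"], "s4": []}
# The same machine with the offending edge s1 -> s3 removed.
FIXED = {"s1": ["s2"], "s2": ["s1"], "s3": ["s4"], "s4": []}

if __name__ == "__main__":
    print("Figure 4-1 secure:", is_secure(FIGURE_4_1, AUTHORIZED, "s1"))  # False
    print("breach path:", first_breach(FIGURE_4_1, AUTHORIZED, "s1"))    # ['s1', 's3']
    print("without s1->s3 secure:", is_secure(FIXED, AUTHORIZED, "s1"))   # True
```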

5 4.1 Security Policies
Three basic properties are relevant to security: confidentiality, integrity, and availability.
Definition 4-4. Let X be a set of entities and I be some information. I has the property of confidentiality with respect to X if no member of X can obtain information about I.
Definition 4-5. Let X be a set of entities and I be some information or a resource. I has the property of integrity with respect to X if all members of X trust I.

6 4.1 Security Policies
Definition 4-5 (continued): forms of integrity
Data integrity: the conveyance and storage of I do not change the information or its trustworthiness.
Origin integrity (authentication): if I is information about the origin of something, or about an identity, the members of X trust that the information is correct and unchanged.
Assurance: if I is a resource rather than information, integrity means that the resource functions correctly.
Definition 4-6. Let X be a set of entities and I be a resource. I has the property of availability with respect to X if all members of X can access I.

7 4.1 Security Policies
A security policy considers all relevant aspects of confidentiality, integrity, and availability.
Confidentiality: the leakage of rights, and the illicit transmission of information without leakage of rights (information flow). The policy must also handle dynamic changes of authorization.
Integrity: identifies the authorized ways in which information may be altered, and the entities authorized to alter it.
Availability: describes what services must be provided.

8 4.1 Security Policies
Definition 4-7. A security mechanism is an entity or procedure that enforces some part of the security policy.
Example. Policy: disallow the copying of homework. Mechanism: file access control.
Security policies are often implicit rather than explicit. This causes confusion, especially when the policy is defined in terms of the mechanism: some mechanisms may prevent a specific action while others allow it.

9 4.2 Types of Security Policies
Definition 4-9. A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
Definition 4-10. A commercial security policy is a security policy developed primarily to provide integrity.
Definition 4-11. A confidentiality policy is a security policy dealing only with confidentiality.
Definition 4-12. An integrity policy is a security policy dealing only with integrity.

10 4.3 The Role of Trust
A system administrator receives and installs a security patch. High-level assumptions:
1. The patch came from the vendor and was not tampered with in transit.
2. The vendor tested the patch thoroughly.
3. The vendor's test environment corresponds to her environment.
4. The patch is installed correctly.
Low-level assumptions: the important aspect is that formal verification provides a formal mathematical proof that a given program P is correct; that is, given any set of inputs i, j, k, the program P will produce the output x that its specification requires. Let S be a security-related program and O an operating system.

11 4.3 The Role of Trust
Trusting the verified program S still rests on four assumptions:
1. The formal verification of S is correct, that is, the proof has no errors.
2. The assumptions made in the formal verification of S are correct.
3. The program will be transformed into an executable whose actions correspond to those indicated by the source code.
4. The hardware will execute the program as intended.

12 4.4 Types of Access Control
A security policy may use two types of access controls. In one, access control is left to the discretion of the owner. In the other, the operating system controls access.
Definition 4-13. If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called an identity-based access control (IBAC).
Definition 4-14. When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC), occasionally called a rule-based access control.
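The distinction in Definitions 4-13 and 4-14 is easiest to see when both controls guard the same object: the owner may edit the discretionary ACL, but cannot change the system-imposed rule. The following added example (not from the slides) constructs that situation; the label ordering, users and object names are assumptions for illustration.

```python
"""Added example: a discretionary ACL (owner-managed) and a mandatory,
rule-based label check (system-managed) protecting the same object."""
from dataclasses import dataclass, field

# Mandatory labels in dominance order; assigned by the system, not by owners.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

@dataclass
class Obj:
    name: str
    owner: str
    label: str                                  # MAC label (Definition 4-14)
    acl: dict = field(default_factory=dict)     # DAC: user -> set of rights (4-13)

def dac_grant(obj, requester, user, right):
    """Discretionary control: only the owner may change the object's ACL."""
    if requester != obj.owner:
        raise PermissionError(f"{requester} does not own {obj.name}")
    obj.acl.setdefault(user, set()).add(right)
    return obj

def mac_allows(clearance, obj):
    """Mandatory rule the owner cannot override: the subject's clearance
    must dominate the object's label."""
    return LEVELS[clearance] >= LEVELS[obj.label]

def access(user, clearance, obj, right):
    """Access is granted only when both the mandatory rule and the
    discretionary ACL permit it."""
    return mac_allows(clearance, obj) and right in obj.acl.get(user, set())

def demo():
    """Owner alice grants bob read; MAC still denies bob until his clearance
    dominates the label, and carol is denied for lack of a DAC entry."""
    thesis = Obj("thesis.txt", owner="alice", label="secret")   # constructed
    dac_grant(thesis, "alice", "bob", "read")
    return {
        "bob_confidential": access("bob", "confidential", thesis, "read"),  # False
        "bob_secret": access("bob", "secret", thesis, "read"),              # True
        "carol_secret": access("carol", "secret", thesis, "read"),          # False
    }

if __name__ == "__main__":
    print(demo())
```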

13 4.4 Types of Access Control
Definition 4-15. An originator controlled access control (ORCON or ORGCON) bases access on the creator of an object (or the information it contains).

14 4.5 Example: Academic Computer Security Policy
The explicitness of a security policy depends on the environment in which it exists. A research lab or office environment may have an unwritten policy; a bank needs a very explicit policy.

15 4.5.1 General University Policy
This policy is an "Acceptable Use Policy" (AUP) for the Davis campus of the University of California. The policy:
presents the goals of campus computing;
states the responsibilities associated with the privilege of using campus computers;
states the intent underlying the rules.
Enforcement mechanisms: for minor violations, either the unit itself resolves the problem or formal warnings are given. For more serious infractions, the administration may take stronger action, such as denying access to campus computer systems.

16 4.5.1 General University Policy
In very serious cases, the university may invoke disciplinary action.

17 4.5.2 Electronic Mail Policy
The university has several auxiliary policies, which are subordinate to the general university policy. This one describes the constraints imposed on access to, and use of, electronic mail. The electronic mail policy consists of three parts: the electronic mail policy summary, the full policy, and the implementation at UC Davis.

18 4.5.2.1 Electronic Mail Policy Summary
Section 1 warns users that their electronic mail is not private, and that electronic mail can be forged or altered as well as forwarded.
Section 2: "think before you send; be courteous and respectful of others; and don't interfere with others' use of electronic mail." It emphasizes that supervisors have the right to examine employees' electronic mail that relates to the job.
Section 3: the policy concludes with a statement about its application.

19 4.5.2.2 The Full Policy
The full policy begins with a description of the context of the policy, as well as its purpose and scope. The scope here is far more explicit than that in the summary: this policy does not apply to printed copies of electronic mail.
The general provisions state that electronic mail services and infrastructure are university property. The policy reiterates that the university will apply principles of academic freedom and freedom of speech in its handling of electronic mail. If this is infeasible, the electronic mail may be read only as far as is needed to resolve the emergency, and then authorization must be secured after the fact.

20 4.5.2.2 The Full Policy (continued)
The policy defines legitimate and illegitimate uses of the university's electronic mail. It provides anonymity to senders provided that this does not violate laws or other policies. It also expressly permits the use of university facilities for sending personal electronic mail.

21 4.5.2.3 Implementation at UC Davis
Adds campus-specific requirements and procedures, e.g., "incidental personal use" is not allowed if it benefits a non-university organization. Allows the implementation to take into account differences between campuses, such as self-governance by the Academic Senate. Includes procedures for inspecting, monitoring, and disclosing contents, and for backups.

