Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 6 Integrity Policies

Published byDavid Nelson Modified over 6 years ago

Similar presentations

Presentation on theme: "Chapter 6 Integrity Policies"— Presentation transcript:

1 Chapter 6 Integrity Policies
An, Eunju Database Lab.

2 Requirement Lipner identifies five requirements :
Users will not write their own programs, but will use existing production programs and databases. separation of duty Programmers will develop and test programs on a nonproduction system. separation of function A special process must be followed to install a program from the development system onto the production system. Auditing The special process in requirement 3 must be controlled and audited. The managers and auditors must have access to both the system state and the system logs that are generated. Separation of duty. 예)개발장비에서 운영장비로 프로그램을 이관하는 경우 개발자가 프로그램을 개발하는 과정에서 타당하지 않은 코드를 생성했다고 가정하자 설치 과정에서는 이 프로그램이 정확하게 동작하는지를 증명할 필요가 있다 이 때 설치자가 개발자가 아닌 다른 사람일 경우에 에러가 더 잘 발견되는 경향이 있다 게빌자가 잘못된 프로그램으로 운영장비의 데이터를 파괴하고자 하는 경우 certifier가 corruption하는 코드를 발견하지 못하거나 개발자가 certifier여야 한다. 따라서 개발자와 certifier를 분리시키면 이의 위험이 줄어들 수 있다. Separation of function 예) 1.개발자는 운영환경에서 새로운 프로그램을 개발하지 않는다. 이는 운영되고 있는 데이터에 대해 가능한 threat 때문이다. 2.개발자는 개발환경에서 운영환경의 데이터에 접근할 수 없다. 데이터의 민감성 때문에 개발자나 테스터는 운영환경에서의 데이터를 받아야 한다. 그리고 개발환경은 실제 운영환경과 최대한 비슷해야 한다. Auditing

3 Biba Integrity Model Nature of the integrity of systems (in 1977, Biba) Basis for all 3 models: subjects S, objects O, integrity levels I min(I, I) → I returns lesser of integrity levels i(S or O) → I gives integrity level of object, subject r(S, O) : S can read O w(S, O) : S can write O x(S, S’) : S can execute S’

4 Rules Idea: only read-up and write-down
Dual of the Bell-Lapadula Model 1. s ∈ S can read o ∈ O iff i(s)≤i(o) 2. s ∈ S can write to o ∈ O iff i(o)≤i(s) 3. s1 ∈ S can execute s2 ∈ S iff i(s1)≤i(s2)

5 Intuition for Integrity Levels
The higher the level, the more confidence Program will execute correctly Data is accurate and/or reliable Relationship between integrity and trustworthiness ex) a higher level process is considered more “trustworthy” than lower level object Integrity levels are not security levels Limit the flow of information inhibit modification

6 Biba Integrity Model(Example)
LOCUS and Biba Goal: prevent untrusted software from altering data or other software Approach: make levels of trust explicit credibility rating based on estimate of software’s trustworthiness (0 untrusted, n highly trusted) trusted file systems contain executable files with the same credibility level Process has risk level or highest credibility level at which process can execute To execute programs at lower credibility level, must use run-untrusted command

7 Clark-Wilson Integrity Model
Integrity defined by a set of constraints Data in a consistent or valid state when it satisfies these Example: Bank D today’s deposits, W withdrawals, YB yesterday’s balance, TB today’s balance Integrity constraint: D + YB – W = TB Well-formed transaction move system from one consistent state to another

8 Entities CDIs: constrained data items UDIs: unconstrained data items
Data subject to integrity controls UDIs: unconstrained data items Data not subject to integrity controls IVPs: integrity verification procedures Procedures that test the CDIs conform to the integrity constraints TPs: transaction procedures Procedures that take the system from one valid state to another

9 Certification Rules 1 and 2
Defines relation certified that associates a set of CDIs with a particular TP Example: TP balance, CDIs accounts CR1 : When any IVP is run, it must ensure that all CDIs are in a valid state. CR2 : For some associated set of CDIs, a TP must transform those CDIs in a valid state into a (possibly different) valid state

10 Enforcement Rules 1 and 2 System must maintain, enforce certified relation System must also restrict access based on user ID (allowed relation) ER1 : The system must maintain the certified relations and must ensure that only TPs certified to run on a CDI manipulate that CDI. ER2 : The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user. The TP cannot access that CDI on behalf of a user not associated with that TP and CDI.

11 Users and Rules Authentication not required before use of the system, but is required before manipulation of CDIs (requires using TPs) CR3 : The allowed relations must meet the requirements imposed by the principle of separation of duty. ER3 : The system must authenticate each user attempting to execute a TP

12 Logging This CDI is the log Auditor needs to be able to determine what happened during reviews of transactions CR4 : All TPs must append enough information to reconstruct the operation to an append-only CDI.

13 Handling Untrusted Input
In bank, numbers entered at keyboard are UDIs, so cannot be input to TPs. TPs must validate numbers (to make them a CDI) before using them; if validation fails, TP rejects UDI CR5 : Any TP that takes as input a UDI may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI.

14 Separation of Duty Enforces separation of duty with respect to certified and allowed relations ER4 : Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of an entity associated with that TP, may ever have execute permission with respect to that entity.

15 UNIX Implementation phantom user Consider “allowed” relation (user, TP, { CDI set }) Each TP is owned by a different user These “users” are actually locked accounts, so no real users can log into them; but this provides each TPs a unique UID for controlling access rights TP is setuid to that user Each TP’s group contains set of users authorized to execute TP Each TP is executable by group, not by world

16 CDI Arrangement CDIs owned by root or some other unique user
Again, no logins to that user’s account allowed CDI’s group contains users of TPs allowed to manipulate CDI Now each TP can manipulate CDIs for single user

17 Examples Access to CDI constrained by user
– In “allowed” triple, TP can be any TP – Put CDIs in a group containing all users authorized to modify CDI Access to CDI constrained by TP – In “allowed” triple, user can be any user – CDIs allow access to the owner, the user owning the TP – Make the TP world executable

18 Problems 2 different users cannot use same copy of TP to access 2 different CDIs Need 2 separate copies of TP (one for each user and CDI set) TPs are setuid programs As these change privileges, want to minimize their number root can assume identity of users owning TPs, and so cannot be separated from certifiers No way to overcome this without changing nature of root

19 Satisfy the Requirements
Users can’t certify TPs, so CR5 and ER4 enforce this Procedural, so model doesn’t directly cover it; but special process corresponds to using TP No technical controls can prevent programmer from developing program on production system; usual control is to delete software tools

20 Comparison with the Requirements
TP does the installation, trusted personnel do certification CR4 provides logging; ER3 authenticates trusted personnel doing installation; CR5, ER4 control installation procedure New program UDI before certification, CDI (and TP) after Log is CDI, so appropriate TP can provide managers, auditors access Access to state handled similarly

21 Comparison with Biba Biba Clark-Wilson
Attaches Integrity level to objects, subjects objects : CDIs, UDIs Subjects : TPs, all others No certification rules: trusted subjects ensure actions obey rules Explicit rules: requirements that actions must meet Untrusted data examined before being made trusted Trusted entity must certify method to upgrade untrusted data (and not certify the data itself)

Download ppt "Chapter 6 Integrity Policies"

Similar presentations

TOPIC CLARK-WILSON MODEL Ravi Sandhu.

TOPIC CLARK-WILSON MODEL Ravi Sandhu.
CS691 – Chapter 6 of Matt Bishop

CS691 – Chapter 6 of Matt Bishop
Dan Fleck CS 469: Security Engineering

Dan Fleck CS 469: Security Engineering
CMSC 414 Computer (and Network) Security Lecture 12 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 12 Jonathan Katz.
Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.

Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Lipner’s.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Lipner’s.
May 4, 2004ECS 235Slide #1 Biba Integrity Model Basis for all 3 models: Set of subjects S, objects O, integrity levels I, relation ≤  I  I holding when.

May 4, 2004ECS 235Slide #1 Biba Integrity Model Basis for all 3 models: Set of subjects S, objects O, integrity levels I, relation ≤  I  I holding when.
Verifiable Security Goals

Verifiable Security Goals
Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 7, 2004 Introduction to Computer Security Lecture.

Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security1 October 7, 2004 Introduction to Computer Security Lecture.
1 Clark Wilson Implementation Shilpa Venkataramana.

1 Clark Wilson Implementation Shilpa Venkataramana.
1 Integrity Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 22, 2004.

1 Integrity Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 22, 2004.
6/26/2015 6:12 PM Lecture 5: Integrity Models James Hook (Some materials from Bishop, copyright 2004) CS 591: Introduction to Computer Security.

6/26/2015 6:12 PM Lecture 5: Integrity Models James Hook (Some materials from Bishop, copyright 2004) CS 591: Introduction to Computer Security.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
CS526Topic 21: Integrity Models1 Information Security CS 526 Topic 21: Integrity Protection Models.

CS526Topic 21: Integrity Models1 Information Security CS 526 Topic 21: Integrity Protection Models.
User Domain Policies.

User Domain Policies.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.
Sicurezza Informatica Prof. Stefano Bistarelli

Sicurezza Informatica Prof. Stefano Bistarelli
Lecture 7 Access Control

Lecture 7 Access Control

Similar presentations

Ads by Google