Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mandatory Access Control (MAC)

Published byFlorence Fowler Modified over 5 years ago

Similar presentations

Presentation on theme: "Mandatory Access Control (MAC)"— Presentation transcript:

1 Mandatory Access Control (MAC)
CS 5323 Mandatory Access Control (MAC) Prof. Ravi Sandhu Executive Director and Endowed Chair Lecture 8 © Ravi Sandhu World-Leading Research with Real-World Impact!

2 Denning’s Axioms for Information Flow
© Ravi Sandhu World-Leading Research with Real-World Impact!

3 Denning’s Axioms < SC, ,  > SC set of security classes
SC X SC flow relation (i.e., can-flow)  SC X SC -> SC class-combining operator © Ravi Sandhu World-Leading Research with Real-World Impact! 3

4 Denning’s Axioms < SC, ,  > SC is finite
 is a partial order on SC (i.e., reflexive, transitive, anti-symmetric) SC has a lower bound L such that L  A for all A  SC  is a least upper bound (lub) operator on SC Justification for 1 and 2 is stronger than for 3 and 4. In practice we may have a partially ordered set (poset). © Ravi Sandhu World-Leading Research with Real-World Impact! 4

5 Denning’s Axioms Imply
SC is a universally bounded lattice There exists a Greatest Lower Bound (glb) operator  (also called meet) There exists a highest security class H © Ravi Sandhu World-Leading Research with Real-World Impact! 5

6 reflexive and transitive edges are implied but not shown
Lattice Structures Hierarchical Classes Top Secret Secret Confidential Unclassified can-flow reflexive and transitive edges are implied but not shown © Ravi Sandhu World-Leading Research with Real-World Impact! 6

7 Lattice Structures Compartments and Categories {ARMY, CRYPTO} {ARMY }
{} © Ravi Sandhu World-Leading Research with Real-World Impact! 7

8 Lattice Structures Compartments and Categories {ARMY, NUCLEAR, CRYPTO}
{ARMY, CRYPTO} {NUCLEAR, CRYPTO} {ARMY} {NUCLEAR} {CRYPTO} {} © Ravi Sandhu World-Leading Research with Real-World Impact! 8

9 product of 2 lattices is a lattice
Lattice Structures Hierarchical Classes with Compartments {A,B} TS {A} {B} S {} product of 2 lattices is a lattice © Ravi Sandhu World-Leading Research with Real-World Impact! 9

10 product of 2 lattices is a lattice
Lattice Structures TS, {A,B} Hierarchical Classes with Compartments TS, {A} TS, {B} TS, {} S, {A,B} S, {A} S, {B} product of 2 lattices is a lattice S, {} © Ravi Sandhu World-Leading Research with Real-World Impact! 10

11 Smith’s Lattice TS-AKLQWXYZ TS-KLX TS-KY TS-KQZ TS-KL TS-W TS-X TS-X
TS-Q TS-Z TS-L TS-K TS-Y S-LW S-L TS S-W S-A S C U © Ravi Sandhu World-Leading Research with Real-World Impact! 11

12 Smith’s Lattice With large lattices a vanishingly small fraction of the labels will actually be used Smith's lattice: 4 hierarchical levels, 8 compartments number of possible labels = 4*2^8 = 1024 Only 21 labels are actually used (2%) Consider 16 hierarchical levels, 64 compartments which gives 10^20 labels © Ravi Sandhu World-Leading Research with Real-World Impact! 12

13 Extending a POSET to a Lattice
{A,B,C,D} {A,B,C} {A,B,D} {A,B,C} {A,B,D} {A,B} {A} {B} {A} {B} such extension is always possible {} © Ravi Sandhu World-Leading Research with Real-World Impact! 13

14 BLP Model for Confidentiality
© Ravi Sandhu World-Leading Research with Real-World Impact!

15 BLP Basic Assumptions SUB = {S1, S2, ..., Sm}, a fixed set of subjects
OBJ = {O1, O2, ..., On}, a fixed set of objects R = {r, w}, a fixed set of rights D, an m×n discretionary access matrix with D[i,j] ⊆ R M, an m×n current access matrix with M[i,j] ⊆ R © Ravi Sandhu World-Leading Research with Real-World Impact! 15

16 BLP Model (Liberal -Property)
Lattice of confidentiality labels p Static assignment of confidentiality labels SUB  OBJ  M, an m n current access matrix with r  M[i,j] r  D[i,j](Si) (Oj) simple security w  M[i,j] w  D[i,j](Si)  (Oj) liberal -property © Ravi Sandhu World-Leading Research with Real-World Impact! 16

17 BLP Model (Strict -Property)
Lattice of confidentiality labels p Static assignment of confidentiality labels SUB  OBJ  M, an m n current access matrix with r  M[i,j] r  D[i,j](Si) (Oj) simple security w  M[i,j] w  D[i,j](Si) = (Oj) strict -property © Ravi Sandhu World-Leading Research with Real-World Impact! 17

18 BLP vis a vis Lattices Unclassified Confidential Secret Top Secret
dominance can-flow © Ravi Sandhu World-Leading Research with Real-World Impact! 18

19 BLP vis a vis Lattices Unclassified Confidential Secret Top Secret
dominance can-flow it is risky to visualize lattices as total orders but it is ok sometimes © Ravi Sandhu World-Leading Research with Real-World Impact! 19

20 often 2 levels suffice to make the main point
BLP vis a vis Lattices H (High) L (Low) dominance can-flow often 2 levels suffice to make the main point © Ravi Sandhu World-Leading Research with Real-World Impact! 20

21 -Property Applies to subjects not to users
Users are trusted (must be trusted) not to disclose secret information outside of the computer system A user can login (create a subject) with any label dominated by the user’s clearance Subjects are not trusted because they may have Trojan Horses embedded in the code they execute -property prevents deliberate leakage and does not address inference covert channels Simple-security and -Property do not account for encryption © Ravi Sandhu World-Leading Research with Real-World Impact! 21

22 Biba Model for Integrity
© Ravi Sandhu World-Leading Research with Real-World Impact!

23 BLP Revisited HS (High Secrecy) LS (Low Secrecy) dominance  can-flow
© Ravi Sandhu World-Leading Research with Real-World Impact! 23

24 Biba Inverted Flow HI (High Integrity) LI (Low Integrity) dominance 
can-flow © Ravi Sandhu World-Leading Research with Real-World Impact! 24

25 Biba and BLP Aligned: BLP Style
HS (High Secrecy) LI (Low Integrity) LS (Low Secrecy) HI (High Integrity) dominance can-flow One-directional flow is the key point No need for opposite directions for confidentiality and integrity © Ravi Sandhu World-Leading Research with Real-World Impact! 25

26 Biba and BLP Aligned: Biba Style
LS (Low Secrecy) HI (High Integrity) HS (High Secrecy) LI (Low Integrity) dominance can-flow One-directional flow is the key point No need for opposite directions for confidentiality and integrity © Ravi Sandhu World-Leading Research with Real-World Impact! 26

27 BLP-Biba Unified Lattice: BLP Style
HS LS LI HI BLP BIBA HS, LI HS, HI LS, LI LS, HI Unified dominance can-flow © Ravi Sandhu World-Leading Research with Real-World Impact! 27

28 BLP versus Biba BLP and Biba are fundamentally equivalent and interchangeable Lattice-based access control is a mechanism for enforcing one-way information flow, which can be applied to confidentiality or integrity goals We will use the BLP formulation: high confidentiality, low integrity at the top low confidentiality, high integrity at the bottom © Ravi Sandhu World-Leading Research with Real-World Impact! 28

29 The Chinese Wall Lattice
for Separation of Duty © Ravi Sandhu World-Leading Research with Real-World Impact!

30 Mixture of free choice (discretionary) and mandatory controls
Chinese Wall Policy A commercial security policy for separation of duty driven confidentiality Mixture of free choice (discretionary) and mandatory controls Requires some kind of dynamic labelling © Ravi Sandhu World-Leading Research with Real-World Impact! 30

31 CONFLICT OF INTEREST CLASSES
Chinese Wall Policy ALL OBJECTS CONFLICT OF INTEREST CLASSES COMPANY DATASETS A consultant can access information about at most one company in each conflict of interest class INDIVIDUAL OBJECTS © Ravi Sandhu World-Leading Research with Real-World Impact! 31

32 Chinese Wall Example BANKS OIL COMPANIES A B X Y
© Ravi Sandhu World-Leading Research with Real-World Impact! 32

33 Chinese Wall Lattice SYSHIGH A, X A, Y B, X B, Y A, - -, X -, Y B, -
SYSLOW © Ravi Sandhu World-Leading Research with Real-World Impact! 33

34 Conclusion World-Leading Research with Real-World Impact!
© Ravi Sandhu World-Leading Research with Real-World Impact!

35 MAC or LBAC or BLP (or Biba)
BLP enforces one-directional information flow in a lattice of security labels BLP can enforce one-directional information flow policies for Confidentiality Integrity Separation of duty Combinations thereof Enforcement Policy © Ravi Sandhu World-Leading Research with Real-World Impact! 35

36 Covert Channels World-Leading Research with Real-World Impact!
© Ravi Sandhu World-Leading Research with Real-World Impact!

37 Covert Channels A covert channel is a communication channel based on the use of system resources not normally intended for communication between subjects (processes) © Ravi Sandhu World-Leading Research with Real-World Impact! 37

38 Information is leaked unknown to the high user
Covert Channels High Trojan Horse Infected Subject High User Information is leaked unknown to the high user COVERT CHANNEL Low Trojan Horse Infected Subject Low User © Ravi Sandhu World-Leading Research with Real-World Impact! 38

39 Information is leaked unknown to the high user
Covert Channels High Trojan Horse Infected Subject High User Information is leaked unknown to the high user COVERT CHANNEL Low Trojan Horse Infected Subject Low User -property prevents overt leakage of information and does not address covert channels © Ravi Sandhu World-Leading Research with Real-World Impact! 39

40 Information is leaked unknown to the User 1
Side Channels User 1’s Subject User 1 Information is leaked unknown to the User 1 SIDE CHANNEL User 2’s Trojan Horse Infected Subject User 2 © Ravi Sandhu World-Leading Research with Real-World Impact! 40

41 Covert Channels versus Side Channels
Covert channels require a cooperating sender and receiver Side channels do not require a sender but nevertheless information is leaked to a receiver © Ravi Sandhu World-Leading Research with Real-World Impact! 41

42 Coping with Covert/Side Channels
Identify the channel close the channel or slow it down detect attempts to use the channel tolerate its existence © Ravi Sandhu World-Leading Research with Real-World Impact! 42

43 Storage Channels Also known as Resource Exhaustion Channels
Given 5GB pool of dynamically allocated memory HIGH PROCESS (sender) bit = 1 Þ request 5GB of memory bit = 0 Þ request 0GB of memory LOW PROCESS (receiver) request 5GB of memory if allocated then bit = 0 otherwise bit = 1 © Ravi Sandhu World-Leading Research with Real-World Impact! 43

44 Timing Channels Also known as Load Sensing Channels
Given 5GB pool of dynamically allocated memory HIGH PROCESS (sender) bit = 1 Þ enter computation intensive loop bit = 0 Þ go to sleep LOW PROCESS (receiver) perform a task with known computational requirement if completed promptly then bit = 0 otherwise bit = 1 © Ravi Sandhu World-Leading Research with Real-World Impact! 44

Download ppt "Mandatory Access Control (MAC)"

Similar presentations

Access Control Prof. Ravi Sandhu Executive Director and Endowed Chair

Access Control Prof. Ravi Sandhu Executive Director and Endowed Chair
George Mason University

George Mason University
ACCESS-CONTROL MODELS

ACCESS-CONTROL MODELS
LECTURE 1 ACCESS CONTROL Ravi Sandhu.

LECTURE 1 ACCESS CONTROL Ravi Sandhu.
11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina.

11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina.
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Multilevel Security (MLS) Database Security and Auditing.

Multilevel Security (MLS) Database Security and Auditing.
Lecture 8 Access Control (cont)

Lecture 8 Access Control (cont)
Vinay Kumar Madhadi 10/28/2009 CSC-8320. Outline  Part 1 : Mandatory Flow Control Models? MAC vs. DAC Information Flow Control  Part 2 : Different Models-Lattice.

Vinay Kumar Madhadi 10/28/2009 CSC Outline  Part 1 : Mandatory Flow Control Models? MAC vs. DAC Information Flow Control  Part 2 : Different Models-Lattice.
1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013

1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013
1 COVERT CHANNELS Ravi Sandhu. 2 COVERT CHANNELS A covert channel is a communication channel based on the use of system resources not normally intended.

1 COVERT CHANNELS Ravi Sandhu. 2 COVERT CHANNELS A covert channel is a communication channel based on the use of system resources not normally intended.
COEN 150: Intro to IA Authorization.

COEN 150: Intro to IA Authorization.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Verifiable Security Goals

Verifiable Security Goals
Sicurezza Informatica Prof. Stefano Bistarelli

Sicurezza Informatica Prof. Stefano Bistarelli
User Domain Policies.

User Domain Policies.
1 TOPIC THE CHINESE WALL LATTICE Ravi Sandhu. 2 CHINESE WALL POLICY Example of a commercial security policy for confidentiality Mixture of free choice.

1 TOPIC THE CHINESE WALL LATTICE Ravi Sandhu. 2 CHINESE WALL POLICY Example of a commercial security policy for confidentiality Mixture of free choice.
7/15/2015 5:04 PM Lecture 4: Bell LaPadula James Hook CS 591: Introduction to Computer Security.

7/15/2015 5:04 PM Lecture 4: Bell LaPadula James Hook CS 591: Introduction to Computer Security.
Mandatory Flow Control Bismita Srichandan. Outline Mandatory Flow Control Models Information Flow Control Lattice Model Multilevel Models –The Bell-LaPadula.

Mandatory Flow Control Bismita Srichandan. Outline Mandatory Flow Control Models Information Flow Control Lattice Model Multilevel Models –The Bell-LaPadula.

Similar presentations

Ads by Google