Presentation is loading. Please wait.

Presentation is loading. Please wait.

Confidentiality Models

Published byJemimah Allison Modified over 5 years ago

Similar presentations

Presentation on theme: "Confidentiality Models"— Presentation transcript:

1 Confidentiality Models
CSCI Fall 2006 GWU Draws extensively from: Memon’s notes, Brooklyn Poly Pfleeger Text, Chapter 5 Bishop’s text, Chapter 5, Bishop’s slides, Chapter 5

2 Types of Security Policies
A military security policy (also called government security policy) is a security policy developed primarily to provide confidentiality. Not worrying about trusting the object as much as disclosing the object A commercial security policy is a security policy developed primarily to provide a combination of confidentiality and integrity. Focus on how much the object can be trusted. Also confidentiality policy and integrity policy. 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

3 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
Security Models To formulate a security policy you have to describe entities it governs and what rules constitute it – a security model does just that! A security model is a model that represents a particular policy or set of policies. Used to: Describe or document a policy Test a policy for completeness and consistency Help conceptualize and design an implementation Check whether an implementation meets requirements. 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

4 Military Security Policy
Heirarchy of sensitivities, e.g.: top secret > secret > confidential > restricted > unclassified Compartments, e.g: Iraq, WMDs, Crypto, non-proliferation, RSA, India, Israel Pieces of Information held by US military, e.g.: Saddam’s location, India’s and Israels’ nuclear capability, security of RSA, published information on RSA, the names of Israel’s cabinet ministers Classify above pieces of information into their classes: <rank; compartments> 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

5 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
Example from Pfleeger User cleared for: <secret: {dog, cat, pig}> has access to? <top secret; {dog}> <secret; {dog}> <secret; {dog, cow}> <secret; {moose}> <confidential; {dog, pig, cat}> <confidential; {moose}> 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

6 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
Example Top Secret (TS) | Secret (S) Confidential (C) Unclassified (UC) John Flynn | Monique Tronchin Dianne Martin Bhagi Narahari Strategic Files | Personnel Files Student Files Class Files A basic confidentiality classification system. Security Levels, Subjects, Objects What is the Information Flow? 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

7 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
Domination Subject s cleared for class <ranks; compartmentss> and Object o is in class <ranko; compartmentso> o dom s iff ranks  ranko and compartmentss  compartmentso o dominates s Military Security Policy: Subject has access to Object iff Subject dominates Object 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

8 The Bell-La Padula (BLP) Model
Formal description of allowable paths of information flow in a secure system, in particular, military security policy – confidentiality. Set of subjects S and objects O. Each subject s in S and o in O has a fixed security class Security classes are ordered by a relation dom Combines mandatory and discretionary access control. 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

9 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
Examples Consider the subjects: President of the USA Prime Minister of Israel Saddam Hussein Bin Laden Assess their Domination Access wrt the previous examples 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

10 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
BLP – Simple Version Information flows up, not down “Reads up” disallowed, “reads down” allowed Simple Security Property: A subject s may have read access to an object o if and only if s dom o 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

11 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
BLP – Simple Version Information flows up, not down “Writes down” disallowed, “writes up” allowed *-Property: A subject s who has read access to an object o may have write access to an object p only if p dom o (Contents of a sensitive object can only be written to objects at least as high.). 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

12 BLP – Simple Version (Contd.)
Basic Security Theorem: Let  be a system with a secure initial state 0 and let T be a set of transformations. If every element of T preserves the simple security property and *-property, then every state i i 0 is secure. 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

13 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
Problem Colonel has (Secret, {NUC, EUR}) clearance Major has (Secret, {EUR}) clearance Major can talk to colonel (“write up” or “read down”) Colonel cannot talk to major (“read up” or “write down”) Clearly absurd! 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

14 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
Solution Define maximum, current levels for subjects maxlevel(s) dom curlevel(s) Example Treat Major as an object (Colonel is writing to him/her) Colonel has maxlevel (Secret, { NUC, EUR }) Colonel sets curlevel to (Secret, { EUR }) Now L(Major) dom curlevel(Colonel) Colonel can write to Major without violating “no writes down” Does L(s) mean curlevel(s) or maxlevel(s)? Formally, we need a more precise notation: we won’t go much further 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

15 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
Partial Ordering A partial ordering is a relation  that is reflexive, transitive and anti-symmetric Reflexive – a  a Transitive – If a  b and b  c, then a  c. Anti-symmetric – If a  b and b  a, then a = b. Example: Child of? Sibling of? Identical genetic content? Subset of  ? Divisor of ? Less than equal to  ? dom? 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

16 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
Lattices A lattice is a collection of tuples (x, y) from a set X where both x and y belong to set A and x  y. Every tuple in the lattice has a greatest upper bound. Every tuple has a least lower bound. Note that not all tuples that can be formed from elements in X belong to the lattice. That is some elements are not comparable (partial ordering). 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

17 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
Examples Using the following partial orders, define lattices Subset of  ? Divisor of ? Less than equal to  ? 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

18 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
Lattice - Example G Is B G? Is B E? E F D A B C H J 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

19 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
BLP Example: Let NUC, EUR and US be categories. Sets of categories are Null, {NUC}, {EUR}, {US}, {NUC, US}, {NUC, EUR}, {EUR, US} and {NU, EUR, US}. George is cleared for (TOP SECRET, {NUC, US}) A document may be classified as (CONFIDENTIAL, {EUR}). 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

20 CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set
Example Lattice {NUC, EUR, US} {NUC, US} {EUR, US} {NUC, EUR}, {NUC} {EUR}, {US} The set of categories form a lattice under the subset operation 1/16/2019 CS /Fall06/GWU/Vora Some slides from Bishop's slide set

Download ppt "Confidentiality Models"

Similar presentations

George Mason University

George Mason University
ACCESS-CONTROL MODELS

ACCESS-CONTROL MODELS
11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina.

11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina.
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
Lecture 8 Access Control (cont)

Lecture 8 Access Control (cont)
I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University.

I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.

Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.

1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.

Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
April 20, 2004ECS 235Slide #1 DG/UX System Provides mandatory access controls –MAC label identifies security level –Default labels, but can define others.

April 20, 2004ECS 235Slide #1 DG/UX System Provides mandatory access controls –MAC label identifies security level –Default labels, but can define others.
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
Sicurezza Informatica Prof. Stefano Bistarelli

Sicurezza Informatica Prof. Stefano Bistarelli
User Domain Policies.

User Domain Policies.
7/15/2015 5:04 PM Lecture 4: Bell LaPadula James Hook CS 591: Introduction to Computer Security.

7/15/2015 5:04 PM Lecture 4: Bell LaPadula James Hook CS 591: Introduction to Computer Security.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

Similar presentations

Ads by Google