Computer Security Confidentiality Policies

Presentation on theme: "Computer Security Confidentiality Policies"— Presentation transcript:

1 Computer Security Confidentiality Policies
5/11/2019

2 Confidentiality Policies
A confidentiality policy, or information flow policy, prevents unauthorized disclosure of information.

3 The Bell-LaPadula model
Confidentiality, in its simplest form, can be achieved by using a set of security clearances arranged, say, linearly (hierarchically):
Top secret (TS): personnel files; cleared subjects Alice, Bob
Secret (S): electronic mail files; Sally, Cindy
Confidential (C): activity log files; Claire, David
Unclassified (UC): telephone list files; Joe Bloggs

4 The Bell-LaPadula model
Let L(S) = l_S be the security clearance of subject S and L(O) = l_O be the security classification of object O.
Simple Security Property (ss-property), preliminary version: S can read O iff l_O ≤ l_S (MAC) and S has discretionary read access to O (DAC).
*-Property (star property), preliminary version: S can write O iff l_S ≤ l_O (MAC) and S has discretionary write access to O (DAC).

5 Secure Systems
A system S is secure if all its states satisfy the ss-property and the *-property.
Theorem (Basic Security Theorem, preliminary version). Let S be a system with secure initial state s0, and let T be the set of its state transformations. If every element of T preserves the ss- and *-properties, then S is secure.

6 Extending the model
Extend the structure of the security clearances by using a lattice instead of a hierarchical (linear) structure. This model uses categories: objects are placed in multiple categories, and sets of categories are added to each security classification. Categories arise from the "need-to-know" principle.

7 An example of a lattice: the set of subsets of {a,b,c}, ordered by set inclusion
{a,b,c}
{a,b} {b,c} {a,c}
{a} {b} {c}
{} (the empty set)

8 A lattice for the categories NUC, EUR and US
{NUC, EUR, US}
{NUC, EUR} {EUR, US} {NUC, US}
{NUC} {EUR} {US}
{} (the empty compartment)

9 An example, continued
Let H = {TS, S, SC, UC} be a set of classifications with a hierarchical ordering. Take a set of categories {NUC, EUR, US}. A compartment is a set of categories. A security label is a pair (L, C), where L ∈ H is the security level and C is a compartment.

10 An example, continued
The partial ordering is defined by:
(L, C) dom (L', C') if and only if L ≥ L' and C ⊇ C'. We say that (L, C) dominates (L', C').
Example: (S, {NUC, EUR}) dom (UC, {NUC}).

11 A sublattice of the partial ordering
{TS; NUC, EUR, US}
{S; NUC, EUR} {S; NUC, US} {S; EUR, US}
{UC; NUC} {UC; EUR} {UC; US}
(the full lattice has 4 × 8 = 32 nodes)

12 Examples
Suppose George is cleared into security level (S, {NUC, EUR}), DocA is classified (UC, {NUC}), DocB is classified (UC, {EUR, US}) and DocC is classified (S, {EUR}). Then George dom DocA and George dom DocC, but not George dom DocB (DocB's compartment contains US, which George's does not).
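Added example, not from the slides: the dominance relation of slides 10 and 12 in Python, extended to enumerate the full 32-node lattice of slide 11, check that dom is a partial order on it, and compute the least upper bound of two labels. The level names, their ordering and the labels george, doc_a, doc_b and doc_c come from the slides; `all_labels`, `join` and `is_partial_order` are this example's own helpers.

```python
from itertools import combinations

# Hierarchical levels of slide 9 (the slide writes the third level "SC"),
# lowest first, and the three categories of slide 8.
LEVELS = ["UC", "SC", "S", "TS"]
CATEGORIES = ["NUC", "EUR", "US"]

def label(level, *cats):
    """A security label (L, C): L in H, C a compartment (a set of categories)."""
    if level not in LEVELS or not set(cats) <= set(CATEGORIES):
        raise ValueError(f"unknown level or category in {(level, cats)}")
    return (level, frozenset(cats))

def dom(x, y):
    """(L,C) dom (L',C') iff L >= L' in H and C is a superset of C'."""
    return LEVELS.index(x[0]) >= LEVELS.index(y[0]) and x[1] >= y[1]

def all_labels():
    """The full lattice of slide 11: every (level, compartment) pair, 4 x 8 = 32."""
    return [label(lv, *c) for lv in LEVELS
            for n in range(len(CATEGORIES) + 1)
            for c in combinations(CATEGORIES, n)]

def join(x, y):
    """Least upper bound: the lowest label that dominates both x and y."""
    top = max(LEVELS.index(x[0]), LEVELS.index(y[0]))
    return (LEVELS[top], x[1] | y[1])

def is_partial_order(labels):
    """Check that dom is reflexive, antisymmetric and transitive on `labels`."""
    for a in labels:
        if not dom(a, a):
            return False
        for b in labels:
            if dom(a, b) and dom(b, a) and a != b:
                return False
            for c in labels:
                if dom(a, b) and dom(b, c) and not dom(a, c):
                    return False
    return True

# Constructed from slide 12: George's clearance and the three documents.
george = label("S", "NUC", "EUR")
doc_a = label("UC", "NUC")
doc_b = label("UC", "EUR", "US")
doc_c = label("S", "EUR")
```

George and DocB are incomparable in either direction, which is exactly why the ordering is partial rather than linear.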

13 Bell-LaPadula (BLP) Model
BLP structure: combines access permission matrices (for access control), a security lattice (for security levels) and an automaton (for access operations). Security policies are reduced to relations in the BLP structure.

14 BLP Model
A set of subjects S
A set of objects O
A set of access operations A = {execute, read, append, write}
A set L of security levels, with a partial ordering.

15 The Bell-LaPadula model (general case)
Simple Security Condition (ss-condition): S can read O iff S dom O (MAC) and S has discretionary read access to O (DAC).
*-Condition (star condition), preliminary version: S can write O iff O dom S (MAC) and S has discretionary write access to O (DAC).

16 Secure Systems
Theorem (Basic Security Theorem). Let S be a system with secure initial state s0, and let T be the set of its state transformations. If every element of T preserves the ss- and *-conditions, then S is secure.

17 Formal model
S = set of subjects
O = set of objects
P = set of rights: r (read), a (write), w (read/write), e (empty) (= execute in BLP)
M = set of possible ACMs
L = C × K, the lattice of security levels, where C = set of clearances and K = set of categories
F = set of triples (fs, fo, fc), where fs and fc associate to each subject a maximum and a current security level respectively, and fo associates with each object a security level.

18 Formal model
Objects may be organized as a set of hierarchies (trees and single nodes). Let H = {h : O → P(O)} represent the set of hierarchy functions. For oi, oj, ok ∈ O we require that:
If oi ≠ oj, then h(oi) ∩ h(oj) = ∅.
There is no set {o1, o2, …, ok} ⊆ O such that for each i = 1, 2, …, k, oi+1 ∈ h(oi) and ok+1 = o1.

19 Formal model
An example of a set of hierarchies (figure not reproduced in the transcript).

20 Formal model
A state v ∈ V of the system is a 4-tuple (b, m, f, h), where
b = {(s, o, p)} ∈ P(S × O × P) indicates which subjects have access to which objects and what the rights are
m ∈ M is the ACM for the current state
f ∈ F is the triple indicating the current subject and object clearances and categories
h ∈ H is the hierarchy of objects for the current state

21 Formal model
The history of a system as it executes.
R denotes the set of requests.
D denotes the set of outcomes (decisions).
W ⊆ R × D × V × V, with elements (r, d, v, v'), is the set of actions of the system, moving the system from one state (in V) to the next one.
Let N be the set of positive integers (representing time).
X = R^N are sequences of requests x (a tuple)
Y = D^N are sequences of decisions y (a tuple)
Z = V^N are sequences of states z (a tuple)
We interpret this as follows: at some point in time t ∈ N,
the system is in state z_{t-1};
a subject makes a request x_t;
the system makes a decision y_t;
the system transitions into a possibly new state z_t.

22 Formal model
A system S is represented by an initial state and a sequence of requests, decisions and corresponding states. Formally:
S(R, D, W, z0) ⊆ X × Y × Z, with z0 the initial state.
Furthermore, (x, y, z) ∈ S(R, D, W, z0) iff (x_t, y_t, z_t, z_{t-1}) ∈ W for all t ∈ N.

23 An example
See textbook p. 133.

24 The Bell-LaPadula model
ss-property: (s, o, p) ∈ S × O × P satisfies the ss-property relative to the security level f iff one of the following holds:
p = e or p = a;
p = r or p = w, and fc(s) dom fo(o).
A system satisfies the ss-property if all its states satisfy it.

25 The Bell-LaPadula model
ss-property: in other words, a subject can read an object, or read and write to it, only if it dominates it.

26 The Bell-LaPadula model
Define b(s: p1, …, pn) to be the set of objects that s has access to with one of the rights p1, …, pn.
*-property: a state satisfies the *-property iff for each s ∈ S the following hold:
b(s:a) ≠ ∅ ⇒ [∀o ∈ b(s:a) [fo(o) dom fc(s)]]   "write-up" (1)
b(s:w) ≠ ∅ ⇒ [∀o ∈ b(s:w) [fo(o) = fc(s)]]   "equality for read/write"
b(s:r) ≠ ∅ ⇒ [∀o ∈ b(s:r) [fc(s) dom fo(o)]]   "read-down"
(1) N.B. Should be write-same-or-up, or better, not-write-down.

27 The Bell-LaPadula model
*-property: in other words, a state satisfies the *-property if for each s ∈ S:
s can write to an object o only if the object's classification dominates the subject's clearance (write-up);
s can also read (read/write) o if its classification is the same as the clearance level (equality for read/write).

28 The Bell-LaPadula model
ds-property: a state v = (b, m, f, h) satisfies the discretionary security property (ds-property) iff ∀(s, o, p) ∈ b we have p ∈ m[s, o].
A system is secure if all its states satisfy the ss-property, the *-property and the ds-property.

29 The Bell-LaPadula model
Basic Security Theorem: S(R, D, W, z0) is a secure system if it satisfies the ss-property, the *-property and the ds-property.
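Added example, not part of the slides: the ss-, *- and ds-properties of slides 24 to 28 checked over a BLP state (b, m, f) in Python, with a `run` function that grants a request only when the resulting state still satisfies all three, which is what the Basic Security Theorem asks of every transition. The subjects, objects, levels and ACM are constructed for the example; the hierarchy h is left out because none of the three properties depends on it.

```python
# Hierarchical levels of slide 9, lowest first (the slide writes the third "SC").
LEVELS = {"UC": 0, "SC": 1, "S": 2, "TS": 3}

def dom(x, y):
    """(L,C) dom (L',C') iff L >= L' in H and C is a superset of C'."""
    return LEVELS[x[0]] >= LEVELS[y[0]] and x[1] >= y[1]

def violations(b, m, f):
    """Names of the properties violated by state (b, m, f): b = current accesses
    {(s, o, p)}, m[s][o] = discretionary rights, f = (fs, fo, fc) as on slide 17."""
    fs, fo, fc = f
    bad = set()
    for s, o, p in b:
        if p in ("r", "w") and not dom(fc[s], fo[o]):
            bad.add("ss")          # ss-property: r or w needs fc(s) dom fo(o)
            if p == "r":
                bad.add("*")       # read-down is also part of the *-property
        if p == "a" and not dom(fo[o], fc[s]):
            bad.add("*")           # "write-up": no write-down
        if p == "w" and fo[o] != fc[s]:
            bad.add("*")           # equality for read/write
        if p not in m.get(s, {}).get(o, set()):
            bad.add("ds")          # ds-property: access must be in the ACM
    return bad

def run(state, requests):
    """Decide each request (s, o, p): grant it only if the state it would produce
    is still secure; a refused request leaves the state unchanged."""
    decisions = []
    for s, o, p in requests:
        b, m, f = state
        candidate = (b | {(s, o, p)}, m, f)
        bad = violations(*candidate)
        decisions.append("yes" if not bad else "no:" + ",".join(sorted(bad)))
        if not bad:
            state = candidate
    return decisions, state

# Constructed instance: three objects, two subjects, an ACM granting every
# discretionary right except bob's on "mail", and an empty initial access set.
fo = {"mail": ("S", frozenset({"NUC"})), "log": ("UC", frozenset()),
      "plan": ("TS", frozenset({"NUC", "EUR"}))}
fc = {"alice": ("S", frozenset({"NUC"})), "bob": ("S", frozenset({"NUC"}))}
m = {s: {o: {"r", "w", "a", "e"} for o in fo} for s in fc}
m["bob"]["mail"] = set()
INITIAL = (frozenset(), m, (dict(fc), fo, fc))
REQUESTS = [("alice", "mail", "r"), ("alice", "mail", "w"),  # yes, yes
            ("alice", "plan", "r"), ("alice", "log", "a"),   # no (ss and *), no (*)
            ("alice", "plan", "a"), ("bob", "mail", "r")]    # yes, no (ds)
```

Because every granted transition is re-checked against the full property set, the sequence of states produced by `run` from a secure initial state stays secure, which is the inductive step of the theorem.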

30 Example model instantiation: Multics
The Multics system: there are five groups of rules.
A set of requests R1: to request and release access
A set of requests R2: to give access to, and remove access from, a different subject
A set of requests R3: to create and reclassify objects
A set of requests R4: to remove objects
A set of requests R5: to change a subject's security level

31 Tranquility
Principle of tranquility: subjects and objects may not change their security levels once they have been instantiated.
Principle of strong tranquility: no change during the lifetime of the system.
Principle of weak tranquility: security levels do not change in a way that violates the rules of a given security policy (for BLP: the ss-, *- and ds-properties).

32 McLean's System Z
McLean reformulated the notion of a secure action and defined an alternative version of the ss-, *- and ds-properties. Roughly, a system S satisfies these properties if, given a state of S that satisfies them, the action transforms the state into a possibly new state that also satisfies them and eliminates any accesses present in the transformed state of S that would violate the initial state.

33 McLean's System Z
Theorem. S is secure if its initial state is secure and if each action satisfies the alternative versions of the ss-, *- and ds-properties.

