Security Policy What is a security policy? –Defines what it means for a system to be secure Formally: Partition system into –Secure (authorized) states.


1 Security Policy What is a security policy? –Defines what it means for a system to be secure Formally: Partition system into –Secure (authorized) states –Non-secure (unauthorized) states Secure system: –Starts in authorized state –Can’t enter unauthorized state

2 Additional Definitions: Breach of security –Transition causing system to enter unauthorized state Let X be a set of entities, I be information. –I has confidentiality with respect to X if no member of X can obtain information on I –I has integrity with respect to X if all members of X trust I –I has availability with respect to X if all members of X can access I Security Policy defines all of the above –Now just need to define obtain, trust, access

3 Confidentiality Policy What does “obtain” information mean? Formally: information flow –Transfer of rights –Transfer of information without transfer of rights Model often depends on trust –Parts of system where information could flow –Trusted entity must participate to enable flow Highly developed in Military/Government

4 Integrity Policy Defines how information can be altered –Entities allowed to alter data –Conditions under which data can be altered –Limits to change of data Examples: –Purchase over $1000 requires signature –Check over $10,000 must be signed by two officers Separation of duties Highly developed in commercial world

5 Availability Policy Defines what it means for information to be accessible –Time limits (quality of service) –Access methods On-line access vs. telephone vs. mail Integrity and availability may interrelate –Fast old copy vs. slow current version

6 Security Mechanism Policy describes what is allowed Mechanism enforces (part of) policy The two need not be the same! Example Policy: Students should not copy homework –Mechanism: Disallow access to files owned by other users Does mechanism enforce policy? –Is mechanism too strict?

7 Security Model Security Policy: What is/isn’t authorized Problem: Policy specification often informal –Implicit vs. Explicit –Ambiguity Security Model: Model that represents a particular policy (policies) –Model must be explicit, unambiguous

8 Trust Trusted Entity –Entity that can violate security What are typical Trusted Entities? –People with access to information –System developers –Hardware –? Where does it end?

9 Common Mechanisms: Access Control Discretionary Access Control (DAC) –Owner determines access rights –Typically identity-based access control: Owner specifies other users who have access Mandatory Access Control (MAC) –Rules specify granting of access –Also called rule-based access control Originator Controlled Access Control (ORCON) –Originator controls access –Originator need not be owner! Role Based Access Control (RBAC) –Identity governed by role user assumes

10 Policy Languages Security Policy isn’t enough –Need to express it to get Policy Model Policy Language: Means of expression High-level: Independent of mechanisms –Example: Domain-Type Enforcement Language Subjects partitioned into domains Objects partitioned into types Each domain has set of rights over each type Low-level: Acts on mechanisms –Example: Tripwire: Flags what has changed Configuration file specifies settings to be checked History file keeps old (good) example

11 Creating a Secure System Can we make it secure? –Easy! But can we make it precise? Next Time: Model allowing us to capture this [Figure: set of reachable states and set of secure states, labelled "secure" and "precise"]

12 Modeling Secure/Precise: Confidentiality (Jones and Lipton) What are we modeling? A program –$p: I_1 \times \dots \times I_n \to R$ is a program Defined in terms of inputs and outputs –Goal: Determine if $p$ can violate confidentiality Observability –Output of function $p(i_1, \dots, i_n)$ encodes all available information on inputs $i_1, \dots, i_n$ –Output may include things not normally thought of as part of function result Data accessed Timing Anything that can be observed

13 Modeling Secure/Precise: Confidentiality Protection Mechanism $m: I_1 \times \dots \times I_n \to R \cup E$ such that: –$m(i_1, \dots, i_n) = p(i_1, \dots, i_n)$, or Acceptable result –$m(i_1, \dots, i_n) \in E$ Protection violation (result of $p$ would disclose confidential information) Confidentiality Policy for program $p$: $c: I_1 \times \dots \times I_n \to A$ –$A \subseteq I_1 \times \dots \times I_n$ is inputs that can be revealed

14 Modeling Secure/Precise: Confidentiality Secure Program: Given confidentiality policy $c$ for program $p$, and mechanism $m$ for $p$ –$m$ is secure iff $\exists m': A \to R \cup E$ such that $\forall i_k \in I_k$, $m(i_1, \dots, i_n) = m'(c(i_1, \dots, i_n))$ What does this mean? –Must be able to generate results from non-confidential inputs

15 Modeling Secure/Precise: Confidentiality $m_1$ as precise as $m_2$ if $\forall i_k \in I_k$ –$m_2(i_1, \dots, i_n) = p(i_1, \dots, i_n) \Rightarrow m_1(i_1, \dots, i_n) = p(i_1, \dots, i_n)$ –Write $m_1 \approx m_2$ $m_1$ more precise than $m_2$ if $\exists i_k \in I_k$ s.t. –$m_1(i_1, \dots, i_n) = p(i_1, \dots, i_n)$ –$m_2(i_1, \dots, i_n) \neq p(i_1, \dots, i_n)$ –Write $m_1 \sim m_2$

16 Modeling Secure/Precise: Confidentiality $m_3 = m_1 \cup m_2$ defined as –$p(i_1, \dots, i_n)$ when $m_1(i_1, \dots, i_n) = p(i_1, \dots, i_n)$ or $m_2(i_1, \dots, i_n) = p(i_1, \dots, i_n)$ –else $m_1(i_1, \dots, i_n)$ –Less restrictive than either Theorem: if $m_1$ and $m_2$ secure, –$m_1 \cup m_2$ secure –$m_1 \cup m_2 \approx m_1$ and $m_1 \cup m_2 \approx m_2$

17 Modeling Secure/Precise: Confidentiality Theorem: if $m_1$ and $m_2$ secure, –$m_1 \cup m_2$ secure –$m_1 \cup m_2 \approx m_1$ and $m_1 \cup m_2 \approx m_2$ Proof Sketch –Result = result of $p$ Only if same as $m_1$ or $m_2$ $m_1$ and $m_2$ secure –Result = result of $m_1$ $m_1$ secure
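
The definitions of secure, as precise as, more precise than and the union of two mechanisms from the slides above, checked by brute force over a small finite input space. This is an added example, not part of the original presentation; the program p, policy c, mechanisms m1 and m2, the input domains and the helper names are constructed for illustration. It uses the fact that a suitable m' exists exactly when m returns the same result for any two inputs that c maps to the same value.

```python
from itertools import product

ERR = "E"  # protection-violation result (stands for the set E on the slides)
# Constructed finite domains: I_1 = secret input, I_2 = public input.
INPUTS = list(product(range(4), range(4)))

def p(secret, public):
    """Program: the result depends on the secret only when public is odd."""
    return public * 2 if public % 2 == 0 else public + secret

def c(secret, public):
    """Confidentiality policy: only the public input may be revealed."""
    return public

def m1(secret, public):
    """Mechanism that returns p's result only when public == 0."""
    return p(secret, public) if public == 0 else ERR

def m2(secret, public):
    """Mechanism that returns p's result only when public == 2."""
    return p(secret, public) if public == 2 else ERR

def union(ma, mb):
    """ma ∪ mb: p's result if either mechanism agrees with p, else ma's."""
    def m3(*i):
        return p(*i) if ma(*i) == p(*i) or mb(*i) == p(*i) else ma(*i)
    return m3

def is_secure(m):
    """m = m' ∘ c for some m' iff m is constant wherever c is constant."""
    seen = {}
    return all(seen.setdefault(c(*i), m(*i)) == m(*i) for i in INPUTS)

def as_precise(ma, mb):
    """ma ≈ mb: on every input where mb returns p's result, so does ma."""
    return all(ma(*i) == p(*i) for i in INPUTS if mb(*i) == p(*i))

def more_precise(ma, mb):
    """ma ~ mb: some input where ma returns p's result and mb does not."""
    return any(ma(*i) == p(*i) != mb(*i) for i in INPUTS)

if __name__ == "__main__":
    m3 = union(m1, m2)
    print("p alone secure:", is_secure(p))          # p leaks the secret
    print("m1, m2, m1 ∪ m2 secure:", is_secure(m1), is_secure(m2), is_secure(m3))
    print("m1 ∪ m2 ≈ m1, ≈ m2:", as_precise(m3, m1), as_precise(m3, m2))
```

Running p unmodified fails the security check because its output on odd public inputs varies with the secret, while the union of the two secure mechanisms stays secure and is at least as precise as each.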

18 Modeling Secure/Precise: Confidentiality Theorem: Given $p$ and $c$, $\exists$ a precise, secure mechanism $m^*$ such that $\forall$ secure $m$ for $p$ and $c$, $m^* \approx m$ –Proof: Induction from previous theorem Theorem: Impossible to construct $m^*$ –Proof: Reduction from Halting Problem –$c$ = constant function (reveal no information) –$p$ such that $m$ either non-constant or undefined Non-constant not allowed Undefined corresponds to $p$ halts –Contradiction: Either $m$ non-constant, or we know $p$ halts $p$ defined as in halting problem

19 Modeling Secure/Precise: Integrity Integrity Policy: Set of valid outputs for given input Mechanism: Given program, policy, produce output allowed by policy –Program output if allowed –Valid output otherwise probably includes error Precision: Does mechanism produce program result whenever allowed?

20 Next – Confidentiality Policy: Bell-LaPadula Model Formally models military-style classification –Multi-level access control Mandatory Access Control –Clearance Discretionary Access Control –Need to Know First real attempt to model and prove security of real systems

