Presentation is loading. Please wait.

Presentation is loading. Please wait.

12/4/20151 Computer Security Security models – an overview.

Published byShanon Shaw Modified over 8 years ago

Similar presentations

Presentation on theme: "12/4/20151 Computer Security Security models – an overview."— Presentation transcript:

1 12/4/20151 Computer Security Security models – an overview.

2 12/4/20152 Finite State Machine Models Automata (=Finite State Machines) are a popular way Of modeling many aspects of computing systems. The essential feature of these are then concepts of: State State transition

3 12/4/20153 Bell-LaPadula (BLP) Model BLP Structure Combines,.Access permission matrices for access control, a Security lattice, for security levels, an Automaton, for access operations. Security policies are reduced to relations in the BLP structure.

4 12/4/20154 BLP Model A set of subjects S A set of objects O A set of access operations A = {execute,read,append,write} A set L of security levels, with a partial ordering.

5 12/4/20155 BLP Model We want to use the state of the system to check its security. The state set is: B x M x F, where B = P ( SxOxA ) the set of current accesses b. M is the set of permission matrices M A set of security level assignments F L s x L s x L o.

6 12/4/20156 BLP Model The security level assignments F L s x L s x L o. F has elements f =, where

7 12/4/20157 BLP Model Security policies: a state ( b,M,f ) must satisfy, 1.Simple security property ( ss-property ): –for each access request ( s,o,a ) in b, with access operation a = read, or write, the security level of s must dominate the classification of o, i.e., This is a no read/write up security policy

8 12/4/20158 BLP Model 2. Star property ( * -property): –for each access request ( s,o,a ) in b, with access operation a = append, or write, the current security level of s is dominated by the classification of the object o, i.e.. This is a no append/write down policy. Also, if there is an ( s,o,a ) in b with a = append or write, then we must have for all o’ with ( s,o’,a’ ) in b and a’ = read or write

9 12/4/20159 BLP Model 3. Discretionary security property ( ds-property ): -- for each access ( s,o,a ) in b, we must have.

10 12/4/201510 BLP Model The * -property implies that is not possible to send messages to low level subjects. There are two ways to remedy this. Temporarily downgrade a high level subject  this is why we introduced the current security level. Identify a set of subjects that are permitted to violate the * -property. These are called trusted subjects.

11 12/4/201511 BLP Security A state v = ( b,M,f ) is called secure if all three security properties are satisfied. A transition from state v 1 = ( b 1,M 1, f 1 ) to state v 2 = ( b 2,M 2, f 2 ) is secure if v 2 is secure whenever v 1 is.

12 12/4/201512 BLP Security Theorem If all state transitions are secure and if the initial state is secure then every subsequent state is secure, no matter which inputs occur.

13 12/4/201513 BLP Security Proof -informal A formal proof would proceed by induction on the length of the input sequences. It would build on the fact that security is preserves by state transitions. Remark This theorem means that to check security you only need to check that state transitions preserve security.

14 12/4/201514 BLP Security Proof, the ss-property A state transition from ( b 1,M 1, f 1 ) to ( b 2,M 2, f 2 ) preserves the ss-property if and only if:

15 12/4/201515 BLP Security Proof, the * & ds-property Preservation of the * -property and the ds-property can be described in a similar way.

16 12/4/201516 BLP Security McLean defined a BLP system which downgrades all subjects to the lowest level, downgrades all objects to the lowest level, enters all access rights in all positions of the access control matrix M.

17 12/4/201517 BLP Security A BLP system is only as good as its state transitions are. When a security system is designed within the framework of a model, it is important that the implementation of the primitives of the model captures correctly the security requirements of the system.

18 12/4/201518 Limitations of BLP The BLP model, 1.only deals with confidentiality, not integrity, 2.does not address management of access control, 3.contains covert channels.

19 12/4/201519 Limitations of BLP These are features of BLP, and should not be regarded as flaws. Limiting the goals of a model makes it easier to deal with security issues BLP does not state policies for the modification of access rights. BLP was originally intended for systems with no changes in the security levels.

20 12/4/201520 Limitations of BLP Covert channels are information channels that are not controlled by the security mechanism of the system. Information can flow (leak) from a high security level to a low security level as follows: 1.A low-level subject creates an object dummy.obj at its own level, 2.Its high-level accomplice, either upgrades it to a high level, or does not. 3. Later the low level subject tries to read dummy.obj. If it can, the covert bit is 1; otherwise it is 0.

21 12/4/201521 Limitations of BLP Telling a subject that a certain operation is or is not permitted, constitutes information flow.

22 12/4/201522 The Harrison-Ruzzo-Ullman (HRU) Model The BLP model is not dynamic : it does not allow for the creation or deletion of subjects and objects and for changing access rights. The HRU model defines authorization systems that address this issue.

23 12/4/201523 HRU Model A set of subjects S A set of objects O A set of access rights R An access matrix

24 12/4/201524 HRU Model We also have six primitive operations,

25 12/4/201525 HRU Model Commands in HRU are of type,

26 12/4/201526 HRU Model Basic operations are of type, The owner s of file f grants read access to s,

27 12/4/201527 HRU Model -security Definitions An access matrix M leaks the right r if there is a command that adds the right r in a position of M that did not previously contain r, that is, An access matrix M is safe with respect to the right r if no sequence of commands can transform M into a state that leaks r. So, verifying HRU security reduces to verifying safety properties.

28 12/4/201528 HRU Model -security Theorems 1.Given an access matrix M and a right r, verifying the safety of M with respect to the right r is an undecidable problem. 2.Given a mono-operational * authorization system, an access matrix M and a right r, verifying the safety of M with respect to the right r is decidable. Even if two operations per command are allowed we get undecidability. 3.The safety problem for authorization systems is decidable if the number of subjects is bounded. * Commands contain a single operation are mono-operational

29 12/4/201529 The Chinese Wall Model This models a consultancy business where analysts have to make sure that no conflicts arise when dealing with different clients (companies). Informally, a conflict arises when clients are direct competitors in the same market, or because of the ownership of companies.

30 12/4/201530 The Chinese Wall Model 1.A set of subjects S 2.A set of companies C 3.A set of objects O –the objects concerning the same company are called company datasets. –the function gives the company dataset for each object. 4.The function gives the conflict of interest classes for each object.

31 12/4/201531 The Chinese Wall Model Conflicts of interest may also arise from objects that have been accessed in then past. Let N s,o = true, if subject s has had access to object o false, if subject s never had access to object o

32 12/4/201532 The Chinese Wall Model ss – property : That is, access is granted only if the object requested belongs to: a company dataset already held by the subject (the analyst), or an entirely different conflict of interest class.

33 12/4/201533 The Chinese Wall Model * - property : That is, write access to an object is only granted if no other object can be read which is in a different company dataset and contains unsanitised information.

34 12/4/201534 The Biba Model This model addresses integrity by using a state machine model in a similar way to BLP. Unlike BLP there is no single high-level integrity policy. Instead, there is a variety of approaches.

35 12/4/201535 The Biba Model The integrity policies guarantee that information only flows downwards. In particular, “clean” high level entities cannot be corrupted by “dirty” low level entities.

36 12/4/201536 The Biba Model – static integrity Simple integrity property : “first try’’ : Integrity * - property : These properties prevent clean subjects and objects from being contaminated by dirty information.

37 12/4/201537 The Biba Model – static integrity Simple integrity property : Integrity * - property :

38 12/4/201538 The Biba Model – dynamic integrity This uses an approach similar to the Chinese Wall model, in which the integrity of a subject is adjusted if the subject comes into contact with low-level information.

39 12/4/201539 The Biba Model – dynamic integrity Subject low watermark property : Object low watermark property :

40 12/4/201540 The Clark - Wilson Model This model addresses the security requirements of commercial applications. The requirements of this model are to secure data integrity. Integrity requirements are divided into, internal consistency: properties of the internal state that can be enforced by the computer system. external consistency: the relation of the internal state to the real world: enforced by means outside the system, e.g. auditing.

41 12/4/201541 The CW Model Integrity is enforced by, well formed transactions : data items can be manipulated only by a specific set of programs; users have access to programs rather than data items. separation of duties : users have to collaborate to manipulate data and collude to penetrate the system.

42 12/4/201542 The CW Model In the Clark-Wilson model, Subjects must be identified and authenticated, Objects can be manipulated only by a restricted set of programs, Subjects can execute only a restricted set of programs, A proper audit log has to be maintained, The system must be certified to work properly.

43 12/4/201543 The CW Model In the Clark-Wilson model, Data items governed by the security policy are called Constrained Data Items (CDIs), Inputs captured as Unconstrained Data Items (UDIs), Conversion of UDIs to CDIs is a critical part of the system which cannot be controlled solely by the security mechanisms in the system, CDIs can be manipulated by Transformation Procedures (TPs) The integrity of a state is checked by Integrity Verification Procedure (IVPs)

44 12/4/201544 The CW Model Security procedures are defined by 5 certification rules: 1.Integrity Verification Procedures must ensure that all Constrained Data Items are in a valid state when the IVP is run. 2.Transformation Procedures must be certified to be valid, i.e. CDIs must always be transformed into CDIs. 3.The access rules must certify any separation of duties requirements. 4. All TPs must write to an append-only log. 5. Any TP that takes a UDI as input must either convert it into a CDI or reject it.

45 12/4/201545 The CW Model Security procedures are enforced by the 4 rules: 1.The system must maintain and protect the list of entries: (TPi:CDIa,CDIb, … ) giving the CDIs that the TP is certified to access. 2.The system must maintain and protect the list of entries: (UserID,TPi:CDIa,CDIb, … ) specifying the TPs that users can execute. 3.The system must authenticate each user requesting to execute a TP. 4.Only a subject that may certify an access rule for a TP may modify the respective entry in the list. This subject must not have execute rights on that TP.

46 12/4/201546 In the BLP model information can flow from a low security level to a high security level through access operations without any loss of confidential information. Informally, a state transition from one object x to another object y causes information flow if we learn more about x by observing y. Information - Flow Models

47 12/4/201547 If you already know x then no information can flow from x. Otherwise we have: Explicit information flow -- Observing y after the assignment y:=x tells you the value of x. Implicit information flow -- Observing y after the conditional statement If x=0 then y:=1 may tell you something about x even if y is not 1, e.g. if y = 2. Then we deduce that x is not 0. Information - Flow Models

48 12/4/201548 A precise quantitative definition for information flow can be given in terms of Information Theory. –The information flow from x to y is measured by the equivocation (conditional entropy) H (x | y) of x, given y. Information - Flow Models

49 12/4/201549 Information - Flow Models The components of the information flow model are: A lattice A set of labeled objects

50 12/4/201550 Information - Flow Models An IF system is secure if there is no illegal information flow. Advantages: it covers all kinds of information flow. Disadvantages: far more difficult to design such systems. E.g. checking whether a given system in the IF model is secure is an undecidable problem.

51 12/4/201551 Information - Flow Models One must also distinguish between – static enforcement and – dynamic enforcement of the information flow policies.

52 12/4/201552 Information - Flow Models An alternative to information flow models are –non-interference models. These provide a different formalism to describe the knowledge of subjects regarding the state of the system.

Download ppt "12/4/20151 Computer Security Security models – an overview."

Similar presentations

TOPIC CLARK-WILSON MODEL Ravi Sandhu.

TOPIC CLARK-WILSON MODEL Ravi Sandhu.
Title ON FOUR DEFINITIONS OF DATA INTEGRITY Ravi Sandhu George Mason University FIVE.

Title ON FOUR DEFINITIONS OF DATA INTEGRITY Ravi Sandhu George Mason University FIVE.
CSC 405 Introduction to Computer Security

CSC 405 Introduction to Computer Security
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Security Models and Architecture

Security Models and Architecture
Authorization. What is authorization? Authentication---who are you? Authorization---what is a user authroized to access? Role-based authorization Policy-based.

Authorization. What is authorization? Authentication---who are you? Authorization---what is a user authroized to access? Role-based authorization Policy-based.
Hybrid Policies Overview Chinese Wall Model Clinical Information Systems Security Policy ORCON RBAC Introduction to Computer Security ©2004 Matt Bishop.

Hybrid Policies Overview Chinese Wall Model Clinical Information Systems Security Policy ORCON RBAC Introduction to Computer Security ©2004 Matt Bishop.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
Bell-LaPadula Model. www.wiley.com/go/gollmann2 Why Security Models?  When we have implemented a security policy, do we know that it will (and can) be.

Bell-LaPadula Model. Why Security Models?  When we have implemented a security policy, do we know that it will (and can) be.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
May 4, 2004ECS 235Slide #1 Biba Integrity Model Basis for all 3 models: Set of subjects S, objects O, integrity levels I, relation ≤  I  I holding when.

May 4, 2004ECS 235Slide #1 Biba Integrity Model Basis for all 3 models: Set of subjects S, objects O, integrity levels I, relation ≤  I  I holding when.
Chinese wall model in the internet Environment

Chinese wall model in the internet Environment
Verifiable Security Goals

Verifiable Security Goals
Security Models.

Security Models.
1 Clark Wilson Implementation Shilpa Venkataramana.

1 Clark Wilson Implementation Shilpa Venkataramana.
1 Integrity Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 22, 2004.

1 Integrity Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 22, 2004.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
Information Systems Security Security Architecture Domain #5.

Information Systems Security Security Architecture Domain #5.
MT Computer Security - Models & Policies

MT Computer Security - Models & Policies

Similar presentations

Ads by Google