A security policy defines what needs to be done. A security mechanism defines how to do it. All passwords must be updated on a regular basis and every.


1 A security policy defines what needs to be done. A security mechanism defines how to do it.
  Example security policy: all passwords must be updated on a regular basis and every one must include at least one embedded non-alphabetic symbol.
  Corresponding security mechanisms:

2 state -- a particular collection of value assignments (i.e. to computer registers, memory, secondary stores, relevant network devices, etc.)
  P all -- the set of all possible protection states (i.e., a universal set)
  protection state -- a state that deals only with assignments relevant to security/protection
  P auth -- the set of all authorized protection states
  safe state -- state s is safe iff s ∈ P auth
  breach -- security has been breached whenever a system enters a state s for which s ∉ P auth
  security policy -- a security policy should define what constitutes P auth
  security mechanism -- a security mechanism should ensure that a system never reaches a state in P all that is not in P auth

3 If a policy is P auth, then why is it impractical to enumerate P auth?
  A better solution: define policy in terms of who has access to what, i.e. Subjects (s) and Assets (a).
  Confidentiality Policy: a is confidential to s iff other subjects ____________________ about a.
  Integrity Policy: a has integrity to s iff s _________ a.
  Availability Policy: a is available to s iff s is __________________ a.

4 In practice, security policies are expressed informally as rights, responsibilities and consequences.
  Examples: university acceptable use policy, university academic dishonesty policy
  Laws: HIPAA, Privacy Act

5 Consider a policy for maintaining the confidentiality of government documents.
  policy model -- a set of policies (abstractly, a set of policy properties)
  level          numeric equivalent
  Top Secret     1
  Secret         2
  Confidential   3
  Unclassified   4
  -- assets
  -- subjects

6 Simple Security Property
  Subject s can read asset a iff clearance(s) ≥ classification(a)
  (levels and numeric equivalents as on slide 5)
  This property has been widely used for years. However, the Simple Security Property only applies to reads. What about writes?

7 Simple Security Property
  Subject s can read asset a iff clearance(s) ≥ classification(a)
  (levels and numeric equivalents as on slide 5)
  Another issue: why does the Simple Security Property not enforce a need-to-know policy?
  *-Property
  Subject s can write to asset a iff clearance(s) ≤ classification(a)
  a multi-level confidentiality model circa 1986

8 It is common to include codewords in addition to classification and clearance (e.g., DesertStorm, Umbra). In this system a security classification/clearance consists of an ordered pair: (level, set of codewords).
  We can define access using a dominance relation, dom, as follows:
  let clearance(s) = (sLevel, sCodewords)
      classification(a) = (aLevel, aCodewords)
  dom(s, a) means sLevel ≥ aLevel and ∀c [(c ∈ aCodewords) → (c ∈ sCodewords)]
  Example
  v = (TopSecret, {Iraq, Iran, Nato, China})
  w = (Secret, {Iraq})
  x = (TopSecret, {Nato})
  y = (Confidential, {Nato})
  z = (Confidential, {Iran, Iraq, Nato})

9 A system is said to be secure (in the sense of confidentiality) given that it maintains the following two properties:
  Simple Security Property
  Subject s can read asset a iff (dom(s, a) and read ∈ acm[s, a])
  *-Property
  Subject s can write to asset a iff (dom(a, s) and write ∈ acm[s, a])

10 Simple Security Property
  Subject s can read asset a iff (dom(s, a) and read ∈ acm[s, a])
  *-Property
  Subject s can write to asset a iff (dom(a, s) and write ∈ acm[s, a])
  Following these properties, is it possible for someone to write to a document they cannot read?
  Following these properties, is it possible for someone to read a document they cannot write?
  How can a superior communicate with a subordinate?

11 Raising an asset's security level: this has little impact except for future limited access.
  Lowering an asset's security level: this violates the *-property.
  Solution: two types of tranquility
  Strong Tranquility: neither clearances nor classifications change throughout the system's lifetime.
  Weak Tranquility: clearances and classifications can only change in a way that preserves both the simple security property and the *-property.
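The dominance relation of slide 8, the two properties of slides 9 and 10 and the weak-tranquility rule of slide 11, worked through as an added example (this code is not from the slides). The five labels v to z are the slide's own; the subject names, asset names, the acm entries and the "relabel" operation are constructed assumptions for the demonstration.

```python
# Added example (not from the slides): Bell-LaPadula style access checks using
# (level, set of codewords) labels, an access control matrix acm[s, a], and a
# weak-tranquility check on relabelling. Level names, the subject/asset names
# and the acm entries below are constructed for illustration.
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Lattice order on levels; a larger number dominates a smaller one.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "TopSecret": 3}

Label = Tuple[str, FrozenSet[str]]


def label(level: str, codewords: Iterable[str] = ()) -> Label:
    return (level, frozenset(codewords))


def dom(x: Label, y: Label) -> bool:
    """x dominates y: level(x) >= level(y) and every codeword of y is also in x."""
    return LEVELS[x[0]] >= LEVELS[y[0]] and y[1] <= x[1]


# The five labels from the slide's example.
v = label("TopSecret", {"Iraq", "Iran", "Nato", "China"})
w = label("Secret", {"Iraq"})
x = label("TopSecret", {"Nato"})
y = label("Confidential", {"Nato"})
z = label("Confidential", {"Iran", "Iraq", "Nato"})


class BLPSystem:
    def __init__(self, clearance: Dict[str, Label], classification: Dict[str, Label],
                 acm: Dict[Tuple[str, str], Set[str]]):
        self.clearance = clearance            # subject -> label
        self.classification = classification  # asset -> label
        self.acm = acm                        # (subject, asset) -> discretionary modes
        self.open_accesses: Set[Tuple[str, str, str]] = set()

    def _rights(self, s: str, a: str) -> Set[str]:
        return self.acm.get((s, a), set())

    def can_read(self, s: str, a: str, classification=None) -> bool:
        """Simple Security Property: dom(s, a) and read in acm[s, a]."""
        cls = self.classification if classification is None else classification
        return dom(self.clearance[s], cls[a]) and "read" in self._rights(s, a)

    def can_write(self, s: str, a: str, classification=None) -> bool:
        """*-Property: dom(a, s) and write in acm[s, a] (no write down)."""
        cls = self.classification if classification is None else classification
        return dom(cls[a], self.clearance[s]) and "write" in self._rights(s, a)

    def open(self, s: str, a: str, mode: str) -> bool:
        ok = self.can_read(s, a) if mode == "read" else self.can_write(s, a)
        if ok:
            self.open_accesses.add((s, a, mode))
        return ok

    def relabel(self, a: str, new_label: Label) -> bool:
        """Weak tranquility: change classification(a) only if every currently open
        access to a still satisfies the property that authorised it."""
        trial = dict(self.classification)
        trial[a] = new_label
        for s, asset, mode in self.open_accesses:
            if asset != a:
                continue
            still_ok = (self.can_read(s, a, trial) if mode == "read"
                        else self.can_write(s, a, trial))
            if not still_ok:
                return False
        self.classification[a] = new_label
        return True


def demo() -> Dict[str, bool]:
    """Constructed scenario answering the questions on slide 10."""
    system = BLPSystem(
        clearance={"alice": v, "bob": y},
        classification={"doc1": w, "doc2": x},
        acm={("alice", "doc1"): {"read", "write"}, ("bob", "doc2"): {"read", "write"}},
    )
    return {
        "alice_reads_doc1": system.can_read("alice", "doc1"),    # True: v dom w
        "alice_writes_doc1": system.can_write("alice", "doc1"),  # False: writing down is blocked
        "bob_reads_doc2": system.can_read("bob", "doc2"),        # False: y does not dom x
        "bob_writes_doc2": system.can_write("bob", "doc2"),      # True: writing up to an unreadable asset
    }
```

The demo shows the answers to slide 10: bob can write to a document he cannot read (write up), alice cannot write to a document she can read (no write down), which is exactly why a superior cannot communicate downward under these properties alone. The relabel method implements weak tranquility by re-checking every open access against the proposed classification before committing it.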

12 Ken Biba, 1975 -- read only up, write only down
  Simple Security Property
  Subject s can write asset a iff integrity(s) ≥ integrity(a)
  *-Property
  Subject s can read asset a iff integrity(s) ≤ integrity(a)
  Low water mark principle: the integrity of an asset is only as good as the ________________ of all subjects that contribute to its content.
  Execute Property
  Action p1 can execute an action p2 iff integrity(p1) ≥ integrity(p2)
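Biba's three checks and the low-water-mark principle, as an added example (not from the slides). Instead of refusing a read of lower-integrity data, a low-water-mark subject has its own integrity lowered, which then restricts what it may write. The integrity levels, the subject "updater" and the asset names are constructed assumptions.

```python
# Added example (not from the slides): Biba's strict integrity checks and a
# low-water-mark subject whose integrity falls to that of anything it reads.
# The integrity levels and the sample asset names are constructed.
from typing import List, Tuple

LOW, MEDIUM, HIGH = 1, 2, 3   # larger number = higher integrity


def can_write(subject_int: int, asset_int: int) -> bool:
    """Write only down: a subject may write an asset of equal or lower integrity."""
    return subject_int >= asset_int


def can_read(subject_int: int, asset_int: int) -> bool:
    """Read only up: a subject may read an asset of equal or higher integrity."""
    return subject_int <= asset_int


def can_execute(p1_int: int, p2_int: int) -> bool:
    """Execute property: p1 may invoke p2 only if p2 is of equal or lower integrity."""
    return p1_int >= p2_int


class LowWaterMarkSubject:
    """Instead of refusing reads of low-integrity data, the subject's own
    integrity is lowered to the minimum of everything it has read."""

    def __init__(self, name: str, integrity: int):
        self.name = name
        self.integrity = integrity
        self.history: List[Tuple] = []

    def read(self, asset: str, asset_int: int) -> int:
        self.integrity = min(self.integrity, asset_int)
        self.history.append(("read", asset, self.integrity))
        return self.integrity

    def write(self, asset: str, asset_int: int) -> bool:
        ok = can_write(self.integrity, asset_int)
        self.history.append(("write", asset, ok))
        return ok


def demo() -> Tuple[bool, int, bool]:
    """A high-integrity updater reads an untrusted download and is then unable
    to write the medium-integrity configuration it could write before."""
    updater = LowWaterMarkSubject("updater", HIGH)
    before = updater.write("config", MEDIUM)   # True
    updater.read("download", LOW)             # integrity drops to LOW
    after = updater.write("config", MEDIUM)    # False
    return before, updater.integrity, after
```

The demo is the low-water-mark principle in action: once the updater has consumed low-integrity input, nothing it produces can be trusted at a higher level, so the configuration write that succeeded earlier is now refused.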

13 Multi-level Models vs. Multi-lateral Models
  [figure: a multi-level model orders assets by Top Secret, Secret, Confidential and Unclassified; a multi-lateral model partitions assets into Asset Group 1, Asset Group 2 and Asset Group 3, with subjects S1 to S4 assigned to groups]

14 A multi-lateral hybrid model, Brewer & Nash 1989
  This model is often used in the service industry where knowledge of sensitive information comes from multiple different competing and non-competing companies (e.g. consulting companies, law practices, insurance companies).
  Example: a financial consulting firm has the following clients: Sun Microsystems, Microsoft, General Motors, Ford Motor Co. and Toyota. Consider the potential conflicts of interest.

15 Consider that assets are partitioned into conflict of interest groups (industrial competitors).
  Simple Security Property
  Subject s can read asset a iff ∀a' (a' readable by s) [ company(a) ∉ competitors(company(a')) OR company(a) = company(a') ]
  *-Property
  Subject s can write to asset a iff a satisfies the Simple Security Property for s AND ∀a' (a' readable by s) [ competitors(company(a')) = ∅ OR company(a) = company(a') ]
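The two Brewer & Nash properties above, run over the client list from slide 14, as an added example (not from the slides). The grouping of the clients into a "computing" class and an "automotive" class, the sanitised "MarketData" source with no competitors, the asset names and the analyst "ann" are constructed assumptions; the decisions depend on the analyst's read history, which is what distinguishes this model from the multi-level ones.

```python
# Added example (not from the slides): a Brewer & Nash style checker. The
# client names follow slide 14; the conflict-of-interest classes, the asset
# names and the subject "ann" are constructed assumptions.
from collections import defaultdict
from typing import Dict, Optional, Set


class ChineseWall:
    def __init__(self, company_of: Dict[str, str], coi_class_of: Dict[str, Optional[str]]):
        self.company_of = company_of          # asset -> company
        self.coi_class_of = coi_class_of      # company -> conflict-of-interest class; None = sanitised data
        self.read_history: Dict[str, Set[str]] = defaultdict(set)  # subject -> assets already read

    def competitors(self, company: str) -> Set[str]:
        """Other companies in the same conflict-of-interest class (empty for sanitised data)."""
        cls = self.coi_class_of.get(company)
        if cls is None:
            return set()
        return {c for c, k in self.coi_class_of.items() if k == cls and c != company}

    def can_read(self, s: str, a: str) -> bool:
        """Simple Security Property: for all a' read by s, company(a) is not a
        competitor of company(a') or both assets belong to the same company."""
        company = self.company_of[a]
        return all(company not in self.competitors(self.company_of[prev])
                   or company == self.company_of[prev]
                   for prev in self.read_history[s])

    def can_write(self, s: str, a: str) -> bool:
        """*-Property: a is readable, and every a' read by s is either sanitised
        (no competitors) or belongs to the same company as a."""
        company = self.company_of[a]
        return self.can_read(s, a) and all(
            not self.competitors(self.company_of[prev]) or self.company_of[prev] == company
            for prev in self.read_history[s])

    def read(self, s: str, a: str) -> bool:
        """Perform a read and record it, since later decisions depend on it."""
        if not self.can_read(s, a):
            return False
        self.read_history[s].add(a)
        return True


def demo() -> Dict[str, bool]:
    wall = ChineseWall(
        company_of={"sun_report": "Sun", "ms_report": "Microsoft", "ford_report": "Ford",
                    "gm_report": "GM", "toyota_report": "Toyota", "market_index": "MarketData"},
        coi_class_of={"Sun": "computing", "Microsoft": "computing",
                      "Ford": "automotive", "GM": "automotive", "Toyota": "automotive",
                      "MarketData": None},  # sanitised, conflict-free data
    )
    out = {}
    out["read_sun"] = wall.read("ann", "sun_report")               # True: no history yet
    out["read_ms"] = wall.can_read("ann", "ms_report")             # False: Microsoft competes with Sun
    out["read_index"] = wall.read("ann", "market_index")           # True: sanitised data
    out["write_sun_before"] = wall.can_write("ann", "sun_report")  # True: only Sun and sanitised data read
    out["read_ford"] = wall.read("ann", "ford_report")             # True: different conflict class
    out["write_sun_after"] = wall.can_write("ann", "sun_report")   # False: Ford data could flow into Sun's file
    out["write_ford_after"] = wall.can_write("ann", "ford_report") # False: Sun data could flow into Ford's file
    return out
```

The last two results show the well-known consequence of the *-property: once an analyst has read from two different conflict-of-interest classes, she can no longer write to any unsanitised asset at all, because any write could carry one client's data into another's file.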

16 A security model of double-entry bookkeeping, 1987
  Rules (numbered to match Bishop)
  CR1. The system has procedures to verify the integrity of every constrained data item (CDI).
  CR2. A CDI's integrity must be maintained whenever a transformation procedure (TP) is applied.
  ER1. The only way to change a CDI is by applying a proper TP.
  ER2. Subjects can only initiate selected TPs on selected CDIs.
  CR3. The Rule ER2 restrictions must enforce an appropriate separation of duty policy on subjects.
  CR4. The application of a TP must store enough info in an append-only CDI to be able to reconstruct the transaction.
  CR5. Certain special TPs can produce CDIs from unrestricted data.
  ER3. The system must authenticate subjects attempting to initiate a TP.
  ER4. Only special subjects (i.e., security officers) are permitted to alter authorization-related data.
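A toy double-entry ledger run under the Clark-Wilson rules, as an added example (not from the slides or from Bishop). The ledger accounts, the "transfer" and "deposit" TPs, the subjects "secoff" and "clerk" and the separation-of-duty rule (the officer may not hold TP rights) are constructed assumptions; each check in the code is labelled with the rule it implements, and CR5 (special TPs that admit unconstrained data) is not modelled.

```python
# Added example (not from the slides): a small ledger whose balances are the
# CDIs, whose TPs must keep the double-entry invariant, and whose accesses are
# governed by authorisation triples, authentication and an append-only log.
# Accounts, subjects and TPs are constructed for illustration.
from typing import Callable, Dict, List, Set, Tuple


class IntegrityViolation(Exception):
    pass


class ClarkWilsonLedger:
    def __init__(self, cdis: Dict[str, int], officer: str):
        self._cdis = dict(cdis)                   # constrained data items
        self._total = sum(cdis.values())          # invariant the IVP checks
        self.officer = officer                    # ER4: only the officer edits authorisations
        self._authorized: Set[Tuple[str, str, str]] = set()   # (subject, tp, cdi) triples (ER2)
        self._authenticated: Set[str] = set()     # ER3
        self._tps: Dict[str, Callable] = {"transfer": self._tp_transfer,
                                          "deposit": self._tp_deposit}
        self.log: List[Tuple] = []                # CR4: append-only transaction record

    def ivp(self) -> bool:
        """CR1: double-entry bookkeeping keeps the total constant and balances non-negative."""
        return (sum(self._cdis.values()) == self._total
                and all(b >= 0 for b in self._cdis.values()))

    def authenticate(self, subject: str) -> None:
        self._authenticated.add(subject)

    def authorize(self, actor: str, subject: str, tp_name: str, cdi: str) -> None:
        if actor != self.officer:
            raise PermissionError("ER4: only the security officer alters authorisation data")
        if subject == self.officer:
            raise PermissionError("CR3: separation of duty, the officer may not hold TP rights")
        self._authorized.add((subject, tp_name, cdi))

    def balance(self, cdi: str) -> int:
        return self._cdis[cdi]

    def run(self, subject: str, tp_name: str, cdis: List[str], **args) -> bool:
        if subject not in self._authenticated:
            raise PermissionError("ER3: subject not authenticated")
        if any((subject, tp_name, c) not in self._authorized for c in cdis):
            raise PermissionError("ER2: subject may not run this TP on this CDI")
        before = dict(self._cdis)
        self._tps[tp_name](*cdis, **args)         # ER1: CDIs change only through a TP
        if not self.ivp():                        # CR2: the TP must preserve integrity
            self._cdis = before
            raise IntegrityViolation(f"{tp_name} broke the ledger invariant; rolled back")
        self.log.append((subject, tp_name, tuple(cdis), dict(args), dict(self._cdis)))
        return True

    def _tp_transfer(self, src: str, dst: str, amount: int) -> None:
        """A proper double-entry TP: one debit, one credit."""
        self._cdis[src] -= amount
        self._cdis[dst] += amount

    def _tp_deposit(self, cdi: str, amount: int) -> None:
        """A flawed TP that credits one account without a matching debit."""
        self._cdis[cdi] += amount


def demo() -> Dict[str, object]:
    ledger = ClarkWilsonLedger({"cash": 100, "inventory": 50}, officer="secoff")
    ledger.authenticate("clerk")
    for cdi in ("cash", "inventory"):
        ledger.authorize("secoff", "clerk", "transfer", cdi)
    ledger.authorize("secoff", "clerk", "deposit", "cash")
    ledger.run("clerk", "transfer", ["cash", "inventory"], amount=30)
    results: Dict[str, object] = {"cash": ledger.balance("cash"),
                                  "inventory": ledger.balance("inventory"),
                                  "log_entries": len(ledger.log)}
    try:
        ledger.run("clerk", "deposit", ["cash"], amount=10)
        results["deposit"] = "accepted"
    except IntegrityViolation:
        results["deposit"] = "rolled back"       # CR2 caught the flawed TP
    results["cash_after"] = ledger.balance("cash")
    try:
        ledger.run("intruder", "transfer", ["cash", "inventory"], amount=1)
    except PermissionError as e:
        results["intruder"] = str(e)[:3]          # "ER3"
    return results
```

Note that the IVP is only as good as the invariant it encodes: a TP that debits and credits the right accounts but the wrong amounts would still be rejected here, while a TP that preserves the total yet moves money to the wrong account would pass, which is why CR3's separation of duty and CR4's reconstructible log are needed alongside CR1 and CR2.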

