Integrity Policies
CS461 – Introduction to Computer Security
Spring 2007
Nikita Borisov
Based on slides provided by Matt Bishop for use with Computer Security: Art and Science

Reading
• Bishop: Chapter 6

Overview
• Requirements
  Very different than confidentiality policies
• Biba's models
  Low-Water-Mark policy
  Ring policy
  Strict Integrity policy
• Lipner's model
  Combines Bell-LaPadula, Biba
• Clark-Wilson model

Biba Integrity Model
Basis for all 3 models:
• Set of subjects S, objects O, integrity levels I, relation ≤ ⊆ I × I holding when second dominates first
• min: I × I → I returns lesser of integrity levels
• i: S ∪ O → I gives integrity level of entity
• r ⊆ S × O means s ∈ S can read o ∈ O
• w, x defined similarly
[Biba 77]

Intuition for Integrity Levels
• The higher the level, the more confidence
  That a program will execute correctly
  That data is accurate and/or reliable
• Note relationship between integrity and trustworthiness
• Important point: integrity levels are not security levels

Information Transfer Path
• An information transfer path is a sequence of objects o1, ..., on+1 and a corresponding sequence of subjects s1, ..., sn such that si r oi and si w oi+1 for all i, 1 ≤ i ≤ n.
• Idea: information can flow from o1 to on+1 along this path by successive reads and writes
[Figure: a transfer path drawn as O1, S2, O2, S3, O3 with alternating read and write arrows]

Strict Integrity Policy
• Dual of Bell-LaPadula model
  1. s ∈ S can read o ∈ O iff i(s) ≤ i(o)
  2. s ∈ S can write to o ∈ O iff i(o) ≤ i(s)
  3. s1 ∈ S can execute s2 ∈ O iff i(s2) ≤ i(s1)
• Add compartments and discretionary controls to get full dual of Bell-LaPadula model
• Information can flow only down
  No reads down, no writes up
• Term "Biba Model" refers to this

Notion of time
• Strict policy may be too strict
[Figure: objects O1 (high integrity) and O2 (low integrity), subject S1, with read and write arrows drawn along a time axis]

Low-Water-Mark Policy
• Idea: a subject's integrity level changes with time
  Tracks the lowest integrity level object it has read
• Rules
  1. s ∈ S can write to o ∈ O if and only if i(o) ≤ i(s).
  2. If s ∈ S reads o ∈ O, then i′(s) = min(i(s), i(o)), where i′(s) is the subject's integrity level after the read.
  3. s1 ∈ S can execute s2 ∈ S if and only if i(s2) ≤ i(s1).

Information Flow and Model
• If there is an information transfer path from o1 ∈ O to on+1 ∈ O, enforcement of the low-water-mark policy requires i(on+1) ≤ i(o1) for all n
[Figure: the path O1, S2, O2, S3, O3, with S2 and S3 shown at their lowered integrity levels]

Problems
• Subjects' integrity levels decrease as system runs
  Soon no subject will be able to access objects at high integrity levels
• Alternative: change object levels rather than subject levels
  Soon all objects will be at the lowest integrity level
• Crux of problem is model prevents indirect modification
  Because subject levels lowered when subject reads from low-integrity object

Ring Policy
• Idea: subject integrity levels static
• Rules
  1. s ∈ S can write to o ∈ O if and only if i(o) ≤ i(s).
  2. Any subject can read any object.
  3. s1 ∈ S can execute s2 ∈ S if and only if i(s2) ≤ i(s1).
• Eliminates indirect modification problem
• Does the information flow constraint hold?

Integrity Matrix Model
• Lipner proposed this as first realistic commercial model
• Combines Bell-LaPadula, Biba models to obtain model conforming to requirements
• Do it in two steps
  Bell-LaPadula component first
  Add in Biba component
[Lipner 82]

Requirements of Integrity Policies
1. Users will not write their own programs, but will use existing production programs and databases.
2. Programmers will develop and test programs on a non-production system; if they need access to actual data, they will be given production data via a special process, but will use it on their development system.
3. A special process must be followed to install a program from the development system onto the production system.
4. The special process in requirement 3 must be controlled and audited.
5. The managers and auditors must have access to both the system state and the system logs that are generated.
[Lipner 82]

Bell-LaPadula Clearances
• 2 security clearances/classifications
  AM (Audit Manager): system audit, management functions
  SL (System Low): any process can read at this level

Bell-LaPadula Categories
• 5 categories
  D (Development): production programs in development but not yet in use
  PC (Production Code): production processes, programs
  PD (Production Data): data covered by integrity policy
  SD (System Development): system programs in development but not yet in use
  T (Software Tools): programs on production system not related to protected data

Users and Security Levels
  Security Level                                       Subjects
  (SL, { D, PC, PD, SD, T }) and downgrade privilege   System controllers
  (AM, { D, PC, PD, SD, T })                           System managers and auditors
  (SL, { SD, T })                                      System programmers
  (SL, { D, T })                                       Application developers
  (SL, { PC, PD })                                     Ordinary users

Objects and Classifications
  Security Level          Objects
  (AM, { appropriate })   System and application logs
  (SL, { SD, T })         System programs in modification
  (SL, { })               System programs
  (SL, { T })             Software tools
  (SL, { PC, PD })        Production data
  (SL, { PC })            Production code
  (SL, { D, T })          Development code/test data

Lipner Lattice
[Figure: lattice of security levels, each node labelled with the subjects (S) and objects (O) assigned to it]
  (SL, {PC, PD, D, T, SD})   S: System controllers
  (AM, {...})                S: System managers; O: System logs
  (SL, {SD, T})              S: System programmers; O: Tools in modification
  (SL, {PC, PD})             S: Ordinary users; O: Production data
  (SL, {D, T})               S: Developers; O: Development code
  (SL, {T})                  O: Software tools
  (SL, {PC})                 O: Production code
  (SL, {})                   O: System programs

Ideas
• Ordinary users can execute (read) production code but cannot alter it
• Ordinary users can alter and read production data
• System managers need access to all logs but cannot change levels of objects
• System
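The three Biba policies from the earlier slides (strict, low-water-mark, ring) as decision functions, written as an added example rather than taken from the lecture; integer levels, the Entity class and the subject/object names are constructed for illustration, and lwm_path walks an information transfer path to show why information can only flow down under low-water-mark.

```python
# Added example (not from the lecture slides): the three Biba policies as
# decision functions over integer integrity levels. A larger integer is a
# higher (more trusted) level. Subject and object names are constructed.
from dataclasses import dataclass


@dataclass
class Entity:
    name: str
    level: int  # integrity level i(entity)


def strict_read(s: Entity, o: Entity) -> bool:
    """Strict integrity: s may read o iff i(s) <= i(o) (no reads down)."""
    return s.level <= o.level


def can_write(s: Entity, o: Entity) -> bool:
    """Write rule shared by all three policies: i(o) <= i(s) (no writes up)."""
    return o.level <= s.level


def can_execute(s1: Entity, s2: Entity) -> bool:
    """Execute rule shared by all three policies: i(s2) <= i(s1)."""
    return s2.level <= s1.level


def lwm_read(s: Entity, o: Entity) -> int:
    """Low-water-mark: the read is always allowed, but afterwards
    i'(s) = min(i(s), i(o)). Returns the subject's new level."""
    s.level = min(s.level, o.level)
    return s.level


def ring_read(s: Entity, o: Entity) -> bool:
    """Ring policy: any subject may read any object; levels never change."""
    return True


def lwm_path(object_levels: list, subject_levels: list) -> int:
    """Walk an information transfer path o1, s1, o2, s2, ..., o_{n+1} under
    low-water-mark: s_i reads o_i (possibly lowering its level) and then
    tries to write o_{i+1}. Returns how many objects past o1 the information
    actually reached; the walk stops at the first refused write."""
    reached = 0
    for i, s_level in enumerate(subject_levels):
        s = Entity(f"s{i + 1}", s_level)
        lwm_read(s, Entity(f"o{i + 1}", object_levels[i]))
        if not can_write(s, Entity(f"o{i + 2}", object_levels[i + 1])):
            break
        reached = i + 1
    return reached
```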
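The Bell-LaPadula component of Lipner's model, checked against the subject and object levels on the slides; this is an added example, not the lecture's code. Clearances are ordered SL < AM, categories are compared as sets, and the single log object with its category set is an assumed instance of the slide's "(AM, {appropriate})".

```python
# Added example (not from the lecture slides): the Bell-LaPadula component of
# Lipner's model as a lattice of (clearance, category-set) levels, populated
# with the subject and object levels listed on the slides.
CLEARANCE_RANK = {"SL": 0, "AM": 1}  # System Low < Audit Manager

SUBJECTS = {
    "ordinary users": ("SL", {"PC", "PD"}),
    "application developers": ("SL", {"D", "T"}),
    "system programmers": ("SL", {"SD", "T"}),
    "system managers and auditors": ("AM", {"D", "PC", "PD", "SD", "T"}),
    "system controllers": ("SL", {"D", "PC", "PD", "SD", "T"}),
}

OBJECTS = {
    "development code/test data": ("SL", {"D", "T"}),
    "production code": ("SL", {"PC"}),
    "production data": ("SL", {"PC", "PD"}),
    "software tools": ("SL", {"T"}),
    "system programs": ("SL", set()),
    "system programs in modification": ("SL", {"SD", "T"}),
    # The slide gives logs the level (AM, {appropriate}); a log of production
    # activity is assumed here to carry the production categories.
    "production log": ("AM", {"PC", "PD"}),
}


def dominates(a, b) -> bool:
    """(c1, K1) dominates (c2, K2) iff c1 >= c2 and K2 is a subset of K1."""
    (c1, k1), (c2, k2) = a, b
    return CLEARANCE_RANK[c1] >= CLEARANCE_RANK[c2] and k2 <= k1


def can_read(subject: str, obj: str) -> bool:
    """Simple security property: s may read o iff level(s) dominates level(o)."""
    return dominates(SUBJECTS[subject], OBJECTS[obj])


def can_write(subject: str, obj: str) -> bool:
    """*-property: s may write o iff level(o) dominates level(s) (write up)."""
    return dominates(OBJECTS[obj], SUBJECTS[subject])


def access_matrix(subject: str) -> dict:
    """Map every object to the (read, write) rights the subject holds on it."""
    return {o: (can_read(subject, o), can_write(subject, o)) for o in OBJECTS}
```

The assertions that follow from the "Ideas" slide hold (ordinary users read but cannot alter production code, and read and alter production data), and Requirement 2 is visible too: application developers cannot read production data directly.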