U of I CS 498 - Integrity Policies

Slide #6-1
Integrity Policies
CS498SH – Information Assurance
Fall 2006
Susan Hinrichs
Based on slides provided by Matt Bishop for use with Computer Security: Art and Science

Slide #6-2 Reading
• Bishop: Chapter 6

Slide #6-3 Overview
• Requirements
– Very different than confidentiality policies
• Biba’s models
– Low-Water-Mark policy
– Ring policy
– Strict Integrity policy
• Lipner’s model
– Combines Bell-LaPadula, Biba
• Clark-Wilson model

Slide #6-4 Requirements of Integrity Policies
1. Users will not write their own programs, but will use existing production programs and databases.
2. Programmers will develop and test programs on a non-production system; if they need access to actual data, they will be given production data via a special process, but will use it on their development system.
3. A special process must be followed to install a program from the development system onto the production system.
4. The special process in requirement 3 must be controlled and audited.
5. The managers and auditors must have access to both the system state and the system logs that are generated.
Lipner 82

Slide #6-5 Biba Integrity Model
Basis for all 3 models:
• Set of subjects S, objects O, integrity levels I, relation ≤ ⊆ I × I holding when second dominates first
• min: I × I → I returns lesser of integrity levels
• i: S ∪ O → I gives integrity level of entity
• r ⊆ S × O means s ∈ S can read o ∈ O
• w, x defined similarly
Biba 77

Slide #6-6 Intuition for Integrity Levels
• The higher the level, the more confidence
– That a program will execute correctly
– That data is accurate and/or reliable
• Note relationship between integrity and trustworthiness
• Important point: integrity levels are not security levels

Slide #6-7 Information Transfer Path
• An information transfer path is a sequence of objects o1, ..., on+1 and corresponding sequence of subjects s1, ..., sn such that si r oi and si w oi+1 for all i, 1 ≤ i ≤ n.
• Idea: information can flow from o1 to on+1 along this path by successive reads and writes
(diagram: O1 → S2 → O2 → S3 → O3)

Slide #6-8 Low-Water-Mark Policy
• Idea: when s reads o, i(s) = min(i(s), i(o)); s can only write objects at lower levels
• Rules
1. s ∈ S can write to o ∈ O if and only if i(o) ≤ i(s).
2. If s ∈ S reads o ∈ O, then i′(s) = min(i(s), i(o)), where i′(s) is the subject’s integrity level after the read.
3. s1 ∈ S can execute s2 ∈ S if and only if i(s2) ≤ i(s1).

Slide #6-9 Information Flow and Model
• If there is an information transfer path from o1 ∈ O to on+1 ∈ O, enforcement of the low-water-mark policy requires i(on+1) ≤ i(o1) for all n
(diagram: O1 → S2 → O2 → S3 → O3, with the levels of S2 and S3 shown below the path)

Slide #6-10 Problems
• Subjects’ integrity levels decrease as system runs
– Soon no subject will be able to access objects at high integrity levels
• Alternative: change object levels rather than subject levels
– Soon all objects will be at the lowest integrity level
• Crux of problem is model prevents indirect modification
– Because subject levels lowered when subject reads from low-integrity objects

Slide #6-11 Ring Policy
• Idea: subject integrity levels static
• Rules
1. s ∈ S can write to o ∈ O if and only if i(o) ≤ i(s).
2. Any subject can read any object.
3. s1 ∈ S can execute s2 ∈ S if and only if i(s2) ≤ i(s1).
• Eliminates indirect modification problem
• Same information flow result holds

Slide #6-12 Strict Integrity Policy
• Dual of Bell-LaPadula model
1. s ∈ S can read o ∈ O iff i(s) ≤ i(o)
2. s ∈ S can write to o ∈ O iff i(o) ≤ i(s)
3. s1 ∈ S can execute s2 ∈ O iff i(s2) ≤ i(s1)
• Add compartments and discretionary controls to get full dual of Bell-LaPadula model
• Information flow result holds
– Different proof, though
• Term “Biba Model” refers to this

Slide #6-13 Execute Clarification
• What is the label of the new process created as a result of executing a file?
– In a real implementation there would probably be mechanisms for choosing the label of the invoking process, the label of the executable, or some combination.
• see Trusted OS slides
– Labeling new files has similar points of confusion
• For the base case, assume the new process inherits the integrity label of the invoking process
– This would be the minimum of the two labels

Slide #6-14 LOCUS and Biba
• Goal: prevent untrusted software from altering data or other software
• Approach: make levels of trust explicit
– credibility rating based on estimate of software’s trustworthiness (0 untrusted, n highly trusted)
– trusted file systems contain software with a single credibility level
– Process has risk level or highest credibility level at which process can execute
– Must use run-untrusted command to run software at lower credibility level
Pozzo, Gray 86

Slide #6-15 Integrity Matrix Model
• Lipner proposed this as first realistic commercial model
• Combines Bell-LaPadula, Biba models to obtain model conforming to requirements
• Do it in two steps
– Bell-LaPadula component first
– Add in Biba component
Lipner 82

Slide #6-16 Bell-LaPadula Clearances
• 2 security clearances/classifications
– AM (Audit Manager): system audit, management functions
– SL (System Low): any process can read at this level

Slide #6-17 Bell-LaPadula Categories
• 5 categories
– D (Development): production programs in development but not yet in use
– PC (Production Code): production processes, programs
– PD (Production Data): data covered by integrity policy
– SD (System Development): system programs in development but not yet in use
– T (Software Tools): programs on production system not related to protected data

Slide #6-18 Users and Security Levels
Subjects                        Security Level
Ordinary users                  (SL, { PC, PD })
Application developers          (SL, { D, T })
System programmers              (SL, { SD, T })
System managers and auditors    (AM, { D, PC, PD, SD, T })
System controllers              (SL, { D, PC, PD, SD, T }) and downgrade privilege

Slide #6-19 Objects and Classifications
Objects                         Classification
Development code/test           (SL, { D, T })
Production code                 (SL, { PC })
Production data                 (SL, { PC, PD })
Software tools                  (SL, { T })
System programs                 (SL, ∅)
System programs in modification (SL, { SD, T })
System and application logs     (AM, { appropriate })
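The three Biba policies of slides 6-8, 6-11 and 6-12 as one small reference monitor, plus the read/write sequence of an information transfer path (slide 6-7). This is an added example, not code from the slides; integrity levels are assumed to be integers (higher = more trusted) and the entity names are constructed.

```python
from enum import Enum

class Policy(Enum):
    LOW_WATER_MARK = "low-water-mark"
    RING = "ring"
    STRICT = "strict"

class BibaMonitor:
    """Access decisions for Biba's three policies over a table i: name -> level.
    Assumption: levels are ints, and i(o) <= i(s) means s dominates o."""
    def __init__(self, policy, levels):
        self.policy = policy
        self.i = dict(levels)   # copied: low-water-mark mutates subject levels

    def read(self, s, o):
        # Strict: "no read down" (rule 1 of slide 6-12). Ring and LWM: any read.
        if self.policy is Policy.STRICT and not self.i[s] <= self.i[o]:
            return False
        if self.policy is Policy.LOW_WATER_MARK:
            # Rule 2 of slide 6-8: i'(s) = min(i(s), i(o)) after the read.
            self.i[s] = min(self.i[s], self.i[o])
        return True

    def write(self, s, o):
        # Identical in all three policies: s may write o iff i(o) <= i(s).
        return self.i[o] <= self.i[s]

    def execute(self, s1, s2):
        # All three policies: s1 may execute s2 iff i(s2) <= i(s1).
        return self.i[s2] <= self.i[s1]

def transfer_path(monitor, objects, subjects):
    """Replay the path o1 -s1-> o2 -s2-> ... -> on+1 (si reads oi, writes oi+1).
    Returns True iff the monitor allows every read and write in order."""
    for k, s in enumerate(subjects):
        if not monitor.read(s, objects[k]):
            return False
        if not monitor.write(s, objects[k + 1]):
            return False
    return True

# Constructed scenario: a low-integrity o1 (level 1) and high-integrity o2, o3
# (level 3), with two trusted subjects at level 3 trying to relay o1 into o3.
UPWARD = {"o1": 1, "o2": 3, "o3": 3, "s1": 3, "s2": 3}
# Constructed scenario with i(o3) <= i(o1), as the slide 6-9 result permits.
DOWNWARD = {"o1": 3, "o2": 2, "o3": 1, "s1": 3, "s2": 2}
```

Under the low-water-mark policy the first read drags s1 down to level 1, so the write into o2 is refused and the path from o1 to o3 is blocked; under the strict policy the same path fails one step earlier, at the read.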
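The Bell-LaPadula component of Lipner's matrix model (slides 6-16 to 6-19), with the subject and object tables encoded as (clearance, category set) labels and the simple security and *-properties applied to them. Added example, not code from the slides; it assumes SL < AM as the clearance order, omits the logs (whose category set is only given as "appropriate") and does not model the system controllers' downgrade privilege.

```python
from itertools import product

CLEARANCE_RANK = {"SL": 0, "AM": 1}      # assumption: SL (System Low) < AM
ALL = ("D", "PC", "PD", "SD", "T")       # the five categories of slide 6-17

def level(clearance, *cats):
    return (clearance, frozenset(cats))

# Subjects, slide 6-18 (downgrade privilege of the controllers not modelled).
SUBJECTS = {
    "ordinary user":          level("SL", "PC", "PD"),
    "application developer":  level("SL", "D", "T"),
    "system programmer":      level("SL", "SD", "T"),
    "system manager/auditor": level("AM", *ALL),
    "system controller":      level("SL", *ALL),
}
# Objects, slide 6-19 (logs omitted: their category set is "appropriate").
OBJECTS = {
    "development code":       level("SL", "D", "T"),
    "production code":        level("SL", "PC"),
    "production data":        level("SL", "PC", "PD"),
    "software tools":         level("SL", "T"),
    "system programs":        level("SL"),             # (SL, empty set)
    "system programs in mod": level("SL", "SD", "T"),
}

def dominates(a, b):
    """(c1, K1) dom (c2, K2) iff c1 >= c2 in clearance order and K1 is a superset of K2."""
    return CLEARANCE_RANK[a[0]] >= CLEARANCE_RANK[b[0]] and a[1] >= b[1]

def allowed(subject, obj):
    """Bell-LaPadula decision: read needs L(s) dom L(o) (simple security),
    write needs L(o) dom L(s) (*-property)."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    rights = set()
    if dominates(s, o):
        rights.add("read")
    if dominates(o, s):
        rights.add("write")
    return rights

def access_matrix():
    """Every (subject, object) pair with its rights, for inspection."""
    return {(s, o): allowed(s, o) for s, o in product(SUBJECTS, OBJECTS)}
```

Note how the confidentiality lattice alone already reproduces requirement 3: a system programmer can read and write "system programs in modification" but can only read the installed system programs, so putting a new version into production needs the controllers' downgrade step rather than an ordinary write.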

