Pitt IS 2935 - Confidentiality and Integrity Policies

September 18, 2003
Courtesy of Professors Chris Clifton & Matt Bishop
INFSCI 2935: Introduction to Computer Security
Lecture 4: Confidentiality and Integrity Policies

Outline of slides:
- Bell-LaPadula: Basics
- "No Read Up"
- "No Write Down"
- Bell-LaPadula Model: Categories
- Lattice of categories
- Access Rules
- Problem: No write-down
- Principle of Tranquility
- Types of Tranquility
- Slide 11
- Slide 12
- Overview
- Requirements of Commercial Integrity Policies (Lipner)
- Integrity Policy: Principles of operation
- Biba's Integrity Policy Model
- Policies
- LOCUS and Biba
- Lipner: Integrity Matrix
- Slide 20
- Check against the requirement
- Slide 22
- Problem
- Lipner's full model: Introduce integrity levels
- Simplify Bell-LaPadula
- Users and Levels
- Key Ideas for Assigning Integrity Levels to Objects
- Objects and Classifications
- What can an ordinary user do?
- Clark-Wilson Integrity Model
- Clark/Wilson Model Entities
- Clark/Wilson: Certification/Enforcement Rules
- Clark/Wilson: Certification/Enforcement Rules
- Slide 34
- Comparison With Requirements
- Slide 36
- Summary
- Slide 38
- Chinese Wall Model
- Example
- CW-Simple Security Property (Read rule)
- Writing
- CW-*-Property (Write rule)
- Compare to Bell-LaPadula
- Slide 45
- Compare to Clark-Wilson
- Clinical Information Systems Security Policy (Anderson)
- Assumptions and Principles
- Access
- Slide 50
- Slide 51
- Slide 52
- Creation
- Deletion
- Confinement
- Aggregation
- Enforcement
- Slide 58
- Slide 59
- ORCON
- Requirements
- MAC Fails
- Role Based Access Control (RBAC)
- RBAC
- Advantages of RBAC
- Slide 66

Bell-LaPadula: Basics
- Mandatory access control
- Entities are assigned security levels
  - Subject has security clearance L(s) = ls
  - Object has security classification L(o) = lo
- Simplest case: security levels are arranged in a linear order li < li+1
- Example: Top Secret > Secret > Confidential > Unclassified

"No Read Up"
- Information is allowed to flow up, not down
- Simple security property: s can read o if and only if lo ≤ ls and s has read access to o
  - Combines mandatory (security levels) and discretionary (permission required)
  - Prevents subjects from reading objects at higher levels (No Read Up rule)

"No Write Down"
- Information is allowed to flow up, not down
- *-property: s can write o if and only if ls ≤ lo and s has write access to o
  - Combines mandatory (security levels) and discretionary (permission required)
  - Prevents subjects from writing to objects at lower levels (No Write Down rule)

Bell-LaPadula Model: Categories
- A total order of classifications is not flexible enough
  - Alice cleared for missiles; Bob cleared for warheads; both cleared for targets
- Solution: Categories
  - Use a set of compartments (from the power set of compartments)
  - Enforces the "need to know" principle
- Security levels are pairs (level, category set)
  - (Top Secret, {Nuc, Eur, Asi})
  - (Top Secret, {Nuc, Asi})
- Dominates relation
  - (L, C) dominates (L', C') if and only if L' ≤ L and C' is a subset of C
  - Induces a lattice of security levels

Lattice of categories
- Bottom: {}
- {Nuc}, {Eur}, {Us}
- {Nuc, Eur}, {Nuc, Us}, {Eur, Us}
- Top: {Nuc, Eur, Us}
- Examples of levels
  - (Top Secret, {Nuc, Asi}) dom (Secret, {Nuc})?
  - (Secret, {Nuc, Eur}) dom (Confidential, {Nuc, Eur})?
  - (Top Secret, {Nuc}) dom (Confidential, {Eur})?
- Bounds
  - Greatest lower bound, glb
  - Least upper bound, lub
  - glb of {Nuc, Us} and {Eur, Us}?
  - lub of {Nuc, Us} and {Eur, Us}?

Access Rules
- Simple Security Condition: S can read O if and only if the clearance of S dominates the classification of O and S has read access to O
- *-Property: S can write O if and only if the classification of O dominates the clearance of S and S has write access to O
- Secure system: one with the above properties
- Theorem: Let Σ be a system with secure initial state σ0, and T be a set of state transformations. If every element of T follows the rules, every state σi is secure.

Problem: No write-down
- A cleared subject can't communicate with a non-cleared subject
  - Any write from li to lk, i > k, would violate the *-property
    - A subject at li can only write to li and above
  - Any read from lk to li, i > k, would violate the simple security property
    - A subject at lk can only read from lk and below
  - A subject at level i can't write something readable by a subject at level k
- Not very practical
- Solution: allow a maximum level and a current level.

Principle of Tranquility
- Should we change classification levels?
- Raising an object's security level
  - Information once available to some subjects is no longer available
  - Usually assumes the information has already been accessed
  - Simple security property violated?
- Lowering an object's security level
  - Simple security property violated?
  - The declassification problem
  - Essentially, a "write down" violating the *-property
  - Solution: define a set of trusted subjects that sanitize or remove sensitive information before the security level is lowered

Types of Tranquility
- Strong Tranquility: the clearances of subjects, and the classifications of objects, do not change during the lifetime of the system
- Weak Tranquility
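The dominates relation, the glb/lub bounds on the category lattice and the two Bell-LaPadula access rules from the slides above, worked in code. This is an added illustration, not part of the lecture material; the classification names and the category labels (Nuc, Eur, Asi, Us) are taken from the slides, the function names are my own.

```python
# Bell-LaPadula with categories: a security level is (classification, category set).
# Added example: dominates relation, lattice bounds and the simple security / *-property
# checks from the slides. Not part of the original lecture; function names are assumed.
from typing import FrozenSet, Tuple

# Linear order of classifications, lowest first (the ordering used on the slides).
CLASSIFICATIONS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}

Level = Tuple[str, FrozenSet[str]]  # (classification, categories)


def level(cls: str, *cats: str) -> Level:
    """Build a security level, e.g. level("Top Secret", "Nuc", "Asi")."""
    return (cls, frozenset(cats))


def dominates(a: Level, b: Level) -> bool:
    """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
    (l, c), (l2, c2) = a, b
    return RANK[l2] <= RANK[l] and c2 <= c


def glb(a: Level, b: Level) -> Level:
    """Greatest lower bound: the lower classification and the common categories."""
    return (min(a[0], b[0], key=RANK.get), a[1] & b[1])


def lub(a: Level, b: Level) -> Level:
    """Least upper bound: the higher classification and the union of categories."""
    return (max(a[0], b[0], key=RANK.get), a[1] | b[1])


def can_read(subject: Level, obj: Level, has_read_perm: bool) -> bool:
    """Simple security condition: the subject's clearance must dominate the
    object's classification (no read up) AND discretionary read access must exist."""
    return has_read_perm and dominates(subject, obj)


def can_write(subject: Level, obj: Level, has_write_perm: bool) -> bool:
    """*-property: the object's classification must dominate the subject's
    clearance (no write down) AND discretionary write access must exist."""
    return has_write_perm and dominates(obj, subject)
```

The three "dom" questions on the lattice slide resolve to yes, yes, no: the last fails because {Eur} is not a subset of {Nuc}, even though Top Secret is above Confidential.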