CSC 474/574 Information Systems Security, Dr. Peng Ning, Computer Science
Topic 4.2: Lattice Based Access Control Models

LATTICE-BASED MODELS
• Information flow policies
  – Denning's axioms
• Bell-LaPadula model (BLP)
• Biba model and its duality (or equivalence) to BLP

Information Flow Policies
• Concerned with the flow of information from one security class to another.
  – Not between individual objects.
  – Does such a policy care about
    • information from the top secret class to the secret class?
    • information from file A to file B?
• Approach
  – Assign each object a security class (also called a security label).
  – Control information flow between objects based on their labels.
• "Information flows from security class A to security class B" means that information flows from an object labeled A to an object labeled B.

Denning's Definition of Information Flow Policy
  <SC, →, ⊕>
  SC: the set of security classes
  → ⊆ SC × SC: the flow relation (i.e., can-flow)
  ⊕: SC × SC → SC: the class-combining operator
• Intuitions:
  – A → B: information can flow from security class A to security class B.
  – A ⊕ B → C: information combined from A and B can flow to C.

Example 1
• High-low policy
  – Information can flow within each class and from the low class to the high class, but not from the high class to the low class.
• In Denning's formalism:
  – SC = {H, L}
  – → = {L → L, H → H, L → H}
  – ⊕ = {H ⊕ H = H, H ⊕ L = H, L ⊕ H = H, L ⊕ L = L}
Example 2
• Policy
  – Two departments A and B.
  – Four security classes:
    • {}: public information
    • {A}: only people working in A can access
    • {B}: only people working in B can access
    • {A, B}: only people working in both A and B can access
  – Never disclose any secret information.
• In Denning's formalism:
  – SC = {{}, {A}, {B}, {A, B}}
  – → = {{} → {}, {A} → {A}, {B} → {B}, {A, B} → {A, B}, {} → {A}, {} → {B}, {} → {A, B}, {A} → {A, B}, {B} → {A, B}}
  – ⊕ = {{} ⊕ {A} = {A}, {} ⊕ {B} = {B}, {} ⊕ {A, B} = {A, B}, {A} ⊕ {B} = {A, B}, {A} ⊕ {A, B} = {A, B}, {B} ⊕ {A, B} = {A, B}} (and X ⊕ X = X for every class X)

DENNING'S AXIOMS
  <SC, →, ⊕>
1. SC is finite.
2. → is a partial order on SC.
3. SC has a lower bound L such that L → A for all A ∈ SC.
4. ⊕ is a totally defined least upper bound operator on SC.

DENNING'S AXIOMS (Cont'd)
• Axiom 2: → is a partial order on SC
  – → is reflexive:
    • For all A in SC, A → A.
    • Intuition: information can flow within each class.
  – → is transitive:
    • If A → B and B → C, then A → C.
    • Intuition: if indirect flow is possible from A to C via B, then we should allow direct information flow from A to C.
    • Not always desirable.
  – → is anti-symmetric:
    • If A → B and B → A, then A = B.
    • Intuition: we don't need redundant classes.
    • Equivalently, if A → B and A ≠ B, then B ↛ A.

Example 3
• Which of the following are partial orders?
  – {A, B, C}, A → B, B → C, A → C
  – {A, B, C}, A → A, B → B, C → C
  – {A, B, C}, A → A, B → B, C → C, A → B

DENNING'S AXIOMS (Cont'd)
• Axiom 3: SC has a lower bound L such that L → A for all A in SC.
  – Existence of public information in the system.
DENNING'S AXIOMS (Cont'd)
• Axiom 4: ⊕ is a totally defined least upper bound (lub) operator on SC
  – A ⊕ B is defined for each pair A, B in SC.
    • Intuition: it is possible to combine information from any two classes.
  – The ⊕ operator is a least upper bound:
    • A → A ⊕ B and B → A ⊕ B for all A, B in SC.
    • If A → C and B → C, then A ⊕ B → C.
      – A ⊕ B is the least one among all the upper bounds of A and B.
  – The ⊕ operator can be applied to any number of security classes.

DENNING'S AXIOMS IMPLY
• SC is a universally bounded lattice:
  – there exists a greatest lower bound (glb) operator ⊗ (also called meet)
  – there exists a highest security class H

LATTICE STRUCTURES
• Reflexive and transitive edges are implied but not shown.
• Hierarchical classes, drawn with the can-flow relation: Unclassified → Confidential → Secret → Top Secret

LATTICE STRUCTURES
• The same hierarchical classes drawn with the dominance relation (≥), the inverse of can-flow: Top Secret ≥ Secret ≥ Confidential ≥ Unclassified

Categories and Compartments
• Categories: individual elements.
• Compartments: sets of categories.
  – The set of compartments is the power set of the set of categories.
  – Compartments form a subset lattice over the set of categories.
• Example:
  – The set of categories: {A, B}
  – The set of compartments: {{}, {A}, {B}, {A, B}}

LATTICE STRUCTURES (compartments and categories)
• Categories {ARMY, CRYPTO}: the compartments are {}, {ARMY}, {CRYPTO}, {ARMY, CRYPTO}; {} flows to {ARMY} and {CRYPTO}, both of which flow to {ARMY, CRYPTO}, and {ARMY} and {CRYPTO} are incomparable.

LATTICE STRUCTURES (compartments and categories)
• Categories {ARMY, NUCLEAR, CRYPTO}: the compartments are {}; {ARMY}, {NUCLEAR}, {CRYPTO}; {ARMY, NUCLEAR}, {ARMY, CRYPTO}, {NUCLEAR, CRYPTO}; and {ARMY, NUCLEAR, CRYPTO}. Each compartment flows to every compartment that contains it (the subset lattice).
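Denning's formalism, the three examples above, the four axioms and the compartment lattices in one runnable form, as an added Python example that is not part of the lecture slides. A flow relation is represented as a set of pairs (a, b) meaning a → b; the policies (high-low, the two-department subset lattice, the three Example 3 relations, the Unclassified..Top Secret chain and the {ARMY, NUCLEAR, CRYPTO} compartments) are constructed here from the slides' descriptions, and the function names are my own.

```python
from itertools import combinations

# Added example (not from the slides): Denning's policy <SC, ->, (+)> in Python.
# A flow relation is a set of pairs (a, b) meaning a -> b; all policies below
# are constructed from the slides' examples.


def is_reflexive(sc, flow):
    return all((a, a) in flow for a in sc)


def is_transitive(flow):
    return all((a, d) in flow for (a, b) in flow for (c, d) in flow if b == c)


def is_antisymmetric(flow):
    return all(a == b for (a, b) in flow if (b, a) in flow)


def is_partial_order(sc, flow):  # Axiom 2
    return is_reflexive(sc, flow) and is_transitive(flow) and is_antisymmetric(flow)


def lower_bounds(sc, flow):  # Axiom 3: the system's public class, if any
    return {l for l in sc if all((l, a) in flow for a in sc)}


def upper_bounds(sc, flow):  # the highest class H that the axioms imply
    return {h for h in sc if all((a, h) in flow for a in sc)}


def lub(sc, flow, a, b):
    """a (+) b: the least of the common upper bounds, or None if there is none."""
    ubs = [u for u in sc if (a, u) in flow and (b, u) in flow]
    least = [u for u in ubs if all((u, v) in flow for v in ubs)]
    return least[0] if len(least) == 1 else None


def glb(sc, flow, a, b):
    """The meet (x): greatest common lower bound, which the axioms imply exists."""
    lbs = [l for l in sc if (l, a) in flow and (l, b) in flow]
    greatest = [l for l in lbs if all((m, l) in flow for m in lbs)]
    return greatest[0] if len(greatest) == 1 else None


def satisfies_denning_axioms(sc, flow):
    """Axioms 1-4: SC finite (a Python set always is), partial order, a bottom, a total lub."""
    return (is_partial_order(sc, flow)
            and bool(lower_bounds(sc, flow))
            and all(lub(sc, flow, a, b) is not None for a in sc for b in sc))


def join_table(sc, flow):
    """The full (+) table: information combined from a and b may flow to a (+) b."""
    return {(a, b): lub(sc, flow, a, b) for a in sc for b in sc}


def flow_from(sc, can_flow):
    """Build the relation from a predicate can_flow(a, b) meaning a -> b."""
    return {(a, b) for a in sc for b in sc if can_flow(a, b)}


def compartments(categories):
    """All compartments: the power set of the categories (a subset lattice)."""
    cats = sorted(categories)
    return {frozenset(c) for r in range(len(cats) + 1) for c in combinations(cats, r)}


def hasse_edges(sc, flow):
    """Edges drawn in a lattice diagram: reflexive and transitive edges are implied."""
    return {(a, b) for (a, b) in flow if a != b and not any(
        c not in (a, b) and (a, c) in flow and (c, b) in flow for c in sc)}


# Example 1: the high-low policy.
HL_SC = {"H", "L"}
HL_FLOW = {("L", "L"), ("H", "H"), ("L", "H")}

# Example 2: two departments; a class is a subset of {A, B} and flow is subset.
DEPT_SC = compartments({"A", "B"})
DEPT_FLOW = flow_from(DEPT_SC, lambda a, b: a <= b)

# Example 3: three candidate relations over {A, B, C}.
E3_SC = {"A", "B", "C"}
E3_RELATIONS = {
    "i": {("A", "B"), ("B", "C"), ("A", "C")},
    "ii": {("A", "A"), ("B", "B"), ("C", "C")},
    "iii": {("A", "A"), ("B", "B"), ("C", "C"), ("A", "B")},
}

# Hierarchical levels and the {ARMY, NUCLEAR, CRYPTO} compartment lattice.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
LEVEL_FLOW = flow_from(set(LEVELS), lambda a, b: LEVELS.index(a) <= LEVELS.index(b))
ANC_SC = compartments({"ARMY", "NUCLEAR", "CRYPTO"})
ANC_FLOW = flow_from(ANC_SC, lambda a, b: a <= b)

if __name__ == "__main__":
    print("Example 1 join table:", join_table(HL_SC, HL_FLOW))
    print("Example 2 flow pairs:", len(DEPT_FLOW),
          "join {A},{B} =", set(lub(DEPT_SC, DEPT_FLOW, frozenset("A"), frozenset("B"))))
    for name, rel in E3_RELATIONS.items():
        print("Example 3", name, "partial order:", is_partial_order(E3_SC, rel),
              "Denning lattice:", satisfies_denning_axioms(E3_SC, rel))
    print("ARMY/NUCLEAR/CRYPTO Hasse edges:", len(hasse_edges(ANC_SC, ANC_FLOW)))
```

Running it answers the slides' blanks and Example 3: the high-low join table is the one given above; the two-department relation has exactly nine pairs and {A} ⊕ {B} = {A, B}; relation (i) fails reflexivity, while (ii) and (iii) are partial orders but neither has a lower bound, so neither is a Denning lattice. For the compartments the lub is set union and the glb is set intersection, and the diagram of {ARMY, NUCLEAR, CRYPTO} has 12 drawn edges once reflexive and transitive ones are dropped.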
Combining Different Lattices
• Two lattices L1 = (SC1, →, ⊕) and L2 = (SC2, →, ⊕) can be combined into L = (SC, →, ⊕) as follows:
  – SC = SC1 × SC2
    • Intuition: the resulting security classes are all combinations of those in L1 and L2.
  – For (c1, c2) and (c1', c2') in SC, (c1, c2) → (c1', c2') if and only if c1 → c1' and c2 → c2'.
    • Intuition: information can flow from (c1, c2) to (c1', c2') if and only if L1 permits information flow from c1 to c1' and L2 permits information flow from c2 to c2'.
  – (c1, c2) ⊕ (c1', c2') = (c1 ⊕ c1', c2 ⊕ c2').
    • Intuition: combining security classes in L is equivalent to combining security classes in L1 and L2 separately.

LATTICE STRUCTURES
• Combined lattice: the product of the two lattices, the hierarchical levels {S, TS} and the compartments {{}, {A}, {B}, {A, B}}, giving the eight labels (S, {}), (S, {A}), (S, {B}), (S, {A, B}), (TS, {}), (TS, {A}), (TS, {B}), (TS, {A, B}).

SMITH'S LATTICE
• With large lattices a vanishingly small fraction of the labels will actually be used.
• Smith's lattice: 4 hierarchical levels, 8 compartments (i.e., 8 categories in the terminology above, since 2^8 counts their subsets), therefore
  – number of possible labels = 4 * 2^8 = 1024
  – only 21 labels are actually used (2%)
  – Consider 16 hierarchical levels, 64 compartments which
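The product construction and Smith's label count, as an added Python example that is not part of the lecture slides. A label is assumed to be a (level, compartment) pair; can-flow and ⊕ are defined component-wise exactly as on the "Combining Different Lattices" slide, and `meet` is added here by applying the same component-wise pattern to the glb. The level names, the categories and the function names are my own constructions; `join_is_lub` checks by brute force that the component-wise ⊕ really is the least upper bound under the product order.

```python
from itertools import combinations

# Added example (not from the slides): the product of a hierarchical-level
# lattice and a compartment lattice, with can-flow and (+) defined
# component-wise. A label is assumed to be a (level, compartment) pair; the
# levels and categories below are constructed for the example.

LEVELS = ["U", "C", "S", "TS"]  # Unclassified < Confidential < Secret < Top Secret


def level_flow(l1, l2):
    """c1 -> c1' in the level lattice: a lower or equal level flows upward."""
    return LEVELS.index(l1) <= LEVELS.index(l2)


def compartments(categories):
    """Power set of the categories: the second component lattice (subset order)."""
    cats = sorted(categories)
    return {frozenset(c) for r in range(len(cats) + 1) for c in combinations(cats, r)}


def product_lattice(levels, comps):
    """SC = SC1 x SC2: every combination of a level and a compartment."""
    return {(lvl, comp) for lvl in levels for comp in comps}


def can_flow(x, y):
    """(c1, c2) -> (c1', c2') iff c1 -> c1' in L1 and c2 -> c2' (subset) in L2."""
    (l1, c1), (l2, c2) = x, y
    return level_flow(l1, l2) and c1 <= c2


def join(x, y):
    """(c1, c2) (+) (c1', c2') = (c1 (+) c1', c2 (+) c2'): higher level, union."""
    (l1, c1), (l2, c2) = x, y
    return (max(l1, l2, key=LEVELS.index), c1 | c2)


def meet(x, y):
    """Component-wise glb (my addition): lower level, intersection of compartments."""
    (l1, c1), (l2, c2) = x, y
    return (min(l1, l2, key=LEVELS.index), c1 & c2)


def join_is_lub(sc):
    """Brute-force check that the component-wise join is the lub under can_flow."""
    for x in sc:
        for y in sc:
            j = join(x, y)
            ubs = [u for u in sc if can_flow(x, u) and can_flow(y, u)]
            if j not in ubs or not all(can_flow(j, u) for u in ubs):
                return False
    return True


def label_count(num_levels, num_categories):
    """Possible labels: levels * 2**categories (Smith: 4 * 2**8 = 1024)."""
    return num_levels * 2 ** num_categories


def used_fraction(labels_used, num_levels, num_categories):
    """Share of the possible labels that a deployment actually uses."""
    return labels_used / label_count(num_levels, num_categories)


# The slide's combined lattice: levels {S, TS} x compartments over {A, B}.
COMBINED = product_lattice(["S", "TS"], compartments({"A", "B"}))

if __name__ == "__main__":
    print(len(COMBINED), "labels; join is lub:", join_is_lub(COMBINED))
    print("(S,{A}) -> (TS,{A,B}):", can_flow(("S", frozenset("A")), ("TS", frozenset("AB"))))
    print("(TS,{A}) -> (S,{A,B}):", can_flow(("TS", frozenset("A")), ("S", frozenset("AB"))))
    print("Smith's lattice:", label_count(4, 8), "labels,", f"{used_fraction(21, 4, 8):.1%} used")
    print("16 levels, 64 categories:", label_count(16, 64), "labels")
```

The two `can_flow` calls show the "if and only if" in action: raising the level while adding a compartment is allowed, but lowering the level is refused even though the compartment set grows. The last line makes the point of the Smith's lattice slide concrete: with 16 levels and 64 categories the label space is 16 * 2^64, far beyond anything a real deployment could populate.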