Slide 1: IS 2150 / TEL 2810 Introduction to Security
James Joshi, Associate Professor, SIS
Lecture 6, October 6, 2009
Hybrid Models; Role-Based Access Control

Deck outline: Objective; Clark-Wilson Integrity Model; Clark-Wilson Model Entities; Clark-Wilson Certification/Enforcement Rules; Chinese Wall Model; Example; CW-Simple Security Property (read rule); Writing; CW-*-Property (write rule); Role-Based Access Control (RBAC); RBAC (NIST Standard); Core RBAC (relations); RBAC with Role Hierarchy; RBAC with General Role Hierarchy; Constrained RBAC; Static Separation of Duty; Dynamic Separation of Duty; Can we represent BLP using RBAC?; Advantages of RBAC; RBAC's Benefits; Cost Benefits; Problem: Consistent Policies; Secure Interoperability; Secure Interoperability (Example); Summary

Slide 2: Objective
- Define and understand integrity models: Clark-Wilson
- Define and understand the Chinese Wall model
- The role-based access control model
- Overview of the secure interoperation issue

Slide 3: Clark-Wilson Integrity Model
- Transactions are the basic operation
- Integrity is defined by a set of constraints; data is in a consistent (valid) state when it satisfies them
- Example (bank): D = today's deposits, W = today's withdrawals, YB = yesterday's balance, TB = today's balance. Integrity constraint: TB = YB + D - W
- Well-formed transaction: a series of operations that moves the system from one consistent state to another (if the state before the transaction is consistent, the state after it is consistent)
- Issue: who examines and certifies that transactions are done correctly? Separation of duty is crucial

Slide 4: Clark-Wilson Model Entities
- Constrained Data Items (CDI): data subject to integrity control, e.g. account balances
- Unconstrained Data Items (UDI): data not subject to integrity control, e.g. gifts given to the account holders
- Integrity Verification Procedures (IVP): test the CDIs' conformance to the integrity constraints at the time the IVP is run (e.g. checking that the accounts balance)
- Transformation Procedures (TP): examples? (in the bank example: a deposit, a withdrawal)

Slide 5: Clark-Wilson: Certification/Enforcement Rules
- C1: When any IVP is run, it must ensure that all CDIs are in a valid state
- C2: A TP must transform a set of CDIs from a valid state to another valid state; a TP must not be used on CDIs it is not certified for
- E1: The system must maintain the certified relations: the (TP, {CDI}) sets are enforced

Slide 6: Clark-Wilson: Certification/Enforcement Rules
- E2: The system must control users: the (user, TP, {CDI}) mappings are enforced
- C3: The relations (user, TP, {CDI}) must support separation of duty
- E3: Users must be authenticated to execute a TP. Note: unauthenticated users may still manipulate UDIs

Slide 7: Clark-Wilson: Certification/Enforcement Rules
- C4: All TPs must log undo information to an append-only CDI (so that an operation can be reconstructed)
- C5: A TP taking a UDI as input must either reject it or transform it into a CDI
- E4: Only the certifier of a TP may change the list of entities associated with that TP, and the certifier cannot execute it. This enforces separation of duty between certifying a TP and using it (?)

Slide 8: Clark-Wilson
Clark-Wilson introduced new ideas:
- Commercial firms do not classify data using a multilevel scheme; they enforce separation of duty
- The notion of certification is different from enforcement: enforcement rules can be enforced by the system, certification rules need outside intervention, and the process of certification is complex and error prone

Slide 9: Hybrid Policies

Slide 10: Chinese Wall Model
- Supports confidentiality and integrity
- Controls information flow between items in a conflict-of-interest set
- Applicable to the environment of a stock exchange or investment house
- Models conflict of interest
- Objects: items of information related to a company
- Company dataset (CD): contains objects related to a single company; written CD(O)
- Conflict of interest class (COI): contains the datasets of companies in competition; written COI(O)
- Assumption: each object belongs to exactly one COI class

Slide 11: Example
- Bank COI class: Bank of America, Citizens Bank, PNC Bank
- Gasoline company COI class: Shell Oil, Union '76, Standard Oil, ARCO

Slide 12: CW-Simple Security Property (read rule)
s can read o if any of the following holds:
- there exists o' in PR(s) such that CD(o') = CD(o)
- for all o' in PR(s), COI(o') != COI(o), or
- o has been "sanitized"
(o' in PR(s) indicates that o' has been previously read by s)
- Public information may belong to a CD; no conflict of interest arises from it
- Sensitive data is sanitized before it is made public

Slide 13: Writing
- Alice and Bob work in the same trading house
- Alice can read Bank of America's CD, Bob can read Citizens Bank's CD, both can read ARCO's CD
- Alice could write to ARCO's CD: what is the problem? (Bob, who reads Citizens Bank's data, could then read Bank of America information that Alice copied into ARCO's dataset)

Slide 14: CW-*-Property (write rule)
s can write o iff both of the following hold:
1. The CW-simple security condition permits s to read o
2. For all unsanitized objects o': if s can read o', then CD(o') = CD(o)
- Alice can read both CDs: is condition 1 met?
- She can read unsanitized objects of Bank of America, hence condition 2 is false
- Can Alice write to objects in ARCO's CD?

Slide 15: Role-Based Access Control

Slide 16: Role-Based Access Control (RBAC)
- Access control in organizations is based on "roles that individual users take on as part of the organization"
- Access depends on function, not identity
- Example: Allison is the bookkeeper for the Math Dept. She has access to the financial records. If she leaves and Betty is hired as the new bookkeeper, Betty now has access to those records. The role of "bookkeeper" dictates access, not the identity of the individual
- A role is "a collection of permissions"

Slide 17: RBAC
[Figure: (a) users u1..un assigned directly to permissions o1..om: n x m assignments; (b) users assigned to a role r, and r assigned the permissions: n + m assignments]
[Figure: example role hierarchy with the roles Administrator, Employee, Engineer, Senior Engineer, Senior Administrator, Manager]
- Total number of assignments possible?

Slide 18: RBAC (NIST Standard)
[Figure: Users linked to Roles by UA, Roles linked to Permissions (Operations on Objects) by PA; Sessions linked to Users by user_sessions (one-to-many) and to Roles by role_sessions (many-to-many)]
- What model entity would relate to the traditional notion of subject?
- Total number of subjects possible?
- Role vs group?

Slide 19: Core RBAC (relations)
- Permissions = 2^(Operations x Objects)
- UA ⊆ Users x Roles
- PA ⊆ Permissions x Roles
- assigned_users: Roles -> 2^Users
- assigned_permissions: Roles -> 2^Permissions
- Op(p): set of operations associated with permission p
- Ob(p):
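The Clark-Wilson rules on slides 5 to 7 are easier to see as a running monitor. The following is an added example and not code from the lecture or its author: a small reference monitor that enforces E1 to E4 at run time, checks C2 by running the IVP after every TP, keeps the C4 undo log, and shows a TP rejecting a malformed UDI (C5). The bank constraint TB = YB + D - W is the one from slide 3; the monitor class, the TP functions, the user names and the amounts are assumptions made for the example.

```python
# Added example (not from the lecture slides): a small Clark-Wilson reference
# monitor for the bank scenario of slides 3 to 7.  Rule names follow the slides;
# the monitor class, TP functions, user names and amounts are assumptions.

class AccessDenied(Exception):
    """An enforcement rule (E1 to E4) blocked the request."""

class IntegrityViolation(Exception):
    """A TP would have left the CDIs in an invalid state (C2)."""

class ClarkWilsonMonitor:
    def __init__(self, cdis, ivp):
        self.cdis = dict(cdis)      # constrained data items, name -> value
        self.ivp = ivp              # integrity verification procedure, dict -> bool
        self.undo_log = []          # C4: append-only CDI holding undo records
        self.tps = {}               # E1: TP name -> (function, certified CDIs, certifier)
        self.user_tps = {}          # E2: user -> {TP name -> CDIs that user may touch}
        self.authenticated = set()  # E3

    def certify_tp(self, certifier, name, func, cdi_names):
        # C2 certification is a human step outside the system; the monitor only
        # records its outcome so that E1 can enforce the (TP, {CDI}) relation.
        self.tps[name] = (func, frozenset(cdi_names), certifier)

    def assign(self, requester, user, tp_name, cdi_names):
        _, certified, certifier = self.tps[tp_name]
        if requester != certifier:
            raise AccessDenied("E4: only the certifier may change a TP's entity list")
        if user == certifier:
            raise AccessDenied("E4: the certifier of a TP may not execute it")
        if not set(cdi_names) <= certified:
            raise AccessDenied("E1: TP is not certified for these CDIs")
        self.user_tps.setdefault(user, {})[tp_name] = frozenset(cdi_names)

    def login(self, user):
        self.authenticated.add(user)

    def execute(self, user, tp_name, *args):
        if user not in self.authenticated:
            raise AccessDenied("E3: authenticate before running a TP")
        allowed = self.user_tps.get(user, {}).get(tp_name)
        if allowed is None:
            raise AccessDenied("E2: no (user, TP, {CDI}) triple for this request")
        func = self.tps[tp_name][0]
        working = {k: self.cdis[k] for k in allowed}  # the TP sees only its CDIs
        func(working, *args)                          # a TP may raise to reject a UDI (C5)
        candidate = dict(self.cdis, **working)
        if not self.ivp(candidate):                   # C2: valid state -> valid state
            raise IntegrityViolation("TP left the CDIs in an invalid state; discarded")
        self.undo_log.append((user, tp_name, {k: self.cdis[k] for k in allowed}))
        self.cdis = candidate
        return candidate

def bank_ivp(c):
    return c["TB"] == c["YB"] + c["D"] - c["W"]   # the constraint from slide 3

def deposit(c, amount):
    c["D"] += amount
    c["TB"] += amount

def withdraw(c, amount):
    if amount > c["TB"]:
        raise ValueError("insufficient funds")
    c["W"] += amount
    c["TB"] -= amount

def accept_gift(c, udi):
    # C5: the amount typed in for a gift is a UDI; validate it or reject it
    try:
        amount = int(udi)
    except (TypeError, ValueError):
        raise ValueError("C5: malformed UDI rejected") from None
    if amount <= 0:
        raise ValueError("C5: non-positive gift rejected")
    deposit(c, amount)

def sloppy_credit(c, amount):
    c["TB"] += amount   # never records the deposit, so it breaks the constraint

def _raises(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False

def bank_demo():
    """Run the scenario and return what happened at each step."""
    m = ClarkWilsonMonitor({"YB": 1000, "D": 0, "W": 0, "TB": 1000}, bank_ivp)
    officer = "carol"   # assumed security officer who certifies TPs
    for name, fn in [("deposit", deposit), ("withdraw", withdraw),
                     ("accept_gift", accept_gift), ("sloppy_credit", sloppy_credit)]:
        m.certify_tp(officer, name, fn, ["YB", "D", "W", "TB"])
    # C3: separation of duty, deposits and withdrawals go to different clerks
    m.assign(officer, "alice", "deposit", ["D", "TB"])
    m.assign(officer, "alice", "accept_gift", ["D", "TB"])
    m.assign(officer, "alice", "sloppy_credit", ["TB"])
    m.assign(officer, "bob", "withdraw", ["W", "TB"])
    m.login("alice")
    m.login("bob")
    out = {}
    out["after_deposit"] = m.execute("alice", "deposit", 100)["TB"]
    out["after_withdraw"] = m.execute("bob", "withdraw", 30)["TB"]
    out["certifier_blocked"] = _raises(AccessDenied, m.assign, officer, officer, "withdraw", ["W", "TB"])
    out["unassigned_blocked"] = _raises(AccessDenied, m.execute, "alice", "withdraw", 1)
    out["unauthenticated_blocked"] = _raises(AccessDenied, m.execute, "dave", "deposit", 1)
    out["invalid_state_blocked"] = _raises(IntegrityViolation, m.execute, "alice", "sloppy_credit", 5)
    out["bad_udi_rejected"] = _raises(ValueError, m.execute, "alice", "accept_gift", "-50")
    out["after_gift"] = m.execute("alice", "accept_gift", "25")["TB"]
    out["ivp_holds"] = m.ivp(m.cdis)
    out["undo_records"] = len(m.undo_log)
    return out
```

The `sloppy_credit` TP illustrates the point of slide 8: it was "certified" for all four CDIs, yet it violates the constraint. Certification is outside the system and error prone, so the monitor still runs the IVP after every TP and discards the state rather than trusting the certificate alone.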
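The read and write rules of slides 12 and 14, run over the COI classes of slide 11 and the Alice/Bob scenario of slide 13, as an added example that is not part of the lecture material. The `ChineseWall` class, the object names and the choice of which objects are sanitized are assumptions; CD, COI and PR(s) are the slides' own notions.

```python
# Added example (not from the lecture slides): the CW-simple security property
# (slide 12) and the CW-*-property (slide 14) over the COI classes of slide 11.
# The class, the object names and the sanitized objects are assumptions.

class ChineseWall:
    def __init__(self, coi_classes):
        # coi_classes: {COI name: {company dataset name: set of object names}}
        self.cd_of = {}     # CD(o)
        self.coi_of = {}    # COI(o)
        for coi, datasets in coi_classes.items():
            for cd, objects in datasets.items():
                for o in objects:
                    self.cd_of[o] = cd
                    self.coi_of[o] = coi
        self.sanitized = set()
        self.pr = {}        # PR(s): objects previously read by subject s

    def sanitize(self, o):
        self.sanitized.add(o)

    def can_read(self, s, o):
        """CW-simple security property: any one of the three conditions suffices."""
        pr = self.pr.get(s, set())
        if o in self.sanitized:
            return True
        if any(self.cd_of[p] == self.cd_of[o] for p in pr):
            return True                         # s already reads this company's data
        return all(self.coi_of[p] != self.coi_of[o] for p in pr)  # no competitor read yet

    def read(self, s, o):
        if not self.can_read(s, o):
            raise PermissionError(f"{s} may not read {o}")
        self.pr.setdefault(s, set()).add(o)     # the read is recorded in PR(s)

    def can_write(self, s, o):
        """CW-*-property: both conditions must hold."""
        if not self.can_read(s, o):             # condition 1
            return False
        # condition 2: every unsanitized object s can read must lie in CD(o),
        # otherwise s could copy a competitor's data into o for someone else to read
        return all(self.cd_of[p] == self.cd_of[o]
                   for p in self.cd_of
                   if p not in self.sanitized and self.can_read(s, p))

def trading_house_demo():
    wall = ChineseWall({
        "banks": {"BankOfAmerica": {"BofA-ledger"},
                  "CitizensBank": {"Citizens-ledger"},
                  "PNC": {"PNC-ledger"}},
        "gasoline": {"Shell": {"Shell-press-release"},
                     "ARCO": {"ARCO-report"}},
    })
    wall.sanitize("Shell-press-release")   # public information: no conflict arises
    out = {}
    wall.read("alice", "BofA-ledger")
    out["alice_reads_citizens"] = wall.can_read("alice", "Citizens-ledger")  # same COI
    out["alice_reads_arco"] = wall.can_read("alice", "ARCO-report")          # other COI
    wall.read("alice", "ARCO-report")
    wall.read("bob", "Citizens-ledger")
    wall.read("bob", "ARCO-report")
    # slides 13 and 14: Alice may read ARCO's CD (condition 1) but also reads
    # unsanitized Bank of America objects, so condition 2 fails
    out["alice_writes_arco"] = wall.can_write("alice", "ARCO-report")
    out["alice_writes_citizens"] = wall.can_write("alice", "Citizens-ledger")
    # why it matters: Bob, a Citizens Bank reader, can read whatever lands in ARCO's CD
    out["bob_reads_arco"] = wall.can_read("bob", "ARCO-report")
    out["bob_reads_shell"] = wall.can_read("bob", "Shell-press-release")
    # once every other object Alice can read is sanitized, she may write to her own CD
    wall.sanitize("ARCO-report")
    out["alice_writes_bofa_after_sanitizing"] = wall.can_write("alice", "BofA-ledger")
    return out
```

Note how strict condition 2 is: as long as Alice can read any unsanitized object outside CD(o), she cannot write to o at all, which is why the last step has to sanitize ARCO's report before a write to Bank of America's dataset is allowed.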
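The Core RBAC relations of slides 18 and 19 (UA, PA, assigned_users, assigned_permissions, sessions) together with the role hierarchy of the slide 17 figure, as an added example that is not from the lecture. The `RBAC` class, the shape of the hierarchy (which role is senior to which), and the user and permission names are assumptions; the slides name the roles but not their ordering. The session check makes the slide 18 question concrete: the session, not the user, plays the part of the traditional subject, and the assignment counts compare the n + m and n x m figures of slide 17 over a small organisation.

```python
# Added example (not from the lecture slides): Core RBAC relations (slide 19)
# with sessions (slide 18) and a role hierarchy (slide 17).  The hierarchy
# edges, users, permissions and session ids are assumptions.

class RBAC:
    def __init__(self):
        self.UA = set()          # UA ⊆ Users × Roles
        self.PA = set()          # PA ⊆ Permissions × Roles; permission = (operation, object)
        self.juniors_of = {}     # role hierarchy: role -> roles directly junior to it
        self.sessions = {}       # session id -> (user, set of activated roles)

    def add_role(self, role, juniors=()):
        self.juniors_of[role] = set(juniors)

    def assign_user(self, user, role):
        self.UA.add((user, role))

    def grant(self, role, operation, obj):
        self.PA.add(((operation, obj), role))

    def juniors(self, role):
        # reflexive, transitive closure of the hierarchy below `role`
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors_of.get(r, ()))
        return seen

    def assigned_users(self, role):            # assigned_users: Roles -> 2^Users
        return {u for u, r in self.UA if r == role}

    def assigned_permissions(self, role):      # assigned_permissions: Roles -> 2^Permissions
        return {p for p, r in self.PA if r == role}

    def authorized_permissions(self, role):    # includes permissions inherited via the hierarchy
        return {p for j in self.juniors(role) for p in self.assigned_permissions(j)}

    def authorized_roles(self, user):          # roles the user may activate
        return {j for u, r in self.UA if u == user for j in self.juniors(r)}

    def create_session(self, sid, user, active_roles):
        # user_sessions is one-to-many and role_sessions many-to-many (slide 18):
        # a user may activate any subset of the roles they are authorized for
        if not set(active_roles) <= self.authorized_roles(user):
            raise PermissionError(f"{user} may not activate {set(active_roles)}")
        self.sessions[sid] = (user, set(active_roles))

    def check_access(self, sid, operation, obj):
        # the session is the subject: only its activated roles count, so a user
        # who activates a junior role runs with less than their full authority
        _, active = self.sessions[sid]
        return any((operation, obj) in self.authorized_permissions(r) for r in active)

    def role_assignment_count(self):           # |UA| + |PA|, the n + m side of slide 17
        return len(self.UA) + len(self.PA)

    def direct_assignment_count(self):         # user-to-permission pairs without roles, the n x m side
        users = {u for u, _ in self.UA}
        return sum(len({p for r in self.authorized_roles(u)
                        for p in self.assigned_permissions(r)}) for u in users)

def engineering_demo():
    """Assumed hierarchy over the roles named in the slide 17 figure."""
    rb = RBAC()
    rb.add_role("Employee")
    rb.add_role("Engineer", ["Employee"])
    rb.add_role("Administrator", ["Employee"])
    rb.add_role("SeniorEngineer", ["Engineer"])
    rb.add_role("SeniorAdministrator", ["Administrator"])
    rb.add_role("Manager", ["SeniorEngineer", "SeniorAdministrator"])
    rb.grant("Employee", "read", "timesheet")
    rb.grant("Engineer", "write", "repo")
    rb.grant("SeniorEngineer", "approve", "merge")
    rb.grant("Administrator", "create", "account")
    rb.grant("SeniorAdministrator", "delete", "account")
    rb.grant("Manager", "approve", "budget")
    for u in ("ann", "ben", "cho", "dev"):
        rb.assign_user(u, "Engineer")
    rb.assign_user("eve", "SeniorEngineer")
    rb.assign_user("fay", "SeniorAdministrator")
    rb.assign_user("gus", "Manager")
    out = {}
    rb.create_session("s1", "eve", ["Employee"])      # least privilege for routine work
    out["senior_as_employee_writes_repo"] = rb.check_access("s1", "write", "repo")
    rb.create_session("s2", "eve", ["SeniorEngineer"])
    out["senior_as_senior_writes_repo"] = rb.check_access("s2", "write", "repo")
    out["senior_approves_merge"] = rb.check_access("s2", "approve", "merge")
    try:
        rb.create_session("s3", "ann", ["Manager"])
        out["engineer_activates_manager"] = True
    except PermissionError:
        out["engineer_activates_manager"] = False
    out["manager_permissions"] = len(rb.authorized_permissions("Manager"))
    out["role_assignments"] = rb.role_assignment_count()
    out["direct_assignments"] = rb.direct_assignment_count()
    return out
```

Even on seven users and six permissions the role-based relations need 13 assignments against 20 direct user-to-permission pairs; the gap widens with every user added to a role, since a new engineer costs one UA tuple rather than one tuple per permission.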