UMBC CMSC 426 - Security Policy, Security Models And a Look at Mandatory Access Control

Security Policy, Security Models And a Look at Mandatory Access Control
CMSC 426/626

Overview
• Background Terms
• Security Policy
  – Security Models
• Bell and LaPadula
• Type Enforcement

Security Phrases
• “Security is a process, not a product.” -- Bruce Schneier

Security Terms
• Orange Book
  – DoD Trusted Computer System Evaluation Criteria (TCSEC)

Background: Security Services – Tenets of Information Assurance
  CONFIDENTIALITY    Preventing disclosure. Privacy
  INTEGRITY          Absolute verification data has not been modified (Detection of a single bit change)
  AUTHENTICATION     Verification of originator (Signature on check)
  AVAILABILITY       Assurance of service on demand (Guaranteed dial tone)
  NON-REPUDIATION    Undeniable proof-of-participation (Sender/receiver in bank transaction)

Background: Security Services – Tenets of Information Assurance (continued)
  Security Service    Security Mechanism     Implementation
  Confidentiality     Encryption             AES, DES
  Integrity           Keyed Hash Function    HMAC, MD5, SHA-1, CRC
  Authentication      Login                  Unix Passwords
  Availability        Redundancy             Multiple Routers
  Non-repudiation     Digital Signatures     RSA signature
But wait there’s more…

Background: Security Services – Tenets of Information Assurance (continued)
  Security Service    Security Mechanism                                                   Implementation
  Access Control      Discretionary Access Control (DAC), Mandatory Access Control (MAC)   Unix Protection Bits, ACL, BLP
  Accountability      System Audit, IP Traceback                                           Syslog(3), /var/log/messages
  Object Reuse        OS file system                                                       “wipe disk”: dd if=/dev/zero

Security Policy
• Security Policy
  – “What security means to the user”
  – A document describing the rules and procedures governing an information system.

Security Model
• Expresses the requirements
  – Of the security policy

Security Model
• DAC
  – Access Control Matrix (Lampson): subjects PJones and PSmith as rows; objects PJones, PSmith, FileJones, FileSmith and LPR as columns; each cell holds the rights the subject has over the object (R, W, X, own, control, copy)
  – Access Rights: R, W, X, ownership, delegation, copy, …

System Development Path (diagram)
• Elements: Security Policy; Security Model (formal/informal); Security Requirements / Security Services; Functional Specification; Formal Specification (theorem provers); Implementation (abstract); Test
• Example OS lineage: MULTICS, UNIX, BSD, Linux, DTOS, FLUKE/FLASK, SELinux

Security Mechanisms
• Discretionary Access Control (DAC)
  – Subjects fully control objects under their control
    • Able to replicate the object and
    • pass that control to other subjects
• Mandatory Access Control (MAC)
  – Access control is mandated by system policy
  – This policy and the rules for access and dissemination cannot be changed by the subject
    • The owner of an object must abide by this policy
• MAC then DAC
  – In this order

Mandatory Access Control
• Security provided by the system
  – Application isn’t burdened with access decisions
  – Limits exposure from a compromise
• All access mediated by the system
• With granular control
  – Protect the application
    • Separation, safe execution
    • Limit exposure and risk of compromise

Background: Trojan Horse Attack (diagram)
• Restricted.txt has mode RW- --- ---; direct access by another user is denied
• The attacker writes a Trojan with extra functionality and entices the owner to run it
• Running as the owner, the Trojan does: cp restricted.txt foo.txt; chmod 777 foo.txt
• Mission accomplished: DAC is not enough

Security Terms
• Clearance
  – security level
• Labels - Markings - Classification
• Hierarchical Ordering
  – For example: Unrestricted < Company Proprietary < Company Secret
• Expressed as a Lattice
  – partially ordered set where every pair has a greatest lower bound and a least upper bound

Security Terms
• Subjects
• Objects
• Why these terms?
  – Classical COMPUSEC
    • Part of Formal Proof
      – mathematical argument that the state of the system is maintained

Security Model
• A formal description of a security policy
  – Bell and LaPadula Model (BLP)
    • Model captures confidentiality of MAC
    • Prevents unauthorized disclosure
  – Prevent unauthorized dissemination

  $\mathrm{Access} = \begin{cases} 1 & \text{if } \mathrm{Level}_{Subject} > \mathrm{Level}_{Object} \\ 0 & \text{otherwise} \end{cases}$

  Technically, “Dominates” and not g.t. BLP uses “class” for the subject’s level and the object’s security label.

Security Models
• From BLP
  – Simple Security Property (SSP)
    • Can read down
    • Cannot read up
  – *-Property (star property)
    • Also known as confinement property
    • Prevents write-down

Security Models – BLP Continued (diagram)
• Clearance and labels for our example: Uncleared < Restricted
• A subject with clearance “Restricted” may Read objects labelled “Restricted” and “Uncleared”
• What about Write down? (marked X: denied)

Security Models
• BLP only deals with secrecy
  – Prevent unauthorized disclosure
• What about
  – Modification of data and integrity of the source?
    • Consider a read up?

Security Quotes
• Security always involves a tradeoff between convenience and risk. – Anonymous

Security Models (diagram)
• A New document is created by reading from both a LOW and a High source
• Consider the source (integrity) of the newly created document. What can you say about the information flow?

Security Models
• Biba Model
  – Integrity Model
    • Integrity != MD5, CRC, etc.
    • Think in terms of trusting the source.
  – Rules are flipped from BLP

Security Models – Biba -> Integrity Model (diagram)
• Integrity levels: “Highest” integrity, “High” integrity, “Low” integrity
• Read from a higher-integrity level and Write to a lower one are allowed; the reverse directions are marked X (denied)
• Trust the source

Security Models
• Clark-Wilson
  – Transactional integrity model
• Chinese Wall Model
  – Organizational separation to prevent COI
  – RW access authorized by group membership
• Perfection
  – Information flow and non-interference models

Security Models
• Basic Security Theorem
• Tranquility
  – Prevents the re-association of an access class in mid operation.
  – As done in BLP

Security Terms
• Process Isolation
• Privileged Instructions
  – Instructions available to processes of higher privilege
  – Consider Disk IO and access to IO ports
• Privileged property
  – extra privileges assigned to a process
  – Override
    • Possibly override Bell-LaPadula (BLP)
      – SSP & *-property

Security Terms
• Principle of Least Privilege
  – every entity granted the least privileges necessary to perform assigned tasks
  – A policy such that each process
    • Has access only to those objects
    • For its assigned task
    • and no other privilege

Security Terms
• Resource
  – anything used while a system is functioning (e.g. CPU time, memory, disk space)
• Resource encapsulation
  – property which states resources cannot be directly accessed by subjects because subject access must be controlled by the reference monitor [Rothke]

Security Terms
• Reference Monitor
  – a security control which controls subjects’ access to resources - an example is the security kernel for a given hardware base
  1. Must Always Be Invoked
     1. Mediates Access
  2. Must Not Be Circumventable
  3. Must Be Easily Verifiable

Security Quotes
• Microsoft could have incorporated effective security
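Worked example of the lattice, “dominates”, and the BLP and Biba rules from the slides above. This is code added here, not from the lecture deck; the `Label` class, the numeric level constants and `new_document_labels` are this example’s own assumptions, and it generalises the slides’ hierarchical ordering to a lattice with compartments (categories).

```python
from dataclasses import dataclass

# Hierarchical ordering from the slides: Unrestricted < Company Proprietary < Company Secret
UNRESTRICTED, PROPRIETARY, SECRET = 0, 1, 2
# Integrity ordering for the Biba example (names assumed): Low < High < Highest
LOW, HIGH, HIGHEST = 0, 1, 2


@dataclass(frozen=True)
class Label:
    """A security class: hierarchical level plus a set of compartments (categories)."""
    level: int
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # "Dominates", not plain greater-than: level at least as high AND the
        # category set a superset. Labels with disjoint categories are incomparable.
        return self.level >= other.level and self.categories >= other.categories


def lub(a: Label, b: Label) -> Label:
    """Least upper bound (join): the lowest class dominating both inputs."""
    return Label(max(a.level, b.level), a.categories | b.categories)

def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound (meet): the highest class both inputs dominate."""
    return Label(min(a.level, b.level), a.categories & b.categories)


# Bell-LaPadula (confidentiality): read down, never read up; never write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)          # Simple Security Property

def blp_can_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)          # *-property (confinement property)


# Biba (integrity): the same two rules with the lattice flipped; trust the source.
def biba_can_read(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)          # no read from a less trusted source

def biba_can_write(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)          # no write to a more trusted object


def new_document_labels(sources):
    """Label a document assembled from (confidentiality, integrity) source pairs:
    confidentiality is the join of the sources, integrity is their meet."""
    conf, integ = sources[0]
    for c, i in sources[1:]:
        conf, integ = lub(conf, c), glb(integ, i)
    return conf, integ
```

The last function answers the “consider the source” slide: a document built from a LOW and a High source must be labelled at the High confidentiality level but carries only the Low integrity level.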