U of I CS 498 - Mandatory Access Control and SE Linux

This preview shows page 1-2-3-21-22-23-42-43-44 out of 44 pages.


Unformatted text preview:

Slide titles: Mandatory Access Control and SE Linux; Overview; MAC vs DAC; Confidentiality Policy; Bell-LaPadula Model, Step 1; Example; Reading Information; Writing Information; Basic Security Theorem, Step 1; Bell-LaPadula Model, Step 2; Levels and Lattices; Example Lattice; Levels and Ordering; Reading Information; Writing Information; Basic Security Theorem, Step 2; Problem; Solution; Adjustments to “write up”; BLP in OS’s; Example Scenario; Foundation Sensitivity Labels; Operations; SE Linux MAC; SE Linux Type Enforcement (TE); Example TE mapping; TE Rules; Operations; SE Linux Security Architecture; Key SELinux Concepts; SELinux Concepts; SE Linux Concepts; Policy Language Overview; Type Transition; Access Vector Rules; Role Based Access Control; Role Syntax; Domain Transitions; TE Policy Problems; MLS in SE Linux; MLS in SE Linux; MCS in SE Linux; MCS in SE Linux; Summary

Mandatory Access Control and SE Linux
Cyber Security
Spring ‘06

Overview
• Review mandatory access control
• Discuss SE Linux
  – Type Enforcement Model
  – MLS or Bell-LaPadula model
  – Multiple Category Security (MCS)

MAC vs DAC
• Discretionary Access Control (DAC)
  – Normal users can change access control state directly assuming they have appropriate permissions
  – Access control implemented in standard OS’s, e.g., Unix, Linux, Windows
  – Access control is at the discretion of the user
• Mandatory Access Control (MAC)
  – Enforced by system wide set of rules
  – Normal user cannot change access control schema
• “Strong” system security requires MAC
  – Normal users cannot be trusted

Confidentiality Policy
• Goal: prevent the unauthorized disclosure of information
  – Deals with information flow
  – Integrity incidental
• Multi-level security models are best-known examples
  – Bell-LaPadula Model basis for many, or most, of these

Bell-LaPadula Model, Step 1
• Security levels arranged in linear ordering
  – Top Secret: highest
  – Secret
  – Confidential
  – Unclassified: lowest
• Levels consist of security clearance L(s)
  – Objects have security classification L(o)
Bell, LaPadula 73

Example

security level   subject   object
Top Secret       Tamara    Personnel Files
Secret           Samuel    E-Mail Files
Confidential     Claire    Activity Logs
Unclassified     Ulaley    Telephone Lists

• Tamara can read all files
• Claire cannot read Personnel or E-Mail Files
• Ulaley can only read Telephone Lists

Reading Information
• Information flows up, not down
  – “Reads up” disallowed, “reads down” allowed
• Simple Security Condition (Step 1)
  – Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o
    • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called “no reads up” rule

Writing Information
• Information flows up, not down
  – “Writes up” allowed, “writes down” disallowed
• *-Property (Step 1)
  – Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o
    • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called “no writes down” rule

Basic Security Theorem, Step 1
• If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 1), and the *-property (step 1), then every state of the system is secure
  – Proof: induct on the number of transitions
    • Meaning of “secure” is axiomatic

Bell-LaPadula Model, Step 2
• Expand notion of security level to include categories (also called compartments)
• Security level is (clearance, category set)
• Examples
  – ( Top Secret, { NUC, EUR, ASI } )
  – ( Confidential, { EUR, ASI } )
  – ( Secret, { NUC, ASI } )

Levels and Lattices
• (A, C) dom (A′, C′) iff A′ ≤ A and C′ ⊆ C
• Examples
  – (Top Secret, {NUC, ASI}) dom (Secret, {NUC})
  – (Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
  – (Top Secret, {NUC}) ¬dom (Confidential, {EUR})
  – (Secret, {NUC}) ¬dom (Confidential, {NUC, EUR})
• Let C be set of classifications, K set of categories. Set of security levels L = C × K, dom form lattice
  – Partially ordered set
  – Any pair of elements
    • Has a greatest lower bound
    • Has a least upper bound

Example Lattice
[Figure: lattice diagram with nodes TS: ASI,NUC,EUR; TS:NUC,EUR; TS:NUC,ASI; TS:NUC; S:NUC; C:NUC,EUR; C:EUR; SL]

Levels and Ordering
• Security levels partially ordered
  – Any pair of security levels may (or may not) be related by dom
• “dominates” serves the role of “greater than” in step 1
  – “greater than” is a total ordering, though

Reading Information
• Information flows up, not down
  – “Reads up” disallowed, “reads down” allowed
• Simple Security Condition (Step 2)
  – Subject s can read object o iff L(s) dom L(o) and s has permission to read o
    • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called “no reads up” rule

Writing Information
• Information flows up, not down
  – “Writes up” allowed, “writes down” disallowed
• *-Property (Step 2)
  – Subject s can write object o iff L(o) dom L(s) and s has permission to write o
    • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called “no writes down” rule

Basic Security Theorem, Step 2
• If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 2), and the *-property (step 2), then every state of the system is secure
  – Proof: induct on the number of transitions
  – In actual Basic Security Theorem, discretionary access control treated as third property, and simple security property and *-property phrased to eliminate discretionary part of the definitions, but simpler to express the way done here.

Problem
• Colonel has (Secret, {NUC, EUR}) clearance
• Major has (Secret, {EUR}) clearance
• Can Major write data that Colonel can read?
• Can Major read data that Colonel wrote?
• What about the reverse?

Solution
• Define maximum, current levels for subjects
  – maxlevel(s) dom curlevel(s)
• Example
  – Treat Major as an object (Colonel is writing to him/her)
  – Colonel has maxlevel (Secret, { NUC, EUR })
  – Colonel sets curlevel to (Secret, { EUR })
  – Now L(Major) dom curlevel(Colonel)
    • Colonel can write to Major without violating “no writes down”
  – Does L(s) mean curlevel(s) or maxlevel(s)?
    • Formally, we need a more precise notation

Adjustments to “write up”
• General write permission is both read and write
  – So both
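
The Step 2 rules and the Colonel/Major problem above, worked through as an added example (not part of the original slides). The names Level, lvl, lub, glb, can_read, can_write, dac_ok and colonel_to_major are hypothetical helpers; dac_ok stands in for the discretionary permission check that the slides combine with the mandatory one.

```python
from dataclasses import dataclass

# Linear ordering of clearances from the Step 1 slide (lowest to highest).
RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Level:
    clearance: str
    categories: frozenset = frozenset()

    def dom(self, other):
        """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
        return (RANK[other.clearance] <= RANK[self.clearance]
                and other.categories <= self.categories)

def lvl(clearance, *cats):
    """Convenience constructor (assumed helper, not from the slides)."""
    return Level(clearance, frozenset(cats))

def lub(a, b):
    """Least upper bound: higher clearance, union of the category sets."""
    return Level(max(a.clearance, b.clearance, key=RANK.get),
                 a.categories | b.categories)

def glb(a, b):
    """Greatest lower bound: lower clearance, intersection of category sets."""
    return Level(min(a.clearance, b.clearance, key=RANK.get),
                 a.categories & b.categories)

def can_read(subj, obj, dac_ok=True):
    """Simple security condition (Step 2): L(s) dom L(o), plus DAC permission."""
    return subj.dom(obj) and dac_ok

def can_write(subj, obj, dac_ok=True):
    """*-property (Step 2): L(o) dom L(s), plus DAC permission."""
    return obj.dom(subj) and dac_ok

# The Colonel/Major problem from the slides.
COLONEL_MAX = lvl("Secret", "NUC", "EUR")
MAJOR = lvl("Secret", "EUR")

def colonel_to_major(curlevel):
    """Colonel writes to Major (treated as an object) at the chosen curlevel."""
    if not COLONEL_MAX.dom(curlevel):  # maxlevel(s) dom curlevel(s) must hold
        raise ValueError("curlevel is not dominated by maxlevel")
    return can_write(curlevel, MAJOR)
```

At maxlevel the Colonel's write to the Major is a write down and is refused; after dropping curlevel to (Secret, {EUR}) it is allowed, which is the adjustment the Solution slide describes.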

