UCCS CS 6910 - Integrity Policies


Outline: Integrity Policies; Integrity; Different Needs; Biba Integrity Model; Intuition Behind Model Construction; Test case: Information Transfer Path; Low-Water-Mark Policy; Constrains Information Transfer Path; Ring Policy; Biba Model (Strict Integrity Policy); Example: LOCUS Distributed OS; Lipner's Integrity Matrix Model; Assign Security Levels; Does the Model Meet 5 Requirements?; Checking Requirements; Problem with Simple Lipner's Model; Lipner's Full Integrity Model; Assign Classes/Categories to Users; Assign Classes/Categories to Objects; Operation/Comparison of the Model; Clark-Wilson Integrity Model; Certification Rules/Enforcement Rules; Additional Rules; Satisfy the Requirements; Slide 25; Compared with Biba Model; Exercises; Slide 28

Slide 1: Integrity Policies (cs691, chow)

CS691 – Chapter 6 of Matt Bishop

Slide 2: Integrity

Problem area: systems require data to be changed accurately and to follow the rules. Disclosure is not a major concern.

Lipner [636] identifies five requirements for preserving data integrity:

1. Users will not write their own programs, but will use existing production programs and databases.
2. Programmers will develop and test programs on a nonproduction system; if they need access to actual data, they will be given production data via a special process, but will use it on their development system.
3. A special process must be followed to install a program from the development system onto the production system.
4. The special process in requirement 3 must be controlled and audited.
5. The managers and auditors must have access to both the system state and the system logs that are generated.

Auditing: the process of analyzing systems to determine what actions took place and who performed them. It uses extensive logging.

These requirements suggest three principles of operation:

- Separation of duty (two different people perform two critical steps).
- Separation of function (programs are not developed on the production system; production data for development needs to be sanitized).
- Auditing. (Commercial systems emphasize recovery and accountability.)

Slide 3: Different Needs

Commercial firms grant access based on individual needs and have a larger number of categories → a large number of security levels.

In a military environment, creation of compartments is centralized. In commercial firms, it is decentralized.

By aggregating distributed innocuous information, one can often deduce sensitive information. The Bell-LaPadula Model lacks the capability to track what questions have been asked.

Slide 4: Biba Integrity Model

In 1977, Biba [94] studied the nature of the integrity of systems. He proposed three policies, one of which was the mathematical dual of the Bell-LaPadula Model.

A system consists of a set S of subjects, a set O of objects, and a set I of integrity levels. The levels are ordered.

- The relation < ⊆ I × I holds when the second integrity level dominates the first.
- The relation ≤ ⊆ I × I holds when the second integrity level either dominates or is the same as the first.
- The function min: I × I → I gives the lesser of the two integrity levels.
- The function i: S ∪ O → I returns the integrity level of an object or a subject.
- The relation r ⊆ S × O defines the ability of a subject to read an object.
- The relation w ⊆ S × O defines the ability of a subject to write to an object.
- The relation x ⊆ S × S defines the ability of a subject to invoke (execute) another subject.

Slide 5: Intuition Behind Model Construction

The higher the level, the more confidence one has that a program will execute correctly (or detect problems with its inputs and stop executing). Data at a higher level is more accurate, reliable, and trustworthy than data at a lower level. Integrity labels, in general, are not also security labels. They are assigned and maintained separately, because the reasons behind the labels are
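
The Biba definitions above (I, i, min, and the read/write/execute relations), exercised as an added Python example that is not part of the original slides. The access rules are the standard statement of Biba's strict integrity and low-water-mark policies, which this preview names but does not spell out; the level names and entities are constructed.

```python
from dataclasses import dataclass

# Constructed integrity levels I, ordered low -> high (names are assumptions).
LEVELS = {"untrusted": 0, "user": 1, "system": 2}

@dataclass
class Entity:
    """A subject or an object; `level` plays the role of i(.) in the model."""
    name: str
    level: int

def leq(a: int, b: int) -> bool:
    """The relation a <= b on I: b dominates a or is the same level."""
    return a <= b

# Strict integrity policy, the dual of Bell-LaPadula.
def strict_can_read(s: Entity, o: Entity) -> bool:
    return leq(s.level, o.level)      # no read down

def can_write(s: Entity, o: Entity) -> bool:
    return leq(o.level, s.level)      # no write up

def can_execute(s1: Entity, s2: Entity) -> bool:
    return leq(s2.level, s1.level)    # no invoking a higher-integrity subject

def lwm_read(s: Entity, o: Entity) -> int:
    """Low-water-mark: the read is allowed, but i(s) drops to min(i(s), i(o))."""
    s.level = min(s.level, o.level)
    return s.level

def demo() -> dict:
    editor = Entity("editor", LEVELS["user"])
    kernel_cfg = Entity("kernel.cfg", LEVELS["system"])
    download = Entity("download.bin", LEVELS["untrusted"])
    report = Entity("report.doc", LEVELS["user"])
    results = {
        "read_up": strict_can_read(editor, kernel_cfg),
        "read_down": strict_can_read(editor, download),
        "write_up": can_write(editor, kernel_cfg),
        "write_down": can_write(editor, download),
        "write_same_before": can_write(editor, report),
    }
    # Low-water-mark permits the read of untrusted data, then lowers the
    # subject so it can no longer write to objects at its former level.
    results["level_after_read"] = lwm_read(editor, download)
    results["write_same_after"] = can_write(editor, report)
    return results

if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```
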

