Integrity Policies
CS691 – Chapter 6 of Matt Bishop (cs691, Chow)

Outline: Integrity; Different Needs; Biba Integrity Model; Intuition Behind Model Construction; Test case: Information Transfer Path; Low-Water-Mark Policy; Constrains Information Transfer Path; Ring Policy; Biba Model (Strict Integrity Policy); Example: LOCUS Distributed OS; Lipner’s Integrity Matrix Model; Assign Security Levels; Does the Model Meet 5 Requirements?; Checking Requirements; Problem with Simple Lipner’s Model; Lipner’s Full Integrity Model; Assign Classes/Categories to Users; Assign Classes/Categories to Objects; Operation/Comparison of the Model; Clark-Wilson Integrity Model; Certification Rules/Enforcement Rules; Additional Rules; Satisfy the Requirements; Slide 25; Compared with Biba Model; Exercises; Slide 28

Integrity

Problem area: systems require data to be changed accurately and to follow the rules. Disclosure is not a major concern.

Lipner [636] identifies five requirements for preserving data integrity:
1. Users will not write their own programs, but will use existing production programs and databases.
2. Programmers will develop and test programs on a nonproduction system; if they need access to actual data, they will be given production data via a special process, but will use it on their development system.
3. A special process must be followed to install a program from the development system onto the production system.
4. The special process in requirement 3 must be controlled and audited.
5. The managers and auditors must have access to both the system state and the system logs that are generated.

Auditing: the process of analyzing systems to determine what actions took place and who performed them. It uses extensive logging.

These requirements suggest three principles of operation:
Separation of duty (two different people perform two critical steps).
Separation of function (programs are not developed on the production system; production data used for development needs to be sanitized).
Auditing. (Commercial systems emphasize recovery and accountability.)

Different Needs

Commercial firms grant access based on individual needs and have larger categories and a large number of security levels.
In a military environment, the creation of compartments is centralized. In commercial firms, it is decentralized.
By aggregating distributed innocuous information, one can often deduce sensitive information. The Bell-LaPadula Model lacks the capability to track what questions have been asked.
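As an added example (not from the slides or from Lipner's paper), a constructed Python gate around the development-to-production install step that turns the five requirements above into checks: only programs built on the development system are staged, the person who installs must differ from the one who submitted (separation of duty), production data reaches development only through a sanitizing, logged release step (separation of function), and every decision is appended to an audit log. The names, actions and record format are assumptions.

```python
class PolicyViolation(Exception): pass

class ProductionGate:
    # Constructed model of the "special process" between development and production
    def __init__(self):
        self.log = []       # audit trail for managers and auditors (requirement 5)
        self.staged = {}    # program name -> developer who submitted it

    def _record(self, who, action, target):
        self.log.append((who, action, target))

    def submit(self, developer, program, built_on):
        # Requirements 2 and 3: only programs built on the development system are staged
        if built_on != "development":
            self._record(developer, "submit-rejected", program)
            raise PolicyViolation(f"{program} was not built on the development system")
        self.staged[program] = developer
        self._record(developer, "submit", program)

    def install(self, installer, program):
        # Requirements 3 and 4: a separate, audited step performed by a second person
        if program not in self.staged:
            raise PolicyViolation(f"{program} was never submitted for install")
        if self.staged[program] == installer:
            self._record(installer, "install-rejected", program)
            raise PolicyViolation("submitter and installer must be different people")
        del self.staged[program]
        self._record(installer, "install", program)

    def release_for_development(self, requester, records, sanitize):
        # Requirement 2: production data goes to development only sanitized and logged
        cleaned = [sanitize(rec) for rec in records]
        self._record(requester, "data-release", f"{len(cleaned)} records")
        return cleaned

def mask_account(rec):
    # Constructed sanitizer: keep only the last four digits of the account number
    return {**rec, "account": "****" + rec["account"][-4:]}

def demo():
    # Walk one program through the gate; returns the audit log for inspection
    gate = ProductionGate()
    gate.submit("alice", "payroll-2.1", built_on="development")
    try:
        gate.install("alice", "payroll-2.1")      # same person: rejected and logged
    except PolicyViolation:
        pass
    gate.install("bob", "payroll-2.1")            # second person: allowed
    gate.release_for_development("carol", [{"account": "12345678", "amount": 5}], mask_account)
    return gate.log
```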
Biba Integrity Model

In 1977, Biba [94] studied the nature of the integrity of systems. He proposed three policies, one of which is the mathematical dual of the Bell-LaPadula Model.

A system consists of a set S of subjects, a set O of objects, and a set I of integrity levels. The levels are ordered.
The relation < ⊆ I × I holds when the second integrity level dominates the first.
The relation ≤ ⊆ I × I holds when the second integrity level either dominates or is the same as the first.
The function min: I × I → I gives the lesser of the two integrity levels.
The function i: S ∪ O → I returns the integrity level of a subject or an object.
The relation r ⊆ S × O defines the ability of a subject to read an object; the relation w ⊆ S × O defines the ability of a subject to write to an object; the relation x ⊆ S × S defines the ability of a subject to invoke (execute) another subject.

Intuition Behind Model Construction

The higher the level, the more confidence one has that a program will execute correctly (or detect problems with its inputs and stop executing). Data at a higher level is more accurate, reliable and trustworthy than data at a lower level. Integrity labels, in general, are not also security labels. They are assigned and maintained separately, because the reasons behind the labels are
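As an added example (not from the slides or from Bishop's text), the sets, functions and relations of Biba's system model above encoded in Python, together with a checker that goes one step beyond this slide to the strict integrity policy, the Bell-LaPadula dual the deck covers later: a subject may read only objects at or above its level, write only objects at or below it, and invoke only subjects at or below it. The levels are assumed to be totally ordered, and the subjects, objects and relations are a constructed sample.

```python
from dataclasses import dataclass, field

@dataclass
class BibaSystem:
    """Levels I ordered low to high, i : S ∪ O -> I, and the relations r, w, x."""
    levels: list
    level_of: dict
    r: set = field(default_factory=set)   # r ⊆ S × O  (subject reads object)
    w: set = field(default_factory=set)   # w ⊆ S × O  (subject writes object)
    x: set = field(default_factory=set)   # x ⊆ S × S  (subject invokes subject)

    def dominates(self, a, b):
        """b ≤ a: level a dominates or equals level b."""
        return self.levels.index(a) >= self.levels.index(b)

    def min_level(self, a, b):
        """min : I × I -> I, the lesser of the two levels."""
        return a if self.dominates(b, a) else b

    def i(self, entity):
        return self.level_of[entity]

    def strict_violations(self):
        """Tuples in r, w, x that the strict integrity policy forbids:
        read needs i(s) ≤ i(o); write needs i(o) ≤ i(s); invoke needs i(s2) ≤ i(s1)."""
        bad = []
        for s, o in self.r:
            if not self.dominates(self.i(o), self.i(s)):
                bad.append(("r", s, o))      # reading down: low-integrity data flows up
        for s, o in self.w:
            if not self.dominates(self.i(s), self.i(o)):
                bad.append(("w", s, o))      # writing up: low subject corrupts high object
        for s1, s2 in self.x:
            if not self.dominates(self.i(s1), self.i(s2)):
                bad.append(("x", s1, s2))    # invoking up: low subject drives a high program
        return sorted(bad)

def example_system():
    """Constructed sample: three levels, two subjects, two objects."""
    return BibaSystem(
        levels=["untrusted", "user", "system"],
        level_of={"browser": "untrusted", "installer": "system",
                  "download": "untrusted", "kernel": "system"},
        r={("installer", "kernel"), ("installer", "download")},
        w={("browser", "download"), ("browser", "kernel")},
        x={("browser", "installer")},
    )
```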