IS 2150 / TEL 2810 Introduction to Security
James Joshi, Assistant Professor, SIS
Lecture 5, September 27, 2007
Security Policies / Confidentiality Policies

Slide 2: Re-Cap
- Decidable vs. undecidable?
- Safety: leakage of rights
- HRU results: systems with mono-operational commands, k <= n * (?) * (?) + 1 ?
- Generic safety problem: Turing machine => safety?

Slide 3: Today's Objectives
- Understanding/defining security policy and the nature of trust
- Overview of different policy models
- Understand and analyze the lattice structure
- Define/understand the existing Bell-LaPadula model: how does the lattice help?

Slide 4: Security Policies

Slide 5: Security Policy
- Defines what it means for a system to be secure
- Formally: partitions a system into
  - a set of secure (authorized) states
  - a set of non-secure (unauthorized) states
- A secure system is one that
  - starts in an authorized state
  - cannot enter an unauthorized state

Slide 6: Secure System - Example
- Is this finite state machine secure?
  - A is the start state?
  - B is the start state?
  - C is the start state?
- How can this be made secure if it is not?
- Suppose A, B, and C are the authorized states?
[Figure: state-transition diagram over states A, B, C, D, partitioned into authorized and unauthorized states; the transitions are not recoverable from the text]

Slide 7: Additional Definitions
- Security breach: the system enters an unauthorized state
- Let X be a set of entities and I be information.
  - I has confidentiality with respect to X if no member of X can obtain information on I
  - I has integrity with respect to X if all members of X trust I
    - Trust I, its conveyance and storage (data integrity)
    - I may be origin information or an identity (authentication)
    - I is a resource: its integrity implies it functions as it should (assurance)
  - I has availability with respect to X if all members of X can access I
    - Time limits (quality of service)

Slide 8: Confidentiality Policy
- Also known as information flow
  - Transfer of rights
  - Transfer of information without transfer of rights
  - Temporal context
- Model often depends on trust
  - Parts of the system where information could flow
  - A trusted entity must participate to enable flow
- Highly developed in military/government

Slide 9: Integrity Policy
- Defines how information can be altered
  - Entities allowed to alter data
  - Conditions under which data can be altered
  - Limits to change of data
- Examples:
  - Purchase over $1000 requires a signature
  - Check over $10,000 must be approved by one person and cashed by another
    - Separation of duties: for preventing fraud
- Highly developed in the commercial world

Slide 10: Trust
- Theories and mechanisms rest on some trust assumptions
- Administrator installs a patch:
  1. Trusts the patch came from the vendor and was not tampered with in transit
  2. Trusts the vendor tested the patch thoroughly
  3. Trusts the vendor's test environment corresponds to the local environment
  4. Trusts the patch is installed correctly

Slide 11: Trust in Formal Verification
- Formal verification provides a formal mathematical proof that, given input i, program P produces output o as specified
- Suppose a security-related program S is formally verified to work with operating system O
- What are the assumptions?

Slide 12: Security Mechanism
- Policy describes what is allowed
- Mechanism: an entity/procedure that enforces (part of) the policy
- Example
  - Policy: students should not copy homework
  - Mechanism: disallow access to files owned by other users

Slide 13: Security Model
- A model that represents a particular policy or set of policies
- Abstracts details relevant to analysis
- Focuses on specific characteristics of policies
  - E.g., multilevel security focuses on information flow control

Slide 14: Security Policies
- Military security policy
  - Focuses on confidentiality
- Commercial security policy
  - Primarily integrity
  - Transaction-oriented
    - Begin in a consistent state ("consistent" is defined by the specification)
    - Perform a series of actions (a transaction); the actions cannot be interrupted
    - If the actions complete, the system is in a consistent state
    - If the actions do not complete, the system reverts to the beginning (consistent) state

Slide 15: Access Control
- Discretionary Access Control (DAC)
  - Owner determines access rights
  - Typically identity-based access control: the owner specifies which other users have access
- Mandatory Access Control (MAC)
  - Rules specify the granting of access
  - Also called rule-based access control

Slide 16: Access Control
- Originator Controlled Access Control (ORCON)
  - Originator controls access
  - Originator need not be the owner!
- Role Based Access Control (RBAC)
  - Access governed by the role the user assumes

Slide 17: Lattice / Confidentiality Policies

Slide 18: Lattice
- Sets: collection of unique elements
- Let S, T be sets
  - Cartesian product: S x T = {(a, b) | a ∈ S, b ∈ T}, a set of ordered pairs
  - A binary relation R from S to T is a subset of S x T
  - A binary relation R on S is a subset of S x S

Slide 19: Lattice
- If (a, b) ∈ R we write aRb
- Example: R is "less than or equal to" (≤)
  - For S = {1, 2, 3}, R on S is {(1, 1), (1, 2), (1, 3), ????} (complete the set)
  - (1, 2) ∈ R is another way of writing 1 ≤ 2

Slide 20: Lattice
- Properties of relations
  - Reflexive: aRa for all a ∈ S
  - Anti-symmetric: aRb and bRa imply a = b for all a, b ∈ S
  - Transitive: aRb and bRc imply aRc for all a, b, c ∈ S
- Exercise: which properties hold for "less than or equal to" (≤)?
- Draw the Hasse diagram: it captures all the relations

Slide 21: Lattice
- Total ordering: the relation orders all elements
  - E.g., "less than or equal to" (≤) on the natural numbers
- Partial ordering (poset): the relation orders only some elements, not all
  - E.g., componentwise "less than or equal to" (≤) on complex numbers; consider (2 + 4i) and (3 + 2i), which are incomparable

Slide 22: Lattice
- Upper bound (u, a, b ∈ S): u is an upper bound of a and b means aRu and bRu
  - Least upper bound, lub(a, b): the closest upper bound
- Lower bound (l, a, b ∈ S): l is a lower bound of a and b means lRa and lRb
  - Greatest lower bound, glb(a, b): the closest lower bound

Slide 23: Lattice
- A lattice is the combination of a set of elements S and a relation R meeting the following criteria:
  - R is reflexive, antisymmetric, and transitive on the elements of S
  - For every s, t ∈ S, there exists a greatest lower bound
  - For every s, t ∈ S, there exists a least upper bound
- Some examples
  - S = {1, 2, 3} and R = ≤ ?
  - S = {2+4i, 1+2i, 3+2i, 3+4i} and R = ≤ ?

Slide 24: Confidentiality Policy
- Also known as information flow policy
- Integrity is a secondary objective
  - E.g., a military mission "date"
- Bell-LaPadula Model
  - Formally models military requirements
  - Information has sensitivity levels or classification
  - Subjects have
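The finite-state-machine question on slide 6 ("is this system secure from start state A? B? C? and how can it be made secure if not?") is a reachability check. The Python below is an added example, not part of the lecture slides: since the slide's figure is not recoverable, the transitions are invented here (an assumption), with A, B, C authorized and D unauthorized. It returns a witness path for a breach, and computes the transitions that have to be removed (or, alternatively, shows that choosing a different start state) to make the machine secure.

```python
from collections import deque

# Constructed example (an assumption, since the slide's figure is not
# recoverable): states A, B, C are authorized, D is unauthorized, and the
# transitions below are invented for illustration only.
TRANSITIONS = {
    "A": {"B", "D"},
    "B": {"C"},
    "C": {"B"},
    "D": set(),
}
AUTHORIZED = {"A", "B", "C"}


def breach_path(transitions, authorized, start):
    """Breadth-first search from `start`.  Returns the first path found that
    enters an unauthorized state (a witness of a security breach), or None
    when no unauthorized state is reachable."""
    if start not in authorized:
        return [start]          # starting outside the secure set is itself a breach
    parent = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        for t in sorted(transitions.get(s, ())):   # sorted: deterministic witness
            if t in parent:
                continue
            parent[t] = s
            if t not in authorized:
                path = [t]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(t)
    return None


def is_secure(transitions, authorized, start):
    """Secure in the slide's sense: starts authorized and can never leave."""
    return breach_path(transitions, authorized, start) is None


def reachable_authorized(transitions, authorized, start):
    """Authorized states reachable from `start` without passing through an
    unauthorized state (once the system has left the secure set the policy
    is already violated, so there is nothing further to explore)."""
    seen = set()
    queue = deque([start] if start in authorized else [])
    while queue:
        s = queue.popleft()
        if s in seen:
            continue
        seen.add(s)
        queue.extend(t for t in transitions.get(s, ()) if t in authorized)
    return seen


def offending_transitions(transitions, authorized, start):
    """Transitions out of a reachable authorized state into an unauthorized
    one.  Removing exactly these (or choosing a start state from which none
    is reachable) is what makes the machine secure."""
    return {(s, t)
            for s in reachable_authorized(transitions, authorized, start)
            for t in transitions.get(s, ())
            if t not in authorized}


def harden(transitions, authorized, start):
    """Copy of `transitions` with the offending transitions removed."""
    bad = offending_transitions(transitions, authorized, start)
    return {s: {t for t in ts if (s, t) not in bad} for s, ts in transitions.items()}


if __name__ == "__main__":
    for start in "ABC":
        witness = breach_path(TRANSITIONS, AUTHORIZED, start)
        print(start, "secure" if witness is None else f"breach via {witness}")
    print("remove:", offending_transitions(TRANSITIONS, AUTHORIZED, "A"))
    hardened = harden(TRANSITIONS, AUTHORIZED, "A")
    print("A secure after hardening:", is_secure(hardened, AUTHORIZED, "A"))
```

With the constructed transitions, starting at B or C is secure (only B and C are ever reached), starting at A is not (A can step straight to D), and removing the single transition A -> D makes A a secure start state. The same search is the mechanism side of slide 12: the policy is the partition into authorized and unauthorized states, and the check either proves the partition is never crossed or names the transition that crosses it.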
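The lattice definitions on slides 18 to 23 (partial order, upper and lower bounds, lub/glb, the lattice criteria) can be checked exhaustively on a finite set, which also answers the two "is this a lattice?" questions on slide 23. The Python below is an added example and not from the lecture: it assumes the componentwise order on complex numbers (x ≤ y iff both real and imaginary parts are ≤), since Python defines no ≤ on complex values, and it adds a constructed third set with no upper bound to show the check failing.

```python
from itertools import product


def is_partial_order(S, leq):
    """Reflexive, antisymmetric and transitive, checked exhaustively on the
    finite set S.  leq(a, b) is the relation aRb from slide 19."""
    reflexive = all(leq(a, a) for a in S)
    antisymmetric = all(a == b for a, b in product(S, S) if leq(a, b) and leq(b, a))
    transitive = all(leq(a, c) for a, b, c in product(S, S, S) if leq(a, b) and leq(b, c))
    return reflexive and antisymmetric and transitive


def is_total_order(S, leq):
    """A partial order in which every pair of elements is comparable."""
    return is_partial_order(S, leq) and all(leq(a, b) or leq(b, a) for a, b in product(S, S))


def upper_bounds(S, leq, a, b):
    return {u for u in S if leq(a, u) and leq(b, u)}


def lower_bounds(S, leq, a, b):
    return {lo for lo in S if leq(lo, a) and leq(lo, b)}


def _least(candidates, leq):
    # The one candidate below every other candidate (unique by antisymmetry),
    # or None when the set is empty or has no least element.
    for x in candidates:
        if all(leq(x, y) for y in candidates):
            return x
    return None


def _greatest(candidates, leq):
    for x in candidates:
        if all(leq(y, x) for y in candidates):
            return x
    return None


def lub(S, leq, a, b):
    """Least upper bound: the closest upper bound, or None if it does not exist."""
    return _least(upper_bounds(S, leq, a, b), leq)


def glb(S, leq, a, b):
    """Greatest lower bound: the closest lower bound, or None if it does not exist."""
    return _greatest(lower_bounds(S, leq, a, b), leq)


def is_lattice(S, leq):
    """Slide 23's definition: a partial order in which every pair of elements
    has both a greatest lower bound and a least upper bound in S."""
    if not is_partial_order(S, leq):
        return False
    return all(lub(S, leq, a, b) is not None and glb(S, leq, a, b) is not None
               for a, b in product(S, S))


def int_leq(a, b):
    return a <= b


def complex_leq(x, y):
    """Componentwise order on complex numbers (an assumption; Python has no
    <= on complex).  Under it 2+4i and 3+2i are incomparable."""
    return x.real <= y.real and x.imag <= y.imag


S1 = {1, 2, 3}                                   # slide 23, first example
S2 = {2 + 4j, 1 + 2j, 3 + 2j, 3 + 4j}            # slide 23, second example
S3 = {2 + 4j, 3 + 2j}                            # constructed: no upper bound in the set

if __name__ == "__main__":
    print("S1 total:", is_total_order(S1, int_leq), "lattice:", is_lattice(S1, int_leq))
    print("S2 total:", is_total_order(S2, complex_leq), "lattice:", is_lattice(S2, complex_leq))
    print("lub(2+4i, 3+2i) =", lub(S2, complex_leq, 2 + 4j, 3 + 2j),
          " glb(2+4i, 3+2i) =", glb(S2, complex_leq, 2 + 4j, 3 + 2j))
    print("S3 lattice:", is_lattice(S3, complex_leq))
```

S1 under ≤ is a total order and therefore a lattice (lub and glb are just max and min). S2 under the componentwise order is only a partial order, but still a lattice: 2+4i and 3+2i are incomparable, yet 3+4i is their least upper bound and 1+2i their greatest lower bound, which is the diamond shape its Hasse diagram draws. S3 is a partial order but not a lattice, because 2+4i and 3+2i have no upper bound inside the set at all; that is exactly the case the lattice criteria on slide 23 rule out.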