Foundations of Computer SecurityLecture 9: MLS Example: Part IVDr. Bill YoungDepartment of Computer SciencesUniversity of Texas at AustinLecture 9: 1 MLS Example: Part IVMLS Thought ExperimentWe introduced the following rule, which appears to capture ourintuition about when a subject can read an object.The Simple Security Property: Subject S with clearance(LS, CS) may be granted read access to object O with classification(LO, CO) only if (LS, CS) ≥ (LO, CO).Is it all we need? What about other types of access?Lecture 9: 2 MLS Example: Part IVDo We Need Secure Writing?The Simple Security property codifies restrictions on read access todocuments. What about write access?Suppose someone with access to a Top Secret document copiesthe information onto a piece of paper and sticks it into anUnclassified folder.Has Simple Security been violated? No! Has confidentiality beenviolated? Clearly.Lecture 9: 3 MLS Example: Part IVSecure WritingIn general, subjects in the world of military documents are personstrusted not to write classified information where it can be accessedby unauthorized parties.Subjects in the world of computing are often programs operatingon behalf of a trusted user (and with his or her clearance).Some program I run may have embedded malicious logic (a “trojanhorse”) that causes it to “leak” information without my knowledgeor consent.Lecture 9: 4 MLS Example: Part IVThe *-PropertyWe restrict write access according to the following rule:The *-Property: Subject S with clearance (LS, CS) maybe granted write access to object O with classification(LO, CO) only if (LS, CS) ≤ (LO, CO).This is pronounced “the star property.” How does it help?Lecture 9: 5 MLS Example: Part IVThe *-PropertyDoes this rule make sense? Is it too restrictive? Is it too lax?Can a commanding general with a Top Secret clearance emailmarching orders to a foot soldier with no clearance? No!Can a corporal with no clearance overwrite the war plan?Nothing in our rules stops it, but that’s an integrity problem!Simple security and the *-property are sometimes characterized as“read down” and “write up,” respectively. Alternatively, they’recharacterized as “no read up” and “no write down.”Lecture 9: 6 MLS Example: Part IVLessonsControl over read and write operations is needed to preventconfidentiality breaches.The *-property uses dominates to decide whether a writeaccess should be allowed.Controlling write access is especially crucial for computersbecause the accessing subject may be a program executing onbehalf of a user. The user has been cleared; the program hasnot.Next lecture: Tranquility and BLPLecture 9: 7 MLS Example: Part
View Full Document
Unlocking...