Outline
- DAC vs. MAC
- Bell-LaPadula model
- Security levels
- Security properties
- The lattice model
- Straw man MAC implementation
- No: Covert channels
- No: Timing channels
- Reducing covert channels
- Declassification
- Biba integrity model
- DoD Orange book (http://www.scs.stanford.edu/10wi-cs140/sched/readings/Orange.txt)
- Limitations of Orange book
- Today: Common Criteria
- LOMAC [Fraser] (http://www.scs.stanford.edu/10wi-cs140/sched/readings/lomac.pdf)
- LOMAC overview
- LOMAC defaults
- The self-revocation problem
- Self-revocation example
- Solution
- The Flask security architecture
- Architecture
- Challenges
- Basic Flask concepts
- Creating new object
- Security server interface
- Access vector cache (AVC)
- AVC in a query
- AVC interface
- Revocation support
- Revocation protocol
- Persistence
- Transitioning SIDs
- Example: Paying invoices
- Illustration
- Example: Loading kernel modules

DAC vs. MAC
• Most people familiar with discretionary access control (DAC)
  - Unix permission bits are an example
  - Might set a file private so only group friends can read it
• Discretionary means anyone with access can propagate information:
  - Mail [email protected] < private
• Mandatory access control
  - Security administrator can restrict propagation
  - Abbreviated MAC (NOT to be confused w. Message Authentication Code or Medium Access Control)

Bell-LaPadula model
• View the system as subjects accessing objects
  - The system input is requests, the output is decisions
  - Objects can be organized in one or more hierarchies, H (a tree enforcing the type of descendants)
• Four modes of access are possible:
  - execute – no observation or alteration
  - read – observation
  - append – alteration
  - write – both observation and modification
• The current access set, b, is a set of (subj, obj, attr) triples
• An access matrix M encodes permissible access types (as before, subjects are rows, objects columns)

Security levels
• A security level is a (c, s) pair:
  - c = classification – E.g., unclassified, secret, top secret
  - s = category-set – E.g., Nuclear, Crypto
• (c1, s1) dominates (c2, s2) iff c1 ≥ c2 and s2 ⊆ s1
  - L1 dominates L2 sometimes written L1 ⊒ L2 or L2 ⊑ L1
  - levels then form a lattice (partial order w. lub & glb)
• Subjects and objects are assigned security levels
  - level(S), level(O) – security level of subject/object
  - current-level(S) – subject may operate at lower level
  - level(S) bounds current-level(S) (current-level(S) ⊑ level(S))
  - Since level(S) is max, sometimes called S's clearance

Security properties
• The simple security or ss-property:
  - For any (S, O, A) ∈ b, if A includes observation, then level(S) must dominate level(O)
  - E.g., an unclassified user cannot read a top-secret document
• The star security or *-property:
  - If a subject can observe O1 and modify O2, then level(O2) dominates level(O1)
  - E.g., cannot copy top secret file into secret file
  - More precisely, given (S, O, A) ∈ b:
    if A = r then current-level(S) ⊒ level(O) ("no read up")
    if A = a then current-level(S) ⊑ level(O) ("no write down")
    if A = w then current-level(S) = level(O)

The lattice model
[Lattice diagram: an arrow from L1 to L2 means L1 ⊑ L2. Nodes, bottom to top: ⟨unclassified, ∅⟩; ⟨secret, ∅⟩, ⟨secret, {Nuclear}⟩, ⟨secret, {Crypto}⟩; ⟨top-secret, ∅⟩, ⟨top-secret, {Nuclear}⟩, ⟨top-secret, {Crypto}⟩; ⟨top-secret, {Nuclear, Crypto}⟩.]
• Information can only flow up the lattice
  - System enforces "No read up, no write down"
  - Think of ⊑ as "can flow to" relation

Straw man MAC implementation
• Take an ordinary Unix system
• Put labels on all files and directories to track levels
• Each user U has a security clearance, level(U)
• Determine current security level dynamically
  - When U logs in, start with lowest current-level
  - Increase current-level as higher-level files are observed (sometimes called a floating label system)
  - If U's level does not dominate current-level, kill program
  - Kill program that writes to file that doesn't dominate it
• Is this secure?

No: Covert channels
• System rife with storage channels
  - Low current-level process executes another program
  - New program reads sensitive file, gets high current-level
  - High program exploits covert channels to pass data to low
• E.g., High program inherits file descriptor
  - Can pass 4 bytes of information to low prog. in file offset
• Other storage channels:
  - Exit value, signals, file locks, terminal escape codes, ...
• If we eliminate storage channels, is system secure?

No: Timing channels
• Example: CPU utilization
  - To send a 0 bit, use 100% of CPU in busy-loop
  - To send a 1 bit, sleep and relinquish CPU
  - Repeat to transfer more bits
• Example: Resource exhaustion
  - High prog. allocates all physical memory if bit is 1
  - If low prog. slow from paging, knows less memory available
• More examples: Disk head position, processor cache/TLB pollution, ...

Reducing covert channels
• Observation: Covert channels come from sharing
  - If you have no shared resources, no covert channels
  - Extreme example: Just use two computers (common in DoD)
• Problem: Sharing needed
  - E.g., read unclassified data when preparing classified
• Approach: Strict partitioning of resources
  - Strictly partition and schedule resources between levels
  - Occasionally reapportion resources based on usage
  - Do so infrequently to bound leaked information
  - In general, only hope to bound bandwidth of covert channels
  - Approach still not so good if many security levels possible

Declassification
• Sometimes need to prepare unclassified report from classified data
• Declassification happens outside of system
  - Present file to security officer for downgrade
• Job of declassification often not trivial
  - E.g., Microsoft Word saves a lot of undo information
  - This might be all the secret stuff you cut from document
  - Another bad mistake: Redacted PDF using black censor bars over or under text (but text still selectable)

Biba integrity model
• Problem: How to protect integrity
  - Suppose text editor gets trojaned, subtly modifies files, might mess up attack plans
• Observation: Integrity is the converse of secrecy
  - In secrecy, want to avoid writing less secret files
  - In integrity, want to avoid writing higher-integrity files
• Use integrity hierarchy parallel to secrecy one
  - Now security level is a ⟨c, i, s⟩ triple, i = integrity
  - ⟨c1, i1, s1⟩ ⊑ ⟨c2, i2, s2⟩ iff c1 ≤ c2 and i1 ≥ i2 and s1 ⊆ s2
  - Only trusted users can operate at low integrity levels
  - If you read less authentic data, your current integrity level
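As an added worked example (not from the lecture slides), the dominance relation, lub and the ss-/*-property decision procedure from the Bell-LaPadula slides, written over the ⟨c, i, s⟩ triple ordering the Biba slide defines so one monitor covers both secrecy and integrity. The classification names, the three-step integrity scale and the category names are constructed for the example.

```python
# Added example, not from the lecture: a small reference monitor over the
# <c, i, s> triples the Biba slide defines, with the Bell-LaPadula ss- and
# *-property checks.  Level names and the integrity scale are constructed.
from dataclasses import dataclass
from typing import FrozenSet

CLASSIFICATIONS = {"unclassified": 0, "secret": 1, "top-secret": 2}
INTEGRITY = {"low": 0, "medium": 1, "high": 2}   # constructed scale

@dataclass(frozen=True)
class Level:
    c: str                            # secrecy classification
    i: str                            # integrity level (Biba)
    s: FrozenSet[str] = frozenset()   # category set, e.g. {"Crypto"}

    def flows_to(self, other: "Level") -> bool:
        """self ⊑ other (information may flow from self to other):
        secrecy may only rise, integrity may only fall, categories only grow."""
        return (CLASSIFICATIONS[self.c] <= CLASSIFICATIONS[other.c]
                and INTEGRITY[self.i] >= INTEGRITY[other.i]
                and self.s <= other.s)

    def dominates(self, other: "Level") -> bool:
        """self ⊒ other."""
        return other.flows_to(self)

def lub(a: Level, b: Level) -> Level:
    """Least upper bound in ⊑: the lowest level both a and b can flow to."""
    return Level(max(a.c, b.c, key=CLASSIFICATIONS.__getitem__),
                 min(a.i, b.i, key=INTEGRITY.__getitem__),  # lower integrity is higher in ⊑
                 a.s | b.s)

def check_access(clearance: Level, current: Level, obj: Level, mode: str) -> bool:
    """Decide request (S, O, mode), mode in {"e", "r", "a", "w"}:
    - current-level(S) must stay ⊑ level(S) (the clearance);
    - ss-property: observation (r, w) needs level(S) ⊒ level(O);
    - *-property: r needs current ⊒ obj (no read up), a needs current ⊑ obj
      (no write down), w needs both, i.e. equality; e needs nothing."""
    if mode not in ("e", "r", "a", "w"):
        raise ValueError(f"unknown access mode {mode!r}")
    if not current.flows_to(clearance):
        return False
    observes, alters = mode in ("r", "w"), mode in ("a", "w")
    if observes and not (clearance.dominates(obj) and current.dominates(obj)):
        return False
    if alters and not current.flows_to(obj):
        return False
    return True
```

With the integrity component folded in, the same checker rejects a low-integrity process appending to a high-integrity file while still letting it read that file, which is exactly the "converse of secrecy" the slide describes.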