IS 2150 / TEL 2810IS 2150 / TEL 2810Introduction to SecurityJames JoshiAssistant Professor SISAssistant Professor, SISLecture 5September 23, 2008Security PoliciesConfidentiality Policies1Confidentiality PoliciesRe-Cap Decidable vs Undecidable?Safety–leakage of rightsSafety –leakage of rights HRU results:St ithti l dSystems with mono-operational commands k <= n*(?)(?) + 1?GiSft blGeneric Safety problem Turing machine ? Safety2Today’s Objectives Understanding/defining security policy and nature of trust Overview of different policy modelsUnderstand and analyze lattice structureUnderstand and analyze lattice structure Define/Understand existing Bell-LaPadula model of confidentialityy how lattice helps? Understand the Biba integrity model3Security Policies4Security Policy Defines what it means for a system to be secure Formally: Partitions a system into Set of secure (authorized) states() Set of non-secure (unauthorized) states Secure system is one that y Starts in authorized state Cannot enter unauthorized state5Secure System - ExampleUnauthorizedA B C DUnauthorizedstatesIs this Finite State Machine Secure?AuthorizedstatesIs this Finite State Machine Secure?Ais start state ?Bis start state ?Bis start state ?Cis start state ? How can this be made secure if not?6Suppose A, B, and Care authorized states ?Additional Definitions: Security breach: system enters an unauthorized state Let Xbe a set of entities, Ibe information.Ihasconfidentialitywith respect toXif no member ofIhas confidentialitywith respect to Xif no member of Xcan obtain information on IIhas integrity with respect to Xif all members of Xtrust ITrust I, its conveyance and storage (data integrity)Imaybe origin information or an identity (authentication)Iis a resource – its integrity implies it functions as it should (assurance)Ihas availabilitywith respect to Xif all members of Xcan access I Time limits (quality of service)7Confidentiality Policy Also known as information flow Transfer of rights Transfer of information without transfer of rights Temporal context Model often depends on trust Parts of system where information couldflowTrusted entity must participate to enable flow Highly developed in Military/Government8Integrity Policy Defines how information can be altered Entities allowed to alter data Conditions under which data can be altered Limits to change of dataElExamples: Purchase over $1000 requires signatureCheck over $10 000 must be approved by oneCheck over $10,000 must be approved by one person and cashed by anotherSeparation of duties : for preventing fraud9 Highly developed in commercial worldTrust Theories and mechanisms rest on some trust assumptions Administrator installs patch1. Trusts patch came from vendor, not tampered with in transit2. Trusts vendor tested patch thoroughlyTrusts vendor’s test environment corresponds to3.Trusts vendor’s test environment corresponds to local environment4.Trusts patch is installed correctly10pyTrust in Formal Verification Formal verification provides a formal mathematical proof that given input i, program Pproduces output o as specified Suppose a security-related program Sformally verified to work with operating system OWh h i d i iWhat are the assumptions during its installation?11Security Mechanism Policy describes what is allowedMechanismMechanism Is an entity/procedure that enforces (part of) policy Example Policy: Students should not copy homework Mechanism: Disallow access to files owned by other users12Security Model A model that represents a particular policy or set of policiespolicy or set of policies Abstracts details relevant to analysisFocus on specific characteristics of policiesFocus on specific characteristics of policies E.g., Multilevel security focuses on information flow control13Security policies Military security policy Focuses on confidentialityCommercial security policyCommercial security policy Primarily IntegrityTransaction-oriented Begin in consistent state “Consistent” defined by specification Perform series of actions (transaction)Ati tb it tdActions cannot be interrupted If actions complete, system in consistent state If actions do not complete, system reverts to beginning (consistent) state14Access Control Discretionary Access Control (DAC) Owner determines access rightsg Typically identity-based access control: Owner specifies other users who have access Mandatory Access Control (MAC) Rules specify granting of access Also called rule-based access control15Access Control Originator Controlled Access Control (ORCON)(ORCON) Originator controls accessOriginator need not be owner!Originator need not be owner! Role Based Access Control (RBAC)Id tit d b lIdentity governed by role user assumes16ConfidentialityPoliciesConfidentiality Policies17Confidentiality Policy Also known as information flow policy Integrity is secondary objective Eg. Military mission “date” Bell-LaPadula Model Formally models military requirementsFormally models military requirements Information has sensitivity levels or classification Subjects have clearance Subjects with clearance are allowed access Multi-level access control or mandatory access control18Bell-LaPadula: Basics Mandatory access control Entities are assigned security levels Subject has security clearance L(s) = ls Object has security classification L(o) = lo Simplest case: Security levels are arranged in a linear order li<li+1ExampleExampleTop secret > Secret > Confidential >Unclassified19“No Read Up” Information is allowed to flow up, not downSimple security property: pyppyscan read oif and only iflo≤ lsandshas discretionary read access to o- Combines mandatory(security levels) and discretionary(permission required)discretionary(permission required)- Prevents subjects from reading objects at higher levels (No Read Up rule)20“No Write Down” Information is allowed to flow up, not down*property pp yscan write oif and only ifls≤ lo andshas write access to o- Combines mandatory(security levels) and discretionary(permission required)discretionary(permission required)- Prevents subjects from writing to objects at lower
View Full Document
Unlocking...