U of I CS 498 - Confidentiality Policies

This preview shows page 1-2-14-15-30-31 out of 31 pages.


Slide #5-1
Confidentiality Policies
CS498SH – Information Assurance
Fall 2006
Susan Hinrichs
Based on slides provided by Matt Bishop for use with Computer Security: Art and Science

Slide #5-2 Reading
• Chapter 5 in either Bishop book
• Bell-LaPadula and McLean papers linked on class web site if you are interested in the proofs

Slide #5-3 Outline
• Overview
  – Mandatory versus discretionary controls
  – What is a confidentiality model
• Bell-LaPadula Model
  – General idea
  – Description of rules
• Tranquility
• Controversy
  – †-property
  – System Z

Slide #5-4 MAC vs DAC
• Discretionary Access Control (DAC)
  – Normal users can change access control state directly assuming they have appropriate permissions
  – Access control implemented in standard OS’s, e.g., Unix, Linux, Windows
  – Access control is at the discretion of the user
• Mandatory Access Control (MAC)
  – Access decisions cannot be changed by normal rules
  – Generally enforced by system wide set of rules
  – Normal user cannot change access control schema
• “Strong” system security requires MAC
  – Normal users cannot be trusted

Slide #5-5 Confidentiality Policy
• Goal: prevent the unauthorized disclosure of information
  – Deals with information flow
  – Integrity incidental
• Multi-level security models are best-known examples
  – Bell-LaPadula Model basis for many, or most, of these

Slide #5-6 Bell-LaPadula Model, Step 1
• Security levels arranged in linear ordering
  – Top Secret: highest
  – Secret
  – Confidential
  – Unclassified: lowest
• Levels consist of security clearance L(s)
  – Objects have security classification L(o)
Bell, LaPadula 73

Slide #5-7 Example

security level   subject   object
Top Secret       Tamara    Personnel Files
Secret           Samuel    E-Mail Files
Confidential     Claire    Activity Logs
Unclassified     Ulaley    Telephone Lists

• Tamara can read all files
• Claire cannot read Personnel or E-Mail Files
• Ulaley can only read Telephone Lists

Slide #5-8 Reading Information
• Information flows up, not down
  – “Reads up” disallowed, “reads down” allowed
• Simple Security Condition (Step 1)
  – Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o
    • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called “no reads up” rule

Slide #5-9 Writing Information
• Information flows up, not down
  – “Writes up” allowed, “writes down” disallowed
• *-Property (Step 1)
  – Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o
    • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called “no writes down” rule

Slide #5-10 Basic Security Theorem, Step 1
• If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 1), and the *-property (step 1), then every state of the system is secure
  – Proof: induct on the number of transitions
• Meaning of “secure” is axiomatic

Slide #5-11 Bell-LaPadula Model, Step 2
• Expand notion of security level to include categories (also called compartments)
• Security level is (clearance, category set)
• Examples
  – ( Top Secret, { NUC, EUR, ASI } )
  – ( Confidential, { EUR, ASI } )
  – ( Secret, { NUC, ASI } )

Slide #5-12 Levels and Lattices
• (A, C) dom (A′, C′) iff A′ ≤ A and C′ ⊆ C
• Examples
  – (Top Secret, {NUC, ASI}) dom (Secret, {NUC})
  – (Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
  – (Top Secret, {NUC}) ¬dom (Confidential, {EUR})
  – (Secret, {NUC}) ¬dom (Confidential, {NUC, EUR})
• Let C be set of classifications, K set of categories. Set of security levels L = C × K, dom form lattice
  – Partially ordered set
  – Any pair of elements
    • Has a greatest lower bound
    • Has a least upper bound

Slide #5-13 Example Lattice
[Figure: lattice with nodes ASI,NUC,EUR; ASI,NUC; ASI,EUR; NUC,EUR; ASI; EUR; NUC; SL]

Slide #5-14 Subset Lattice
[Figure: lattice with nodes TS: ASI,NUC,EUR; TS:NUC,EUR; TS:NUC,ASI; TS:NUC; S:NUC; C:NUC,EUR; C:EUR; SL]

Slide #5-15 Levels and Ordering
• Security levels partially ordered
  – Any pair of security levels may (or may not) be related by dom
• “dominates” serves the role of “greater than” in step 1
  – “greater than” is a total ordering, though

Slide #5-16 Reading Information
• Information flows up, not down
  – “Reads up” disallowed, “reads down” allowed
• Simple Security Condition (Step 2)
  – Subject s can read object o iff L(s) dom L(o) and s has permission to read o
    • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called “no reads up” rule

Slide #5-17 Writing Information
• Information flows up, not down
  – “Writes up” allowed, “writes down” disallowed
• *-Property (Step 2)
  – Subject s can write object o iff L(o) dom L(s) and s has permission to write o
    • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  – Sometimes called “no writes down” rule

Slide #5-18 Basic Security Theorem, Step 2
• If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 2), and the *-property (step 2), then every state of the system is secure
  – Proof: induct on the number of transitions
  – In actual Basic Security Theorem, discretionary access control treated as third property, and simple security property and *-property phrased to eliminate discretionary part of the definitions — but simpler to express the way done here.

Slide #5-19 Problem
• Colonel has (Secret, {NUC, EUR}) clearance
• Major has (Secret, {EUR}) clearance
• Can Major write data that Colonel can read?
• Can Major read data that Colonel wrote?
• What about the reverse?

Slide #5-20 Solution
• Define maximum, current levels for subjects
  – maxlevel(s) dom curlevel(s)
• Example
  – Treat Major as an object (Colonel is writing to him/her)
  – Colonel has maxlevel (Secret, { NUC, EUR })
  – Colonel sets curlevel to (Secret, { EUR })
  – Now L(Major) dom curlevel(Colonel)
    • Colonel can write to Major without violating “no writes down”
  – Does L(s) mean curlevel(s) or maxlevel(s)?
    • Formally, we need a more precise notation

Slide #5-21 Adjustments to “write up”
• General write permission is both read and write
  – So both simple security
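
Added example, not part of the original slides: the Step 2 rules (dom, the simple security condition, the *-property) and the maxlevel/curlevel adjustment from Slide #5-20, written as a small Python reference check and run on the Colonel/Major problem. The names `Level`, `Subject`, `can_read`, `can_write`, `lub` and `colonel_writes_to_major` are assumptions chosen for illustration, and the mandatory check is assumed to use curlevel.

```python
from dataclasses import dataclass

# Linear ordering of classifications from Slide #5-6.
RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Level:
    classification: str
    categories: frozenset

def level(classification, *categories):
    return Level(classification, frozenset(categories))

def dom(a, b):
    """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
    return (RANK[b.classification] <= RANK[a.classification]
            and b.categories <= a.categories)

def lub(a, b):
    """Least upper bound: higher classification, union of categories."""
    top = max(a.classification, b.classification, key=RANK.get)
    return Level(top, a.categories | b.categories)

def can_read(subject_level, object_level, dac_allows=True):
    """Simple security condition (Step 2): no reads up, plus DAC permission."""
    return dac_allows and dom(subject_level, object_level)

def can_write(subject_level, object_level, dac_allows=True):
    """*-property (Step 2): no writes down, plus DAC permission."""
    return dac_allows and dom(object_level, subject_level)

class Subject:
    """Subject with maxlevel and curlevel; starts at maxlevel."""
    def __init__(self, name, maxlevel):
        self.name, self.maxlevel, self.curlevel = name, maxlevel, maxlevel

    def set_curlevel(self, new_level):
        # Invariant from Slide #5-20: maxlevel(s) dom curlevel(s).
        if not dom(self.maxlevel, new_level):
            raise PermissionError(f"{self.name}: curlevel above maxlevel")
        self.curlevel = new_level

def colonel_writes_to_major():
    """Returns (write allowed at maxlevel, write allowed after lowering)."""
    colonel = Subject("Colonel", level("Secret", "NUC", "EUR"))
    major = level("Secret", "EUR")  # Major treated as an object
    before = can_write(colonel.curlevel, major)
    colonel.set_curlevel(level("Secret", "EUR"))
    return before, can_write(colonel.curlevel, major)
```

Because `set_curlevel` only accepts levels that maxlevel dominates, a subject can lower its current level to write to a less-cleared recipient but can never raise it past its clearance.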

