Pitt IS 2935 - Confidentiality and Integrity Policies


Introduction to Computer Security, Lecture 4: Confidentiality and Integrity Policies
INFSCI 2935: Introduction to Computer Security, September 18, 2003
Courtesy of Professors Chris Clifton & Matt Bishop

[Slide 2] Bell-LaPadula: Basics
- Mandatory access control
  - Entities are assigned security levels
  - Subject has security clearance L(s) = l_s
  - Object has security classification L(o) = l_o
  - Simplest case: security levels are arranged in a linear order l_i < l_(i+1)
- Example: Top Secret > Secret > Confidential > Unclassified

[Slide 3] "No Read Up"
- Information is allowed to flow up, not down
- Simple security property:
  - s can read o if and only if l_o ≤ l_s and s has read access to o
  - Combines mandatory (security levels) and discretionary (permission required) controls
  - Prevents subjects from reading objects at higher levels (No Read Up rule)

[Slide 4] "No Write Down"
- Information is allowed to flow up, not down
- *-property:
  - s can write o if and only if l_s ≤ l_o and s has write access to o
  - Combines mandatory (security levels) and discretionary (permission required) controls
  - Prevents subjects from writing to objects at lower levels (No Write Down rule)

[Slide 5] Bell-LaPadula Model: Categories
- Total order of classifications not flexible enough
  - Alice cleared for missiles; Bob cleared for warheads; both cleared for targets
- Solution: categories
  - Use a set of compartments (from the power set of compartments)
  - Enforces the "need to know" principle
  - Security levels become pairs (level, category set)
    - (Top Secret, {Nuc, Eur, Asi})
    - (Top Secret, {Nuc, Asi})
- Dominates relation
  - (L, C) dominates (L', C') ⇔ L' ≤ L and C' ⊆ C
  - Induces a lattice of security levels

[Slide 6] Lattice of categories
- Lattice over the compartments Nuc, Eur, Us (bottom to top):
  - {}
  - {Nuc}, {Eur}, {Us}
  - {Nuc, Eur}, {Nuc, Us}, {Eur, Us}
  - {Nuc, Eur, Us}
- Examples of levels
  - (Top Secret, {Nuc, Asi}) dom (Secret, {Nuc})?
  - (Secret, {Nuc, Eur}) dom (Confidential, {Nuc, Eur})?
  - (Top Secret, {Nuc}) dom (Confidential, {Eur})?
- Bounds
  - Greatest lower bound, glb
  - Least upper bound, lub
  - glb of {Nuc, Us} & {Eur, Us}?
  - lub of {Nuc, Us} & {Eur, Us}?

[Slide 7] Access Rules
- Simple Security Condition: S can read O if and only if
  - clearance of S dominates classification of O, and
  - S has read access to O
- *-Property: S can write O if and only if
  - classification of O dominates clearance of S, and
  - S has write access to O
- Secure system: one with the above properties
- Theorem: Let Σ be a system with secure initial state s_0, and T be a set of state transformations
  - If every element of T follows the rules, every state s_i is secure

[Slide 8] Problem: No write-down
- A cleared subject can't communicate to a non-cleared subject
- Any write from l_i to l_k, i > k, would violate the *-property
  - Subject at l_i can only write to l_i and above
- Any read from l_k to l_i, i > k, would violate the simple security property
  - Subject at l_k can only read from l_k and below
- Subject at level i can't write something readable by a subject at k
  - Not very practical
  - Solution: allow a maximum level and a current level

[Slide 9] Principle of Tranquility
- Should we change classification levels?
- Raising an object's security level
  - Information once available to some subjects is no longer available
  - Usually assumes the information has already been accessed
  - Simple security property violated?
- Lowering an object's security level
  - Simple security property violated?
  - The declassification problem
  - Essentially a "write down" violating the *-property
  - Solution: define a set of trusted subjects that sanitize or remove sensitive information before the security level is lowered

[Slide 10] Types of Tranquility
- Strong tranquility
  - The clearances of subjects, and the classifications of objects, do not change during the lifetime of the system
- Weak tranquility
  - The clearances of subjects, and the classifications of objects, do not change in a way that violates the simple security condition or the *-property during the lifetime of the system

[Slide 11] Multiview model of multilevel security
[Figure: class Person with attributes Name: String, Age: Int, Country: String; instance object O1 with attributes Name: (Ralph, U), Age: (35, C), Country: (USA, C); (a) the classified-DB and unclassified-DB views of the multilevel database, and (b) the two views after an update.]

[Slide 12] Integrity Policies

[Slide 13] Overview
- Requirements
  - Very different from confidentiality policies
- Biba's models
  - Low-Water-Mark policy
  - Ring policy
  - Strict Integrity policy
- Lipner's model
  - Combines Bell-LaPadula and Biba
- Clark-Wilson model

[Slide 14] Requirements of Commercial Integrity Policies (
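The lattice, dominance relation, access rules and weak tranquility check from the slides above, as an added Python example (not part of the lecture or Bishop's text). It assumes the four-level linear order and the compartment names (Nuc, Eur, Us, Asi) used in the slides; the relabel check on an object's open accesses is my own operationalisation of the weak tranquility definition.

```python
# Linear order of classifications from the lecture; the list index is the rank.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a, b):
    """(L, C) dom (L', C')  iff  L' <= L and C' is a subset of C."""
    (la, ca), (lb, cb) = a, b
    return RANK[lb] <= RANK[la] and frozenset(cb) <= frozenset(ca)


def lub(a, b):
    """Least upper bound: the higher classification, union of the category sets."""
    (la, ca), (lb, cb) = a, b
    return (LEVELS[max(RANK[la], RANK[lb])], frozenset(ca) | frozenset(cb))


def glb(a, b):
    """Greatest lower bound: the lower classification, intersection of the category sets."""
    (la, ca), (lb, cb) = a, b
    return (LEVELS[min(RANK[la], RANK[lb])], frozenset(ca) & frozenset(cb))


def can_read(clearance, classification, dac_read):
    """Simple security condition: clearance dom classification, plus discretionary read."""
    return dac_read and dominates(clearance, classification)


def can_write(clearance, classification, dac_write):
    """*-property: classification dom clearance, plus discretionary write (no write down)."""
    return dac_write and dominates(classification, clearance)


def relabel_preserves_weak_tranquility(new_classification, open_accesses):
    """Weak tranquility (constructed check): an object's classification may change only
    if no access currently held on it would then violate the simple security condition
    or the *-property. open_accesses is a list of (subject_clearance, 'read' | 'write')."""
    for clearance, mode in open_accesses:
        if mode == "read":
            ok = can_read(clearance, new_classification, True)
        else:
            ok = can_write(clearance, new_classification, True)
        if not ok:
            return False
    return True
```

Running the slide's three dominance questions through `dominates` answers them yes, yes, no; `glb`/`lub` of {Nuc, Us} and {Eur, Us} give {Us} and {Nuc, Eur, Us}.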

