
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger

CSE 543 - Computer Security
Lecture 21 - IP Security
November 13, 2005
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

Abstract

• One sentence each for:
  • Area
    • Topic of work
  • Problem
    • What's the issue?
  • Solution
    • How do you propose to address the problem?
  • Experimental insight
  • Methodology
    • What's the experiment?
  • Results
    • What did you find?
  • Take Away: Lesson

Abstract

• An example
• Not always (usually) followed exactly...

A Comparison of Commercial and Military Computer Security Policies

David D. Clark* - David R. Wilson**

* Senior Research Scientist, MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139
** Director, Information Security Services, Ernst & Whinney, 2000 National City Center, Cleveland, OH 44114

ABSTRACT

Most discussions of computer security focus on control of disclosure. In particular, the U.S. Department of Defense has developed a set of criteria for computer mechanisms to provide control of classified information. However, for that core of data processing concerned with business operation and control of assets, the primary security concern is data integrity. This paper presents a policy for data integrity based on commercial data processing practices, and compares the mechanisms needed for this policy with the mechanisms needed to enforce the lattice model for information security. We argue that a lattice model is not sufficient to characterize integrity policies, and that distinct mechanisms are needed to control disclosure and to provide integrity.

CH2416-6/87/0000/0184$01.00 © 1987 IEEE

Area: Computer Security
Problem: However, ... primary security
Solution: This paper
Methodology: Argue
Take Away: Distinct mechanisms are needed

Introduction

• One paragraph each on:
  • Area
    • More elaborate
  • Problem
    • Scenario
  • Why is problem not solved
    • Brief of related work or the challenge
  • Proposed insight ("In this paper, ...")
  • What is the experiment?
  • Contributions -- What will the reader learn?

Intro Example

A Comparison of Commercial and Military Computer Security Policies

INTRODUCTION

Any discussion of mechanisms to enforce computer security must involve a particular security policy that specifies the security goals the system must meet and the threats it must resist. For example, the high-level security goals most often specified are that the system should prevent unauthorized disclosure or theft of information, should prevent unauthorized modification of information, and should prevent denial of service. Traditional threats that must be countered are system penetration by unauthorized persons, unauthorized actions by authorized persons, and abuse of special privileges by systems programmers and facility operators. These threats may be intentional or accidental.

Imprecise or conflicting assumptions about desired policies often confuse discussions of computer security mechanisms. In particular, in comparing commercial and military systems, a misunderstanding about the underlying policies the two are trying to enforce often leads to difficulty in understanding the motivation for certain mechanisms that have been developed and espoused by one group or the other. This paper discusses the military security policy, presents a security policy valid in many commercial situations, and then compares the two policies to reveal important differences between them.

The military security policy we are referring to is a set of policies that regulate the control of classified information within the government. This well-understood, high-level information security policy is that all classified information shall be protected from unauthorized disclosure or declassification. Mechanisms used to enforce this policy include the mandatory labeling of all documents with their classification level, and the assigning of user access categories based on the investigation (or "clearing") of all persons permitted to use this information. During the last 15 to 20 years, considerable effort has gone into determining which mechanisms should be used to enforce this policy within a computer. Mechanisms such as identification and authorization of users, generation of audit information, and association of access control labels with all information objects are well understood. This policy is defined in the Department of Defense Trusted Computer System Evaluation Criteria [DOD], often called the "Orange Book" from the color of its cover. It articulates a standard for maintaining confidentiality of information and is, for the purposes of our paper, the "military" information security policy. The term "military" is perhaps not the most descriptive characterization of this policy; it is relevant to any situation in which access rules for sensitive material must be enforced. We use the term "military" as a concise tag which at least captures the origin of the policy.

