© G. Dhillon, IS Department, Virginia Commonwealth University
Principles of IS Security
Formal Models
The Good Old Days
Mainframe computers
• Physically isolated from casual access by unauthorized personnel
• Programs, data passed to/from computer by trusted staff
• No authorization, no job
So, no problem, right?
The Good New Days
Computers are everywhere
• Access can often be achieved by walking up to the keyboard/display and beginning to work
• What’s an authorization number?
So, big problem, right?
Access Control
Determines and monitors who can do what with what in the computer
Is much more than establishing a physical perimeter around the computer
Can’t happen without identification and authentication (about which, more later)
Needs to be instantiated in a policy
Subjects and Objects
Remember your English grammar
• Subjects act
• Objects are acted upon
These roles are not graven in stone
• If you hit the ball, you are the subject
• If the ball hits you, you are the object
It is just the same in computer science
Access Control Model
Figure: Subject → Request → Reference Monitor → Object
Any of these points is a vulnerability. How to protect?
Access Control
Determine whether a principal can perform a requested operation on a target object
• Principal: user, process, etc.
• Operation: read, write, etc.
• Object: file, tuple, etc.
Basic Access Control
Figure: the subject sends a request to the authorization mechanism, which consults the security policy and returns grant/deny for the object
Why are we still talking about access control?
An access control policy is a specification for an access decision function
The policy aims to achieve
• Permit the principal’s intended function (availability)
• Ensure security properties are met (integrity, confidentiality)
• Limit to “Least Privilege,” protect system integrity, prevent unauthorized leakage, etc.
• Also known as ‘constraints’
• Enable administration of a changeable system (simplicity)
“Simple” example
Prof A manages access to course objects
• Assign access to individual (principal: Bob)
• Assign access to aggregate (course-students)
• Associate access to relation (students(course))
• Assign students to project groups (student(course, project, group))
Prof A wants certain guarantees
• Students cannot modify objects written by Prof Alice
• Students cannot read/modify objects of other groups
Prof A must be able to maintain access policy
• Ensure that individual rights do not violate guarantees
• However, exceptions are possible: students may distribute their results from previous assignments for an exam
Access Control is Hard Because
Access control requirements are domain-specific
• Generic approaches over-generalize
Access control requirements can change
• Anyone could be an administrator
The Safety Problem
• Can only know what is leaked right now
Access is fail-safe, but constraints are not
• And constraints must restrict all future states
Remember the Purpose
Confidentiality Integrity Availability
Reference Monitor
Makes access control work
You can tell it
• What a subject is allowed to do (privilege)
• What may be done with an object (permission)
In order to specify these things, you need to know all the possibilities, or you need to define things narrowly so that what you don't know doesn’t become allowed
Access Operations (Example)
Observe
• Read
• Write
Alter
• Write
• Append
How do you execute a program?
Bell-LaPadula Access Rights
e: execute
r: read
a: append
w: write
Don’t assume anything when dealing with security!
Access Control Types
Discretionary: the file owner is in charge
Mandatory: the system policy is in charge
One can exist within the other, especially discretionary within a class of mandatory
Access Control Matrix
A = set of access operations permitted
S = set of subjects
O = set of objects
$M = (M_{so})_{s \in S,\ o \in O}$, with $M_{so} \subseteq A$ the set of operations subject $s$ may perform on object $o$
Access Control Matrix Example
          Bill.doc   Edit.exe   Fun.com
Bill      r,w        e          e,r,w
Alice     -          e          e,r
How easy is this to implement?
Access Control Lists
Stores the access rights within the object
Convenient, quick
Difficult to modify globally w.r.t. subjects, easy w.r.t. the object
How to find out what a subject is able to do?
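The matrix, its ACL (column) and capability (row) views, and the "what can this subject do?" question, worked through in Python. This is an added example, not code from the lecture: the cells are the slide's own Bill/Alice example, while the function names, the operation set A and the default-deny decision function are this example's assumptions.

```python
"""Access control matrix with ACL and capability views and a default-deny decision.

Added example for the 'Access Control Matrix' and 'Access Control Lists' slides;
not code from the lecture. The matrix cells are the slide's example (Bill and
Alice; Bill.doc, Edit.exe, Fun.com). Function names, the set A and the unknown
subject 'Mallory' used below are this example's own assumptions.
"""

from typing import Dict, FrozenSet, Tuple

Ops = FrozenSet[str]
Matrix = Dict[Tuple[str, str], Ops]

# A: the access operations the system permits at all (the slides' e, r, a, w).
A: Ops = frozenset({"e", "r", "a", "w"})


def build_example_matrix() -> Matrix:
    """M_so for the slide's example. A missing (subject, object) key is the
    empty set, which is how the '-' cell for Alice on Bill.doc is stored."""
    return {
        ("Bill", "Bill.doc"): frozenset({"r", "w"}),
        ("Bill", "Edit.exe"): frozenset({"e"}),
        ("Bill", "Fun.com"): frozenset({"e", "r", "w"}),
        ("Alice", "Edit.exe"): frozenset({"e"}),
        ("Alice", "Fun.com"): frozenset({"e", "r"}),
    }


def rights(m: Matrix, subject: str, obj: str) -> Ops:
    """M_so; the empty set for any pair the matrix does not mention."""
    return m.get((subject, obj), frozenset())


def decide(m: Matrix, subject: str, op: str, obj: str) -> bool:
    """Reference-monitor decision: grant only if op is in M_so.

    Anything the matrix does not list (an unknown subject, object or
    operation) falls through to deny, so what the policy does not know
    about does not become allowed."""
    if op not in A:
        return False
    return op in rights(m, subject, obj)


def acl(m: Matrix, obj: str) -> Dict[str, Ops]:
    """The object's column: an access control list stored 'with the object'.
    'Who can touch this object?' is one lookup."""
    return {s: ops for (s, o), ops in m.items() if o == obj and ops}


def capabilities(m: Matrix, subject: str) -> Dict[str, Ops]:
    """The subject's row: a capability list. 'What can this subject do?'
    is one lookup here, but needs a scan of every object's ACL."""
    return {o: ops for (s, o), ops in m.items() if s == subject and ops}


def what_can_subject_do_via_acls(m: Matrix, subject: str) -> Dict[str, Ops]:
    """The same question answered the ACL way: walk every object's ACL and
    collect the entries naming the subject. Same answer, whole-system cost."""
    objects = {o for (_, o) in m}
    found = {}
    for o in sorted(objects):
        entry = acl(m, o).get(subject)
        if entry:
            found[o] = entry
    return found


def revoke_subject(m: Matrix, subject: str) -> int:
    """A global change w.r.t. a subject: clear every right the subject holds.
    Returns the number of cells cleared. With per-object ACLs this is the
    hard case, because every object's list has to be edited."""
    keys = [k for k in m if k[0] == subject]
    for k in keys:
        del m[k]
    return len(keys)


if __name__ == "__main__":
    m = build_example_matrix()
    print("Bill w Bill.doc:", decide(m, "Bill", "w", "Bill.doc"))    # True
    print("Alice r Bill.doc:", decide(m, "Alice", "r", "Bill.doc"))  # False
    print("Mallory r Fun.com:", decide(m, "Mallory", "r", "Fun.com"))  # False
    print("ACL of Fun.com:", acl(m, "Fun.com"))
    print("Alice's capabilities:", capabilities(m, "Alice"))
    print("Cells cleared revoking Bill:", revoke_subject(m, "Bill"))  # 3
```

The two views hold the same information; they differ in which question is cheap. The decision function deliberately returns False for anything outside the matrix and outside A, which is the "define things narrowly" point from the Reference Monitor slide.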
Intermediate Controls
• Groups
• Negative permissions
• Protection rings
• Abilities
• Privileges
• Role-based
Security Levels
Linear
• Top secret
• Secret
• Confidential
• Unclassified
Lattice
• Security level
• Compartment
Security Level Examples
Linear
• Marking contains the name of the level
• Each higher level dominates those below it
Lattice
• Marking contains name of level + name of compartment (e.g. TOP SECRET PETUNIA)
• Only those “read into” the compartment can read the information in that compartment, and then only at the level of their overall access
Who Can Read What?
• In a linear system?
• In a lattice system?
• What is dominance?
System High/Low
System High is the highest security level in the system. It can be thought of as the apex of all lattice levels
System Low is the lowest security level in the system. It can be thought of as that level which all system users can “see”
Security Models Implement Access Control Policy
Why?
• If you can’t describe it, you can’t measure it, and you don’t know what it is
• Policy requires a model
• Security requires a policy
Access Control Models
Subjects and Objects have security levels and optional categories
Confidentiality Policy (e.g., Bell-LaPadula)
• Simple property: may read only if the subject’s security level dominates the object’s security level (read-down)
• *-property: may write only if the subject’s security level is dominated by the object’s security level (write-up)
• Tranquility property: may not change the security level of an object concurrent to its use
Integrity Policy
• Biba is the dual of BLP for integrity
Security Levels and Policies
Dominance: 1 > 2 > 3 (L:1 is the highest level)
Operations a subject at L:2 may perform on objects at each level:
Object   BLP Operations   Biba Operations
L:1      Write            Read
L:2      Read/write       Read/write
L:3      Read             Write
BLP: Example 1
Figure: subjects at Top Secret, Secret and Unclassified reading objects at Top Secret, Secret and Unclassified; each read shown is marked Read OK; arrows indicate information flow from object to subject
BLP: Example 2
Figure: the same subject and object levels; two reads are marked Read OK and one is marked Read Forbidden, as the simple property allows read-down and forbids read-up; arrows indicate information flow
BLP: Example 3
Suppose Tom’s security class is [Secret, {medical, salary}].
Then Tom can read the following information:
• Any information classified Secret or lower that has no categories
• Any information classified Secret or lower that belongs to category medical
• Any information classified Secret or lower that belongs to the category salary
Tom CANNOT read information that is
• Classified higher than Secret
• Classified Secret or lower and has a category other than medical or salary associated with it
Suppose a file’s security class is [Secret, {medical, salary}]
• It can be read only by subjects having a clearance of Secret or better, and who have read access to BOTH categories medical and salary.
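The lattice of [level, {categories}] labels, dominance, and the BLP and Biba rules from the Access Control Models and Security Levels and Policies slides, run against Tom's Example 3. This is an added example, not code from the lecture: the level order is the slides' linear list, Tom's class and the file's class are the slide's, and the class and function names are this example's own. It goes a step further than the slide by deciding all four of the slides' rights (e, r, a, w) from the observe/alter split on the Access Operations slide; treating execute as neither observing nor altering is an assumption drawn from that slide listing it under neither.

```python
"""Security labels as a lattice, with the BLP and Biba rules over them.

Added example for the 'Access Control Models', 'Security Levels and Policies'
and 'BLP: Example 3' slides; not code from the lecture. Level order is the
slides' linear list; categories are the slides' compartments; Tom's class
[Secret, {medical, salary}] is the slides' Example 3. Class and function
names are this example's own. Execute ('e') is treated as neither observe
nor alter, an assumption taken from the 'Access Operations' slide.
"""

from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

LEVELS = ("Unclassified", "Confidential", "Secret", "Top Secret")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Which of the slides' rights observe an object and which alter it.
OBSERVES = {"r", "w"}
ALTERS = {"w", "a"}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level AND a superset of categories."""
        return (RANK[self.level] >= RANK[other.level]
                and self.categories >= other.categories)


def join(labels: Iterable[Label]) -> Label:
    """Least upper bound of the labels: 'System High' for this set."""
    labels = list(labels)
    level = max((l.level for l in labels), key=RANK.__getitem__)
    cats = frozenset().union(*(l.categories for l in labels))
    return Label(level, cats)


def meet(labels: Iterable[Label]) -> Label:
    """Greatest lower bound of the labels: 'System Low' for this set."""
    labels = list(labels)
    level = min((l.level for l in labels), key=RANK.__getitem__)
    cats = frozenset.intersection(*(l.categories for l in labels))
    return Label(level, cats)


def blp_read(subject: Label, obj: Label) -> bool:
    """Simple property (read down): the subject dominates the object."""
    return subject.dominates(obj)


def blp_write(subject: Label, obj: Label) -> bool:
    """*-property (write up): the object dominates the subject."""
    return obj.dominates(subject)


def biba_read(subject: Label, obj: Label) -> bool:
    """Biba dual: read up only (object's integrity dominates the subject's)."""
    return obj.dominates(subject)


def biba_write(subject: Label, obj: Label) -> bool:
    """Biba dual: write down only (subject's integrity dominates the object's)."""
    return subject.dominates(obj)


def blp_decide(subject: Label, op: str, obj: Label) -> bool:
    """Mandatory decision for one of the slides' rights e, r, a, w.

    An observing operation needs the simple property, an altering one the
    *-property; 'w' is both, so it is only allowed between equal labels.
    Unknown operations are denied."""
    if op not in {"e", "r", "a", "w"}:
        return False
    if op in OBSERVES and not blp_read(subject, obj):
        return False
    if op in ALTERS and not blp_write(subject, obj):
        return False
    return True


def readable_by(subject: Label, objs: Iterable[Label]) -> List[Label]:
    """Which of the given object labels the subject may read under BLP."""
    return [o for o in objs if blp_read(subject, o)]


if __name__ == "__main__":
    tom = Label("Secret", frozenset({"medical", "salary"}))
    samples = [Label("Secret"), Label("Unclassified", frozenset({"medical"})),
               Label("Top Secret"), Label("Confidential", frozenset({"nuclear"}))]
    for o in samples:
        print(o, "readable by Tom:", blp_read(tom, o))
    f = Label("Secret", frozenset({"medical", "salary"}))
    print("Tom may write f:", blp_decide(tom, "w", f))   # True: equal labels
    print("System High of samples:", join(samples))
```

Note that "w" (observe and alter) is only granted when subject and object labels are equal, which is why BLP systems that need to write up use append rather than write.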
Purpose of BLP and Biba
BLP
• Prevent Trojan horses from leaking information to lower security levels
• Mandatory access control and implicit constraints
Biba
• Prevent low integrity information flows to higher integrity processes
• E.g., code, configuration, user requests, buffer overflows
Categories/Compartments for separation within levels
Safety is implicit in the model
• No additional constraints are needed to express security guarantees
Problems with these models
• Enforce a single security policy
• Do not support the specification of expressive policies
• Policies are not adaptive (do not allow active actions when security violations are suspected or detected)
• Provide no means to reason about the composition of policies
Problems: Example 1
Figure: an access request evaluated against MAC and DAC local policies