© G. Dhillon, IS Department, Virginia Commonwealth University. Principles of IS Security: Formal Models (slide transcript)

Page 1:

Principles of IS Security

Formal Models

Page 2:

The Good Old Days

Mainframe computers
• Physically isolated from casual access by unauthorized personnel
• Programs, data passed to/from computer by trusted staff
• No authorization, no job

So, no problem, right?

Page 3:

The Good New Days

Computers are everywhere
• Access can often be achieved by walking up to the keyboard/display and beginning to work
• What’s an authorization number?

So, big problem, right?

Page 4:

Access Control

Determines and monitors who can do what with what in the computer

Is much more than establishing a physical perimeter around the computer

Can’t happen without identification and authentication (about which, more later)

Needs to be instantiated in a policy

Page 5:

Subjects and Objects

Remember your English grammar
• Subjects act
• Objects are acted upon
• These roles are not graven in stone

• If you hit the ball, you are the subject

• If the ball hits you, you are the object

It is just the same in computer science

Page 6:

Access Control Model

Diagram: Subject → Request → Reference Monitor → Object

Any of these points is a vulnerability. How to protect?

Page 7:

Access Control

Determine whether a principal can perform a requested operation on a target object

• Principal: user, process, etc.
• Operation: read, write, etc.
• Object: file, tuple, etc.

Page 8:

Basic Access Control

Diagram (labels only): a subject sends a request to the Authorization Mechanism, which consults the Security Policy and returns grant/deny for the object.

Page 9:

Why are we still talking about access control?

An access control policy is a specification for an access decision function

The policy aims to achieve
• Permit the principal’s intended function (availability)
• Ensure security properties are met (integrity, confidentiality)
  • Limit to “Least Privilege,” protect system integrity, prevent unauthorized leakage, etc.
  • Also known as ‘constraints’
• Enable administration of a changeable system (simplicity)

Page 10:

“Simple” example

Prof A manages access to course objects
• Assign access to individual (principal: Bob)
• Assign access to aggregate (course-students)
• Associate access to relation (students(course))
• Assign students to project groups (student(course, project, group))

Prof A wants certain guarantees
• Students cannot modify objects written by Prof Alice
• Students cannot read/modify objects of other groups

Prof A must be able to maintain access policy
• Ensure that individual rights do not violate guarantees
• However, exceptions are possible – students may distribute their results from previous assignments for an exam

Page 11:

Access Control is Hard Because

Access control requirements are domain-specific
• Generic approaches over-generalize

Access control requirements can change
• Anyone could be an administrator

The Safety Problem
• Can only know what is leaked right now

Access is fail-safe, but constraints are not
• And constraints must restrict all future states

Page 12:

Remember the Purpose

• Confidentiality
• Integrity
• Availability

Page 13:

Reference Monitor

Makes access control work

You can tell it
• What a subject is allowed to do (privilege)
• What may be done with an object (permission)

In order to specify these things, you need to know all the possibilities, or you need to define things narrowly so that what you don’t know doesn’t become allowed

Page 14:

Access Operations (Example)

Observe
• Read
• Write

Alter
• Write
• Append

How do you execute a program?

Page 15:

Bell-LaPadula Access Rights

e: execute
r: read
a: append
w: write

Don’t assume anything when dealing with security!

Page 16:

Access Control Types

Discretionary: the file owner is in charge
Mandatory: the system policy is in charge
One can exist within the other, especially discretionary within a class of mandatory

Page 17:

Access Control Matrix

A = set of access operations permitted
S = set of subjects
O = set of objects

$M = (M_{so})_{s \in S,\, o \in O}$, with $M_{so} \subseteq A$ the set of operations subject $s$ may perform on object $o$

Page 18:

Access Control Matrix Example

          Bill.doc   Edit.exe   Fun.com
Bill      r,w        e          e,r,w
Alice     -          e          e,r

How easy is this to implement?

Page 19:

Access Control Lists

Stores the access rights within the object
Convenient, quick
Difficult to modify globally w.r.t. subjects, easy w.r.t. the object
How to find out what a subject is able to do?
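An added example (not from the slides) that stores the matrix from the Access Control Matrix Example slide both ways: as per-object ACLs, the storage this slide describes, and as per-subject capability lists. The helper names (`acls`, `capabilities`, `reference_monitor`, `rights_of_subject`, `revoke_subject`) are assumptions of this example; the last two show why a subject-wide query or change has to touch every object’s ACL.

```python
from collections import defaultdict

# Constructed from the slide: MATRIX[subject][object] = operations permitted.
MATRIX = {
    "Bill":  {"Bill.doc": {"r", "w"}, "Edit.exe": {"e"}, "Fun.com": {"e", "r", "w"}},
    "Alice": {"Bill.doc": set(),      "Edit.exe": {"e"}, "Fun.com": {"e", "r"}},
}

def acls(matrix):
    """ACL view: rights stored with the object, object -> {subject: ops}."""
    out = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, ops in row.items():
            if ops:  # empty cell = no entry at all
                out[obj][subject] = set(ops)
    return dict(out)

def capabilities(matrix):
    """Capability view: rights stored with the subject, subject -> {object: ops}."""
    return {s: {o: set(ops) for o, ops in row.items() if ops}
            for s, row in matrix.items()}

def reference_monitor(acl, subject, op, obj):
    """Grant only what the object's ACL lists; unknown subjects/objects are denied."""
    return op in acl.get(obj, {}).get(subject, set())

def rights_of_subject(acl, subject):
    """The slide's question: with ACLs, answering 'what can this subject do?'
    means scanning every object's list."""
    return {obj: set(entries[subject])
            for obj, entries in acl.items() if subject in entries}

def revoke_subject(acl, subject):
    """A global change w.r.t. one subject: every ACL must be visited.
    Returns the objects whose ACL was modified."""
    touched = []
    for obj, entries in acl.items():
        if entries.pop(subject, None) is not None:
            touched.append(obj)
    return touched
```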

Page 20:

Intermediate Controls

• Groups
• Negative permissions
• Protection rings
• Abilities
• Privileges
• Role-based

Page 21:

Security Levels

Linear
• Top secret
• Secret
• Confidential
• Unclassified

Lattice
• Security level
• Compartment

Page 22:

Security Level Examples

Linear
• Marking contains the name of the level
• Each higher level dominates those below it

Lattice
• Marking contains name of level + name of compartment (e.g. TOP SECRET PETUNIA)
• Only those “read into” the compartment can read the information in that compartment, and then only at the level of their overall access

Page 23:

Who Can Read What?

In a linear system?
In a lattice system?
What is dominance?

Page 24:

System High/Low

System High is the highest security level in the system. It can be thought of as the apex of all lattice levels

System Low is the lowest security level in the system. It can be thought of as that level which all system users can “see”

Page 25:

Security Models Implement Access Control Policy

Why?
• If you can’t describe it, you can’t measure it, and you don’t know what it is
• Policy requires a model
• Security requires a policy

Page 26:

Access Control Models

Subjects and Objects have security levels and optional categories

Confidentiality Policy (e.g., Bell-LaPadula)
• Simple property: may read only if the subject’s security level dominates the object’s security level (read-down)
• *-property: may write only if the subject’s security level is dominated by the object’s security level (write-up)
• Tranquility property: may not change the security level of an object concurrent to its use

Integrity Policy
• Biba is the dual of BLP for integrity

Page 27:

Security Levels and Policies

Levels L:1, L:2, L:3 with dominance 1 > 2 > 3 (diagram reconstructed as a table; the subject sits at L:2)

Object level   BLP operations   Biba operations
L:1            Write            Read
L:2            Read/write       Read/write
L:3            Read             Write

Page 28:

BLP: Example 1

Figure (labels only): Subjects at Top Secret, Secret, Unclassified; Objects at Top Secret, Secret, Unclassified; each read request marked Read OK; arrow labelled “information flow”.

Page 29:

BLP: Example 2

Figure (labels only): Subjects at Top Secret, Secret, Unclassified; Objects at Top Secret, Secret, Unclassified; read requests marked Read OK, Read Forbidden, Read OK; arrow labelled “information flow”.

Page 30:

BLP: Example 3

Suppose Tom’s security class is [Secret, {medical, salary}].
• Then Tom can read the following information:
  • Any information classified Secret or lower that has no categories
  • Any information classified Secret or lower that belongs to category medical
  • Any information classified Secret or lower that belongs to the category salary
• Tom CANNOT read information that is
  • Classified higher than Secret
  • Classified Secret or lower and has a category other than medical or salary associated with it.

Suppose a file’s security class is [Secret, {medical, salary}]
• It can be read only by subjects having a clearance of Secret or better, and who have read access to BOTH categories medical and salary.
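An added example (not from the slides) of the lattice decisions from the Security Levels, Access Control Models, Security Levels and Policies, and BLP Example 3 slides: a security class is a level plus a set of categories, dominance is the lattice order, and the BLP simple/*-properties and their Biba duals are decided over it. `SecurityClass`, `LEVELS` and the `*_can_*` function names are assumptions of this example.

```python
from dataclasses import dataclass, field

# Linear part of the lattice; larger number = higher level.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class SecurityClass:
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """Lattice order: level is higher-or-equal AND categories are a superset.
        Two classes with incomparable category sets dominate neither way."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def blp_can_read(subject, obj):
    """BLP simple property: read down only (subject dominates object)."""
    return subject.dominates(obj)

def blp_can_write(subject, obj):
    """BLP *-property: write up only (object dominates subject)."""
    return obj.dominates(subject)

def biba_can_read(subject, obj):
    """Biba, the dual: read up only, so low-integrity data never flows up."""
    return obj.dominates(subject)

def biba_can_write(subject, obj):
    """Biba: write down only (subject's integrity dominates the object's)."""
    return subject.dominates(obj)

def sc(level, *categories):
    """Constructed shorthand: sc("Secret", "medical", "salary")."""
    return SecurityClass(level, frozenset(categories))

# Tom's class from the slide.
TOM = sc("Secret", "medical", "salary")
```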

Page 31:

Purpose of BLP and Biba

BLP
• Prevent Trojan horses from leaking information to lower security levels
• Mandatory access control and implicit constraints

Biba
• Prevent low integrity information flows to higher integrity processes
• E.g., code, configuration, user requests, buffer overflows

Categories/Compartments for separation within levels

Safety is implicit in the model
• No additional constraints are needed to express security guarantees

Page 32:

Problems with these models

These models
• enforce a single security policy
• do not support the specification of expressive policies
• policies are not adaptive (do not allow active actions when security violations are suspected or detected)
• provide no means to reason about the composition of policies

Page 33:

Problems: Example 1

Diagram (labels only): MAC, DAC, access request, local policies.