03_IntegrityPolicies


Transcript of 03_IntegrityPolicies

  • 7/30/2019 03_IntegrityPolicies


    Slide #6-1

Chapter 3: Integrity Policies

Overview

Requirements

The Biba model

The Clark-Wilson model


    Slide #6-2

Policy requirements

1. Users do not write their own programs.

2. Programmers develop and test programs on non-production systems; if they need real data, it is supplied to them through a special process, and they use it on the development system.

3. A special process must be followed to install a program from the development system onto the production system.

4. The special process in requirement 3 must be controlled and audited.

5. Managers and auditors must have access to both the system state and the logs that are generated.


    Slide #6-3

Principles

Separation of duty

Separation of function

Auditing


    Slide #6-4

The Biba integrity model

Set of subjects S, objects O, integrity levels I; relation $\le \subseteq I \times I$ holding when the second level dominates the first

$\min: I \times I \to I$ returns the lesser of two integrity levels

$i: S \cup O \to I$ gives the integrity level of an entity

$r \subseteq S \times O$ means $s \in S$ can read $o \in O$; w (write) and x (execute) are defined similarly


    Slide #6-5

Integrity levels

The higher the level, the more trustworthy the entity: that a program will execute correctly; that data is accurate and/or reliable

Integrity is therefore a relationship to trustworthiness

Note: integrity levels are not security levels


    Slide #6-6

The Biba model

Analogous to the Bell-LaPadula model, with the directions reversed (no read down, no write up):

1. $s \in S$ can read $o \in O$ iff $i(s) \le i(o)$

2. $s \in S$ can write to $o \in O$ iff $i(o) \le i(s)$

3. $s_1 \in S$ can execute $s_2 \in S$ iff $i(s_2) \le i(s_1)$
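The three rules above, together with $i$ and $\min$ from the definitions slide, as an added illustration (this code is added here and is not part of the original slides or of any Biba implementation). Integrity levels are encoded as integers with a higher number meaning more trustworthy; the entity names, their labels and the request trace are constructed for the example. Besides checking each request, it replays the trace while tracking the lowest-integrity source whose data has reached each entity, so running it once with enforcement and once without shows what the rules buy: with them, no entity ever holds data from below its own label.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Level = int  # integrity level; higher = more trustworthy (this example's encoding)


def dominates(a: Level, b: Level) -> bool:
    """The slide's relation a <= b: holds when the second level dominates the first."""
    return a <= b


def integrity_min(a: Level, b: Level) -> Level:
    """min: I x I -> I, the lesser of two integrity levels."""
    return a if dominates(a, b) else b


@dataclass
class BibaMonitor:
    subjects: Dict[str, Level] = field(default_factory=dict)
    objects: Dict[str, Level] = field(default_factory=dict)

    def i(self, name: str) -> Level:
        """i: S u O -> I, the integrity level of an entity."""
        return self.subjects[name] if name in self.subjects else self.objects[name]

    def can_read(self, s: str, o: str) -> bool:       # rule 1: i(s) <= i(o), no read down
        return dominates(self.i(s), self.i(o))

    def can_write(self, s: str, o: str) -> bool:      # rule 2: i(o) <= i(s), no write up
        return dominates(self.i(o), self.i(s))

    def can_execute(self, s1: str, s2: str) -> bool:  # rule 3: i(s2) <= i(s1)
        return dominates(self.i(s2), self.i(s1))

    def check(self, op: str, s: str, x: str) -> bool:
        return {"r": self.can_read, "w": self.can_write, "x": self.can_execute}[op](s, x)


Op = Tuple[str, str, str]  # (operation, subject, target)


def simulate(mon: BibaMonitor, ops: List[Op], enforce: bool = True):
    """Replay requests. Each entity carries a 'taint': the lowest integrity level of any
    entity whose data has reached it. Returns (taint, denied requests)."""
    taint: Dict[str, Level] = {**mon.subjects, **mon.objects}
    denied: List[Op] = []
    for op, s, x in ops:
        if enforce and not mon.check(op, s, x):
            denied.append((op, s, x))
            continue
        if op == "r":   # the object's data reaches the subject
            taint[s] = integrity_min(taint[s], taint[x])
        else:           # "w": subject's data reaches the object; "x": caller's input reaches the callee
            taint[x] = integrity_min(taint[x], taint[s])
    return taint, denied


def contaminated(mon: BibaMonitor, taint: Dict[str, Level]) -> List[str]:
    """Entities now holding data from below their own integrity label."""
    return sorted(name for name, lvl in taint.items() if lvl < mon.i(name))


def example_monitor() -> BibaMonitor:
    """Constructed sample labels: trusted admin and updater, an ordinary user, malware at the bottom."""
    return BibaMonitor(
        subjects={"admin": 3, "updater": 3, "user": 1, "malware": 0},
        objects={"/etc/passwd": 3, "/tmp/note": 1, "download": 0},
    )


# Constructed request trace: (op, subject, target).
EXAMPLE_OPS: List[Op] = [
    ("w", "malware", "/tmp/note"),  # write up: denied
    ("r", "admin", "/tmp/note"),    # read down: denied
    ("w", "admin", "/etc/passwd"),  # same level: allowed
    ("x", "user", "admin"),         # low subject invoking a high one: denied
    ("x", "admin", "updater"),      # same level: allowed
    ("r", "user", "download"),      # read down: denied
    ("w", "user", "/tmp/note"),     # same level: allowed
]

if __name__ == "__main__":
    mon = example_monitor()
    for enforce in (True, False):
        taint, denied = simulate(mon, EXAMPLE_OPS, enforce=enforce)
        print(f"enforce={enforce}: denied={len(denied)} contaminated={contaminated(mon, taint)}")
```

Without enforcement the malware's write to /tmp/note propagates through the admin's read into /etc/passwd and, via invocation, into the updater; with the three rules applied every one of those flows is refused before it happens.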


    Slide #6-7

Example: the LOCUS operating system

Goal: prevent untrusted software from altering data or other software

Approach: make trust explicit through a credibility rating, based on an estimate of the software's trustworthiness (0 untrusted, n highly trusted)

Trusted file systems contain software with a single credibility level

A process has a risk level, the highest credibility level at which the process can execute

The run-untrusted command must be used to run software at a lower credibility level


    Slide #6-8

The Clark-Wilson integrity model

Integrity is defined by constraints: data is in a consistent or valid state when it satisfies them

Example: a bank. D is today's deposits, W today's withdrawals, YB yesterday's balance, TB today's balance

Integrity constraint: $D + YB - W = TB$

Well-formed transaction: moves the system from one consistent state to another

Issue: who examines and certifies that transactions are done correctly?


    Slide #6-9

Entities

CDIs: constrained data items. Data subject to integrity controls

UDIs: unconstrained data items. Data not subject to integrity controls

IVPs: integrity verification procedures. Procedures that test that the CDIs conform to the integrity constraints

TPs: transaction procedures. Procedures that take the system from one valid state to another


    Slide #6-10

Certification Rules 1 and 2

CR1 When any IVP is run, it must ensure that all CDIs are in a valid state

CR2 For some associated set of CDIs, a TP must transform those CDIs from a valid state into a (possibly different) valid state

This defines a relation certified that associates a set of CDIs with a particular TP

Example: in the bank example, the TP is balance and the CDIs are the accounts


    Slide #6-11

Enforcement Rules 1 and 2

ER1 The system must maintain the certified relations and must ensure that only TPs certified to run on a CDI manipulate that CDI

ER2 The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user, and must not access them on behalf of any other user

The system must maintain and enforce the certified relation; it must also restrict access based on user ID (the allowed relation)


    Slide #6-12

Users and Rules

CR3 The allowed relations must meet the requirements imposed by the principle of separation of duty

ER3 The system must authenticate each user attempting to execute a TP

The type of authentication is undefined and depends on the instantiation

Authentication is not required before use of the system, but it is required before manipulation of CDIs (which requires using TPs)


    Slide #6-13

Logging

CR4 All TPs must append enough information to reconstruct the operation to an append-only CDI

This CDI is the log

The auditor needs to be able to determine what happened when reviewing transactions


    Slide #6-14

Handling untrusted input

CR5 Any TP that takes a UDI as input may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or converts it into a CDI

In the bank, numbers entered at the keyboard are UDIs, so they cannot be input to TPs directly. TPs must validate the numbers (making them CDIs) before using them; if validation fails, the TP rejects the UDI


    Slide #6-15

Separation of duty

ER4 Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of an entity associated with that TP, may ever have execute permission with respect to that entity

This enforces separation of duty with respect to the certified and allowed relations
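The certification and enforcement rules as they apply to the bank example (CR1, CR2, CR4, CR5 and ER1 to ER4), gathered into a small reference-monitor sketch. This is an illustration added here, not code from the original slides or from Clark and Wilson's paper. The account layout, the deposit and withdraw TPs, the users auditor and teller, their credentials and the UDI strings are all constructed for the example; CR3 appears only as the ER4 check that a certifier is never also an executor.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


class Rejected(Exception):
    """An enforcement or certification rule denied the request."""


# A CDI here is one bank account holding the slide's four quantities.
Account = Dict[str, int]  # keys: YB (yesterday's balance), D (deposits), W (withdrawals), TB (today's balance)


def make_account(yb: int) -> Account:
    return {"YB": yb, "D": 0, "W": 0, "TB": yb}


def ivp(cdis: Dict[str, Account]) -> bool:
    """CR1: every CDI must satisfy the integrity constraint D + YB - W = TB."""
    return all(a["D"] + a["YB"] - a["W"] == a["TB"] for a in cdis.values())


# Transaction procedures: each moves an account from one valid state to another (CR2).
def tp_deposit(acct: Account, amount: int) -> None:
    acct["D"] += amount
    acct["TB"] += amount


def tp_withdraw(acct: Account, amount: int) -> None:
    if amount > acct["TB"]:
        raise Rejected("insufficient funds")
    acct["W"] += amount
    acct["TB"] -= amount


def validate_amount(udi: str) -> int:
    """CR5: a keyboard string is a UDI; either convert it to a CDI (a positive int) or reject it."""
    if not (udi.isascii() and udi.isdigit()) or int(udi) <= 0:
        raise Rejected(f"UDI rejected: {udi!r}")
    return int(udi)


@dataclass
class ClarkWilson:
    cdis: Dict[str, Account] = field(default_factory=dict)
    certified: Dict[str, Tuple[Callable, FrozenSet[str]]] = field(default_factory=dict)  # TP -> (proc, CDIs)
    certifier: Dict[str, str] = field(default_factory=dict)          # TP -> user who certified it (ER4)
    allowed: Set[Tuple[str, str, str]] = field(default_factory=set)  # (user, TP, CDI) triples (ER2)
    secrets: Dict[str, str] = field(default_factory=dict)            # constructed toy credentials (ER3)
    sessions: Set[str] = field(default_factory=set)                  # users authenticated so far
    log: List[str] = field(default_factory=list)                     # the append-only log CDI (CR4)

    def certify(self, who: str, tp: str, proc: Callable, cdi_names) -> None:
        """Record the certified relation: proc is trusted to keep these CDIs valid (CR2)."""
        self.certified[tp] = (proc, frozenset(cdi_names))
        self.certifier[tp] = who

    def permit(self, who: str, user: str, tp: str, cdi: str) -> None:
        """Extend the allowed relation; ER4 restricts who may do this and for whom."""
        if self.certifier.get(tp) != who:
            raise Rejected(f"{who} did not certify {tp}")
        if user == who:
            raise Rejected("a certifier may not hold execute permission on its own TP")
        if cdi not in self.certified[tp][1]:
            raise Rejected(f"{tp} is not certified for {cdi}")
        self.allowed.add((user, tp, cdi))

    def authenticate(self, user: str, secret: str) -> bool:
        """ER3: a user must be authenticated before any TP runs on their behalf."""
        if self.secrets.get(user) != secret:
            return False
        self.sessions.add(user)
        return True

    def run(self, user: str, tp: str, cdi: str, udi: str) -> int:
        """Run TP on one CDI for user, applying ER3, ER1, ER2, CR5 and CR4; returns the new TB."""
        if user not in self.sessions:
            raise Rejected("not authenticated")  # ER3
        if tp not in self.certified:
            raise Rejected("uncertified TP")     # ER1
        proc, cert_cdis = self.certified[tp]
        if cdi not in cert_cdis or (user, tp, cdi) not in self.allowed:
            raise Rejected("not allowed")        # ER1 / ER2
        amount = validate_amount(udi)            # CR5
        before = dict(self.cdis[cdi])
        proc(self.cdis[cdi], amount)
        if not ivp({cdi: self.cdis[cdi]}):       # the IVP catches a TP that was certified wrongly
            self.cdis[cdi] = before
            raise Rejected("TP left the CDI in an invalid state")
        self.log.append(f"{user} {tp} {cdi} {amount} {before} -> {self.cdis[cdi]}")  # CR4
        return self.cdis[cdi]["TB"]


def attempt(fn, *args):
    """Call fn(*args) and return (True, result) or (False, reason) instead of raising."""
    try:
        return True, fn(*args)
    except Rejected as exc:
        return False, str(exc)


def build_bank() -> ClarkWilson:
    """Constructed sample deployment: an auditor certifies the TPs, a teller runs them."""
    cw = ClarkWilson(cdis={"acct-1": make_account(100)},
                     secrets={"teller": "hunter2", "auditor": "s3cret"})  # constructed, not real
    cw.certify("auditor", "deposit", tp_deposit, ["acct-1"])
    cw.certify("auditor", "withdraw", tp_withdraw, ["acct-1"])
    cw.permit("auditor", "teller", "deposit", "acct-1")
    cw.permit("auditor", "teller", "withdraw", "acct-1")
    return cw


if __name__ == "__main__":
    bank = build_bank()
    print(attempt(bank.run, "teller", "deposit", "acct-1", "50"))    # denied: ER3
    bank.authenticate("teller", "hunter2")
    print(attempt(bank.run, "teller", "deposit", "acct-1", "50"))    # (True, 150)
    print(attempt(bank.run, "teller", "withdraw", "acct-1", "abc"))  # denied: CR5
    print(bank.log)
```

The split between certify/permit (done by the auditor) and run (done by the teller) is the point of ER4: the person who vouches for a TP's correctness never gets to execute it, and the allowed relation can only be widened by that certifier. The post-transaction IVP call is defence in depth rather than a Clark-Wilson rule; in the model, CR2 is established at certification time.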


    Slide #6-16

Comparison with the requirements

1. Users do not write their own software: users cannot certify TPs, so CR5 and ER4 enforce this

2. No software development on production systems: procedural, so the model does not directly cover it; but the special process corresponds to using a TP. No technical controls can prevent a programmer from developing a program on the production system

3. Installation from the development system onto the production system: a TP does the installation, trusted personnel do the certification


    Slide #6-17

Comparison with the requirements (continued)

4. Control and audit: CR4 provides logging; ER3 authenticates the trusted personnel doing the installation; CR5 and ER4 control the installation procedure

5. The log is a CDI, so an appropriate TP can give managers and auditors access to it. Access to the system state is handled similarly


    Slide #6-18

Comparison with the Biba model

Biba: no notion of certification rules; trusted subjects ensure that actions obey the rules. Untrusted data is examined before being made trusted

Clark-Wilson: explicit requirements that actions must meet. A trusted entity must certify the method used to upgrade untrusted data (and does not certify the data itself)


    Slide #6-19

Key Points

Integrity policies deal with trust. As trust is hard to quantify, these policies are hard to evaluate completely. Look for assumptions and trusted users to find possible weak points in their implementation

Biba is based on multilevel integrity; Clark-Wilson focuses on separation of duty and transactions