Lattice-based Access Control Models 2 Daniel Trivellato.
06/10/2008 DTM course - Daniel Trivellato 2
Outline
Review of BLP
The Biba model
Multi-lateral security: the Chinese Wall
Exercises and discussion
Security lattice - Example
Levels: TS, S with TS > S. Compartments: Nuclear, Chemical.

Lattice of the eight security classes, bottom to top (a class is above another when it dominates it):
  S, {}
  S, {Nuclear}    S, {Chemical}
  S, {Nuclear, Chemical}    TS, {}
  TS, {Nuclear}    TS, {Chemical}
  TS, {Nuclear, Chemical}

The partial order on security classes is called dominates: (L1, C1) ≥ (L2, C2) iff L1 ≥ L2 and C2 ⊆ C1. Classes such as S, {Nuclear, Chemical} and TS, {} are incomparable.
The BLP model
formalizes a mandatory policy for secrecy
goal: prevent information flow to lower or incomparable security classes
idea: augment DAC with MAC (security labels) to enforce information flow policies, in a two-step approach:
1. discretionary access matrix D
2. operations authorized by the MAC policy, over which users have no control
BLP mandatory access rules
object o has a security label (class) SL(o); subject s has a security label (clearance) SL(s)
simple security property: subject s can read object o only if SL(s) ≥ SL(o)
*-property: subject s can write object o only if SL(o) ≥ SL(s)
No read up; no write down.
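An added worked example (not part of the original slides) of the security lattice and the two BLP rules in Python. The levels U < C < S < TS and the compartment names are the lecture's; the class and function names are my own. lattice() enumerates all n * 2^m classes for any choice of levels and compartments, which is also the construction asked for in the exercises at the end of the lecture.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, List

# Total order on the levels used in this lecture (constructed example, U < C < S < TS).
LEVEL_ORDER = ["U", "C", "S", "TS"]


@dataclass(frozen=True)
class SecurityClass:
    """A security class (level, set of compartments), e.g. TS,{Nuclear}."""
    level: str
    compartments: frozenset

    def __post_init__(self):
        if self.level not in LEVEL_ORDER:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "SecurityClass") -> bool:
        """(L1,C1) >= (L2,C2) iff L1 >= L2 and C2 is a subset of C1."""
        return (LEVEL_ORDER.index(self.level) >= LEVEL_ORDER.index(other.level)
                and other.compartments <= self.compartments)

    def __repr__(self) -> str:
        return f"{self.level},{{{', '.join(sorted(self.compartments))}}}"


def sc(level: str, *compartments: str) -> SecurityClass:
    """Convenience constructor: sc("TS", "Nuclear", "Chemical")."""
    return SecurityClass(level, frozenset(compartments))


def lub(a: SecurityClass, b: SecurityClass) -> SecurityClass:
    """Least upper bound: the higher level, union of the compartments."""
    level = max(a.level, b.level, key=LEVEL_ORDER.index)
    return SecurityClass(level, a.compartments | b.compartments)


def glb(a: SecurityClass, b: SecurityClass) -> SecurityClass:
    """Greatest lower bound: the lower level, intersection of the compartments."""
    level = min(a.level, b.level, key=LEVEL_ORDER.index)
    return SecurityClass(level, a.compartments & b.compartments)


def can_read(subject: SecurityClass, obj: SecurityClass) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: SecurityClass, obj: SecurityClass) -> bool:
    """*-property: no write down."""
    return obj.dominates(subject)


def flows_to(src: SecurityClass, dst: SecurityClass) -> bool:
    """Information may flow from src to dst only if dst dominates src."""
    return dst.dominates(src)


def lattice(levels: Iterable[str], compartments: Iterable[str]) -> List[SecurityClass]:
    """Every class (level, subset of compartments): n levels * 2^m subsets nodes."""
    comps = list(compartments)
    out = []
    for level in levels:
        for k in range(len(comps) + 1):
            for subset in combinations(comps, k):
                out.append(SecurityClass(level, frozenset(subset)))
    return out


if __name__ == "__main__":
    nodes = lattice(["S", "TS"], ["Nuclear", "Chemical"])
    print(len(nodes), "classes:", nodes)
    s_nuc, ts_chem = sc("S", "Nuclear"), sc("TS", "Chemical")
    print("S,{Nuclear} and TS,{Chemical} comparable?",
          s_nuc.dominates(ts_chem) or ts_chem.dominates(s_nuc))
    print("lub:", lub(s_nuc, ts_chem), " glb:", glb(s_nuc, ts_chem))
    print("subject TS,{Nuclear} reads S,{Nuclear,Chemical}?",
          can_read(sc("TS", "Nuclear"), sc("S", "Nuclear", "Chemical")))
```

The lub/glb pair is what makes this a lattice rather than just a partial order: two incomparable classes such as S,{Nuclear} and TS,{Chemical} still have a unique join (TS,{Nuclear, Chemical}) and meet (S,{}), which a system needs when it must label an object derived from both.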
BLP information flow
[Figure: subjects (left) and objects (right) arranged on the levels TS, S, C and U. A subject reads objects at its own level or below and writes objects at its own level or above, so every arrow of information flow points upward, from U towards TS.]
BLP + tranquility
Tranquility property
strong: security labels never change during system operation. Too strong!
weak: labels never change in such a way as to violate a defined security policy, e.g. dynamic upgrade of labels (principle of least privilege: a subject starts low and its label is raised only when needed)
Mandatory policies for integrity
policies for secrecy control only improper leakage of information; they do not safeguard integrity!
assign integrity classes to:
subjects: reflect the subject's trustworthiness not to improperly modify the information
objects: reflect the potential damage that could result from improper modification/deletion
The Biba model
defines a mandatory policy for integrity
goal: prevent information flow to higher or incomparable integrity classes
the strict integrity policy is based on principles dual to those of BLP
Biba mandatory access rules
object o has an integrity label (class) IL(o); subject s has an integrity label IL(s)
simple integrity property: subject s can read object o only if IL(s) ≤ IL(o)
*-integrity property: subject s can write object o only if IL(s) ≥ IL(o)
No read down; no write up.
Biba information flow
[Figure: subjects and objects arranged on the integrity levels HI, MI and LI. A subject reads objects at its own integrity level or above and writes objects at its own level or below, so information flows downward, from HI towards LI.]
Combining Biba and BLP
The security class of each subject and object consists of two labels: a security label SL and an integrity label IL.
The combined mandatory controls are:
subject s can read object o only if SL(s) ≥ SL(o) and IL(s) ≤ IL(o)
subject s can write object o only if SL(s) ≤ SL(o) and IL(s) ≥ IL(o)
implemented in several OS, DB and network products for the military domain
BLP + Biba - Example
SL = {SH, SL}, SH ≥ SL (secrecy levels)
IL = {IH, IL}, IH ≥ IL (integrity levels)

Access of subject (row) to object (column): r = read, w = write, rw = both, - = none

subject \ object   SL,IL   SL,IH   SH,IL   SH,IH
SL,IL              rw      r       w       -
SL,IH              w       rw      w       w
SH,IL              r       r       rw      r
SH,IH              -       r       w       rw

[Figure: BLP lattice over the four classes, with the SL classes below the SH classes; information flows upward in secrecy, from SL to SH. Biba lattice over the same four classes, with the IH classes above the IL classes; information flows downward in integrity, from IH to IL.]
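The access matrix above can be regenerated mechanically. The following Python is added here and is not from the slides: it encodes the BLP and Biba rules over the two-element orders SL < SH and IL < IH, builds the 4x4 matrix, and checks the flow property that every permitted write-then-read chain moves information up in secrecy and down in integrity. Function and constant names are my own.

```python
from itertools import product
from typing import Dict, List, Tuple

# Two-element orders from the slide example (constructed): SL < SH, IL < IH.
SECRECY = {"SL": 0, "SH": 1}
INTEGRITY = {"IL": 0, "IH": 1}

Label = Tuple[str, str]   # (security label, integrity label)


def blp_read(s: Label, o: Label) -> bool:
    """BLP simple security property: SL(s) >= SL(o), no read up."""
    return SECRECY[s[0]] >= SECRECY[o[0]]


def blp_write(s: Label, o: Label) -> bool:
    """BLP *-property: SL(s) <= SL(o), no write down."""
    return SECRECY[s[0]] <= SECRECY[o[0]]


def biba_read(s: Label, o: Label) -> bool:
    """Biba simple integrity property: IL(s) <= IL(o), no read down."""
    return INTEGRITY[s[1]] <= INTEGRITY[o[1]]


def biba_write(s: Label, o: Label) -> bool:
    """Biba *-integrity property: IL(s) >= IL(o), no write up."""
    return INTEGRITY[s[1]] >= INTEGRITY[o[1]]


def can_read(s: Label, o: Label) -> bool:
    return blp_read(s, o) and biba_read(s, o)


def can_write(s: Label, o: Label) -> bool:
    return blp_write(s, o) and biba_write(s, o)


def access(s: Label, o: Label) -> str:
    """'rw', 'r', 'w' or '-' for subject s on object o under the combined policy."""
    r, w = can_read(s, o), can_write(s, o)
    return "rw" if r and w else "r" if r else "w" if w else "-"


# The four classes in the slide's order: (SL,IL), (SL,IH), (SH,IL), (SH,IH).
LABELS: List[Label] = list(product(["SL", "SH"], ["IL", "IH"]))


def access_matrix(labels: List[Label] = LABELS) -> Dict[Tuple[Label, Label], str]:
    """Map (subject class, object class) -> access string."""
    return {(s, o): access(s, o) for s in labels for o in labels}


def render(labels: List[Label] = LABELS) -> str:
    """Text table in the slide's layout: subjects as rows, objects as columns."""
    name = lambda l: ",".join(l)
    header = "subject \\ object  " + "  ".join(f"{name(o):>5}" for o in labels)
    rows = [f"{name(s):<17} " + "  ".join(f"{access(s, o):>5}" for o in labels)
            for s in labels]
    return "\n".join([header] + rows)


def flows_are_consistent(labels: List[Label] = LABELS) -> bool:
    """If s may write o and t may read o, information flows s -> t through o.
    That flow is legitimate only if t could have read s's own class directly,
    i.e. t is higher in secrecy and lower in integrity than s."""
    return all(can_read(t, s)
               for s in labels for o in labels for t in labels
               if can_write(s, o) and can_read(t, o))


if __name__ == "__main__":
    print(render())
    print("flows consistent:", flows_are_consistent())
```

The consistency check is the property one actually wants from the combination: no sequence of permitted reads and writes lets information reach a class that could not have read its source directly.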
Biba alternative policies
low-water-mark for subjects (no write up):
a subject s can write object o only if IL(s) ≥ IL(o)
a subject s can read any object o; after the access IL(s) = glb(IL(s), IL(o))
low-water-mark for objects (no read down):
a subject s can read object o only if IL(o) ≥ IL(s)
a subject s can write any object o; after the access IL(o) = glb(IL(s), IL(o))
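Added example (not from the slides) showing why the two low-water-mark variants are dynamic: the label sinks after the access, and the strict rule that is still enforced then bites. The integrity levels LI < MI < HI are those of the Biba figure; the entity names (updater, download, system-config, browser, auditor, report) are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Three integrity levels from the Biba information-flow figure (constructed): LI < MI < HI.
INTEGRITY = {"LI": 0, "MI": 1, "HI": 2}


def glb(a: str, b: str) -> str:
    """Greatest lower bound; in a total order that is simply the lower level."""
    return a if INTEGRITY[a] <= INTEGRITY[b] else b


@dataclass
class Entity:
    name: str
    integrity: str   # current integrity label; may float down under low-water-mark


# low-water-mark for subjects: reads always allowed, subject label sinks, no write up
def lwm_subject_read(s: Entity, o: Entity) -> bool:
    s.integrity = glb(s.integrity, o.integrity)   # s is now only as trustworthy as o
    return True


def lwm_subject_write(s: Entity, o: Entity) -> bool:
    return INTEGRITY[s.integrity] >= INTEGRITY[o.integrity]   # strict *-integrity rule


# low-water-mark for objects: writes always allowed, object label sinks, no read down
def lwm_object_read(s: Entity, o: Entity) -> bool:
    return INTEGRITY[o.integrity] >= INTEGRITY[s.integrity]   # strict simple-integrity rule


def lwm_object_write(s: Entity, o: Entity) -> bool:
    o.integrity = glb(s.integrity, o.integrity)   # o is now only as trustworthy as its writer
    return True


def subject_lwm_trace() -> List[Tuple[str, bool, str]]:
    """A high-integrity process reads untrusted input, then tries to update trusted data.
    Each entry: (step, allowed?, subject label after the step)."""
    proc = Entity("updater", "HI")
    download = Entity("download", "LI")
    config = Entity("system-config", "HI")
    trace = []
    ok = lwm_subject_write(proc, config)
    trace.append(("write config before reading download", ok, proc.integrity))
    ok = lwm_subject_read(proc, download)
    trace.append(("read download", ok, proc.integrity))
    ok = lwm_subject_write(proc, config)
    trace.append(("write config after reading download", ok, proc.integrity))
    return trace


def object_lwm_trace() -> List[Tuple[str, bool, str]]:
    """A low-integrity process writes a trusted file; the file's label sinks and a
    high-integrity reader is refused afterwards. Entry: (step, allowed?, object label)."""
    lo_proc = Entity("browser", "LI")
    hi_proc = Entity("auditor", "HI")
    report = Entity("report", "HI")
    trace = []
    ok = lwm_object_read(hi_proc, report)
    trace.append(("auditor reads report before tampering", ok, report.integrity))
    ok = lwm_object_write(lo_proc, report)
    trace.append(("browser writes report", ok, report.integrity))
    ok = lwm_object_read(hi_proc, report)
    trace.append(("auditor reads report after tampering", ok, report.integrity))
    return trace


if __name__ == "__main__":
    for step in subject_lwm_trace() + object_lwm_trace():
        print(step)
```

Both variants trade the strict policy's refusals for a monotonically decreasing label, which is why they need a re-labelling (or process restart) mechanism in practice: once the updater has touched the download it can never write system-config again.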
Biba weaknesses
flow controls may turn out too restrictive: in the commercial domain authorizations are linked to programs, rather than to subjects
enforces integrity only by preventing information flows from lower to higher classifications; the integrity problem is much more than this
integrity also has to cover improper use of data, concurrency control and recovery techniques, and integrity constraints (limitations on values)
Biba in the real world – Windows Vista
Microsoft Windows Vista adopts a multi-level integrity policy
file objects are marked with an integrity level: Low, Medium, High, System (critical Vista files)
Internet Explorer runs by default at Low: things downloaded with IE can read, but not write, system files or anything else with a higher integrity level
Vista dropped the no-read-down constraint
Alternative models for integrity
Well-formed transaction rules are based on the ACID principles:
Atomicity: either all actions of a transaction are performed or none of them
Consistency: a transaction must preserve the integrity constraints on the data
Isolation: the concurrent execution of a set of transactions must have the same effect as their serial execution
Durability: results of committed transactions are permanent
ACID does not take the subject into consideration
Clark and Wilson (1/2)
Four basic criteria to safeguard integrity:
Authentication: the system must separately authenticate and identify the user
Audit: the system must log the programs executed and the name of the authorizing user
Well-formed transactions: data items can be manipulated only by a restricted set of programs that meet the well-formed transaction rule
Separation of duty: each user is associated with a set of programs to be run, and the set must meet the separation of duty rule
Clark and Wilson (2/2)
Advantages: addresses integrity in a more complete way; models commercial environments
Shortcomings: not well formalized; it is difficult to reason about its security properties
The Chinese wall
Brewer and Nash (1989)
arises in the commercial sector (consultancy)
goal: prevent information flows which cause conflicts of interest for individual consultants
mandatory dynamic separation of duty
Chinese wall - Motivation
consultants deal with confidential company information on behalf of their clients
a consultant should not have access to information about, for example, two banks or two oil companies
this would create a conflict of interests: influence on the analysis, disservice to the client, potential use for personal profit
Object classification
The model makes a first distinction between public objects and company information, which needs to be protected.
Company information is organized hierarchically in 3 levels:
basic objects (e.g. files)
company datasets: group the objects referring to the same corporation
conflict of interest classes: group all company datasets whose corporations are in competition
Object classification - Example
Public information: public bulletin boards, public databases, etc.
Conflict of Interest Class 1
  Company A: ObjA-1, ObjA-2, ObjA-3
  Company B: ObjB-1, ObjB-2
Conflict of Interest Class 2
  Company C: ObjC-1, ObjC-2
  Company D: ObjD-1, ObjD-2, ObjD-3, ObjD-4
Policy rules (1/2)
simple security rule: a subject s can access an object o only if
o is in the same company dataset as all the objects that s has already accessed (within the wall), or
o belongs to a different conflict of interest class
but users may need to compare information from different corporations!
sanitization: disguising corporate information so that the identity of the company it concerns cannot be discovered; sanitized information is not subject to the wall
Policy rules (2/2)
*-property: a subject s can write an object o only if
(a) access to o is permitted by the simple security rule, and
(b) no object can be read by s which (i) is in a different company dataset than o and (ii) contains unsanitized information
Example: Alice reads ObjA-1 and writes ObjC-1; Bob reads ObjC-1 and writes ObjB-1. Neither violates the simple security rule, yet without the *-property Company A's information ends up in Company B's dataset, and A and B are in the same conflict of interest class.
[Figure: the object hierarchy of the previous slide, with the content of ObjA-1 flowing into ObjC-1 (Company C, Conflict of Interest Class 2) and from there into ObjB-1 (Company B, Conflict of Interest Class 1), so that a copy of Company A's information now sits inside Company B's dataset.]
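Added Python (not from the slides, nor from Brewer and Nash) running the Alice/Bob example above with and without the *-property. One simplification to state plainly: the original *-property quantifies over every object s could read, whereas this code checks only the unsanitized objects s has actually read; on this example the outcome is the same. Object names follow the slides; the class names COI-1/COI-2 and the 'contains' bookkeeping that records which company's information has flowed into an object are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

PUBLIC = "public"   # marker for public objects: no company dataset, no COI class


@dataclass
class Obj:
    name: str
    dataset: str                  # company dataset, e.g. "Company A"; PUBLIC for public objects
    coi: str                      # conflict-of-interest class, e.g. "COI-1"; PUBLIC for public objects
    sanitized: bool = False
    contains: Set[str] = field(default_factory=set)   # datasets whose information has flowed in

    def __post_init__(self):
        if self.dataset != PUBLIC:
            self.contains.add(self.dataset)


@dataclass
class Subject:
    name: str
    history: List[Obj] = field(default_factory=list)   # objects this subject has read


def simple_rule(s: Subject, o: Obj) -> bool:
    """o is public, or for every company object s already accessed, o is in the
    same company dataset or in a different conflict-of-interest class."""
    if o.coi == PUBLIC:
        return True
    return all(p.coi == PUBLIC or p.sanitized or p.dataset == o.dataset or p.coi != o.coi
               for p in s.history)


def star_rule(s: Subject, o: Obj, enforce: bool = True) -> bool:
    """*-property, approximated over the read history (assumption, see lead-in):
    write allowed only if the simple rule permits access to o and s has read no
    unsanitized company object from a dataset other than o's."""
    if not simple_rule(s, o):
        return False
    if not enforce:
        return True
    return not any(p.coi != PUBLIC and not p.sanitized and p.dataset != o.dataset
                   for p in s.history)


def read(s: Subject, o: Obj) -> bool:
    if not simple_rule(s, o):
        return False
    s.history.append(o)
    return True


def write(s: Subject, o: Obj, enforce_star: bool = True) -> bool:
    if not star_rule(s, o, enforce_star):
        return False
    for p in s.history:          # anything s has seen may end up in o
        o.contains |= p.contains
    return True


def scenario(enforce_star: bool) -> Dict[str, bool]:
    """Alice reads ObjA-1 and writes ObjC-1; Bob reads ObjC-1 and writes ObjB-1."""
    a1 = Obj("ObjA-1", "Company A", "COI-1")
    b1 = Obj("ObjB-1", "Company B", "COI-1")
    c1 = Obj("ObjC-1", "Company C", "COI-2")
    alice, bob = Subject("Alice"), Subject("Bob")
    result = {}
    result["alice reads ObjA-1"] = read(alice, a1)
    result["alice writes ObjC-1"] = write(alice, c1, enforce_star)
    result["bob reads ObjC-1"] = read(bob, c1)
    result["bob writes ObjB-1"] = write(bob, b1, enforce_star)
    result["bob reads ObjB-1"] = read(bob, b1)
    result["bob reads ObjA-1"] = read(bob, a1)       # competitor of B: simple rule refuses
    result["Company A info reached ObjB-1"] = "Company A" in b1.contains
    return result


if __name__ == "__main__":
    for flag in (True, False):
        print("*-property enforced:", flag)
        for step, ok in scenario(flag).items():
            print(f"  {step}: {ok}")
```

The simple rule alone stops Bob from reading ObjA-1 once he has read ObjB-1, but it never looks at what Bob wrote; only the *-property closes the indirect channel through Company C.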
Chinese wall axioms
the simple security property prevents flows by a single user
the *-property prevents indirect flows that can be enacted by collusion between users
sanitization provides more flexibility with respect to the application of the policy
discretionary access control is assumed to be enforced
Policy model
assume there are n conflict of interest classes COI_1, …, COI_n
each object o is labeled with the set of companies of which it contains information: L(o) = {c_1, c_2, …, c_n}, where c_i ∈ COI_i ∪ {⊥} for i = 1, …, n (⊥ meaning: no information from class i)
the clearance of a user is a high-water mark that can float up in the lattice but not down
Chinese wall - Example
consider 2 conflict of interest classes: Banks = {Bank A, Bank B}, Oil Companies = {OC1, OC2}
then labels such as {Bank A, OC1, OC2} are contrary to the Chinese wall policy (two competing oil companies in one label)
a new consultant starts with no mandatory restriction on access rights (i.e. clearance {⊥, ⊥})
if he reads a file about Bank A, his clearance becomes {Bank A, ⊥}
The lattice
labels are compared according to the dominance relation, defined as follows.
Let $L_1 = \{c^1_1, c^1_2, \dots, c^1_n\}$ and $L_2 = \{c^2_1, c^2_2, \dots, c^2_n\}$. Then $L_1 \geq L_2$ iff $c^1_i = c^2_i$ or $c^2_i = \bot$, for all $i = 1, \dots, n$.
label {⊥, ⊥} corresponds to public information
label SysHigh dominates all other labels: it combines information from different companies in the same COI class (access to all), which is contrary to the Chinese wall policy; no user gets this clearance (exceptions: system administration and audit)
The lattice - Example
Labels bottom to top; each label is dominated by those on the line below it that agree with it on every non-⊥ entry:
  {⊥, ⊥}
  {Bank A, ⊥}    {Bank B, ⊥}    {⊥, OC1}    {⊥, OC2}
  {Bank A, OC1}    {Bank A, OC2}    {Bank B, OC1}    {Bank B, OC2}
  SysHigh
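Added Python (not from the slides nor from Sandhu's lattice interpretation) for the lattice above: a label is a tuple with one slot per conflict of interest class, ⊥ in a slot means no information from that class, SysHigh is the top, and a consultant's clearance is a high-water mark computed as the least upper bound of the labels read so far. A read whose lub would be SysHigh is exactly a conflict of interest and is refused. Names are my own; the companies are the slide's.

```python
from itertools import product
from typing import List, Tuple

BOTTOM = "⊥"          # "no information from this conflict-of-interest class"
SYSHIGH = "SysHigh"   # top element; never granted to ordinary users

# Constructed example from the slides: two COI classes, two companies each.
COI: List[List[str]] = [["Bank A", "Bank B"], ["OC1", "OC2"]]

Label = Tuple[str, ...]   # one entry per COI class: a company name or BOTTOM


def object_label(*companies: str) -> Label:
    """Label of an object containing information from the given companies."""
    label = [BOTTOM] * len(COI)
    for company in companies:
        idx = next(i for i, cls in enumerate(COI) if company in cls)
        if label[idx] not in (BOTTOM, company):
            raise ValueError(f"{company} and {label[idx]} are competitors")
        label[idx] = company
    return tuple(label)


def dominates(l1, l2) -> bool:
    """L1 >= L2 iff for every class i, c1_i == c2_i or c2_i == BOTTOM; SysHigh dominates all."""
    if l1 == SYSHIGH:
        return True
    if l2 == SYSHIGH:
        return False
    return all(c1 == c2 or c2 == BOTTOM for c1, c2 in zip(l1, l2))


def lub(l1, l2):
    """Least upper bound; SysHigh as soon as the labels name competing companies."""
    if SYSHIGH in (l1, l2):
        return SYSHIGH
    out = []
    for c1, c2 in zip(l1, l2):
        if c1 == c2 or c2 == BOTTOM:
            out.append(c1)
        elif c1 == BOTTOM:
            out.append(c2)
        else:
            return SYSHIGH
    return tuple(out)


def all_labels() -> List:
    """Every label of the lattice: product of (companies + BOTTOM) per class, plus SysHigh."""
    labels = [tuple(t) for t in product(*[cls + [BOTTOM] for cls in COI])]
    return labels + [SYSHIGH]


def consultant_session(reads: List[str]) -> List[Tuple[str, bool, Label]]:
    """High-water-mark clearance: start at the bottom label and float up with each
    read; refuse a read whose lub would be SysHigh. Entry: (company, allowed?, clearance)."""
    clearance: Label = tuple([BOTTOM] * len(COI))
    trace = []
    for company in reads:
        new = lub(clearance, object_label(company))
        allowed = new != SYSHIGH
        if allowed:
            clearance = new
        trace.append((company, allowed, clearance))
    return trace


if __name__ == "__main__":
    print(len(all_labels()), "labels:", all_labels())
    for step in consultant_session(["Bank A", "OC1", "Bank B", "Bank A"]):
        print(step)
```

Compared with the history-based formulation, the lattice version needs no per-subject access log: the clearance label alone decides, and the clearance itself is just a BLP-style high-water mark over this particular lattice.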
Chinese wall weaknesses
not completely formalized; leaves open problems, such as:
keeping and managing the history of accesses
ensuring accessibility (e.g. if all the users read the same datasets, the system becomes unusable)
data sanitization is not addressed (complex)
Summary
Biba: mandatory policy for integrity; principles are dual to BLP; combined with BLP to deal with both secrecy and integrity; does not take into account all aspects of integrity
Chinese wall: multi-lateral security model to prevent conflicts of interest for consultants; users cannot access, neither directly nor indirectly, information about competing companies
Exercises (lecture 1)
Construct a lattice of security classes for security levels {public, secret, top-secret} and compartments {army, politics, business}.

Solution: the classes are all pairs (level, subset of compartments), ordered by dominance. Bottom is P,{} and top is TS,{A,P,B}; listed by rank from bottom to top:
  P,{}
  S,{}  P,{A}  P,{P}  P,{B}
  TS,{}  P,{A,B}  P,{A,P}  P,{P,B}  S,{A}  S,{P}  S,{B}
  TS,{A}  TS,{P}  TS,{B}  S,{A,B}  S,{A,P}  S,{P,B}  P,{A,P,B}
  TS,{A,B}  TS,{A,P}  TS,{P,B}  S,{A,P,B}
  TS,{A,P,B}

Security levels: n = 3; compartments: m = 3; lattice nodes = n * 2^m = 3 * 2^3 = 24.
Exercises
Is it reasonable for an object to have security label “unclassified” and integrity label “high”? Give an example in which it makes sense.
How can we combine BLP and Biba in such a way that they both allow information to flow only upwards?
Can we combine MAC with RBAC? How?
Exercises
What is the conceptual difference between the BLP and the Chinese wall policy?
Why does the Chinese wall policy prohibit a consultant from accessing information about 2 competing companies?
For which purpose do we need a SysHigh label dominating all other labels in the Chinese wall lattice?
The most important lesson…
100% security is impossible to achieve, and it would not be flexible enough for any real-world system!
When designing security: establish your security goals; find good compromises; keep in mind the weaknesses of your system.
References
Ravi S. Sandhu – Lattice-Based Access Control Models (strongly recommended)
Carl E. Landwehr – Formal Models for Computer Security (strongly recommended)
Pierangela Samarati and Sabrina De Capitani di Vimercati – Access Control: Policies, Models, and Mechanisms (recommended)
Ross Anderson – Security Engineering, 2nd edition (suggested)
Thank you for your attention.