ACCESS CONTROL & SECURITY MODELS (REVIEW) Center of gravity of computer security.
Models of Security
Models of Security
Security models are used to
• Test a particular policy for completeness and consistency
• Document a policy
• Help conceptualize and design an implementation
• Check whether an implementation meets its requirements
Multilevel Security
Want to build a model to represent a range of sensitivities and to reflect the need to separate subjects from objects to which they should not have access.
Use the lattice model of security
• Military security model, where <= in the model is the relation operator in the lattice (transitive, antisymmetric)
• Commercial security model (public, proprietary, internal)
Bell-LaPadula Confidentiality Model
Formal description of allowable paths of information flow in a secure system
• Simple Security Property. A subject s may have read access to an object o only if C(o) <= C(s)
• *-Property. A subject s who has read access to an object o may have write access to an object p only if C(o) <= C(p)
The *-property is used to prevent write-down (a subject with access to high-level data transfers that data by writing it to a low-level object).
Biba Integrity Model
Simple Integrity Property. Subject s can modify (have write access to) object o only if I(s) >= I(o)
Integrity *-Property. If subject s has read access to object o with integrity level I(o), s can have write access to object p only if I(o) >= I(p)
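The three slides above (lattice model, Bell-LaPadula, Biba) share one structure: a label that is partially ordered by dominance, and two properties per model that compare labels. The following is an added example, not code from the slides or from any particular system; the numeric levels (0 to 3) and the category names "nato" and "crypto" are constructed sample values. It implements the lattice (dominance, join, meet) once and then expresses the BLP and Biba rules as one-line checks over it, so that the no-read-up, no-write-down and no-write-up rules can be tried directly.

```python
"""Lattice labels with Bell-LaPadula and Biba checks.

Added example, not from the slides. A label is (level, categories). Label A
dominates label B (B <= A in the lattice) when A.level >= B.level and A's
categories include all of B's. This relation is reflexive, transitive and
antisymmetric, and any two labels have a join (least upper bound) and a
meet (greatest lower bound), so the labels form a lattice. Numeric levels
and category names below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int                 # e.g. 0 = unclassified ... 3 = top secret (constructed scale)
    categories: frozenset      # compartments such as {"nato", "crypto"}

    def dominates(self, other: "Label") -> bool:
        """True when other <= self in the lattice."""
        return self.level >= other.level and self.categories >= other.categories

    def join(self, other: "Label") -> "Label":
        """Least upper bound: highest level, union of categories."""
        return Label(max(self.level, other.level), self.categories | other.categories)

    def meet(self, other: "Label") -> "Label":
        """Greatest lower bound: lowest level, intersection of categories."""
        return Label(min(self.level, other.level), self.categories & other.categories)


def label(level: int, *categories: str) -> Label:
    """Convenience constructor: label(2, "nato") -> Label(2, frozenset({"nato"}))."""
    return Label(level, frozenset(categories))


# --- Bell-LaPadula (confidentiality); C(x) is the clearance or classification label ---

def blp_can_read(C_s: Label, C_o: Label) -> bool:
    """Simple security property: s may read o only if C(o) <= C(s) (no read-up)."""
    return C_s.dominates(C_o)


def blp_can_write(C_o: Label, C_p: Label) -> bool:
    """*-property: s, having read o, may write p only if C(o) <= C(p) (no write-down)."""
    return C_p.dominates(C_o)


# --- Biba (integrity); I(x) is the integrity label, the same lattice read the other way ---

def biba_can_write(I_s: Label, I_o: Label) -> bool:
    """Simple integrity property: s may write o only if I(s) >= I(o) (no write-up)."""
    return I_s.dominates(I_o)


def biba_star_can_write(I_o: Label, I_p: Label) -> bool:
    """Integrity *-property: s, having read o, may write p only if I(o) >= I(p)."""
    return I_o.dominates(I_p)


def write_down_attempt() -> dict:
    """A subject cleared top secret/nato/crypto reads a top-secret/nato object,
    then tries to write a public file: the *-property must refuse the write
    even though the read was allowed by the simple security property."""
    top_secret_nato = label(3, "nato")
    public = label(0)
    subject_clearance = label(3, "nato", "crypto")
    return {
        "read_allowed": blp_can_read(subject_clearance, top_secret_nato),
        "write_down_allowed": blp_can_write(top_secret_nato, public),
        "write_up_allowed": blp_can_write(public, top_secret_nato),
    }


if __name__ == "__main__":
    print(write_down_attempt())
```

Note that the category check is what makes this a lattice rather than a simple chain: a subject at level 3 with no categories does not dominate a level-1 object in the "crypto" compartment, so the read is refused even though the level is higher.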
Models Proving Theoretical Limitations of Security Systems
Graham-Denning Model – introduced the concept of a formal system of protection rules; constructs a model having generic protection properties
Harrison-Ruzzo-Ullman Model – uses commands involving conditions and primitive operations, where a protection system is a set of subjects, objects, rights, and commands
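To make the HRU definition concrete, here is an added example (not from the slides) of a protection system as the slide describes it: an access matrix over subjects and objects, the primitive operations that change it, and commands whose conditions must all hold before their body of primitive operations runs. The rights "own" and "read", the command names and the subject names are constructed samples. The theoretical limitation the slide title refers to is that, for systems built this way in general, HRU showed there is no algorithm that decides whether a given right can ever leak to a given subject; the small system below is deliberately simple enough that its behaviour is obvious.

```python
"""Harrison-Ruzzo-Ullman style protection system.

Added example, not from the slides. The protection system is the tuple
(subjects, objects, rights, commands). Its state is an access matrix A with
A[s, o] = the set of rights s holds over o. A command names its parameters,
lists conditions of the form "r in A[s, o]" and a body of primitive
operations; the body runs only if every condition holds. The commands and
rights below (own, read) are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass


class AccessMatrix:
    def __init__(self):
        self.subjects = set()
        self.objects = set()                 # every subject is also an object
        self.A = defaultdict(set)            # (s, o) -> set of rights

    def has(self, r, s, o) -> bool:
        return r in self.A.get((s, o), set())

    # The six HRU primitive operations.
    def create_subject(self, s):
        if s in self.objects:
            raise ValueError(f"{s} already exists")
        self.subjects.add(s)
        self.objects.add(s)

    def create_object(self, o):
        if o in self.objects:
            raise ValueError(f"{o} already exists")
        self.objects.add(o)

    def enter(self, r, s, o):
        if s not in self.subjects or o not in self.objects:
            raise KeyError((s, o))
        self.A[(s, o)].add(r)

    def delete(self, r, s, o):
        self.A[(s, o)].discard(r)

    def destroy_object(self, o):
        self.objects.discard(o)
        for key in [k for k in self.A if o in k]:
            del self.A[key]

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.destroy_object(s)


@dataclass
class Command:
    name: str
    params: tuple          # formal parameter names
    conditions: list       # (right, subject_param, object_param) triples
    body: list             # callables (matrix, args) -> None built from primitive ops

    def run(self, m: AccessMatrix, **args) -> bool:
        if set(args) != set(self.params):
            raise TypeError(f"{self.name} expects parameters {self.params}")
        # Every condition is evaluated before any primitive operation runs.
        for right, subj_p, obj_p in self.conditions:
            if not m.has(right, args[subj_p], args[obj_p]):
                return False
        for operation in self.body:
            operation(m, args)
        return True


# Constructed sample commands.
CREATE_FILE = Command("create_file", ("s", "f"), [], [
    lambda m, a: m.create_object(a["f"]),
    lambda m, a: m.enter("own", a["s"], a["f"]),
])
CONFER_READ = Command("confer_read", ("owner", "friend", "f"),
                      [("own", "owner", "f")],
                      [lambda m, a: m.enter("read", a["friend"], a["f"])])
REVOKE_READ = Command("revoke_read", ("owner", "friend", "f"),
                      [("own", "owner", "f")],
                      [lambda m, a: m.delete("read", a["friend"], a["f"])])


def demo() -> dict:
    m = AccessMatrix()
    for s in ("alice", "bob", "mallory"):
        m.create_subject(s)
    CREATE_FILE.run(m, s="alice", f="report.txt")
    owner_confers = CONFER_READ.run(m, owner="alice", friend="bob", f="report.txt")
    # mallory does not hold "own" on the file, so the condition fails and nothing changes.
    non_owner_confers = CONFER_READ.run(m, owner="mallory", friend="mallory", f="report.txt")
    bob_reads = m.has("read", "bob", "report.txt")
    mallory_reads = m.has("read", "mallory", "report.txt")
    REVOKE_READ.run(m, owner="alice", friend="bob", f="report.txt")
    return {"owner_confers": owner_confers, "non_owner_confers": non_owner_confers,
            "bob_reads": bob_reads, "mallory_reads": mallory_reads,
            "bob_reads_after_revoke": m.has("read", "bob", "report.txt")}


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the only way a right enters the matrix is through a command whose conditions are checked first; the safety of the system is entirely a property of which commands exist.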
Take-Grant Systems
Four operations performed by subjects on objects with rights
• Create(o,r) subject creates an object with certain rights
• Revoke(o,r) subject removes rights from object
• Grant(o,p,r) subject grants to o access rights on p
• Take(o,p,r) subject removes from o access rights on p
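The four take-grant operations act on a directed graph whose edges are labelled with rights. The following added example (not from the slides) implements that graph with the slide's Create/Revoke/Grant/Take naming. It uses the standard take-grant semantics, in which grant and take copy a right along an edge (the source keeps its own copy) and take therefore does not delete anything from o; revoke only edits the caller's own edge. Vertex names and the rights "r", "w", "t" and "g" are constructed samples.

```python
"""Take-Grant protection graph.

Added example, not from the slides. Vertices are subjects and objects; a
directed edge x -> y carries the rights x holds over y. Two special rights
drive the movement of rights: "t" (take) and "g" (grant). Standard
take-grant semantics are used: grant and take copy a right along an edge
and the source keeps its own copy, while revoke only edits the caller's
own edge. Vertex names and rights are constructed samples.
"""
from collections import defaultdict


class TakeGrantGraph:
    def __init__(self):
        self.vertices = set()
        self.subjects = set()
        self.edges = defaultdict(set)        # (x, y) -> set of rights x holds over y

    def rights(self, x, y) -> frozenset:
        return frozenset(self.edges.get((x, y), ()))

    def add_subject(self, s):
        self.vertices.add(s)
        self.subjects.add(s)

    def add_edge(self, x, y, r):
        """Initial-state helper: x holds rights r over y (both must already exist)."""
        if x not in self.vertices or y not in self.vertices:
            raise KeyError((x, y))
        self.edges[(x, y)] |= set(r)

    def _subject(self, s):
        if s not in self.subjects:
            raise PermissionError(f"{s} is not a subject")

    # Create(o, r): s creates a new object o and holds rights r over it.
    def create(self, s, o, r):
        self._subject(s)
        if o in self.vertices:
            raise ValueError(f"{o} already exists")
        self.vertices.add(o)
        self.edges[(s, o)] |= set(r)

    # Revoke(o, r): s removes rights r from its own edge to o.
    def revoke(self, s, o, r):
        self._subject(s)
        self.edges[(s, o)] -= set(r)
        if not self.edges[(s, o)]:
            del self.edges[(s, o)]

    # Grant(o, p, r): s gives o the rights r on p. Needs "g" on s -> o and r on s -> p.
    def grant(self, s, o, p, r):
        self._subject(s)
        r = set(r)
        if "g" not in self.rights(s, o) or not r <= self.rights(s, p):
            raise PermissionError(f"{s} cannot grant {sorted(r)} on {p} to {o}")
        self.edges[(o, p)] |= r

    # Take(o, p, r): s acquires the rights r that o holds on p. Needs "t" on s -> o and r on o -> p.
    def take(self, s, o, p, r):
        self._subject(s)
        r = set(r)
        if "t" not in self.rights(s, o) or not r <= self.rights(o, p):
            raise PermissionError(f"{s} cannot take {sorted(r)} on {p} from {o}")
        self.edges[(s, p)] |= r


def demo() -> dict:
    g = TakeGrantGraph()
    for s in ("alice", "bob", "carol"):
        g.add_subject(s)
    g.add_edge("alice", "bob", "g")      # alice may grant rights to bob
    g.add_edge("carol", "alice", "t")    # carol may take rights from alice
    g.create("alice", "file1", "rw")
    g.grant("alice", "bob", "file1", "r")
    g.take("carol", "alice", "file1", "w")
    try:
        g.grant("bob", "carol", "file1", "r")   # bob holds no "g" edge to carol
        bob_grant_refused = False
    except PermissionError:
        bob_grant_refused = True
    g.revoke("alice", "file1", "w")      # alice drops w; carol's copy is unaffected
    return {
        "bob_on_file1": sorted(g.rights("bob", "file1")),
        "carol_on_file1": sorted(g.rights("carol", "file1")),
        "alice_on_file1": sorted(g.rights("alice", "file1")),
        "bob_grant_refused": bob_grant_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The last step of the demo is the one worth remembering when reasoning about such systems: once a right has been taken or granted, revoking it at the source does not pull back the copies, so the question "can this right ever reach that vertex" has to be answered from the graph's t/g edges, not from who currently holds the right.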
Trusted System Design Elements
• Least privilege
• Economy of mechanism
• Open design
• Complete mediation
• Permission based
• Separation of privilege
• Least common mechanism
• Ease of use
Security Features of Ordinary Operating Systems
• Authentication of users
• Protection of memory
• File and I/O device access control
• Allocation and access control to general objects
• Enforcement of sharing
• Guarantee of fair service
• Interprocess communications and synchronization
• Protection of operating system protection data
Security Features of Trusted Operating Systems
Trusted systems incorporate technology to address both features and assurance
Objects are accompanied (surrounded) by an access control mechanism
Memory is separated by user, and data and program libraries have controlled sharing and separation
Security Features of Trusted Operating Systems
Identification and Authentication
• Require secure identification of individuals; each individual must be uniquely identified
Mandatory and Discretionary Access Control
• MAC – access control policy decisions are made beyond the control of the individual owner of the object
• DAC – leaves access control to the discretion of the object’s owner
• MAC has precedence over DAC
Security Features of Trusted Operating Systems
Object Reuse Protection
• Prevent object reuse leakage
• OS clears (overwrites) all space to be reassigned
• Problem of magnetic remanence
Complete Mediation
• All accesses must be controlled
Trusted Path
• For critical operations (setting password, etc.), users want unmistakable communications
Security Features of Trusted Operating Systems
Accountability and Audit
• Maintain a log of security-relevant events
• Audit log must be protected from outsiders
Audit Log Reduction
• Audit only open and close of files/objects
Intrusion detection
• Build patterns of normal system usage, triggering an alarm any time usage seems abnormal
• Intrusion prevention
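The intrusion detection bullet describes anomaly detection: learn what normal usage looks like from the audit log, then alarm on departures from it. The following added example (not from the slides or from any product) does exactly that over a reduced audit log of the kind the previous slide describes, one record per open/write/close of an object. Per user it records which (action, top-level directory) pairs are normal and how many events per hour are normal, and then flags an unknown user, an action outside the profile, and an hourly rate above mean + 3 standard deviations. All log lines, user names and paths are constructed samples, and the record format "<ISO timestamp> <user> <action> <path>" is an assumption of the example.

```python
"""Anomaly-based intrusion detection over an audit log.

Added example, not from the slides. Training builds, per user, a profile of
normal usage: the set of (action, top-level directory) pairs seen and the
mean and standard deviation of events per hour. Monitoring raises an alarm
for an unknown user, for an event outside the user's profile, and once per
hour when a user's event count exceeds mean + 3 * stdev. The log lines are
constructed samples in the assumed format "<ISO timestamp> <user> <action> <path>".
"""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

LINE = re.compile(r"^(\d{4}-\d\d-\d\d)T(\d\d):\d\d:\d\d (\S+) (\S+) (\S+)$")


def parse(line: str) -> dict:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable audit record: {line!r}")
    date, hour, user, action, path = m.groups()
    top = "/" + path.strip("/").split("/")[0]       # /home/alice/x.txt -> /home
    return {"date": date, "hour": int(hour), "user": user, "action": action, "top": top}


def build_profile(lines) -> dict:
    seen = defaultdict(set)                # user -> {(action, top)}
    per_hour = defaultdict(Counter)        # user -> {(date, hour): count}
    for rec in map(parse, lines):
        seen[rec["user"]].add((rec["action"], rec["top"]))
        per_hour[rec["user"]][(rec["date"], rec["hour"])] += 1
    profile = {}
    for user, pairs in seen.items():
        counts = list(per_hour[user].values())
        profile[user] = {"seen": pairs, "mean": mean(counts), "stdev": pstdev(counts)}
    return profile


def detect(profile: dict, lines) -> list:
    alarms = []
    hourly = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        user = rec["user"]
        if user not in profile:
            alarms.append(("unknown-user", line))
            continue
        p = profile[user]
        if (rec["action"], rec["top"]) not in p["seen"]:
            alarms.append(("new-behaviour", line))
        key = (rec["date"], rec["hour"])
        hourly[user][key] += 1
        # Fire exactly once per hour, on the first count strictly above the threshold.
        if hourly[user][key] == int(p["mean"] + 3 * p["stdev"]) + 1:
            alarms.append(("rate", f"{user} {key[0]} hour {key[1]}: {hourly[user][key]} events"))
    return alarms


# Constructed training window: alice edits her own files, bob serves web content.
BASELINE = [
    "2024-05-01T09:00:01 alice open /home/alice/a.txt",
    "2024-05-01T09:10:02 alice write /home/alice/a.txt",
    "2024-05-01T09:20:03 alice close /home/alice/a.txt",
    "2024-05-02T09:00:01 alice open /home/alice/b.txt",
    "2024-05-02T09:10:02 alice write /home/alice/b.txt",
    "2024-05-03T10:00:01 alice open /home/alice/c.txt",
    "2024-05-03T10:05:01 alice close /home/alice/c.txt",
    "2024-05-01T11:00:00 bob open /srv/www/index.html",
    "2024-05-02T11:00:00 bob open /srv/www/index.html",
]

# Constructed monitoring window: one read outside alice's profile, a burst of
# opens in a single hour, and a user the profile has never seen.
MONITOR = [
    "2024-05-04T09:00:01 alice open /home/alice/d.txt",
    "2024-05-04T09:01:00 alice open /etc/shadow",
    "2024-05-04T09:02:00 alice open /home/alice/e.txt",
    "2024-05-04T09:03:00 alice open /home/alice/f.txt",
    "2024-05-04T09:04:00 alice open /home/alice/g.txt",
    "2024-05-04T12:00:00 mallory open /srv/www/index.html",
]


def run_demo() -> list:
    return detect(build_profile(BASELINE), MONITOR)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"ALARM {kind}: {detail}")
```

With the constructed baseline, alice's hourly counts are 3, 2 and 2, so the rate threshold is about 3.75 and the alarm fires on her fourth event of the hour and not again; bob's counts are 1 and 1, so for him a second event in any hour would already be flagged. That sensitivity to a tiny training window is the usual weakness of this approach and is why real deployments train over much longer windows than the few lines shown here.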
Kernelized Design
Kernel – part of OS that performs lowest-level functions
• Synchronization, interprocess communications, message passing, interrupt handling
• Security kernel – responsible for enforcing security mechanism for entire OS; provides interface among the hardware, OS, and other parts of computer system