Security Lecture 2


Transcript of Security Lecture 2

8/7/2019 Security Lecture 2

Computer Security

Lecture 2

Security Models

Syed Naqvi

[email protected]

09 November 2010, Lecture 2: Security Models

Access Control Models


Access Control

Access control constrains what a user can do directly, as well as what programs executing on his behalf are allowed to do.

Activity in the system is initiated by entities known as subjects. Subjects are typically users or programs executing on their behalf.

A user may sign on to the system as different subjects on different occasions.

Subjects can themselves be objects. A subject can create additional subjects in order to accomplish its task.


    Access Control Types

    Discretionary Access Control (DAC)

    Mandatory Access Control (MAC)

    Role-Based Access Control (RBAC)


Discretionary Access Control

Figure: an application's access list, and individuals mapped directly to resources (Server 1, Server 2, Server 3).

    Application Access List
    Name     Access
    Tom      Yes
    John     No
    Cindy    Yes

DAC is used to control access by restricting a subject's access to an object. It is generally used to limit a user's access to a file. In this type of access control it is the owner of the file who controls other users' accesses to the file.


Mandatory Access Control

The need for a mandatory access control (MAC) mechanism arises when the security policy of a system dictates that:

protection decisions must not be decided by the object owner;

the system must enforce the protection decisions (i.e., the system enforces the security policy over the wishes or intentions of the object owner).


Mandatory Access Control

Figure: individuals mapped to resources by classification label: Server 1 (Top Secret), Server 2 (Secret), Server 3 (Classified).


DAC vs. MAC

    DAC                                              MAC
    Object owner has full power                      Object owner CAN have some power
    Complete trust in users                          Only trust in administrators
    Decisions are based only on user id and          Objects and tasks themselves can have ids
      object ownership
    Impossible to control data flow                  Makes data flow control possible


Role-Based Access Control

A user has access to an object based on the assigned role.

Roles are defined based on job functions.

Permissions are defined based on job authority and responsibilities within a job function.

Operations on an object are invoked based on the permissions.

The object is concerned with the user's role and not the user.


Role-Based Access Control

Figure: individuals are assigned to roles (Role 1, Role 2, Role 3), and roles are mapped to resources (Server 1, Server 2, Server 3).

Users change frequently, roles don't.


Role-Based Access Control

Roles are engineered based on the principle of least privilege.

A role contains the minimum set of permissions needed to perform its operations on an object.

A user is assigned to a role that allows him or her to perform only what is required for that role.

No single role is given more permission than the same role for another user.


Role-Based Access Control

Figure (RBAC reference model): Users --(User Assignment)--> Roles --(Permission Assignment)--> Permissions, where a permission pairs an Operation with an Object. Sessions sit between users and roles: user_sessions is one-to-many (a user may have many sessions) and role_sessions is many-to-many (a session activates several roles, and a role can be active in several sessions).

An important difference from classical models is that the Subject in other models corresponds to a Session in RBAC.


Role-Based Access Control

Example: Hospital Setup

The role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests.

The role of a researcher can be limited to gathering anonymous clinical information for studies.
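The hospital setup and the Users / Roles / Permissions / Sessions figure, as an added example in Python (not code from the lecture): users are assigned roles, roles are assigned (operation, object) permissions, and a session activates only a subset of the user's roles, so the session, not the user, is what gets checked. The role, operation and object names (doctor, researcher, patient_record, lab_test, anonymised_dataset, alice, bob) are made up for the demonstration.

```python
class RBAC:
    """Minimal RBAC reference monitor in the shape of the NIST-style figure."""

    def __init__(self):
        self.role_perms = {}   # role -> set of (operation, object)   (permission assignment)
        self.user_roles = {}   # user -> set of roles                (user assignment)
        self.sessions = {}     # session id -> (user, active roles)   (user_sessions: one user, many sessions)

    def add_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        # users come and go; the role and its permissions stay unchanged
        self.user_roles.get(user, set()).discard(role)

    def can_open(self, user, roles):
        # a session may activate only roles the user is actually assigned to
        return set(roles) <= self.user_roles.get(user, set())

    def open_session(self, sid, user, roles):
        """Least privilege: the caller activates only the roles the task needs."""
        if not self.can_open(user, roles):
            raise PermissionError(f"{user} is not assigned all of {sorted(roles)}")
        self.sessions[sid] = (user, set(roles))

    def permitted(self, sid, operation, obj):
        # the object is checked against the session's active roles, not the user
        _, roles = self.sessions[sid]
        return any((operation, obj) in self.role_perms[r] for r in roles)


def build_hospital():
    """The slide's hospital roles, with constructed permissions and users."""
    rbac = RBAC()
    rbac.add_role("doctor", {("diagnose", "patient_record"),
                             ("prescribe", "patient_record"),
                             ("order", "lab_test")})
    rbac.add_role("researcher", {("read", "anonymised_dataset")})
    rbac.assign("alice", "doctor")        # alice holds both roles
    rbac.assign("alice", "researcher")
    rbac.assign("bob", "researcher")      # bob only gathers anonymous data
    return rbac


if __name__ == "__main__":
    h = build_hospital()
    h.open_session("ward-round", "alice", {"doctor"})
    h.open_session("study", "alice", {"researcher"})
    print("alice on the ward may prescribe:", h.permitted("ward-round", "prescribe", "patient_record"))
    print("alice in the study may prescribe:", h.permitted("study", "prescribe", "patient_record"))
    print("bob may open a doctor session:", h.can_open("bob", {"doctor"}))
```

Alice holds the doctor role, but a session she opens as a researcher cannot prescribe: the permission follows the active role in the session, which is what the slide means by the subject corresponding to a session.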


    Confidentiality Model


The Bell-LaPadula Model

The Bell-LaPadula Model, also called the multi-level model, was proposed by Bell and LaPadula of MITRE for enforcing access control in government and military applications. It corresponds to military-style classifications.

In such applications, subjects and objects are often partitioned into different security levels.


The Bell-LaPadula Model

A subject can only access objects at certain levels determined by his security level.

For instance, the following are two typical access specifications: "Unclassified personnel cannot read data at confidential levels" and "Top-Secret data cannot be written into the files at unclassified levels".


The Bell-LaPadula Model

The simplest type of confidentiality classification is a set of security clearances arranged in a linear (total) ordering. Clearances represent the security levels. The higher the clearance, the more sensitive the information.

Basic confidentiality classification system:

    Level               Individuals         Documents
    Top Secret (TS)     Peter, Thomas       Personnel Files
    Secret (S)          Sally, Samuel       Electronic Mails
    Confidential (C)    Claire, Clarence    Activity Log Files
    Unclassified (UC)   Hannah, John        Telephone Lists


The Bell-LaPadula Model

Let L(S) = l_s be the security clearance of subject S.

Let L(O) = l_o be the security classification of object O.

Simple Security Condition (No Read Up): S can read O if and only if l_o ≤ l_s and S has discretionary read access to O.


The Bell-LaPadula Model

Basic Security Theorem:

Let the system have a secure initial state (state 0), and let T be the set of state transformations.

If every element of T preserves the simple security condition (preliminary version) and the *-property (preliminary version),

then every state i, i ≥ 0, is secure.


The Bell-LaPadula Model

A total order of classifications is not flexible enough: Alice is cleared for missiles, Bob is cleared for warheads, and both are cleared for targets.

Solution: categories. Each category describes a kind of information.

Categories arise from the need-to-know principle: no subject should be able to read objects unless reading them is necessary for that subject to perform its function.

Example: three categories, NUC, EUR, US.

Each pair of a classification and a set of categories forms a security level, or compartment.

Subjects have clearance at (are cleared into, or are in) a security level. Objects are at the level of (or are in) a security level.


The Bell-LaPadula Model: Security Lattice

Figure: the lattice of category sets over {NUC, EUR, US}, ordered by subset inclusion.

                  {NUC, EUR, US}
    {NUC, EUR}      {NUC, US}      {EUR, US}
      {NUC}           {EUR}           {US}

William may be cleared into level (SECRET, {EUR}); George into level (TS, {NUC, US}).

A document may be classified as (C, {EUR}).

Someone with clearance at (TS, {NUC, US}) will be denied access to a document with category EUR.


The Bell-LaPadula Model

The security level (L, C) dominates the security level (L', C') if and only if L' ≤ L and C' ⊆ C.

¬dom: the dominate relation is false.

George is cleared into security level (S, {NUC, EUR}).

DocA is classified as (C, {NUC}).

DocB is classified as (S, {EUR, US}).

DocC is classified as (S, {EUR}).

George ______ DocA

George ______ DocB

George ______ DocC

Answers: dom, ¬dom, dom. C ≤ S and {NUC} ⊆ {NUC, EUR}, so George dom DocA; {EUR, US} is not a subset of {NUC, EUR}, so George ¬dom DocB; S ≤ S and {EUR} ⊆ {NUC, EUR}, so George dom DocC.


The Bell-LaPadula Model

Let C(S) be the category set of subject S.

Let C(O) be the category set of object O.

Simple Security Condition (no read up): S can read O if and only if S dom O and S has discretionary read access to O.

*-Property (no write down): S can write to O if and only if O dom S and S has discretionary write access to O.

Basic Security Theorem: let the system have a secure initial state (state 0), and let T be the set of state transformations. If every element of T preserves the simple security condition (preliminary version) and the *-property (preliminary version), then every state i, i ≥ 0, is secure.


The Bell-LaPadula Model

Bell-LaPadula does allow a higher-level subject to write into a lower-level object that a lower-level subject can read, by letting the subject lower the level it is operating at.

A subject has a maximum security level and a current security level; the maximum security level must dominate the current security level. A subject may (effectively) decrease its security level from the maximum in order to communicate with entities at lower security levels.

The Colonel's maximum security level is (S, {NUC, EUR}). She changes her current security level to (S, {EUR}). Now she can create a document at the Major's clearance level, (S, {EUR}).


The Bell-LaPadula Model

Example: Alice's level is secret, Bob's level is unclassified, Carol's level is classified. Memo1 is classified and Memo2 is top secret.

The simple security property specifies that:

Memo2 should not be read by Alice, Bob, or Carol.

Bob is not allowed to read Memo1, but both Alice and Carol are allowed to read it.

The *-property specifies that:

Bob and Carol can write to Memo1, since its level is not lower than theirs.

Alice's level is secret, so she is not permitted to write to Memo1.

Alice, Bob, and Carol are all at a lower level than Memo2 and can therefore write to it.
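The dominance relation, the two Bell-LaPadula conditions, the maximum/current level of a subject and the memo example above, worked through in Python as an added example (not code from the lecture). Classifications are compared in the linear order UC < C < S < TS and category sets by subset inclusion, exactly as the slides define dom; whether the discretionary ACL grants the access is passed in as a flag and assumed granted by default. The memo example's "classified" level is mapped to C, and the `Subject`, `category_lattice` and helper names are this example's own.

```python
LEVELS = {"UC": 0, "C": 1, "S": 2, "TS": 3}   # linear order of classifications


def dom(a, b):
    """(L, C) dom (L', C')  iff  L' <= L and C' is a subset of C."""
    (l1, c1), (l2, c2) = a, b
    return LEVELS[l2] <= LEVELS[l1] and frozenset(c2) <= frozenset(c1)


def can_read(subject_level, object_level, dac_read=True):
    """Simple security condition (no read up): S dom O and discretionary read."""
    return dac_read and dom(subject_level, object_level)


def can_write(subject_level, object_level, dac_write=True):
    """*-property (no write down): O dom S and discretionary write."""
    return dac_write and dom(object_level, subject_level)


class Subject:
    """A subject has a maximum and a current level; the maximum must dom the current."""

    def __init__(self, name, maximum):
        self.name, self.maximum, self.current = name, maximum, maximum

    def lower_to(self, level):
        if not dom(self.maximum, level):
            raise ValueError(f"{level} is not dominated by maximum {self.maximum}")
        self.current = level


def category_lattice(categories):
    """Every category set, smallest first: the nodes of the security lattice."""
    cats = sorted(categories)
    nodes = [frozenset(c for i, c in enumerate(cats) if mask >> i & 1)
             for mask in range(1 << len(cats))]
    return sorted(nodes, key=lambda s: (len(s), sorted(s)))


def colonel_example():
    """Colonel at maximum (S, {NUC, EUR}) writing a document for the Major at
    (S, {EUR}): denied at the maximum level, allowed once she lowers her current level."""
    colonel = Subject("Colonel", ("S", {"NUC", "EUR"}))
    major_doc = ("S", {"EUR"})
    before = can_write(colonel.current, major_doc)
    colonel.lower_to(("S", {"EUR"}))
    after = can_write(colonel.current, major_doc)
    return before, after


def memo_decisions():
    """The Alice / Bob / Carol memo example; no categories, so only the order matters."""
    people = {"alice": ("S", set()), "bob": ("UC", set()), "carol": ("C", set())}
    memos = {"memo1": ("C", set()), "memo2": ("TS", set())}
    return {(who, act, memo): (can_read if act == "read" else can_write)(lvl, mlvl)
            for who, lvl in people.items()
            for memo, mlvl in memos.items()
            for act in ("read", "write")}


if __name__ == "__main__":
    george = ("S", {"NUC", "EUR"})
    for name, doc in [("DocA", ("C", {"NUC"})), ("DocB", ("S", {"EUR", "US"})), ("DocC", ("S", {"EUR"}))]:
        print("George", "dom" if dom(george, doc) else "¬dom", name)
    print("Colonel can write Major's document (before, after lowering):", colonel_example())
    for (who, act, memo), ok in sorted(memo_decisions().items()):
        print(f"{who} {act} {memo}: {'allowed' if ok else 'denied'}")
```

Lowering the current level is what makes the Colonel's write legal: at (S, {NUC, EUR}) the *-property fails because the Major's document does not dominate her, while at (S, {EUR}) the two levels are equal and dominance holds both ways.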


    Integrity Model


The Biba Model

Based on Bell-LaPadula: subjects and objects; integrity levels with a dominance relation. Higher levels are more reliable/trustworthy and more accurate.

Information transfer path: a sequence of subjects and objects where s_i r o_i and s_i w o_{i+1}.


The Biba Model

Characterized by the phrase: no write up, no read down.

Users can only create content at or below their own integrity level.

Users can only view content at or above their own integrity level.

Information may only flow downwards.


The Biba Model

Prevents corruption of clean higher-level entities by dirty lower-level entities. The Biba model addresses integrity, whereas Bell-LaPadula concerns disclosure of information.

Notation: subjects and objects are ordered by an integrity scheme denoted I(s) and I(o).

Properties:

Simple Integrity Property: subject s can modify (or have write access to) object o iff I(s) ≥ I(o).

Integrity *-property: if subject s has read access to object o with integrity level I(o), s can have write access to object p iff I(o) ≥ I(p).

Problem: ignores secrecy.


The Biba Model

Low-Water-Mark Policy

    s w o    ⟹  i(o) ≤ i(s)                 prevents writing to a higher level
    s r o    ⟹  i'(s) = min(i(s), i(o))     drops the subject's level
    s1 x s2  ⟹  i(s2) ≤ i(s1)               prevents executing higher-level objects

Ring Policy

    s r o                                   allows any subject to read any object
    s w o    ⟹  i(o) ≤ i(s)                 (same as above)
    s1 x s2  ⟹  i(s2) ≤ i(s1)


The Biba Model

Biba's Model: Strict Integrity Policy (dual of Bell-LaPadula)

    s r o    ⟹  i(s) ≤ i(o)      (no read down)
    s w o    ⟹  i(o) ≤ i(s)      (no write up)
    s1 x s2  ⟹  i(s2) ≤ i(s1)

Theorem for each policy: if there is an information transfer path from object o_1 to object o_{n+1}, then enforcement of the policy requires that i(o_{n+1}) ≤ i(o_1) for all n > 1.
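The three Biba policies of the last two slides, as an added Python example (not code from the lecture): one reference monitor over integer integrity levels (a higher number is more trustworthy) that switches between strict, low-water-mark and ring rules, plus a runner that attempts an information transfer path s_i r o_i, s_i w o_{i+1} and reports whether every step was permitted. Entity names and levels are constructed for the demonstration; the `Entity`, `BibaMonitor` and `transfer` names are this example's own.

```python
from dataclasses import dataclass


@dataclass
class Entity:
    name: str
    level: int          # integrity level i(.)


class BibaMonitor:
    POLICIES = ("strict", "low-water-mark", "ring")

    def __init__(self, policy):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy

    def read(self, s, o):
        """s r o"""
        if self.policy == "strict":
            return s.level <= o.level            # no read down: i(s) <= i(o)
        if self.policy == "low-water-mark":
            s.level = min(s.level, o.level)      # always allowed; i'(s) = min(i(s), i(o))
            return True
        return True                              # ring: any subject may read any object

    def write(self, s, o):
        """s w o: i(o) <= i(s) under all three policies (no write up)."""
        return o.level <= s.level

    def execute(self, s1, s2):
        """s1 x s2: i(s2) <= i(s1) under all three policies."""
        return s2.level <= s1.level


def transfer(monitor, subjects, objects):
    """Attempt the information transfer path o_1 -> ... -> o_{n+1}, where
    s_i reads o_i and then writes o_{i+1}. True iff every step is permitted."""
    if len(objects) != len(subjects) + 1:
        raise ValueError("a path of n subjects needs n+1 objects")
    for s, src, dst in zip(subjects, objects, objects[1:]):
        if not (monitor.read(s, src) and monitor.write(s, dst)):
            return False
    return True


def upward_path_blocked(policy):
    """Try to carry data from a low-integrity object (1) into a high one (3)
    through two trusted subjects; True if the policy stops the path."""
    objects = [Entity("low_input", 1), Entity("scratch", 2), Entity("high_config", 3)]
    subjects = [Entity("importer", 3), Entity("installer", 3)]
    return not transfer(BibaMonitor(policy), subjects, objects)


if __name__ == "__main__":
    for policy in BibaMonitor.POLICIES:
        print(f"{policy:15s} blocks low -> high flow: {upward_path_blocked(policy)}")
```

Strict integrity blocks the path at the first read (a level-3 subject may not read level 1); low-water-mark lets the read happen but drops the importer to level 1, so its write to the level-2 scratch object fails. The ring policy does not block the path in this run: reads are unconstrained, so it relies on the subject not to propagate what it read.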


    Data Isolation Model


The Chinese Wall Model

Used mainly by services and consultancy firms.

Effective in securing data/information that may lead to conflicts of interest within an organization/corporation.

Intended to prevent unauthorized flow of information from one organization to another via a consultant working at both.

Introduces the concept of separation of duty into access control.

GENERAL RULE: there must be no information flow that causes a conflict of interest.


The Chinese Wall Model

Figure: Company A and Company B are competitors; Bank X has an account in each. Analyst A consults for Company A and updates the Bank's portfolio with information on Company A; Analyst B consults for Company B and has access to the Bank's portfolio.


The Chinese Wall Model

The simple security policy: a subject may access an object of company X only if every object the subject has previously accessed is either in X's own company dataset or in a company dataset whose conflict-of-interest class does not contain X (sanitized objects are always accessible).

The *-property: a subject can write to an object of a given company X only if the subject cannot read any data (or objects) from any company that is a competitor of X, unless such objects have been sanitized.


The Chinese Wall Model

Object: a file containing commercial information. If an object contains information that is not commercially sensitive it is said to be sanitized.

Company dataset: the set of files belonging to a particular organization.

Conflict of interest class: a set of companies whose owners are competitors, e.g. the oil companies.


The Chinese Wall Model

Set of subjects S; set of objects O; set of companies C; set of conflict of interest classes K.

Each company belongs to at least one conflict of interest class.

Every unsanitized object has a security label (x(o), y(o)):

    y : O → C   identifies the owner of an object
    x : O → K   identifies the object's conflict of interest class

Every sanitized object has the same security label.

A history matrix H.


The Chinese Wall Model

The Chinese Wall model must address confidentiality requirements over time. The history matrix is used to record a history of past access to objects:

    rows are indexed by subjects, columns by objects, and entries are 0 or 1;
    H[s, o] = 1 indicates that subject s has accessed object o.
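The history matrix, the labels (x(o), y(o)) and the two Chinese Wall rules, run over the Bank X figure as an added Python example (not code from the lecture). The wall is built purely from recorded history: the simple security rule refuses an object whose conflict-of-interest class already contains a different company the subject has read, and the *-property is implemented as "nothing unsanitized from any other company dataset has been read by this subject", which is a history-based simplification of Brewer and Nash's formulation (they quantify over objects the subject *could* read). Sanitized objects are assumed readable by everyone and not to be write targets; the object, company and subject names are constructed.

```python
SANITIZED = None   # every sanitized object carries this one label


class ChineseWall:
    def __init__(self):
        self.label = {}      # object -> (x(o) conflict class, y(o) company) or SANITIZED
        self.history = {}    # subject -> set of objects read: the 1-entries of H

    def add_object(self, obj, coi_class=None, company=None):
        self.label[obj] = SANITIZED if company is None else (coi_class, company)

    def has_read(self, subject):
        return self.history.get(subject, set())

    def can_read(self, subject, obj):
        """Simple security: no earlier access to a competitor of obj's company."""
        lab = self.label[obj]
        if lab is SANITIZED:
            return True
        coi_class, company = lab
        for past in self.has_read(subject):
            past_lab = self.label[past]
            if past_lab is not SANITIZED and past_lab[0] == coi_class and past_lab[1] != company:
                return False          # the wall: same class, different company
        return True

    def read(self, subject, obj):
        """Grant the read and record it in H; the decision now shapes later ones."""
        if not self.can_read(subject, obj):
            return False
        self.history.setdefault(subject, set()).add(obj)
        return True

    def can_write(self, subject, obj):
        """*-property: write into company X's dataset only if every unsanitized
        object this subject has read belongs to X's dataset."""
        lab = self.label[obj]
        if lab is SANITIZED or not self.can_read(subject, obj):
            return False              # assumption: sanitized objects are read-only here
        _, company = lab
        return all(self.label[p] is SANITIZED or self.label[p][1] == company
                   for p in self.has_read(subject))

    def history_matrix(self):
        """H as rows: subject -> {object: 0/1}."""
        return {s: {o: int(o in reads) for o in self.label}
                for s, reads in self.history.items()}


def build_scenario():
    """The figure: Company A and B compete (one conflict class), Bank X is in
    another, and market_summary is a sanitized public document (constructed)."""
    w = ChineseWall()
    w.add_object("companyA_report", "oil", "CompanyA")
    w.add_object("companyB_report", "oil", "CompanyB")
    w.add_object("bankX_portfolio", "banks", "BankX")
    w.add_object("market_summary")                      # sanitized
    return w


def demo():
    w = build_scenario()
    out = {}
    out["A reads CompanyA"] = w.read("analyst_a", "companyA_report")
    out["A reads CompanyB"] = w.read("analyst_a", "companyB_report")     # competitor: denied
    out["A reads BankX"] = w.read("analyst_a", "bankX_portfolio")        # other class: allowed
    out["A writes BankX"] = w.can_write("analyst_a", "bankX_portfolio")  # would carry A's data: denied
    out["clerk reads BankX"] = w.read("clerk", "bankX_portfolio")
    out["clerk writes BankX"] = w.can_write("clerk", "bankX_portfolio")  # has read only BankX: allowed
    out["B reads CompanyB"] = w.read("analyst_b", "companyB_report")
    out["B reads BankX"] = w.read("analyst_b", "bankX_portfolio")
    out["B reads CompanyA"] = w.read("analyst_b", "companyA_report")     # competitor: denied
    return out, w.history_matrix()


if __name__ == "__main__":
    decisions, H = demo()
    for step, ok in decisions.items():
        print(f"{step:20s} {'allowed' if ok else 'denied'}")
    for subject, row in H.items():
        print(subject, row)
```

The write that the figure warns about is the one refused here: Analyst A may read Bank X's portfolio, but cannot update it while unsanitized Company A material sits in his row of H, because Analyst B can read that same portfolio. A clerk whose history holds only Bank X objects can write to it.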
