Security models

Security Models Copyright by Aakash Panchal All Right reversed by LJ Projects

Transcript of Security models

Page 1: Security models

Security Models


Page 2: Security models


Basic Concepts

Page 3: Security models

Terminology


Trusted Computing Base (TCB) – combination of protection mechanisms within a computer system

Subjects / Objects
  Subjects are active (e.g., users / programs)
  Objects are passive (e.g., files)

Reference Monitor – abstract machine that mediates subject access to objects

Security Kernel – core element of TCB that enforces the reference monitor’s security policy

Page 4: Security models

Types of Access Control


Discretionary Access Control (DAC) – data owners can create and modify matrix of subject / object relationships (e.g., ACLs)

Mandatory Access Control (MAC) – “insecure” transactions prohibited regardless of DAC

Cannot enforce MAC rules with a DAC security kernel
  Someone with read access to a file can copy it and build a new “insecure” DAC matrix, because he will be an owner of the new file.

Page 5: Security models

Information Flow Models


In reality, there are state transitions

Key is to ensure transitions are secure

Models provide rules for how information flows from state to state.

Information flow models do not address covert channels
  Trojan horses
  Requesting system resources to learn about other users

Page 6: Security models

State Machine Model

State is a snapshot of the system at one moment in time.

State transition is the change to the next state.

If all the state transitions in a system are secure and if the initial state of the system is secure, then every subsequent state will also be secure, no matter what input occurs.

Page 7: Security models


Access Control Models

Page 8: Security models

Bell-LaPadula (BLP) Model


BLP is formal (mathematical) description of mandatory access control

First model that was created to control access to data.

Three properties:
  ds-property (discretionary security)
  ss-property (simple security – no “read up”)
  *-property (star property – no “write down”)

A secure system satisfies all of these properties

BLP includes a mathematical proof that if a system is secure and a transition satisfies all of the properties, then the system will remain secure.

Page 9: Security models

Bell-LaPadula Model (Continued)


Honeywell Multics kernel was only true implementation of BLP, but it never took hold

DOD information security requirements currently achieved via discretionary access control and segregation of systems rather than BLP-compliant computers

The problem with this model is that it does not deal with integrity of the data.

Page 10: Security models

Bell-LaPadula Model (Continued)


The star property makes it possible for a lower level subject to write to a higher classified object.

A covert channel is an information flow that is not controlled by a security mechanism.

A low-level subject may see a high-level object's name but is denied access to the contents of the object.

Page 11: Security models

Harrison-Ruzzo-Ullman Model

BLP model does not state policies for changing access rights or for the creation or deletion of subjects and objects.

This model defines an authorization system that addresses these issues.

It operates on access matrices and verifies whether there is any sequence of instructions that causes an access right to leak information.

Page 12: Security models

Three Main Goals of Integrity

Preventing unauthorized users from making modifications to data or programs.

Preventing authorized users from making improper or unauthorized modifications.

Maintaining internal and external consistency of data and programs.

Page 13: Security models

Biba Model


Similar to BLP but focus is on integrity, not confidentiality

Implements the first goal of integrity.

Result is to turn the BLP model upside down
  High-integrity subjects cannot read lower-integrity objects (no “read down”)

Subjects cannot move low integrity data to high-integrity environment (no “write up”)
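As an added example (not part of the slides), the following Python code models the BLP ss-property and *-property beside their Biba duals on one lattice of (level, compartments) labels; the label names and values are constructed, and the discretionary ds-property is left out.

```python
# Added example, not from the slides: BLP and Biba decisions over one label lattice.
# A label is (level, compartments); label a dominates b when its level is at least
# as high and its compartment set is a superset of b's.
from typing import FrozenSet, Tuple

Label = Tuple[int, FrozenSet[str]]

def dominates(a: Label, b: Label) -> bool:
    """True when label a is at least as high as label b in the lattice."""
    return a[0] >= b[0] and a[1] >= b[1]   # '>=' on frozensets is superset

# Bell-LaPadula (confidentiality): levels read as classifications.
def blp_can_read(subject: Label, obj: Label) -> bool:
    return dominates(subject, obj)          # ss-property: no "read up"

def blp_can_write(subject: Label, obj: Label) -> bool:
    return dominates(obj, subject)          # *-property: no "write down"

# Biba (integrity): the same lattice turned upside down, levels read as integrity.
def biba_can_read(subject: Label, obj: Label) -> bool:
    return dominates(obj, subject)          # no "read down"

def biba_can_write(subject: Label, obj: Label) -> bool:
    return dominates(subject, obj)          # no "write up"

# Constructed labels: 0 is the lowest level, 2 the highest.
LOW = (0, frozenset())
MID_NUC = (1, frozenset({"nuclear"}))
HIGH_NUC = (2, frozenset({"nuclear"}))
MID_CRYPTO = (1, frozenset({"crypto"}))

def demo() -> dict:
    """Decisions that correspond to the rules stated on the slides."""
    return {
        "blp_read_up": blp_can_read(MID_NUC, HIGH_NUC),        # False: ss-property
        "blp_write_up": blp_can_write(MID_NUC, HIGH_NUC),      # True: writing up is allowed
        "blp_write_down": blp_can_write(MID_NUC, LOW),         # False: *-property
        "blp_read_cross": blp_can_read(MID_NUC, MID_CRYPTO),   # False: compartments differ
        "biba_read_down": biba_can_read(HIGH_NUC, MID_NUC),    # False: no "read down"
        "biba_write_up": biba_can_write(MID_NUC, HIGH_NUC),    # False: no "write up"
    }
```

The "blp_write_up" entry is the point made on the slide "Bell-LaPadula Model (Continued)": the *-property lets a lower-level subject write into a higher-classified object.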

Page 14: Security models

Intuition Behind Models

Control of confidential information is important in both military and commercial environments.

However, in a commercial environment the integrity of data is equally important, to prevent errors and fraud.

The higher the level, the more confidence one has that a program will execute correctly.

Data at higher level is more accurate, reliable and trustworthy than data at the lower level.

Page 15: Security models

Clark-Wilson Model


Reviews the distinction between military and commercial policy
  Military policy focuses on confidentiality
  Commercial policy focuses on integrity

Mandatory commercial controls typically involve who gets to do what type of transaction rather than who sees what (Example: Handle a check above a certain amount)

Page 16: Security models

Clark-Wilson Model (Continued)


Two types of objects:
  Constrained Data Items (CDIs)
  Unconstrained Data Items (UDIs)

Two types of transactions on CDIs in model:
  Integrity Verification Procedures (IVPs)
  Transformation Procedures (TPs)

IVPs certify that TPs on CDIs result in valid state

All TPs must be certified to result in valid transformation

Page 17: Security models

Clark-Wilson Model (Continued)


System maintains list of valid relations of the form: {UserID, TP, CDI/UDI}

Only permitted manipulation of CDI is via an authorized TP

If a TP takes a UDI as an input, then it must result in a proper CDI or the TP will be rejected

Additional requirements
  Auditing: TPs must write to an append-only CDI (log)
  Separation of duties

Page 18: Security models

Clark-Wilson Model (Continued)


Subjects have to be identified and authenticated.

Objects can be manipulated only by a restricted set of programs.

Subjects can execute only a restricted set of programs

A proper audit log has to be maintained.
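As an added example (not part of the slides), this Python code is a minimal Clark-Wilson enforcement core covering the three Clark-Wilson slides above: the {UserID, TP, CDI} triples, a certified TP that converts a UDI, an IVP that must certify the result, authentication of subjects, and an append-only log. The ledger, the "deposit" TP and the UDI format "account:amount" are constructed for the example.

```python
# Added example, not from the slides: a minimal Clark-Wilson enforcement core.
# Constructed scenario: a ledger is the CDI, deposit requests arrive as raw
# strings (UDIs), one certified TP converts them, and an IVP checks the result.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

@dataclass
class Ledger:
    """The constrained data item; `log` is the append-only audit CDI."""
    balances: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

def ivp_balances_valid(ledger: Ledger) -> bool:
    """Integrity verification procedure: no balance may be negative."""
    return all(v >= 0 for v in ledger.balances.values())

def tp_deposit(ledger: Ledger, udi: str) -> bool:
    """Certified TP: validate the UDI 'account:amount' before it touches the CDI."""
    try:
        account, amount_text = udi.split(":")
        amount = int(amount_text)
    except ValueError:
        return False                 # malformed UDI: the TP is rejected
    if amount <= 0:
        return False
    ledger.balances[account] = ledger.balances.get(account, 0) + amount
    return True

class ClarkWilson:
    def __init__(self) -> None:
        self.certified_tps: Dict[str, Callable[[Ledger, str], bool]] = {"deposit": tp_deposit}
        self.triples: Set[Tuple[str, str, str]] = set()   # (UserID, TP, CDI)
        self.cdis: Dict[str, Ledger] = {}

    def run(self, user: str, authenticated: bool, tp: str, cdi: str, udi: str) -> bool:
        ledger = self.cdis[cdi]
        if not authenticated:                      # subjects must be authenticated
            ledger.log.append(f"DENY unauthenticated {user} {tp} {cdi}")
            return False
        if tp not in self.certified_tps or (user, tp, cdi) not in self.triples:
            ledger.log.append(f"DENY no triple {user} {tp} {cdi}")   # restricted programs
            return False
        # Run the TP on a copy; commit only if the IVP certifies the new state.
        trial = Ledger(dict(ledger.balances), ledger.log)
        ok = self.certified_tps[tp](trial, udi) and ivp_balances_valid(trial)
        if ok:
            ledger.balances = trial.balances
        ledger.log.append(f"{'OK' if ok else 'REJECT'} {user} {tp} {cdi} {udi!r}")
        return ok
```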

Page 19: Security models

Clark-Wilson versus Biba


In Biba’s model, UDI to CDI conversion is performed by trusted subject only (e.g., a security officer), but this is problematic for data entry function.

In Clark-Wilson, TPs are specified for particular users and functions. Biba’s model does not offer this level of granularity.

Page 20: Security models

Chinese Wall


Focus is on conflicts of interest.

Principle: Users should not access the confidential information of both a client organization and one or more of its competitors.

How it works
  Users have no “wall” initially.
  Once any given file is accessed, files with competitor information become inaccessible.
  Unlike other models, access control rules change with user behavior

Page 21: Security models

Chinese Wall


Separation of Duty
  A given user may perform transaction A or transaction B, but not both.

A simple security property
  A subject has access to an object if and only if all the objects that the subject can read are from non-competing groups.

The *-Property
  A subject can write to a client only if the subject cannot read any object from a competing group.
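As an added example (not part of the slides), the following Python code implements the two Chinese Wall rules above with a per-subject history that grows as files are read; the companies and conflict-of-interest classes are constructed, and "objects the subject can read" is interpreted, as an assumption, as the companies the subject has already read (sanitized objects are not modelled).

```python
# Added example, not from the slides: Chinese Wall decisions with a growing wall.
# Assumption: the "can read" set in the *-property is the subject's read history.
from typing import Dict, Set

# Constructed data: company -> conflict-of-interest class.
COI_CLASS: Dict[str, str] = {
    "BankA": "banks", "BankB": "banks",
    "OilX": "oil", "OilY": "oil",
}

class ChineseWall:
    def __init__(self) -> None:
        self.history: Dict[str, Set[str]] = {}   # subject -> companies already read

    def can_read(self, subject: str, company: str) -> bool:
        """Simple security: no previously read company may be a competitor,
        i.e. in the same COI class but a different company."""
        seen = self.history.get(subject, set())
        return all(COI_CLASS[c] != COI_CLASS[company] or c == company for c in seen)

    def read(self, subject: str, company: str) -> bool:
        """Perform a read; on success the subject's wall grows."""
        ok = self.can_read(subject, company)
        if ok:
            self.history.setdefault(subject, set()).add(company)
        return ok

    def can_write(self, subject: str, company: str) -> bool:
        """*-property: write to `company` only if the subject can read it and has
        read nothing from any other company, so no data crosses the wall via a write."""
        if not self.can_read(subject, company):
            return False
        return all(c == company for c in self.history.get(subject, set()))
```

The rules change with behaviour: a subject with an empty history may write anywhere, but once it has read two different companies it can no longer write to either.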
