i nformation s ecurity : c onfidentiality p olicies (c hapter 4) dr. shahriar bijani shahed...
Post on 17-Dec-2015
222 Views
Preview:
TRANSCRIPT
INFORMATION SECURITY:
CONFIDENTIALITY POLICIES (CHAPTER 4)
Dr. Shahriar Bijani
Shahed University
2
SLIDES REFERENCES
Matt Bishop, Computer Security: Art and Science, the author homepage, 2002-2004.
Chris Clifton, CS 526: Information Security course, Purdue university, 2010.
3
CHAPTER 5: CONFIDENTIALITY POLICIES
OverviewWhat is a confidentiality model
Bell-LaPadula ModelGeneral idea Informal description of rulesFormal description of rules
Tranquility Controversy
†-propertySystem Z
4
OVERVIEW
Bell-LaPadula Informally Formally Example Instantiation
Tranquility Controversy
System Z
5
CONFIDENTIALITY POLICY
Goal: prevent the unauthorized disclosure of
information
Deals with information flow
Multi-level security models are best-known
examples
Bell-LaPadula Model basis for many, or most, of
these
6
BACKGROUND
Clearance levelsTop Secret
In-depth background check; highly trusted individual
Secret Routine background check; trusted individual
For Official Use Only/Sensitive No background check, but limited distribution;
minimally trusted individuals May be exempt from disclosure
Unclassified Unlimited distribution Untrusted individuals
7
BELL-LAPADULA MODEL (STEP 1)
Security levels arranged in linear ordering Top Secret: highest Secret Confidential Unclassified: lowest
Levels consist of: Subject has security clearance L(s) = ls Object has security classification L(o) = lo Clearance/Classification ordered:
li < li+1
Mandatory access control
EXAMPLE
security level subject object
l4: Top Secret Bill Personnel Files
l3: Secret Samuel E-Mail Files
l2:
ConfidentialClaire Activity Logs
l1:
UnclassifiedJohn Telephone Lists
• Bill can read all files• Claire cannot read Personnel or E-Mail Files• John can only read Telephone Lists
9
READING INFORMATION
Information flows up, not down
“Reads up” disallowed, “reads down” allowed
Simple Security Condition (Step 1)
Subject s can read object o iff, L(o) ≤ L(s)
and s has permission to read o
Note: combines mandatory control (relationship of
security levels) and discretionary control (the required
permission)
Sometimes called “no reads up” rule
10
WRITING INFORMATION
Information flows up, not down
“Writes up” allowed, “writes down” disallowed
*-Property (Step 1)
Subject s can write object o iff L(s) ≤ L(o)
and s has permission to write o
Note: combines mandatory control (relationship of
security levels) and discretionary control (the required
permission)
Sometimes called “no writes down” rule
11
BASIC SECURITY THEOREM, STEP 1
If a system is initially in a secure state, and
every transition of the system satisfies the
simple security condition, step 1, and the *-
property, step 1, then every state of the
system is secure
Proof: induct on the number of transitions
12
BASICS: PARTIALLY ORDERED SET
A Set S with relation (written (S, ) is called
a partially ordered set if is
Anti-symmetric
If a b and b a then a = b
Reflexive
For all a in S, a a
Transitive
For all a, b, c. a b and b c implies a c
13
BACKGROUND: POSET EXAMPLES
Natural numbers with less than (total order)
Sets under the subset relation (not a total
order)
Natural numbers ordered by divisibility
14
BACKGROUND: LATTICE
Partially ordered set (S, ) and two operations:
greatest lower bound (glb X)
Greatest element less than all elements of set X
least upper bound (lub X)
Least element greater than all elements of set X
Every lattice has
bottom (glb L) a least element
top (lub L) a greatest element
15
BACKGROUND: LATTICE EXAMPLES
Natural numbers in an interval (0 .. n) with less
than
Also the linear order of clearances
(U FOUO S TS)
The powerset of a set of generators under
inclusion
E.g. Powerset of security categories
{NUC, Crypto, ASI, EUR}
The divisors of a natural number under divisibility
16
BELL-LAPADULA MODEL (STEP 2)
Total order of classifications not flexible enough
Solution: Categories
S can access O if C(O) C(S)
Combining with clearance:
(L,C) dominates (L’,C’) L’ = L and C’ C
Induces lattice instead of levels
Expand notion of security level to include categories
Security level is (clearance, category set)
17
BELL-LAPADULA MODEL (BLP)
Lattice Example1
Lattice Example2 ( Top Secret, { NUC, EUR, ASI } ) ( Confidential, { EUR, ASI } ) ( Secret, { NUC, ASI } )
{NUC, EUR, US}
{NUC, EUR} {NUC, US} {EUR, US}
{NUC} {EUR} {US}
18
LEVELS AND LATTICES
dom (dominates) relation
(L, C) dom (L, C) iff L ≤ L and C C
Examples
(Top Secret, {NUC, ASI}) dom (Secret, {NUC})
(Secret, {NUC, EUR}) dom (Confidential,{NUC, EUR})
(Top Secret, {NUC}) dom (Confidential, {EUR})
Let C be set of clearances, K set of categories. Set
of security levels L = C K, dom form lattice
lub(L) = (max(L), C)
glb(L) = (min(L), )
19
LEVELS AND ORDERING
Security levels partially ordered
Any pair of security levels may (or may not) be
related by dom
“dominates” serves the role of “greater
than” in step 1
But “greater than” is a total ordering,
20
READING INFORMATION
Information flows up, not down
“Reads up” disallowed, “reads down” allowed
Simple Security Condition (Step 2)
Subject s can read object o iff L(s) dom L(o)
and s has permission to read o
Note: combines mandatory control (relationship of
security levels) and discretionary control (the required
permission)
Sometimes called “no reads up” rule
21
WRITING INFORMATION
Information flows up, not down
“Writes up” allowed, “writes down” disallowed
*-Property (Step 2)
Subject s can write object o iff L(o) dom
L(s) and s has permission to write o
Note: combines mandatory control (relationship of
security levels) and discretionary control (the required
permission)
Sometimes called “no writes down” rule
22
BASIC SECURITY THEOREM (STEP 2)
If a system is initially in a secure state, and
every transition of the system satisfies the
simple security condition (step 2) and the *-
property (step 2) then every state of the
system is secure
Proof: induct on the number of transitions
23
EXAMPLE George is cleared into security level (SECRET,{NUC, EUR}),
DocA is classified as ( CONFIDENTIAL, { NUC } ), DocB is classified as ( SECRET, { EUR, US}), and DocC is classified as (SECRET, { EUR }). Then:
George dom DocA as CONFIDENTIAL ≤ SECRET and { NUC } { NUC, EUR }
George ¬dom DocB as { EUR, US } { NUC, EUR } George dom DocC as SECRET ≤ SECRET and { EUR } { NUC, EUR } George can read DocA and DocC but not DocB (assuming the
discretionary access controls allow such access). Suppose Paul is cleared as (SECRET, { EUR, US, NUC }) and has
discretionary read access to DocB. Paul can read DocB; were he to copy its contents to DocA and set its access permissions accordingly. George could then read DocB!?
*-property (step 2) prevents this
24
PROBLEM
Colonel has (Secret, {NUC, EUR}) clearance
Major has (Secret, {EUR}) clearance
Major can talk to colonel (“write up” or “read
down”)
Colonel cannot talk to major (“read up” or “write
down”)
Not Desired!
25
SOLUTION Define maximum, current levels for subjects
maxlevel(s) dom curlevel(s)
Example
Treat Major as an object (Colonel is writing to him)
Colonel has maxlevel (Secret, { NUC, EUR })
Colonel sets curlevel to (Secret, { EUR })
Now L(Major) dom curlevel(Colonel)
Colonel can write to Major without violating “no writes
down”
26
SYSTEMS BUILT ON BELL-LAPADULA (BLP)
BLP was a simple model
Intent was that it could be enforced by simple
mechanisms
File system access control was the obvious
choice
Multics (1965) implemented BLP
Unix inherited its discretionary AC from Multics
top related