chapter 4: security policies
TRANSCRIPT
Chapter 4: Security Policies Introduction to Compute Security
Textbook
Overview • Consider a computer system to be a finite-state
automaton with a set of transition functions that change state
Simple finite-state machine. In this example, the authorized states are s1 and s2.
Simple finite-state machine. In this example, the authorized states are s1 and s2. Note: This system is not secure, because regardless of which authorized state it starts in, it can enter an unauthorized state. However, if the edge from s1 to s3 were not present, the system would be secure, because it could not enter an unauthorized state from an authorized state A breach of security occurs when a system enters an unauthorized state.
Security Policy • Policy partitions system states into:
– Authorized (secure) • These are states the system can enter
– Unauthorized (non secure) • If the system enters any of these states, it’s a security
violation
• Secure system – Starts in authorized state
– Never enters unauthorized state
Example • Consider a computer system to be a finite-state automaton with a set of
transition functions that changes the system state.
S1 S2
S5
S4
S3
t1
t2t4
t3
t5
t6
State either the system is authorized (secure) or not, explain your answer in the
case of (secure or unsecure). If it is unsecure show how would you make it secure.
Note that S1,S2, and S5 are secure states Answer: The system is unsecure due to t2, t5, and t6
It can become secure if we either change the arrow
direction of t2, t5, and t6 or remove the former edges.
Confidentiality • Making sure that those who should not see information (recall)
• X set of entities, I information
• I has confidentiality property with respect to X if no x X can obtain information from I
• I can be disclosed to others
• Example: – X set of students
– I final exam answer key
– I is confidential with respect to X if students cannot obtain final exam answer key
Example: a contractor working for a company may be authorized to access
proprietary information during the lifetime of a nondisclosure agreement, when that
nondisclosure agreement expires, the contractor can no longer access that
information. This aspect of the security policy is often called a confidentiality policy.
Integrity • Making sure that the information has not been changed from its original
(Recall)
• X set of entities, I information
• I has integrity property with respect to X if all x X trust information in I
• Types of integrity: – trust I, its conveyance and protection (data integrity)
– I information about origin of something or an identity (origin integrity, authentication)
– I resource: means resource functions as it should (assurance)
Example, in many transactions, a principle called separation of duties forbids an entity from completing the transaction on its own.
Those parts of the security policy that describe the conditions and manner in
which data can be altered are called the integrity policy
Availability • Making sure that the information is available for use when you need it
(recall)
• X set of entities, I resource
• I has availability property with respect to X if all x X can access I
• Types of availability: – traditional: x gets access or not
– quality of service: promised a level of access (for example, a specific level of bandwidth) and not meet it, even though some access is achieved
Example, that a browser may download Web pages but not Java applets.
It may require a level of service—for example, that a server will provide
authentication data within 1 minute of the request being made.
This relates directly to issues of quality of service.
Security Policy
• The statement of a security policy may formally state the desired properties of the system.
• If the system is to be provably secure, the formal statement will allow the designers and implementers to prove that those desired properties hold.
• If a formal proof is unnecessary or infeasible, analysts can test that the desired properties hold for some set of inputs
Policy Models
• Abstract description of a policy or class of policies
• Focus on points of interest in policies
– Security levels in multilevel security models
– Separation of duty in Clark-Wilson model
– Conflict of interest in Chinese Wall model
Types of Security Policies
• Military (governmental) security policy – Policy primarily protecting confidentiality
• Commercial security policy – Policy primarily protecting integrity
• Confidentiality policy – Policy protecting only confidentiality
• Integrity policy – Policy protecting only integrity
Integrity and Transactions
• Begin in consistent state
– “Consistent” defined by specification
• Perform series of actions (transaction)
– Actions cannot be interrupted
– If actions complete, system in consistent state
– If actions do not complete, system reverts to beginning (consistent) state
Trust
Administrator installs patch
1. Trusts patch came from vendor, not tampered with in transit
2. Trusts vendor tested patch thoroughly
3. Trusts vendor’s test environment corresponds to local environment
4. Trusts patch is installed correctly
Trust in Formal Verification
• Gives formal mathematical proof that given input i, program P produces output o as specified
• Suppose a security-related program S formally verified to work with operating system O
• What are the assumptions?
Trust in Formal Methods
1. Proof has no errors • Bugs in automated theorem provers
2. Preconditions hold in environment in which S is to be used
3. S transformed into executable S whose actions follow source code – Compiler bugs, linker/loader/library problems
4. Hardware executes S as intended – Hardware bugs (Pentium f00f bug, for example)
Types of Access Control
• Discretionary Access Control (DAC)
– individual user sets access control mechanism to allow or deny access to an object
• Mandatory Access Control (MAC)
– system mechanism controls access to object, and individual cannot alter that access
• Originator Controlled Access Control (ORCON)
– originator (creator) of information controls who can access information
Access Control
• Internet Security Glossary , defines access control as a process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy.
Subjects, Objects, and Access Rights
Subject
An entity capable of accessing
objects
Three classes
• Owner
• Group
• World
Object
A resource to which access is
controlled
Entity used to contain and/or
receive information
Access
right
Describes the way in which a subject
may access an object
Could include:
• Read
• Write
• Execute
• Delete
• Create
• Search
Discretionary Access Control (DAC)
• Scheme in which an entity may enable another entity to access some resource
• Often provided using an access matrix – One dimension consists of identified subjects that may attempt
data access to the resources
– The other dimension lists the objects that may be accessed
• Each entry in the matrix indicates the access rights of a particular subject for a particular object
Each entry in the matrix indicates the access
rights of a particular subject for a particular
object.
user A owns files 1 and 3 and has read and
write access rights to those files. User B has
read access rights to file 1, and so on.
For each object, an ACL lists users and their permitted access rights. The ACL may contain a default, or public, entry. This allows users that are not explicitly listed as having special rights to have a default set of rights. The default set of rights should always follow the rule of least privilege or read-only access, whichever is applicable
Decomposition by rows yields
capability tickets
matrix may be decomposed by columns
Example Access Control Matrix • Consider a computer system with four users: Ali, Ibrahim,
Hala, and Ahmed. Ali owns the file Ali_recfile, Ibrahim and Hala can read it. Hala can read and write Ibrahim’s file Ibrahim_recfile, but Ali can read and write on it while Ahmed can read, execute and write on it only. Only Hala can read and write her file Hala_recfile; Ali can write to Ahmed’s file Ahmed_recfile. Assume the owner of each of these files can execute it
Ahmed_recfile Hala_recfile Ibrahim_recfile Ali_recfile
W R R, W, O, X Ali
R, W, O, X R Ibrahim
R, W, O, X R, W R Hala
R, W, O, X R, X, W Ahmed
Access control matrix (cont) • Hala gives Ali permission to read Hala_recfile. Write
the primitive operation that adds right to the subject Ali
– Enter R into A[Ali, Hala_recfile]
• Ahmed removes Ali’s ability to write Ahmed_recfile. Write the primitive operation that delete right from subject Ali.
– Delete W from A[Ali, Ahmed_recfile]
Ahmed_recfile Hala_recfile Ibrahim_recfile Ali_recfile
W (removed) R inserted R R, W, O, X Ali
R, W, O, X R Ibrahim
R, W, O, X R, W R Hala
R, W, O, X R, X, W Ahmed
Mandatory Access Control (MAC)
22
Unclassified
Confidential
Secret
Top Secret
can-flow dominance
Labeling Mechanism is used
Military Security
Require a strict classification of
subjects and objects in security levels
Drawback of being too rigid
Applicable only to very few
environments
Prevent any illegal flow of
information through the
enforcement of multilevel security
Adopted from : Role-Based Access Control by Prof.Ravi Sandhu
Compartments and Sensitivity Levels
Unclassified
Restricted
Confidential
Secret
Top Secret Compartment 1
Compartment 3
Compartment 2
• Information access is limited by the need-to-know
• Compartment: Each piece of classified information may be associated with one or more projects called compartments
Example • Consider the table
Employee below
• (a) Employee – the original tuples
• What result set will be obtained if
• Select * from employee
• is invoked by a user of S (Secret) level? Show resulting table and explain the result
Name Salary JobPerformance TC
Smith U 40000 C Fair TS TS
Brown C 80000 S Good C S
Name Salary JobPerformance TC
Smith U 40000 C Null S S
Brown C 80000 S Good C S
As far as the user’s level is S, according to no read-up rule, he can’t see higher level information, replaced by Null in the display
Question
• Policy disallows cheating
– Includes copying homework, with or without permission
• CS class has students do homework on computer
• Anne forgets to read-protect her homework file
• Bill copies it
• Who cheated?
– Anne, Bill, or both?
Answer Part 1
• Bill cheated – Policy forbids copying homework assignment
– Bill did it
– System entered unauthorized state (Bill having a copy of Anne’s assignment)
• If not explicit in computer security policy, certainly implicit – Not credible that a unit of the university allows something
that the university as a whole forbids, unless the unit explicitly says so
Answer Part 2
• Anne didn’t protect her homework
– Not required by security policy
• She didn’t breach security
• If policy said students had to read-protect homework files, then Anne did breach security
– She didn’t do this
Mechanisms
• Entity or procedure that enforces some part of the security policy
– Access controls (like bits to prevent someone from reading a homework file)
– Disallowing people from bringing CDs and floppy disks into a computer facility to control what is placed on systems
Example English Policy
• Computer security policy for academic institution
– Institution has multiple campuses, administered from central office
– Each campus has its own administration, and unique aspects and needs
• Authorized Use Policy
• Electronic Mail Policy
Authorized Use Policy
• Intended for one campus (Davis) only
• Goals of campus computing – Underlying intent
• Procedural enforcement mechanisms – Warnings
– Denial of computer access
– Disciplinary action up to and including expulsion
• Written informally, aimed at user community
Electronic Mail Policy
• Systemwide, not just one campus
• Three parts
– Summary
– Full policy
– Interpretation at the campus
Summary
• Warns that electronic mail not private
– Can be read during normal system administration
– Can be forged, altered, and forwarded
• Unusual because the policy alerts users to the threats
– Usually, policies say how to prevent problems, but do not define the threats
Summary
• What users should and should not do – Think before you send
– Be courteous, respectful of others
– Don’t nterfere with others’ use of email
• Personal use okay, provided overhead minimal
• Who it applies to – Problem is UC is quasi-governmental, so is bound by rules that private
companies may not be
– Educational mission also affects application
Full Policy
• Context – Does not apply to Dept. of Energy labs run by the university
– Does not apply to printed copies of email • Other policies apply here
• E-mail, infrastructure are university property – Principles of academic freedom, freedom of speech apply
– Access without user’s permission requires approval of vice chancellor of campus or vice president of UC
– If infeasible, must get permission retroactively
Uses of E-mail
• Anonymity allowed – Exception: if it violates laws or other policies
• Can’t interfere with others’ use of e-mail – No spam, letter bombs, e-mailed worms, etc.
• Personal e-mail allowed within limits – Cannot interfere with university business
– Such e-mail may be a “university record” subject to disclosure
Security of E-mail
• University can read e-mail
– Won’t go out of its way to do so
– Allowed for legitimate business purposes
– Allowed to keep e-mail robust, reliable
• Archiving and retention allowed
– May be able to recover e-mail from end system (backed up, for example)
Implementation
• Adds campus-specific requirements and procedures – Example: “incidental personal use” not allowed if it
benefits a non-university organization
– Allows implementation to take into account differences between campuses, such as self-governance by Academic Senate
• Procedures for inspecting, monitoring, disclosing e-mail contents
• Backups
Key Points
• Policies describe what is allowed
• Mechanisms control how policies are enforced
• Trust underlies everything