Computer Security Integrity Policies 7/31/2019
Integrity Policies Commercial requirement Users should not write their own programs Programmers will develop and test programs on a non production system. A special process must be followed to install a program from the development system onto the production system. This must be controlled and audited. Managers and auditors must have access to both the system state and log state. 7/31/2019
Integrity Policies Goals Separation of duties Separation of function: developers and testers. Auditing: recovery and accountability 7/31/2019
Biba Integrity model Basically a dual of the Bell-LaPadula model. We have a subject set S, an object set O, a set of integrity levels I, and a relation on I. Let i : SO I return the integrity level, Relations r : ability to read an object w : ability to write an object x : ability to execute a subject 7/31/2019
Information transfer path A Information transfer path is a sequence of objects o1, … , on+1 and a corresponding sequence of subject s1, … , sn such that sj r oj and sj w oj+1 for all i 7/31/2019
Low-Water-Mark Policy s S can write to o O iff i (o) i (s) . If s S reads o O then i ’ (s)= min(i (s) ,i (o)), where i ’ (s) is the integrity level of s after the read. s1 S can execute s2 S iff i (s2) i (s1) . So write up is prevented (prevents implant of corrupted data) Integrity level drops on read access to lower level objects (prevents contaminating the subject: relying on less trustworthy data) execute up is prevented. 7/31/2019
Low-Water-Mark Policy Theorem: If there is an information path from o1 O to on+1 O , then enforcement of the low-water-mark policy requires that i (on+1) i (o1) for all i>n. Proof The integrity level cannot go up. Proof by induction. 7/31/2019
Low-Water-Mark Policy Problem The integrity level of a subject is non-increasing, resulting in some subjects being eventually unable to access certain objects. 7/31/2019
Ring Policy This ignores indirect modifications and focuses on direct modifications. s S can write to o O iff i (o) i (s) . s S can read any o O. s1S can execute s2 S iff i (s2) i (s1) . Difference: Subjects can read any object. 7/31/2019
Biba’s strict integrity Policy s S can write to o O iff i (o) i (s) . s S can read o O iff i (s) i (o) . s1 S can execute s2 S iff i (s2) i (s 1) . So write up is prevented read down is prevented (prevents relying on less trustworthy data) execute up is prevented. 7/31/2019
Lipner’s Integrity Matrix Model Basic Security levels Audit Manager (AM): system and management functions System Low (SL): any process can read info at this level. Categories Development (D) Production Code (PC) Production Data (PD) System Development (SD) Software Tools 7/31/2019
Lipner’s Integrity Matrix Model Users Clearance levels Ordinary users (SL, {PC,PD}) Application Developers (SL, {D,T}) System Programmers (SL, {SD,T}) System Managers & Auditors (AM, {D,PC,PD,ST,T}) System Controllers (SL, {D,PC,PD,ST,T}) and downgrade privileges. 7/31/2019
Reminder:The Bell-LaPadula model ss-property: (s,o,p) SOP satisfies the ss-property relative to the security level f iff one of the following holds: p = e or p = a p = r or p = w and fc(s) dom fo(o). Also DAC! 7/31/2019
Reminder: The Bell-LaPadula model Define b(s: p1,…,pn) to be the set of objects that s has access to. *-property: For each sS the following hold: b(s:a) ≠ [o b(s:a) [fc(o) dom fc(s)] ] (write-up) b(s:w) ≠ [o b(s:w) [fc(o) = fc(s)] ] (equality for read) b(s:r) ≠ [o b(s:r) [fc(s) dom fo(o)] ] (read-down) Also DAC! 7/31/2019
Lipner’s Integrity Matrix Model Lipner’s model combines Biba and Bell-LaPadula. Bell-LaPadula model: Simple security condition * property For example: an ordinary user can execute production code; if he needs to alter production data, the *-property dictates that the data be in (System Low, {Production Code, Production Data}). 7/31/2019
Lipner’s Integrity Matrix Model Objects Class Development code/test data (SL, {D,T}) Production code (SL, {PC}) Production data (SL, {PC,PD}) Software tools (SL, {T}) System programs (SL, {}) System programs in modification (SL, {SD,T}) System and application logs (AM, {appropriate categories}) Logs are append only. By the *-property their class must dominate those of the subjects that write to them 7/31/2019
The Clark-Wilson (CW) Model This model addresses data integrity requirements for commercial applications, e.g. bank transactions. Integrity requirements are divided into, internal consistency: properties of the internal state that can be enforced by the computer system. external consistency: the relation of the internal state to the real world: enforced by means outside the system, e.g. auditing. 7/31/2019
The CW Model Integrity is enforced by, well formed transactions: data items can be manipulated only by a specific set of programs; users have access to programs rather than data items. separation of duties: users have to collaborate to manipulate data and collude to penetrate the system. 7/31/2019
The CW Model In the Clark-Wilson model, Subjects must be identified and authenticated, Objects can be manipulated only by a restricted set of programs, Subjects can execute only a restricted set of programs, A proper audit log has to be maintained, The system must be certified to work properly. 7/31/2019
The CW Model In the Clark-Wilson model, Subjects must be identified and authenticated, Objects can be manipulated only by a restricted set of programs, Subjects can execute only a restricted set of programs, A proper audit log has to be maintained, The system must be certified to work properly. 7/31/2019
The CW Model In the Clark-Wilson model, Data items are called Constrained Data Items (CDIs), Input items are Unconstrained Data Items (UDIs), Conversion of UDIs to CDIs cannot be controlled solely by the security mechanisms of the system, CDIs can only be manipulated by Transformation Procedures (TPs) The integrity of a state is checked by Integrity Verification Procedure (IVPs) 7/31/2019
The CW Model Security procedures are defined by 5 Certification rules: IVPs must ensure that all CDIs are in a valid state when the IVP is run. TPs must be must transform “their” valid CDIs into valid CDIs. The “allowed” access relations must meet the requirements imposed by the principle of separation of duty. 4. All TPs must write to an append-only CDI log. 5. Any TP that takes a UDI as input must either convert it into a CDI or reject it. 7/31/2019
The CW Model Integrity is enforced by the 4 Enforcement rules: The system must maintain and protect the certified relations: (TPi:CDIa,CDIb, … ) and ensure that only TPs certified to run on a CDI manipulate that CDI. The system must maintain and protect the list of entries: (User,TPi:CDIa,CDIb, … ) specifying the TPs that users can execute. The system must authenticate each user requesting to execute a TP. Only the certifier of a TP may modify the respective entities associated with that TP. No certifier of a TP may have execute permission with respect to that entity. 7/31/2019