Information Security: Confidentiality Policies (Chapter 4)
Dr. Shahriar Bijani, Shahed University

Slides References
- Matt Bishop, Computer Security: Art and Science, and the author's homepage
- Chris Clifton, CS 526: Information Security course, Purdue University

Chapter 5: Confidentiality Policies
Overview
- What is a confidentiality model
- Bell-LaPadula Model
  - General idea
  - Informal description of rules
  - Formal description of rules
  - Tranquility
- Controversy
  - †-property
  - System Z

Overview
- Bell-LaPadula
  - Informally
  - Formally
  - Example instantiation
- Tranquility
- Controversy
  - System Z

Confidentiality Policy
- Goal: prevent the unauthorized disclosure of information
  - Deals with information flow
  - Multi-level security models are the best-known examples
- The Bell-LaPadula Model is the basis for many, or most, of these

Background
Clearance levels
- Top Secret: in-depth background check; highly trusted individual
- Secret: routine background check; trusted individual
- For Official Use Only/Sensitive: no background check, but limited distribution; minimally trusted individuals; may be exempt from disclosure
- Unclassified: unlimited distribution; untrusted individuals

Bell-LaPadula Model (Step 1)
- Security levels arranged in a linear ordering
  - Top Secret: highest
  - Secret
  - Confidential
  - Unclassified: lowest
- Levels consist of:
  - Subject has security clearance L(s) = l_s
  - Object has security classification L(o) = l_o
  - Clearances/classifications are ordered: l_i < l_{i+1}
- Mandatory access control

Example
  security level       subject    object
  l4: Top Secret       Bill       Personnel Files
  l3: Secret           Samuel     Files
  l2: Confidential     Claire     Activity Logs
  l1: Unclassified     John       Telephone Lists
- Bill can read all files
- Claire cannot read Personnel Files or (Samuel's) Files
- John can only read Telephone Lists

Reading Information
- Information flows up, not down
  - "Reads up" disallowed, "reads down" allowed
- Simple Security Condition (Step 1)
  - Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o
  - Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  - Sometimes called the "no reads up" rule

Writing Information
- Information flows up, not down
  - "Writes up" allowed, "writes down" disallowed
- *-Property (Step 1)
  - Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o
  - Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  - Sometimes called the "no writes down" rule

Basic Security Theorem, Step 1
- If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 1) and the *-property (step 1), then every state of the system is secure
- Proof: induct on the number of transitions

Basics: Partially Ordered Set
A set S with relation ≤ (written (S, ≤)) is called a partially ordered set if ≤ is
- Anti-symmetric: if a ≤ b and b ≤ a then a = b
- Reflexive: for all a in S, a ≤ a
- Transitive: for all a, b, c in S, a ≤ b and b ≤ c implies a ≤ c

Background: Poset Examples
- Natural numbers with less than (total order)
- Sets under the subset relation (not a total order)
- Natural numbers ordered by divisibility

Background: Lattice
- Partially ordered set (S, ≤) and two operations:
  - greatest lower bound (glb X): greatest element less than all elements of set X
  - least upper bound (lub X): least element greater than all elements of set X
- Every lattice has
  - a bottom (glb L), a least element
  - a top (lub L), a greatest element

Background: Lattice Examples
- Natural numbers in an interval (0..n) with less than
  - Also the linear order of clearances (U ≤ FOUO ≤ S ≤ TS)
- The powerset of a set of generators under inclusion
  - E.g. the powerset of the security categories {NUC, Crypto, ASI, EUR}
- The divisors of a natural number under divisibility

Bell-LaPadula Model (Step 2)
- A total order of classifications is not flexible enough
- Solution: categories
  - S can access O if C(O) ⊆ C(S)
  - Combining with clearance: (L, C) dominates (L', C') iff L' ≤ L and C' ⊆ C
  - Induces a lattice instead of linear levels
- Expand the notion of security level to include categories
  - A security level is (clearance, category set)

Bell-LaPadula Model (BLP)
Lattice Example 1 (figure): the levels (Top Secret, {NUC, EUR, ASI}), (Secret, {NUC, ASI}) and (Confidential, {EUR, ASI})
Lattice Example 2 (figure): the powerset of {NUC, EUR, US} under inclusion: {NUC, EUR, US}; {NUC, EUR}, {NUC, US}, {EUR, US}; {NUC}, {EUR}, {US}

Levels and Lattices
- dom (dominates) relation
  - (L, C) dom (L', C') iff L' ≤ L and C' ⊆ C
- Examples
  - (Top Secret, {NUC, ASI}) dom (Secret, {NUC})
  - (Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
  - (Top Secret, {NUC}) ¬dom (Confidential, {EUR})
- Let C be the set of clearances and K the set of categories. The set of security levels L = C × K with dom forms a lattice
  - lub(L) = (max(L), K)
  - glb(L) = (min(L), ∅)

Levels and Ordering
- Security levels are partially ordered
  - Any pair of security levels may (or may not) be related by dom
- "dominates" serves the role of "greater than" in step 1
  - But "greater than" is a total ordering,

Reading Information
- Information flows up, not down
  - "Reads up" disallowed, "reads down" allowed
- Simple Security Condition (Step 2)
  - Subject s can read object o iff L(s) dom L(o) and s has permission to read o
  - Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  - Sometimes called the "no reads up" rule

Writing Information
- Information flows up, not down
  - "Writes up" allowed, "writes down" disallowed
- *-Property (Step 2)
  - Subject s can write object o iff L(o) dom L(s) and s has permission to write o
  - Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  - Sometimes called the "no writes down" rule

Basic Security Theorem (Step 2)
- If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 2) and the *-property (step 2), then every state of the system is secure
- Proof: induct on the number of transitions

Example
- George is cleared into security level (SECRET, {NUC, EUR}), DocA is classified as (CONFIDENTIAL, {NUC}), DocB is classified as (SECRET, {EUR, US}), and DocC is classified as (SECRET, {EUR}). Then:
  - George dom DocA, as CONFIDENTIAL ≤ SECRET and {NUC} ⊆ {NUC, EUR}
  - George ¬dom DocB, as {EUR, US} ⊄ {NUC, EUR}
  - George dom DocC, as SECRET ≤ SECRET and {EUR} ⊆ {NUC, EUR}
- George can read DocA and DocC but not DocB (assuming the discretionary access controls allow such access).
- Suppose Paul is cleared as (SECRET, {EUR, US, NUC}) and has discretionary read access to DocB. Paul can read DocB; were he to copy its contents to DocA and set its access permissions accordingly, George could then read DocB!?
- The *-property (step 2) prevents this
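The step 2 model on the slides above (levels as (clearance, category set), dom, the two access rules with the discretionary check, and lub/glb from the lattice background slides), replayed on the George/Paul example as an added Python example; it is not code from the slides or from Bishop's book. The clearance names, subjects and documents are the slides' own; the lub/glb functions go beyond the slide by computing bounds of any set of levels, not only the lattice's top and bottom, and the `dac_allows` flag stands in for the discretionary permission.

```python
# Added example: Bell-LaPadula (step 2) levels as (clearance, category set), the dom
# relation, lattice lub/glb, and the two access rules combined with a DAC check.
CLEARANCES = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]  # linear order

def rank(clearance):
    """Position of a clearance in the linear ordering (higher = more sensitive)."""
    return CLEARANCES.index(clearance)

def dom(a, b):
    """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
    (l, c), (l2, c2) = a, b
    return rank(l2) <= rank(l) and set(c2) <= set(c)

def lub(levels):
    """Least upper bound: highest clearance, union of all category sets."""
    clearance = max((l for l, _ in levels), key=rank)
    return (clearance, frozenset().union(*(c for _, c in levels)))

def glb(levels):
    """Greatest lower bound: lowest clearance, intersection of all category sets."""
    clearance = min((l for l, _ in levels), key=rank)
    cats = [frozenset(c) for _, c in levels]
    return (clearance, cats[0].intersection(*cats[1:]))

def can_read(subject_level, object_level, dac_allows):
    """Simple security condition (step 2): L(s) dom L(o) and DAC permits the read."""
    return dom(subject_level, object_level) and dac_allows

def can_write(subject_level, object_level, dac_allows):
    """*-property (step 2): L(o) dom L(s) and DAC permits the write."""
    return dom(object_level, subject_level) and dac_allows

# Levels taken from the slide's example.
GEORGE = ("SECRET", {"NUC", "EUR"})
PAUL = ("SECRET", {"EUR", "US", "NUC"})
DOCS = {"DocA": ("CONFIDENTIAL", {"NUC"}),
        "DocB": ("SECRET", {"EUR", "US"}),
        "DocC": ("SECRET", {"EUR"})}

def george_reads():
    """Which documents George may read, assuming DAC grants him read on all of them."""
    return {name: can_read(GEORGE, level, True) for name, level in DOCS.items()}

def paul_copy_docb_to_doca():
    """Paul may read DocB (given DAC), but the *-property forbids writing its contents
    into the lower-level DocA, so George cannot obtain DocB that way."""
    return {"read_DocB": can_read(PAUL, DOCS["DocB"], True),
            "write_DocA": can_write(PAUL, DOCS["DocA"], True)}

if __name__ == "__main__":
    print(george_reads())            # {'DocA': True, 'DocB': False, 'DocC': True}
    print(paul_copy_docb_to_doca())  # {'read_DocB': True, 'write_DocA': False}
```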

Problem
- Colonel has (Secret, {NUC, EUR}) clearance
- Major has (Secret, {EUR}) clearance
- Major can talk to Colonel ("write up" or "read down")
- Colonel cannot talk to Major ("read up" or "write down")
- Not desired!

Solution
- Define maximum and current levels for subjects
  - maxlevel(s) dom curlevel(s)
- Example
  - Treat Major as an object (Colonel is writing to him)
  - Colonel has maxlevel (Secret, {NUC, EUR})
  - Colonel sets curlevel to (Secret, {EUR})
  - Now L(Major) dom curlevel(Colonel)
  - Colonel can write to Major without violating "no writes down"
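The maxlevel/curlevel mechanism of the Problem and Solution slides, as an added Python example (not code from the slides or from Bishop's book). It assumes the slides' dom relation; the `Subject` class, the `set_curlevel` check that maxlevel(s) must dom the new curlevel(s), and the choice to check reads against curlevel as well (which follows Bishop's formal *-property rather than this slide) are assumptions of this example.

```python
# Added example: a subject carries a maximum level and a current level; the
# Bell-LaPadula rules are evaluated against the current level.
CLEARANCES = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

def dom(a, b):
    """(L, C) dom (L', C') iff L' <= L and C' is a subset of C (as on the slides)."""
    (l, c), (l2, c2) = a, b
    return CLEARANCES.index(l2) <= CLEARANCES.index(l) and set(c2) <= set(c)

class Subject:
    def __init__(self, name, maxlevel):
        self.name = name
        self.maxlevel = maxlevel
        self.curlevel = maxlevel  # a subject starts out at its maximum level

    def set_curlevel(self, level):
        """Lower (or restore) the current level; maxlevel(s) must dom the new curlevel(s)."""
        if not dom(self.maxlevel, level):
            raise ValueError(f"{self.name} may not set curlevel above maxlevel")
        self.curlevel = level

def can_write(subject, object_level):
    """*-property with current levels: L(o) dom curlevel(s)."""
    return dom(object_level, subject.curlevel)

def can_read(subject, object_level):
    """Reads checked against the current level (assumption): curlevel(s) dom L(o)."""
    return dom(subject.curlevel, object_level)

def colonel_major_scenario():
    """Replays the slide: the Major is treated as an object at (Secret, {EUR})."""
    colonel = Subject("Colonel", ("SECRET", {"NUC", "EUR"}))
    major = ("SECRET", {"EUR"})
    nuc_report = ("SECRET", {"NUC"})  # constructed object in the NUC category
    result = {"write_before": can_write(colonel, major)}       # False: a write down
    colonel.set_curlevel(("SECRET", {"EUR"}))                  # drop the NUC category
    result["write_after"] = can_write(colonel, major)          # True: L(Major) dom curlevel
    result["read_nuc_lowered"] = can_read(colonel, nuc_report) # False: NUC data out of reach
    colonel.set_curlevel(colonel.maxlevel)                     # allowed: maxlevel dom maxlevel
    result["read_nuc_restored"] = can_read(colonel, nuc_report)  # True
    return result

def raising_above_max_rejected():
    """Setting curlevel to a level that maxlevel does not dominate is refused."""
    major = Subject("Major", ("SECRET", {"EUR"}))
    try:
        major.set_curlevel(("SECRET", {"NUC", "EUR"}))
    except ValueError:
        return True
    return False
```

While the Colonel's current level is lowered to (Secret, {EUR}), nothing in the NUC category can be read, so the write to the Major cannot carry NUC information down.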

Systems Built on Bell-LaPadula (BLP)
- BLP was a simple model
- Intent was that it could be enforced by simple mechanisms
  - File system access control was the obvious choice
- Multics (1965) implemented BLP
- Unix inherited its discretionary AC from Multics