ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang

2 More details about two types of policies –In previous chapter, we say that there are two types of policies: confidentiality and integrity policies. Here we will provide more details for each type –Confidentiality policies: emphasize the protection of confidentiality. Also called information flow policy Prevent unauthorized disclosure of information Example: Bell-LaPadula model

3 Bell-LaPadula model: –One sentence description: no read up and no write down –Informal description The simplest type of confidentiality classification is a set of security clearances arranged in ordering A subject has a “security clearance” An object has a “security classification” Goal: prevent a subject with low clearance from reading objects at high classification

4 The Bell-LaPadula model combine mandatory and discretionary AC –Simple security condition (in plain English): S can read O if and only if the classification of O is NOT higher than clearance of S, and S has discretionary read access to O. –Why do we need another rule? –Star-property (*-property in plain English): S can write O if and only if the classification of O is NOT lower than clearance of S, and S has discretionary write access to O.

5 Look at the example we provide: –Claire cannot read personnel file –Tamara can read anything if she has the discretionary read right –Tamara cannot write an activity log file Basic security theorem (in plain English): A system has a secure initial state σ 0, and a set of state transformations. If every transformation preserves the simple security condition and the star property, then every state σ i is secure.

6 Security clearance and classification provide one dimensional control for access, how can we control access to information at the same level? –Discretionary (it works, too much overhead) –Introduce a second dimension: category Each category describes a kind of information. Both subjects and objects can be in multiple categories.

7 Now every subject and object needs to be described by a two dimensional entry –Captain John Wayne: (Confidential, {army}) –Pres. Obama: (TS, {army, navy, air force}) –Lunch menu for Easy Company: (c, {army}) –Plan to attack xxxx: (TS, {army, navy, air}) –If S has the categories {army, navy}, she can read objects with {}, {army}, {navy}, and {army, navy} if the clearance and discretionary rights allow him/her to do so.

8 Now we have to redefine the confidentiality policies Definition: a security level (l, c) dominates the security level (l’, c’) if and only if l’ ≤ l and c’ is a subset of c. Example: –George (s, {army, navy}), doc A (c, {army}), doc B (s, {army, air}), doc C (s, {navy}) –George dominates doc A and C, but not doc B

9 Now we can rewrite the simple security condition and *-property –Simple security condition: s can read o if and only if s dominates o and s has the discretionary read access to o. –*-property: s can write to o if and only if o dominates s and s has the discretionary write access to o. –Now we see what we mean by “no read up” and “no write down”

10 We can redefine basic security theorem as well –A system has a secure initial state σ 0, and a set of state transformations. If every transformation preserves the simple security condition and the star property, then every state σ i is secure.

11 Now our system is safe from the view of confidentiality, but does it works –How can a General send a file to a captain? The model introduces a mechanism to solve the problem –A subject has a maximum security level (msl) and current security level (csl) msl must dominate csl A subject can decrease to the level of csl for communication reasons

12 Example: General Alice (s, {army, navy}), captain Bob (c, {army}). Alice changes her security level to (c, {army}) and talks to Bob.

13 An example: Data General’s B2 Unix system –Enforce mandatory access control (MAC) –Use an updated version of Bell-LaPadula Read down is permitted Write has to be at the same level To allow communication, B2 Unix provides processes and objects a range of labels, where the upper bound must dominate the lower bound

14 Example: we have s and ts security classification; army, navy, and air force categories –(s, {army}), (ts, {army}) is a range –(s, {}), (ts, {army, air, navy}) is a range –(s, {army}), (ts, {navy, air}) is not a range

15 A process –Can read an object if its MAC label grants read access to the upper bound of the range –Has write access if its MAC label grants write access to any label in the range Example: an object (s, {army}), (ts, {army, navy}) –A process with (s, {army}): can write but not read –A process with (ts, {army, navy, air}): can read but not write –A process with (ts, {army, navy}): both read and write