1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

Slides:



Advertisements
Similar presentations
Information Flow and Covert Channels November, 2006.
Advertisements

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
Lecture 8 Access Control (cont)
I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University.
CS591 – Chapter 5.2/5.4 of Security in Computing
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
Access Control Intro, DAC and MAC System Security.
1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.
June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
April 20, 2004ECS 235Slide #1 DG/UX System Provides mandatory access controls –MAC label identifies security level –Default labels, but can define others.
Security Fall 2006McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
Sicurezza Informatica Prof. Stefano Bistarelli
User Domain Policies.
7/15/2015 5:04 PM Lecture 4: Bell LaPadula James Hook CS 591: Introduction to Computer Security.
Mandatory Flow Control Bismita Srichandan. Outline Mandatory Flow Control Models Information Flow Control Lattice Model Multilevel Models –The Bell-LaPadula.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Assistant Professor, SIS Lecture 5 September 27, 2007 Security Policies Confidentiality Policies.
MANDATORY FLOW CONTROL Xiao Chen Fall2009 CSc 8320.
CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.
1 Confidentiality Policies September 21, 2006 Lecture 4 IS 2150 / TEL 2810 Introduction to Security.
1 IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 6 Oct 2-9, 2013 Security Policies Confidentiality Policies.
© G. Dhillon, IS Department Virginia Commonwealth University Principles of IS Security Formal Models.
Polyinstantiation Problem
1 Polyinstantiation. 2 Definition and need for polyinstantiation Sea View model Jajodia – Sandhu model.
Session 2 - Security Models and Architecture. 2 Overview Basic concepts The Models –Bell-LaPadula (BLP) –Biba –Clark-Wilson –Chinese Wall Systems Evaluation.
Security+ All-In-One Edition Chapter 19 – Privilege Management Brian E. Brzezicki.
Next-generation databases Active databases: when a particular event occurs and given conditions are satisfied then some actions are executed. An active.
Chapter 5 Network Security
Chapter 6: Integrity Policies  Overview  Requirements  Biba’s models  Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
Slide #5-1 Confidentiality Policies CS461/ECE422 Computer Security I Fall 2010 Based on slides provided by Matt Bishop for use with Computer Security:
CMSC 414 Computer (and Network) Security Lecture 11 Jonathan Katz.
Trusted OS Design and Evaluation CS432 - Security in Computing Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 5 September 29, 2009 Security Policies Confidentiality Policies.
1/15/20161 Computer Security Confidentiality Policies.
Access Control: Policies and Mechanisms Vinod Ganapathy.
Computer Security: Principles and Practice
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula.
CS426Fall 2010/Lecture 211 Computer Security CS 426 Lecture 21 The Bell LaPadula Model.
Security Models Xinming Ou. Security Policy vs. Security Goals In a mandatory access control system, the system defines security policy to achieve security.
IS 2150/TEL 2810: Introduction of Computer Security1 September 27, 2003 Introduction to Computer Security Lecture 4 Security Policies, Confidentiality.
Database Security. Introduction to Database Security Issues (1) Threats to databases Loss of integrity Loss of availability Loss of confidentiality To.
Database Security Database System Implementation CSE 507 Some slides adapted from Navathe et. Al.
Access Controls Mandatory Access Control by Sean Dalton December 5 th 2008.
22 feb What is Access Control? Access control is the heart of security Definitions: * The ability to allow only authorized users, programs or.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
9- 1 Last time ● User Authentication ● Beyond passwords ● Biometrics ● Security Policies and Models ● Trusted Operating Systems and Software ● Military.
Database System Implementation CSE 507
Access Control Model SAM-5.
Access Control CSE 465 – Information Assurance Fall 2017 Adam Doupé
Chapter 5: Confidentiality Policies
Basic Security Theorem
Computer Security Confidentiality Policies
IS 2150 / TEL 2810 Introduction to Security
Information Security CS 526 Topic 17
Advanced System Security
Chapter 5: Confidentiality Policies
Confidentiality Models
DG/UX System Provides mandatory access controls Initially
Chapter 5: Confidentiality Policies
Lecture 17: Mandatory Access Control
Chapter 5: Confidentiality Policies
Computer Security Confidentiality Policies
IS 2150 / TEL 2810 Information Security & Privacy
Chapter 5: Confidentiality Policies
Advanced System Security
Presentation transcript:

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop

2 cs691 chow Goals of Confidentiality Policies Confidentiality Policies emphasize the protection of confidentiality. Confidentiality policy also called information flow policy, prevents unauthorized disclosure of information. Example: Privacy Act requires that certain personal data be kept confidential. E.g., income tax return info only available to IRS and legal authority with court order. It limits the distribution of documents/info. Confidentiality Policies emphasize the protection of confidentiality. Confidentiality policy also called information flow policy, prevents unauthorized disclosure of information. Example: Privacy Act requires that certain personal data be kept confidential. E.g., income tax return info only available to IRS and legal authority with court order. It limits the distribution of documents/info.

3 cs691 chow Bell-LaPadula Model also called the multi-level model, was proposed by Bell and LaPadula of MITRE for enforcing access control in government and military applications. It corresponds to military-style classifications. In such applications, subjects and objects are often partitioned into different security levels. A subject can only access objects at certain levels determined by his security level. For instance, the following are two typical access specifications: ``Unclassified personnel cannot read data at confidential levels'' and ``Top-Secret data cannot be written into the files at unclassified levels'' also called the multi-level model, was proposed by Bell and LaPadula of MITRE for enforcing access control in government and military applications. It corresponds to military-style classifications. In such applications, subjects and objects are often partitioned into different security levels. A subject can only access objects at certain levels determined by his security level. For instance, the following are two typical access specifications: ``Unclassified personnel cannot read data at confidential levels'' and ``Top-Secret data cannot be written into the files at unclassified levels''

4 cs691 chow Informal Description Simplest type of confidentiality classification is a set of security clearances arranged in a linear (total) ordering. Clearances represent the security levels. The higher the clearance, the more sensitive the info. Basic confidential classification system: individualsdocuments Top Secret (TS)Tamara, ThomasPersonnel Files Secret (S)Sally, SamuelElectronic Mails Confidential (C)Claire, ClarenceActivity Log Files Unclassified (UC)Ulaley, UrsulaTelephone Lists Simplest type of confidentiality classification is a set of security clearances arranged in a linear (total) ordering. Clearances represent the security levels. The higher the clearance, the more sensitive the info. Basic confidential classification system: individualsdocuments Top Secret (TS)Tamara, ThomasPersonnel Files Secret (S)Sally, SamuelElectronic Mails Confidential (C)Claire, ClarenceActivity Log Files Unclassified (UC)Ulaley, UrsulaTelephone Lists

5 cs691 chow Mandatory and Discretionary Access Control Bell-LaPadula model combines Mandatory and Discretionary Access Controls. “S has discretionary read (write) access to O” means that the access control matrix entry for S and O corresponding to the discretionary access control component contains a read (write) right. AB C D O Q Sread(D) T If the mandatory controls not present, S would be able to read (write) O. Bell-LaPadula model combines Mandatory and Discretionary Access Controls. “S has discretionary read (write) access to O” means that the access control matrix entry for S and O corresponding to the discretionary access control component contains a read (write) right. AB C D O Q Sread(D) T If the mandatory controls not present, S would be able to read (write) O.

6 cs691 chow Star Property (Preliminary Version) Let L(S)=ls be the security clearance of subject S. Let L(O)=lo be the security classification of object ). For all security classification li, i=0,…, k-1, li<li+1 Simple Security Condition: S can read O if and only if lo<=ls and S has discretionary read access to O. *-Property (Star property): S can write O if and only if ls<=lo and S has discretionary write access to O. TS guy can not write documents lower than TS.  Prevent classified information leak. But how can different groups communicate? Let L(S)=ls be the security clearance of subject S. Let L(O)=lo be the security classification of object ). For all security classification li, i=0,…, k-1, li<li+1 Simple Security Condition: S can read O if and only if lo<=ls and S has discretionary read access to O. *-Property (Star property): S can write O if and only if ls<=lo and S has discretionary write access to O. TS guy can not write documents lower than TS.  Prevent classified information leak. But how can different groups communicate?

7 cs691 chow Basic Security Theorem Let  be a system with secure initial state  0 Let T be the set of state transformations. If every element of T preserves the simple security condition, preliminary version, and the *-property, preliminary version, Then every state  i, i≥0, is secure. Let  be a system with secure initial state  0 Let T be the set of state transformations. If every element of T preserves the simple security condition, preliminary version, and the *-property, preliminary version, Then every state  i, i≥0, is secure.

8 cs691 chow Categories and Need to Know Principle Expand the model by adding a set of categories. Each category describe a kind of information. These category arise from the “need to know” principle  no subject should be able to read objects unless reading them is necessary for that subject to perform its function. Example: three categories: NUC, EUR, US. Each security level and category form a security level or compartment. Subjects have clearance at (are cleared into, or are in) a security level. Objects are at the level of (or are in) a security level. Expand the model by adding a set of categories. Each category describe a kind of information. These category arise from the “need to know” principle  no subject should be able to read objects unless reading them is necessary for that subject to perform its function. Example: three categories: NUC, EUR, US. Each security level and category form a security level or compartment. Subjects have clearance at (are cleared into, or are in) a security level. Objects are at the level of (or are in) a security level.

9 cs691 chow Security Lattice William may be cleared into level (SECRET, {EUR}) George into level (TS, {NUC, US}). A document may be classified as (C, {EUR}) Someone with clearance at (TS, {NUC, US}) will be denied access to document with category EUR. William may be cleared into level (SECRET, {EUR}) George into level (TS, {NUC, US}). A document may be classified as (C, {EUR}) Someone with clearance at (TS, {NUC, US}) will be denied access to document with category EUR. {NUC, EUR, US} {NUC, EUR}{NUC, US}{EUR, US} {NUC} {EUR}{US} 

10 cs691 chow Dominate (dom) Relation The security level (L, C) dominates the security level (L’, C’) if and only if L’  L and C’  C  Dom  dominate relation is false. Geroge is cleared into security level (S, {NUC, EUR}) DocA is classified as (C, {NUC}) DocB is classified as (S, {EUR, US}) DocC is classified as (S, {EUR}) George dom DocA George  dom DocB George dom DocC The security level (L, C) dominates the security level (L’, C’) if and only if L’  L and C’  C  Dom  dominate relation is false. Geroge is cleared into security level (S, {NUC, EUR}) DocA is classified as (C, {NUC}) DocB is classified as (S, {EUR, US}) DocC is classified as (S, {EUR}) George dom DocA George  dom DocB George dom DocC

11 cs691 chow New Security Condition and *-Property Let C(S) be the category set of subject S. Let C(O) be the category set of object O. Simple Security Condition (not read up): S can read O if and only if S dom O and S has discretionary read access to O. *-Property (not write down): S can write to O if and only if O dom S and S has discretionary write access to O. Basic Security Theorem: Let  be a system with secure initial state  0 Let T be the set of state transformations. If every element of T preserves the simple security condition, preliminary version, and the *-property, preliminary version, Then every state  i, i≥0, is secure. Let C(S) be the category set of subject S. Let C(O) be the category set of object O. Simple Security Condition (not read up): S can read O if and only if S dom O and S has discretionary read access to O. *-Property (not write down): S can write to O if and only if O dom S and S has discretionary write access to O. Basic Security Theorem: Let  be a system with secure initial state  0 Let T be the set of state transformations. If every element of T preserves the simple security condition, preliminary version, and the *-property, preliminary version, Then every state  i, i≥0, is secure.

12 cs691 chow Allow Write Down? Bell-LaPadula allows higher-level subject to write into lower level object that low level subject can read. A subject has a maximum security level and a current security level. maximum security level must dominate current security level. A subject may (effectively) decrease its security level from the maximum in order to communicate with entities at lower security levels. Colonel’s maximum security level is (S, {NUC, EUR}). She changes her current security level to (S, {EUR}). Now she can create document at Major is clearance level (S, {EUR}). Bell-LaPadula allows higher-level subject to write into lower level object that low level subject can read. A subject has a maximum security level and a current security level. maximum security level must dominate current security level. A subject may (effectively) decrease its security level from the maximum in order to communicate with entities at lower security levels. Colonel’s maximum security level is (S, {NUC, EUR}). She changes her current security level to (S, {EUR}). Now she can create document at Major is clearance level (S, {EUR}).

13 cs691 chow Data General B2 Unix System Data General B2 Unix (DG/UX) provides mandatory access controls (MAC). The MAC label is a label identifying a particular compartment. The initial label (assigned at login time) is the label assigned to the user in a database called Authorization and Authentication (A&A) Database. When a process begins, it is assigned to MAC label of its parent (whoever creates it). Objects are assigned labels at creation. The labels can be explicit or implicit. The explicit label is stored as parts of the object’s attributes. The implicit label derives from the parent directory of the object. IMPL_HI: the least upper bound of all components in DG/UX lattice has IMPL_HI as label. IMPL_LO: the greatest lower bound of all components in DG/UX lattice has IMPL_LO as the label Data General B2 Unix (DG/UX) provides mandatory access controls (MAC). The MAC label is a label identifying a particular compartment. The initial label (assigned at login time) is the label assigned to the user in a database called Authorization and Authentication (A&A) Database. When a process begins, it is assigned to MAC label of its parent (whoever creates it). Objects are assigned labels at creation. The labels can be explicit or implicit. The explicit label is stored as parts of the object’s attributes. The implicit label derives from the parent directory of the object. IMPL_HI: the least upper bound of all components in DG/UX lattice has IMPL_HI as label. IMPL_LO: the greatest lower bound of all components in DG/UX lattice has IMPL_LO as the label

14 cs691 chow Three MAC Regions in DG/UX MAC Lattice Figure 5-3 The three MAC regions in the MAC lattice (modified from the DG/UX Security Manual [257], p. 4-7, Figure 4-4). TCB stands for "trusted computing base.“

15 cs691 chow Accesses with MAC Labels Read up and write up from users to Admin Region not allowed. Admin processes sanitize data sent to user processes with MAC Labels in the user region. System programs are in the lowest region. No user can write to or alter them. Only programs with the same label as the directory can create files in that directory. The above restriction will prevent compiling (need to access /tmp) mail delivery (need to access mail spool directory) Solution  multilevel directory. Read up and write up from users to Admin Region not allowed. Admin processes sanitize data sent to user processes with MAC Labels in the user region. System programs are in the lowest region. No user can write to or alter them. Only programs with the same label as the directory can create files in that directory. The above restriction will prevent compiling (need to access /tmp) mail delivery (need to access mail spool directory) Solution  multilevel directory.

16 cs691 chow Multilevel Directory A directory with a set of subdirectories, one for each label. These hidden directories normally invisible to the user. When a process with label MAC_A creates a file in /tmp, it actually create a file in hidden directory under /tmp with label MAC_A The parent directory of a file in /tmp is the hidden directory. A reference to the parent directory goes to the hidden directory. Process A with MAC_A creates /tmp/a. Process B with MAC_B creates /tmp/a. Each of them performs “cd /tmp/a; cd..” The system call stat(“.”, &stat_buffer) returns different inode number for each process. It returns the inode number of the respective hidden directory. Try “stat” command to display file and related status. DG/UX provides dg_mstat(“.”, &stat_buffer) to translate the current working directory to the multilevel directory A directory with a set of subdirectories, one for each label. These hidden directories normally invisible to the user. When a process with label MAC_A creates a file in /tmp, it actually create a file in hidden directory under /tmp with label MAC_A The parent directory of a file in /tmp is the hidden directory. A reference to the parent directory goes to the hidden directory. Process A with MAC_A creates /tmp/a. Process B with MAC_B creates /tmp/a. Each of them performs “cd /tmp/a; cd..” The system call stat(“.”, &stat_buffer) returns different inode number for each process. It returns the inode number of the respective hidden directory. Try “stat” command to display file and related status. DG/UX provides dg_mstat(“.”, &stat_buffer) to translate the current working directory to the multilevel directory

17 cs691 chow Mounting Unlabeled File System All files in that file system need to be lable. Symbolic links aggravate this problem. Does the MAC label the target of the link control, or does the MAC label the link itself? DG/UX uses a notion of inherited labels (called implicit labels) to solve this problem. The following rules control the way objects are labeled. 1. Roots of file systems have explicit MAC labels. If a file system without labels is mounted on a labeled file system, the root directory of the mounted file system receives an explicit label equal to that of the mount point. However, the label of the mount point, and of the underlying tree, is no longer visible, and so its label is unchanged (and will become visible again when the file system is unmounted). 2. An object with an implicit MAC label inherits the label of its parent. 3. When a hard link to an object is created, that object must have an explicit label; if it does not, the object's implicit label is converted to an explicit label. A corollary is that moving a file to a different directory makes its label explicit. 4. If the label of a directory changes, any immediate children with implicit labels have those labels converted to explicit labels before the parent directory's label is changed. 5. When the system resolves a symbolic link, the label of the object is the label of the target of the symbolic link. However, to resolve the link, the process needs access to the symbolic link itself. All files in that file system need to be lable. Symbolic links aggravate this problem. Does the MAC label the target of the link control, or does the MAC label the link itself? DG/UX uses a notion of inherited labels (called implicit labels) to solve this problem. The following rules control the way objects are labeled. 1. Roots of file systems have explicit MAC labels. If a file system without labels is mounted on a labeled file system, the root directory of the mounted file system receives an explicit label equal to that of the mount point. However, the label of the mount point, and of the underlying tree, is no longer visible, and so its label is unchanged (and will become visible again when the file system is unmounted). 2. An object with an implicit MAC label inherits the label of its parent. 3. When a hard link to an object is created, that object must have an explicit label; if it does not, the object's implicit label is converted to an explicit label. A corollary is that moving a file to a different directory makes its label explicit. 4. If the label of a directory changes, any immediate children with implicit labels have those labels converted to explicit labels before the parent directory's label is changed. 5. When the system resolves a symbolic link, the label of the object is the label of the target of the symbolic link. However, to resolve the link, the process needs access to the symbolic link itself.

18 cs691 chow Interesting Case with Hard Links Let /x/y/z: and /x/a/b be hard links to the same object. Suppose y has an explicit label IMPL_HI and a an explicit label IMPL_B. Then the file object can be accessed by a process at IMPL_HI as /x/y/z and by a process at IMPL_B as /x/alb. Which label is correct? Two cases arise. Suppose the hard link is created while the file system is on a DG/UX B2 system. Then the DG/UX system converts the target's implicit label to an explicit one (rule 3). Thus, regardless of the path used to refer to the object, the label of the object will be the same. Suppose the hard link exists when the file system is mounted on the DG/UX B2 system. In this case, the target had no file label when it was created, and one must be added. If no objects on the paths to the target have explicit labels, the tar­get will have the same (implicit) label regardless of the path being used. But if any object on any path to the target of the link acquires an explicit label, the target's label may depend on which path is taken. To avoid this, the implicit labels of a directory's children must be preserved when the directory's label is made explicit. Rule 4 does this. Because symbolic links interpolate path names of files, rather than store Mode numbers, computing the label of symbolic links is straightforward. If /x/y/z is a sym­ bolic link to /a/b/c, then the MAC label of c is computed in the usual way. However, the symbolic link itself is a file, and so the process must also have access to the link file z. Let /x/y/z: and /x/a/b be hard links to the same object. Suppose y has an explicit label IMPL_HI and a an explicit label IMPL_B. Then the file object can be accessed by a process at IMPL_HI as /x/y/z and by a process at IMPL_B as /x/alb. Which label is correct? Two cases arise. Suppose the hard link is created while the file system is on a DG/UX B2 system. Then the DG/UX system converts the target's implicit label to an explicit one (rule 3). Thus, regardless of the path used to refer to the object, the label of the object will be the same. Suppose the hard link exists when the file system is mounted on the DG/UX B2 system. In this case, the target had no file label when it was created, and one must be added. If no objects on the paths to the target have explicit labels, the tar­get will have the same (implicit) label regardless of the path being used. But if any object on any path to the target of the link acquires an explicit label, the target's label may depend on which path is taken. To avoid this, the implicit labels of a directory's children must be preserved when the directory's label is made explicit. Rule 4 does this. Because symbolic links interpolate path names of files, rather than store Mode numbers, computing the label of symbolic links is straightforward. If /x/y/z is a sym­ bolic link to /a/b/c, then the MAC label of c is computed in the usual way. However, the symbolic link itself is a file, and so the process must also have access to the link file z.

19 cs691 chow Enable Flexible Write in DG/UX Provide a range of labels called MAC tuple. A range is a set of labels expressed by a lower bound and an upper hound. A MAC tuple consists of up to three ranges (one for each of the regions in Figure 5-3). Example: A system has two security levels. TS and S, the former dominating the latter. The categories are COMP. NUC, and ASIA. Examples of ranges are: [(S, { COMP } ), (TS, { COMP } )] [( S,  ), (TS, { COMP, NUC. ASIA } )] [( S, { ASIA } ), ( TS, { ASIA, NUC } )] The label ( TS, { COMP }) is in the first two ranges. The label ( S, { NUC, ASIA } ) is in the last two ranges. However, [( S, {ASIA} ), ( TS, { COMP, NUC} )] is not a valid range because ( TS, {COMP. NUC } ) dom ( S, { ASIA } ). Provide a range of labels called MAC tuple. A range is a set of labels expressed by a lower bound and an upper hound. A MAC tuple consists of up to three ranges (one for each of the regions in Figure 5-3). Example: A system has two security levels. TS and S, the former dominating the latter. The categories are COMP. NUC, and ASIA. Examples of ranges are: [(S, { COMP } ), (TS, { COMP } )] [( S,  ), (TS, { COMP, NUC. ASIA } )] [( S, { ASIA } ), ( TS, { ASIA, NUC } )] The label ( TS, { COMP }) is in the first two ranges. The label ( S, { NUC, ASIA } ) is in the last two ranges. However, [( S, {ASIA} ), ( TS, { COMP, NUC} )] is not a valid range because ( TS, {COMP. NUC } ) dom ( S, { ASIA } ).