1 FM and Security-Overview FM Formal Security Models Based on Slides prepared by A. Jones and Y. Lin. Material based on C. Landwehr paper.

Slides:



Advertisements
Similar presentations
ACCESS-CONTROL MODELS
Advertisements

Information Flow and Covert Channels November, 2006.
ISBN Chapter 3 Describing Syntax and Semantics.
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
Access Control Intro, DAC and MAC System Security.
Secure Operating Systems Lesson 0x11h: Systems Assurance.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Security Fall 2009McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
Security Fall 2006McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
Ch5: Software Specification. 1 Overview  Use of specifications  Specification qualities  Classification of specification styles  Verification of specifications.
Describing Syntax and Semantics
User Domain Policies.
Mandatory Flow Control Bismita Srichandan. Outline Mandatory Flow Control Models Information Flow Control Lattice Model Multilevel Models –The Bell-LaPadula.
Lecture 7 Access Control
Dr. Kalpakis CMSC 621, Advanced Operating Systems. Fall 2003 URL: Security & Protection.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.
Dr. Kalpakis CMSC 621, Advanced Operating Systems. Security & Protection.
CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.
Security Policy What is a security policy? –Defines what it means for a system to be secure Formally: Partition system into –Secure (authorized) states.
1 Confidentiality Policies September 21, 2006 Lecture 4 IS 2150 / TEL 2810 Introduction to Security.
1 IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 6 Oct 2-9, 2013 Security Policies Confidentiality Policies.
© G. Dhillon, IS Department Virginia Commonwealth University Principles of IS Security Formal Models.
1 A pattern language for security models Eduardo B. Fernandez and Rouyi Pan Presented by Liping Cai 03/15/2006.
The Architecture of Secure Systems Jim Alves-Foss Laboratory for Applied Logic Department of Computer Science University of Idaho By, Nagaashwini Katta.
Session 2 - Security Models and Architecture. 2 Overview Basic concepts The Models –Bell-LaPadula (BLP) –Biba –Clark-Wilson –Chinese Wall Systems Evaluation.
Security Architecture and Design Chapter 4 Part 3 Pages 357 to 377.
Next-generation databases Active databases: when a particular event occurs and given conditions are satisfied then some actions are executed. An active.
Lattice-Based Access Control Models Ravi S. Sandhu Colorado State University CS 681 Spring 2005 John Tesch.
Chapter 5 Network Security
Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.
Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Information Flow Control Language and System Level.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 3 September 15, 2009 Mathematical Review Security Policies.
Programming Languages and Design Lecture 3 Semantic Specifications of Programming Languages Instructor: Li Ma Department of Computer Science Texas Southern.
Access Control MAC. CSCE Farkas 2 Lecture 17 Reading assignments Required for access control classes:  Ravi Sandhu and P. Samarati, Access Control:
12/4/20151 Computer Security Security models – an overview.
Information Security CS 526 Topic 17
A Lattice Model of Secure Information Flow By Dorothy E. Denning Presented by Drayton Benner March 22, 2000.
Computer Security: Principles and Practice
2/1/20161 Computer Security Foundational Results.
Duminda WijesekeraSWSE 623: Introduction1 Introduction to Formal and Semi- formal Methods Based on A Specifier's Introduction to Formal Methods (J. Wing)
CS426Fall 2010/Lecture 211 Computer Security CS 426 Lecture 21 The Bell LaPadula Model.
Certification of Programs for Secure Information Flow Dorothy & Peter Denning Communications of the ACM (CACM) 1977.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 16 October 14, 2004.
Chapter 8: Principles of Security Models, Design, and Capabilities
Design and Implementation MAC in Security Operating System CAI Yi, ZHENG Zhi-rong, SHEN Chang-xiang Presented By, Venkateshwarlu Jangili. 1.
Database Security Database System Implementation CSE 507 Some slides adapted from Navathe et. Al.
Access Controls Mandatory Access Control by Sean Dalton December 5 th 2008.
IS 2620: Developing Secure Systems Formal Verification/Methods Lecture 9 March 15, 2012.
TOPIC: Web Security Models
Database System Implementation CSE 507
Access Control CSE 465 – Information Assurance Fall 2017 Adam Doupé
Verifiable Security Goals
IS 2150 / TEL 2810 Information Security & Privacy
Operating Systems Security
IS 2935: Developing Secure Systems
Information Security CS 526 Topic 17
Advanced System Security
Confidentiality Models
IS 2150 / TEL 2810 Introduction to Security
Chapter 5: Confidentiality Policies
An information flow model FM is defined by
Computer Security Access Control
IS 2150 / TEL 2810 Introduction to Security
IS 2150 / TEL 2810 Information Security & Privacy
A Survey of Formal Models for Computer Security
IS 2150 / TEL 2810 Information Security & Privacy
Advanced System Security
Presentation transcript:

1 FM and Security-Overview FM Formal Security Models Based on Slides prepared by A. Jones and Y. Lin. Material based on C. Landwehr paper

2 FM and Security-Overview FM Why Formal Models? u Regulations are generally descriptive rather than prescriptive, so they don’t tell you how to implement u Systems must be secure security must be demonstrable --> proofs therefore, formal security models

3 FM and Security-Overview FM Military Security u Classification levels unclassified classified: confidential, secret, top secret u Compartments topic specific u Clearance - ability to access a certain level/compartment of sensitive information

4 FM and Security-Overview FM Formal Models - Basic Concepts u Finite state machine model this structure is the basis for all models in this paper u Lattice model u Access matrix model u Security kernel (small enough for verification) u Information-flow model

5 FM and Security-Overview FM Lattice Model (for military application) u Sensitivity levels a, b u Compartments c, d (a,c) >= (b,d) u iff a >= b and c contains d u Implies greatest lower bound -- (unclass, no compartments u least upper bound -- (top secret, all compartments)

6 FM and Security-Overview FM Access Matrix Model u Three principal components: object, subject, rules u Access matrix (subject X object) read, write, append, and execute u Reference monitor - checks each access u Two approaches capability list (row-wise) access control list (column-wise)

7 FM and Security-Overview FM Access Matrix Objects SubjectsO1O2O3O4S1S2… S1rrrrxkill S2rwx S3rrx S4rr …

8 FM and Security-Overview FM Take-Grant Model u Use graphs to model access control u Access right: read, write, take, grant u Each directed arc represents a capability arc from one object to another labeled with access right u Compact representation of sparse access matrix

9 FM and Security-Overview FM Take-Grant Model (cont) u Set of rules for rewriting graph E.g. take rule: A has take right to B, then A can acquire all rights to any object that B has u Rules control deletion & creation of arcs, objects

take read,grant take read,grant A A B B C C

grant write A B C grant write A B C

12 FM and Security-Overview FM Take Grant Model (cont) u Question asked of model: given initial graph plus rules, can A ever get right R to object X? u I.e. question of graph transformation u Undecidable for general graphs u But decidable for specific graphs & rules u Defined predicates: “can know”, “can tell”, “ can steal”

13 FM and Security-Overview FM Bell & LaPadula Model u Captures military classification u Use finite state machine u Formally define a state to be secure, then consider transitions (that maintain security) u Uses subjects & objects of access matrix u Adds military security subject has clearance & current class.n level each object has a classification

14 FM and Security-Overview FM Bell & LaPadula Model (cont) u Four modes of access read-only, append, execute, and read-write u Ownership -- owner can pass access modes to owned object to other subjects u Core of operating system is a monitor (security kernel) that checks all accesses u Minimum code; prove its properties u In practice, it is difficult to isolate all security- relevant functions to a small kernel

15 FM and Security-Overview FM Bell & LaPadula Model (cont’d) u Properties for a state to be secure simple security property (restricts “reading up”) the star-property (prohibits “writing down”) u Tranquility principle no operation may change the classification of an active object

16 FM and Security-Overview FM Bell and LaPadula Model (cont’d) u Rules of transition: create object, change security level, rescind access, give access, etc u Trusted subjects not to compromise security even if some accesses violate the star-property u “Flat” set of objects atomic objects, each with a single classification no hierarchy

17 FM and Security-Overview FM Problems of B-L Model u Static representation is restrictive u Although hierarchies of objects are added in later version, no corresponding appropriate set of axioms u No clear guidance to determine trusted processes u In practice, declassification is a problem

18 FM and Security-Overview FM Problems of B-L Model (cont’d) u Allow information to be transmitted improperly through control variables (storage channels) u Their final forms don’t contain storage channels, but timing channels can exist u Many operations that are in fact secure will be disallowed by the model

19 FM and Security-Overview FM u Focus on operations that transfer information between objects u Five components objects -- hold information processes -- active agents security classes -- disjoint classes of information flow relation -- given 2 classes, determine if information is allowed to flow from one to other Information-Flow Model

20 FM and Security-Overview FM Information-Flow Model (cont’d) u Flow relation forms a lattice u Information flow (x->y) explicit -- opn.s causing flow are independent of value of x, e.g. assignment operation, x=y implicit -- conditional assignment (if x then y=z) u A program is secure if it does not specify any information flows that violate the given flow relation

21 FM and Security-Overview FM Information-Flow Model (cont’d) u Program is secure if it does not specify any information flows that violate the given flow relation u Consider static binding vs dynamic binding

22 FM and Security-Overview FM Programs as Channels for Information Transmission u Each of the models views a program as a medium for information transmission u Key question what information is conveyed by the execution of a program? what deductions about protected information are possible?

23 FM and Security-Overview FM Programs as Channels for Information Transmission (cont’d) u Filters (Jones and Lipton) views policy as function that maps from input domain of program to some subset of that domain protection mechanism as a filter that assures that policy is followed

24 FM and Security-Overview FM Discussion and Conclusion u Each model defines its own world and its own concept of security in that world u Appropriateness of a particular model depends on the application for which it is to be used

25 FM and Security-Overview FM Discussion & Conclusion (cont’d) u Common problem: an operation is either secure or not not helpful in making trade-offs between security and performance not true in the physical world, e.g. “safes’ u Formal verification or security properties of systems is an active research topic u Most assume a security kernel

26 FM and Security-Overview FM Discussion & Conclusion (cont’d) u Models can be divided into three groups controlling direct access to objects information flows among objects an observer’s ability to make inference u Formal models of computer security are needed in order to ask or answer whether a computer system is secure

27 FM and Security-Overview FM Relevant Specification Languages Based on materials from I. Cervesato, NRL

28 FM and Security-Overview FM Languages to Specify What? u Message flow u Message constituents u Operating environment u Protocol goals

29 FM and Security-Overview FM Desirable Properties u Unambiguous u Simple u Flexible Adapts to protocols u Powerful Applies to a wide class of protocols u Insightful Gives insight about protocols

30 FM and Security-Overview FM Language Families u “Usual notation” (user interfaces) u Knowledge logic BAN u Process theory Spi-calculus Strands MSR FDR, Casper Petri nets u Inductive methods  Temporal logic  Automata  CAPSL  NRL Protocol Analyzer  Mur   … Why so many?  Experience from mature fields  Unifying problem  Scientifically intriguing  Funding opportunities Convergence of approaches

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.