MT Computer Security - Models & Policies

Slides:



Advertisements
Similar presentations
TOPIC CLARK-WILSON MODEL Ravi Sandhu.
Advertisements

Information Flow and Covert Channels November, 2006.
Security Models and Architecture
Access Control Intro, DAC and MAC System Security.
Hybrid Policies Overview Chinese Wall Model Clinical Information Systems Security Policy ORCON RBAC Introduction to Computer Security ©2004 Matt Bishop.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Bell-LaPadula Model. Why Security Models?  When we have implemented a security policy, do we know that it will (and can) be.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Verifiable Security Goals
Security Models.
1 Clark Wilson Implementation Shilpa Venkataramana.
1 Integrity Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 22, 2004.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
1 FM and Security-Overview FM Formal Security Models Based on Slides prepared by A. Jones and Y. Lin. Material based on C. Landwehr paper.
CMSC 414 Computer (and Network) Security Lecture 10 Jonathan Katz.
Information Systems Security Security Architecture Domain #5.
CS526Topic 21: Integrity Models1 Information Security CS 526 Topic 21: Integrity Protection Models.
User Domain Policies.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.
Lecture 7 Access Control
Dr. Kalpakis CMSC 621, Advanced Operating Systems. Fall 2003 URL: Security & Protection.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Dr. Kalpakis CMSC 621, Advanced Operating Systems. Security & Protection.
Mandatory Security Policies CS461/ECE422 Spring 2012.
1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.
Slide #6-1 Integrity Policies CS461/ECE422 – Computer Security I Fall 2009 Based on slides provided by Matt Bishop for use with Computer Security: Art.
CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.
© G. Dhillon, IS Department Virginia Commonwealth University Principles of IS Security Formal Models.
3/16/2004Biba Model1 Biba Integrity Model Presented by: Nathan Balon Ishraq Thabet.
1 Lecture 3 Security Model. 2 Why Security Models? u A security model is a formal description of a security policy u Models are used in high assurance.
Computer Security 3e Dieter Gollmann
Week 8 - Wednesday.  What did we talk about last time?  Authentication  Challenge response  Biometrics  Started Bell-La Padula model.
Switch off your Mobiles Phones or Change Profile to Silent Mode.
Session 2 - Security Models and Architecture. 2 Overview Basic concepts The Models –Bell-LaPadula (BLP) –Biba –Clark-Wilson –Chinese Wall Systems Evaluation.
Security Architecture and Design Chapter 4 Part 3 Pages 357 to 377.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Lattice-Based Access Control Models Ravi S. Sandhu Colorado State University CS 681 Spring 2005 John Tesch.
Chapter 5 Network Security
CS426Fall 2010/Lecture 251 Computer Security CS 426 Lecture 25 Integrity Protection: Biba, Clark Wilson, and Chinese Wall.
Access Control MAC. CSCE Farkas 2 Lecture 17 Reading assignments Required for access control classes:  Ravi Sandhu and P. Samarati, Access Control:
Trusted OS Design and Evaluation CS432 - Security in Computing Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University.
Computer Security 3e Dieter Gollmann
UT DALLAS Erik Jonsson School of Engineering & Computer Science FEARLESS engineering Integrity Policies Murat Kantarcioglu.
12/4/20151 Computer Security Security models – an overview.
Information Security CS 526 Topic 17
Academic Year 2014 Spring Academic Year 2014 Spring.
A Lattice Model of Secure Information Flow By Dorothy E. Denning Presented by Drayton Benner March 22, 2000.
Computer Security: Principles and Practice
A security policy defines what needs to be done. A security mechanism defines how to do it. All passwords must be updated on a regular basis and every.
CS426Fall 2010/Lecture 211 Computer Security CS 426 Lecture 21 The Bell LaPadula Model.
Chapter 8: Principles of Security Models, Design, and Capabilities
Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model.
6/22/20161 Computer Security Integrity Policies. 6/22/20162 Integrity Policies Commercial requirement differ from military requirements: the emphasis.
CS526Topic 19: Integrity Models1 Information Security CS 526 Topic 19: Integrity Protection Models.
Chapter 7. Hybrid Policies
TOPIC: Web Security Models
Verifiable Security Goals
Chapter 6 Integrity Policies
2. Access Control Matrix Introduction to Computer Security © 2004 Matt Bishop 9/21/2018.
Chapter 5: Confidentiality Policies
Information Security CS 526 Topic 17
Security Modeling Jagdish S. Gangolly School of Business
Guest Lecture in Acc 661 (Spring 2007) Instructor: Christopher Brown)
Chapter 6: Integrity Policies
Computer Security Access Control
Chapter 6: Integrity Policies
Computer Security Integrity Policies
Presentation transcript:

MT5104 - Computer Security - Models & Policies The previous lecture has presented a choice of access control structures. Access control structures are there to encode security policies. A security policy captures the security requirements of an enterprise, or describes the steps that have to be taken to achieve security. A security model is a formal description of a security policy. MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Security Policies Organisational security policy: Laws, rules, and practices that regulate how an organisation manages and protects resources to achieve its security policy objectives. (A topic of IS1) Automated security policy: Restrictions and properties that specify how a computing system prevents violations of the organisational security policy. (A topic for this course) D. F. Sterne: On the Buzzword ‘Security Policy’ MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Why Security Models? They are used today in high assurance security evaluations (smart cards are currently a fruitful area of application) They are important historic milestones in computer security (e.g. Bell-LaPadula) They demonstrate some of the fundamental design decisions in a precise setting MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Agenda The Bell-LaPadula (BLP) model Changing access rights: Harrison-Ruzo-Ullman, Chinese Wall Integrity: Biba, Clark-Wilson Perfection: information flow and non-interference models MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Notation for Sets a  A: a is an element of set A A  B: the Cartesian product of two sets A and B; the elements of A  B are pairs (a,b); the elements of S  O  A would be tuples (s,o,a). AB: the set of functions from B to A; the elements of AB are functions f: B  A . P(A): the power set of A; the elements of P(A) are subsets of A. MT5104 - Computer Security - Models & Policies

State Machine Models (Automata) Abstract models that record relevant features, like the security of a computer system, in their state. States change at discrete points in time, e.g. triggered by a clock or an input event. State machine models have numerous applications in computer science: processor design, programming languages, or security. Examples: Switch: two states, ‘on’ and ‘off’ Ticket machine: inputs: ticket requests, coins, state: ticket requested and money to be paid, output: ticket, change Microprocessors: state: register contents, inputs: machine instructions MT5104 - Computer Security - Models & Policies

Basic Security Theorems To design a secure system with the help of state machine models, define its state set so that it captures ‘security’. check that all state transitions starting in a ‘secure’ state yield a ‘secure’ state. check that the initial state of the system is ‘secure’. Security is then preserved by all state transitions. The system will always be ‘secure’. This Basic Security Theorem has been derived without any definition of ‘security’! MT5104 - Computer Security - Models & Policies

Bell-LaPadula Model (BLP) BLP formalizes a confidentiality policy forbidding information flows from ‘high’ security levels down to ‘low’ security level. BLP only considers information flows that occur when a subject observes or alters an object. BLP is a state machine model. Access permissions are defined through an access control matrix and through a partial ordering of security levels. MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies What has to be modeled? All current access operations: an access operation is described by a triple (s,o,a), s  S(ubjects), o  O(bjects), a  A(ccess_Operations) The set of all current access operations is an element of P(S  O  A). We use B as shorthand for P(S  O  A). We use b to denote a set of current access operations. The current permissions as defined by the access control matrix M M is the set of access control matrices. MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies What has to be modeled? The current assignment of security levels: maximal security level: fS: S  L (L … labels) current security level: fC: S  L classification: fo: O  L The security level of a user is the user’s clearance. The current security level allows subjects to be down-graded temporarily (more later). F  LS  LS  LO is the set of security level assignments. f = (fS, fC, fO) denotes an element of F. The state set of BLP: V = B M  F A state is denoted by (b,M,f) MT5104 - Computer Security - Models & Policies

BLP Policies Forbid information flows from ‘high’ security levels to ‘low’ security levels that occur directly through access operations. Simple Security Property (ss-property) Information flow is still possible. For example, a low subject creates a high Trojan horse program that reads a high document and copies its contents to a low file. This constitutes an improper ‘declassification’ of the document. No read-up: fS(s)  fO(o) if access is in observe mode MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies read Trojan horse copy create read MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Star Property  - Property (star property) The very first version of BLP did not consider the  - property. The ss- property and  - property are called the mandatory BLP policies. No write-down: fC(s)  fO(o) if access is in alter mode; also, if subject s has access to an object o in alter mode, then fO(o’)  fO(o) for all objects o’ accessed by s in observe mode. MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies No Write-Down The  - property stops a high level subject from sending legitimate messages to a low level subject. There are two ways to escape from this restriction. Temporarily downgrade a high level subject. This is the reason for the current security level fC. BLP assumes that subjects have no memory of their own! Identify a set of trusted subjects, which are permitted to violate the  - property. We redefine the  - property and demand it only for subjects, which are not trusted. Trusted subjects may violate security policies! Distinguish between trusted subjects and trustworthy subjects. MT5104 - Computer Security - Models & Policies

Discretionary BLP Policy Discretionary Security Property (ds-property) Access must be permitted by the access control matrix: (s,o,a)  Mso. MT5104 - Computer Security - Models & Policies

Basic Security Theorem A state is secure, if all current access tuples (s,o,a) are permitted by the ss-, -, and ds-properties. A state transition is secure if it goes from a secure state to a secure state. This Basic Security Theorem has nothing to do with the BLP security policies, only with state machine modeling. Basic Security Theorem: If the initial state of a system is secure and if all state transitions are secure, then the system will always be secure. MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Tranquility McLean: consider a system with an operation downgrade: downgrades all subjects to system low downgrades all objects to system low enters all access rights in all positions of the access control matrix. The resulting state is secure according to BLP. Should such a system be regarded secure? McLean: no, everybody is allowed to do everything Bell: yes, if downgrade was part of the system specification Problem: BLP has no policies for changing access control data. Fact: BLP assumes tranquility, i.e. access control data do not change. MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Covert Channels Covert Channel: a communications channel that allows transfer of information in a manner that violates the system’s security policy. Storage channels: e.g. through operating system messages, file names, etc. Timing channels: e.g. through monitoring system performance Orange Book: 100 bits per second is ‘high’ bandwidth for storage channels, no upper limit on timing channels. The bandwidth of some covert channels can be reduced by reducing the performance of the system. Covert channels are not detected by BLP modeling. MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Aspects of BLP The descriptive capability of its state machine model; can be used for other properties, e.g. for integrity The access control structures proposed, access control matrix and security levels; can be replaced by other structures, e.g. on S  S  O to capture ‘delegation’. The actual security policies, the ss-,  -, and ds-properties; can be replaced by other policies (see Biba model) A specific application of BLP, e.g. its Multics interpretation (more next week). MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Limitations of BLP Restricted to confidentiality No policies for changing access rights; a general and complete downgrade is secure; BLP is intended for systems with static security levels. BLP contains covert channels: a low subject can detect the existence of high objects when it is denied access. Sometimes, it is not sufficient to hide only the contents of objects. Also their existence may have to be hidden. MT5104 - Computer Security - Models & Policies

Harrison-Ruzo-Ullman Model BLP does not have policies for changing access rights or for the creation and deletion of subjects and objects. The Harrison-Ruzzo-Ullman (HRU) model defines authorisation systems that address these issues. The components of the HRU model: a set of subjects S, a set of objects O, a set of access rights R, an access matrix M = (Mso)sS,oO , the entry Mso is the subset of R specifying the rights subject s has on object o. MT5104 - Computer Security - Models & Policies

Primitive Operations in HRU Six primitive operations for manipulating subjects, objects, and the access matrix: enter r into Mso delete r from Mso create subject s delete subject s create object o delete object o Commands in HRU model: c(x1,... ,xk) if r1 in Ms1,o1 and if r2 in Ms2,o2 and : if rm in Msm,om then op1 op2 opn end si and oi taken from x1,…,xk MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Examples Subject s creates a file f so that s owns the file (access right o) and has read and write permission to the file (access rights r and w). command create_file(s,f) create f enter o into Ms,f enter r into Ms,f enter w into Ms,f end The owner s of file f grants read access to another subject p with command grant_read(s,p,f) if o in Ms,f then enter r in Mp,f end MT5104 - Computer Security - Models & Policies

‘Leaking’ of Rights in HRU Commands effect changes in the access matrix. The access matrix describes the state of the system. The HRU model can capture security policies regulating the allocation of access rights. To verify that a system complies with a given policy, you have to check that there exists no way for undesirable access rights to be granted. An access matrix M is said to leak the right r if there exists a command c that adds r into a position of the access matrix that previously did not contain r. An access matrix M is said to be safe with respect to the right r if no sequence of commands can transform M into a state that leaks r. Do not expect the meaning of ‘leak’ and ‘safe’ to match your own intuition. MT5104 - Computer Security - Models & Policies

Safety Properties of HRU The safety problem cannot be tackled in its full generality. For restricted models, the chances of success are better. Theorem. Given an access matrix M and a right r, verifying the safety of M with respect to r is undecidable. Mono-operational commands contain a single operation: Theorem. Given a mono-operational authorisation system, an access matrix M, and a right r, verifying the safety of M with respect to r is decidable. With two operations per command, the safety problem is again undecidable. Limiting the size of the authorisation system is another way of making the safety problem tractable. Theorem. The safety problem for arbitrary authorisation systems is decidable if the number of subjects is finite. MT5104 - Computer Security - Models & Policies

The 3rd Design Principle. If you design complex systems that can only be described by complex models, it becomes difficult to find proofs of security. In the worst case (undecidability), there does not exist an universal algorithm that verifies security in all cases. If you want verifiable security properties, you are better off when the complexity of the security model is limited. Such a model may not describe all desirable security properties, but you may gain efficient methods for verifying ‘security’. In turn, you are advised to design simple systems that can be adequately described in the simple model. The more expressive a security model is, both with respect to the security properties and the systems it can describe, the more difficult it is usually to verify security properties. MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Chinese Wall Model In financial institutions analysts deal with a number of clients and have to avoid conflicts of interest. The model has the following components subjects: analysts objects: data item for a single client company datasets: y:O  C gives for each object its company dataset conflict of interest classes: companies that are competitors; x: O  P(C) gives for each object o the companies with a conflict of interest on o ‘labels’: company dataset + conflict of interest class sanitized information: no access restrictions. MT5104 - Computer Security - Models & Policies

Chinese Wall Model - Policies Simple Security Property: Access is only granted if the object requested is in the same company dataset as an object already accessed by that subject belongs not to any of the conflict of interest classes of objects already accessed by that subject Formally: N = (Nso)sS,oO , Boolean matrix, Nso = true if s has accessed o ss-property: subject s gets access to object o only if for all objects o’ with Nso’ = true, y(o) x(o’) or y(o)=y(o’). MT5104 - Computer Security - Models & Policies

Chinese Wall Model - Policies Indirect information flow: two competitors, A and B, have their account with the same Bank. Analyst_A, dealing with A and the Bank, updates the Bank portfolio with sensitive information about A. Analyst_B, dealing with B and the Bank, now has access to information about a competitor.  - Property: A subject s will be permitted write access to an object only if s has no read access to any object o’, which is in a different company dataset and is unsanitized. Formally: subject s gets write access to object o only if s has no read access to an object o’ with y(o)  y(o’) or x(o’)  {}. Access rights of subjects change dynamically with every access operation. MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Biba Model Biba is a state machine model similar to BLP for integrity policies that regulate modification of objects Integrity levels (such as ‘clean’ or ‘dirty’) are assigned to subjects and objects The Biba model has policies for an ‘invoke’ operation whereby one subject can access (invoke) another subject MT5104 - Computer Security - Models & Policies

Biba: static integrity levels The policies for static integrity levels are the dual of the mandatory BLP policies (tranquility). Simple Integrity Property Integrity  - Property No write-up: If subject s can modify (alter) object o, then fS(s)  fO(o). If subject s can read (observe) object o, then s can have write access to some other object o’ only if fO(o)  fO(o’). MT5104 - Computer Security - Models & Policies

Biba: dynamic integrity levels Low watermark policies automatically adjust levels (as in the Chinese Wall model): Subject Low Watermark Policy Object Low Watermark Policy Subject s can read (observe) an object o at any integrity level. The new integrity level of s is g.l.b.(fS(s), fO(o)). Subject s can modify (alter) an object o at any integrity level. The new integrity level of o is g.l.b.(fS(s), fO(o)). MT5104 - Computer Security - Models & Policies

Biba policies for invocation Invoke Property: Adds to the first two mandatory integrity policies; A ‘dirty’ subject s1 must not touch a ‘clean’ object indirectly by invoking s2. Ring Property: A ‘dirty’ subject s1 can invoke a ‘clean’ tool s2 to touch a ‘clean’ object. The ring property is the opposite of the invoke property! Subject s1 can invoke subject s2 only if fS(s1)  fS(s2). Subject s1 can read objects at all integrity levels, modify objects o with fS(s1)  fO(o), and invoke a subject s2 only if fS(s1)  fS(s2). MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Clark-Wilson Model Addresses the security requirements of commercial applications. ‘Military’ and ‘commercial’ are shorthand for different ways of using computers. Emphasis on integrity internal consistency: properties of the internal state of a system external consistency: relation of the internal state of a system to the outside world. Mechanisms for maintaining integrity well-formed transactions separation of duties MT5104 - Computer Security - Models & Policies

Clark-Wilson: Access Control Subjects and objects are ‘labeled’ with programs. Programs serve as an intermediate layer between subjects and objects. Access control: define the access operations (transformation procedures) that can be performed on each data item (data types). define the access operations that can be performed by subjects (roles). Note the difference between a general purpose opera-ting system (BLP) and an application oriented IT system (Clark-Wilson). MT5104 - Computer Security - Models & Policies

Clark-Wilson: Certification Rules Security properties are partly defined through five certification rules, suggesting the checks that should be conducted so that the security policy is consistent with the application requirements. IVPs (initial verification procedures) must ensure that all CDIs (constrained data items) are in a valid state when the IVP is run. TPs (transformation procedures) must be certified to be valid, i.e. valid CDIs must always be transformed into valid CDIs. Each TP is certified to access a specific set of CDIs. The access rules must satisfy any separation of duties requirements. All TPs must write to an append-only log. Any TP that takes an UDI (unconstrained data item) as input must either convert the UDI into a CDI or reject the UDI and perform no transformation at all. MT5104 - Computer Security - Models & Policies

Clark-Wilson: Enforcement Rules Four enforcement rules describe the security mechanisms within the computer system that should enforce the security policy. These rules are similar to discretionary access control in BLP. The system must maintain and protect the list of entries (TPi:CDIa,CDIb,...)} giving the CDIs the TP is certified to access. The system must maintain and protect the list of entries (UserID,TPi:CDIa,CDIb,...)} specifying the TPs users can execute. The system must authenticate each user requesting to execute a TP. Only a subject that may certify an access rule for a TP may modify the respective entry in the list. This subject must not have execute rights on that TP. Clark-Wilson is less formal than BLP but much more than an access control model. MT5104 - Computer Security - Models & Policies

Information Flow Models Similar framework as BLP: objects are labeled with security classes (form a lattice), information may flow upwards only. Information flow is described in terms of conditional entropy (equivocation  information theory) Information flows from x to y if we learn something about x by observing y: explicit information flow: y:= x implicit information flow: IF x=0 THEN y:=1 covert channels Proving security is now undecidable. MT5104 - Computer Security - Models & Policies

Non-interference models One group of users, using a certain set of commands, is non-interfering with another group of users if what the first group does with those commands has no effect on what the second group of users can see. Take a state machine where low users only see outputs relating to their own inputs. High users are non-interfering with low users if the low users see the same no matter whether the high users had been providing inputs or not. Non-interference is an active research area in formal methods. MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Exercises BLP does not specify policies for changing access rights. Which policies would you suggest? Should the star-property in the Chinese Wall model refer to current read access only or to any past read access? Give examples for application areas where a Biba policy with static integrity labels, a policy with dynamically changing integrity labels, or the ring-property is appropriate. Can you use BLP and Biba to model confidentiality and integrity simultaneously? Can you use the same labels for both policies? Develop a security model for documents, which are declassified after 30 years. In a medical information system that controls access to patient records and prescriptions, doctors may read and write patient records and prescriptions, nurses may read and write prescriptions only but should learn nothing about the contents of patient records. Can you capture this policy in a lattice model that prevents information flow from patient records to prescriptions? In your opinion, which security model is most appropriate for this policy? MT5104 - Computer Security - Models & Policies

MT5104 - Computer Security - Models & Policies Further reading Sterne, D.F., On the Buzzword ‘Security Policy’, Proceedings of the 1991 IEEE Symposium on Research in Security and Privacy, pages 219-230, 1991 Bell, D. and LaPadula, L., MITRE Technical Report 2547 (Secure Computer System): Volume II, Journal of Computer Security, vol. 4, no. 2/3, pages 239-263, 1996 Clark, D.R. and Wilson, D.R., A Comparison of Commercial and Military Computer Security Policies, Proceedings of the 1987 IEEE Symposium on Security and Privacy, pages 184-194, 1987 Goguen, J.A. and Meseguer, J., Security Policies and Security Models, Proceedings of the 1982 IEEE Symposium on Security and Privacy, pages 11-20, 1982 ESORICS 2000 (Springer Lecture Notes in Computer Science 1895): Checking secure interactions of Smart Card Applets and Verification of a Formal Security Model for Multiapplicative Smart Cards MT5104 - Computer Security - Models & Policies