MLS Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Multi-Level Security 11.



Multi-Level Security An early security problem was protection of confidentiality within a military setting. Given information at various sensitivity levels and individuals having various degrees of trustworthiness, how do you control access to information within the system to protect confidentiality? This problem is called multi-level security (MLS) and predates computers.

MLS Thought Experiment Setting: General Eisenhower’s office in 1943 Europe. Assume an environment in which there is information at different “sensitivity” levels: the war plan, the defense budget, the base softball schedule, the cafeteria menu, etc.; and individuals permitted access to selected pieces of information: Gen. Eisenhower, privates, colonels, secretaries, janitors, spies, etc. The goal: Understand what “security” might mean in this context and define a policy (some rules) to implement it.

Risk Assessment Question: What are we protecting? Against what threats? Answer: The confidentiality of information: no person not authorized to view a piece of information may have access to it. Very important proviso: For this thought experiment we are only concerned with confidentiality, not integrity or availability.

Confidentiality Questions Some questions appropriate for considering a confidentiality policy: Is all of my data equally sensitive? If not, how do I group and categorize data? How do I characterize who is authorized to see what? How are the permissions administered and checked? According to what rules? Can authorizations change over time?

Categorizing Data Back to Gen. Eisenhower’s office. The relevant “space” of information contains lots of individual atoms or factoids:
1. The base softball team has a game tomorrow at 3pm.
2. The Normandy invasion is scheduled for June 6.
3. The cafeteria is serving chopped beef on toast today.
4. Col. Jones just got a raise.
5. Col. Smith didn’t get a raise.
6. The British have broken the German Enigma codes.
7. and so on.
Not all information is equally sensitive. How do we group and categorize information rationally?

Object Sensitivity Labels Information is parceled out into separate containers (documents/folders/objects/files) labeled according to their sensitivity level. One part of the label is taken from a linearly ordered set: Unclassified, Confidential, Secret, Top Secret. There are also “need-to-know” categories, from an unordered set, expressing membership within some interest group, e.g., Crypto, Nuclear, Janitorial, Personnel, etc.

Sensitivity Labels Ideally, the label on any folder reflects the sensitivity of the information contained within that folder. The label contains both a hierarchical component and a set of categories. For example, two documents might have levels: (Secret: {Nuclear, Crypto}), (Top Secret: {Crypto}). One can infer that the first contains somewhat sensitive information related to the categories Nuclear and Crypto. The second contains very sensitive information in category Crypto. Some security officer makes these labeling decisions. How they are made is outside the scope of our concern.

Mixed Information Question: How do you label a document that contains “mixed information”? Suppose the document contains both sensitive and non-sensitive information? Use the highest appropriate level. Suppose it contains information relating to both the Crypto and Nuclear domains? Use both categories. Aside: Sometimes a decision is made that a document’s classification should be changed. This is called downgrading (or upgrading).

Lessons for Categorizing Data For our MLS example, we partition information into containers and provide labels that reflect the sensitivity of the information. The labels are structured, with a hierarchical component and a set of need-to-know categories. A folder with “mixed” information must be labeled to protect the information at the highest hierarchical level and protect all categories of information.

MLS Thought Experiment Setting: General Eisenhower’s office in 1943 Europe. Assume an environment in which we have: information at different “sensitivity” levels; individuals permitted access to selected pieces of information. The goal: Understand what “security” (confidentiality) could mean in this context and define a policy (rules) to implement it.

Folder Sensitivity Labels Information is parceled out into separate containers (documents/folders) labeled according to sensitivity level. Examples: (Secret: {Nuclear, Crypto}), (Top Secret: {Crypto}). A question we suggested for confidentiality policies is: How do I characterize who is authorized to see what?

Authorization Levels Let’s assign individuals clearances or authorization levels, of the same form as document sensitivity levels. That is, each individual has: a hierarchical security level indicating the degree of trustworthiness to which he or she has been vetted; a set of “need-to-know categories” indicating domains of interest in which he or she is authorized to operate. Notice that labels on documents indicate the sensitivity of the contained information; “labels” on humans indicate classes of information that person is authorized to access.

Least Privilege: An Aside The need-to-know categories are a reflection that even within a given security level (such as Top Secret) not everyone needs to know everything. This is an instance of: Principle of Least Privilege: Any subject should have access to the minimum amount of information needed to do its job. This is as close to an axiom as anything in security. Why does it make sense?

Now What? Question: Given that we have labels for documents and clearances for individuals, how do we decide which humans are permitted access to which documents? Answer: Surely it’s some relationship between the subject level and the object level. But what? Should a human with the given clearance be able to read a document at the given sensitivity?

Lessons To control access by individuals to documents/folders, we need “labels” for both. For documents the labels indicate the sensitivity of the information contained. For individuals, the labels indicate the authorization (clearance) to view certain classes of information. An individual should be given the minimal authorization to perform the job assigned (Least Privilege). Whether an individual should be able to view a specific document depends on a relationship between the label of the document and the clearance of the individual.

MLS Thought Experiment Recall that we’ve assigned sensitivity labels to documents and clearances to individuals within our MLS environment. Now we’re attempting to answer the following confidentiality question: How are the permissions administered and checked? According to what rules?

A Little Vocabulary In the type of security policy we’re constructing, the following terms are often used: Objects: the information containers protected by the system (documents, folders, files, directories, databases, etc.). Subjects: entities (users, processes, etc.) that execute activities and request access to objects. Actions: operations, primitive or complex, executed on behalf of subjects that may affect objects. The subjects in our MLS example are the humans; the objects are the folders containing information.

The Dominates Relation Given a set of security labels (L, S), comprising hierarchical levels and categories, we can define an ordering relation among labels. Definition: (L_1, S_1) dominates (L_2, S_2) iff 1. L_1 ≥ L_2 in the ordering on levels, and 2. S_2 ⊆ S_1 (S_2 is a subset of or equal to S_1). We usually write (L_1, S_1) ≥ (L_2, S_2). Note that this is a partial order, not a total order. I.e., there are security labels A and B such that neither A ≥ B nor B ≥ A. Can you think of one?

Dominates Example In the following table, for which pairs does Label 1 dominate Label 2? Does this suggest how you might decide whether to allow a subject to read an object?

Simple Security Property The following rule appears to capture our intuition about when a subject can read an object. The Simple Security Property: Subject S with clearance (L_S, C_S) may be granted read access to object O with classification (L_O, C_O) if and only if (L_S, C_S) ≥ (L_O, C_O). Operationally, an individual asking to see a document must show that his clearance level dominates the sensitivity level of the document.

Lessons The dominates relation formalizes a relationship between any two labels. The Simple Security Property shows how to use dominates to decide whether a read access should be allowed.

MLS Thought Experiment We introduced the following rule, which appears to capture our intuition about when a subject can read an object. The Simple Security Property: Subject S with clearance (L_S, C_S) may be granted read access to object O with classification (L_O, C_O) only if (L_S, C_S) ≥ (L_O, C_O). Is it all we need? What about other types of access?

Do We Need Secure Writing? The Simple Security Property codifies restrictions on read access to documents. What about write access? Suppose someone with access to a Top Secret document copies the information onto a piece of paper and sticks it into an Unclassified folder. Has Simple Security been violated? No! Has confidentiality been violated? Clearly.

Secure Writing In general, subjects in the world of military documents are persons trusted not to write classified information where it can be accessed by unauthorized parties. Subjects in the world of computing are often programs operating on behalf of a trusted user (and with his or her clearance). Some program I run may have embedded malicious logic (a “trojan horse”) that causes it to “leak” information without my knowledge or consent.

The *-Property We restrict write access according to the following rule: The *-Property: Subject S with clearance (L_S, C_S) may be granted write access to object O with classification (L_O, C_O) only if (L_S, C_S) ≤ (L_O, C_O). This is pronounced “the star property.” How does it help?

The *-Property Does this rule make sense? Is it too restrictive? Is it too lax? Can a commanding general with a Top Secret clearance write marching orders to a foot soldier with no clearance? No! Can a corporal with no clearance overwrite the war plan? Nothing in our rules stops it, but that’s an integrity problem! Simple Security and the *-property are sometimes characterized as “read down” and “write up,” respectively. Alternatively, they’re characterized as “no read up” and “no write down.”
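The dominates relation, the Simple Security Property and the *-property from the preceding slides, worked through in Python over the slides' own example labels. This is an added example, not code from the slides; the numeric ranking of the four levels and the function names are my own.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical component: the slides' linearly ordered set, encoded as ranks (my encoding).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label (L, S): a hierarchical level plus a set of need-to-know categories.
    The same structure serves as an object's classification and as a subject's clearance."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """(L1, S1) dominates (L2, S2) iff L1 >= L2 in the level ordering and S2 is a subset of S1."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def incomparable(a: Label, b: Label) -> bool:
    """True when neither label dominates the other; this is why dominates is only a partial order."""
    return not a.dominates(b) and not b.dominates(a)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple Security Property ("no read up"): read iff the clearance dominates the classification."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-Property ("no write down"): write only if the classification dominates the clearance."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, action: str) -> bool:
    """Reference-monitor style check: every read or write request passes through the two rules."""
    if action == "read":
        return may_read(subject, obj)
    if action == "write":
        return may_write(subject, obj)
    raise ValueError(f"unknown action: {action}")


if __name__ == "__main__":
    # Labels constructed from the slides' examples.
    secret_nc = Label("Secret", frozenset({"Nuclear", "Crypto"}))
    top_secret_c = Label("Top Secret", frozenset({"Crypto"}))
    unclassified = Label("Unclassified")

    # Neither example document dominates the other: the answer to "Can you think of one?"
    print("incomparable:", incomparable(secret_nc, top_secret_c))  # True
    # Trojan horse: a program running with a Top Secret clearance tries to copy into an Unclassified folder.
    print("TS program writes Unclassified folder:", decide(top_secret_c, unclassified, "write"))  # False
    # Corporal with no clearance overwrites the war plan: permitted by these rules (an integrity problem).
    print("corporal writes war plan:", decide(unclassified, top_secret_c, "write"))  # True
```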

Lessons Control over read and write operations is needed to prevent confidentiality breaches. The *-property uses dominates to decide whether a write access should be allowed. Controlling write access is especially crucial for computers because the accessing subject may be a program executing on behalf of a user. The user has been cleared; the program has not.