Access Control MAC
CSCE Farkas, Lecture 17

Reading assignments (required for the access control classes):
Ravi Sandhu and P. Samarati, Access Control: Principles and Practice, IEEE Communications, Volume 32, Number 9, September
Ravi Sandhu, Lattice-Based Access Control Models, IEEE Computer, Volume 26, Number 11 (Cover Article), November
Mandatory Access Control
Objects carry a security classification, e.g., grades = (confidential, {student-info})
Subjects carry a security clearance, e.g., Joe = (confidential, {student-info})
Access rules are defined by comparing the security classification of the requested object with the security clearance of the subject, e.g., a subject can read an object only if label(subject) dominates label(object)
Mandatory Access Control
If the access control rules are satisfied, access is permitted.
e.g., Joe wants to read grades:
label(Joe) = (confidential, {student-info})
label(grades) = (confidential, {student-info})
Joe is permitted to read grades.
Note the granularity of access rights!
Mandatory Access Control
Security classes (labels): (A, C)
A: total order of authority levels
C: set of categories
e.g., A = confidential > public, C = {student-info, dept-info}
The resulting lattice, from top to bottom:
(confidential, {student-info, dept-info})
(confidential, {student-info}), (confidential, {dept-info}), (public, {student-info, dept-info})
(confidential, { }), (public, {student-info}), (public, {dept-info})
(public, { })
Mandatory Access Control
Dominance (≥): label l = (A, C) dominates l' = (A', C') iff A ≥ A' and C ⊇ C'
e.g., (confidential, {student-info}) ≥ (public, {student-info})
BUT (confidential, {student-info}) does not dominate (public, {student-info, department-info})
Bell-LaPadula (BLP) Model
Confidentiality protection
Lattice-based access control: subjects, objects, security labels
Supports decentralized administration
BLP Reference Monitor
All accesses are controlled by the reference monitor
Cannot be bypassed
Access is allowed iff the resulting system state satisfies all security properties
Trusted subjects: subjects trusted not to compromise security
BLP Axioms
1. Simple-security property: a subject s is allowed to read an object o only if the security label of s dominates the security label of o ("no read up"). Applies to all subjects.
2. *-property: a subject s is allowed to write an object o only if the security label of o dominates the security label of s ("no write down"). Applies to untrusted subjects only.
Blind Writes
A blind write is a write to an object whose label strictly dominates the subject's, so the subject cannot read back what it wrote.
Risk: improper modification of data
Most implementations disallow blind writes
Tranquility
Read and write accesses are mediated based on the security labels of objects and subjects
Read and write accesses are not atomic, i.e., they are sequences of operations that may be interrupted
Example: a secret subject requests a read to a secret object. While the request is being processed, the subject lowers its level to unclassified => an unclassified subject has gained read access to a secret object
Tranquility
Tranquility: rules for changing security labels
Strong tranquility: security labels of subjects and objects never change during an operation
Advantage: the system state always satisfies the security requirements
Disadvantage: not flexible
Tranquility
Weak tranquility: security labels of subjects and objects never change in such a way as to violate the security policy
High watermark on subjects: during a read, a subject may upgrade its security clearance
High watermark on objects: during a write, an object's security classification may be upgraded
Discretionary Security Property
Every current access must be in the access matrix
Trojan Horse and BLP
[Figure: employees Black (Public) and Brown (Secret); files Employee (Brown: read, write) and Black's Employee (Black, Brown: read, write); a shared Word Processor program with a Trojan Horse (TH) inserted; the Reference Monitor mediating all accesses. Steps shown: insert Trojan Horse into shared program; use shared program; read Employee; copy Employee to Black's Employee.]
Biba Model: Integrity Protection
Integrity protection
Lattice-based access control: subjects, objects, integrity labels
Access Control List
Integrity Labels
Hierarchical integrity levels, e.g., Crucial > Very important > Important
Non-hierarchical categories, e.g., {medical, personal, administrative}
Strict Integrity Policy
Integrity *-property: a subject s can modify an object o only if the integrity level of s dominates the integrity level of o ("no write up")
Simple integrity property: a subject s can observe an object o only if the integrity label of s is dominated by the integrity label of o ("no read down")
Invocation property: a subject s1 can invoke a subject s2 only if the integrity label of s1 dominates the integrity label of s2
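The dominance relation, the two BLP axioms (including the trusted-subject exception and a no-blind-write variant) and the three Biba strict-integrity properties, as an added worked example that is not part of the lecture slides. The level orders and label values are the ones used on the slides; the function names are assumptions.

```python
from typing import Callable, FrozenSet, Tuple

# A security label is (level, categories), e.g. ("confidential", {"student-info"}).
Label = Tuple[str, FrozenSet[str]]

def label(level: str, *cats: str) -> Label:
    return (level, frozenset(cats))

def make_dominance(levels_low_to_high) -> Callable[[Label, Label], bool]:
    """Build dominates(l, l2): level(l) >= level(l2) AND categories(l) is a superset of categories(l2)."""
    rank = {lvl: i for i, lvl in enumerate(levels_low_to_high)}
    def dominates(l: Label, l2: Label) -> bool:
        (a, c), (a2, c2) = l, l2
        return rank[a] >= rank[a2] and c >= c2   # frozenset >= is the superset test
    return dominates

# Confidentiality lattice from the MAC slides; integrity lattice from the Biba slides.
conf_dom = make_dominance(["public", "confidential"])
integ_dom = make_dominance(["important", "very important", "crucial"])

# BLP axioms
def blp_read_ok(subj: Label, obj: Label) -> bool:
    return conf_dom(subj, obj)                     # simple-security: no read up

def blp_write_ok(subj: Label, obj: Label, trusted: bool = False) -> bool:
    return trusted or conf_dom(obj, subj)          # *-property: no write down; trusted subjects exempt

def blp_write_ok_no_blind(subj: Label, obj: Label) -> bool:
    # Disallowing blind writes means the subject must also be able to read o, i.e. labels are equal.
    return blp_read_ok(subj, obj) and blp_write_ok(subj, obj)

# Biba strict integrity policy (the dual of BLP on the integrity lattice)
def biba_read_ok(subj: Label, obj: Label) -> bool:
    return integ_dom(obj, subj)                    # simple integrity: no read down

def biba_write_ok(subj: Label, obj: Label) -> bool:
    return integ_dom(subj, obj)                    # integrity *-property: no write up

def biba_invoke_ok(s1: Label, s2: Label) -> bool:
    return integ_dom(s1, s2)                       # invocation property

if __name__ == "__main__":
    joe = label("confidential", "student-info")
    grades = label("confidential", "student-info")
    print("Joe reads grades:", blp_read_ok(joe, grades))            # True
    print("Joe writes public file:", blp_write_ok(joe, label("public", "student-info")))  # False
```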
Next Class: Database Security