CS426Fall 2010/Lecture 211 Computer Security CS 426 Lecture 21 The Bell LaPadula Model.

Slides:



Advertisements
Similar presentations
ACCESS-CONTROL MODELS
Advertisements

11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina.
CSC 405 Introduction to Computer Security
Information Flow and Covert Channels November, 2006.
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
Lecture 8 Access Control (cont)
Computer Security: Principles and Practice Chapter 10 – Trusted Computing and Multilevel Security.
1 COVERT CHANNELS Ravi Sandhu. 2 COVERT CHANNELS A covert channel is a communication channel based on the use of system resources not normally intended.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
Access Control Intro, DAC and MAC System Security.
1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Bell-LaPadula Model. Why Security Models?  When we have implemented a security policy, do we know that it will (and can) be.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
Sicurezza Informatica Prof. Stefano Bistarelli
Multilevel Security CySecLab Graduate School of Information Security.
User Domain Policies.
7/15/2015 5:04 PM Lecture 4: Bell LaPadula James Hook CS 591: Introduction to Computer Security.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.
1 Confidentiality Policies September 21, 2006 Lecture 4 IS 2150 / TEL 2810 Introduction to Security.
1 IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 6 Oct 2-9, 2013 Security Policies Confidentiality Policies.
© G. Dhillon, IS Department Virginia Commonwealth University Principles of IS Security Formal Models.
Chapter 5 – Designing Trusted Operating Systems  What makes an operating system “secure”? Or “trustworthy?  How are trusted systems designed, and which.
Session 2 - Security Models and Architecture. 2 Overview Basic concepts The Models –Bell-LaPadula (BLP) –Biba –Clark-Wilson –Chinese Wall Systems Evaluation.
Security Architecture and Design Chapter 4 Part 3 Pages 357 to 377.
Lattice-Based Access Control Models Ravi S. Sandhu Colorado State University CS 681 Spring 2005 John Tesch.
Chapter 5 Network Security
CS426Fall 2010/Lecture 251 Computer Security CS 426 Lecture 25 Integrity Protection: Biba, Clark Wilson, and Chinese Wall.
CMSC 414 Computer (and Network) Security Lecture 11 Jonathan Katz.
Access Control MAC. CSCE Farkas 2 Lecture 17 Reading assignments Required for access control classes:  Ravi Sandhu and P. Samarati, Access Control:
Trusted OS Design and Evaluation CS432 - Security in Computing Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University.
Computer Security 3e Dieter Gollmann
Secure Operating Systems Lesson 4: Access Control.
Policy, Models, and Trust
Information Security CS 526 Topic 17
Chapter 5 – Designing Trusted Operating Systems
COEN 350: Network Security Authorization. Fundamental Mechanisms: Access Matrix Subjects Objects (Subjects can be objects, too.) Access Rights Example:
1/15/20161 Computer Security Confidentiality Policies.
CSCE 201 Introduction to Information Security Fall 2010 Access Control Models.
Access Control: Policies and Mechanisms Vinod Ganapathy.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula.
Security Models Xinming Ou. Security Policy vs. Security Goals In a mandatory access control system, the system defines security policy to achieve security.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 16 October 14, 2004.
Design and Implementation MAC in Security Operating System CAI Yi, ZHENG Zhi-rong, SHEN Chang-xiang Presented By, Venkateshwarlu Jangili. 1.
Access Control Models Sandro Etalle slides by Daniel Trivellato.
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
EN Lecture Notes Spring 2016 ACCESS CONTROL MODELS.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
9- 1 Last time ● User Authentication ● Beyond passwords ● Biometrics ● Security Policies and Models ● Trusted Operating Systems and Software ● Military.
TOPIC: Web Security Models
Access Control CSE 465 – Information Assurance Fall 2017 Adam Doupé
Mandatory Access Control (MAC)
Security Models and Designing a Trusted Operating System
Computer Security Confidentiality Policies
Mandatory Access Control (MAC)
Information Security CS 526 Topic 17
Advanced System Security
Confidentiality Models
Guest Lecture in Acc 661 (Spring 2007) Instructor: Christopher Brown)
Information Security CS 526
Chapter 5: Confidentiality Policies
Lecture 17: Mandatory Access Control
Computer Security Confidentiality Policies
IS 2150 / TEL 2810 Information Security & Privacy
Chapter 5: Confidentiality Policies
Advanced System Security
Presentation transcript:

CS426Fall 2010/Lecture 211 Computer Security CS 426 Lecture 21 The Bell LaPadula Model

Annoucements October 15: Guest lecture by Prof. Steve Elliott on biometrics October 22: Mid-term exam CS426Fall 2010/Lecture 212

CS426Fall 2010/Lecture 213 Bell-LaPadula Model: A MAC Model for Achieving Multi-level Security Introduce in 1973 Air Force was concerned with security in time- sharing systems –Many OS bugs –Accidental misuse Main Objective: –Enable one to formally show that a computer system can securely process classified information

CS426Fall 2010/Lecture 214 What is a Security Model? A model describes the system –e.g., a high level specification or an abstract machine description of what the system does A security policy –defines the security requirements for a given system Verification shows that a policy is satisfied by a system System Model + Security Policy = Security Model

CS426Fall 2010/Lecture 215 Security Goal of BLP There are security classifications or security levels –Users/principals/subjects have security clearances –Objects have security classifications Example –Top Secret –Secret –Confidential –Unclassified In this case Top Secret > Secret > Confidential > Unclassified Security goal (confidentiality): ensures that information do not flow to those not cleared for that level

CS426Fall 2010/Lecture 216 Approach of BLP Use state-transition systems to describe computer systems Define a system as secure iff. every reachable state satisfies 3 properties –simple-security property, *-property, discretionary- security property Prove a Basic Security Theorem (BST) –so that one can prove a system is secure by proving things about the system description

CS426Fall 2010/Lecture 217 The BLP Security Model A computer system is modeled as a state- transition system –There is a set of subjects; some are designated as trusted. –Each state has objects, an access matrix, and the current access information. –There are state transition rules describing how a system can go from one state to another –Each subject s has a maximal sec level L m (s), and a current sec level L c (s) –Each object has a classification level

Elements of the BLP Model CS426Fall 2010/Lecture 218 Subjects Trusted Subjects Objects Current Accesses Security levels, e.g.: {TS, S, C, U} L m : Max Sec. Level L: Class. Lev. L c : Current Sec. Level Access Matrix

CS426Fall 2010/Lecture 219 The BLP Security Model A state is secure if it satisfies –Simple Security Condition (no read up): S can read O iff L m (S) ≥ L(O) –The Star Property (no write down): for any S that is not trusted S can read O iff L c (S) ≥ L(O) S can write O iff L c (S) ≤ L(O) –Discretionary-security property every access is allowed by the access matrix A system is secure if and only if every reachable state is secure.

CS426Fall 2010/Lecture 2110 STAR-PROPERTY Applies to subjects (principals) not to users Users are trusted (must be trusted) not to disclose secret information outside of the computer system Subjects are not trusted because they may have Trojan Horses embedded in the code they execute Star-property prevents overt leakage of information and does not address the covert channel problem

CS426Fall 2010/Lecture 2111 Is BLP Notion of Security Good? The objective of BLP security is to ensure –a subject cleared at a low level should never read information classified high The ss-property and the *-property are sufficient to stop such information flow at any given state. What about information flow across states?

CS426Fall 2010/Lecture 2112 BLP Security Is Not Sufficient! Consider a system with s 1,s 2,o 1,o 2 –f S (s 1 )=f C (s 1 )=f O (o 1 )=high –f S (s 2 )=f C (s 2 )=f O (o 2 ) =low And the following execution –s 1 gets access to o 1, read something, release access, then change current level to low, get write access to o 2, write to o 2 Every state is secure, yet illegal information exists Solution: tranquility principle: subject cannot change current levels

CS426Fall 2010/Lecture 2113 Main Contributions of BLP The overall methodology to show that a system is secure –adopted in many later works The state-transition model –which includes an access matrix, subject security levels, object levels, etc. The introduction of *-property –ss-property is not enough to stop illegal information flow

CS426Fall 2010/Lecture 2114 Other Issues with BLP Deal only with confidentiality, –does not deal with integrity at all Does not deal with information flow through covert channels

CS426Fall 2010/Lecture 2115 Overt (Explicit) Channels vs. Covert Channels Security objective of MLS in general, BLP in particular –high-classified information cannot flow to low-cleared users Overt channels of information flow –read/write an object Covert channels of information flow –communication channel based on the use of system resources not normally intended for communication between the subjects (processes) in the system

CS426Fall 2010/Lecture 2116 Examples of Covert Channels Using file lock as a shared boolean variable By varying its ratio of computing to input/output or its paging rate, the service can transmit information to a concurrently running process Covert channels are often noisy However, information theory and coding theory can be used to encode and decode information through noisy channels

CS426Fall 2010/Lecture 2117 More on Covert Channels Covert channels cannot be blocked by *-property It is generally very difficult, if not impossible, to block all cover channels One can try to limit the bandwidth of covert channels Military requires cryptographic components be implemented in hardware –to avoid trojan horse leaking keys through covert channels

CS426Fall 2010/Lecture 2118 More on MLS: Security Levels Used as attributes of both subjects & objects –clearance & classification Typical military security levels: –top secret  secret  confidential  unclassified Typical commercial security levels –restricted  proprietary  sensitive  public

CS426Fall 2010/Lecture 2119 Security Categories Also known as compartments Typical military security categories –army, navy, air force –nato, nasa, noforn Typical commercial security categories –Sales, R&D, HR –Dept A, Dept B, Dept C

CS426Fall 2010/Lecture 2120 Security Labels Labels = Levels  P (Categories) Define an ordering relationship among Labels –(e1, C1)  (e2, C2) iff. e1  e2 and C1  C2 This ordering relation is a partial order –reflexive, transitive, anti-symmetric –e.g.,  All security labels form a lattice

CS426Fall 2010/Lecture 2121 An Example Security Lattice levels={top secret, secret} categories={army,navy} Top Secret, {army, navy} Top Secret, {army} Top Secret, {navy} Secret, {army, navy} Top Secret, {} Secret, {army} Secret, {navy} Secret, {}

CS426Fall 2010/Lecture 2122 The need-to-know principle Even if someone has all the necessary official approvals (such as a security clearance) to access certain information they should not be given access to such information unless they have a need to know: that is, unless access to the specific information necessary for the conduct of one's official duties. Can be implemented using categories and or DAC

CS426Fall 2010/Lecture 2123 Readings for This Lecture Wikipedia Bell-LaPadula model David E. Bell: Looking Back at the Bell-La Padula Model

CS426Fall 2010/Lecture 2124 Coming Attractions … Trusted Operating Systems and Assurance