Security Models Xinming Ou

Security Policy vs. Security Goals
In a mandatory access control system, the system defines the security policy to achieve security goals.
– Policies cannot be bypassed or changed by users (processes).
– How do we ensure the policies are defined correctly, i.e., that the security goals are actually achieved?

Information Flow
When a subject s reads an object o, information flows from o to s.
When a subject s writes to an object o, information flows from s to o.

Information Flow Graph
Information flow graph for a protection state: a directed graph G = (V, E) where
(1) the set of vertices V includes all subjects and objects in the protection state, and
(2) the set of directed edges E consists of one edge for each read and write information flow in the protection state (o → s for a read, s → o for a write).

Example (figure: information flow graph; source: Operating System Security, Jaeger '08, Morgan & Claypool)

Use Information Flow Graph to Reason about Security Goals
Secrecy – Can data be leaked from one subject/object to another subject/object?
Integrity – Can a subject/object of low integrity influence a subject/object of high integrity?
Both questions reduce to reachability: a leak or an undesired influence exists if there is a directed path in G from the source to the target, since flows compose transitively.
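As an added example (not part of the slides), the following Python builds the information flow graph of a small, constructed protection state and checks both goals by reachability. The subjects, objects, permissions and labels are assumptions chosen to show one write-down leak and one low-to-high integrity path; the secrecy and integrity ranks are plain integers, higher meaning more sensitive and more trusted respectively.

```python
"""Information flow graph from a protection state (added example, not from the slides)."""
from collections import deque

# Constructed protection state: subject -> objects it may read / write.
STATE = {
    "alice":  {"read": {"secret_doc"}, "write": {"tmp_file"}},
    "bob":    {"read": {"tmp_file"},   "write": {"public_doc"}},
    "backup": {"read": {"public_doc"}, "write": {"tape"}},
}

# Constructed labels. Secrecy: higher number = more sensitive.
SECRECY = {"secret_doc": 2, "alice": 2, "tmp_file": 0, "bob": 0,
           "public_doc": 0, "backup": 0, "tape": 0}
# Constructed labels. Integrity: higher number = more trusted.
INTEGRITY = {"secret_doc": 1, "alice": 1, "tmp_file": 0, "bob": 0,
             "public_doc": 0, "backup": 2, "tape": 2}


def build_flow_graph(state):
    """G = (V, E): a read of o by s adds edge o -> s, a write of o by s adds edge s -> o."""
    graph = {}

    def edge(u, v):
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set())

    for subject, perms in state.items():
        graph.setdefault(subject, set())
        for obj in perms.get("read", ()):
            edge(obj, subject)
        for obj in perms.get("write", ()):
            edge(subject, obj)
    return graph


def reachable(graph, start):
    """Vertices reachable from start over one or more flow edges (transitive flow)."""
    seen, queue = set(), deque([start])
    while queue:
        u = queue.popleft()
        for v in graph.get(u, ()):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def flow_violations(graph, allowed):
    """Every (u, v) with a flow path u ->* v that the goal predicate allowed(u, v) forbids."""
    return sorted((u, v) for u in graph for v in reachable(graph, u)
                  if u != v and not allowed(u, v))


def secrecy_violations(state, secrecy):
    """Secrecy goal: data may only reach vertices whose secrecy rank is at least the source's."""
    return flow_violations(build_flow_graph(state),
                           lambda u, v: secrecy[v] >= secrecy[u])


def integrity_violations(state, integrity):
    """Integrity goal: a vertex must not reach a vertex of strictly higher integrity."""
    return flow_violations(build_flow_graph(state),
                           lambda u, v: integrity[v] <= integrity[u])


if __name__ == "__main__":
    for u, v in secrecy_violations(STATE, SECRECY):
        print(f"secrecy: {u} can leak to {v}")
    for u, v in integrity_violations(STATE, INTEGRITY):
        print(f"integrity: {u} can influence {v}")
```

In the constructed state alice (secrecy 2) writes tmp_file (secrecy 0), so everything downstream of tmp_file becomes a leak target for secret_doc; removing that single write empties the secrecy violation list, which is exactly the check the secrecy models below are meant to make unnecessary by construction.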

Secrecy Model
Goal: prevent unauthorized disclosure of information.
A secrecy model ensures that policies defined according to the model will not result in unauthorized disclosure.
– Only applicable to MAC, not DAC: under DAC an owner may regrant access at any time, so nothing about disclosure can be guaranteed from the policy alone.

Lattice
A lattice is a partial order in which every pair of elements has a least upper bound (join) and a greatest lower bound (meet).

Example (figure: Hasse diagram of a lattice over the elements a, b, c, d, e)
Some partial order relations:
The join operator: least upper bound
The dominance relation: …

Secrecy Lattice
Top secret
Secret
Confidential
Unclassified
Nodes are called "security classes": labels assigned to objects and subjects.
The partial order represents the "can flow" relation: information may flow from a class to any class that dominates it.

Bell-LaPadula Model
Security labels arranged in a linear ordering:
– Top Secret: highest
– Secret
– Confidential
– Unclassified: lowest
Labels assigned to subjects are called security clearances; labels assigned to objects are called security classifications (the slides abbreviate both as SC).

BLP Model (MLS)
Simple-Security Property (no read up): a subject s may read an object o only if the label of s dominates the label of o.
*-Security Property (no write down): a subject s may write an object o only if the label of o dominates the label of s.

Labeling State
Assignment of labels to subjects and objects happens at creation time.
– The label must dominate the label of the creating process.
Labels cannot be changed once assigned.

Extension of the MLS model
Introduce categories to further differentiate the security class.
– A security class consists of a sensitivity level (top secret, secret, confidential, unclassified) and zero or more categories.
Example classes (figure): Secret: MIL, Top secret: ST, Secret: MIL+ST, Top secret: NONE

Extension of the MLS model
All categories form a lattice as well: the subsets of the category set ordered by inclusion, with NONE at the bottom, MIL and ST incomparable above it, and MIL+ST at the top.

Extension of the MLS model
A security class has the form l: c, where l is the sensitivity level and c is the set of categories.
l1: c1 dominates l2: c2 iff l1 ≥ l2 and c2 ⊆ c1, so the combined classes again form a lattice (product of the level ordering and the category lattice).
Example classes (figure): Secret: None, Top secret: MIL, Secret: ST, Secret: MIL+ST, Secret: MIL

Integrity Model
Goal: ensure that processes of high integrity do not depend on, and are not influenced by, those of low integrity.
The integrity goal can be mapped to information flows:
– Objects with low integrity cannot flow into subjects with high integrity.

Biba Integrity Model
Simple-Integrity Property (no read down; reading up is allowed): a subject s may read an object o only if the integrity label of o dominates the integrity label of s.
*-Integrity Property (no write up; writing down is allowed): a subject s may write an object o only if the integrity label of s dominates the integrity label of o.

Integrity Classification
E.g., System, Application, Middleware, User
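The following Python is an added example, not code from the slides, serving the lattice, MLS-with-categories, labeling-at-creation, BLP and Biba slides above in one place. It implements a security class l: c as a level rank plus a category set, the dominance, join and meet operators on it, and the read/write/create checks of BLP and Biba over that lattice. The secrecy level order is the slides' linear ordering; the ordering assumed for the integrity levels (user lowest, system highest), the label parser, and all label values used are assumptions.

```python
"""MLS security classes with categories, plus BLP and Biba access checks.
Added example; the ordering assumed for the integrity levels and all
label values used here are assumptions, not from the slides."""
from dataclasses import dataclass
from typing import FrozenSet, List

# Ordered low -> high. The secrecy order is the slides' linear ordering;
# the integrity order (user lowest, system highest) is an assumption.
SECRECY_LEVELS = ["unclassified", "confidential", "secret", "top_secret"]
INTEGRITY_LEVELS = ["user", "middleware", "application", "system"]


@dataclass(frozen=True)
class Label:
    """A security class l:c, stored as the rank of l plus the category set c."""
    rank: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """l1:c1 dominates l2:c2 iff l1 >= l2 and c2 is a subset of c1."""
        return self.rank >= other.rank and other.categories <= self.categories

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the higher level and the union of the categories."""
        return Label(max(self.rank, other.rank), self.categories | other.categories)

    def meet(self, other: "Label") -> "Label":
        """Greatest lower bound: the lower level and the intersection of the categories."""
        return Label(min(self.rank, other.rank), self.categories & other.categories)


def parse_label(spec: str, levels: List[str]) -> Label:
    """Parse 'Secret: MIL+ST', 'top secret:NONE' or 'unclassified' into a Label (assumed syntax)."""
    level, _, cats = spec.partition(":")
    level = level.strip().lower().replace(" ", "_").replace("-", "_")
    cats = cats.strip().upper()
    categories = frozenset() if cats in ("", "NONE") else frozenset(c.strip() for c in cats.split("+"))
    return Label(levels.index(level), categories)


def secrecy(spec: str) -> Label:
    return parse_label(spec, SECRECY_LEVELS)


def integrity(spec: str) -> Label:
    return parse_label(spec, INTEGRITY_LEVELS)


# Bell-LaPadula over secrecy labels: information may only flow upward.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple-security property (no read up)."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down)."""
    return obj.dominates(subject)


def blp_can_create(creator: Label, new_label: Label) -> bool:
    """Labeling at creation: the new label must dominate the creating process's label."""
    return new_label.dominates(creator)


# Biba over integrity labels: information may only flow downward.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple-integrity property (no read down)."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """*-integrity property (no write up)."""
    return subject.dominates(obj)


if __name__ == "__main__":
    ts_none, s_mil = secrecy("Top secret: NONE"), secrecy("Secret: MIL")
    print(ts_none.dominates(s_mil))  # a higher level alone is not enough: MIL is not a subset of NONE
    print(s_mil.join(secrecy("Secret: ST")) == secrecy("Secret: MIL+ST"))
```

The same dominance relation drives both models; only the direction of the checks is swapped, which is why the flow-graph view of the earlier slides treats secrecy and integrity as the same reachability question with the "allowed" predicate inverted.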