Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sicurezza Informatica Prof. Stefano Bistarelli

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Sicurezza Informatica Prof. Stefano Bistarelli"— Presentation transcript:

1 Sicurezza Informatica Prof. Stefano Bistarelli bista@dipmat.unipg.it http://www.sci.unich.it/~bista/

2 Prof. Stefano Bistarelli - Sicurezza Informatica2 Chapter 5: confidentiality

3 Prof. Stefano Bistarelli - Sicurezza Informatica3 Chapter 5: Confidentiality Policies Overview What is a confidentiality model Bell-LaPadula Model General idea Informal description of rules

4 Prof. Stefano Bistarelli - Sicurezza Informatica4 Confidentiality Policy Also known as information flow policy Integrity is secondary objective Eg. Military mission “date” Bell-LaPadula Model Formally models military requirements Information has sensitivity levels or classification Subjects have clearance Subjects with clearance are allowed access Multi-level access control or mandatory access control

5 Prof. Stefano Bistarelli - Sicurezza Informatica5 Bell-LaPadula: Basics Mandatory access control Entities are assigned security levels Subject has security clearance L(s) = l s Object has security classification L(o) = l o Simplest case: Security levels are arranged in a linear order l i < l i+1 Example Top secret > Secret > Confidential >Unclassified

6 Prof. Stefano Bistarelli - Sicurezza Informatica6 “No Read Up” Information is allowed to flow up, not down Simple security property: s can read o if and only if l o ≤ l s and s has discretionary read access to o - Combines mandatory (security levels) and discretionary (permission required) - Prevents subjects from reading objects at higher levels (No Read Up rule)

7 Prof. Stefano Bistarelli - Sicurezza Informatica7 “No Write Down” Information is allowed to flow up, not down *property s can write o if and only if l s ≤ l o and s has write access to o - Combines mandatory (security levels) and discretionary (permission required) - Prevents subjects from writing to objects at lower levels (No Write Down rule)

8 Prof. Stefano Bistarelli - Sicurezza Informatica8 Example security levelsubjectobject Top SecretTamaraPersonnel Files SecretSamuelE-Mail Files ConfidentialClaireActivity Logs UnclassifiedUlaleyTelephone Lists Tamara can read which objects? And write? Claire cannot read which objects? And write? Ulaley can read which objects? And write?

9 Prof. Stefano Bistarelli - Sicurezza Informatica9 Access Rules Secure system: One in which both the properties hold Theorem: Let Σ be a system with secure initial state σ 0, T be a set of state transformations If every element of T follows rules, every state σ i secure Proof - induction

10 Prof. Stefano Bistarelli - Sicurezza Informatica10 Categories Total order of classifications not flexible enough Alice cleared for missiles; Bob cleared for warheads; Both cleared for targets Solution: Categories Use set of compartments (from power set of compartments) Enforce “need to know” principle Security levels (security level, category set) (Top Secret, {Nuc, Eur, Asi}) (Top Secret, {Nuc, Asi})

11 Prof. Stefano Bistarelli - Sicurezza Informatica11 Lattice of categories Combining with clearance: (L,C) dominates (L’,C’)  L’ ≤ L and C’  C Induces lattice of security levels

12 Prof. Stefano Bistarelli - Sicurezza Informatica12 Lattice of categories {Nuc}{Eur} {Us} {Nuc, Eur}{Nuc, Us}{Eur, Us} {Nuc, Eur, Us} {} Examples of levels (Top Secret, {Nuc,Asi}) dom (Secret, {Nuc})? (Secret, {Nuc, Eur}) dom (Confidential, {Nuc,Eur})? (Top Secret, {Nuc}) dom (Confidential, {Eur}) ? Bounds Greatest lower, glb Lowest upper, lub glb of {Nuc, Us} & {Eur, Us}? lub of {Nuc, Us} & {Eur, Us}?

13 Prof. Stefano Bistarelli - Sicurezza Informatica13 Access Rules Simple Security Condition: S can read O if and only if S dominate O and S has read access to O *-Property: S can write O if and only if O dom S and S has write access to O Secure system: One with above properties Theorem: Let Σ be a system with secure initial state σ 0, T be a set of state transformations If every element of T follows rules, every state σ i secure

14 Prof. Stefano Bistarelli - Sicurezza Informatica14 Problem Colonel has (Secret, {NUC, EUR}) clearance Major has (Secret, {EUR}) clearance Major can talk to colonel (“write up” or “read down”) Colonel cannot talk to major (“read up” or “write down”) Clearly absurd!

15 Prof. Stefano Bistarelli - Sicurezza Informatica15 Communication across level Communication is needed between Subject at higher level and a subject at the lower levels Need write down to a lower object One mechanism Subjects have max and current levels max must dominate current Subjects decrease clearance level

16 Prof. Stefano Bistarelli - Sicurezza Informatica16 Key Points Confidentiality models restrict flow of information Bell-LaPadula models multilevel security Cornerstone of much work in computer security

17 Prof. Stefano Bistarelli - Sicurezza Informatica17 Example DG/UX System Only a trusted user (security administrator) can lower object’s security level In general, process MAC labels cannot change If a user wants a new MAC label, needs to initiate new process Cumbersome, so user can be designated as able to change process MAC label within a specified range

18 Prof. Stefano Bistarelli - Sicurezza Informatica18 DG/UX Labels Lowest upper bound: IMPL_HI Greatest lower bound: IMPL_LO

19 Prof. Stefano Bistarelli - Sicurezza Informatica19 DG/UX Once you login MAC label that of user in Authorization and Authentication (A&A) Databases When a process begins It gets its parent’s MAC label Reading up and writing up not allowed

20 Prof. Stefano Bistarelli - Sicurezza Informatica20 DG/UX S:MAC_A creates O If O:MAC_B already exists Fails if MAC_B dom MAC_A Creating files in a directory Only programs with the same level as the directory can create files in the directory Problems with /tmp and /var/mail Solution: use multilevel directory: a directory with a subdirectory for each level (hidden) If process with MAC_A creates a file – put in subdirecotry with label MAC_A Reference to parent directory of a file refers to the hidden directory

21 Prof. Stefano Bistarelli - Sicurezza Informatica21 DG/UX Provides a range of MAC labels Called MAC Tuples: [Lower, Upper] [(S, {Europe}), (TS, {Europe})] [(S,  ), (TS, {Nuclear, Europe, Asia})] Objects can have a tuple as well as a required MAC label Tuple overrides A process can read an object if its MAC label grants it read access to the upper bound A process can read an object if its MAC label grants it write access to the lower bound

22 Prof. Stefano Bistarelli - Sicurezza Informatica22 Discussion: Vedere cascade su www.sci.unich.it/~bista/papers/papers- download/jcs-v8_final.pdf www.sci.unich.it/~bista/papers/papers- download/jcs-v8_final.pdf E slides lesson3-bista-foley- osullivan@jcs.ppt

Download ppt "Sicurezza Informatica Prof. Stefano Bistarelli"

Similar presentations

Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
Lecture 8 Access Control (cont)

Lecture 8 Access Control (cont)
Access Control Methodologies

Access Control Methodologies
I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University.

I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.

Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Information Security Principles & Applications Topic 6: Security Policy Models 虞慧群

Information Security Principles & Applications Topic 6: Security Policy Models 虞慧群
1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.

1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.

Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
April 20, 2004ECS 235Slide #1 DG/UX System Provides mandatory access controls –MAC label identifies security level –Default labels, but can define others.

April 20, 2004ECS 235Slide #1 DG/UX System Provides mandatory access controls –MAC label identifies security level –Default labels, but can define others.
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
User Domain Policies.

User Domain Policies.
April 15, 2004ECS 235Slide #1 Policy Languages Express security policies in a precise way High-level languages –Policy constraints expressed abstractly.

April 15, 2004ECS 235Slide #1 Policy Languages Express security policies in a precise way High-level languages –Policy constraints expressed abstractly.
7/15/2015 5:04 PM Lecture 4: Bell LaPadula James Hook CS 591: Introduction to Computer Security.

7/15/2015 5:04 PM Lecture 4: Bell LaPadula James Hook CS 591: Introduction to Computer Security.
Mandatory Flow Control Bismita Srichandan. Outline Mandatory Flow Control Models Information Flow Control Lattice Model Multilevel Models –The Bell-LaPadula.

Mandatory Flow Control Bismita Srichandan. Outline Mandatory Flow Control Models Information Flow Control Lattice Model Multilevel Models –The Bell-LaPadula.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

Similar presentations

Ads by Google