Published by Melissa Hicks. Modified over 9 years ago.
Slide 1
© G. Dhillon, IS Department Virginia Commonwealth University
Principles of IS Security: Formal Models
Slide 2: The Good Old Days
- Mainframe computers
- Physically isolated from casual access by unauthorized personnel
- Programs and data passed to/from the computer by trusted staff
- No authorization, no job
- So, no problem, right?
Slide 3: The Good New Days
- Computers are everywhere
- Access can often be achieved by walking up to the keyboard/display and beginning to work
- What's an authorization number?
- So, big problem, right?
Slide 4: Access Control
- Determines and monitors who can do what with what in the computer
- Is much more than establishing a physical perimeter around the computer
- Can't happen without identification and authentication (about which, more later)
- Needs to be instantiated in a policy
Slide 5: Subjects and Objects
- Remember your English grammar: subjects act, objects are acted upon
- These roles are not graven in stone
  - If you hit the ball, you are the subject
  - If the ball hits you, you are the object
- It is just the same in computer science
Slide 6: Access Control Model
Figure: Subject -> Request -> Reference Monitor -> Object
Any of these points is a vulnerability. How to protect?
Slide 7: Access Control
- Determine whether a principal can perform a requested operation on a target object
  - Principal: user, process, etc.
  - Operation: read, write, etc.
  - Object: file, tuple, etc.
Slide 8: Basic Access Control
Figure: the subject sends a request to the authorization mechanism, which consults the security policy and returns grant/deny for the object.
Slide 9: Why are we still talking about access control?
- An access control policy is a specification for an access decision function
- The policy aims to achieve
  - Permit the principal's intended function (availability)
  - Ensure security properties are met (integrity, confidentiality)
    - Limit to "Least Privilege," protect system integrity, prevent unauthorized leakage, etc.
    - Also known as 'constraints'
  - Enable administration of a changeable system (simplicity)
Slide 10: "Simple" example
- Prof A manages access to course objects
  - Assign access to individual (principal: Bob)
  - Assign access to aggregate (course-students)
  - Associate access to relation (students(course))
  - Assign students to project groups (student(course, project, group))
- Prof A wants certain guarantees
  - Students cannot modify objects written by Prof Alice
  - Students cannot read/modify objects of other groups
- Prof A must be able to maintain the access policy
  - Ensure that individual rights do not violate guarantees
  - However, exceptions are possible: students may distribute their results from previous assignments for an exam
Slide 11: Access Control is Hard Because
- Access control requirements are domain-specific
  - Generic approaches over-generalize
- Access control requirements can change
  - Anyone could be an administrator
- The Safety Problem
  - Can only know what is leaked right now
  - Access is fail-safe, but constraints are not
  - And constraints must restrict all future states
Slide 12: Remember the Purpose
- Confidentiality
- Integrity
- Availability
Slide 13: Reference Monitor
- Makes access control work
- You can tell it
  - What a subject is allowed to do (privilege)
  - What may be done with an object (permission)
- In order to specify these things, you need to know all the possibilities, or you need to define things narrowly so that what you don't know doesn't become allowed
Slide 14: Access Operations (Example)
- Observe: read, write
- Alter: write, append
- How do you execute a program?
Slide 15: Bell-LaPadula Access Rights
- e: execute
- r: read
- a: append
- w: write
- Don't assume anything when dealing with security!
Slide 16: Access Control Types
- Discretionary: the file owner is in charge
- Mandatory: the system policy is in charge
- One can exist within the other, especially discretionary within a class of mandatory
Slide 17: Access Control Matrix
- A = set of access operations permitted
- S = set of subjects
- O = set of objects
Slide 18: Access Control Matrix Example
Figure: an example access control matrix (the table itself did not survive extraction).
How easy is this to implement?
Slide 19: Access Control Lists
- Stores the access rights within the object
- Convenient, quick
- Difficult to modify globally w.r.t. subjects, easy w.r.t. the object
- How to find out what a subject is able to do?
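The matrix of slide 17 and the ACL question of slide 19, as an added example that is not part of the original deck: a matrix over constructed subjects, objects and rights, its column view (ACLs) and row view (capabilities), and the two operations that are awkward under ACLs, answering "what can this subject do?" and revoking a subject everywhere. The principals, objects and rights are constructed; `MATRIX`, `acls`, `capabilities`, `permitted`, `rights_of_subject` and `revoke_subject` are names chosen here.

```python
from typing import Dict, FrozenSet, Tuple

# Constructed rights: A = the BLP operations of slide 15; the three
# principals and three course objects echo the scenario of slide 10.
A = frozenset({"r", "w", "a", "e"})
MATRIX: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("alice", "syllabus.txt"): frozenset({"r", "w"}),
    ("bob", "syllabus.txt"):   frozenset({"r"}),
    ("carol", "syllabus.txt"): frozenset({"r"}),
    ("alice", "group1.doc"):   frozenset({"r"}),
    ("bob", "group1.doc"):     frozenset({"r", "w", "a"}),
    ("alice", "grader"):       frozenset({"e"}),
}
assert all(ops <= A for ops in MATRIX.values()), "right not in A"

def acls(m):
    """Column view of the matrix: each object stores who may do what to it."""
    out: Dict[str, Dict[str, FrozenSet[str]]] = {}
    for (s, o), ops in m.items():
        out.setdefault(o, {})[s] = ops
    return out

def capabilities(m):
    """Row view: each subject carries the rights it holds on every object."""
    out: Dict[str, Dict[str, FrozenSet[str]]] = {}
    for (s, o), ops in m.items():
        out.setdefault(s, {})[o] = ops
    return out

def permitted(acl, subject, obj, op):
    """Reference-monitor decision from the ACL: one lookup on the object.
    A subject absent from the list gets nothing (fail-safe default)."""
    return op in acl.get(obj, {}).get(subject, frozenset())

def rights_of_subject(acl, subject):
    """'What can this subject do?' under ACLs means scanning every object's
    list; the capability view answers the same question in one lookup."""
    return {o: entries[subject] for o, entries in acl.items() if subject in entries}

def revoke_subject(acl, subject):
    """Removing a subject globally touches every object's ACL; returns how
    many lists had to change."""
    changed = 0
    for entries in acl.values():
        if entries.pop(subject, None) is not None:
            changed += 1
    return changed
```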
Slide 20: Intermediate Controls
- Groups
- Negative permissions
- Protection rings
- Abilities
- Privileges
- Role-based
Slide 21: Security Levels
- Linear: Top secret, Secret, Confidential, Unclassified
- Lattice: security level + compartment
Slide 22: Security Level Examples
- Linear
  - Marking contains the name of the level
  - Each higher level dominates those below it
- Lattice
  - Marking contains the name of the level + the name of the compartment (e.g. TOP SECRET PETUNIA)
  - Only those "read into" the compartment can read the information in that compartment, and then only at the level of their overall access
Slide 23: Who Can Read What?
- In a linear system?
- In a lattice system?
- What is dominance?
Slide 24: System High/Low
- System High is the highest security level in the system. It can be thought of as the apex of all lattice levels.
- System Low is the lowest security level in the system. It can be thought of as the level which all system users can "see".
Slide 25: Security Models Implement Access Control Policy
- Why? If you can't describe it, you can't measure it, and you don't know what it is
- Policy requires a model
- Security requires a policy
Slide 26: Access Control Models
- Subjects and Objects have security levels and optional categories
- Confidentiality Policy (e.g., Bell-LaPadula)
  - Simple property: may read only if the subject's security level dominates the object's security level (read-down)
  - *-property: may write only if the subject's security level is dominated by the object's security level (write-up)
  - Tranquility property: may not change the security level of an object concurrent to its use
- Integrity Policy
  - Biba is the dual of BLP for integrity
Slide 27: Security Levels and Policies
Figure: three levels L1, L2, L3 with dominance 1 > 2 > 3; two columns show which read and write operations BLP and Biba allow between the levels.
Slide 28: BLP: Example 1
Figure: subjects at Top Secret, Secret and Unclassified against objects at the same three levels; an arrow labelled "Read OK" marks a permitted read and the direction of information flow.
Slide 29: BLP: Example 2
Figure: same layout as Example 1; arrows labelled "Read OK", "Read Forbidden" and "Read OK" mark which reads the simple property permits and the direction of information flow.
Slide 30: BLP: Example 3
- Suppose Tom's security class is [Secret, {medical, salary}]. Then Tom can read the following information:
  - Any information classified Secret or lower that has no categories
  - Any information classified Secret or lower that belongs to the category medical
  - Any information classified Secret or lower that belongs to the category salary
- Tom CANNOT read information that is
  - Classified higher than Secret
  - Classified Secret or lower and has a category other than medical or salary associated with it
- Suppose a file's security class is [Secret, {medical, salary}]
  - It can be read only by subjects having a clearance of Secret or better, and who have read access to BOTH categories medical and salary.
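The dominance relation of slides 22 and 23, the BLP and Biba rules of slide 26 and Tom's class from slide 30, as an added example that is not part of the original deck: a security class is a level plus a set of compartments, one class dominates another when its level is at least as high and its compartments are a superset, and a small reference monitor applies the simple property, the *-property and their Biba duals. The `SecurityClass` type, the numeric ordering of the four linear levels and the `can_relay` check are assumptions made here; the object classes in the test are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Linear part of the lattice, from slide 21 (higher number = higher level).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class SecurityClass:
    """A marking [level, {compartments}] as on slide 30."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "SecurityClass") -> bool:
        # [L1, C1] dominates [L2, C2] iff L1 >= L2 and C1 is a superset of C2.
        # Classes with disjoint compartments are incomparable: neither dominates.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def sc(level: str, *comps: str) -> SecurityClass:
    return SecurityClass(level, frozenset(comps))

def blp_can_read(subject: SecurityClass, obj: SecurityClass) -> bool:
    """BLP simple security property: read down only."""
    return subject.dominates(obj)

def blp_can_write(subject: SecurityClass, obj: SecurityClass) -> bool:
    """BLP *-property: write up only, so nothing leaks to a lower class."""
    return obj.dominates(subject)

def biba_can_read(subject: SecurityClass, obj: SecurityClass) -> bool:
    """Biba dual: read up only, never consume lower-integrity data."""
    return obj.dominates(subject)

def biba_can_write(subject: SecurityClass, obj: SecurityClass) -> bool:
    """Biba dual: write down only, never contaminate higher integrity."""
    return subject.dominates(obj)

def can_relay(subject: SecurityClass, src: SecurityClass, dst: SecurityClass) -> bool:
    """Could a Trojan horse running with this subject's class copy data from
    object class src to object class dst? It must read src and write dst;
    under BLP that forces dst to dominate src, which is the point of slide 31."""
    return blp_can_read(subject, src) and blp_can_write(subject, dst)

# Tom's class from slide 30; the object classes used with it are constructed.
TOM = sc("Secret", "medical", "salary")
```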
Slide 31: Purpose of BLP and Biba
- BLP
  - Prevent Trojan horses from leaking information to lower security levels
  - Mandatory access control and implicit constraints
- Biba
  - Prevent low integrity information flows to higher integrity processes
  - E.g., code, configuration, user requests, buffer overflows
- Categories/Compartments for separation within levels
- Safety is implicit in the model
  - No additional constraints are needed to express security guarantees
Slide 32: Problems with these models
- Enforce a single security policy
- Do not support the specification of expressive policies
- Policies are not adaptive (do not allow active actions when security violations are suspected or detected)
- Provide no means to reason about the composition of policies
Slide 33: Problems: Example 1
Figure: an access request checked against MAC, DAC and local policies.