Download presentation
Presentation is loading. Please wait.
Published byGeraldine Pitts Modified over 9 years ago
1
J Carpenter 2008 702904 & 711908 lecture -05 1 702904 & 711908 Information Security 2008 Lecture 5 Access Control, Security Models
2
J Carpenter 2008 702904 & 711908 lecture -05 2 Lecture Outline Access Control - Introduction Access Policies Access Control Methods Reference Monitors Access Matrix, Capabilities, Access Control Lists (ACLs) Security Models Justification Ranked Bell-LaPadula Chinese Walls Biba Clark-Wilson
3
J Carpenter 2008 702904 & 711908 lecture -05 3 References Pfleeger & Pfleeger (4ed) Sections 4.3, 4.4, 5.1, 5.2, 5.3 Gollman Ch 3, Ch 4 Ch 9 Pfleeger (3ed) 4.3, 4.4, 5.3, 5.4 Windows Start Help search term: ‘access control’ then select ‘access control lists’ Start Help search term: ‘security’ then select ‘File Properties overview
4
J Carpenter 2008 702904 & 711908 lecture -05 4 Access Control -Introduction You want to protect some of the files you create Is confidentiality an issue ? Operating systems are designed to protect users from each other Is integrity an issue ? Terminology An active subject wishes to use an access operation on a passive object. (Sam wishes to read the production log) The same entity can sometimes be either subject or object (Sam wishes to execute the production program The production program wishes to read the production log) We could specify what the subject is allowed to do, OR what may be done with the object
5
J Carpenter 2008 702904 & 711908 lecture -05 5 Access Control -Monitors Single level (no hierarchy) Sometimes called Reference Monitor Easy to implement BUT May become a bottle-neck (IF this access-control monitor is defeated, THEN all accesses are vulnerable)
6
J Carpenter 2008 702904 & 711908 lecture -05 6 Access Control - Modes There is a lot of computing history behind the four access modes (permissions) Execute (usually includes Read capability) Read Append (blind write) Write -which includes Read capability Note that these modes do not directly allow for entities (say an active user) to create objects, and to grant access modes to that object Sam needs to create a file for the latest production report, and needs all members of the production team to have read access to that file
7
J Carpenter 2008 702904 & 711908 lecture -05 7 Policies (1) Historical considerations The history of information systems and their automation is a history of compromise. Automation had to fit into existing schemes of information management. Similarly, the addition of security mechanisms has to fit into existing structures and systems. Highly secure systems are often a consequence of redesign and re-engineering of existing systems. Mandatory Security Policies A system wide policy decrees that all subjects and all objects are classified. Access classes are associated with every subject- object pair. Access rights depend on the triple for all triplets
8
J Carpenter 2008 702904 & 711908 lecture -05 8 Policies (2) Discretionary Security Policies Users are allowed to grant access to other users - often the OWNER of an object can grant access privileges to other users, (at the owners discretion ) Discretionary Policies may allow one user to pass data to another user without the authority of the creator of the data
9
J Carpenter 2008 702904 & 711908 lecture -05 9 Access Control Methods Access Control Matrix Capabilities Access Control Lists An operating system reference is Silberschatz Operating System concepts (4 ed) Chapter 13
10
J Carpenter 2008 702904 & 711908 lecture -05 10 Access Control Matrix The entry in the table specifies the access modes that the subject in the row can perform on the object in the column Not really suitable for lots of users and files
11
J Carpenter 2008 702904 & 711908 lecture -05 11 Capabilities For each subject, a list of their access rights Associated with discretionary control policies Difficult to ascertain all those who can access a particular object Needs an operating system control program to change the access permissions on a particular object Suppose Alice has given Bob the right to read a series of files Easy to remove Alice’s capability, but how do we find and remove the capabilities that Alice granted to others ?
12
J Carpenter 2008 702904 & 711908 lecture -05 12 Access Control Lists (ACLs) The access rights to an object are stored with the object (like a reference monitor for each object) Usually implemented by placing users in groups and access rights granted to a group
13
J Carpenter 2008 702904 & 711908 lecture -05 13 Groups Used to simplify access control policies
14
J Carpenter 2008 702904 & 711908 lecture -05 14 Security Models We need models If you want a security policy to be enforceable, the policy will need to name the entities that are to have rights, and the entities that are to be controlled. There will need to be rules about both of these classes of entity, these rules are part of the policy. Security models are about different sorts of security policy.
15
J Carpenter 2008 702904 & 711908 lecture -05 15 Security Models Bell-LaPadula The Bell-LaPadula model is about information confidentiality, and this model formally represents the long tradition of attitudes to the flow of information concerning national secrets.
16
J Carpenter 2008 702904 & 711908 lecture -05 16 Security Models Chinese Walls Large consultancies can easily find there are conflicts of interest if individual consultants are given access to all information held by the consultancy. Chinese Wall models a particular way of restricting information flow.
17
J Carpenter 2008 702904 & 711908 lecture -05 17 Security Models Biba Based on the Cold War experiences, information integrity is also important, and the Biba model, complementary to Bell- LaPadula, is based on the flow of information where preserving integrity is critical.
18
J Carpenter 2008 702904 & 711908 lecture -05 18 Security Models Clarke-Wilson In the commercial sphere, the need is to engage in well-formed transactions which can only be undertaken by authorised personnel, and the Clarke-Wilson model is an attempt to formally model a policy based on well-formed transactions.
19
J Carpenter 2008 702904 & 711908 lecture -05 19 Security Models Formal Methods One benefit of using formal models is that mathematical (sometimes called formal) methods can be used to confirm that all transitions allowed by the model preserve the secure state of the system being modeled For real systems, modeling is not easy
20
J Carpenter 2008 702904 & 711908 lecture -05 20 Access Control - Ranked Model (1) Multi-level Often called Lattice methods Basis of military and commercial security Set of ordered security levels, users assigned to a level User subjects are privileged to access a rank and all lower ranks
21
J Carpenter 2008 702904 & 711908 lecture -05 21 Access Control - Ranked Model (2) We are also concerned about need to know Compartment the information to be secured Granting access : A subject is cleared to access object only if rank(subject) >= rank (object) AND The set of all compartments that contain the object are contained within the set of compartments that the subject is cleared to access (The personnel manger will not be allowed to access confidential production data)
22
J Carpenter 2008 702904 & 711908 lecture -05 22 Access Control - Ranked Model (3) Companies often use the ranks: Public, Company Confidential, Executive-only Deciding what lies in what compartment keeps security staff occupied
23
J Carpenter 2008 702904 & 711908 lecture -05 23 Bell - LaPadula (1) Earliest formal model Each user subject and information object has a fixed security class Use the notation >= to indicate dominance Simple Security (ss) property: the no read-up property A subject has read access to an object if the Class (rank) of the subject C(s) is greater than or equal to the class (rank) of the object C(o) need C(s) >= C(o)
24
J Carpenter 2008 702904 & 711908 lecture -05 24 Bell - LaPadula (2) * property (star): the no write-down property While a subject has read access to object O, the subject can only write to object P if C(P) >= C (O) Leads to concentration of irrelevant detail at upper levels
25
J Carpenter 2008 702904 & 711908 lecture -05 25 Discretionary Security Discretionary Security (ds) property If discretionary policies are in place, accesses are further limited to this access matrix Although all users in the personnel department can read all [personnel] documents, the personnel manager would expect to limit the readers of a document that dealt with redundancies in the personnel department !
26
J Carpenter 2008 702904 & 711908 lecture -05 26 Chinese Walls Suppose a consultancy has several airlines as clients It is a conflict of interest if a consultant working with Quantas has access to confidential data on Gulf gathered from another assignment Best illustrated by a diagram: (Pfleeger & Pfleeger pp251-252 For this model to work, a history of access rights has to be maintained (Also, if confidential information is written across conflict classes, an effective conflict of interest is created)
27
J Carpenter 2008 702904 & 711908 lecture -05 27 Biba Concerned with integrity of information We wish to prevent the spread of untrusted information A Cold war issue - the intelligence services of the UK were known to have been compromised by the Soviets. How then could the USA ensure that USA intelligence data was not ‘corrupted’ by possibly misleading data flowing from UK sources ? Subject s can only modify object o if I(s) >= I(o) no write up) Integrity * property If s can read o, s can only write to p if I(o) >= I(p) So ‘clean’ objects do not become ‘contaminated’
28
J Carpenter 2008 702904 & 711908 lecture -05 28 Clark-Wilson (1) The security requirements of commercial transactions are about integrity, and the prevention of error and fraud. There is an established principle of separation of duties, which aims to ensure that users must collaborate to validly manipulate data, and hence users must collude to commit fraud. Clark-Wilson aim to define well-formed transactions, so users cannot directly access data, and specific data items can only be modified by defined programs.
29
J Carpenter 2008 702904 & 711908 lecture -05 29 Clark-Wilson (2) Internal consistency of data items should be ensured by the system External consistency (that the system matches the real world), achieved by auditing.
30
J Carpenter 2008 702904 & 711908 lecture -05 30 Transitions If a system starts in a secure state, and all transitions are secure, then the system remains in a secure state. ? But what if we allow users to downgrade all objects, and then modify the access control matrix so all modes (permissions) are allowed for each entry ? So we need to beware of transitions that change access rights
31
J Carpenter 2008 702904 & 711908 lecture -05 31 Tranquility Pfleeger (4ed) p 316, Q1 Gollman p 49 Starting with a Bell-LaPadula model, with ranked classes of users Executive, Company-confidential, Public And segregated compartments, Sales, Production And all users assigned a rank, And all files assigned a rank and a compartment TRANQUILITY is when these assignments do not change – or are not allowed to change
32
J Carpenter 2008 702904 & 711908 lecture -05 32 Tranquility in practice Production program systems need to open and use work files, and open and use spool print files, class or subroutine libraries need to be accessed. For systems with mandatory security, these entities all need labels and levels (ranks). In practice assigning security levels to these sorts of entities is not easy.
33
J Carpenter 2008 702904 & 711908 lecture -05 33 Question: We have learned about different security models. Bell-Lapadula talks about 'Confidentiality', Biba model talks about information 'Integrity' and Clark-Wilson on the 'Integrity in business transactions’. Now, information security in organizations requires us to guarantee 'Confidentiality, Integrity and Availability', but none of these models deal with all aspects of security goals.
34
J Carpenter 2008 702904 & 711908 lecture -05 34 Question: Does this mean that implementing one of these security models is good enough to ensure the other two security goals? For example, if we implement Bell model, can we assume that 'Integrity and Availability' is dealt under 'Confidentiality'? Do we have to adopt multiple models to achieve those security goals? Is there any unified model which deals with all the aspects of security goals?
35
J Carpenter 2008 702904 & 711908 lecture -05 35 (A1) The three characteristics are independent (?) and so offering “C” does not offer “I” or “A” The operating system – or bureaucratic procedure – is seen to be responsible for “A” It would appear that if we are concerned about “I”, then some form of Clark-Wilson authorised transaction is required as well as some formal model offering protection against information leakage.
36
J Carpenter 2008 702904 & 711908 lecture -05 36 (A2) Considering only Bell-La Padula, there are two obvious actions needed: -enrolling users -classifying documents When we have an ‘enrol user’ operation, and a ‘assign level and compartment to document’ operation, we see there has to be operations to define compartments and the hierarchy of levels Graham-Denning addresses these issues Pfleeger (4ed) p 258
37
J Carpenter 2008 702904 & 711908 lecture -05 37
38
J Carpenter 2008 702904 & 711908 lecture -05 38 Trusted Computing Operating System Certification References Pfleeger & Pfleeger Ch 5
39
J Carpenter 2008 702904 & 711908 lecture -05 39 Trusted Computing (1) We want to know The O/sys does what is expected The O/sys only does what is specified The O/sys is reliable We want to be assured (- to have justification for our confidence - ) that the operating system functions correctly
40
J Carpenter 2008 702904 & 711908 lecture -05 40 Evaluation (1) We need evaluation criteria. There are now several, but the USA Department of Defence ‘Trusted Computer Security Evaluation Criteria’ are still the benchmark.
41
J Carpenter 2008 702904 & 711908 lecture -05 41 Evaluation (2) Target Products or Systems ? Purpose Evaluation, Certification, Accreditation We look for Repeatability and Reproducibility of evaluations Structure Function, Effectiveness, Assurance The Evaluation process must occur in some context
42
J Carpenter 2008 702904 & 711908 lecture -05 42 Trusted Computing (2) USA Department of Defence There must be a defined security policy enforced by the system Every object must be marked with a security level ‘label’ Every subject must be uniquely and convincingly identified Complete, secure records of actions that affect security must be kept There must be mechanisms that enforce security, and the effectiveness of these mechanisms must be testable The security mechanisms must be continuously protected against unauthorised change Documentation must be provided for evaluators, managers and users of the system
43
J Carpenter 2008 702904 & 711908 lecture -05 43 Certification of Secure O/S (1) Certification is the process of assessing the quality of the testing that has been performed, and assigning a measure of confidence in the correctness of the system
44
J Carpenter 2008 702904 & 711908 lecture -05 44 Certification of Secure O/S (2) Orange Book Evaluation Criteria: D. No requirement C1 & C2 Documentation and Assurance (Typical Commercial protection) B1 All objects have labels B2 Proof of security Complete narrative description of kernel Trusted Facility Management B3 & A1 Formal design to some explicit security model Penetration resistant There are significant difficulties evaluating complex software, and few systems have been certified to the A1 level.
45
J Carpenter 2008 702904 & 711908 lecture -05 45 Trusted Computing (2) We do NOT get assurance by: Emphatic assertion The vendor stating that flaws have not been found Challenges
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.