Presentation is loading. Please wait.

Presentation is loading. Please wait.

Session 2 - Security Models and Architecture. 2 Overview Basic concepts The Models –Bell-LaPadula (BLP) –Biba –Clark-Wilson –Chinese Wall Systems Evaluation.

Published byMatthew Alexander Modified over 9 years ago

Similar presentations

Presentation on theme: "Session 2 - Security Models and Architecture. 2 Overview Basic concepts The Models –Bell-LaPadula (BLP) –Biba –Clark-Wilson –Chinese Wall Systems Evaluation."— Presentation transcript:

1 Session 2 - Security Models and Architecture

2 2 Overview Basic concepts The Models –Bell-LaPadula (BLP) –Biba –Clark-Wilson –Chinese Wall Systems Evaluation

3 3 Basic Concepts

4 4 Terminology Trusted Computing Base (TCB) – combination of protection mechanisms within a computer system Subjects / Objects –Subjects are active (e.g., users / programs) –Objects are passive (e.g., files) Reference Monitor – abstract machine that mediates subject access to objects Security Kernel – core element of TCB that enforces the reference monitor’s security policy

5 5 Types of Access Control Discretionary Access Control (DAC) – data owners can create and modify matrix of subject / object relationships (e.g., ACLs) Mandatory Access Control (MAC) – “insecure” transactions prohibited regardless of DAC Cannot enforce MAC rules with DAC security kernel –Someone with read access to a file can copy it and build a new “insecure” DAC matrix because he will be an owner of the new file.

6 6 Information Flow Models Pour cement over a PC and you have a secure system In reality, there are state transitions Key is to ensure transitions are secure Models provide rules for how information flows from state to state. Information flow models do not address covert channels –Trojan horses –Requesting system resources to learn about other users

7 7 Access Control Models

8 8 Models Bell-LaPadula Biba Clark-Wilson Chinese Wall

9 9 Bell-LaPadula (BLP) Model BLP is formal (mathematical) description of mandatory access control Three properties: –ds-property (discretionary security) –ss-property (simple security – no “read up”) –*-property (star property – no “write down”) A secure system satisfies all of these properties BLP includes mathematical proof that if a system is secure and a transition satisfies all of the properties, then the system will remain secure.

10 10 Bell-LaPadula Model (Continued) Honeywell Multics kernel was only true implementation of BLP, but it never took hold DOD information security requirements currently achieved via discretionary access control and segregation of systems rather than BLP-compliant computers

11 11 Bell-LaPadula Model, Step 1 Security levels arranged in linear ordering –Top Secret: highest –Secret –Confidential –Unclassified: lowest Levels consist of security clearance L(s) –Objects have security classification L(o)

12 12 Example security levelsubjectobject Top SecretTamaraPersonnel Files SecretSamuelE-Mail Files ConfidentialClaireActivity Logs UnclassifiedLarryTelephone Lists Tamara can read all files Claire cannot read Personnel or E-Mail Files Larry can only read Telephone Lists

13 13 Reading Information Information flows up, not down –“Reads up” disallowed, “reads down” allowed Simple Security Condition (Step 1) –Subject s can read object o iff, L(o) ≤ L(s) and s has permission to read o –Sometimes called “no reads up” rule

14 14 Writing Information Information flows up, not down –“Writes up” allowed, “writes down” disallowed *-Property (Step 1) –Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o –Sometimes called “no writes down” rule

15 15 Example Scenario RoleUserClearanceProjects Project Manager AliceHighProj1,Proj2,Pr oj3 InternBobLowProj1,Proj2 Dev ManagerCharlesHighProj1

16 16 Foundation Sensitivity Labels UserSensitivity Label AliceHigh:Proj1,Proj2,Proj3 BobLow:Proj1,Proj2 CharlesHigh:Proj1

17 17 Operations What is the highest Proj1 file label such that –Alice and Bob can both read? –Alice and Charles can both read? –All three can read What about write?

18 18 Biba Model Similar to BLP but focus is on integrity, not confidentiality Result is to turn the BLP model upside down –High integrity subjects cannot read lower integrity objects (no “read down”) –Subjects cannot move low integrity data to high- integrity environment (no “write up”) McLean notes that ability to flip models essentially renders their assurance properties useless

19 19 Clark-Wilson Model Reviews distinction between military and commercial policy –Military policy focus on confidentiality –Commercial policy focus on integrity Mandatory commercial controls typically involve who gets to do what type of transaction rather than who sees what (Example: cut a check above a certain dollar amount)

20 20 Clark-Wilson Model (Continued) Two types of objects: –Constrained Data Items (CDIs) –Unconstrained Data Items (UDIs) Two types of transactions on CDIs in model –Integrity Verification Procedures (IVPs) –Transformation Procedures (TPs) IVPs certify that TPs on CDIs result in valid state All TPs must be certified to result in valid transformation

21 21 Clark-Wilson Model (Continued) System maintains list of valid relations of the form: {UserID, TP, CDI/UDI} Only permitted manipulation of CDI is via an authorized TP If a TP takes a UDI as an input, then it must result in a proper CDI or the TP will be rejected Additional requirements –Auditing: TPs must write to an append-only CDI (log) –Separation of duties

22 22 Clark-Wilson versus Biba In Biba’s model, UDI to CDI conversion is performed by trusted subject only (e.g., a security officer), but this is problematic for data entry function. In Clark-Wilson, TPs are specified for particular users and functions. Biba’s model does not offer this level of granularity.

23 23 Chinese Wall Focus is on conflicts of interest. Principle: Users should not access the confidential information of both a client organization and one or more of its competitors. How it works –Users have no “wall” initially. –Once any given file is accessed, files with competitor information become inaccessible. –Unlike other models, access control rules change with user behavior

24 24 Conclusion In practice, DAC is widely used. Other models are too stringent and expensive. Access control list is common application of DAC.

Download ppt "Session 2 - Security Models and Architecture. 2 Overview Basic concepts The Models –Bell-LaPadula (BLP) –Biba –Clark-Wilson –Chinese Wall Systems Evaluation."

Similar presentations

TOPIC CLARK-WILSON MODEL Ravi Sandhu.

TOPIC CLARK-WILSON MODEL Ravi Sandhu.
CSC 405 Introduction to Computer Security

CSC 405 Introduction to Computer Security
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
Access Control Methodologies

Access Control Methodologies
Security Models and Architecture

Security Models and Architecture
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.

Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.

1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.

Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Verifiable Security Goals

Verifiable Security Goals
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
1 Integrity Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 22, 2004.

1 Integrity Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 22, 2004.
Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.

Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model Introduction to Computer Security ©2004 Matt Bishop.
Sicurezza Informatica Prof. Stefano Bistarelli

Sicurezza Informatica Prof. Stefano Bistarelli
Information Systems Security Security Architecture Domain #5.

Information Systems Security Security Architecture Domain #5.
CS526Topic 21: Integrity Models1 Information Security CS 526 Topic 21: Integrity Protection Models.

CS526Topic 21: Integrity Models1 Information Security CS 526 Topic 21: Integrity Protection Models.
User Domain Policies.

User Domain Policies.

Similar presentations

Ads by Google