Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 TOPIC SYSTEM Z Ravi Sandhu This lecture is primarily based on: John McLean, Roger R. Schell and Donald L. Brinkley, "Security Models." Encyclopedia of.

Published byClementine Newton Modified over 8 years ago

Similar presentations

Presentation on theme: "1 TOPIC SYSTEM Z Ravi Sandhu This lecture is primarily based on: John McLean, Roger R. Schell and Donald L. Brinkley, "Security Models." Encyclopedia of."— Presentation transcript:

1 1 TOPIC SYSTEM Z Ravi Sandhu This lecture is primarily based on: John McLean, Roger R. Schell and Donald L. Brinkley, "Security Models." Encyclopedia of Software Engineering,

2 2 BLP S, fixed set of subjects O, fixed set of objects L, fixed lattice of security labels F: S U O → L, assignment of security labels to subjects and objects M: S X O → 2 {read,write}, access matrix, system state V is set of all possible system states A system consists of –An initial state v 0 –A set of requests R –A state transition function T: V X R → V

3 3 BLP is read secure (simple security) iff for all s, o read in M[s,o] → F(s) ≥ F(o) is write secure (star-property) iff for all s, o write in M[s,o] → F(s) ≤ F(o) is state secure iff it is read secure and write secure

4 4 BLP BASIC SECURITY THEOREM (BST)

5 5 BLP WITH TRANQUILITY F does not change F v (s) = F v0 (s) F v (o) = F v0 (o) BLP with tranquility is intuitively secure BLP with tranquility satisfies BST and thereby is formally “secure” BUT System Z is intuitively (and egregiously) insecure System Z satisfies BST so BST is useless

6 6 SYSTEM Z Initial state v 0 is state secure Single transition rule: on any read or write request all subjects and objects are downgraded to system low and the access is allowed System Z satisfies Basic Security Theorem

7 7 BLP WITH HIGH WATER MARK F(o) does not change, F v (o) = F v0 (o) F(s) can change but –only upwards, F v (s) ≥ F v0 (s) –only as far as user’s clearance, F v (s) ≤ F(user(s)) –every change upwards in F(s) requires removal of write from M[s,o] cells where after the change F(s) > F(o) BLP with high water mark is considered intuitively secure (and also satisfies BST)

8 8 BLP WITH LOW WATER MARK F(o) does not change, F v (o) = F v0 (o) F(s) can change but –only downwards, F v (s) ≤ F v0 (s) –can downgrade all the way to system low –every change downwards in F(s) requires removal of read from M[s,o] cells where after the change F(s) < F(o) BLP with low water mark is considered intuitively insecure (and also satisfies BST) –memory of higher level reads can be retained in RAM, cache, CPU registers, program counter, etc

9 9 NON-INTERFERENCE Views the system as a black box with input/output events that are caused by users McLean’s paper assigns an input event the same level as the user’s clearance. This is not correct. More correctly an input event can be caused by a user but its security level should be specifiable by the user. Reasonably intuitive and intuitively secure for deterministic systems For non-deterministic systems it pushes intuition boundaries

10 10 NON-INTERFERENCE time Inputs Outputs HLLHHLHH HHHLLHL

11 11 NON-INTERFERENCE time Inputs Outputs HLLHHLHH LLL

12 12 NON-INTERFERENCE time Inputs Outputs LLL LLL

13 13 NON-INTERFERENCE

14 14 NON-INTERFERENCE

15 15 NON-INTERFERENCE vs BLP Generally understood that non-interference can deal with storage covert channels but not with timing covert channels

16 16 NON-INTERFERENCE AND ENCRYPTION XOR XV Y X: plaintext V: encryption key (one-time pad) Y: ciphertext

Download ppt "1 TOPIC SYSTEM Z Ravi Sandhu This lecture is primarily based on: John McLean, Roger R. Schell and Donald L. Brinkley, "Security Models." Encyclopedia of."

Similar presentations

ACCESS-CONTROL MODELS

ACCESS-CONTROL MODELS
Symmetric Message Authentication Codes Prof. Ravi Sandhu.

Symmetric Message Authentication Codes Prof. Ravi Sandhu.
ROLE HIERARCHIES AND CONSTRAINTS FOR LATTICE-BASED ACCESS CONTROLS

ROLE HIERARCHIES AND CONSTRAINTS FOR LATTICE-BASED ACCESS CONTROLS
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
1 COVERT CHANNELS Ravi Sandhu. 2 COVERT CHANNELS A covert channel is a communication channel based on the use of system resources not normally intended.

1 COVERT CHANNELS Ravi Sandhu. 2 COVERT CHANNELS A covert channel is a communication channel based on the use of system resources not normally intended.
CMSC 414 Computer (and Network) Security Lecture 12 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 12 Jonathan Katz.
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.

Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
Database Security - Farkas 1 Database Security and Privacy.

Database Security - Farkas 1 Database Security and Privacy.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Bell-LaPadula Model. www.wiley.com/go/gollmann2 Why Security Models?  When we have implemented a security policy, do we know that it will (and can) be.

Bell-LaPadula Model. Why Security Models?  When we have implemented a security policy, do we know that it will (and can) be.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Verifiable Security Goals

Verifiable Security Goals
Robust Declassification Steve Zdancewic Andrew Myers Cornell University.

Robust Declassification Steve Zdancewic Andrew Myers Cornell University.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.

Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
Midterm Tuesday October 23 Covers Chapters 3 through 6 - Buses, Clocks, Timing, Edge Triggering, Level Triggering - Cache Memory Systems - Internal Memory.

Midterm Tuesday October 23 Covers Chapters 3 through 6 - Buses, Clocks, Timing, Edge Triggering, Level Triggering - Cache Memory Systems - Internal Memory.
Processor Architecture Kieran Mathieson. Outline Memory CPU Structure Design a CPU Programming Design Issues.

Processor Architecture Kieran Mathieson. Outline Memory CPU Structure Design a CPU Programming Design Issues.
MT Computer Security - Models & Policies

MT Computer Security - Models & Policies
CS526Topic 21: Integrity Models1 Information Security CS 526 Topic 21: Integrity Protection Models.

CS526Topic 21: Integrity Models1 Information Security CS 526 Topic 21: Integrity Protection Models.
User Domain Policies.

User Domain Policies.
1 TOPIC THE CHINESE WALL LATTICE Ravi Sandhu. 2 CHINESE WALL POLICY Example of a commercial security policy for confidentiality Mixture of free choice.

1 TOPIC THE CHINESE WALL LATTICE Ravi Sandhu. 2 CHINESE WALL POLICY Example of a commercial security policy for confidentiality Mixture of free choice.

Similar presentations

Ads by Google