Download presentation
Presentation is loading. Please wait.
Published byWendy Hill Modified over 9 years ago
1
CMSC 414 Computer (and Network) Security Lecture 11 Jonathan Katz
2
Midterm? Will be held Oct 21, in class Will cover everything up to and including the preceding lecture (Oct 16) Includes all reading posted on the class syllabus!
3
Newsgroup Send questions to newsgroup if the answer would be of interest to other students (If you want to reach me, send email)
4
Security policies “Military security policy” is primarily concerned with confidentiality –Does not exclude other concerns… “Commercial security policy” is primarily concerned with integrity (think: banking industry) –E.g., consistent transactions –The question of “trust” is much harder than the question of confidentiality
5
A few words about trust Everything rests on certain assumptions… E.g., sys admin applies patch; has this improved security? –Assumptions Patch was not tampered with Patch itself works correctly Patch will work correctly in new environment Patch installed/configured correctly Sys admin trustworthy
6
Access control Discretionary access control –User can allow/deny access to objects –Also called identity-based access control Mandatory access control –System-wide mechanism allows/denies access –E.g., root may have read access to all files –Also called rule-based access control
7
Policy languages Language for representing security policy High-level policy languages –Formal specification of policy –Example: deny(x op x) when b –E.g., deny(file.read) when (file.getname() = “/etc/passwd”)
8
Policy languages Low-level policy languages –Explicit system commands that mandate certain policy –E.g., chmod, xhost
9
Example security policy See book…
10
Covert channels Information may be leaked in unexpected ways –E.g., timing difference between login with incorrect username or incorrect password –Error messages (e.g., learn filenames) –Side effects (e.g., values of other variables) –Printers, monitors, external hardware These should be taken into account when designing security mechanism/policy
11
“Precision” of a mechanism The precision of a mechanism is a measure of how overly-restrictive the mechanism is with respect to the policy –I.e., due to preventing things that are allowed Unfortunately, it is impossible (in general) to develop a “maximally-precise” mechanism for an arbitrary policy
12
Assumptions/trust Both policies and mechanisms make certain assumptions, and determinations of “trust” –Important to recognize this –Occasionally re-think these assumptions
13
Confidentiality policies (Chapter 5)
14
Bell-LaPadula model Security classes with linear ordering Subjects have security clearance Objects have security classification Prevent read access to objects with security classification higher than the subject’s security clearance
15
Access control Can combine Bell-LaPadula model with discretionary access control as well –Simple security condition: S can read O if and only if l o l s and S has discretionary read access to O
16
Potential problems? What if I have clearance to read a file, but copy it into an unclassified location? –Potential security breach *-property –S can write O if and only if l s l o and S has discretionary write access to O “Read down; write up”
17
Basic security theorem If a system begins in a secure state, and always preserves the simple security condition and the *-property, then the system will always remain in a secure state
18
Categories We can extend the model by adding categories to each security classification –A category describes a kind of information –Objects may be in multiple categories; subjects may have access to multiple categories May be represented as a lattice –“Need to know” principle
19
Security levels Each security classification and category form a security level –Informally, a subject can read an object only if (1) the subject’s security clearance are at least the security classification of the object; and (2) the subject’s categories include the categories of the object
20
More formally… Say (L, C) dominates (L’, C’) if: –L’ L and C’ C This modifies the simple security condition as follows: –S can read O if and only if the security level of S dominates the security level of O (and S has discretionary read access to O)
21
Similarly… The *-property is modified as follows: –S can write to O if and only if the security level of O dominates the security level of S (and S has discretionary write access to O) –Basic security theorem modified accordingly Note that if A does not dominate B, this does not imply that B dominates A
22
Communicating down… How to communicate from a higher security level to a lower one? –Maximum security level and current security level –Maximum security level must always dominate the current security level –Reduce security level to write down…
23
Controversy about BL model Does the basic security theorem say anything meaningful? –Or is it just a tautology? In any case, the Bell-LaPadula model is useful
24
Integrity policies (Chapter 6)
25
Some requirements/assumptions Users will not write their own programs –Will use existing programs and databases Programs will be written/tested on a nonproduction system Special process must be followed to install new program on production system
26
Requirements, continued… The special installation process is controlled and audited Auditors must have access to both system state and system logs
27
Some corollaries… “Separation of duty” –Basically, have multiple people check any critical functions (e.g., software installation) “Separation of function” –Develop new programs on a separate system Auditing –Recovery/accountability
28
Commercial vs. military systems The Bell-LaPadula model does not work as well for commercial systems –Users given access to data as needed –Would require large number of categories and classifications –Decentralized handling of security clearances –Desire to release some information
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.