Lattice-based Access Control Models 2
Daniel Trivellato
06/10/2008, DTM course - Daniel Trivellato

Outline
- Review of BLP
- The Biba model
- Multi-lateral security: the Chinese Wall
- Exercises and discussion
Security lattice - Example
Levels: TS, S with TS > S
Compartments: Nuclear, Chemical
Security classes (level, set of compartments) of the example lattice:
  TS, {Nuclear, Chemical}
  TS, {Nuclear}   TS, {Chemical}   S, {Nuclear, Chemical}
  TS, {}   S, {Nuclear}   S, {Chemical}
  S, {}
The partial order on security classes is called dominates:
  (L1, C1) ≥ (L2, C2) iff L1 ≥ L2 and C2 ⊆ C1
The BLP model
- formalizes a mandatory policy for secrecy
- goal: prevent information flow to LOWER or incomparable security classes
- idea: augment DAC with MAC (security labels) to enforce information flow policies
- two-step approach:
  1. discretionary access matrix D
  2. operations authorized by the MAC policy, over which users have no control
BLP mandatory access rules
- object o has security label (class) SL(o)
- subject s has security label (clearance) SL(s)
- simple security property: subject s can read object o only if SL(s) ≥ SL(o)  (NO READ UP)
- *-property: subject s can write object o only if SL(o) ≥ SL(s)  (NO WRITE DOWN)
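The lattice of the previous slide and the two BLP rules, as an added Python example that is not part of the original deck. It encodes a security class as a (level, frozenset of compartments) pair, ranks levels by their position in a list, and derives dominates, lub/glb and the read/write decisions from that. The level and compartment names are the slide's; the function and variable names are this example's own. The same `security_lattice` function also generates the 24-node lattice asked for in the exercise at the end of the deck.

```python
from itertools import combinations
from typing import FrozenSet, List, Sequence, Tuple

# A security class is (level, set of compartments). Levels are ranked by their
# position in a list, lowest first; compartment sets are frozensets.
# Constructed values follow the slide's example: TS > S, compartments Nuclear, Chemical.
SecurityClass = Tuple[str, FrozenSet[str]]
LEVELS = ["S", "TS"]
COMPARTMENTS = ["Nuclear", "Chemical"]


def sc(level: str, *compartments: str) -> SecurityClass:
    """Build a security class from a level name and compartment names."""
    return (level, frozenset(compartments))


def dominates(a: SecurityClass, b: SecurityClass, levels: Sequence[str] = LEVELS) -> bool:
    """(L1, C1) >= (L2, C2) iff L1 >= L2 and C2 is a subset of C1."""
    (l1, c1), (l2, c2) = a, b
    return levels.index(l1) >= levels.index(l2) and c2 <= c1


def lub(a: SecurityClass, b: SecurityClass, levels: Sequence[str] = LEVELS) -> SecurityClass:
    """Least upper bound: the higher level with the union of the compartments."""
    return (max(a[0], b[0], key=levels.index), a[1] | b[1])


def glb(a: SecurityClass, b: SecurityClass, levels: Sequence[str] = LEVELS) -> SecurityClass:
    """Greatest lower bound: the lower level with the intersection of the compartments."""
    return (min(a[0], b[0], key=levels.index), a[1] & b[1])


def security_lattice(levels: Sequence[str], compartments: Sequence[str]) -> List[SecurityClass]:
    """Enumerate every class: each level paired with each compartment subset (n * 2^m nodes)."""
    return [
        (level, frozenset(subset))
        for level in levels
        for k in range(len(compartments) + 1)
        for subset in combinations(compartments, k)
    ]


def blp_can_read(subject: SecurityClass, obj: SecurityClass, levels: Sequence[str] = LEVELS) -> bool:
    """Simple security property (no read up): SL(s) must dominate SL(o)."""
    return dominates(subject, obj, levels)


def blp_can_write(subject: SecurityClass, obj: SecurityClass, levels: Sequence[str] = LEVELS) -> bool:
    """*-property (no write down): SL(o) must dominate SL(s)."""
    return dominates(obj, subject, levels)


if __name__ == "__main__":
    analyst = sc("TS", "Nuclear")
    for obj in security_lattice(LEVELS, COMPARTMENTS):
        print(obj,
              "read" if blp_can_read(analyst, obj) else "-",
              "write" if blp_can_write(analyst, obj) else "-")
```

Note that (TS, {}) and (S, {Nuclear}) are incomparable: neither dominates the other, so a TS subject without the Nuclear compartment can neither read the object nor can the object's class be written down to; their lub (TS, {Nuclear}) and glb (S, {}) are the classes that bracket both.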
BLP information flow
Figure: subjects and objects at the four levels TS, S, C, U (TS highest); a read carries information from the object to the subject and a write from the subject to the object, so with no-read-up and no-write-down information flows only upwards, from U towards TS.
BLP + tranquility
Tranquility property
- strong: security labels never change during system operation (TOO STRONG!)
- weak: labels never change in such a way as to violate a defined security policy
  e.g. dynamic upgrade of labels, principle of least privilege
Mandatory policies for integrity
- policies for secrecy control only improper leakage of information; they do not safeguard integrity!
- assign integrity classes to:
  - subjects: reflect the subject's trustworthiness not to improperly modify the information
  - objects: reflect the potential damage that could result from improper modification/deletion
The Biba model
- defines a mandatory policy for integrity
- goal: prevent information flow to HIGHER or incomparable integrity classes
- the strict integrity policy is based on principles dual to those of BLP
Biba mandatory access rules
- object o has integrity label (class) IL(o)
- subject s has integrity label IL(s)
- simple integrity property: subject s can read object o only if IL(s) ≤ IL(o)  (NO READ DOWN)
- *-integrity property: subject s can write object o only if IL(s) ≥ IL(o)  (NO WRITE UP)
Biba information flow
Figure: subjects and objects at the three integrity levels HI, MI, LI (HI highest); with no-read-down and no-write-up information flows only downwards, from HI towards LI.
Combining Biba and BLP
The security class of each object consists of two labels:
- a security label SL
- an integrity label IL
The combined mandatory controls are:
- subject s can read object o only if SL(s) ≥ SL(o) and IL(s) ≤ IL(o)
- subject s can write object o only if SL(s) ≤ SL(o) and IL(s) ≥ IL(o)
Implemented in several OSs, DBs and network products for the military domain.
BLP + Biba - Example
SL = {S_H, S_L}, S_H ≥ S_L
IL = {I_H, I_L}, I_H ≥ I_L
Access rights of a subject (row) on an object (column); r = read, w = write, - = no access:

  subject \ object | S_L,I_L | S_L,I_H | S_H,I_L | S_H,I_H
  S_L,I_L          |   rw    |    r    |    w    |    -
  S_L,I_H          |    w    |   rw    |    w    |    w
  S_H,I_L          |    r    |    r    |   rw    |    r
  S_H,I_H          |    -    |    r    |    w    |   rw

Figures: the BLP lattice orders the four classes by secrecy label (S_L below S_H) and the Biba lattice by integrity label (I_L below I_H); the arrows mark the direction of permitted information flow in each.
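The Biba rules and the combined BLP + Biba controls of the last three slides, as an added Python example (not code from the original deck). The two labels are treated as a pair (secrecy, integrity) with S_H ≥ S_L and I_H ≥ I_L as on the slide; the names of the functions are this example's own. Running it regenerates the 4 x 4 access matrix above from the rules alone, which is a quick way to check a hand-drawn matrix.

```python
from typing import Dict, List, Sequence, Tuple

# Labels from the slide's example, lowest first: S_H >= S_L, I_H >= I_L.
SECRECY = ["S_L", "S_H"]
INTEGRITY = ["I_L", "I_H"]
Cls = Tuple[str, str]  # (secrecy label, integrity label)


def ge(a: str, b: str, order: Sequence[str]) -> bool:
    """a >= b in a total order given as a list with the lowest label first."""
    return order.index(a) >= order.index(b)


def biba_can_read(subject: Cls, obj: Cls) -> bool:
    """Simple integrity property (no read down): IL(s) <= IL(o)."""
    return ge(obj[1], subject[1], INTEGRITY)


def biba_can_write(subject: Cls, obj: Cls) -> bool:
    """*-integrity property (no write up): IL(s) >= IL(o)."""
    return ge(subject[1], obj[1], INTEGRITY)


def blp_can_read(subject: Cls, obj: Cls) -> bool:
    """Simple security property (no read up): SL(s) >= SL(o)."""
    return ge(subject[0], obj[0], SECRECY)


def blp_can_write(subject: Cls, obj: Cls) -> bool:
    """*-property (no write down): SL(s) <= SL(o)."""
    return ge(obj[0], subject[0], SECRECY)


def can_read(subject: Cls, obj: Cls) -> bool:
    """Combined control: SL(s) >= SL(o) and IL(s) <= IL(o)."""
    return blp_can_read(subject, obj) and biba_can_read(subject, obj)


def can_write(subject: Cls, obj: Cls) -> bool:
    """Combined control: SL(s) <= SL(o) and IL(s) >= IL(o)."""
    return blp_can_write(subject, obj) and biba_can_write(subject, obj)


def rights(subject: Cls, obj: Cls) -> str:
    """Compact cell as on the slide: 'rw', 'r', 'w' or '-'."""
    cell = ("r" if can_read(subject, obj) else "") + ("w" if can_write(subject, obj) else "")
    return cell or "-"


# Same order as the slide's rows and columns.
CLASSES: List[Cls] = [(s, i) for s in SECRECY for i in INTEGRITY]


def access_matrix() -> Dict[Cls, Dict[Cls, str]]:
    """Full subject-by-object matrix of access rights."""
    return {s: {o: rights(s, o) for o in CLASSES} for s in CLASSES}


def matrix_rows() -> Dict[str, str]:
    """Each row rendered as the slide's compact string, e.g. 'rw r w -'."""
    return {f"{s[0]},{s[1]}": " ".join(rights(s, o) for o in CLASSES) for s in CLASSES}


if __name__ == "__main__":
    header = " | ".join(f"{o[0]},{o[1]}" for o in CLASSES)
    print(f"{'subject':16}| {header}")
    for row, cells in matrix_rows().items():
        print(f"{row:16}| {cells}")
```

Note how the only class that can both read and write a given object is the object's own class: secrecy forbids crossing S levels in one direction and integrity forbids crossing I levels in the other, so the combined lattice leaves each class an island for read-write access.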
Biba alternative policies
low-water-mark for subjects (no write up):
- a subject s can write object o only if IL(s) ≥ IL(o)
- a subject s can read any object o; after the access IL(s) = glb(IL(s), IL(o))
low-water-mark for objects (no read down):
- a subject s can read object o only if IL(o) ≥ IL(s)
- a subject s can write any object o; after the access IL(o) = glb(IL(s), IL(o))
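Both low-water-mark variants, as an added Python example (not code from the original deck). It uses the three integrity levels LI < MI < HI of the Biba information-flow figure; entity names such as "updater" and "download.bin" are constructed for the demo. The two `demo_*` functions show the point of each variant: the label is demoted by the unrestricted operation, and from then on the restricted operation that used to succeed is refused.

```python
from dataclasses import dataclass
from typing import Tuple

# Integrity levels, lowest first (constructed to match the slide's LI, MI, HI).
INTEGRITY = ["LI", "MI", "HI"]


def glb(a: str, b: str) -> str:
    """Greatest lower bound of two integrity labels in a total order."""
    return min(a, b, key=INTEGRITY.index)


def ge(a: str, b: str) -> bool:
    return INTEGRITY.index(a) >= INTEGRITY.index(b)


@dataclass
class Entity:
    """A subject or an object with a mutable integrity label."""
    name: str
    il: str


# --- low-water-mark for subjects: no write up; any read is allowed but demotes the subject ---
def subj_lwm_read(s: Entity, o: Entity) -> bool:
    s.il = glb(s.il, o.il)   # the subject is now only as trustworthy as what it has read
    return True


def subj_lwm_write(s: Entity, o: Entity) -> bool:
    return ge(s.il, o.il)    # IL(s) >= IL(o)


# --- low-water-mark for objects: no read down; any write is allowed but demotes the object ---
def obj_lwm_read(s: Entity, o: Entity) -> bool:
    return ge(o.il, s.il)    # IL(o) >= IL(s)


def obj_lwm_write(s: Entity, o: Entity) -> bool:
    o.il = glb(s.il, o.il)   # the object is now only as trustworthy as its least trusted writer
    return True


def demo_subject_lwm() -> Tuple[bool, bool, str]:
    """A high-integrity process reads a low-integrity download and loses the right to write a system file."""
    proc = Entity("updater", "HI")
    download = Entity("download.bin", "LI")
    cfg = Entity("system.cfg", "HI")
    before = subj_lwm_write(proc, cfg)
    subj_lwm_read(proc, download)
    after = subj_lwm_write(proc, cfg)
    return before, after, proc.il


def demo_object_lwm() -> Tuple[bool, bool, str]:
    """A low-integrity subject writes a report; high-integrity readers can no longer rely on it."""
    report = Entity("report.doc", "HI")
    untrusted = Entity("guest", "LI")
    auditor = Entity("auditor", "HI")
    before = obj_lwm_read(auditor, report)
    obj_lwm_write(untrusted, report)
    after = obj_lwm_read(auditor, report)
    return before, after, report.il


if __name__ == "__main__":
    print("subject low-water-mark (write before, write after, IL(s)):", demo_subject_lwm())
    print("object low-water-mark  (read before, read after, IL(o)):  ", demo_object_lwm())
```

Because labels only ever move down (glb), both variants are monotone: a subject or object that has been contaminated never regains its level without an explicit administrative relabel, which is the price paid for allowing the otherwise forbidden operation.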
Biba weaknesses
- flow controls may turn out to be too restrictive in the commercial domain
- authorizations are linked to programs, rather than to subjects
- enforces integrity only by preventing information flows from lower to higher classifications
  - the integrity problem is much more than this
  - integrity also has to prevent improper use of data
  - concurrency control and recovery techniques
  - integrity constraints (limitations on values)
Biba in the real world – Windows Vista
- Microsoft Windows Vista adopts a multi-level integrity policy
- file objects are marked with an integrity level: Low, Medium, High, System (critical Vista files)
- Internet Explorer runs by default at Low
- things downloaded with IE can read but not write system files or anything else with a higher integrity level
- the no-read-down constraint is dropped
Alternative models for integrity
Well-formed transaction rules are based on the ACID principles:
- Atomicity: either all actions of a transaction are performed or none of them
- Consistency: a transaction must preserve the integrity constraints on the data
- Isolation: the concurrent execution of a set of transactions must have the same effects as their serial execution
- Durability: the results of committed transactions are permanent
The ACID properties do not take the subject into consideration.
Clark and Wilson (1/2)
Four basic criteria to safeguard integrity:
- Authentication: the system must separately authenticate and identify the user
- Audit: the system must log programs executed and the name of the authorizing user
- Well-formed transactions: data items can be manipulated only by a restricted set of programs that meet the well-formed transaction rule
- Separation of duty: each user is associated with a set of programs to be run, and the set must meet the separation of duty rule
Clark and Wilson (2/2)
Advantages
- addresses integrity in a more complete way
- models commercial environments
Shortcomings
- not well formalized
- it is difficult to reason about security properties
The Chinese wall
- Brewer and Nash (1989)
- arises in the commercial sector (consultancy)
- goal: prevent information flows which cause conflicts of interest for individual consultants
- mandatory dynamic separation of duty
Chinese wall - Motivation
- consultants deal with confidential companies' information for their clients
- a consultant should not have access to information about, for example, two banks or two oil companies
- this would create a conflict of interests:
  - influence in the analysis
  - disservice to the client
  - potential use for personal profit
Objects classification
The model makes a first distinction between:
- public objects
- company information: needs to be protected
Company information is organized hierarchically in 3 levels:
- basic objects (e.g. files)
- company datasets: group objects referring to the same corporation
- conflict of interest classes: group all company datasets whose corporations are in competition
Object classification - Example
Public information: public bulletin boards, public databases, etc.
Conflict of Interest Class 1
  Company A: ObjA-1, ObjA-2, ObjA-3
  Company B: ObjB-1, ObjB-2
Conflict of Interest Class 2
  Company C: ObjC-1, ObjC-2
  Company D: ObjD-1, ObjD-2, ObjD-3, ObjD-4
Policy rules (1/2)
simple security rule: a subject s can access an object o only if
- o is in the same company dataset as all the objects that s has already accessed (within the wall), or
- o belongs to a different conflict of interest class
but… users may need to compare information from different corporations!
sanitization: disguising corporate information, preventing the discovery of its identity
Policy rules (2/2)
*-property: a subject s can write an object o only if
- access is permitted by the simple security rule
- no object can be read by s (no authorization) which (i) is in a different company dataset than o and (ii) contains unsanitized information
Example of the indirect flow the rule prevents: Alice reads ObjA-1 and writes ObjC-1, Bob reads ObjC-1 and writes ObjB-1
Figure: the classification tree of the previous slide with Alice's and Bob's reads and writes drawn on it; through ObjC-1, information about Company A reaches Company B's dataset.
Chinese wall axioms
- the simple security property prevents flow by a single user
- the *-property rule prevents indirect flows that can be enacted by collusion between users
- sanitization provides more flexibility w.r.t. the application of the policy
- discretionary access is assumed to be enforced
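The simple security rule and the *-property of the last two slides, run on the slide's Alice/Bob scenario, as an added Python example (not code from the original deck). The object set is a constructed subset of the classification example (companies A, B in class 1, C, D in class 2, plus a public bulletin); sanitized objects are treated like public ones, which is this example's reading of the slide. To make the indirect flow visible, each object carries a constructed `contents` set of the companies whose information it holds, and a write copies everything the writer has read into the target. The `enforce_star` flag lets the collusion be replayed with and without the *-property.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Obj:
    """A Chinese-wall object; company=None means a public object (no company dataset)."""
    name: str
    company: Optional[str] = None
    coi: Optional[str] = None          # conflict-of-interest class of the company
    sanitized: bool = False
    # Companies whose information the object holds (constructed, only to trace flows).
    contents: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if self.company and not self.contents:
            self.contents = {self.company}

    @property
    def unsanitized(self) -> bool:
        return self.company is not None and not self.sanitized


class ChineseWall:
    def __init__(self, objects: List[Obj], enforce_star: bool = True) -> None:
        self.objects: Dict[str, Obj] = {o.name: o for o in objects}
        self.enforce_star = enforce_star
        # Per user: COI class -> the single company dataset accessed in that class (the wall).
        self.wall: Dict[str, Dict[str, str]] = defaultdict(dict)
        # Per user: companies whose information the user has read (constructed flow tracing).
        self.knows: Dict[str, Set[str]] = defaultdict(set)

    def can_read(self, user: str, name: str) -> bool:
        """Simple security rule: public/sanitized objects always; otherwise o must belong to the
        dataset already chosen in its COI class, or that class must not have been touched yet."""
        o = self.objects[name]
        if not o.unsanitized:
            return True
        return self.wall[user].get(o.coi, o.company) == o.company

    def can_write(self, user: str, name: str) -> bool:
        """*-property: the simple rule holds and no unsanitized object the user could read
        lies in a different company dataset than the target."""
        if not self.can_read(user, name):
            return False
        if not self.enforce_star:
            return True
        target = self.objects[name]
        return not any(
            p.unsanitized and p.company != target.company and self.can_read(user, p.name)
            for p in self.objects.values()
        )

    def _record(self, user: str, o: Obj) -> None:
        if o.unsanitized:
            self.wall[user][o.coi] = o.company

    def read(self, user: str, name: str) -> bool:
        ok = self.can_read(user, name)
        if ok:
            o = self.objects[name]
            self._record(user, o)
            self.knows[user] |= o.contents
        return ok

    def write(self, user: str, name: str) -> bool:
        ok = self.can_write(user, name)
        if ok:
            o = self.objects[name]
            self._record(user, o)
            o.contents |= self.knows[user]
        return ok


def slide_objects() -> List[Obj]:
    """Constructed subset of the slide's classification: class 1 = {A, B}, class 2 = {C, D}."""
    return [Obj("ObjA-1", "A", "COI1"), Obj("ObjA-2", "A", "COI1"), Obj("ObjB-1", "B", "COI1"),
            Obj("ObjC-1", "C", "COI2"), Obj("ObjD-1", "D", "COI2"), Obj("bulletin")]


def collusion_trace(enforce_star: bool) -> Tuple[List[bool], List[str]]:
    """The slide's scenario: Alice reads ObjA-1 and writes ObjC-1; Bob reads ObjC-1 and writes
    ObjB-1. Returns the four decisions and the companies whose information ends up in ObjB-1."""
    wall = ChineseWall(slide_objects(), enforce_star)
    steps = [wall.read("alice", "ObjA-1"), wall.write("alice", "ObjC-1"),
             wall.read("bob", "ObjC-1"), wall.write("bob", "ObjB-1")]
    return steps, sorted(wall.objects["ObjB-1"].contents)


if __name__ == "__main__":
    print("without *-property:", collusion_trace(enforce_star=False))
    print("with *-property:   ", collusion_trace(enforce_star=True))
```

Without the *-property every step is allowed and ObjB-1 ends up holding Company A's information, a conflict inside class 1 that neither Alice nor Bob could have caused alone. With it, Alice's write to ObjC-1 is refused because she can still read unsanitized A data, and Bob's write to ObjB-1 is refused for the same reason. The rule as stated is strict: a write is permitted only when every unsanitized object the user may read lies in the target's own dataset, so with two COI classes in play a consultant can write company data only after the other class has been walled off for them as well, which is why the deck later lists accessibility among the model's open problems.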
Policy model
- assume there are n conflict of interest classes (COI)
- each object o is labeled with the set of companies of which it contains information:
  L(o) = {c_1, c_2, …, c_n}, where c_i ∈ COI_i ∪ {⊥}, for i = 1, …, n
- the clearance of a user is a high-water mark that can float up in the lattice but not down
Chinese wall - Example
consider 2 conflict of interest classes:
- Banks = {Bank A, Bank B}
- Oil Companies = {OC1, OC2}
then labels such as {Bank A, OC1, OC2} are contrary to the Chinese wall policy
- a new consultant starts with no mandatory restriction on access rights (i.e. clearance {⊥, ⊥})
- if he reads a file about Bank A, his clearance becomes {Bank A, ⊥}
The lattice
Labels are compared according to the dominance relation, defined as follows:
  let L_1 = {c^1_1, c^1_2, …, c^1_n} and L_2 = {c^2_1, c^2_2, …, c^2_n};
  L_1 ≥ L_2 iff c^1_i = c^2_i or c^2_i = ⊥, for all i = 1, …, n
- the label {⊥, ⊥} corresponds to public information
- the label SysHigh dominates all other labels:
  - it combines information from different companies in the same COI class (access to all), contrary to the Chinese wall policy
  - no user gets this clearance; exceptions: system administration and audit
The lattice - Example
(Hasse diagram, bottom to top)
  {⊥, ⊥}
  {Bank A, ⊥}   {Bank B, ⊥}   {⊥, OC1}   {⊥, OC2}
  {Bank A, OC1}   {Bank A, OC2}   {Bank B, OC1}   {Bank B, OC2}
  SysHigh
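The label lattice of the last three slides, as an added Python example (not code from the original deck). A label is a tuple with one slot per COI class, `None` standing in for ⊥, and `SysHigh` is a separate top element. `dominates` is the slide's relation, `lub` is the join it induces (two competitors in one class can only be joined at SysHigh), and `Consultant` implements the high-water-mark clearance that floats up with each read: a read whose join would reach SysHigh is refused and the clearance stays put. Class and company names are the slide's; the function and class names are this example's own.

```python
from itertools import product
from typing import List, Optional, Tuple, Union

# One slot per conflict-of-interest class, in this order; None stands for the slide's ⊥.
COI: List[Tuple[str, ...]] = [("Bank A", "Bank B"), ("OC1", "OC2")]
Label = Tuple[Optional[str], ...]
SYSHIGH = "SysHigh"
AnyLabel = Union[Label, str]
PUBLIC: Label = (None, None)   # {⊥, ⊥}


def is_valid(label: Label) -> bool:
    """A label names at most one company per COI class, and only from that class."""
    return len(label) == len(COI) and all(c is None or c in cls for c, cls in zip(label, COI))


def dominates(l1: AnyLabel, l2: AnyLabel) -> bool:
    """L1 >= L2 iff for every class i, c1_i == c2_i or c2_i is ⊥; SysHigh dominates everything."""
    if l1 == SYSHIGH:
        return True
    if l2 == SYSHIGH:
        return False
    return all(a == b or b is None for a, b in zip(l1, l2))


def lub(l1: AnyLabel, l2: AnyLabel) -> AnyLabel:
    """Least upper bound: fill ⊥ slots from the other label; a clash of competitors is SysHigh."""
    if SYSHIGH in (l1, l2):
        return SYSHIGH
    out = []
    for a, b in zip(l1, l2):
        if a is None or a == b:
            out.append(b)
        elif b is None:
            out.append(a)
        else:
            return SYSHIGH   # two companies of the same COI class: only SysHigh is above both
    return tuple(out)


def lattice_nodes() -> List[AnyLabel]:
    """Every label with at most one company per COI class, plus SysHigh."""
    return [tuple(t) for t in product(*[(None,) + cls for cls in COI])] + [SYSHIGH]


class Consultant:
    """Clearance is a high-water mark: it floats up with each read and never down."""

    def __init__(self) -> None:
        self.clearance: AnyLabel = PUBLIC

    def read(self, obj_label: Label) -> bool:
        new = lub(self.clearance, obj_label)
        if new == SYSHIGH:      # would combine competing companies: refused, clearance unchanged
            return False
        self.clearance = new
        return True


if __name__ == "__main__":
    c = Consultant()
    for label in [("Bank A", None), (None, "OC1"), ("Bank B", None), PUBLIC]:
        print(label, "->", "ok" if c.read(label) else "refused", "clearance now", c.clearance)
    print(len(lattice_nodes()), "lattice nodes")
```

The refusal of ("Bank B", ⊥) after Bank A has been read is the wall: the consultant's clearance would have to reach SysHigh, and SysHigh is exactly the clearance the slide reserves for administration and audit.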
Chinese wall weaknesses
- not completely formalized
- leaves open problems, such as:
  - keeping and managing the history of accesses
  - ensuring accessibility (e.g. if all the users read the same datasets, the system becomes unusable)
  - data sanitization is not addressed (complex)
Summary
Biba: mandatory policy for integrity
- principles are dual to BLP
- combined with BLP to deal with both secrecy and integrity
- does not take into account all aspects of integrity
Chinese wall: multi-lateral security model to prevent conflicts of interest for consultants
- users cannot access (neither directly nor indirectly) information about competing companies
Exercises (lecture 1)
Construct a lattice of security classes for security levels {public, secret, top-secret} and compartments {army, politics, business}.
Solution (lattice drawn bottom to top; levels P = public, S = secret, TS = top-secret; compartments A = army, P = politics, B = business):
  P,{}
  S,{}   P,{A}   P,{P}   P,{B}
  TS,{}   P,{A,B}   P,{A,P}   P,{P,B}   S,{A}   S,{P}   S,{B}
  TS,{A}   TS,{P}   TS,{B}   S,{A,B}   S,{A,P}   S,{P,B}   P,{A,P,B}
  TS,{A,B}   TS,{A,P}   TS,{P,B}   S,{A,P,B}
  TS,{A,P,B}
Security levels: n = 3; compartments: m = 3; lattice nodes: n * 2^m = 3 * 2^3 = 24
Exercises
- Is it reasonable for an object to have security label "unclassified" and integrity label "high"? Give an example in which it makes sense.
- How can we combine BLP and Biba in such a way that they both allow information to flow only upwards?
- Can we combine MAC with RBAC? How?
Exercises
- What is the conceptual difference between the BLP and the Chinese wall policy?
- Why does the Chinese wall policy prohibit a consultant from accessing information about 2 competing companies?
- For which purpose do we need a SysHigh label dominating all other labels in the Chinese wall lattice?
Discussion
- Questions
- Issues
The most important lesson…
100% security is impossible to achieve
…and it would not be flexible enough for ANY real world system!!!
When designing security:
- establish YOUR security goals
- find good compromises
- keep in mind the weaknesses of your system
References
- Ravi S. Sandhu, Lattice-Based Access Control Models (strongly recommended)
- Carl E. Landwehr, Formal Models for Computer Security (strongly recommended)
- Pierangela Samarati, Sabrina De Capitani di Vimercati, Access Control: Policies, Models, and Mechanisms (recommended)
- Ross Anderson, Security Engineering (2nd Edition) (suggested)
Thank you for your attention!
Questions?
d.trivellato@tue.nl