Materials credits: M. Bishop, UC Davis T. Jaeger, Penn State U.


1 Security Policy Model
Materials credits: M. Bishop, UC Davis; T. Jaeger, Penn State U.

2 Integrity Policy

3 Background (1)
- Business tends to focus on integrity rather than confidentiality.
- Subjects and objects may be labeled with integrity levels I, where i1 ≤ i2 means i2 dominates i1.
- Higher level = more trustworthy = higher integrity.
  - Subject: a program on a Windows CD (trusted) vs. a downloaded Java applet (untrusted)
  - Object: system logs (trusted) vs. an attachment from an unknown sender (untrusted)

4 Background (2): Integrity policy vs. confidentiality policy
- Integrity levels ≠ security levels (they may overlap):
  - A General with secret clearance is trusted.
  - A company like GE is trusted but not normally allowed to upload military secrets (unless they have a contract).
- Information flows differently:
  - Information is disclosed (flows down) when:
    - Read-up: a visitor (unclassified) reads personnel files (secret)
    - Write-down: a cryptographer (secret) writes an activity log (unclassified)
  - Information is corrupted (flows up) when:
    - Read-down: IE (trusted) opens a file containing a virus (untrusted)
    - Write-up: a downloaded Java applet (untrusted) writes something into the Windows registry (trusted)
(Diagram: the security levels secret/unclassified beside the integrity levels trusted/untrusted)

5 Strict Integrity Policy: The Biba Model
- If BLP prevents information from flowing down (being disclosed), then BLP-upside-down will prevent information from flowing up (getting corrupted).
- Biba orders levels by "dominates"; information may only flow from higher integrity to lower.
(Diagram: Biba levels High Integrity > Some integrity > Suspicious > Garbage, with the permitted direction of information flow)

6 Biba = BLP Upside-down
- BLP = read-down and write-up
- Biba = read-up and write-down
(Diagram: Biba levels High Integrity > Some integrity > Suspicious > Garbage, with arrows for information flow, write and read)

7 Notation
- S = subjects, O = objects, I = integrity levels
- i1 ≤ i2 says i2 dominates i1
- min(i1, i2) is the lesser of i1 and i2
- i(s), i(o) = integrity level of s ∈ S and o ∈ O
- s r o says s can read o
- s w o says s can write o
- s x s' says s can execute s'

8 Strict Integrity Policy (formal): Biba's Model
For any s ∈ S and o ∈ O:
- s r o iff i(s) ≤ i(o) (read-up)
- s w o iff i(o) ≤ i(s) (write-down)
- s1 x s2 iff i(s2) ≤ i(s1) (execute-up)
Execute is a special type of read. Why? Because execution does not corrupt code!
Compartments and discretionary controls can be added to get the full dual of BLP.

9 Combining Biba and BLP
- Important: security levels (BLP) and integrity levels (Biba) are two different things.
- Whether they overlap one another depends on the application.
- When they do overlap, enforcement of BLP and Biba may conflict.

10 Combining Biba and BLP (Cont'd)
What if they are exactly reversed?
- Secret and untrusted: downloaded software is untrusted and should not be read/executed by everyone.
- Unclassified and trusted: system binaries are trusted and can be executed by anyone.
Then both the rules and the levels are dual, so BLP and Biba work in the same way:
- Read-down in BLP becomes read-up in Biba
- Write-up in BLP becomes write-down in Biba


12 Combining Biba and BLP (Cont'd)
- Suppose that an object is a (top-secret, user) object.
- Only subjects authorized to read both top-secret objects (BLP) and user-integrity objects (Biba) are allowed to read it; a subject at (secret, low) or at (top-secret, appl) is not.
- As for writing, a subject's integrity and secrecy classes must each individually permit the subject to write to the object for the write to be authorized.

13 Typical Commercial Requirements
1. Users do not write their own programs, but use existing production programs and databases.
2. Programmers develop and test programs on a non-production system; if they need access to production data, they are given data via a special process and can only use it on the development system.
3. A special process must be followed to transfer a program from the development system onto the production system.
4. The special process of requirement 3 must be controlled and audited.
5. The managers and auditors must have access to both the system state and the system logs that are generated.

14 Lipner's Lattice (BLP+Biba)
- A realistic example showing that BLP and Biba can be combined to meet commercial requirements.
- How does it combine BLP and Biba?
  - Uses disjoint sets of security levels and integrity levels.
  - BLP goes first, and Biba is added in only when necessary.

15 The BLP Part
- 2 security clearances/classifications:
  - AM (Audit Manager): system audit, management functions
  - SL (System Low): any process can read at this level
- 3 security categories:
  - SP (Production): production code, data
  - SD (Development): production code in development
  - SSD (System Development): system code in development
- Security level = (classification, category)

16 The Biba Part
- 3 integrity classifications:
  - ISP (System Program): for system programs
  - IO (Operational): production programs, development software
  - ISL (System Low): users get this on login
- 2 integrity categories:
  - ID (Development): development entities
  - IP (Production): production entities
- Integrity level = (classification, category)

17 Subjects' Levels at a Glance
Subject                        Security Level                                    Integrity Level
Ordinary users                 (SL, {SP})                                        (ISL, {IP})
Application developers         (SL, {SD})                                        (ISL, {ID})
System programmers             (SL, {SSD})
System managers and auditors   (AM, {SP, SD, SSD})                               (ISL, ∅)
System controllers             (SL, {SP, SD, SSD}) and downgrade privilege       (ISP, {IP, ID})
Repair

18 Objects' Levels at a Glance
Object                             Security Level           Integrity Level
Development code/test data         (SL, {SD})               (ISL, {ID})
Production code                    (SL, {SP})               (IO, {IP})
Production data                                             (ISL, {IP})
Software tools                     (SL, ∅)                  (IO, {ID})
System programs                                             (ISP, {IP, ID})
System programs in modification    (SL, {SSD})              (ISL, {ID})
System and application logs        (AM, {SP, SD, SSD})      (ISL, ∅)
Repair                             (SL, {SP})

19 The Lattice (Lipner's Lattice)
(Diagram: the combined lattice; only 9 out of 192 labels are used. Legend: S = Subjects, O = Objects)

20 What Does it Achieve?
- Ordinary users can execute (read) production code but cannot alter it.
- Ordinary users can alter and read production data.
- System managers need access to all logs but cannot change the levels of objects.
- System controllers need to install code (hence the downgrade capability).
- Logs are append-only, so they must dominate the subjects writing them.
- These meet the stated requirements (verify if you want).
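To take up the "verify if you want" invitation, here is an added example (not part of the slides) that encodes the Biba rules of slide 8 together with BLP over Lipner's labels from slides 15 to 18 and checks the claims of slide 20 mechanically. The security label of production data is assumed to be (SL, {SP}), since the transcript only shows its integrity label; everything else comes from the tables.

```python
# Added example: BLP read-down/write-up combined with Biba read-up/write-down,
# evaluated over Lipner's (classification, category set) labels.
from typing import Dict, FrozenSet, Tuple

# Classification orderings, lowest first (slides 15 and 16).
SEC_ORDER = {"SL": 0, "AM": 1}
INT_ORDER = {"ISL": 0, "IO": 1, "ISP": 2}

Label = Tuple[str, FrozenSet[str]]   # (classification, category set)
Entity = Tuple[Label, Label]         # (security label, integrity label)


def label(cls: str, *cats: str) -> Label:
    return (cls, frozenset(cats))


def dominates(a: Label, b: Label, order: Dict[str, int]) -> bool:
    """a dominates b iff class(a) >= class(b) and cats(b) is a subset of cats(a)."""
    return order[a[0]] >= order[b[0]] and b[1] <= a[1]


def can_read(sub: Entity, obj: Entity) -> bool:
    """BLP read-down (sub dominates obj in security) AND Biba read-up, i(s) <= i(o)."""
    return dominates(sub[0], obj[0], SEC_ORDER) and dominates(obj[1], sub[1], INT_ORDER)


def can_write(sub: Entity, obj: Entity) -> bool:
    """BLP write-up (obj dominates sub in security) AND Biba write-down, i(o) <= i(s)."""
    return dominates(obj[0], sub[0], SEC_ORDER) and dominates(sub[1], obj[1], INT_ORDER)


# Lipner's labels (slides 17 and 18). Production data's security label (SL, {SP})
# is an assumption; the transcript shows only its integrity label.
ORDINARY_USER = (label("SL", "SP"), label("ISL", "IP"))
APP_DEVELOPER = (label("SL", "SD"), label("ISL", "ID"))
SYSTEM_MANAGER = (label("AM", "SP", "SD", "SSD"), label("ISL"))
PRODUCTION_CODE = (label("SL", "SP"), label("IO", "IP"))
PRODUCTION_DATA = (label("SL", "SP"), label("ISL", "IP"))
SYSTEM_LOGS = (label("AM", "SP", "SD", "SSD"), label("ISL"))


def verify_slide_20() -> Dict[str, bool]:
    """Each claim maps to True when the combined policy enforces it."""
    return {
        "users read production code": can_read(ORDINARY_USER, PRODUCTION_CODE),
        "users cannot alter production code": not can_write(ORDINARY_USER, PRODUCTION_CODE),
        "users read and alter production data": can_read(ORDINARY_USER, PRODUCTION_DATA)
        and can_write(ORDINARY_USER, PRODUCTION_DATA),
        "developers cannot read production code": not can_read(APP_DEVELOPER, PRODUCTION_CODE),
        "managers read logs": can_read(SYSTEM_MANAGER, SYSTEM_LOGS),
        "logs are append-only for users": can_write(ORDINARY_USER, SYSTEM_LOGS)
        and not can_read(ORDINARY_USER, SYSTEM_LOGS),
    }
```

The last check shows why the logs' security label must dominate ordinary users: write-up lets them append, while read-down denies them reading what was logged.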

21 Key Points
- The commercial world needs integrity.
- Biba model:
  - Dual of BLP (or BLP-upside-down)
  - Integrity levels distinct from security levels
  - Information flows differently
  - Can be combined with BLP
- Lipner's lattice combines the two to meet commercial requirements.

