03_IntegrityPolicies
Transcript of 03_IntegrityPolicies
-
7/30/2019 03_IntegrityPolicies
1/19
Slide #6-1
Chapter 3: Integrity Policies
Overview
Requirements
The Biba model
The Clark-Wilson model
Slide #6-2
Policy Requirements
1. Users will not write their own programs.
2. Programmers develop and test programs on non-production systems; if they need real data, it is supplied to them through a special process, and they use it on the development system.
3. A special process must be followed when installing a program from the development system onto the production system.
4. The special process in requirement 3 must be controlled and audited.
5. Managers and auditors must have access to both systems.
Slide #6-3
Principles
Separation of duty: no single person performs every step of a critical operation
Separation of function: distinct roles for distinct functions (developers do not develop on production systems)
Auditing: recording what was done, by whom, so that it can be checked and recovered
Slide #6-4
The Biba Integrity Model
Set of subjects $S$, objects $O$, integrity levels $I$; relation $\leq \subseteq I \times I$ holding when the second level dominates the first
$\min : I \times I \to I$ returns the lesser of two integrity levels
$i : S \cup O \to I$ gives the integrity level of an entity
$r \subseteq S \times O$ means $s \in S$ can read $o \in O$; $w$ (write) and $x$ (execute) are defined similarly
Slide #6-5
Integrity Levels
The higher the level, the greater the confidence
That a program will execute correctly
That data is accurate and/or reliable
Relationship between integrity and trustworthiness
Note: integrity levels are not security levels
Slide #6-6
The Biba Model
Similar to the Bell-LaPadula model
1. $s \in S$ can read $o \in O$ iff $i(s) \leq i(o)$
2. $s \in S$ can write to $o \in O$ iff $i(o) \leq i(s)$
3. $s_1 \in S$ can execute $s_2 \in S$ iff $i(s_2) \leq i(s_1)$
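The three rules above as a running access check, as an added example that is not part of the slides: integrity levels are small integers (a bigger number dominates a smaller one), `i()` is the slide's level function, and the entities, level values and names below are constructed for illustration. It also goes one step beyond the slide: the `min` operator defined on slide #6-4 is not used by the strict rules, so `read_low_water_mark` shows where it appears, in Biba's low-water-mark variant.

```python
# Added example: Biba strict integrity (slide #6-6) plus the low-water-mark
# variant. Entities, names and level values are constructed, not from the slides.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    """A subject or object together with its integrity level i(e)."""
    name: str
    level: int


def i(e: Entity) -> int:
    """The slide's i: S ∪ O → I."""
    return e.level


def can_read(s: Entity, o: Entity) -> bool:
    """Rule 1: s may read o iff i(s) ≤ i(o) ('no read down')."""
    return i(s) <= i(o)


def can_write(s: Entity, o: Entity) -> bool:
    """Rule 2: s may write o iff i(o) ≤ i(s) ('no write up')."""
    return i(o) <= i(s)


def can_execute(s1: Entity, s2: Entity) -> bool:
    """Rule 3: s1 may execute s2 iff i(s2) ≤ i(s1)."""
    return i(s2) <= i(s1)


def read_low_water_mark(s: Entity, o: Entity) -> Entity:
    """Low-water-mark variant (not on the slide): any read is allowed, but the
    subject's level afterwards is min(i(s), i(o)), so reading untrusted data
    permanently lowers what the subject may write."""
    return Entity(s.name, min(i(s), i(o)))


def denied_accesses(subjects, objects):
    """Every (subject, op, object) the strict policy refuses; useful for
    checking a proposed level assignment before relying on it."""
    out = []
    for s in subjects:
        for o in objects:
            if not can_read(s, o):
                out.append((s.name, "read", o.name))
            if not can_write(s, o):
                out.append((s.name, "write", o.name))
    return out


# Constructed sample: three integrity levels, 3 = system, 2 = user, 0 = untrusted.
SYSTEM_DAEMON = Entity("system daemon", 3)
USER_SHELL = Entity("user shell", 2)
PLUGIN = Entity("downloaded plugin", 0)
SYSTEM_BIN = Entity("/bin/ls", 3)
USER_DOC = Entity("~/notes.txt", 2)
DOWNLOAD = Entity("~/Downloads/setup.bin", 0)

if __name__ == "__main__":
    # Untrusted code may not modify system binaries, and trusted code may not
    # consume untrusted input: both directions of contamination are blocked.
    print(can_write(PLUGIN, SYSTEM_BIN))        # False
    print(can_read(SYSTEM_DAEMON, DOWNLOAD))    # False
    print(can_execute(USER_SHELL, PLUGIN))      # True: a higher subject may run a lower one
    print(can_execute(PLUGIN, SYSTEM_DAEMON))   # False
    for entry in denied_accesses([SYSTEM_DAEMON, USER_SHELL, PLUGIN],
                                 [SYSTEM_BIN, USER_DOC, DOWNLOAD]):
        print("deny", *entry)
    lowered = read_low_water_mark(USER_SHELL, DOWNLOAD)
    print(lowered.level, can_write(lowered, USER_DOC))  # 0 False
```

The point to notice is the direction of the arrows: Biba blocks reading down and writing up, the mirror image of Bell-LaPadula, because the threat is contamination of trusted data rather than disclosure of secret data.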
Slide #6-7
Example: the LOCUS operating system
Goal: prevent untrusted software from altering data or other software
Approach: make the trust level explicit as a credibility rating based on an estimate of the software's trustworthiness (0 untrusted, n highly trusted)
Trusted file systems contain software with a single credibility level
A process has a risk level, the highest credibility level at which the process can execute
The run-untrusted command must be used to run software at a lower credibility level
Slide #6-8
The Clark-Wilson Integrity Model
Integrity is defined by a set of constraints; data is in a consistent (valid) state when it satisfies them
Example: a bank, with $D$ today's deposits, $W$ withdrawals, $YB$ yesterday's balance, $TB$ today's balance
Integrity constraint: $D + YB - W = TB$
Well-formed transaction: moves the system from one consistent state to another
Problem: who examines and certifies that transactions are done correctly?
Slide #6-9
Entities
CDIs: constrained data items, data subject to integrity controls
UDIs: unconstrained data items, data not subject to integrity controls
IVPs: integrity verification procedures, which test that the CDIs conform to the integrity constraints
TPs: transaction procedures, which take the system from one valid state to another
Slide #6-10
Certification Rules 1 and 2
CR1 When an IVP runs, it must ensure that all CDIs are in a valid state
CR2 For some associated set of CDIs, a TP must transform those CDIs from one valid state to another valid state
Defines the relation certified, which associates a set of CDIs with a particular TP
Example: TP balance, CDIs accounts, in the bank example
Slide #6-11
Enforcement Rules 1 and 2
ER1 The system must maintain the certified relations, and must ensure that only TPs certified to run on a CDI manipulate that CDI
ER2 The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user, and may not access them on behalf of a user not associated with that TP and those CDIs
The system must maintain and enforce the certified relation
The system must also restrict access based on user ID (the allowed relation)
Slide #6-12
Users and Rules
CR3 The allowed relations must meet the requirements imposed by the principle of separation of duty
ER3 The system must authenticate each user attempting to execute a TP
The type of authentication is undefined, and depends on the instantiation
Authentication is not required before use of the system, but is required before manipulation of CDIs (which requires using TPs)
Slide #6-13
Logging
CR4 All TPs must append enough information to reconstruct the operation to an append-only CDI
This CDI is the log
The auditor needs to be able to determine what happened during reviews of transactions
Slide #6-14
Handling Untrusted Input
CR5 Any TP that takes a UDI as input may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI
In the bank, numbers entered at the keyboard are UDIs, so they cannot be input to TPs directly. TPs must validate the numbers (making them CDIs) before using them; if validation fails, the TP rejects the UDI
Slide #6-15
Separation of Duty in the Model
ER4 Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of an entity associated with that TP, may ever have execute permission with respect to that entity
Enforces separation of duty with respect to the certified and allowed relations
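The rules of slides #6-8 to #6-15 wired together as a small enforcement monitor for the bank scenario, as an added example that is not part of the slides: the four balances are the CDIs, the IVP checks $D + YB - W = TB$, and the monitor enforces the certified relation (ER1), the allowed relation (ER2), authentication before running a TP (ER3), the append-only log (CR4), validation of keyboard input (CR5) and the certifier/executor split (ER4). The user names (`auditor`, `teller`), the TP names and the sample balances are constructed for illustration, as is the `login` stand-in for whatever authentication the instantiation actually uses.

```python
# Added example: toy Clark-Wilson monitor for the bank scenario. Users, TP
# names and the sample state are constructed, not taken from the slides.
from dataclasses import dataclass, field
from typing import Callable, Optional


class IntegrityViolation(Exception):
    """Raised when a request would break an enforcement rule or the IVP."""


def validate_amount(udi: str) -> Optional[int]:
    """CR5: turn an untrusted keyboard string (a UDI) into a valid amount, or reject it."""
    if udi.isascii() and udi.isdigit() and int(udi) > 0:
        return int(udi)
    return None


@dataclass
class Monitor:
    cdis: dict = field(default_factory=dict)         # constrained data items
    tps: dict = field(default_factory=dict)          # tp -> (certifier, cdi names, code): the certified relation
    allowed: set = field(default_factory=set)        # (user, tp) pairs: the allowed relation (ER2)
    authenticated: set = field(default_factory=set)  # users who have passed ER3
    log: list = field(default_factory=list)          # append-only CDI of transaction records (CR4)

    def ivp(self) -> bool:
        """CR1: every valid state satisfies the bank's integrity constraint."""
        c = self.cdis
        return c["D"] + c["YB"] - c["W"] == c["TB"]

    def certify(self, certifier: str, tp: str, cdi_names, code: Callable) -> None:
        """Record that `certifier` vouches that `tp` is well-formed over `cdi_names` (CR2)."""
        self.tps[tp] = (certifier, frozenset(cdi_names), code)

    def allow(self, requester: str, user: str, tp: str) -> None:
        """ER4: only the TP's certifier edits its allowed list, and may not appear on it."""
        if tp not in self.tps:
            raise IntegrityViolation(f"ER1: {tp} is not a certified TP")
        certifier = self.tps[tp][0]
        if requester != certifier:
            raise IntegrityViolation(f"ER4: {requester} did not certify {tp}")
        if user == certifier:
            raise IntegrityViolation(f"ER4: certifier {user} may not execute {tp}")
        self.allowed.add((user, tp))

    def login(self, user: str) -> None:
        self.authenticated.add(user)  # ER3 stand-in; the real mechanism is up to the instantiation

    def run(self, user: str, tp: str, udi: str) -> bool:
        """Run `tp` for `user` on raw input `udi`. Returns False if the UDI is rejected."""
        if user not in self.authenticated:
            raise IntegrityViolation(f"ER3: {user} is not authenticated")
        if tp not in self.tps:
            raise IntegrityViolation(f"ER1: {tp} is not a certified TP")
        if (user, tp) not in self.allowed:
            raise IntegrityViolation(f"ER2: {user} may not run {tp}")
        code = self.tps[tp][2]
        amount = validate_amount(udi)
        if amount is None:
            self.log.append((user, tp, udi, "rejected"))
            return False
        before = dict(self.cdis)
        code(self.cdis, amount)
        self.log.append((user, tp, amount, before, dict(self.cdis)))  # enough to reconstruct the operation
        if not self.ivp():  # the certifier approved a TP that is not actually well-formed
            self.cdis.clear()
            self.cdis.update(before)
            raise IntegrityViolation(f"CR1: IVP failed after {tp}; state rolled back")
        return True


def deposit(c: dict, amount: int) -> None:
    c["D"] += amount
    c["TB"] += amount


def withdraw(c: dict, amount: int) -> None:
    c["W"] += amount
    c["TB"] -= amount


def credit_only(c: dict, amount: int) -> None:
    c["TB"] += amount  # badly written TP: moves TB without recording the deposit


def build_bank() -> Monitor:
    """Constructed sample state: yesterday's balance 500, nothing moved yet today."""
    m = Monitor(cdis={"YB": 500, "D": 0, "W": 0, "TB": 500})
    m.certify("auditor", "deposit", ["D", "TB"], deposit)
    m.certify("auditor", "withdraw", ["W", "TB"], withdraw)
    m.allow("auditor", "teller", "deposit")
    m.allow("auditor", "teller", "withdraw")
    m.login("teller")
    return m


def violates(action: Callable[[], object]) -> bool:
    """True if the monitor refuses `action`."""
    try:
        action()
    except IntegrityViolation:
        return True
    return False


if __name__ == "__main__":
    bank = build_bank()
    bank.run("teller", "deposit", "100")
    bank.run("teller", "withdraw", "30")
    print(bank.cdis, bank.ivp())                                       # TB 570, True
    print(bank.run("teller", "deposit", "-5"))                         # False: UDI rejected (CR5)
    print(violates(lambda: bank.allow("auditor", "auditor", "deposit")))  # True: ER4
```

Two things the monitor cannot do are worth noting. It cannot tell whether the certifier was right: `credit_only` is accepted by `certify` exactly like the correct TPs, and only the IVP run after the fact catches it, which is why the model insists on certification as a human, out-of-band step. And `login` is deliberately hollow, matching the slide's remark that the model leaves the authentication mechanism to the instantiation.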
Slide #6-16
Comparison with the Requirements
1. Users do not write their own programs: users cannot certify TPs, so CR5 and ER4 enforce this
2. No software development on production systems: procedural, so the model does not directly cover it; but the special process corresponds to using a TP
No technical controls can prevent a programmer from developing a program on the production system
3. Installing from the development system onto the production system: a TP does the installation; trusted personnel do the certification
Slide #6-17
Comparison with the Requirements
4. Control and auditing: CR4 provides logging; ER3 authenticates the trusted personnel doing the installation; CR5 and ER4 control the installation procedure
5. The log is a CDI, so an appropriate TP can give managers and auditors access; access to the system state is handled similarly
Slide #6-18
Comparison with the Biba Model
Biba: no notion of certification rules; trusted subjects ensure that actions obey the rules; untrusted data is examined before being made trusted
Clark-Wilson: explicit requirements that actions must meet; a trusted entity must certify the method used to upgrade untrusted data (and does not certify the data itself)
Slide #6-19
Key Points
Integrity policies deal with trust
As trust is hard to quantify, these policies are hard to evaluate completely
Look for assumptions and trusted users to find possible weak points in their implementation
Biba is based on multilevel integrity
Clark-Wilson focuses on separation of duty and transactions