1 TOPIC LATTICE-BASED ACCESS-CONTROL MODELS …profsandhu.com/cs6393_s12/lbac-blp-biba.pdf · 2...
TOPIC
LATTICE-BASED ACCESS-CONTROL MODELS
Ravi Sandhu
LATTICE-BASED MODELS
• Denning's axioms
• Bell-LaPadula model (BLP)
• Biba model and its duality (or equivalence) to BLP
• Dynamic labels in BLP
DENNING'S AXIOMS
< SC, →, ⊕ >
SC: set of security classes
→ ⊆ SC × SC: flow relation (i.e., can-flow)
⊕: SC × SC → SC: class-combining operator
DENNING'S AXIOMS
< SC, →, ⊕ >
1 SC is finite
2 → is a partial order on SC
3 SC has a lower bound L such that L → A for all A ∈ SC
4 ⊕ is a least upper bound (lub) operator on SC
Justification for 1 and 2 is stronger than for 3 and 4. In practice we may therefore end up with a partially ordered set (poset) rather than a lattice.
DENNING'S AXIOMS IMPLY
• SC is a universally bounded lattice
• there exists a Greatest Lower Bound (glb) operator ⊗ (also called meet)
• there exists a highest security class H
LATTICE STRUCTURES
[Figure: hierarchical classes Unclassified, Confidential, Secret, Top Secret, connected by can-flow edges]
Reflexive and transitive edges are implied but not shown.
LATTICE STRUCTURES
[Figure: the same four hierarchical classes (Unclassified, Confidential, Secret, Top Secret), annotated with can-flow and dominance (≥)]
LATTICE STRUCTURES
[Figure: compartments and categories, with nodes {ARMY, CRYPTO}, {ARMY}, {CRYPTO}]
LATTICE STRUCTURES
[Figure: compartments and categories, with nodes {ARMY, NUCLEAR, CRYPTO}; {ARMY, NUCLEAR}, {ARMY, CRYPTO}, {NUCLEAR, CRYPTO}; {ARMY}, {NUCLEAR}, {CRYPTO}]
LATTICE STRUCTURES
[Figure: hierarchical classes (TS, S) with compartments ({A,B}, {A}, {B})]
product of 2 lattices is a lattice
LATTICE STRUCTURES
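[Figure: hierarchical classes with compartments, drawn as a single lattice whose nodes pair a class with a compartment set: (TS, {A,B}), (TS, {A}), (TS, {B}), (S, {A,B}), (S, {A}), (S, {B}); the remaining node labels survive only as "TS," and "S," in this copy]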
SMITH'S LATTICE
[Figure: Smith's lattice. Node labels recovered from the figure: U, C, S, TS, S-A, S-L, S-W, S-LW, TS-K, TS-L, TS-Q, TS-W, TS-X, TS-Y, TS-Z, TS-KL, TS-KY, TS-KLX, TS-KQZ, TS-AKLQWXYZ]
SMITH'S LATTICE
• With large lattices a vanishingly small fraction of the labels will actually be used
• Smith's lattice: 4 hierarchical levels, 8 compartments, therefore
number of possible labels = 4*2^8 = 1024
Only 21 labels are actually used (2%)
• Consider 16 hierarchical levels, 64 compartments which gives 10^20 labels
EMBEDDING A POSET IN A LATTICE
• Smith's subset of 21 labels do form a lattice. In general, however, selecting a subset of labels from a given lattice
• may not yield a lattice, but
• is guaranteed to yield a partial ordering
• Given a partial ordering we can always add extra labels to make it a lattice
EMBEDDING A POSET IN A LATTICE
[Figure: a poset with labels A; B; A,B,C; A,B,D ⇒ a lattice with labels A; B; A,B; A,B,C; A,B,D; A,B,C,D]
such embedding is always possible
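The embedding described on these two slides, as an added Python example that is not part of the original slides. It treats labels as compartment sets ordered by inclusion, uses the four poset labels from the figure, and closes the set under union and intersection; that construction is one sufficient choice (not necessarily the smallest) and, as an assumption made here, it also adds the empty label as a bottom element.

```python
from itertools import combinations

def has_lub(labels, a, b):
    """True if a and b have a least upper bound inside `labels`."""
    uppers = [u for u in labels if a <= u and b <= u]
    return any(all(u <= v for v in uppers) for u in uppers)

def has_glb(labels, a, b):
    """True if a and b have a greatest lower bound inside `labels`."""
    lowers = [l for l in labels if l <= a and l <= b]
    return any(all(v <= l for v in lowers) for l in lowers)

def is_lattice(labels):
    """Every pair of labels needs both a lub and a glb within the set."""
    return all(has_lub(labels, a, b) and has_glb(labels, a, b)
               for a, b in combinations(labels, 2))

def embed(labels):
    """Add extra labels until the set is closed under union and intersection."""
    closed = set(labels)
    while True:
        pairs = list(combinations(closed, 2))
        new = {x | y for x, y in pairs} | {x & y for x, y in pairs}
        if new <= closed:
            return closed
        closed |= new

def show(label):
    return "{" + ",".join(sorted(label)) + "}"

# Constructed input: the four labels of the poset in the figure.
POSET = {frozenset("A"), frozenset("B"), frozenset("ABC"), frozenset("ABD")}

if __name__ == "__main__":
    lattice = embed(POSET)
    print("poset is a lattice:   ", is_lattice(POSET))
    print("labels added:         ", sorted(show(l) for l in lattice - POSET))
    print("embedding is a lattice:", is_lattice(lattice))
```

The poset fails because A and B have two upper bounds (A,B,C and A,B,D) and neither is below the other; adding A,B gives them a least one.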
BLP BASIC ASSUMPTIONS
• SUB = {S1, S2, ..., Sm}, a fixed set of subjects
• OBJ = {O1, O2, ..., On}, a fixed set of objects
• R ⊃ {r, w}, a fixed set of rights
• D, an m × n discretionary access matrix with D[i,j] ⊆ R
• M, an m × n current access matrix with M[i,j] ⊆ {r, w}
BLP MODEL (LIBERAL STAR-PROPERTY)
• Lattice of confidentiality labels
Λ = {λ1, λ2, ..., λp}
• Static assignment of confidentiality labels
λ: SUB ∪ OBJ → Λ
• M, an m × n current access matrix with
• r ∈ M[i,j] ⇒ r ∈ D[i,j] ∧ λ(Si) ≥ λ(Oj)   simple security
• w ∈ M[i,j] ⇒ w ∈ D[i,j] ∧ λ(Si) ≤ λ(Oj)   star-property
BLP MODEL (STRICT STAR-PROPERTY)
• Lattice of confidentiality labels
Λ = {λ1, λ2, ..., λp}
• Static assignment of confidentiality labels
λ: SUB ∪ OBJ → Λ
• M, an m × n current access matrix with
• r ∈ M[i,j] ⇒ r ∈ D[i,j] ∧ λ(Si) ≥ λ(Oj)   simple security
• w ∈ M[i,j] ⇒ w ∈ D[i,j] ∧ λ(Si) = λ(Oj)   star-property
BLP MODEL
[Figure: hierarchical classes Unclassified, Confidential, Secret, Top Secret, annotated with can-flow and dominance (≥)]
STAR-PROPERTY
• applies to subjects not to users
• users are trusted (must be trusted) not to disclose secret information outside of the computer system
• subjects are not trusted because they may have Trojan Horses embedded in the code they execute
• star-property prevents overt leakage of information and does not address the covert channel problem
BIBA MODEL
• Lattice of integrity labels
Ω = {ω1, ω2, ..., ωq}
• Assignment of integrity labels
ω: SUB ∪ OBJ → Ω
• M, an m × n current access matrix with
• r ∈ M[i,j] ⇒ r ∈ D[i,j] ∧ ω(Si) ≤ ω(Oj)   simple integrity
• w ∈ M[i,j] ⇒ w ∈ D[i,j] ∧ ω(Si) ≥ ω(Oj)   integrity confinement
EQUIVALENCE OF BLP AND BIBA
• Information flow in the Biba model is from top to bottom
• Information flow in the BLP model is from bottom to top
• Since top and bottom are relative terms, the two models are fundamentally equivalent
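The BLP and Biba rules from the preceding slides, written as one reference-monitor check to make the equivalence concrete. This is an added Python example, not code from the original slides; the level names, the tuple encoding of labels, and the function names are assumptions chosen for illustration.

```python
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}  # hierarchical classes, low to high

def label(level, *comps):
    """A label is a point in the product lattice: (level, compartment set)."""
    return (level, frozenset(comps))

def dominates(a, b):
    """a >= b: level at least as high AND compartments a superset."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]

def lub(a, b):
    """Least upper bound, Denning's class-combining operator."""
    return (max(a[0], b[0], key=LEVELS.get), a[1] | b[1])

def glb(a, b):
    """Greatest lower bound (meet)."""
    return (min(a[0], b[0], key=LEVELS.get), a[1] & b[1])

def allowed(right, subj, obj, d_entry, geq=dominates, strict=False):
    """May `right` appear in M[i,j]? d_entry plays the role of D[i,j]."""
    if right not in d_entry:            # discretionary check against D
        return False
    if right == "r":                    # simple security: subject >= object
        return geq(subj, obj)
    if right == "w":                    # star-property: liberal <=, strict ==
        return subj == obj if strict else geq(obj, subj)
    return False

def biba_allowed(right, subj, obj, d_entry):
    """Biba is the same monitor with the ordering flipped."""
    return allowed(right, subj, obj, d_entry, geq=lambda a, b: dominates(b, a))

def demo():
    s_a, s_b, ts_ab = label("S", "A"), label("S", "B"), label("TS", "A", "B")
    rw = {"r", "w"}
    return {
        "read_down": allowed("r", ts_ab, s_a, rw),
        "read_up": allowed("r", s_a, ts_ab, rw),
        "write_up": allowed("w", s_a, ts_ab, rw),
        "write_up_strict": allowed("w", s_a, ts_ab, rw, strict=True),
        "read_incomparable": allowed("r", s_a, s_b, rw),
        "no_dac_right": allowed("r", ts_ab, s_a, {"w"}),
        "biba_read_up": biba_allowed("r", s_a, ts_ab, rw),
        "biba_write_up": biba_allowed("w", s_a, ts_ab, rw),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

Labels with incomparable compartment sets, such as (S, {A}) and (S, {B}), can neither read nor write each other under either rule set, which is the practical effect of the partial order.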
EQUIVALENCE OF BLP AND BIBA
[Figure: BIBA LATTICE with HI (High Integrity) above LI (Low Integrity) ⇒ EQUIVALENT BLP LATTICE with LI (Low Integrity) above HI (High Integrity)]
EQUIVALENCE OF BLP AND BIBA
[Figure: BLP LATTICE with HS (High Secrecy) above LS (Low Secrecy) ⇒ EQUIVALENT BIBA LATTICE with LS (Low Secrecy) above HS (High Secrecy)]
COMBINATION OF DISTINCT LATTICES
[Figure: GIVEN a BLP lattice (HS above LS) and a BIBA lattice (HI above LI) ⇒ EQUIVALENT BLP LATTICE with "HS, LI" at the top, "HS, HI" and "LS, LI" in the middle, and "LS, HI" at the bottom]
BLP AND BIBA
• BLP and Biba are fundamentally equivalent and interchangeable
• Lattice-based access control is a mechanism for enforcing one-way information flow, which can be applied to confidentiality or integrity goals
• We will use the BLP formulation with high confidentiality at the top of the lattice, and high integrity at the bottom
LIPNER'S LATTICE
[Figure: Lipner's lattice. Node annotations recovered from the figure:
S: Repair
S: Production Users
O: Production Data
S: Application Programmers
O: Development Code and Data
S: System Programmers
O: System Code in Development
S: System Managers
O: Audit Trail
S: System Control
O: Repair Code
O: System Programs
O: Production Code
O: Tools
LEGEND: S: Subjects, O: Objects]
LIPNER'S LATTICE
• Lipner's lattice uses 9 labels from a possible space of 192 labels (3 integrity levels, 2 integrity compartments, 2 confidentiality levels, and 3 confidentiality compartments)
• The single lattice shown here can be constructed directly from first principles
LIPNER'S LATTICE
• The position of the audit trail at lowest integrity demonstrates the limitation of an information flow approach to integrity
• System control subjects are exempted from the star-property and allowed to
• write down (with respect to confidentiality)
or equivalently
• write up (with respect to integrity)
DYNAMIC LABELS IN BLP
• Tranquility (most common): λ is static for subjects and objects
• BLP without tranquility may be secure or insecure depending upon the specific dynamics of labelling
• Noninterference can be used to prove the security of BLP with dynamic labels
DYNAMIC LABELS IN BLP
• High water mark on subjects: λ is static for objects; λ may increase but not decrease for subjects
Is secure and is useful
• High water mark on objects: λ is static for subjects; λ may increase but not decrease for objects
Is insecure due to disappearing object signaling channel
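The two high-water-mark variants compared in a two-run check in the style of a noninterference test: does anything a high subject does change what a low subject observes? This is an added Python example, not part of the original slides; the two-level model, the subject and object names, and the omission of clearances and of the discretionary matrix are simplifying assumptions.

```python
LOW, HIGH = 0, 1

class System:
    def __init__(self, policy):
        self.policy = policy                 # "subject_hwm" or "object_hwm"
        self.subj = {"lo": LOW, "hi": HIGH}  # current subject labels
        self.obj = {"f": LOW, "secret": HIGH}
        self.data = {"f": "init", "secret": "x"}

    def read(self, s, o):
        if self.policy == "subject_hwm":
            # Object labels are static; the reader's label floats up.
            self.subj[s] = max(self.subj[s], self.obj[o])
            return self.data[o]
        # object_hwm: subject labels are static, so enforce simple security.
        return self.data[o] if self.subj[s] >= self.obj[o] else "DENIED"

    def write(self, s, o, value):
        if self.policy == "object_hwm":
            # Subject labels are static; the written object floats up.
            self.obj[o] = max(self.obj[o], self.subj[s])
            self.data[o] = value
            return True
        if self.subj[s] <= self.obj[o]:      # star-property on current label
            self.data[o] = value
            return True
        return False

def low_view(policy, high_writes):
    """What the low subject sees when it reads f after the high subject ran."""
    system = System(policy)
    if high_writes:
        system.write("hi", "f", "anything")
    return system.read("lo", "f")

def interferes(policy):
    """True if the high subject's choice changes the low subject's view."""
    return low_view(policy, True) != low_view(policy, False)

def tainted_low_can_write_low():
    """Under subject HWM, a subject that has read high data cannot write low."""
    system = System("subject_hwm")
    system.read("lo", "secret")
    return system.write("lo", "f", "copied")

if __name__ == "__main__":
    for policy in ("subject_hwm", "object_hwm"):
        print(policy, "interferes:", interferes(policy))
    print("tainted low subject can write low:", tainted_low_can_write_low())
```

Under the object variant the low subject never sees the written content, only that f has become unreadable, which is the disappearing-object signal the slide names.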