12/4/20151 Computer Security Security models – an overview.
-
Upload
shanon-shaw -
Category
Documents
-
view
220 -
download
0
Transcript of 12/4/20151 Computer Security Security models – an overview.
![Page 1: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/1.jpg)
04/18/23 1
Computer SecuritySecurity models – an overview.
![Page 2: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/2.jpg)
04/18/23 2
Finite State Machine Models
Automata (=Finite State Machines) are a popular way Of modeling many aspects of computing systems. The essential feature of these are then concepts of:• State• State transition
![Page 3: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/3.jpg)
04/18/23 3
Bell-LaPadula (BLP) Model
BLP StructureCombines,• .Access permission matrices for access control,• a Security lattice, for security levels,• an Automaton, for access operations.
Security policies are reduced to relations in the BLP structure.
![Page 4: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/4.jpg)
04/18/23 4
BLP Model• A set of subjects S• A set of objects O• A set of access operations A = {execute,read,append,write}• A set L of security levels, with a partial ordering .
![Page 5: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/5.jpg)
04/18/23 5
BLP ModelWe want to use the state of the system to check its security.
The state set is: B xM x F, where
• B = P (SxOxA) the set of current accesses b
• .M is the set of permission matrices M
• A set of security level assignments F Ls x Ls x Lo.
![Page 6: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/6.jpg)
04/18/23 6
BLP Model
The security level assignments F Ls x Ls x Lo.
F has elements f = , where
objects. of tionclassificasecurity the gives O :–subject, each of levelsecurity current the gives :–
have, cansubject eachsecurity maximal the gives :–
L fLS fLS f
O
C
S
level.current the dominates level maximal the is,that , :require We SC ff
),,( OCS fff
![Page 7: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/7.jpg)
04/18/23 7
BLP Model
Security policies: a state (b,M,f ) must satisfy,
1. Simple security property (ss-property): – for each access request (s,o,a) in b, with access
operation a = read, or write, the security level of s must dominate the classification of o, i.e.,
This is a no read/write up security policy
)()( sfof SO
![Page 8: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/8.jpg)
04/18/23 8
BLP Model2. Star property (*-property):
– for each access request (s,o,a) in b, with access operation a = append, or write, the current security level of s is dominated by the classification of the object o,
i.e. . This is a no append/write down policy.
Also, if there is an (s,o,a) in b with a = append or write, then we must have
for all o’ with (s,o’,a’ ) in b and a’ = read or write
)()( ofsf OC
(o)f(o')f OO
![Page 9: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/9.jpg)
04/18/23 9
BLP Model
3. Discretionary security property (ds-property):
-- for each access (s,o,a) in b, we must have .soMa
![Page 10: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/10.jpg)
04/18/23 10
BLP Model
The *-property implies that is not possible to send messages to
low level subjects. There are two ways to remedy this.• Temporarily downgrade a high level subject this is why we
introduced the current security level .• Identify a set of subjects that are permitted to violate the
*-property .
These are called trusted subjects.
)(sfC
![Page 11: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/11.jpg)
04/18/23 11
BLP Security
• A state v = (b,M,f ) is called secure if all three security properties are satisfied.
• A transition from state v1 = (b1,M1,f1) to state v2 = (b2,M2,f2) is secure if v2 is secure whenever v1 is.
![Page 12: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/12.jpg)
04/18/23 12
BLP Security
TheoremIf all state transitions are secure and if the initial state is secure then every subsequent state is secure, no matter which inputs occur.
![Page 13: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/13.jpg)
04/18/23 13
BLP Security
Proof -informal
A formal proof would proceed by induction on the length of the input sequences. It would build on the fact that security is preserves by state transitions.
RemarkThis theorem means that to check security you only need to check that state transitions preserve security.
![Page 14: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/14.jpg)
04/18/23 14
BLP Security
Proof, the ss-property
A state transition from (b1,M1,f1) to (b2,M2,f2)
preserves the ss-property if and only if:
.ba)o,(s, then ,fto respectwith
property-ssthe satisfy notdoes ba)o,(s, if
.fto respectwith property-ss
the satisfies ba)o,(s,with ba)o,(s, every
22
1
2
12
![Page 15: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/15.jpg)
04/18/23 15
BLP Security
Proof, the * & ds-property
Preservation of the *-property and the ds-property can
be described in a similar way.
![Page 16: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/16.jpg)
04/18/23 16
BLP Security
McLean defined a BLP system which• downgrades all subjects to the lowest level,• downgrades all objects to the lowest level,• enters all access rights in all positions of the access
control matrix M.
![Page 17: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/17.jpg)
04/18/23 17
BLP Security
A BLP system is only as good as its state
transitions are.
When a security system is designed within the framework
of a model, it is important that the implementation of the
primitives of the model captures correctly the security
requirements of the system.
![Page 18: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/18.jpg)
04/18/23 18
Limitations of BLP
The BLP model,
1. only deals with confidentiality, not integrity,2. does not address management of access control,3. contains covert channels.
![Page 19: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/19.jpg)
04/18/23 19
Limitations of BLP
• These are features of BLP, and should not be regarded as flaws.• Limiting the goals of a model makes it easier to deal with security issues • BLP does not state policies for the modification of access
rights.
BLP was originally intended for systems with no changes in the security levels.
![Page 20: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/20.jpg)
04/18/23 20
Limitations of BLP
Covert channels are information channels that are not controlled by the security mechanism of the system.Information can flow (leak) from a high security level to a low security level as follows:
1. A low-level subject creates an object dummy.obj at its own level,
2. Its high-level accomplice, either upgrades it to a high level,
or does not.
3. Later the low level subject tries to read dummy.obj . If it can,
the covert bit is 1; otherwise it is 0.
![Page 21: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/21.jpg)
04/18/23 21
Limitations of BLP
Telling a subject that a certain operation is or is not
permitted, constitutes information flow.
![Page 22: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/22.jpg)
04/18/23 22
The Harrison-Ruzzo-Ullman (HRU) Model
The BLP model is not dynamic: it does not allow for the creation or deletion of subjects and objects and for changing access rights.
The HRU model defines authorization systems that address this issue.
![Page 23: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/23.jpg)
04/18/23 23
HRU Model
• A set of subjects S• A set of objects O• A set of access rights R• An access matrix RMMM soOoSsso with ,)( ,
![Page 24: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/24.jpg)
04/18/23 24
HRU Model
We also have six primitive operations,
- -
into/from -
os
Mr so
object etecreate/delsubject etecreate/del
enter
![Page 25: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/25.jpg)
04/18/23 25
HRU ModelCommands in HRU are of type,
end
. . .
then
if
. . .
and if
and if
),...,( command
2
1
2
1
1
22
11
.
n
osk
os
os
k
op
op
op
Minr
Minr
Minr
xxc
mm
![Page 26: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/26.jpg)
04/18/23 26
HRU ModelBasic operations are of type,
The owner s of file f grants read access to s,
end
enter
enter
enter
create
),(_ command
,
,
,
.
fs
fs
fs
Minw
Minr
Mino
f
fsfilecreate
end
enter then if
command
fs
fs
Minr
Mino
fssreadgrant
,'
,
.),',(_
![Page 27: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/27.jpg)
04/18/23 27
HRU Model -securityDefinitions
• An access matrix M leaks the right r if there is a command that adds the right r in a position of M that did
not previously contain r, that is,
• An access matrix M is safe with respect to the right r if no sequence of commands can transform M into a state that leaks r.
So, verifying HRU security reduces to verifying safety properties.
osos MrMros ,, ' and such that ,
': MMc
![Page 28: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/28.jpg)
04/18/23 28
HRU Model -securityTheorems
1. Given an access matrix M and a right r, verifying the safety of M with respect to the right r is an undecidable problem.
2. Given a mono-operational * authorization system, an access matrix M and a right r, verifying the safety of M with respect to the right r is decidable.
Even if two operations per command are allowed we get undecidability.3. The safety problem for authorization systems is decidable if the
number of subjects is bounded.
* Commands contain a single operation are mono-operational
![Page 29: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/29.jpg)
04/18/23 29
The Chinese Wall Model
This models a consultancy business where analysts have to make sure that no conflicts arise when dealing with different clients (companies).Informally, a conflict arises when clients are direct competitors in the same market, or because of the ownership of companies.
![Page 30: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/30.jpg)
04/18/23 30
The Chinese Wall Model1. A set of subjects S 2. A set of companies C3. A set of objects O
– the objects concerning the same company are called company datasets.
– the function gives the company dataset for each object.
4. The function gives the conflict of interest classes for each object.
COy :
): COx (P
![Page 31: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/31.jpg)
04/18/23 31
The Chinese Wall Model
.emptyis)( if isobject An oxsanitised
)).(),((pair theis object an of labelsecurity The oyoxo
Conflicts of interest may also arise from objects
that have been accessed in then past.
Let Ns,o = true, if subject s has had access to object o
false, if subject s never had access to object o
![Page 32: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/32.jpg)
04/18/23 32
The Chinese Wall Model
ss – property:
That is, access is granted only if the object requested
belongs to:• a company dataset already held by the subject
(the analyst), or • an entirely different conflict of interest class.
)()(or )()(either
: with objects
ifonly object an toaccess granted is subject A
o's,
o'xoyo'yoy
trueNo'
os
![Page 33: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/33.jpg)
04/18/23 33
The Chinese Wall Model
* - property:
That is, write access to an object is only granted if no other
object can be read which is in a different company dataset
and contains unsanitised information.
.is)( and )()(
with object an toaccess no has ifonly
object an toaccess granted is subject A
emptynoto'xo'yoy
o'reads
owrites
![Page 34: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/34.jpg)
04/18/23 34
The Biba Model
This model addresses integrity by using a state machine
model in a similar way to BLP.
Unlike BLP there is no single high-level integrity policy.
Instead, there is a variety of approaches.
objects. and subjects tolevelsintegrity assign which
: and : functions
and levels,integrity of ),( lattice a
usesIt
LOfLSf
L
OS
![Page 35: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/35.jpg)
04/18/23 35
The Biba Model
• The integrity policies guarantee that information only flows downwards.
• In particular, “clean” high level entities cannot be corrupted by “dirty” low level entities.
![Page 36: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/36.jpg)
04/18/23 36
The Biba Model – static integrity
up)- write(no
).()( then object (alter)modify can subject a If ofsfos OS
Simple integrity property :
“first try’’ : Integrity * - property :
These properties prevent clean subjects and objects from
being contaminated by dirty information.
down).-read no(
).()( then object (observe) readcan subject a If ofs fos OS
![Page 37: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/37.jpg)
04/18/23 37
The Biba Model – static integrity
up)- write(no
).()( then object (alter)modify can subject a If ofsfos OS Simple integrity property :
Integrity * - property :
).()( ifonly object an toaccess write
havecan then object (observe) readcan subject a If
ofo' fo'
sos
OO
![Page 38: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/38.jpg)
04/18/23 38
The Biba Model – dynamic integrity
This uses an approach similar to the Chinese Wall model,
in which the integrity of a subject is adjusted if the subject
comes into contact with low-level information.
![Page 39: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/39.jpg)
04/18/23 39
The Biba Model – dynamic integrity
.operation
thebefore levelsintegrity theare )( and )( where
)),()(inf( is of levelintegrity new The
level.integrity any at object an )( can Subject
ofsf
o,fsfs
os
OS
OS
observereadSubject low watermark property:
Object low watermark property:
.operation
thebefore levelsintegrity are )( and )( where
)),()(inf( is of levelintegrity new The
level.integrity any at object an can Subject
ofsf
o,fsfo
os
OS
OS
modify
![Page 40: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/40.jpg)
04/18/23 40
The Clark - Wilson Model
This model addresses the security requirements of commercial applications.
The requirements of this model are to secure data integrity.
Integrity requirements are divided into,• internal consistency: properties of the internal state that
can be enforced by the computer system.• external consistency: the relation of the internal state to
the real world: enforced by means outside the system, e.g. auditing.
![Page 41: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/41.jpg)
04/18/23 41
The CW Model
Integrity is enforced by,• well formed transactions: data items can be manipulated only by a specific set of programs; users have access to programs rather than data items.• separation of duties: users have to collaborate to
manipulate data and collude to penetrate the system.
![Page 42: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/42.jpg)
04/18/23 42
The CW Model
In the Clark-Wilson model,• Subjects must be identified and authenticated,• Objects can be manipulated only by a restricted set of
programs,• Subjects can execute only a restricted set of programs,• A proper audit log has to be maintained,• The system must be certified to work properly.
![Page 43: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/43.jpg)
04/18/23 43
The CW Model
In the Clark-Wilson model,• Data items governed by the security policy are called
Constrained Data Items (CDIs),• Inputs captured as Unconstrained Data Items (UDIs),• Conversion of UDIs to CDIs is a critical part of the system which
cannot be controlled solely by the security mechanisms in the system,
• CDIs can be manipulated by Transformation Procedures (TPs)• The integrity of a state is checked by Integrity Verification
Procedure (IVPs)
![Page 44: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/44.jpg)
04/18/23 44
The CW Model
Security procedures are defined by 5 certification rules:1. Integrity Verification Procedures must ensure that all Constrained Data
Items are in a valid state when the IVP is run.2. Transformation Procedures must be certified to be valid, i.e. CDIs must
always be transformed into CDIs.3. The access rules must certify any separation of duties requirements.4. All TPs must write to an append-only log.5. Any TP that takes a UDI as input must either convert it into a CDI or
reject it.
![Page 45: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/45.jpg)
04/18/23 45
The CW ModelSecurity procedures are enforced by the 4 rules:1. The system must maintain and protect the list of entries:
(TPi:CDIa,CDIb, … ) giving the CDIs that the TP is certified to access.2. The system must maintain and protect the list of entries:
(UserID,TPi:CDIa,CDIb, … ) specifying the TPs that users can execute.3. The system must authenticate each user requesting to execute a TP.4. Only a subject that may certify an access rule for a TP may modify
the respective entry in the list. This subject must not have execute rights on that TP.
![Page 46: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/46.jpg)
04/18/23 46
In the BLP model information can flow from a low security level to a high security level through access operations without any loss of confidential information.
Informally, a state transition from one object x to another object y causes
information flow if we learn more about x by observing y.
Information - Flow Models
![Page 47: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/47.jpg)
04/18/23 47
If you already know x then no information can flow
from x. Otherwise we have:
• Explicit information flow
-- Observing y after the assignment y:=x tells you the value of x.
• Implicit information flow
-- Observing y after the conditional statement • If x=0 then y:=1
may tell you something about x even if y is not 1,
e.g. if y = 2. Then we deduce that x is not 0.
Information - Flow Models
![Page 48: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/48.jpg)
04/18/23 48
A precise quantitative definition for information
flow can be given in terms of Information Theory.– The information flow from x to y is measured by
the equivocation (conditional entropy)
H (x | y) of x, given y.
Information - Flow Models
![Page 49: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/49.jpg)
04/18/23 49
Information - Flow Models
The components of the information flow model are:• A lattice• A set of labeled objects
•
(covert). illegal is this violates thatflow ninformatioAny
.
:ifonly permitted is label withobject an to label
withobject an fromflow ninformatio :policysecurity The
21
21
cc
cc
![Page 50: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/50.jpg)
04/18/23 50
Information - Flow Models
An IF system is secure if there is no illegal information flow.
• Advantages: it covers all kinds of information flow.• Disadvantages: far more difficult to design such systems.
E.g. checking whether a given system in the IF model is secure is an undecidable problem.
![Page 51: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/51.jpg)
04/18/23 51
Information - Flow Models
One must also distinguish between – static enforcement and – dynamic enforcement
of the information flow policies.
![Page 52: 12/4/20151 Computer Security Security models – an overview.](https://reader038.fdocuments.net/reader038/viewer/2022103122/56649f525503460f94c75b9e/html5/thumbnails/52.jpg)
04/18/23 52
Information - Flow Models
An alternative to information flow models are – non-interference models.
These provide a different formalism to describe the
knowledge of subjects regarding the state of the system.
system.
theof views'on influence no have of actions
theif subject with interferenot doesSubject
21
21
ss
s s