Definitions
_____ : a particular collection of value assignments (i.e. to computer registers, memory, secondary stores, relevant network devices, etc.)
_____ : the set of all possible protection states (i.e., a universal set)
_____ : a state that deals only with assignments relevant to security/protection
_____ : the set of all authorized protection states
_____ : state s is safe iff s _____
_____ : security has been breached whenever a system enters state s for which s _____
_____ : a security policy should define what constitutes Pauth
_____ : a security mechanism should ensure that a system never reaches a state in
If a policy is Pauth, then why is it impractical to enumerate Pauth?
A better solution: define the policy in terms of who has access to what, i.e. in terms of Subject (s) and Asset (a).
a is confidential to s iff other subjects _____ a. (Confidentiality Policy)
a has integrity to s iff s _____ a. (Integrity Policy)
a is available to s iff s is _____ a. (Availability Policy)
Consider a policy for maintaining the confidentiality of government documents.
policy model: a set of policies (abstractly, a set of policy properties)

Level          Numeric equivalent
Top Secret     4
Secret         3
Confidential   2
Unclassified   1
(the same scale is used for the classification of assets and the clearance of subjects)
Simple Security Property: Subject s can read asset a iff clearance(s) ≥ classification(a)
This property has been widely used for years.
However, the Simple Security Property only applies to reads. What about writes?
Another Issue: Why does the Simple Security Property not enforce a Need-to-know policy?
*-Property: Subject s can write to asset a iff clearance(s) classification(a)
A multi-level confidentiality model, circa 1986
It is common to include codewords in addition to classification and clearance (e.g., DesertStorm, Umbra).
In this system a security classification/clearance consists of an ordered pair: ( level, set of codewords )
We can define access using a dominance relation, dom, as follows. Let
clearance(s) = ( sLevel, sCodewords )
classification(a) = ( aLevel, aCodewords )
dom(s, a) means sLevel ≥ aLevel and c [(c aCodewords) (c sCodewords)]
Example:
v = (TopSecret, {Iraq, Iran, Nato, China})
w = (Secret, {Iraq})
x = (TopSecret, {Nato})
y = (Confidential, {Nato})
z = (Confidential, {Iran, Iraq, Nato})
A system is said to be secure (in the sense of confidentiality) given that it maintains the following two properties:
Simple Security Property: Subject s can read asset a iff ( dom(s, a) and read acm[s, a] )
*-Property: Subject s can write to asset a iff ( dom(a, s) and write acm[s, a] )
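The two properties above, worked through in Python on the five example labels. This is an added illustration, not code from the slides: it reads the codeword clause of dom as "every codeword of the asset is held by the subject" (the standard subset reading), and the access control matrix entry is a constructed set of rights.

```python
from dataclasses import dataclass

# Numeric equivalents of the four levels, as tabulated on the slides.
LEVELS = {"Unclassified": 1, "Confidential": 2, "Secret": 3, "TopSecret": 4}


@dataclass(frozen=True)
class Label:
    """A clearance or classification: an ordered pair (level, set of codewords)."""
    level: str
    codewords: frozenset


def dom(p: Label, q: Label) -> bool:
    """p dominates q: level(p) >= level(q) and every codeword of q is also a
    codeword of p (subset reading of the slide's codeword clause; assumption)."""
    return LEVELS[p.level] >= LEVELS[q.level] and q.codewords <= p.codewords


def incomparable(p: Label, q: Label) -> bool:
    """Neither label dominates the other: dom is only a partial order."""
    return not dom(p, q) and not dom(q, p)


def can_read(clearance: Label, classification: Label, acm_entry: set) -> bool:
    """Simple Security Property: dom(s, a) and read in acm[s, a]."""
    return dom(clearance, classification) and "read" in acm_entry


def can_write(clearance: Label, classification: Label, acm_entry: set) -> bool:
    """*-Property: dom(a, s) and write in acm[s, a]  (no write down)."""
    return dom(classification, clearance) and "write" in acm_entry


# The five labels from the slide's example.
v = Label("TopSecret", frozenset({"Iraq", "Iran", "Nato", "China"}))
w = Label("Secret", frozenset({"Iraq"}))
x = Label("TopSecret", frozenset({"Nato"}))
y = Label("Confidential", frozenset({"Nato"}))
z = Label("Confidential", frozenset({"Iran", "Iraq", "Nato"}))

# Constructed access control matrix entry granting both rights, so that the
# decisions printed below are determined by dom alone.
ACM = {"read", "write"}

if __name__ == "__main__":
    labels = [("v", v), ("w", w), ("x", x), ("y", y), ("z", z)]
    for sname, s in labels:
        for aname, a in labels:
            print(f"{sname} -> {aname}: read={can_read(s, a, ACM)} "
                  f"write={can_write(s, a, ACM)}")
```

Note that w and z are incomparable: w has the higher level but lacks codewords that z carries, so neither subject may read the other's assets.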
Following these properties, is it possible for someone to write to a document they cannot read?
Following these properties, is it possible for someone to read a document they cannot write?
How can a superior communicate with a subordinate?
Raising an asset's security level: this has little impact except for future limited access.
Lowering an asset's security level: this violates the *-property.
Solution: Two Types of Tranquility
Strong Tranquility: Neither clearances nor classifications change throughout the system's lifetime.
Weak Tranquility: Clearances and classifications can only change in a way that preserves both the simple security property and the *-property.
Ken Biba, 1975
Simple Security Property: Subject s can write asset a iff integrity(s) integrity(a)
*-Property: Subject s can read asset a iff integrity(s) integrity(a)
read only up
write only down
Low water mark principle
High water mark principle
Execute Property: Action p1 can execute an action p2 iff integrity(p1) integrity(p2)
Multi-level Models
Multi-lateral Models
[Figure: a multi-level model with the ordered levels Top Secret, Secret, Confidential, Unclassified, beside a multi-lateral model with Asset Group 1, Asset Group 2, Asset Group 3 and subjects S1, S2, S3, S4]
This model is often used in the service industry where knowledge of sensitive information comes from multiple different competing and non-competing companies (e.g. consulting companies, law practices, insurance companies).
A multi-lateral hybrid model, Brewer & Nash 1989
Example: A financial consulting firm has the following clients: Oracle, Microsoft, General Motors, Ford Motor Co. and Toyota.
Consider the potential conflicts of interest.
Consider that assets are partitioned into conflict of interest groups (industrial competitors).
Simple Security Property: Subject s can read asset a iff a' (a' readable by s) [ company(a) competitors(company(a')) OR company(a) = company(a') ]
*-Property: Subject s can write to asset a iff a satisfies the Simple Security Property for s AND a' (a' readable by s) [ competitors(company(a')) = OR company(a) = company(a') ]
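The Brewer & Nash rules above, applied to the consulting firm's five clients. This is an added example, not part of the slides: the grouping of the clients into two conflict-of-interest classes is constructed, and an asset whose company has no competitors is treated as sanitized public information (the case where competitors(company(a')) is empty).

```python
# Constructed conflict-of-interest classes for the five clients named on the slide.
COI_CLASSES = [
    {"Oracle", "Microsoft"},
    {"General Motors", "Ford Motor Co.", "Toyota"},
]
# Sanitized, public information belongs to no class and so has no competitors.
PUBLIC = "Public"


def competitors(company: str) -> set:
    """All other companies in the same conflict-of-interest class as `company`."""
    for group in COI_CLASSES:
        if company in group:
            return group - {company}
    return set()


class ChineseWall:
    """The wall is built from history: what each subject has already read."""

    def __init__(self):
        self.readable = {}  # subject -> set of companies whose assets s has read

    def can_read(self, s: str, company: str) -> bool:
        """Simple Security Property: for every asset a' already readable by s,
        company(a) is not a competitor of company(a'), or is the same company."""
        return all(company not in competitors(c) or company == c
                   for c in self.readable.get(s, set()))

    def read(self, s: str, company: str) -> bool:
        """Perform a read if permitted, extending the subject's history."""
        if not self.can_read(s, company):
            return False
        self.readable.setdefault(s, set()).add(company)
        return True

    def can_write(self, s: str, company: str) -> bool:
        """*-Property: a satisfies the SSP for s, and every a' readable by s is
        either sanitized (no competitors) or belongs to the same company as a."""
        if not self.can_read(s, company):
            return False
        return all(not competitors(c) or c == company
                   for c in self.readable.get(s, set()))
```

A consultant who has read Oracle and Ford material may still read either client, but can no longer write to either: a write to Oracle could carry Ford information across the wall to GM or Toyota.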
A security model of double-entry bookkeeping, 1987
Rules (numbered to match Bishop)
CR1. The system has procedures to verify the integrity of every constrained data item (CDI).
CR2. A CDI's integrity must be maintained whenever a transformation procedure (TP) is applied.
CR3. The Rule ER2 restrictions must enforce an appropriate separation of duty policy on subjects.
CR4. The application of a TP must store enough info in an append-only CDI to be able to reconstruct the transaction.
CR5. Certain special TPs can produce CDIs from unrestricted data.
ER1. The only way to change a CDI is by applying a proper TP.
ER2. Subjects can only initiate selected TPs on selected CDIs.
ER3. The system must authenticate subjects attempting to initiate a TP.
ER4. Only special subjects (i.e., security officers) are permitted to alter authorization-related data.
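A small enforcement skeleton for the rules above on a double-entry ledger, added here as an illustration rather than taken from the slides or from Bishop. The CDIs are account balances, the single TP is `transfer`, the integrity invariant (money is neither created, destroyed nor overdrawn) and the transfer/audit separation of duty are constructed for the example.

```python
class ClarkWilson:
    """Toy Clark-Wilson enforcement: CDIs are account balances, `transfer` is the TP."""

    def __init__(self, balances: dict):
        self.cdis = dict(balances)            # CDIs; ER1: change them only via a TP
        self.total = sum(balances.values())   # books balance: the total is invariant
        self.triples = set()                  # ER2: permitted (user, tp, cdi)
        self.authenticated = set()            # ER3: who has been authenticated
        self.log = []                         # CR4: append-only transaction CDI

    def ivp(self, cdis: dict) -> bool:
        """CR1: integrity verification procedure; no money created, lost or
        overdrawn (constructed invariant for this example)."""
        return sum(cdis.values()) == self.total and min(cdis.values()) >= 0

    def certify(self, user: str, tp: str, cdi: str) -> None:
        """Add an ER2 triple; CR3 separation of duty forbids one user holding
        both the 'transfer' and the 'audit' role."""
        conflicting = {"transfer": "audit", "audit": "transfer"}[tp]
        if any(u == user and t == conflicting for u, t, _ in self.triples):
            raise PermissionError(f"{user} may not hold both transfer and audit")
        self.triples.add((user, tp, cdi))

    def login(self, user: str) -> None:
        self.authenticated.add(user)          # stands in for real authentication

    def transfer(self, user: str, src: str, dst: str, amount: int) -> bool:
        """The TP: move `amount` from src to dst, enforcing ER3, ER2, CR2, CR4."""
        if user not in self.authenticated:                          # ER3
            return False
        if any((user, "transfer", c) not in self.triples for c in (src, dst)):
            return False                                            # ER2
        proposed = dict(self.cdis)
        proposed[src] -= amount
        proposed[dst] += amount
        if not self.ivp(proposed):                                  # CR2
            return False
        self.cdis = proposed
        self.log.append((user, "transfer", src, dst, amount))       # CR4
        return True
```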