Transcript of Security Lecture 2
8/7/2019 Security Lecture 2
Computer Security
Lecture 2: Security Models
Syed Naqvi
[email protected]@ieee.org
09 November 2010 Lecture 2: Security Models 2
Access Control Models
Access Control
Access control constrains what a User can do directly, as well as what programs executing on his behalf are allowed to do.
Activity in the system is initiated by entities known as Subjects. Subjects are typically Users or Programs executing on their behalf.
A User may sign on to the system as different Subjects on different occasions.
Subjects can themselves be Objects. A Subject can create additional Subjects in order to accomplish its task.
Access Control Types
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Discretionary Access Control
An access list is used to control access by restricting a subject's access to an object. It is generally used to limit a user's access to a file. In this type of access control it is the owner of the file who controls other users' accesses to the file.
[Figure: an Application's Access List (Tom: Yes, John: No, Cindy: Yes), and a diagram mapping Individuals directly to Resources (Server 1, Server 2, Server 3).]
Mandatory Access Control
The need for a mandatory access control (MAC)
mechanism arises when the security policy of a system
dictates that:
protection decisions must not be decided by the object owner.
the system must enforce the protection decisions (i.e., the system
enforces the security policy over the wishes or intentions of the
object owner).
Mandatory Access Control
[Figure: Individuals mapped to Resources that carry classification labels: Server 1 (Top Secret), Server 2 (Secret), Server 3 (Classified).]
DAC vs. MAC
DAC:
Object owner has full power.
Complete trust in users.
Decisions are based only on user id and object ownerships.
Impossible to control data flow.
MAC:
Object owner CAN have some power.
Only trust in administrators.
Objects and tasks themselves can have ids.
Makes data flow control possible.
Role-Based Access Control
A user has access to an object based on the assigned role.
Roles are defined based on job functions.
Permissions are defined based on job authority and responsibilities within a job function.
Operations on an object are invoked based on the permissions.
The object is concerned with the user's role and not the user.
Role-Based Access Control
[Figure: Individuals are assigned to Roles (Role 1, Role 2, Role 3), and Roles are mapped to Resources (Server 1, Server 2, Server 3).]
Users change frequently, Roles don't.
Role-Based Access Control
Roles are engineered based on the principle of least privilege.
A role contains the minimum amount of permissions to instantiate an object.
A user is assigned to a role that allows him or her to perform only what's required for that role.
No single role is given more permission than the same role for another user.
Role-Based Access Control
[Figure: the RBAC reference model. Users are linked to Roles by User Assignment, and Roles to Permissions (Operations on Objects) by Permission Assignment. Sessions are linked to Users (user_sessions, one-to-many) and to Roles (role_sessions, many-to-many).]
An important difference from classical models is that Subject in other models corresponds to a Session in RBAC.
Role-Based Access Control
Example: Hospital Setup
The role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests.
The role of a researcher can be limited to gathering anonymous clinical information for studies.
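An added example (not from the lecture) of the Users / Roles / Permissions / Sessions model above, populated with the hospital roles: a session activates a subset of the user's assigned roles, and access is decided from the session's active roles rather than from the user. User names, session ids and object names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class RBAC:
    role_permissions: dict = field(default_factory=dict)  # PA: role -> {(operation, object)}
    user_roles: dict = field(default_factory=dict)        # UA: user -> {role}
    sessions: dict = field(default_factory=dict)          # session id -> (user, active roles)

    def grant(self, role, op, obj):
        self.role_permissions.setdefault(role, set()).add((op, obj))

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def open_session(self, sid, user, roles):
        """A session is RBAC's counterpart of a Subject: it activates a subset of the
        user's assigned roles (least privilege); an unassigned role is refused."""
        if not set(roles) <= self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not assigned all of {sorted(roles)}")
        self.sessions[sid] = (user, set(roles))

    def check(self, sid, op, obj):
        """Access is decided from the session's active roles, never from the user id."""
        _user, roles = self.sessions[sid]
        return any((op, obj) in self.role_permissions.get(r, set()) for r in roles)

def hospital():
    """The hospital setup from the slides: doctors diagnose, prescribe and order lab
    tests on patient records; researchers only read anonymised clinical data."""
    h = RBAC()
    for op in ("diagnose", "prescribe", "order_lab_test"):
        h.grant("doctor", op, "patient_record")
    h.grant("researcher", "read", "anonymised_clinical_data")
    h.assign("dr_smith", "doctor")       # constructed users
    h.assign("dr_smith", "researcher")   # a user may hold several roles
    h.assign("jones", "researcher")
    return h

if __name__ == "__main__":
    h = hospital()
    h.open_session("s1", "dr_smith", ["doctor"])   # only the role needed for this task
    h.open_session("s2", "jones", ["researcher"])
    print(h.check("s1", "prescribe", "patient_record"))   # True
    print(h.check("s2", "prescribe", "patient_record"))   # False
```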
Confidentiality Model
The Bell-LaPadula Model
The Bell-LaPadula model, also called the multi-level model, was proposed by Bell and LaPadula of MITRE for enforcing access control in government and military applications.
It corresponds to military-style classifications.
In such applications, subjects and objects are often partitioned into different security levels.
The Bell-LaPadula Model
A subject can only access objects at certain levels determined by his security level.
For instance, the following are two typical access specifications: "Unclassified personnel cannot read data at confidential levels" and "Top-Secret data cannot be written into the files at unclassified levels".
The Bell-LaPadula Model
The simplest type of confidentiality classification is a set of security clearances arranged in a linear (total) ordering.
Clearances represent the security levels.
The higher the clearance, the more sensitive the info.
Basic confidential classification system:
Level               Individuals         Documents
Top Secret (TS)     Peter, Thomas       Personnel Files
Secret (S)          Sally, Samuel       Electronic Mails
Confidential (C)    Claire, Clarence    Activity Log Files
Unclassified (UC)   Hannah, John        Telephone Lists
The Bell-LaPadula Model
Let L(S) = ls be the security clearance of subject S.
Let L(O) = lo be the security classification of object O.
Simple Security Condition (No Read Up): S can read O if and only if lo ≤ ls.
The Bell-LaPadula Model
Basic Security Theorem:
Let be a system with secure initial state 0. Let T be the set of state transformations.
If every element of T preserves the simple security condition, preliminary version, and the *-property, preliminary version, then every state i, i ≥ 0, is secure.
The Bell-LaPadula Model
A total order of classifications is not flexible enough: Alice is cleared for missiles, Bob is cleared for warheads, and both are cleared for targets.
Solution: Categories.
Each category describes a kind of information.
These categories arise from the need-to-know principle: no subject should be able to read objects unless reading them is necessary for that subject to perform its function.
Example: three categories: NUC, EUR, US.
Each security level together with a category set forms a security level or compartment.
Subjects have clearance at (are cleared into, or are in) a security level.
Objects are at the level of (or are in) a security level.
The Bell-LaPadula Model: Security Lattice
[Figure: the subset lattice over the categories NUC, EUR, US, top to bottom:
{NUC, EUR, US}
{NUC, EUR}   {NUC, US}   {EUR, US}
{NUC}   {EUR}   {US}]
William may be cleared into level (SECRET, {EUR}).
George into level (TS, {NUC, US}).
A document may be classified as (C, {EUR}).
Someone with clearance at (TS, {NUC, US}) will be denied access to a document with category EUR.
The Bell-LaPadula Model
The security level (L, C) dominates the security level (L', C') if and only if L' ≤ L and C' ⊆ C.
¬dom: the dominate relation is false.
George is cleared into security level (S, {NUC, EUR}).
DocA is classified as (C, {NUC}).
DocB is classified as (S, {EUR, US}).
DocC is classified as (S, {EUR}).
George ______ DocA
George ______ DocB
George ______ DocC
(Answers: dom, ¬dom, dom)
The Bell-LaPadula Model
Let C(S) be the category set of subject S.
Let C(O) be the category set of object O.
Simple Security Condition (no read up): S can read O if and only if S dom O and S has discretionary read access to O.
*-Property (no write down): S can write to O if and only if O dom S and S has discretionary write access to O.
Basic Security Theorem:
Let be a system with secure initial state 0. Let T be the set of state transformations. If every element of T preserves the simple security condition, preliminary version, and the *-property, preliminary version, then every state i, i ≥ 0, is secure.
The Bell-LaPadula Model
Bell-LaPadula allows a higher-level subject to write into a lower-level object that a low-level subject can read.
A subject has a maximum security level and a current security level. The maximum security level must dominate the current security level.
A subject may (effectively) decrease its security level from the maximum in order to communicate with entities at lower security levels.
Colonel's maximum security level is (S, {NUC, EUR}). She changes her current security level to (S, {EUR}). Now she can create a document at Major's clearance level (S, {EUR}).
The Bell-LaPadula Model
Example:
Alice's level is secret, Bob's level is unclassified, Carol's level is classified.
Memo1 is classified and Memo2 is top secret.
The simple security property specifies that:
Memo2 should not be read by Alice, Bob, or Carol.
Bob is not allowed to read Memo1, but both Alice and Carol are allowed to read it.
The *-property specifies that:
Bob and Carol can write to Memo1, since its level is not lower than theirs.
Alice's level is secret, so she is not permitted to write to Memo1.
Alice, Bob, and Carol are all at a lower level than Memo2 and can therefore write to it.
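An added example, not part of the lecture, that implements the dominance relation on (classification, category set) levels and both BLP conditions, then checks them against the George / DocA-DocC quiz and the Alice, Bob and Carol memo example above. It assumes the lecture's "classified" level is the Confidential (C) level of the clearance table, and models discretionary access as an optional set of operations.

```python
LEVELS = ["UC", "C", "S", "TS"]   # the lecture's linear order of clearances

def rank(level):
    return LEVELS.index(level)

def dom(a, b):
    """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
    (l1, c1), (l2, c2) = a, b
    return rank(l2) <= rank(l1) and set(c2) <= set(c1)

def can_read(subject, obj, dac=None):
    """Simple security condition (no read up): S dom O, and S holds discretionary
    read access. dac is the set of discretionary operations S has on O; None
    means the discretionary part is not being modelled (an assumption here)."""
    return dom(subject, obj) and (dac is None or "read" in dac)

def can_write(subject, obj, dac=None):
    """*-property (no write down): O dom S, and S holds discretionary write access."""
    return dom(obj, subject) and (dac is None or "write" in dac)

# The slide's quiz: George is cleared into (S, {NUC, EUR}).
GEORGE = ("S", {"NUC", "EUR"})
DOCS = {"DocA": ("C", {"NUC"}), "DocB": ("S", {"EUR", "US"}), "DocC": ("S", {"EUR"})}

def quiz():
    """'dom' or 'not dom' for George against each document."""
    return {name: ("dom" if dom(GEORGE, lvl) else "not dom") for name, lvl in DOCS.items()}

# The memo example uses the plain linear order, i.e. empty category sets.
PEOPLE = {"Alice": ("S", set()), "Bob": ("UC", set()), "Carol": ("C", set())}
MEMOS = {"Memo1": ("C", set()), "Memo2": ("TS", set())}

def memo_matrix():
    """(person, memo) -> 'r', 'w', 'rw' or '' under both BLP conditions,
    with no discretionary restrictions."""
    out = {}
    for p, pl in PEOPLE.items():
        for m, ml in MEMOS.items():
            out[(p, m)] = ("r" if can_read(pl, ml) else "") + ("w" if can_write(pl, ml) else "")
    return out

if __name__ == "__main__":
    print(quiz())           # {'DocA': 'dom', 'DocB': 'not dom', 'DocC': 'dom'}
    print(memo_matrix())    # e.g. ('Alice', 'Memo1') -> 'r', ('Bob', 'Memo1') -> 'w'
```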
Integrity Model
The Biba Model
Based on Bell-LaPadula.
Subjects, Objects.
Integrity levels with a dominance relation: higher levels are more reliable/trustworthy and more accurate.
Information transfer path: a sequence of subjects and objects where si r oi and si w oi+1.
The Biba Model
Characterized by the phrase: no write up, no read down.
Users can only create content at or below their own security level.
Users can only view content at or above their own security level.
Information may only flow downwards.
The Biba Model
Prevents corruption of clean higher-level entities by dirty lower-level entities. The Biba model addresses integrity, whereas Bell-LaPadula concerns disclosure of information.
Notation: subjects and objects are ordered by an integrity scheme denoted I(s) and I(o).
Properties:
Simple Integrity Property: subject s can modify (or have write access to) object o iff I(s) ≥ I(o).
Integrity *-property: if subject s has read access to object o with integrity level I(o), s can have write access to object p iff I(o) ≥ I(p).
Problem: ignores secrecy.
The Biba Model
Low-Water-Mark Policy
s w o ⇒ i(o) ≤ i(s): prevents writing to a higher level
s r o ⇒ i(s) = min(i(s), i(o)): drops the subject's level
s1 x s2 ⇒ i(s2) ≤ i(s1): prevents executing higher-level objects
Ring Policy
s r o: allows any subject to read any object
s w o ⇒ i(o) ≤ i(s) (same as above)
s1 x s2 ⇒ i(s2) ≤ i(s1)
The Biba Model
Biba's Model: Strict Integrity Policy (dual of Bell-LaPadula)
s r o ⇒ i(s) ≤ i(o) (no read-down)
s w o ⇒ i(o) ≤ i(s) (no write-up)
s1 x s2 ⇒ i(s2) ≤ i(s1)
Theorem for each: if there is an information transfer path from object o1 to object on+1, then enforcement of the policy requires that i(on+1) ≤ i(o1) for all n > 1.
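An added example (not the lecture's code) of the three Biba policies above as an access monitor over integer integrity levels (higher is more trustworthy), with a check of the information-transfer-path theorem on two constructed paths.

```python
def allow_write(i_s, i_o):
    """s w o requires i(o) <= i(s): no write-up (shared by all three policies)."""
    return i_o <= i_s

def allow_execute(i_s1, i_s2):
    """s1 x s2 requires i(s2) <= i(s1): no executing a higher-level subject."""
    return i_s2 <= i_s1

def read(policy, i_s, i_o):
    """Applies the read rule and returns (allowed, subject level afterwards).
    strict: allowed only if i(s) <= i(o) (no read-down), level unchanged.
    ring:   any read allowed, level unchanged.
    lwm:    any read allowed, but the subject drops to min(i(s), i(o))."""
    if policy == "strict":
        return (i_s <= i_o), i_s
    if policy == "lwm":
        return True, min(i_s, i_o)
    return True, i_s

def path_permitted(policy, subjects, objects):
    """An information transfer path o1 -> ... -> o(n+1): subject s_i reads o_i and
    then writes o_(i+1). subjects[i] is the starting level of s_(i+1), objects[i]
    is i(o_(i+1)); returns True if the policy lets every step through."""
    for i, i_s in enumerate(subjects):
        ok, i_s = read(policy, i_s, objects[i])
        if not ok or not allow_write(i_s, objects[i + 1]):
            return False
    return True

def theorem_holds(policy, subjects, objects):
    """The slide's theorem: a permitted path must satisfy i(o(n+1)) <= i(o1)."""
    return (not path_permitted(policy, subjects, objects)) or objects[-1] <= objects[0]

if __name__ == "__main__":
    up = ([2, 3], [1, 2, 3])       # constructed: a path that would raise integrity 1 -> 3
    down = ([2, 2], [3, 2, 1])     # constructed: a path that lowers integrity 3 -> 1
    for pol in ("strict", "lwm", "ring"):
        print(pol, path_permitted(pol, *up), path_permitted(pol, *down))
    # strict False True / lwm False True / ring True True: the ring policy lets the
    # upward path complete because it constrains direct modification only and
    # does not track what a subject has read.
```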
Data Isolation Model
The Chinese Wall Model
Used mainly by services and consultancy firms.
Effective in securing data/information that may lead to conflicts of interest within an organization/corporation.
Intended to prevent unauthorized flow of information from one organization to another via a consultant working at both.
Introduces the concept of separation of duty into access control.
GENERAL RULE: there must be no information flow that causes a conflict of interest.
The Chinese Wall Model
[Figure: Company A and Company B are competitors; both have an account in Bank X. Analyst A consults for Company A and Analyst B consults for Company B. Analyst A updates the Bank's portfolio with information on Company A, and Analyst B has access to the Bank's portfolio.]
The Chinese Wall Model
The simple security policy:
A subject has access to a particular object in company X only if such subject has had access to such object.
The *-property:
A subject can write to an object in a given company X only if such subject cannot read any data (or objects) from any company that is a competitor of X, unless such objects have been sanitized.
The Chinese Wall Model
Object: a file containing commercial information. If an object contains information that is not commercially sensitive it is said to be sanitized.
Company dataset: the set of files belonging to a particular organization.
Conflict of interest class: a set of companies whose owners are competitors (e.g., oil companies).
The Chinese Wall Model
Set of subjects S
Set of objects O
Set of companies C
Set of conflict of interest classes K
Each company belongs to at least one conflict of interest class.
Every unsanitized object has a security label (x(o), y(o)):
y : O → C identifies the owner of an object
x : O → K identifies the object's conflict of interest class
Every sanitized object has the same security label.
A history matrix H
The Chinese Wall Model
The Chinese Wall model must address confidentiality requirements over time.
The history matrix is used to record a history of past access to objects:
Rows indexed by subjects
Columns indexed by objects
Entries 0 or 1
H[s, o] = 1 indicates that subject s has accessed object o
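An added example, not from the lecture, that drives the Chinese Wall rules from the history matrix H. It uses the Brewer-Nash form of the simple security rule (a read is allowed if the object is sanitised, belongs to a company the subject has already read, or belongs to a conflict class the subject has not touched), which goes slightly beyond the slide's shorter wording; companies, files and subjects are constructed from the figure above.

```python
# Security label of an unsanitised object: (x(o), y(o)) = (conflict class, company).
# Constructed objects following the lecture's figure: Company A and Company B compete,
# both bank with Bank X; a sanitised brief carries no company-specific data.
OBJECTS = {
    "companyA_file":   ("industry", "CompanyA"),
    "companyB_file":   ("industry", "CompanyB"),
    "bankX_portfolio": ("bank", "BankX"),
    "public_brief":    None,
}

class ChineseWall:
    def __init__(self):
        self.H = {}   # history matrix: H[(s, o)] = 1 once subject s has accessed object o

    def labels_seen(self, s):
        """Labels of the unsanitised objects s has accessed so far (row s of H)."""
        return {OBJECTS[o] for (s2, o), v in self.H.items() if s2 == s and v and OBJECTS[o]}

    def can_read(self, s, o):
        """Simple security (Brewer-Nash form): o is sanitised, or o's company is one s has
        already read, or no object of o's conflict class has been read by s."""
        if OBJECTS[o] is None:
            return True
        cls, company = OBJECTS[o]
        return all(not (k == cls and c != company) for k, c in self.labels_seen(s))

    def can_write(self, s, o):
        """*-property: s may write o only if s can read it and every unsanitised object
        s is able to read belongs to o's own company; otherwise another company's data
        could flow into o. Sanitised objects are refused as write targets (an assumption)."""
        if OBJECTS[o] is None or not self.can_read(s, o):
            return False
        _cls, company = OBJECTS[o]
        readable = {OBJECTS[p] for p in OBJECTS if OBJECTS[p] and self.can_read(s, p)}
        return all(c == company for _k, c in readable)

    def read(self, s, o):
        """Mediates a read and, if allowed, records it in H."""
        if not self.can_read(s, o):
            return False
        self.H[(s, o)] = 1
        return True

if __name__ == "__main__":
    w = ChineseWall()
    print(w.read("analystA", "companyA_file"))         # True: first access, no history yet
    print(w.can_read("analystA", "companyB_file"))     # False: competitor of CompanyA
    print(w.can_read("analystA", "bankX_portfolio"))   # True: a different conflict class
    print(w.can_write("analystA", "bankX_portfolio"))  # False: CompanyA data could flow in
```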