CS 556 – Computer Security, Spring 2018 · cs556/lecture-notes/chinese-wall.pdf · Dr. Indrajit Ray,...


Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - © 2018 Colorado State University – 1 / 35

CS 556 – Computer Security

Spring 2018

Dr. Indrajit Ray

Email: indrajit@cs.colostate.edu

Department of Computer Science

Colorado State University

Fort Collins, CO 80523, USA

CHINESE WALL MODEL

CHINESE WALL MODEL

BREWER NASH MODEL FOR CHINESE WALL POLICY

BREWER NASH MODEL DISCUSSION

CHINESE WALL POLICY AS INSTANCE OF LBAC


Chinese Wall Policy


● Arises in the financial segment of the commercial sector, which provides consulting services to other companies

● Consultants have to deal with confidential company information for their clients

● Objective of the Chinese Wall policy is to prevent information flows that cause conflict of interest for individual consultants

Chinese Wall Policy


● Example of a commercial security policy for confidentiality

● Mixture of free choice (discretionary) and mandatory controls

● Requires some kind of dynamic labeling

● Brewer-Nash model (1989) for Chinese Wall policy

✦ Claim that the Chinese Wall policy cannot be represented correctly by a lattice-based model

Chinese Wall Policy


[Figure: hierarchy of All Objects, divided into Conflict of Interest Classes (Banks; Oil Companies), each containing Company Datasets (A and B; X and Y), which in turn contain Individual Objects.]

A consultant can access information about at most one company in each conflict of interest class

BREWER NASH MODEL FOR CHINESE WALL POLICY


BN Simple Security – Read Access


● Subject S can read object O only if

✦ Object O is in the same company dataset as some object O′ previously read by subject S (that is, O is within the wall), OR

✦ Object O belongs to a conflict of interest class within which subject S has not yet read any object (that is, O is in the open)

BN * Property – Write Access


● Subject S can write object O only if

✦ Subject S can read object O by the simple security rule, AND

✦ No object, O′, can be read which is in a different company dataset to the one for which write access is required

Reason for BN * Property


[Figure: Alice's wall encloses Bank A and Oil Company X; Bob's wall encloses Bank B and Oil Company X.]

Cooperating Trojan horses can transfer Bank A information to Bank B objects, and vice versa, using Oil Company X objects as intermediaries

BREWER NASH MODEL DISCUSSION


Implication of BN * Property


● Either

✦ Subject S cannot write at all

● Or

✦ Subject S is limited to reading and writing one company dataset
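The two Brewer-Nash rules and the implication above, as an added example that is not part of the original lecture notes: a minimal reference monitor in Python. The dataset names, the `Subject` class and the reading of "can be read" as "has already been read by S" are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: company dataset -> conflict of interest class
COI_OF = {"BankA": "Banks", "BankB": "Banks", "OilX": "Oil", "OilY": "Oil"}

@dataclass
class Subject:
    name: str
    history: set = field(default_factory=set)  # datasets this subject has read

def can_read(s, dataset):
    """BN simple security rule."""
    if dataset in s.history:                       # within the wall
        return True
    return all(COI_OF[d] != COI_OF[dataset] for d in s.history)  # in the open

def can_write(s, dataset):
    """BN *-property (assumption: 'can be read' means 'has been read by s')."""
    return can_read(s, dataset) and all(d == dataset for d in s.history)

def read(s, dataset):
    """Grant the read if allowed and record it in the subject's history."""
    allowed = can_read(s, dataset)
    if allowed:
        s.history.add(dataset)
    return allowed

def demo():
    alice, bob, carol = Subject("alice"), Subject("bob"), Subject("carol")
    out = {
        "alice_read_BankA": read(alice, "BankA"),
        "alice_read_OilX": read(alice, "OilX"),    # different COI class
        "alice_read_BankB": read(alice, "BankB"),  # same COI class as BankA
        "bob_read_BankB": read(bob, "BankB"),
        "bob_read_OilX": read(bob, "OilX"),
        "carol_read_BankA": read(carol, "BankA"),
    }
    # Alice has read two datasets, so she cannot write at all; this blocks the
    # relay of Bank A data through Oil Company X objects to Bob.
    out["alice_write_OilX"] = can_write(alice, "OilX")
    out["alice_write_BankA"] = can_write(alice, "BankA")
    # Carol has read one dataset only and may write inside it.
    out["carol_write_BankA"] = can_write(carol, "BankA")
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```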

Dynamic Aspect of Chinese Wall


● A fresh new consultant hire can access information about any company in the database

✦ Thus he/she can start at any level

● As the new hire advances, he/she acquires more information

✦ With BN model therefore we have to have a different consultant for every company dataset

Why This Impasse?


● Failure to clearly distinguish user labels from subject labels

✦ Users should be trusted

✦ Subjects can contain Trojan Horses so cannot be trusted

Users, Principals and Subjects


[Figure: tree with USER at the root; PRINCIPAL 1, PRINCIPAL 2, ..., PRINCIPAL n beneath it; and a group of SUBJECTS beneath each principal.]

Users, Principals and Subjects


● A principal is basically a login session

● A user is essentially a collection of principals

● A subject is basically a process running on behalf of the principal

✦ A principal can be a collection of several subjects

Users, Principals and Subjects


[Figure: the USER Alice and her PRINCIPALS, with boxes labelled Alice.novice, Alice.BANK A, Alice.OIL COMPANY X, and Alice.BANK A Alice.OIL COMPANY X.]

CHINESE WALL POLICY AS INSTANCE OF LBAC


Chinese Wall Lattice


● To properly understand and enforce information security policies we must distinguish between

✦ policy applied to users and

✦ policy applied to principals and subjects

● The Brewer-Nash star property should apply to Alice’s principals, not to Alice the user

● A lattice implementation of Chinese Wall should allow dynamic creation of principals rather than dynamic labelling of subjects

Chinese Wall Lattice


● We have to define

✦ The set of security classes

✦ The security class combining operator

✦ The can-flow relation

● Achieved with the help of 9 Axioms

Axioms 1 and 2


● Axiom 1:

✦ There are “n” conflict of interest classes $COI_1, COI_2, \ldots, COI_n$

● Axiom 2:

✦ Each conflict of interest class $COI_i$ consists of $m_i$ companies

■ That is $COI_i = \{1, 2, \ldots, m_i\}$

Axiom 3


● Labels for Objects

✦ Label each object in the system with the companies from which it contains information. Obviously an object cannot contain information from two companies from the same conflict of interest class

● A security label is an “n” element vector $[i_1, i_2, \ldots, i_n]$, where each $i_k \in COI_k$ or $i_k = \bot$ (null)

✦ $LABELS = \{[i_1, i_2, \ldots, i_n] \mid i_1 \in COI'_1, \ldots, i_n \in COI'_n\}$, where $COI'_1 = COI_1 \cup \{\bot\}, \ldots, COI'_n = COI_n \cup \{\bot\}$

Axiom 3 – Illustration


● Example

✦ Assume 5 different COI classes

✦ An object which contains information only from company #4 in $COI_3$ will be labeled by the vector [⊥, ⊥, 4, ⊥, ⊥]

● Note

✦ A label which has all ⊥ elements corresponds to public information

Axiom 4


● Special label for system high

✦ EXTLABELS = LABELS ∪ {SYSHIGH}

Axiom 5


● Dominance relation among labels

✦ Let $l_j[i_k]$ represent the $i_k$-th element of label $l_j$

✦ $(\forall l_p, l_q \in LABELS)\,[\,l_p \ge l_q \iff (\forall i_k = 1, \ldots, n)\,[(l_p[i_k] = l_q[i_k]) \lor (l_q[i_k] = \bot)]\,]$

✦ That is $l_p$ dominates $l_q$ provided that $l_p$ and $l_q$ agree wherever $l_q \ne \bot$

Axiom 5 - Examples


● [1,3,2] is a label for an object with information from company #1 in $COI_1$, company #3 in $COI_2$ and company #2 in $COI_3$

● [1,3,⊥] is a label for an object with information from company #1 in $COI_1$, company #3 in $COI_2$ and no information from any company in $COI_3$

● [1,3,2] > [1,3,⊥]

Axiom 5 - More Examples


● [1,3,1] > [⊥,⊥,1]

● [⊥,3,⊥] and [⊥,2,⊥] are incomparable (that is, neither dominates the other)

Axiom 6


● To account for system high

✦ (∀l ∈ EXTLABELS)[SYSHIGH ≥ l]

✦ That is SYSHIGH dominates all other labels

Axiom 7


● Compatible labels

✦ $l_p, l_q \in LABELS$ are compatible iff $(\forall k = 1, \ldots, n)\,[(l_p[i_k] = l_q[i_k]) \lor (l_p[i_k] = \bot) \lor (l_q[i_k] = \bot)]$

✦ Intuitively information from compatible incomparable classes can be combined without violating the Chinese Wall policy

Axiom 7 Example


● [⊥,3,⊥] and [⊥,2,⊥] are incompatible

✦ They are also incomparable

● [1,⊥,2] and [1,2,⊥] are compatible

✦ They are incomparable, though

● [1,3,1] and [⊥,⊥,1] are compatible

✦ They are also comparable

✦ By definition comparable labels are compatible

Axiom 8


● Class combining (or ⊕) operation

✦ Compatible labels are combined as follows – if $l_p$ is compatible with $l_q$ then $l_p \oplus l_q = l_s$, where

$$l_s[i_k] = \begin{cases} l_p[i_k] & \text{if } l_p[i_k] \ne \bot \\ l_q[i_k] & \text{otherwise} \end{cases}$$

Axiom 8 (continued)


● Class combining (or ⊕) operation

✦ Incompatible classes are combined as follows – if $l_p$ is incompatible with $l_q$ then $l_p \oplus l_q = SYSHIGH$

✦ If $l_p \ge l_q$ then $l_p \oplus l_q = l_p$

✦ If $l_q \ge l_p$ then $l_p \oplus l_q = l_q$

Axiom 8 Example


● [1,⊥,2] is compatible with [1,2,⊥]

✦ [1,⊥,2] ⊕ [1,2,⊥] = [1,2,2]

● [1,2,⊥] ≥ [1,⊥,⊥]

✦ [1,2,⊥] ⊕ [1,⊥,⊥] = [1,2,⊥]

Axiom 9


● Class combining with respect to SYSHIGH

✦ (∀l ∈ EXTLABELS)[l ⊕ SYSHIGH = SYSHIGH]

Example of a Chinese Wall Lattice


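[Figure: Hasse diagram of the Chinese Wall lattice for two conflict of interest classes with two companies each. Top: SYSHIGH. Next level: [1, 1], [1, 2], [2, 1], [2, 2]. Next level: [1, ⊥], [⊥, 1], [⊥, 2], [2, ⊥]. Bottom: [⊥, ⊥].]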
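Axioms 3 to 9 as an added Python example, not part of the original lecture notes: labels are tuples with `None` standing for ⊥, and all function names are hypothetical. It also checks that ⊕ behaves as a least upper bound over the ten labels of the example lattice above.

```python
from itertools import product

BOT = None            # stands for ⊥ (no information from that COI class)
SYSHIGH = "SYSHIGH"   # Axiom 4: extra top element

def labels(coi_sizes):
    """Axiom 3: every vector whose k-th element is in COI_k ∪ {⊥}."""
    choices = [[BOT] + list(range(1, m + 1)) for m in coi_sizes]
    return [tuple(v) for v in product(*choices)]

def dominates(lp, lq):
    """Axioms 5 and 6: lp >= lq."""
    if lp == SYSHIGH:
        return True
    if lq == SYSHIGH:
        return False
    return all(q is BOT or p == q for p, q in zip(lp, lq))

def compatible(lp, lq):
    """Axiom 7: the labels agree wherever both are non-⊥."""
    return all(p == q or p is BOT or q is BOT for p, q in zip(lp, lq))

def combine(lp, lq):
    """Axioms 8 and 9: the class-combining operator ⊕."""
    if SYSHIGH in (lp, lq) or not compatible(lp, lq):
        return SYSHIGH
    return tuple(p if p is not BOT else q for p, q in zip(lp, lq))

def is_least_upper_bound(ext):
    """True if lp ⊕ lq dominates both operands and lies below every other upper bound."""
    for lp, lq in product(ext, repeat=2):
        j = combine(lp, lq)
        if not (dominates(j, lp) and dominates(j, lq)):
            return False
        uppers = [u for u in ext if dominates(u, lp) and dominates(u, lq)]
        if not all(dominates(u, j) for u in uppers):
            return False
    return True

# The example lattice: two COI classes with two companies each
EXT = labels([2, 2]) + [SYSHIGH]

if __name__ == "__main__":
    print(len(EXT), is_least_upper_bound(EXT))
    print(combine((1, BOT, 2), (1, 2, BOT)))
```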

Assigning Labels to Users


● The label of a user is a high water mark that can float up in the Chinese Wall lattice starting with [⊥, ⊥, . . ., ⊥]

● With each user a set of principals is associated, one at each label dominated by a user’s label

✦ For example if Alice, the user, has a label [1, 2], then Alice has the following set of principals – Alice.[1, ⊥], Alice.[⊥, 2] and Alice.[⊥, ⊥]

✦ Alice can log in as any one of these principals at any given time.
