1
ISA 562 Information System Security
Confidentiality Policies
Chapter 5 from Bishop's Book
2
Overview
• Review and background: lattices; military systems and Denning's Axioms
• Bell-LaPadula (BLP) Policy: Step 1 – clearance/classification; Step 2 – categories; example system – DG/UX
• Tranquility
• Controversy
3
Definition: Poset
A poset (partially ordered set) is a pair (A, ≤) where A is a set and ≤ is a partial order on A. Thus ≤ is:
• reflexive: x ≤ x for all x ∈ A
• transitive: x ≤ y and y ≤ z ⇒ x ≤ z for all x, y, z ∈ A
• anti-symmetric: x ≤ y and y ≤ x ⇒ x = y for all x, y ∈ A
(Hasse diagram on the slide: A above B, C and D, which are all above E; B, C and D are pairwise incomparable.)
≤ is a total order iff x ≤ y or y ≤ x for all x, y ∈ A
(Hasse diagram on the slide: the chain A above B above C.)
4
Upper and Lower Bounds of Posets
Definition: (A, ≤) is a poset and B ⊆ A.
• b ∈ A is an upper bound of B iff x ≤ b for all x ∈ B
• c ∈ A is a lower bound of B iff c ≤ x for all x ∈ B
(Diagram on the slide: the set B = {B1, ..., B6}, an upper bound b above every element of B, and a lower bound c below every element of B.)
5
Suprema and Infima of Posets
Definition: (A, ≤) is a poset and B ⊆ A.
• b0 ∈ A is a least upper bound (supremum) of B iff (1) b0 is an upper bound of B and (2) b0 ≤ b for every other upper bound b of B
• c0 ∈ A is a greatest lower bound (infimum) of B iff (1) c0 is a lower bound of B and (2) c ≤ c0 for every other lower bound c of B
(Diagram on the slide: the set B = {B1, ..., B6}; upper bounds b0, b1, b2, b3, of which b0 is the least; lower bounds c0, c2, c3, c4, of which c0 is the greatest.)
6
Semi-lattices and Lattices
• An upper semi-lattice is a poset in which every pair of elements (and hence every finite non-empty subset) has a supremum. Notation: join, written x ∨ y
• A lower semi-lattice is a poset in which every pair of elements (and hence every finite non-empty subset) has an infimum. Notation: meet, written x ∧ y
• A lattice is a poset that is both an upper semi-lattice and a lower semi-lattice
7
Example Lattices – Power Set Lattice
S = {a, b, c}; 2^S = { ∅, {a}, {b}, {c}, {a,b}, {b,c}, {a,c}, {a,b,c} }
Arrows mean ⊆ (informally, "is included in")
Three Hasse diagrams on the slide:
• Special case, total order: the chain ∅ ⊆ {a} ⊆ {a,b} ⊆ {a,b,c}
• Partial order: the elements {a,b,c}, {a,b}, {a}, {b,c}, {c} under ⊆ ({a} and {c} are incomparable, and because ∅ is absent they have no lower bound at all, so this poset is not a lattice)
• Special case, lattice: all of 2^S under ⊆, with join = ∪ and meet = ∩
8
Product Lattices
Let (L1, ≤1, ∨1, ∧1) and (L2, ≤2, ∨2, ∧2) be two lattices.
Then the product lattice is defined as (L, ≤, ∨, ∧) where:
• L = L1 × L2, that is L = {(x, y) : x ∈ L1 and y ∈ L2}
• (x, y) ≤ (a, b) iff x ≤1 a and y ≤2 b
• join and meet are taken componentwise: (x, y) ∨ (a, b) = (x ∨1 a, y ∨2 b) and (x, y) ∧ (a, b) = (x ∧1 a, y ∧2 b)
9
Example Product Lattice
Lattice 1: the power set of {a, b}, i.e. ∅, {a}, {b}, {a,b} (arrow means ⊆)
Lattice 2: the chain 1 ≤ 2 (arrow means ≤)
In Lattice 1 × Lattice 2, (x, y) ≤ (x', y') means x ⊆ x' and y ≤ y'.
(Diagram on the slide: the eight elements (ab,2), (a,2), (b,2), (∅,2), (ab,1), (a,1), (b,1), (∅,1); for instance (a,1) ≤ (ab,2), while (a,2) and (b,1) are incomparable.)
10
Military-style system
• Confidentiality is most important; integrity and availability are important but incidental
• Users have clearances, files are classified (labeled)
• Naturally MAC-centric
• All information is locked in the system. This assumes: you won't memorize something and go outside to tell others; disclosure is only possible within the system
11
Military-style system (cont.)
Denning's Axioms: security classes (clearances and classifications) form a lattice.
(Diagram on the slide: the chain Unclassified < Confidential < Secret < Top Secret, and the category lattice with {EUR, US} above {EUR} and {US}. Arrows point from a class to the classes that dominate it; information can flow only in that direction.)
12
Information Flow
• When x reads y, information flows from y to x
• When x writes y, information flows from x to y
13
Overview
• Review and background: lattices; military systems and Denning's Axioms
• Bell-LaPadula (BLP) Policy: Step 1 – clearance/classification; Step 2 – categories; example system – DG/UX
• Tranquility
• Controversy at a glance
14
The Bell-LaPadula Policy: The Preliminary Version
• Security levels are linearly ordered (L): Top Secret (highest) > Secret > Confidential > Unclassified (lowest)
• Subjects and objects are each assigned a level in the linear order
• Subject levels are called security clearances, L(s); object levels are called security classifications, L(o)
• Formally they are mappings into L: Ls: Subjects → L and Lo: Objects → L
15
An Example
security level   subject   object
Top Secret       Tamara    Personnel Files
Secret           Samuel    E-Mail Files
Confidential     Claire    Activity Logs
Unclassified     Ulaley    Telephone Lists
• Tamara can read all files
• Claire cannot read Personnel or E-Mail Files
• Ulaley can only read Telephone Lists
16
The Simple Security Property: The Preliminary Version
• Simple Security Property: subject s can read object o iff L(o) ≤ L(s)
• Information flows up, not down: "read up" is not allowed, "read down" is allowed
• Sometimes called the "no read up" rule. Why? Otherwise a subject could obtain information above its level
• Discretionary controls may also be present
17
The *-Property: Preliminary Version
• *-Property: subject s can write object o iff L(s) ≤ L(o)
• "Write up" is allowed, "write down" is not allowed (the "no write down" rule)
• Why? Without it a subject, or a Trojan horse running with its clearance, could copy what it has read down to a level where a less-cleared subject (or a cooperating foreign agent) can read it
18
What is Prevented?
• Tamara reads the personnel files of all spooks working in country X, and then writes them into the activity log
• Claire reads the activity log and sells it to country X (exit spooks)
security level   subject   object
Top Secret       Tamara    Personnel Files
Secret           Samuel    E-Mail Files
Confidential     Claire    Activity Logs
Unclassified     Ulaley    Telephone Lists
• Not possible with the *-property: Tamara (Top Secret) cannot write down into the Confidential activity log
19
The Basic Security Theorem: The Preliminary Version
If a system is initially in a secure state, and every transition of the system satisfies (1) the simple security condition and (2) the *-property, then every state of the system is secure.
To state and prove this theorem formally we need to (1) formalize "secure state" and (2) formalize "state transition".
20
The BLP Model: Final Version
• Expand the notion of security level to include categories, based on the need-to-know principle
• A security level is a pair (clearance, category set). Examples:
(Top Secret, {NUC, EUR, ASI}), (Confidential, {EUR, ASI}), (Secret, {NUC, ASI}), (Unclassified, {NUC})
21
Security Levels as a Product Lattice
(A, C) dom (A', C') iff A' ≤ A and C' ⊆ C
Examples:
• (Top Secret, {NUC, ASI}) dom (Secret, {NUC})
• (Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
• (Top Secret, {NUC}) does not dom (Confidential, {EUR}), since {NUC} does not contain EUR; neither level dominates the other, so they are incomparable
Let C be the set of classifications (a total order) and K the set of categories. The set of security levels is L = C × 𝒫(K), and (L, dom) forms a lattice: the product of the chain C with the power-set lattice of K.
(Diagram on the slide: the same product lattice as earlier, with elements (ab,2), (a,2), (b,2), (∅,2), (ab,1), (a,1), (b,1), (∅,1).)
22
Levels and Ordering
• Security levels are partially ordered: any pair of security levels may (or may not) be related by dom
• "dominates" serves the role that "greater than" played in step 1; "greater than" there was a total ordering, and a total ordering is a special (degenerate) case of a lattice
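To make the product-lattice definitions concrete, here is an added Python example (not code from the slides or from Bishop's book) that implements levels as (classification, category set) with dom, join and meet, evaluates the three pairs from the slide above, and verifies by brute force over all of C × 𝒫(K) that join and meet really are the supremum and infimum of every pair. The Level class, all_levels() and is_lattice() are this example's own names; the classification names and the categories NUC, EUR, ASI are the slide's.

```python
"""Security levels (classification, category set) as a product lattice.

Added example, not from Bishop's slides or book: the dom/join/meet rules
follow the definitions above; the Level class, all_levels() and
is_lattice() are this example's own scaffolding.
"""
from dataclasses import dataclass
from itertools import chain, combinations

# Linear order on classifications: larger index = higher.
CLASSIFICATIONS = ("Unclassified", "Confidential", "Secret", "Top Secret")
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}


@dataclass(frozen=True)
class Level:
    classification: str
    categories: frozenset

    def __post_init__(self):
        if self.classification not in RANK:
            raise ValueError(f"unknown classification {self.classification!r}")
        # normalise any iterable of category names to a frozenset
        object.__setattr__(self, "categories", frozenset(self.categories))

    def dom(self, other: "Level") -> bool:
        """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
        return (RANK[other.classification] <= RANK[self.classification]
                and other.categories <= self.categories)

    def comparable(self, other: "Level") -> bool:
        return self.dom(other) or other.dom(self)

    def join(self, other: "Level") -> "Level":
        """Least upper bound: the lowest level an object combining both may carry."""
        top = max(self.classification, other.classification, key=RANK.__getitem__)
        return Level(top, self.categories | other.categories)

    def meet(self, other: "Level") -> "Level":
        """Greatest lower bound: the highest level readable by subjects at both."""
        bottom = min(self.classification, other.classification, key=RANK.__getitem__)
        return Level(bottom, self.categories & other.categories)


def all_levels(categories=("NUC", "EUR", "ASI")):
    """Every element of C x P(K) for the given category set K."""
    subsets = chain.from_iterable(combinations(categories, n)
                                  for n in range(len(categories) + 1))
    subsets = [frozenset(s) for s in subsets]
    return [Level(c, s) for c in CLASSIFICATIONS for s in subsets]


def is_lattice(levels):
    """Brute-force check that join() is the supremum and meet() the infimum
    of every pair, i.e. that (levels, dom) really is a lattice."""
    for a in levels:
        for b in levels:
            j, m = a.join(b), a.meet(b)
            uppers = [u for u in levels if u.dom(a) and u.dom(b)]
            lowers = [lo for lo in levels if a.dom(lo) and b.dom(lo)]
            if j not in uppers or not all(u.dom(j) for u in uppers):
                return False
            if m not in lowers or not all(m.dom(lo) for lo in lowers):
                return False
    return True


# The slide's three pairs: the third is NOT related by dom ({NUC} does not
# contain EUR), so those two levels are incomparable.
SLIDE_PAIRS = [
    (Level("Top Secret", {"NUC", "ASI"}), Level("Secret", {"NUC"})),
    (Level("Secret", {"NUC", "EUR"}), Level("Confidential", {"NUC", "EUR"})),
    (Level("Top Secret", {"NUC"}), Level("Confidential", {"EUR"})),
]


def slide_results():
    """dom result for each slide pair, in order."""
    return [a.dom(b) for a, b in SLIDE_PAIRS]


if __name__ == "__main__":
    for (a, b), r in zip(SLIDE_PAIRS, slide_results()):
        print(f"{a} dom {b}: {r}")
    a, b = SLIDE_PAIRS[2]
    print("join:", a.join(b), "meet:", a.meet(b))
    print("product lattice check:", is_lattice(all_levels()))
```

The join is what a labelling system needs when one object is derived from two sources: (Top Secret, {NUC}) joined with (Confidential, {EUR}) is (Top Secret, {NUC, EUR}), the least level that dominates both inputs.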
23
The Simple Security Property: The Final Version
• Simple Security Property: subject s can read object o iff L(s) dom L(o)
• L(s) dom L(o) iff C(s) ≥ C(o) and K(s) ⊇ K(o)
• Information flows up, not down: "read up" is not allowed, "read down" is allowed. Sometimes called the "no read up" rule
24
The *-Property: The Final Version
• *-Property: subject s can write object o iff L(o) dom L(s)
• Information flows up, not down: "write up" is allowed, "write down" is not allowed. Sometimes called the "no write down" rule
25
The Basic Security Theorem: The Final Version
If a system is initially in a secure state, and every transition of the system satisfies (1) the simple security condition and (2) the *-property, then every state of the system is secure.
26
Applying BLP: Example 1
• Colonel has (Secret, {NUC, EUR}) clearance; Major has (Secret, {EUR}) clearance
• Major can talk to colonel (a "write up" for the major, a "read down" for the colonel)
• Colonel cannot talk to major (it would be a "read up" for the major or a "write down" for the colonel)
• This interferes with functionality! The colonel is a user, and can log in with a different id (as a different principal) with reduced clearance: Alias1 (Secret, {NUC, EUR}), Alias2 (Secret, {EUR})
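The two final-form rules, applied to the slide's two scenarios (the Tamara/Claire laundering attempt from "What is Prevented?" and the colonel's reduced-clearance alias from Example 1), as an added Python example that is not code from the slides or from Bishop's book. It is a small reference monitor that enforces no-read-up and no-write-down over (clearance, category set) levels; the Monitor class, the file contents and the scenario functions are constructed for this example, while the subject, object and clearance names are the slides'.

```python
"""A minimal Bell-LaPadula reference monitor for the final model.

Added example, not from the slides or Bishop: the rules are the slides'
(simple security: read iff L(s) dom L(o); *-property: write iff
L(o) dom L(s)); the Monitor class and the scenarios are this example's own.
"""

RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def level(classification, categories=()):
    return (classification, frozenset(categories))


def dom(a, b):
    """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
    return RANK[b[0]] <= RANK[a[0]] and b[1] <= a[1]


class Monitor:
    def __init__(self):
        self.clearance = {}       # subject -> level
        self.classification = {}  # object  -> level
        self.contents = {}        # object  -> list of lines
        self.log = []             # (op, subject, object, allowed)

    def add_subject(self, name, classification, categories=()):
        self.clearance[name] = level(classification, categories)

    def add_object(self, name, classification, categories=(), contents=()):
        self.classification[name] = level(classification, categories)
        self.contents[name] = list(contents)

    def read(self, s, o):
        """Simple security property: allowed iff L(s) dom L(o) ('no read up')."""
        allowed = dom(self.clearance[s], self.classification[o])
        self.log.append(("read", s, o, allowed))
        return list(self.contents[o]) if allowed else None

    def write(self, s, o, line):
        """*-property: allowed iff L(o) dom L(s) ('no write down')."""
        allowed = dom(self.classification[o], self.clearance[s])
        self.log.append(("write", s, o, allowed))
        if allowed:
            self.contents[o].append(line)
        return allowed


def slide_system():
    m = Monitor()
    for subj, lvl in [("Tamara", "Top Secret"), ("Samuel", "Secret"),
                      ("Claire", "Confidential"), ("Ulaley", "Unclassified")]:
        m.add_subject(subj, lvl)
    # constructed contents: the personnel file holds the sensitive item
    m.add_object("Personnel Files", "Top Secret", contents=["agent list for country X"])
    m.add_object("E-Mail Files", "Secret")
    m.add_object("Activity Logs", "Confidential")
    m.add_object("Telephone Lists", "Unclassified")
    return m


def laundering_attempt(m):
    """Tamara reads the personnel files and tries to copy them into the
    activity log for Claire to read. Returns what Claire ends up seeing."""
    for line in m.read("Tamara", "Personnel Files"):
        m.write("Tamara", "Activity Logs", line)  # refused: Confidential does not dom Top Secret
    return m.read("Claire", "Activity Logs")


def colonel_and_major():
    """Same clearance, different category sets: the colonel can only reach the
    major's documents by logging in under a reduced-clearance alias."""
    m = Monitor()
    m.add_subject("colonel", "Secret", ("NUC", "EUR"))     # Alias1
    m.add_subject("colonel-alias2", "Secret", ("EUR",))    # Alias2
    m.add_subject("major", "Secret", ("EUR",))
    m.add_object("major memo", "Secret", ("EUR",))
    m.add_object("colonel memo", "Secret", ("NUC", "EUR"))
    return {
        "major writes up":        m.write("major", "colonel memo", "report"),
        "colonel reads down":     m.read("colonel", "major memo") is not None,
        "colonel writes down":    m.write("colonel", "major memo", "orders"),
        "alias2 writes":          m.write("colonel-alias2", "major memo", "orders"),
        "major reads the orders": m.read("major", "major memo"),
    }


if __name__ == "__main__":
    print("Claire sees:", laundering_attempt(slide_system()))
    for k, v in colonel_and_major().items():
        print(f"{k}: {v}")
```

Note that the monitor returns None for a refused read rather than raising: a caller that leaks the difference between "object absent" and "read refused" reintroduces exactly the existence leak discussed under the DG/UX directory problem later in these slides.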
27
BLP: Problem
• If I can write up, what about writing files full of blanks (or garbage) at a higher level?
• Blind writing up may cause integrity problems, but not a confidentiality breach
28
Key Points
• Confidentiality models restrict the flow of information
• Bell-LaPadula (BLP) models multilevel security; it is the cornerstone of much work in computer security
• The simple security property says no read up and the *-property says no write down; together they ensure information can only flow up
29
DG/UX System
• A real (and well-regarded) Unix operating system by Data General; provides mandatory access controls
• MAC labels identify security levels
• Initially, subjects are assigned the MAC label of their parent; the initial label is assigned to the user and kept in the Authorization and Authentication (A&A) database
• Objects are assigned a label at creation: explicit labels are stored as (part of the set of) attributes; implicit labels are determined from the parent directory
30
MAC Regions
(Figure on the slide: the label space is divided into regions, listed here from highest to lowest.)
• Administrative Region: A&A database, audit
• User Region: user data and applications (hierarchy levels)
• Virus Prevention Region: five levels VP1 to VP5 holding site executables, trusted data, executables not part of the TCB, executables part of the TCB, and a level reserved for future use
(Categories run orthogonally to the hierarchy levels.)
• Admin region: no write/read except by administrative processes
• Users cannot write to system programs but can read/execute them
31
A Directory Problem
• Process p at MAC_A tries to create file /tmp/x
• If /tmp/x exists but has MAC label MAC_B where MAC_B dom MAC_A, the create must fail
• Now p knows a file named x with a higher label exists: a LEAK!
• Solution: only programs with the same MAC label as the directory can create files in the directory
• If this were the only way to create files, then /tmp would have problems: for example, compilation and mail won't work
• Solution: multilevel directory
32
DG/UX B2 Multilevel Directory
• A directory with a set of subdirectories, one per label; not normally visible to the user
• p creating /tmp/x actually creates /tmp/d/x, where d is the subdirectory corresponding to MAC_A; all of p's references to /tmp go to /tmp/d
• p cd's to /tmp/a, then to ..: the system call stat(".", &buf) returns the inode number of the real directory, while dg_stat(".", &buf) returns the inode of /tmp
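The /tmp leak from "A Directory Problem" and the per-label subdirectory fix from the slide above, modelled as an added Python example (not DG/UX code or text from the slides): NaiveTmp uses one global name space, so an EEXIST returned to a process at a lower label reveals a higher-labelled file; MultilevelTmp redirects each process to a hidden subdirectory for its label, so the only names that can collide are those at the process's own label. The class names, the label-to-directory naming in label_dirname() and the result strings are this example's own construction.

```python
"""The /tmp create() leak and the DG/UX multilevel-directory fix, as a toy model.

Added example, not DG/UX code: NaiveTmp, MultilevelTmp, label_dirname() and
the result strings are this example's own illustration of the mechanism.
"""

RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def dom(a, b):
    """MAC label a dominates b: (A, C) dom (A', C') iff A' <= A and C' subset of C."""
    return RANK[b[0]] <= RANK[a[0]] and b[1] <= a[1]


def label_dirname(label):
    """Hypothetical naming of the hidden per-label subdirectory, e.g. 'Secret+EUR+NUC'."""
    return "+".join([label[0], *sorted(label[1])])


class NaiveTmp:
    """One flat /tmp: names are global, so a failed create reveals that a
    file with that name exists at some label the process may not dominate."""

    def __init__(self):
        self.files = {}   # name -> MAC label of the file

    def create(self, proc_label, name):
        if name in self.files:
            return "EEXIST"          # leak: MAC_B dom MAC_A, yet p learns x exists
        self.files[name] = proc_label
        return "OK"

    def listdir(self, proc_label):
        # simple security condition: a process sees only files it dominates
        return sorted(n for n, lbl in self.files.items() if dom(proc_label, lbl))

    def real_path(self, proc_label, name):
        return f"/tmp/{name}"


class MultilevelTmp:
    """/tmp holds one hidden subdirectory per label; every reference a process
    makes to /tmp/x is redirected to /tmp/<d>/x where d is the process's label."""

    def __init__(self):
        self.subdirs = {}  # label -> {name: label}

    def _dir(self, label):
        return self.subdirs.setdefault(label, {})

    def create(self, proc_label, name):
        d = self._dir(proc_label)
        if name in d:
            return "EEXIST"          # only names at p's own label can collide
        d[name] = proc_label
        return "OK"

    def listdir(self, proc_label):
        return sorted(self._dir(proc_label))

    def real_path(self, proc_label, name):
        # what stat(".") reports, versus the /tmp the process believes it is in
        return f"/tmp/{label_dirname(proc_label)}/{name}"


def leak_probe(tmp):
    """A Secret process creates /tmp/x; an Unclassified process then tries the
    same name. Returns (low process's create result, what it can list)."""
    high = ("Secret", frozenset())
    low = ("Unclassified", frozenset())
    assert tmp.create(high, "x") == "OK"
    return tmp.create(low, "x"), tmp.listdir(low)


if __name__ == "__main__":
    print("flat /tmp:      ", leak_probe(NaiveTmp()))       # ('EEXIST', []): x's existence leaks
    print("multilevel /tmp:", leak_probe(MultilevelTmp()))  # ('OK', ['x'])
    ml = MultilevelTmp()
    print(ml.real_path(("Secret", frozenset({"NUC"})), "x"))
```

In the flat model the low process cannot list x (the simple security condition is respected) yet still learns it exists from the error code; the information leaks through the name space, not through the file's contents.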
33
Using MAC Labels
• The simple security condition is implemented
• The *-property is not fully implemented: the process MAC label must equal the object MAC label, so writing is allowed only at the same security level
• Overly restrictive in practice
34
Overview
• Review and background: lattices; military systems and Denning's Axioms
• Bell-LaPadula (BLP) Policy: Step 1 – clearance/classification; Step 2 – categories; example system – DG/UX
• Tranquility
• Controversy at a glance
35
Principle of Tranquility
• Raising an object's security level: information once available to some subjects is no longer available to them; usually we assume the information has already been accessed, so this does nothing for confidentiality
• Lowering an object's security level: the declassification problem; essentially a "write down" violating the *-property
• Solution: define a set of trusted subjects that sanitize or remove sensitive information before the security level is lowered
36
Types of Tranquility
Strong Tranquility The clearances of subjects, and the
classifications of objects, do not change during the lifetime of the system
Weak Tranquility The clearances of subjects, and the
classifications of objects, do not change in a way that violates the simple security condition or the *-property during the lifetime of the system
Pros and Cons: Strong tranquility enforces MLS principles, but is inflexibleWeak tranquility moderates restrictions
37
Example: DG/UX System
• Only a trusted user (the security administrator) can lower an object's security level
• In general, process MAC labels cannot change: if a user wants a new MAC label, a new process must be started
• This is cumbersome, so a user can be designated as able to change the process MAC label within a specified range
38
Controversy
McLean:
"value of the BLP is much overrated since there is a great deal more to security than it captures. Further, what is captured by the BST is so trivial that it is hard to imagine a realistic security model for which it does not hold."
• Given assumptions known to be non-secure, the Basic Security Theorem (BST) can prove a non-secure system to be secure
• He constructed a completely reversed version of BLP (System Z: on any request, every subject and object is first downgraded to the lowest level and the access is then granted) which is obviously non-secure and yet satisfies the theorem's hypotheses
39
Discussion
Discussion
• The Basic Security Theorem shows that obeying the stated rules preserves security
• Key question: what is security? Bell-LaPadula defines it in terms of three properties (the simple security condition, the *-property and the discretionary security property)
• The theorems are assertions about these properties
• The rules describe changes to a particular system instantiating the model
• Showing that a system is secure requires proving that its rules preserve these three properties
40
Rules and Model
• The nature of the rules is irrelevant to the model: the model treats "security" as axiomatic
• The policy defines "security"; this instantiates the model, and the policy reflects the requirements of the system
• McLean's definition of security differs from BLP's and is not suitable for a confidentiality policy
• Analysts cannot prove through the model that the definition of "security" is appropriate
41
What Is Modeling?
Two types of models:
1. Abstract a physical phenomenon to its fundamental properties
2. Begin with axioms and construct a structure to examine the effects of the axioms
The BLP model was developed as a model of the first type; McLean assumed it was developed as a model of the second type.
42
Towards Proving the Basic Security Theorem
System security state: v = (b, m, f, h)
• b ∈ P(S × O × P): the set of (subject, object, right) triples currently being exercised
• m ∈ M: the access control matrix of the current state
• f ∈ F: the current subject and object clearances + categories, f = (fs, fo, fc) with fs the maximum level of each subject, fo the level of each object and fc the current level of each subject
• h ∈ H: the current hierarchy of objects
R: the set of requests; D = {y, n, i (illegal), e (error)}: the set of outputs (decisions); V: the set of states
W ⊆ R × D × V × V: the set of actions (state transitions)
R^N, D^N, V^N: sequences of requests, decisions and states
Σ(R, D, W, z0): the system with initial state z0; a run of the system is a triple of sequences (x, y, z) ∈ R^N × D^N × V^N such that (x_t, y_t, z_t, z_{t−1}) ∈ W for every step t
43
Example: State 1 and a transition
• L = {high, low}, K = {all}; S = {s}, O = {o}, P = {r, w}
• For every f ∈ F, fc(s) ∈ {(high, {all}), (low, {all})}, and fo(o) ∈ {(high, {all}), (low, {all})}
• S changes to {s, s'} and (s', w, o) is entered into m1, i.e. the matrix now grants s' write access to o
• Before s' actually writes, b1 does not change (the matrix changed; the set of current accesses did not)
44
Example: processing requests
• Suppose s' issues request r1 to write to o: it succeeds. Transition from v0 to v1 = (b2, m1, f1) where b2 = {(s, o, r), (s', o, w)}; so x = (r1), y = (yes), z = (v0, v1)
• Then s issues request r2, writing to o: denied. Now x = (r1, r2), y = (yes, no), z = (v0, v1, v2), where v2 = v1
• (The denial fixes the levels: s holds r on o, so fc(s) dom fo(o), and a write is refused only if fc(s) ≠ fo(o); with two levels that means fc(s) = (high, {all}) and fo(o) = (low, {all}), so s's write would be a write down)
45
The Simple Security Property
Simple Security Property: (s, o, p) ∈ S × O × P satisfies the simple security condition relative to f (written ssc rel f) iff
• p = e or p = a (execute or append: no information is read), or
• p = r or p = w, and fs(s) dom fo(o) (read or read/write: the subject's maximum level dominates the object's level)
46
More notation
• A state (b, m, f, h) satisfies the simple security condition if every element of b satisfies the simple security condition relative to f
• Define b(s: p1, ..., pn) as the set of all objects to which s currently has one of the accesses p1, ..., pn. That is:
b(s: p1, ..., pn) = { o ∈ O | (s, o, p1) ∈ b ∨ ... ∨ (s, o, pn) ∈ b }
47
The *-Property
*-Property: a state (b, m, f, h) satisfies the *-property iff for every s ∈ S:
• b(s: a) ≠ ∅ ⇒ ∀o ∈ b(s: a): fo(o) dom fc(s)
• b(s: w) ≠ ∅ ⇒ ∀o ∈ b(s: w): fo(o) = fc(s)
• b(s: r) ≠ ∅ ⇒ ∀o ∈ b(s: r): fc(s) dom fo(o)
This says:
• If a subject can append to an object, then the object's classification dominates the subject's current clearance (write up)
• If a subject can write an object (w is read and write), the two levels must be equal
• If a subject can read an object, then the subject's current clearance dominates the object's classification
Note that the *-property is stated with the subject's current level fc(s), whereas the simple security condition uses its maximum level fs(s).
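The state-based definitions above (the simple security condition over b, the three *-property clauses, and the two-request transition from "Example: processing requests"), plus a relabeling check in the sense of weak tranquility, as an added Python example rather than code from the slides or Bishop's book. The State class, request() and relabel_object() are this example's own scaffolding; m and h are left out because the two properties checked here never refer to them; the slide's levels high and low are encoded as ranks 1 and 0 with the single category {all}.

```python
"""State-based checks for the formal BLP definitions: simple security
condition over b, the *-property with access modes e, a, w, r, request
processing, and relabeling under weak tranquility.

Added example, not from the slides or Bishop: the definitions are the
slides', the State class, request() and relabel_object() are this
example's own scaffolding. Levels are (rank, categories).
"""
from copy import deepcopy
from dataclasses import dataclass


def dom(a, b):
    """(rank, cats) dom (rank', cats') iff rank' <= rank and cats' subset of cats."""
    return b[0] <= a[0] and b[1] <= a[1]


@dataclass
class State:
    b: set           # current accesses: {(s, o, p)}, p in {"e", "a", "w", "r"}
    fs: dict         # subject -> maximum security level
    fc: dict         # subject -> current security level
    fo: dict         # object  -> security level


def ssc_rel_f(s, o, p, st):
    """(s,o,p) satisfies the simple security condition relative to f."""
    return p in ("e", "a") or (p in ("r", "w") and dom(st.fs[s], st.fo[o]))


def satisfies_ssc(st):
    return all(ssc_rel_f(s, o, p, st) for (s, o, p) in st.b)


def b_of(st, s, *modes):
    """b(s: p1,...,pn): objects to which s currently holds one of the modes."""
    return {o for (s2, o, p) in st.b if s2 == s and p in modes}


def satisfies_star(st):
    for s in st.fc:
        if any(not dom(st.fo[o], st.fc[s]) for o in b_of(st, s, "a")):
            return False            # append: object must dominate subject
        if any(st.fo[o] != st.fc[s] for o in b_of(st, s, "w")):
            return False            # write (read+write): levels must be equal
        if any(not dom(st.fc[s], st.fo[o]) for o in b_of(st, s, "r")):
            return False            # read: subject must dominate object
    return True


def secure(st):
    return satisfies_ssc(st) and satisfies_star(st)


def request(st, s, o, p):
    """Grant (s,o,p) iff the resulting state is still secure. Returns 'y'/'n'."""
    trial = deepcopy(st)
    trial.b.add((s, o, p))
    if secure(trial):
        st.b.add((s, o, p))
        return "y"
    return "n"


def relabel_object(st, o, new_level, tranquility="weak"):
    """Strong tranquility: labels never change. Weak: change only if the
    accesses currently in b still satisfy both properties afterwards."""
    if tranquility == "strong":
        return False
    old = st.fo[o]
    st.fo[o] = new_level
    if secure(st):
        return True
    st.fo[o] = old           # roll back: some current access would become a violation
    return False


HIGH = (1, frozenset({"all"}))
LOW = (0, frozenset({"all"}))


def slide_run():
    """The transition example above: s (high) already reads o (low); s' (low)
    asks to write o, then s asks to write o. Finally try to raise o's label."""
    st = State(b={("s", "o", "r")},
               fs={"s": HIGH, "s'": LOW}, fc={"s": HIGH, "s'": LOW},
               fo={"o": LOW})
    decisions = [request(st, "s'", "o", "w"), request(st, "s", "o", "w")]
    raised = relabel_object(st, "o", HIGH)   # s' still holds w on o: refused
    return decisions, raised, st


if __name__ == "__main__":
    decisions, raised, st = slide_run()
    print("decisions:", decisions, "b:", sorted(st.b), "raise o:", raised)
```

The relabel check is the operational content of weak tranquility: a label change is an ordinary transition, so it is admitted only if every access already in b still satisfies both properties in the new state. Once s' releases its write access, raising o to high succeeds, because the only remaining access is s reading o and high dom high.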