Access Control and the Bell-LaPadula Model
CS 4235
Historical Background
• Physical access control
• No mixing of data (sensitive vs. not)
• Hardwired terminal access
• No multiplexing of users and data
• What happens when all the data is stored in the same place and users with different trust levels are allowed to access it?
• Multi-level security problem
Documents vs People
• Documents have classifications
  – Top Secret
  – Secret
  – Confidential
  – Unclassified
• Sensitive
• Non-sensitive
• People have clearances
  – Top Secret
  – Secret
  – Q
There are also code words that are not classifications
• ULTRA identified information encrypted with Enigma machines
• Categories – how material is handled
  – Sensitive Compartmented Information (SCI) – Intelligence
    • Operations and methods
    • Nuclear secrets
    • Stealth
  – Special Access Programs (SAP) – Defense
    • Acknowledged
    • Unacknowledged
    • Waived
  – Solves two logistical problems
    • Collateral clearances for everyone would be expensive
    • Need to limit information to those with a need to know
  – SIGMA (Department of Energy)
  – SAP/SCI requires a Secure Compartmented Information Facility (SCIF)
Caveats and Other Codes
• NOFORN
• RESTRICTED
• NO CONTRACTOR
• REL TO <Country Code>
• ORCON
• FOUO
• PROPIN
• SECRET//<compartment name>//NOFORN//ORCON//25X1
Discretionary Access Control
• E.g., Unix permissions
• Set access conditions on a file so that only a group of your choosing can read it
• Anyone with access can propagate the information by resetting permissions
Mandatory Access Control
• The security authority sets permissions
• Only the security authority can propagate information
• Violations are very serious
Access Control Models
Access matrix: rows are subjects S1..S4, columns are objects O1..O4, and each cell holds the operation(s) the subject may perform on the object.

        O1    O2    O3    O4
  S1
  S2          operation
  S3
  S4

Access modes:
• Read (observe)
• Write (observe, alter)
• Execute (no observe, no alter)
• Append (alter, no observe)
A request (S, O, R) is answered YES/NO.
Accesses take the system from state to state:
  σ1 –(S, a, read)→ σ2 –(T, b, append)→ σ3
If you start in a secure state, do you end up in a secure state?
All accesses must be allowed by the MAC rules.
Granting Access Should Not Violate MAC
[Diagram: a subject between a high-level object and a low-level object; the subject WRITEs to one object and the question is whether it may READ the other. Arrows mark the flow of information.]
Simple Security Property
• The current level of a subject dominates the level of every object that it observes
• Like paper systems
• “No read up”
Partial Orders
• S = {a1, a2, …, an}
• P = (S, ≤) is a PO iff
  – If a ≤ b and b ≤ a, then a = b (anti-symmetric)
  – If a ≤ b and b ≤ c, then a ≤ c (transitive)
  – a ≤ a (reflexive)
• Examples
  – Natural numbers under ≤
  – Subsets under ⊆
• How about
  – Choices on a ballot under “is preferred to”?
  – People under “trusts”?
Lattices
• A POSET S
• Every subset of S has a greatest lower bound
• Every subset of S has a least upper bound
[Diagram: nodes x; x1, x2; x3, x4, x5, with a marked subset of S, the nodes that are all its upper bounds, and its LUB.]
Security Levels
• A security level is a pair (c, s) where
  – c is a classification from a POSET of classifications (e.g., U, S, TS, but the exact classifications don’t matter)
  – s is a set of categories (e.g., NUC, CRYPTO, …, but the exact categories don’t matter)
• (c1, s1) ≥ (c2, s2) iff c1 ≥ c2 and s2 ⊆ s1
• Levels form a lattice
Assigning Security Levels to Subjects and Objects
• level(S), level(O) = security level of S, O
• current-level(S) = levels at which S can operate
• current-level(S) ≤ level(S)
• level(S) = max(current-level(S)) is called S’s clearance
Security Properties
• SS-property: for any (S, O, A), if A includes observation then level(S) ≥ level(O)
• *-property: for any (S, O, A)
  – r ∈ A implies current-level(S) ≥ level(O)
  – a ∈ A implies current-level(S) ≤ level(O)
  – w ∈ A implies current-level(S) = level(O)
No read up
No write down
If a subject can observe O1 and modify O2, then level(O2) ≥ level(O1)
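The definitions on the Security Levels and Security Properties slides, and the state-to-state view of accesses, can be made concrete in a short reference monitor. The following is an added example written for these notes, not code from the course: the classification order U < C < S < TS, the category names NUC and CRYPTO, and the subjects, objects and request script are all constructed. It implements the dominance relation (c1, s1) ≥ (c2, s2) iff c1 ≥ c2 and s2 ⊆ s1, the lattice operations, the SS-property and the three cases of the *-property, and then checks that every state reached by granted requests stays secure and satisfies the observe-O1/modify-O2 consequence stated above.

```python
"""Security levels as a lattice plus the SS-property and *-property checks.

Added example for the slides' definitions; the classification order, the
category names and the sample subjects/objects below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Classification order (a total order here; the slides only require a POSET).
CLASS_RANK: Dict[str, int] = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Level:
    """A security level (c, s): a classification c and a set of categories s."""
    c: str
    s: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        # (c1, s1) >= (c2, s2)  iff  c1 >= c2 and s2 is a subset of s1
        return CLASS_RANK[self.c] >= CLASS_RANK[other.c] and other.s <= self.s


def lub(a: Level, b: Level) -> Level:
    """Least upper bound: the higher classification, union of categories."""
    return Level(max(a.c, b.c, key=CLASS_RANK.__getitem__), a.s | b.s)


def glb(a: Level, b: Level) -> Level:
    """Greatest lower bound: the lower classification, intersection of categories."""
    return Level(min(a.c, b.c, key=CLASS_RANK.__getitem__), a.s & b.s)


READ, WRITE, APPEND, EXECUTE = "r", "w", "a", "e"
OBSERVES = {READ, WRITE}  # read = observe; write = observe + alter


def allowed(clearance: Level, current: Level, obj: Level, access: str) -> bool:
    """Decide one request (S, O, A) from S's clearance and current level."""
    # SS-property ("no read up"): observing O needs level(S) >= level(O).
    if access in OBSERVES and not clearance.dominates(obj):
        return False
    # *-property ("no write down"), stated on the subject's current level.
    if access == READ:
        return current.dominates(obj)
    if access == APPEND:
        return obj.dominates(current)
    if access == WRITE:
        return current == obj
    return access == EXECUTE  # execute neither observes nor alters; unknown modes are denied


Access = Tuple[str, str, str]  # (subject name, object name, access mode)


class BLPSystem:
    """State sigma = the set of currently granted accesses; requests are transitions."""

    def __init__(self, clearance: Dict[str, Level], current: Dict[str, Level],
                 objects: Dict[str, Level]) -> None:
        self.clearance, self.current, self.objects = clearance, current, objects
        self.state: Set[Access] = set()

    def _ok(self, s: str, o: str, a: str) -> bool:
        return allowed(self.clearance[s], self.current[s], self.objects[o], a)

    def is_secure(self) -> bool:
        """A state is secure when every granted access satisfies both properties."""
        return all(self._ok(*acc) for acc in self.state)

    def request(self, s: str, o: str, a: str) -> bool:
        """Grant only if the new state stays secure; the decision is the YES/NO answer."""
        if self._ok(s, o, a):
            self.state.add((s, o, a))
            return True
        return False

    def flow_ok(self) -> bool:
        """Consequence on the slide: observe O1 and alter O2 implies level(O2) >= level(O1)."""
        for s in self.clearance:
            observed = [o for (x, o, a) in self.state if x == s and a in OBSERVES]
            altered = [o for (x, o, a) in self.state if x == s and a in (WRITE, APPEND)]
            if not all(self.objects[o2].dominates(self.objects[o1])
                       for o1 in observed for o2 in altered):
                return False
        return True


def demo() -> Tuple[List[bool], bool, bool]:
    """Constructed run: returns the decisions, then is_secure() and flow_ok() afterwards."""
    NUC, CRYPTO = frozenset({"NUC"}), frozenset({"CRYPTO"})
    sys_ = BLPSystem(
        clearance={"alice": Level("TS", NUC | CRYPTO), "bob": Level("S")},
        current={"alice": Level("S", NUC), "bob": Level("S")},
        objects={"plan": Level("TS", NUC), "log": Level("S", NUC), "public": Level("U")},
    )
    script: List[Access] = [
        ("alice", "plan", READ),      # cleared, but current level S{NUC} does not dominate TS{NUC}
        ("alice", "log", READ),       # S{NUC} dominates S{NUC}
        ("alice", "public", APPEND),  # write down: U{} does not dominate S{NUC}
        ("alice", "plan", APPEND),    # write up is fine: TS{NUC} dominates S{NUC}
        ("alice", "log", WRITE),      # observe + alter needs equality of levels
        ("bob", "log", READ),         # bob's clearance lacks the NUC category
        ("bob", "public", READ),
    ]
    decisions = [sys_.request(*req) for req in script]
    return decisions, sys_.is_secure(), sys_.flow_ok()
```

Note that the first request is denied even though alice's clearance would permit it: the *-property is stated on current-level(S), so a subject operating below its clearance cannot observe an object above its current level, which is what makes "no write down" enforceable for the objects it later alters.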
A MAC Implementation
• Unix file system
• Label all files and directories with levels
• Assign level(u) to each user u
• u is initially assigned the lowest current-level
• Allow current-level(u) to float as higher-level files are observed
• If level(u) ≥ current-level(u) issue kill(u)
• If level(f) ≥ level(u) and u writes to f issue kill(u)
• Is this secure?
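To answer the slide's closing question, the floating-level scheme can be simulated. The following is an added example, not part of the course material: the users, files and levels are constructed, only scalar classifications are used (categories are left out), and the slide's first kill rule is read here as "kill u when current-level(u) floats above level(u)", which is an assumption. The write rule is implemented exactly as the slide states it, comparing level(f) with the user's clearance level(u) rather than with current-level(u), beside a hardened rule that applies the *-property's no-write-down condition to the current level. Checking the observe-O1/modify-O2 invariant from the previous slide after each session shows which rule keeps the system secure.

```python
"""Simulation of the slides' floating current-level MAC scheme on a Unix-like file system.

Added example, not from the slides: users, files and levels are constructed, and only
scalar classifications are used (categories omitted). The slide's first kill rule is read
here as "kill u when current-level(u) floats above level(u)", which is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

U, C, S, TS = 0, 1, 2, 3  # classification ranks, lowest first

Files = Dict[str, int]  # file name -> level(f)


@dataclass
class FloatingUser:
    name: str
    level: int                 # level(u): the user's clearance
    current: int = U           # current-level(u): starts at the lowest level
    alive: bool = True         # False once kill(u) has been issued
    observed: List[str] = field(default_factory=list)  # files read, for the flow check
    altered: List[str] = field(default_factory=list)   # files written, for the flow check


def read(u: FloatingUser, fname: str, files: Files) -> bool:
    """Observation lets current-level(u) float up to level(f). Returns False if u is killed."""
    if not u.alive:
        return False
    u.current = max(u.current, files[fname])
    u.observed.append(fname)
    if u.current > u.level:  # assumed reading of the slide's first kill rule
        u.alive = False
        return False
    return True


def write_slide_rule(u: FloatingUser, fname: str, files: Files) -> bool:
    """The slide's write rule: kill u when level(f) >= level(u). It never looks at current-level(u)."""
    if not u.alive:
        return False
    if files[fname] >= u.level:
        u.alive = False
        return False
    u.altered.append(fname)
    return True


def write_star_rule(u: FloatingUser, fname: str, files: Files) -> bool:
    """Hardened rule, the *-property's no write down: level(f) must be >= current-level(u)."""
    if not u.alive or files[fname] < u.current:
        return False
    u.altered.append(fname)
    return True


def flow_violations(u: FloatingUser, files: Files) -> List[Tuple[str, str]]:
    """Pairs (O1, O2) where u observed O1 and altered O2 but level(O2) < level(O1)."""
    return [(o1, o2) for o1 in u.observed for o2 in u.altered if files[o2] < files[o1]]


def session(write_rule) -> Tuple[bool, List[Tuple[str, str]]]:
    """Constructed session: a TS-cleared user reads a Secret file, then writes an Unclassified one."""
    files: Files = {"public.txt": U, "secret.txt": S, "plan.txt": TS}
    alice = FloatingUser("alice", level=TS)
    read(alice, "secret.txt", files)           # current-level(alice) floats U -> S
    wrote = write_rule(alice, "public.txt", files)
    return wrote, flow_violations(alice, files)


def read_up_is_killed() -> bool:
    """A C-cleared user observing a TS file is killed because current-level exceeds clearance."""
    files: Files = {"plan.txt": TS}
    bob = FloatingUser("bob", level=C)
    return not read(bob, "plan.txt", files) and not bob.alive
```

Under the slide's rule, session(write_slide_rule) lets the write proceed and reports the pair ("secret.txt", "public.txt") as a violation: information observed at Secret has been copied into an Unclassified file, because the rule compares the file against the user's clearance rather than the level the user has floated up to. session(write_star_rule) refuses the write and reports no violation, which is the *-property stated on current-level(u) doing its job.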