Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Introduction to Computer SecurityFormal Security Models
Pavel LaskovWilhelm Schickard Institute for Computer Science
Security instruments learned so far
Symmetric and asymmetric cryptographyconfidentiality, integrity, non-repudiation
Cryptographic hash functionsintegrity, non-repudiation
Identity management and authenticationauthentication
Access controlaccountability, integrity
Why do security systems fail?
Systems are complex. Security of single components doesnot necessarily imply security of the whole.Implementations are buggy. Even minor logical weaknessescan significantly undermine security.Users may compromise security by inappropriate use, e.g.weak passwords or falling prey to social engineering attacks.
Can one prove that a system is secure?
Why do security systems fail?
Systems are complex. Security of single components doesnot necessarily imply security of the whole.Implementations are buggy. Even minor logical weaknessescan significantly undermine security.Users may compromise security by inappropriate use, e.g.weak passwords or falling prey to social engineering attacks.
Can one prove that a system is secure?
Objectives of formal security modeling
Facilitate the design of security systems based on imprecisespecifications.Enable automatic verification of relevant properties.Demonstrate to regulatory bodies that a systemimplementation satisfies the design criteria.
Milatary security: sensitivity levels
USA: top secret, secret, classified, unclassified.Germany:
STRENG GEHEIM (str. geh): die Kenntnisnahme durchUnbefugte kann den Bestand oder lebenswichtige Interessender Bundesrepublik Deutschland oder eines ihrer Ländergefährden.GEHEIM (geh.): die Kenntnisnahme durch Unbefugte kann dieSicherheit der Bundesrepublik Deutschland oder eines ihrerLänder gefährden oder ihren Interessen schweren Schadenzufügen.VS-VERTRAULICH (VS-Vertr.): die Kenntnisnahme durchUnbefugte kann für die Interessen der BundesrepublikDeutschland oder eines ihrer Länder schädlich sein.VS-NUR FÜR DEN DIENSTGEBRAUCH (VS-NfD): dieKenntnisnahme durch Unbefugte kann für die Interessen derBundesrepublik Deutschland oder eines ihrer Länder nachteiligsein.
Security clearance
‘Quantification of trust in personnel with respect to handlingof different levels of classified information.Corresponds to certain screening procedures andinvestigations.Connected to certain legal responsibilities and punitiveactions.
Compartmentalization
Fine-grain classification according to job-related“need-to-know”Horizontal division of security clearance levels into specificcompartments with a narrow scope.
Implications of automation for security
Less trust into intermediate tools: can we e.g. ensure that atext editor in which a document was created was nottrojanized?Tampering with a digital document is much easier thantampering with a physically stored document.Difficulty of authentication: less reliance on physicalauthentication.Covert information channels.
Key security models
Finite state machinesBell-La Padula model: access control onlyBiba model: additional integrity verification
Information flow modelsChinese wall model: identification of conflicts of interestIdentification of covert channels
Access matrix modelsPolicy manager: separation of access control into a separateprocessTake-grant model: graph-theoretical interpretation of an accessmatrix
Bell-La Padula (BLP) model
v1v2
v3
v4
allowed?
allowed?
secu
rity
leve
ls
States describe system elements and access rights.Security policies are defined in terms of security levels andtransitions between them.
BLP elements
Objects o ∈ OSubjects s ∈ SAccess rights a(s, o) ∈ A
execute (neither observe nor alter)read (observe but not alter)append (alter but not observe)write (both observe and alter)
Ownership attribute x ∈ {0, 1}.A tuple b = (s, o, a, x) characterizes acurrent access relationship betweens and o.
s1
s2
s3
o1
o2
o3
o4
Access control matrix
BLP security levels
Each element is assigned an integer-valued classification(C) and a set-valued category (K) attribute.A security level is a pair (C, K).A s.l. (C1, K1) dominates (∝) a s.l. (C2, K2) if and only if
C1 ≥ C2 and K1 ⊇ K2
Example:(Top Secret, {nuclear, crypto})
(Secret, {nuclear, crypto})
(Top Secret, {})
(Secret, {})
(Top Secret, {nuclear})
(Secret, {nuclear})
(Top Secret, {crypto})
(Secret, {crypto})
BLP security level functions
BLP defines the following three security level functions:
fS(si): a (maximum) security level of a subject si,fO(oj): a security level of an object oj,fC(si): a current security level of a subject si (if the latteroperates at a lower security level).
A state v of a BLP is a tuple (B, M, FS, FO, FC) that characterizesall current access relationships B, a matrix M of all possibleaccess relationships, and all security level functions.
Simple security property of BLP
For any (s, o, a) such that a = “observe”,
fS(s) ∝ fO(o).
This relationship is known as “no-read-up”: a subject cannotobserve (read or write) an object for which is has insufficientclearance.
“Star” security property of BLP
For any pair (s, o1, a1) and (s, o2, a2) such that a1 = “alter” anda2 = “observe”,
fO(o1) ∝ fO(o2).
This relationship is known as “no-write-down”: a subject cannotuse the knowledge from observing more restricted objects whilealtering less restricted objects.
Discretionary security property of BLP
For a tuple (si, oj, a, x), if si is an owner of oj, i.e. x = 1, he canpass a to sk, provided that a ∈ Mkj.
This relationship is known as “discretionary” security, as it allowsaccess relationships to be passed between objects provided thisis allowed by an access control matrix.
BLP model example
Consider the following service hierarchy:
Colonel X (Secret, {nuclear, crypto})
General Z (Top Secret, {crypto})
Major Y (Secret, {crypto})
General Z is substituted during his vacation by a colonel X. MajorY must complete a report R according to an instruction set I.Permissions on these documents are set as follows:
I : {X : ’RW’, Y : ’R’, Z : ’RW’}R : {X : ’RW’, Y : ’RW’, Z : ’RW’}
BLP model example (ctd.)
Security level functions are set as follows:
fS(X) = (S, {N, C})fS(Y) = (S, {C})fS(Z) = (TS, {C})fO(I) = (S, {C})
fO(R) = (S, {C})Q: Are the security properties satisfied?
BLP model example: SSP
We have to verify that:
(s, o, a) : a = ’R’ ⇒ fS(s) ∝ fO(o)
For example:
(X, I, ’RW’) : fS(X) = (S, {N, C})fO(I) = (S, {C}) OK
(Y, I, ’R’) : fS(Y) = (S, {C})fO(I) = (S, {C}) OK
BLP model example: *SP
We have to verify that:
((s, o1, a1), (s, o2, a2)) s.t. a1 = ’W’, a2 = ’R’ ⇒ fO(o1) ∝ fO(o2)
For example:
(Y, R, ’RW’), (Y, I, ’R’) : fO(R) = (S, {C})fO(I) = (S, {C}) OK
BLP model example: extended scenario
Consider an extended service hierarchy below:
Colonel X (Secret, {nuclear, crypto})
General Z (Top Secret, {crypto})
Major Y (Secret, {crypto})Major V (Secret, {nuclear})
Q: Can X reuse an instruction set I for V?
BLP model example (ctd.)
add V : ’R’ to I’s ACL...
(V, I, ’R’) : fS(V) = (S, {N})fO(I) = (S, {C}) !!!
change fO(I) to (S, {N, C})...(Y, R, ’RW’), (Y, I, ’R’) : fO(R) = S, {C})
fO(I) = (S, {N, C}) !!!
BLP model example (ctd.)
add V : ’R’ to I’s ACL...
(V, I, ’R’) : fS(V) = (S, {N})fO(I) = (S, {C}) !!!
change fO(I) to (S, {N, C})...(Y, R, ’RW’), (Y, I, ’R’) : fO(R) = S, {C})
fO(I) = (S, {N, C}) !!!
BLP model example: correct action
clone I into I′
set fO(I′) = (S, {N})set ACL(I′) = (X : ’RW’, V : ’R’)
BLP model example: correct action
clone I into I′
set fO(I′) = (S, {N})set ACL(I′) = (X : ’RW’, V : ’R’)
Transition functions in BLP
Altering current accessget access (add (s, o, a, x) to B)release access (remove (s, o, a, x) from B)
Altering level functionschange object level fO(o)change current subject level fC(o)
Altering access permissions:give access permission (add a to M)rescind access permissions (remove a from M)
Altering the data hierarchycreate an objectdelete an object
The basic security theorem of BLP
A state b, M, f is called secure if it satisfies all three securityproperties of BLP.A transition from v1 = (b1, M1, f1) to v2 = (b2, M2, f2) issecure if both v1 and v2 are secure.Necessary and sufficient conditions for secure transitionsvary for different security properties. For example, atransition (b1, M1, f1)→ (b2, M2, f2) satisfies the simplesecurity property if and only if:
each (s, o, a) ∈ b2\b1 satisfies f2, and(s, o, a) does not satisfy f2 implies that (s, o, a) /∈ b2.
Basic Security Theorem: given a secure initial state, everysecure transition brings a system into a secure state on anyinput.
Summary
Formal security models allow one to formally verify securityproperties of computer systems.The Bell-La Padula (BLP) model uses the finite statemachine to verify access control properties inspired bymilitary security.BLP was realized in a real operating systems (MULTICS)which, however, suffered from insufficient usability and highmaintenance workload.