Introduction to Computer SecurityFormal Security Models

Pavel LaskovWilhelm Schickard Institute for Computer Science

Security instruments learned so far

Symmetric and asymmetric cryptographyconfidentiality, integrity, non-repudiation

Cryptographic hash functionsintegrity, non-repudiation

Identity management and authenticationauthentication

Access controlaccountability, integrity

Why do security systems fail?

Systems are complex. Security of single components doesnot necessarily imply security of the whole.Implementations are buggy. Even minor logical weaknessescan significantly undermine security.Users may compromise security by inappropriate use, e.g.weak passwords or falling prey to social engineering attacks.

Can one prove that a system is secure?

Why do security systems fail?

Systems are complex. Security of single components doesnot necessarily imply security of the whole.Implementations are buggy. Even minor logical weaknessescan significantly undermine security.Users may compromise security by inappropriate use, e.g.weak passwords or falling prey to social engineering attacks.

Can one prove that a system is secure?

Objectives of formal security modeling

Facilitate the design of security systems based on imprecisespecifications.Enable automatic verification of relevant properties.Demonstrate to regulatory bodies that a systemimplementation satisfies the design criteria.

Milatary security: sensitivity levels

USA: top secret, secret, classified, unclassified.Germany:

STRENG GEHEIM (str. geh): die Kenntnisnahme durchUnbefugte kann den Bestand oder lebenswichtige Interessender Bundesrepublik Deutschland oder eines ihrer Ländergefährden.GEHEIM (geh.): die Kenntnisnahme durch Unbefugte kann dieSicherheit der Bundesrepublik Deutschland oder eines ihrerLänder gefährden oder ihren Interessen schweren Schadenzufügen.VS-VERTRAULICH (VS-Vertr.): die Kenntnisnahme durchUnbefugte kann für die Interessen der BundesrepublikDeutschland oder eines ihrer Länder schädlich sein.VS-NUR FÜR DEN DIENSTGEBRAUCH (VS-NfD): dieKenntnisnahme durch Unbefugte kann für die Interessen derBundesrepublik Deutschland oder eines ihrer Länder nachteiligsein.

Security clearance

‘Quantification of trust in personnel with respect to handlingof different levels of classified information.Corresponds to certain screening procedures andinvestigations.Connected to certain legal responsibilities and punitiveactions.

Compartmentalization

Fine-grain classification according to job-related“need-to-know”Horizontal division of security clearance levels into specificcompartments with a narrow scope.

Implications of automation for security

Less trust into intermediate tools: can we e.g. ensure that atext editor in which a document was created was nottrojanized?Tampering with a digital document is much easier thantampering with a physically stored document.Difficulty of authentication: less reliance on physicalauthentication.Covert information channels.

Key security models

Finite state machinesBell-La Padula model: access control onlyBiba model: additional integrity verification

Information flow modelsChinese wall model: identification of conflicts of interestIdentification of covert channels

Access matrix modelsPolicy manager: separation of access control into a separateprocessTake-grant model: graph-theoretical interpretation of an accessmatrix

Bell-La Padula (BLP) model

v1v2

v3

v4

allowed?

allowed?

secu

rity

leve

ls

States describe system elements and access rights.Security policies are defined in terms of security levels andtransitions between them.

BLP elements

Objects o ∈ OSubjects s ∈ SAccess rights a(s, o) ∈ A

execute (neither observe nor alter)read (observe but not alter)append (alter but not observe)write (both observe and alter)

Ownership attribute x ∈ {0, 1}.A tuple b = (s, o, a, x) characterizes acurrent access relationship betweens and o.

s1

s2

s3

o1

o2

o3

o4

Access control matrix

BLP security levels

Each element is assigned an integer-valued classification(C) and a set-valued category (K) attribute.A security level is a pair (C, K).A s.l. (C1, K1) dominates (∝) a s.l. (C2, K2) if and only if

C1 ≥ C2 and K1 ⊇ K2

Example:(Top Secret, {nuclear, crypto})

(Secret, {nuclear, crypto})

(Top Secret, {})

(Secret, {})

(Top Secret, {nuclear})

(Secret, {nuclear})

(Top Secret, {crypto})

(Secret, {crypto})

BLP security level functions

BLP defines the following three security level functions:

fS(si): a (maximum) security level of a subject si,fO(oj): a security level of an object oj,fC(si): a current security level of a subject si (if the latteroperates at a lower security level).

A state v of a BLP is a tuple (B, M, FS, FO, FC) that characterizesall current access relationships B, a matrix M of all possibleaccess relationships, and all security level functions.

Simple security property of BLP

For any (s, o, a) such that a = “observe”,

fS(s) ∝ fO(o).

This relationship is known as “no-read-up”: a subject cannotobserve (read or write) an object for which is has insufficientclearance.

“Star” security property of BLP

For any pair (s, o1, a1) and (s, o2, a2) such that a1 = “alter” anda2 = “observe”,

fO(o1) ∝ fO(o2).

This relationship is known as “no-write-down”: a subject cannotuse the knowledge from observing more restricted objects whilealtering less restricted objects.

Discretionary security property of BLP

For a tuple (si, oj, a, x), if si is an owner of oj, i.e. x = 1, he canpass a to sk, provided that a ∈ Mkj.

This relationship is known as “discretionary” security, as it allowsaccess relationships to be passed between objects provided thisis allowed by an access control matrix.

BLP model example

Consider the following service hierarchy:

Colonel X (Secret, {nuclear, crypto})

General Z (Top Secret, {crypto})

Major Y (Secret, {crypto})

General Z is substituted during his vacation by a colonel X. MajorY must complete a report R according to an instruction set I.Permissions on these documents are set as follows:

I : {X : ’RW’, Y : ’R’, Z : ’RW’}R : {X : ’RW’, Y : ’RW’, Z : ’RW’}

BLP model example (ctd.)

Security level functions are set as follows:

fS(X) = (S, {N, C})fS(Y) = (S, {C})fS(Z) = (TS, {C})fO(I) = (S, {C})

fO(R) = (S, {C})Q: Are the security properties satisfied?

BLP model example: SSP

We have to verify that:

(s, o, a) : a = ’R’ ⇒ fS(s) ∝ fO(o)

For example:

(X, I, ’RW’) : fS(X) = (S, {N, C})fO(I) = (S, {C}) OK

(Y, I, ’R’) : fS(Y) = (S, {C})fO(I) = (S, {C}) OK

BLP model example: *SP

We have to verify that:

((s, o1, a1), (s, o2, a2)) s.t. a1 = ’W’, a2 = ’R’ ⇒ fO(o1) ∝ fO(o2)

For example:

(Y, R, ’RW’), (Y, I, ’R’) : fO(R) = (S, {C})fO(I) = (S, {C}) OK

BLP model example: extended scenario

Consider an extended service hierarchy below:

Colonel X (Secret, {nuclear, crypto})

General Z (Top Secret, {crypto})

Major Y (Secret, {crypto})Major V (Secret, {nuclear})

Q: Can X reuse an instruction set I for V?

BLP model example (ctd.)

add V : ’R’ to I’s ACL...

(V, I, ’R’) : fS(V) = (S, {N})fO(I) = (S, {C}) !!!

change fO(I) to (S, {N, C})...(Y, R, ’RW’), (Y, I, ’R’) : fO(R) = S, {C})

fO(I) = (S, {N, C}) !!!

BLP model example (ctd.)

add V : ’R’ to I’s ACL...

(V, I, ’R’) : fS(V) = (S, {N})fO(I) = (S, {C}) !!!

change fO(I) to (S, {N, C})...(Y, R, ’RW’), (Y, I, ’R’) : fO(R) = S, {C})

fO(I) = (S, {N, C}) !!!

BLP model example: correct action

clone I into I′

set fO(I′) = (S, {N})set ACL(I′) = (X : ’RW’, V : ’R’)

BLP model example: correct action

clone I into I′

set fO(I′) = (S, {N})set ACL(I′) = (X : ’RW’, V : ’R’)

Transition functions in BLP

Altering current accessget access (add (s, o, a, x) to B)release access (remove (s, o, a, x) from B)

Altering level functionschange object level fO(o)change current subject level fC(o)

Altering access permissions:give access permission (add a to M)rescind access permissions (remove a from M)

Altering the data hierarchycreate an objectdelete an object

The basic security theorem of BLP

A state b, M, f is called secure if it satisfies all three securityproperties of BLP.A transition from v1 = (b1, M1, f1) to v2 = (b2, M2, f2) issecure if both v1 and v2 are secure.Necessary and sufficient conditions for secure transitionsvary for different security properties. For example, atransition (b1, M1, f1)→ (b2, M2, f2) satisfies the simplesecurity property if and only if:

each (s, o, a) ∈ b2\b1 satisfies f2, and(s, o, a) does not satisfy f2 implies that (s, o, a) /∈ b2.

Basic Security Theorem: given a secure initial state, everysecure transition brings a system into a secure state on anyinput.

Summary

Formal security models allow one to formally verify securityproperties of computer systems.The Bell-La Padula (BLP) model uses the finite statemachine to verify access control properties inspired bymilitary security.BLP was realized in a real operating systems (MULTICS)which, however, suffered from insufficient usability and highmaintenance workload.