MANDATORY FLOW CONTROL Xiao Chen Fall2009 CSc 8320


Page 1

MANDATORY FLOW CONTROL

Xiao Chen

Fall 2009, CSc 8320

Page 2

INDEX

Section One: Basic Introduction
- Mandatory Flow Control Models
- Information Flow Control
- Lattice Model
- Multilevel Models

Section Two: Contemporary Application
- Windows Vista IE7 Implements Biba Model

Section Three: Future Prospect
- Improvement of P2P

References

Page 3

SECTION ONE: BASIC INTRODUCTION

Page 4

MANDATORY FLOW CONTROL MODELS

Definition: Mandatory access control refers to a type of access control by which the operating system constrains the ability of a subject to access, or generally perform some sort of operation on, an object or target.

Page 5

MANDATORY FLOW CONTROL MODELS

Why is it necessary when we already have the discretionary security model?

With the advances in networks and distributed systems, it is necessary to broaden the scope to include control of information flow between distributed nodes on a system-wide basis, rather than only on the individual basis of discretionary control.

Page 6

DIFFERENCE BETWEEN DISCRETIONARY AND MANDATORY ACCESS CONTROL [4]

In mandatory access control, the security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted.

By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes.

Page 7

INFORMATION FLOW CONTROL [1]

Definition: Information flow control is concerned with how information is disseminated or propagated from one object to another.

The security classes of all entities must be specified explicitly, and the class of an entity seldom changes after it has been created.

Page 8

THE LATTICE MODEL

The best-known information flow model.

Based upon the concept of a lattice, whose mathematical meaning is a structure consisting of a finite partially ordered set together with a least upper bound and a greatest lower bound operator on the set.

Page 9

THE LATTICE MODEL

A lattice is a Directed Acyclic Graph (DAG) with a single source and sink.

Information is permitted to flow from a lower class to an upper class.

Page 10

MULTILEVEL SECURITY

Multilevel Security is a special case of the lattice-based information flow model. There are two well-known multilevel security models:

The Bell-LaPadula Model focuses on confidentiality of information

The Biba Model focuses on system integrity

Page 11

BELL-LAPADULA MODEL

Need-to-know principle: A subject is given access only to the objects that it requires to perform its job.

Security with respect to confidentiality in the Bell-LaPadula model is described by the following two axioms:

Simple security property: Reading information from an object o by a subject s requires that SC(s) dominates SC(o) ("no read up").

The *-property: Writing information to an object o by a subject s requires that SC(o) dominates SC(s) ("no write down").

Page 12

BIBA MODEL

Contrary to the Bell-LaPadula model, in the Biba model information can only flow from a higher integrity class to a lower integrity class.

Integrity levels form a linear lattice in which each level represents the classification of integrity of the information an object can contain, or the clearance of a subject for modifying an object.

Integrity categories form a subset lattice and are used to enforce the need-to-have principle.

Page 13

COMPARISON OF TWO MULTILEVEL MODELS

The Bell-LaPadula Model is concerned with information confidentiality:
- subjects reading from an object must have a security class that dominates that of the object;
- objects being written to by a subject must have a security class that dominates that of the subject.

The Biba model emphasizes information integrity:
- subjects writing information to an object must have a security class that dominates that of the object;
- objects being read from by a subject must have a security class that dominates that of the subject.
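As an added example (not from the slides or the cited references), the lattice of security classes from Page 8, the Bell-LaPadula axioms from Page 11 and the Biba rules from Page 12 written out in Python, so the mirrored dominance checks of this comparison can be run side by side. The level names, the categories and the SC class are constructed for the example; a security class here is a level plus a set of categories, so two classes may be incomparable, in which case neither model allows a flow in either direction.

```python
from dataclasses import dataclass

# Linear ordering of levels. Names are constructed for this example; any
# totally ordered set of levels works the same way.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class SC:
    """Security class: a level plus a set of categories (subset lattice)."""
    level: str
    categories: frozenset

    def dominates(self, other: "SC") -> bool:
        # SC(a) dominates SC(b) iff level(a) >= level(b) and the categories
        # of b are a subset of those of a. If neither direction holds the
        # two classes are incomparable.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def lub(a: SC, b: SC) -> SC:
    """Least upper bound: the lowest class that dominates both a and b."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return SC(level, a.categories | b.categories)


def glb(a: SC, b: SC) -> SC:
    """Greatest lower bound: the highest class dominated by both a and b."""
    level = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return SC(level, a.categories & b.categories)


# Bell-LaPadula (confidentiality): information may only flow upward.
def blp_can_read(subject: SC, obj: SC) -> bool:
    return subject.dominates(obj)   # simple security property: no read up


def blp_can_write(subject: SC, obj: SC) -> bool:
    return obj.dominates(subject)   # *-property: no write down


# Biba (integrity): the same dominance test with the roles mirrored,
# so information may only flow downward in integrity.
def biba_can_read(subject: SC, obj: SC) -> bool:
    return obj.dominates(subject)   # simple integrity axiom: no read down


def biba_can_write(subject: SC, obj: SC) -> bool:
    return subject.dominates(obj)   # integrity *-property: no write up
```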

Page 14

SECTION TWO: CONTEMPORARY APPLICATION

Page 15

IE7 IMPLEMENTS BIBA MODEL [2]

According to the two rules of the Biba Integrity Model:

Simple Security Axiom: A subject at a particular integrity level must not be able to read from an object of a lower integrity level, i.e. "No Read Down".

Star Property Axiom: A subject at a particular integrity level must not be able to write to an object of a higher integrity level, i.e. "No Write Up".

Page 16

IE7 IMPLEMENTS BIBA MODEL [2]

Keeping the integrity level of IE7 (Protected Mode) at Low ensures that any thread started by IE7 bears the same integrity level and thus cannot write to any folder or application in the system that is at a higher integrity level (Star Property Axiom). Therefore the only locations IE7-based programs can write to are the following, as they are assigned the same integrity level as IE7:

- Temporary Internet Files
- Cookies
- Recycle Bin
- Various registry keys, including ones under HKCU\Software\Microsoft\Internet Explorer

Page 17

IE7 IMPLEMENTS BIBA MODEL [2]

On the other hand, if you want to save a file downloaded through IE7 to a local folder such as "My Documents", the application warns the user that this requires elevating privileges in order to save the file to an alternate location.

If it is a .exe file that needs to be installed, IE7 prompts for further elevation by asking for the administrator password.

Page 18

SECTION THREE: FUTURE PROSPECT

Page 19

FUTURE WORK

Multilevel models have been used mostly in military systems, although, as we will see later, they are useful for controlling attacks against different parts of a system.

In particular, Joshi et al. [Jos01] discuss the improvement of these models for web-based applications. They consider role-based access control the most suitable model, but think that in the future it needs to be extended to consider dynamic and task-based aspects. This is a good direction for future work. [3]

Page 20

REFERENCES

[1] Randy Chow and Theodore Johnson, Distributed Operating Systems & Algorithms, Addison Wesley, 1997.

[2] IE7 Implements Biba Model, http://ranjanajain.spaces.live.com/blog/cns!5F09EF6281DD4DB0!221.entry?sa=390277086

[3] Eduardo B. Fernandez, Chapter 4. Security models, http://www.cse.fau.edu/~ed/Ch4SecModels.pdf

[4] http://en.wikipedia.org/wiki/Mandatory_access_control