
Models of Security


Models of Security. PowerPoint presentation, 13 slides.

Page 1: Models of Security

Models of Security

Security models are used to
• Test a particular policy for completeness and consistency
• Document a policy
• Help conceptualize and design an implementation
• Check whether an implementation meets its requirements

Page 2: Models of Security

Multilevel Security

Want to build a model that represents a range of sensitivities and reflects the need to separate subjects from objects to which they should not have access.

Use the lattice model of security
• Military security model, where <= is the relation operator in the lattice (reflexive, transitive, antisymmetric: a partial order, so two labels need not be comparable at all)
• Commercial security model (public, proprietary, internal)

Page 3: Models of Security

Bell-La Padula Confidentiality Model

Formal description of allowable paths of information flow in a secure system
• Simple Security Property. A subject s may have read access to an object o only if C(o) <= C(s) (no read-up)
• *-Property. A subject s who has read access to an object o may have write access to an object p only if C(o) <= C(p) (no write-down)

The *-property is used to prevent write-down (a subject with access to high-level data transfers that data by writing it to a low-level object).

Page 4: Models of Security

Biba Integrity Model

Simple Integrity Property. Subject s can modify (have write access to) object o only if I(s) >= I(o)

Integrity *-Property. If subject s has read access to object o with integrity level I(o), s can have write access to object p only if I(o) >= I(p)

The integrity *-property is the dual of the Bell-La Padula *-property: it stops a subject that has read low-integrity data from contaminating a higher-integrity object with it.
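The three slides above (lattice model, Bell-La Padula, Biba) in working form, as an added example rather than code from the presentation: a label is a (level, compartments) pair ordered by dominance, join and meet make it a lattice, and the BLP and Biba rules are the C(.) and I(.) comparisons from the slides. The level names, the integrity scale and the sample labels are assumptions made for this example. The combined check also carries a subject's running join of what it has read (its high-water mark), which the slides state only for a single object o.

```python
# Added example: a security lattice of (level, compartments) labels with the
# Bell-LaPadula and Biba checks from the slides. The level names, the
# integrity scale and the sample labels are this example's own assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class Label:
    """A point in the lattice: a linearly ordered level plus a set of
    compartments. Labels are ordered by dominance, not by level alone."""
    level: int
    compartments: FrozenSet[str] = frozenset()

    def dominated_by(self, other: "Label") -> bool:
        """self <= other: level is lower or equal AND compartments are a
        subset. Reflexive, antisymmetric, transitive: a partial order, so
        two labels can be incomparable (neither <= the other)."""
        return (self.level <= other.level
                and self.compartments <= other.compartments)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both."""
    return Label(max(a.level, b.level), a.compartments | b.compartments)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both."""
    return Label(min(a.level, b.level), a.compartments & b.compartments)


# Military-style confidentiality scale, C(.) on the slides.
CONF_LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
# Integrity scale for Biba, I(.) on the slides (names assumed here).
INTEG_LEVELS = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}


def conf(level: str, *compartments: str) -> Label:
    return Label(CONF_LEVELS[level], frozenset(compartments))


def integ(level: str) -> Label:
    return Label(INTEG_LEVELS[level])


# Bell-LaPadula (confidentiality)

def blp_simple_security(c_s: Label, c_o: Label) -> bool:
    """s may read o only if C(o) <= C(s): no read-up."""
    return c_o.dominated_by(c_s)


def blp_star_property(c_read: Label, c_p: Label) -> bool:
    """s may write p only if C(o) <= C(p) for what it has read: no write-down."""
    return c_read.dominated_by(c_p)


def blp_can_write_after_reading(c_s: Label, read: Iterable[Label], c_p: Label) -> bool:
    """Mediate a write by a subject that has read several objects: every read
    must have been legal, and the join of their labels (the subject's
    high-water mark) must be dominated by C(p)."""
    high_water = Label(0)  # bottom of the lattice
    for c_o in read:
        if not blp_simple_security(c_s, c_o):
            return False  # that read should never have been granted
        high_water = join(high_water, c_o)
    return blp_star_property(high_water, c_p)


# Biba (integrity)

def biba_simple_integrity(i_s: Label, i_o: Label) -> bool:
    """s may write o only if I(s) >= I(o)."""
    return i_o.dominated_by(i_s)


def biba_star_property(i_o: Label, i_p: Label) -> bool:
    """Having read o, s may write p only if I(o) >= I(p): low-integrity
    input cannot be laundered into a high-integrity object."""
    return i_p.dominated_by(i_o)


if __name__ == "__main__":
    analyst = conf("SECRET", "CRYPTO")
    cable = conf("CONFIDENTIAL", "NUCLEAR")  # incomparable with analyst
    print(blp_simple_security(analyst, cable))                                    # False
    print(blp_can_write_after_reading(analyst, [analyst], conf("UNCLASSIFIED")))  # False
    print(biba_star_property(integ("UNTRUSTED"), integ("SYSTEM")))                # False
```

The incomparable pair is the point that a linear ordering hides: a SECRET/CRYPTO analyst is denied a CONFIDENTIAL/NUCLEAR cable even though the level is lower, because the compartment set is not a subset.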

Page 5: Models of Security

Models Proving Theoretical Limitations of Security Systems

Graham-Denning Model – introduced the concept of a formal system of protection rules; constructs a model having generic protection properties

Harrison-Ruzzo-Ullman Model – uses commands involving conditions and primitive operations, where a protection system is a set of subjects, objects, rights, and commands. Its central result is the limitation referred to in the title: the safety question (can a given right ever leak into a cell of the access matrix?) is undecidable for general command sets.
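An added example of an HRU protection system, not code from the presentation: an access matrix with the six primitive operations, commands made of conditions plus a body of primitives, and a bounded search over command executions that approximates the safety question. The command set (file ownership with confer, revoke and pass of the read right) and the subject and object names are assumptions of this example.

```python
# Added example: a Harrison-Ruzzo-Ullman protection system. The command set
# (file ownership with confer/revoke/pass of the read right) and the subject
# and object names are this example's own assumptions, not from the slides.
from copy import deepcopy
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Set, Tuple

Cell = Tuple[str, str]       # (subject, object) entry of the access matrix
Primitive = Tuple[str, ...]  # e.g. ("enter", "read", "q", "f")


@dataclass
class ProtectionState:
    """Subjects, objects (every subject is also an object) and the access
    matrix, stored sparsely as cell -> set of rights."""
    subjects: Set[str] = field(default_factory=set)
    objects: Set[str] = field(default_factory=set)
    matrix: Dict[Cell, Set[str]] = field(default_factory=dict)

    def rights(self, s: str, o: str) -> Set[str]:
        return self.matrix.get((s, o), set())

    def apply(self, prim: Primitive) -> None:
        """The six HRU primitive operations."""
        op, args = prim[0], prim[1:]
        if op == "enter":                       # enter r into (s, o)
            self.matrix.setdefault((args[1], args[2]), set()).add(args[0])
        elif op == "delete":                    # delete r from (s, o)
            self.rights(args[1], args[2]).discard(args[0])
        elif op == "create_subject":
            self.subjects.add(args[0]); self.objects.add(args[0])
        elif op == "create_object":
            self.objects.add(args[0])
        elif op in ("destroy_subject", "destroy_object"):
            self.subjects.discard(args[0]); self.objects.discard(args[0])
            self.matrix = {c: r for c, r in self.matrix.items() if args[0] not in c}
        else:
            raise ValueError(op)


@dataclass(frozen=True)
class Command:
    """command name(params): if r1 in (s1,o1) and ... then prim; prim; ... end.
    Conditions and body name parameters; the right in enter/delete is literal."""
    name: str
    params: Tuple[str, ...]
    conditions: Tuple[Tuple[str, str, str], ...]  # (right, subj_param, obj_param)
    body: Tuple[Primitive, ...]

    def run(self, state: ProtectionState, **bind: str) -> bool:
        """Execute under a parameter binding. If any condition fails the
        command has no effect at all, as HRU requires."""
        for r, s, o in self.conditions:
            if r not in state.rights(bind[s], bind[o]):
                return False
        for op, *args in self.body:
            if op in ("enter", "delete"):
                state.apply((op, args[0], bind[args[1]], bind[args[2]]))
            else:
                state.apply((op, bind[args[0]]))
        return True


CREATE_FILE = Command("create_file", ("p", "f"), (),
                      (("create_object", "f"), ("enter", "own", "p", "f")))
CONFER_READ = Command("confer_read", ("p", "q", "f"), (("own", "p", "f"),),
                      (("enter", "read", "q", "f"),))
REVOKE_READ = Command("revoke_read", ("p", "q", "f"), (("own", "p", "f"),),
                      (("delete", "read", "q", "f"),))
# A badly designed command: anyone who can read a file may pass that right on.
PASS_READ = Command("pass_read", ("p", "q", "f"), (("read", "p", "f"),),
                    (("enter", "read", "q", "f"),))


def right_can_leak(state: ProtectionState, commands: List[Command],
                   right: str, target: Cell, max_steps: int) -> bool:
    """Bounded form of the HRU safety question: can `right` enter `target`
    within max_steps executions, any subject running any command? Commands
    that create subjects/objects are skipped so the state space stays
    finite, and False only means "not within the bound": the unbounded
    question is undecidable for general command sets."""
    def key(st: ProtectionState):
        return (frozenset(st.subjects), frozenset(st.objects),
                frozenset((c, frozenset(r)) for c, r in st.matrix.items() if r))
    frontier, seen = [deepcopy(state)], {key(state)}
    for _ in range(max_steps):
        if any(right in st.rights(*target) for st in frontier):
            return True
        nxt = []
        for st in frontier:
            for cmd in commands:
                if any(p[0].startswith("create") for p in cmd.body):
                    continue
                for combo in product(sorted(st.objects), repeat=len(cmd.params)):
                    new = deepcopy(st)
                    if cmd.run(new, **dict(zip(cmd.params, combo))) and key(new) not in seen:
                        seen.add(key(new)); nxt.append(new)
        frontier = nxt
    return any(right in st.rights(*target) for st in frontier)
```

Usage: create subjects with `apply(("create_subject", name))`, let alice `CREATE_FILE` and `CONFER_READ` to bob, then ask `right_can_leak(st, [REVOKE_READ], "read", ("mallory", "secret.txt"), 3)` (False) versus the same call with `PASS_READ` added (True): adding one command with a weak condition is what lets the right leak, and that is exactly what the safety analysis is meant to surface.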

Page 6: Models of Security

Take-Grant Systems

Four operations performed by subjects on objects with rights
• Create(o,r): subject creates an object o with certain rights r
• Revoke(o,r): subject removes rights r from object o
• Grant(o,p,r): subject grants to o access rights r on p
• Take(o,p,r): subject takes from o access rights r on p

Grant requires the subject to hold the grant right (g) on o, and Take requires the take right (t) on o; the question of interest is which rights can be obtained by chaining these operations through the rights graph.
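The four take-grant operations on a rights graph, as an added example that is not code from the presentation, together with a closure that answers whether a subject can obtain a right on a vertex using only take and grant over the current graph (no creates). Vertex names, the initial edges and the use of `t` and `g` as the take and grant rights are assumptions of this example.

```python
# Added example: the four take-grant operations on a rights graph plus a
# take/grant closure. Vertex names and the starting edges are assumed here.
from typing import Dict, Iterable, Set, Tuple

Edge = Tuple[str, str]


class TakeGrantGraph:
    """Vertices are subjects (may act) or objects; a directed edge x->y
    carries the rights x holds on y. 't' and 'g' are the take and grant rights."""

    def __init__(self) -> None:
        self.subjects: Set[str] = set()
        self.vertices: Set[str] = set()
        self.edges: Dict[Edge, Set[str]] = {}

    def add_vertex(self, name: str, subject: bool = False) -> None:
        self.vertices.add(name)
        if subject:
            self.subjects.add(name)

    def add_rights(self, a: str, b: str, r: Iterable[str]) -> None:
        """Set up the initial graph (not one of the four operations)."""
        self.edges.setdefault((a, b), set()).update(r)

    def rights(self, a: str, b: str) -> Set[str]:
        return self.edges.get((a, b), set())

    def _actor(self, x: str) -> None:
        if x not in self.subjects:
            raise PermissionError(f"{x} is not a subject and cannot act")

    def create(self, x: str, o: str, r: Iterable[str], subject: bool = False) -> None:
        """Create(o,r): x creates vertex o and holds rights r on it."""
        self._actor(x)
        if o in self.vertices:
            raise ValueError(f"{o} already exists")
        self.add_vertex(o, subject)
        self.add_rights(x, o, r)

    def revoke(self, x: str, o: str, r: Iterable[str]) -> None:
        """Revoke(o,r): x drops rights r from its own edge to o."""
        self._actor(x)
        self.rights(x, o).difference_update(r)

    def grant(self, x: str, o: str, p: str, r: Iterable[str]) -> bool:
        """Grant(o,p,r): x needs 'g' on o and r on p; then o gets r on p."""
        self._actor(x)
        if "g" in self.rights(x, o) and set(r) <= self.rights(x, p):
            self.add_rights(o, p, r)
            return True
        return False

    def take(self, x: str, o: str, p: str, r: Iterable[str]) -> bool:
        """Take(o,p,r): x needs 't' on o and o must hold r on p; then x gets r on p."""
        self._actor(x)
        if "t" in self.rights(x, o) and set(r) <= self.rights(o, p):
            self.add_rights(x, p, r)
            return True
        return False

    def closure(self) -> Dict[Edge, Set[str]]:
        """Saturate the graph under every take and grant any subject could
        perform without creating vertices. The fixpoint terminates because
        rights are only ever added."""
        g = {e: set(r) for e, r in self.edges.items()}
        changed = True
        while changed:
            changed = False
            for (a, o), r_ao in list(g.items()):
                if a not in self.subjects:
                    continue
                for (b, p), r_bp in list(g.items()):
                    if "t" in r_ao and b == o and not r_bp <= g.get((a, p), set()):
                        g.setdefault((a, p), set()).update(r_bp); changed = True
                    if "g" in r_ao and b == a and not r_bp <= g.get((o, p), set()):
                        g.setdefault((o, p), set()).update(r_bp); changed = True
        return g

    def can_obtain(self, x: str, p: str, right: str) -> bool:
        return right in self.closure().get((x, p), set())


if __name__ == "__main__":
    g = TakeGrantGraph()
    for s in ("alice", "bob", "eve", "mallory"):
        g.add_vertex(s, subject=True)
    g.add_vertex("dir"); g.add_vertex("file")
    g.add_rights("alice", "dir", {"t"}); g.add_rights("dir", "file", {"r", "w"})
    g.add_rights("bob", "eve", {"g"}); g.add_rights("bob", "file", {"r"})
    g.add_rights("mallory", "dir", {"r"})
    print(g.can_obtain("alice", "file", "w"), g.can_obtain("mallory", "file", "r"))  # True False
```

Mallory holds `r` on the directory vertex, which is useless for reaching the file: only a `t` edge lets rights be pulled through an intermediate vertex, which is why the closure must look at the edge label and not just at connectivity.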

Page 7: Models of Security

Trusted System Design Elements

Least privilege
Economy of mechanism
Open design
Complete mediation
Permission based
Separation of privilege
Least common mechanism
Ease of use

Page 8: Models of Security

Security Features of Ordinary Operating Systems

Authentication of users
Protection of memory
File and I/O device access control
Allocation and access control to general objects
Enforcement of sharing
Guarantee of fair service
Interprocess communications and synchronization
Protection of operating system protection data

Page 9: Models of Security

Security Features of Trusted Operating Systems

Trusted systems incorporate technology to address both features and assurance

Objects are accompanied (surrounded) by an access control mechanism

Memory is separated by user, and data and program libraries have controlled sharing and separation

Page 10: Models of Security

Security Features of Trusted Operating Systems

Identification and Authentication
• Require secure identification of individuals; each individual must be uniquely identified

Mandatory and Discretionary Access Control
• MAC – access control policy decisions are made beyond the control of the individual owner of the object
• DAC – leaves access control to the discretion of the object's owner
• MAC has precedence over DAC: an owner's discretionary grant cannot override a mandatory denial

Page 11: Models of Security

Security Features of Trusted Operating Systems

Object Reuse Protection
• Prevent object reuse leakage
• OS clears (overwrites) all space to be reassigned
• Problem of magnetic remanence

Complete Mediation
• All accesses must be controlled: every access is checked, with no path that bypasses the check

Trusted Path
• For critical operations (setting a password, etc.), users want unmistakable communication with the trusted system, so that no program can impersonate the dialog

Page 12: Models of Security

Security Features of Trusted Operating Systems

Accountability and Audit
• Maintain a log of security-relevant events
• Audit log must be protected from outsiders, who must be unable to alter or delete entries

Audit Log Reduction
• Audit only open and close of files/objects, rather than every individual read or write

Intrusion detection
• Build patterns of normal system usage, triggering an alarm any time usage seems abnormal
• Intrusion prevention
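The accountability, reduction and intrusion-detection points above in one runnable form, added here as an example and not code from the presentation: a keyed hash-chained audit log that records only open and close events, a verifier that locates the first altered or removed record, a baseline of normal usage built from earlier records, and an anomaly check over a later window. The HMAC key, the users, objects and event streams are constructed for this example.

```python
# Added example: a keyed, hash-chained audit log with audit-log reduction
# (only open/close events are recorded) and a baseline anomaly check over
# the recorded events. The key, users, objects and event streams are
# constructed for this example; none of it comes from the slides.
import hashlib
import hmac
import json
from collections import Counter
from typing import Dict, List, Set, Tuple

AUDITED_ACTIONS = {"open", "close"}  # audit-log reduction


class AuditLog:
    """Each record's tag is HMAC(key, previous_tag || record). Without the
    key an outsider can neither forge a record nor re-chain the log after
    editing one. Store head() off-box as well: cutting records off the end
    leaves a chain that still verifies, so truncation needs an external anchor."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[dict] = []
        self._last = b"\x00" * 32

    def _tag(self, prev: bytes, rec: dict) -> str:
        body = json.dumps({k: v for k, v in rec.items() if k != "tag"},
                          sort_keys=True).encode()
        return hmac.new(self._key, prev + body, hashlib.sha256).hexdigest()

    def append(self, user: str, action: str, obj: str) -> bool:
        """Record the event; returns False when reduction filtered it out."""
        if action not in AUDITED_ACTIONS:
            return False
        rec = {"seq": len(self.records), "user": user, "action": action, "object": obj}
        rec["tag"] = self._tag(self._last, rec)
        self._last = bytes.fromhex(rec["tag"])
        self.records.append(rec)
        return True

    def head(self) -> str:
        return self._last.hex()

    def verify(self) -> Tuple[bool, int]:
        """(True, -1) if the chain is intact, else (False, first bad index).
        A removed middle record shows up as a seq gap and a broken chain."""
        prev = b"\x00" * 32
        for i, rec in enumerate(self.records):
            if rec.get("seq") != i or not hmac.compare_digest(
                    self._tag(prev, rec), str(rec.get("tag"))):
                return False, i
            prev = bytes.fromhex(str(rec["tag"]))
        return True, -1


def build_profile(records: List[dict]) -> Dict[str, dict]:
    """Pattern of normal usage: per user, how many opens and which objects."""
    profile: Dict[str, dict] = {}
    for r in records:
        if r["action"] == "open":
            p = profile.setdefault(r["user"], {"opens": 0, "objects": set()})
            p["opens"] += 1
            p["objects"].add(r["object"])
    return profile


def detect_anomalies(profile: Dict[str, dict], records: List[dict],
                     volume_factor: int = 3) -> List[Tuple[str, str]]:
    """Alarm when a user is absent from the baseline, touches an object never
    seen in its baseline, or opens more than volume_factor times its baseline count."""
    alarms: Set[Tuple[str, str]] = set()
    opens = Counter(r["user"] for r in records if r["action"] == "open")
    for r in records:
        if r["action"] != "open":
            continue
        p = profile.get(r["user"])
        if p is None:
            alarms.add((r["user"], "user absent from baseline"))
        elif r["object"] not in p["objects"]:
            alarms.add((r["user"], f"first access to {r['object']}"))
    for user, n in opens.items():
        p = profile.get(user)
        if p and n > volume_factor * p["opens"]:
            alarms.add((user, f"{n} opens vs baseline {p['opens']}"))
    return sorted(alarms)


# Constructed sample events: (user, action, object).
BASELINE = [("alice", "open", "report.docx"), ("alice", "close", "report.docx"),
            ("alice", "open", "report.docx"), ("alice", "open", "budget.xlsx"),
            ("bob", "open", "code.c"), ("bob", "close", "code.c"), ("bob", "open", "code.c")]
WINDOW = ([("bob", "open", "budget.xlsx")] + [("alice", "open", "report.docx")] * 10
          + [("alice", "read", "report.docx")])  # the read is dropped by reduction

if __name__ == "__main__":
    base, window = AuditLog(b"example-key"), AuditLog(b"example-key")
    for e in BASELINE:
        base.append(*e)
    for e in WINDOW:
        window.append(*e)
    print(window.verify())                                          # (True, -1)
    print(detect_anomalies(build_profile(base.records), window.records))
```

Bob's first access to the budget file and alice opening the report ten times against a baseline of three are the two alarms; the baseline is deliberately built from verified records, because a detector fed from a log an intruder can rewrite learns whatever the intruder wants it to learn.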

Page 13: Models of Security

Kernelized Design

Kernel – part of the OS that performs the lowest-level functions
• Synchronization, interprocess communications, message passing, interrupt handling

• Security kernel – responsible for enforcing the security mechanism for the entire OS; provides the interface among the hardware, the OS, and other parts of the computer system