Computer Security Security Policies ..

1
Computer SecuritySecurity Policies ..
2
Security Policies

• We view a computer system as a finite-state
  machine
• Definition
• A security policy is a statement that partitions
  the states
• of a system into a set of authorized or secure
  states and
• a set of unauthorized or nonsecure states.
• A secure system is a system that starts in an
  authorized
• state and cannot enter an unauthorized state.

3
Example
t1
s1
s2
t5
t4
s3
s4
t2
t3
An insecure system Authorized states are s1 and
s2 Unauthorized states are s3 and s4
4
Security Policies

• Definition
• A breach of security occurs when a system enters
  an unauthorized state.
• Let X be a set of entities and I be some
  information.
• I has the property of confidentiality
  with respect to X if no member of X can obtain
  information about I.
• I has the property of integrity with
  respect to X if all members of X trust I.
• Let I be a resource I has the property of
  availability with respect to X if all member of
  X can access I.
• A security mechanism is an entity or procedure
  that enforces some part of a security policy.

5
Types of Policies

• Definition
• Military security policies or governmental
  security policies.
• Commercial security policies
• Confidentiality policies
• Integrity policies
• Transaction policies
• Discuss issues regarding trust.

6
The role of trust

• The role of trust is fundamental in understanding
  the
• nature of computer security.
• Examples see textbook
• Example 1-2-3-4, pp 101-102 (high level)
• 1-2-3-4 102-103 (low-level, formal)

7
Types of Access Control

• Discretionary Access Control (DAC) or
• identity based access control.
• Mandatory Access Control (MAC) or
• role-based access control.
• An originator access control (ORCON or ORGON)
  bases access on the creator of an object.
• Examples pp 103-104

8
Discretionary Access Control (DAC)

• Access control is left to the discretion of the
  owner.
• Based on the identity of the subject.
• Example see textbook pp 104-105

9
Mandatory Access Control (MAC)

• The operating system enforces mandatory access
• controls.
• Neither the subject nor even the owner can
  determine
• access control.
• Example see textbook

10
ORiginator access CONtrol (ORCON or ORGON)

• The originator of the file (or its information)
  has control
• the dissemination of its information.
• Example see textbook

11
Policy languages

• High level policy languages independent of the
  mechanisms used.
• Low level policy languages
• Examples pp 104-105

12
High level policy languages

• Express policy constraints on entities using
  abstraction and are independent of the security
  mechanisms.
• This requires
• An unambiguous expression of policy
• A mathematical or programming formulation
• Details see textbook.
• Examples pp105-106

13
Low level policy languages

• A set of inputs or arguments to commands that set
  or check constraints on a system.
• For examples, see textbook
• Examples pp109-110

14
Security and Precision

• Earlier security and precision was defined in
  terms of the states of the system.
• We said that security policies were enforced by
  security mechanisms and that such mechanisms were
  either
• secure, precise or broad.
• Let P be the set of all states, Q the set of
  secure states
• and suppose that the mechanism restricts the
  system to
• the set of states R .
• A security mechanism was secure if R ? Q ,
  precise if R Q
• and broad if there are states such that r ?R and
  r ?Q .

15
Security and Precision

• We now consider the possibility of devising a
  generic procedure for developing a mechanism that
  is security and precise.
• For this, we will use programs, which will be
  viewed as abstract functions that encode the
  information that needs to be controlled.

16
Security and Precision

• Definition
• A program p is a function p I1 ? ? In ? R
  .
• p has n inputs ij e Ij and one output r e R
• Axiom (observability postulate)
• Suppose p does not alter information but merely
  provides a view
• of its inputs. We say that p encodes all
  available information
• about i1, ,in
• Example
• A confidentiality policy seeks to control what
  views are available.

17
Security and Precision

• Definition
• Let p I1 ? ??? ?In ? R be a function
• A protection mechanism m for p is a function m
  I1???? ?In ? R ? E
• (E is an error message) for which, when (
  i1, ..., in ) ? I1???? ? In , either
• a. m (i1,...,ik) p (i1, ... ,ik) or
• b. m (i1,...,ik) ? E .
• That is, every legal input to m produces
  either the same value as p or an
• error message.
• The set of output values of p that are excluded
  by m are those outputs that
• would impart confidential information.
• Examples p 115

18
Security and Precision

• Definition
• A confidentiality policy for the program p I1
  ?????In ? R is a function c I1???? ?In ? A,
  where A is a subset of I1???? ?In .
• Here the set A corresponds to those inputs that
  may be revealed.
• The complement of A to the confidential inputs.

19
Security and Precision

• Definitions
• Let c be a confidentiality policy for a program
  p.
• Let m I1???? ?In ? R ? E be a security
  mechanism for p.
• The mechanism m is secure iff there is a
  function
• m I1???? ?In ? R ? E such that for all
  (i1,...,in ) ? I1???? ?In
• m (i1,...,ik) m(c (i1,...,ik)) .
• That is, given any set of inputs, the protection
  mechanism m
• returns values consistent with the stated policy
  c
• (here secure confidential )

20
Security and Precision

• Definitions
• Let m1, m2 protection mechanisms for program p
• under policy c.
• m1 is as precise as m2 if for all inputs
  (i1,...,in)
• m2 (i1,...,ik) p (i1,...,ik) -gt m1
  (i1,...,ik) p (i1,...,ik)
• m1 is more precise than m2 if there is an input
  
• (i1',...,in' ) such that
• m2 (i1',...,in' ) p (i1',...,in' )
  m1 (i1',...,in' ) ? p (i1',...,in' )

21
Security and Precision

• Theorems
• For any program p there exists a precise secure
  mechanism m such that for all secure mechanisms
  m associated with p and c we have m m.
• There is no effective way that determines a
  (maximally) precise secure mechanism for any
  policy and program.