LATTICE-BASED ACCESS - PowerPoint PPT Presentation

About This Presentation
Title:

LATTICE-BASED ACCESS

Description:

Denning's axioms and lattices. Bell-LaPadula model (BLP) Integrity and information flow ... Tranquility (most common): SECURE. label is static for subjects and objects ... – PowerPoint PPT presentation

Number of Views:133
Avg rating:3.0/5.0
Slides: 35
Provided by: rav67
Category:

less

Transcript and Presenter's Notes

Title: LATTICE-BASED ACCESS


1
SESSION
LATTICE-BASED ACCESS CONTROL MODELS Ravi
Sandhu George Mason University Fairfax,
Virginia USA
2
LATTICE-BASED MODELS
  • Denning's axioms and lattices
  • Bell-LaPadula model (BLP)
  • Integrity and information flow
  • The Chinese Wall lattice

3
DENNING'S AXIOMS
lt SC, ?, ? gt
  • SC set of security classes
  • ????SC X SC flow relation (i.e., can-flow)
  • ??? SC X SC -gt SC class-combining operator

4
DENNING'S AXIOMS
lt SC, ?, ? gt
  • SC is finite
  • ? is a partial order on SC
  • SC has a lower bound L such that L ? A for all A
    ? SC
  • ? is a least upper bound (lub) operator on SC

Justification for 1 and 2 is stronger than for 3
and 4. In practice we may therefore end up with
a partially ordered set (poset) rather than a
lattice.
5
LATTICE STRUCTURES
Compartments and Categories
ARMY, NUCLEAR, CRYPTO
NUCLEAR, CRYPTO
ARMY, NUCLEAR
ARMY, CRYPTO
NUCLEAR
CRYPTO
ARMY

6
LATTICE STRUCTURES
Hierarchical Classes with Compartments
A,B
TS
B
A

S
product of 2 lattices is a lattice
7
LATTICE STRUCTURES
A,B
TS,
Hierarchical Classes with Compartments
B
A
TS,
TS,

TS,
A,B
S,
A
B
S,
S,

S,
8
SMITH'SLATTICE
TS-AKLQWXYZ
TS-KLX
TS-KQZ
TS-KY
TS-KL
TS-X
TS-W
TS-X
TS-Q
TS-Z
TS-L
TS-Y
TS-K
S-LW
TS
S-L
S-A
S-W
S
C
U
9
SMITH'S LATTICE
  • With large lattices a vanishingly small fraction
    of the labels will actually be used
  • Smith's lattice 4 hierarchical levels, 8
    compartments, therefore
  • number of possible labels 428 1024
  • Only 21 labels are actually used (2)
  • Consider 16 hierarchical levels, 64 compartments
    which gives 1020 labels

10
EMBEDDING A POSET IN A LATTICE
A,B,C,D
A,B,D
A,B,C
A,B,D
A,B,C
?
A,B
B
A
B
A
such embedding is always possible

11
BELL LAPADULA (BLP) MODEL
  • SIMPLE-SECURITY
  • Subject S can read object O only if
  • label(S) dominates label(O)
  • information can flow from label(O) to label(S)
  • STAR-PROPERTY
  • Subject S can write object O only if
  • label(O) dominates label(S)
  • information can flow from label(S) to label(O)

12
BLP MODEL
Top Secret
Secret
Confidential
Unclassified
can-flow
dominance ?
13
DYNAMIC LABELS IN BLP
  • Tranquility (most common) SECURE
  • label is static for subjects and objects
  • High water mark on subjects SECURE
  • label is static for objects
  • ?label may increase but not decrease for
    subjects
  • High water mark on objects INSECURE
  • label is static for subjects
  • label may increase but not decrease for objects

14
BIBA MODEL
High Integrity
Some Integrity
Suspicious
Garbage
can-flow
dominance ?
15
BIBA MODEL
  • SIMPLE-INTEGRITY
  • Subject S can read object O only if
  • label(O) dominates label(S)
  • information can flow from label(O) to label(S)
  • STAR-PROPERTY
  • Subject S can write object O only if
  • label(S) dominates label(O)
  • information can flow from label(S) to label(O)

16
EQUIVALENCE OF BLP AND BIBA
HI (High Integrity)
LI (Low Integrity)
?
LI (Low Integrity)
HI (High Integrity)
BIBA LATTICE
EQUIVALENT BLP LATTICE
17
EQUIVALENCE OF BLP AND BIBA
HS (High Secrecy)
LS (Low Secrecy)
?
LS (Low Secrecy)
HS (High Secrecy)
BLP LATTICE
EQUIVALENT BIBA LATTICE
18
COMBINATION OF DISTINCT LATTICES
HI
HS, LI
HS
?
LS, LI
HS, HI
LI
LS, HI
LS
BLP
BIBA
EQUIVALENT BLP LATTICE
GIVEN
19
BLP AND BIBA
  • BLP and Biba are fundamentally equivalent and
    interchangeable
  • Lattice-based access control is a mechanism for
    enforcing one-way information flow, which can be
    applied to confidentiality or integrity goals
  • We will use the BLP formulation with high
    confidentiality at the top of the lattice, and
    high integrity at the bottom

20
LIPNER'SLATTICE
S System Managers O Audit Trail
S System Control
S Application Programmers O Development Code
and Data
S System Programmers O System Code in
Development
S Repair S Production Users O Production Data
O Tools
O Repair Code
O Production Code
LEGEND S Subjects O Objects
O System Programs
21
LIPNER'S LATTICE
  • Uses 9 labels from a possible space of 192 labels
  • Audit trail is at lowest integrity
  • Production users are only allowed to execute
    production code
  • System control subjects are allowed to
  • write down (with respect to confidentiality)
  • or equivalently
  • write up (with respect to integrity)

22
CHINESE WALL POLICY
  • Example of a commercial security policy for
    confidentiality
  • Mixture of free choice (discretionary) and
    mandatory controls
  • Introduced by Brewer-Nash in Oakland '89

23
CHINESE WALL EXAMPLE
ALL OBJECTS
CONFLICT OF INTEREST CLASSES
OIL COMPANIES
BANKS
X
Y
A
B
COMPANY DATASETS
  • A consultant can access information about at most
    one company in each conflict of interest class

24
READ ACCESS
  • BREWER-NASH SIMPLE SECURITY
  • S can read O only if
  • O is in the same company dataset as some object
    previously read by S (i.e., O is within the wall)
  • or
  • O belongs to a conflict of interest class within
    which S has not read any object (i.e., O is in
    the open)

25
WRITE ACCESS
  • BREWER-NASH STAR-PROPERTY
  • S can write O only if
  • S can read O by the simple security rule
  • and
  • no object can be read which is in a different
    company dataset to the one for which write access
    is requested

26
REASON FOR BN STAR-PROPERTY
ALICE'S WALL BOB'S WALL Bank A Bank B Oil Company
X Oil Company X
  • cooperating Trojan Horses can transfer Bank A
    information to Bank B objects, and vice versa,
    using Oil Company X objects as intermediaries

27
IMPLICATIONS OF BN STAR-PROPERTY
  • Either
  • S cannot write at all
  • or
  • S is limited to reading and writing one company
    dataset

28
WHY THIS IMPASSE?
  • Failure to clearly distinguish user labels from
    subject labels.

29
CHINESE WALL LATTICE
SYSHIGH
A, Y
A, X
B, X
B, Y
  • The high water mark of a user's principal can
    float up so long as it remain below SYSHIGH

B, -
-, X
-, Y
A, -
SYSLOW
30
USERS, PRINCIPALS, SUBJECTS
ALICE.BANK A OIL COMPANY X
ALICE.OIL COMPANY X
ALICE
ALICE.BANK A
ALICE.nothing
USER
PRINCIPALS
31
USERS, PRINCIPALS, SUBJECTS
JOE.TOP-SECRET
JOE.SECRET
JOE
JOE.CONFIDENTIAL
JOE.UNCLASSIFIED
USER
PRINCIPALS
32
USERS, PRINCIPALS, SUBJECTS
  • The Bell-LaPadula star-property is applied not to
    Joe but rather to Joe's principals
  • Similarly, the Brewer-Nash star-property applies
    not to Alice but to Alice's principals

33
CONCLUSION
  • So long as Dennings axioms are satisfied we will
    get a lattice-based information flow policy
  • One-directional information flow in a lattice can
    be used for secrecy as well as for integrity but
    does not solve either problem completely
  • To properly understand and enforce Information
    Security policies we must distinguish between
  • policy applied to users, and
  • policy applied to principals and subjects

34
REFERENCES
  • Ravi Sandhu, "Lattice-Based Access Control
    Models."
  • IEEE Computer, November 1993, pages 9-19
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "LATTICE-BASED ACCESS" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!