Lattice Based Access Control Models By Reena Cherukuri

1
Lattice Based Access Control ModelsBy Reena
Cherukuri
2
BASICS

• Set A collection of items which may or may not
  be related to each other. The members of a set
  are called elements. The symbol for a set is a
  pair of curly brackets, with the elements of the
  set between them A, B, C
• Cartesian Product The Cartesian product of two
  sets A and B (also called the product set, set
  direct product, or cross product) is defined to
  be the set of all points (a, b) where a ? A and
  b ? B . It is denoted A x B

3
BASICS

• Relation Let A and B be two sets. A relation
  between A and B is a collection of ordered pairs
  (a, b) such that a ? A and b ? B. Often we use
  the notation a b to indicated that a and b are
  related, rather then the order pair notation (a,
  b).
• Functions Let A and B be two sets. A function f
  from A to B is a relation between A and B such
  that for each a A there is one and only one
  associated b B. The set A is called the domain
  of the function, B is called its range. Often a
  function is denoted as y f(x) or simply f(x),
  indicating the relation (x, f(x)) .

4
TOPICS

• Dennings Axioms
• Military Lattice
• Bell- LaPadula Model
• The Biba Model and Duality
• The Chinese Wall Lattice

5
INTRODUCTION

• The objective of information security is divided
  into three separate but interrelated areas as
  follows
• Confidentiality
• Integrity
• Availability
• The Lattice-based access control models were
  developed to deal with information flow in
  computer systems.
• Information flow is clearly central to
  confidentiality and applies to integrity to some
  extent.

6
INFORMATION FLOW POLICIES

• Information flow policies are concerned with flow
  of information from one security class to another
• Information actually flows from one Object to
  another
• Object can be defined as a container of
  information
• Information flow is typically controlled by
  assigning every object a security class (
  Objects security label)

7
Denning Axioms

• The concept of information flow policy was
  formally defined by Denning.
• Information Flow Policy (Definition 1)
• It is a triple
• lt SC, ?, ? gt
• SC set of security classes
• ? ? SC X SC flow relation (i.e., can-flow)
• ? SC X SC -gt SC class-combining operator
• It is understood that all three components of an
  information flow policy are fixed, and do not
  change with time. Objects can be created and
  destroyed dynamically but security classes cannot
  be created or destroyed dynamically.

8
Denning Axioms

• Example 1 Isolated Classes SC A1 An for
  i 1n we have Ai ? Ai and Ai ? Ai Ai and
  for i j 1n, i ? j we have Ai !? Aj and Ai ?
  Aj is undefined.
• The simplest example of a non-trivial information
  flow policy occurs when there are just two
  security classes, called H (for high) and L (for
  low), with all flows allowed excepting that from
  high to low.
• Example 2 High-Low Policy SC H,L, and ?
  (H,H) (L,L) (L,H). Equivalently, in infix
  notation, H? H, L ? L, L ? H, and H ! ? L. The
  join operator is defined as follows H? H H, L
  ? H H, H ? L H, and L? L L.

9
Denning Axioms

• Definition 2 (Dennings Axioms)
• lt SC, ?, ? gt
• SC is finite
• ? is a partial order on SC
• SC has a lower bound L such that L ? A for all A
• ? is a least upper bound (lub) operator on SC
• Example 3 Bounded Isolated Classes
  SC A1 . An L ? H L ? L, L ? H, H ? H, and
  for i 1 .n we have L ? Ai, Ai ? Ai, Ai ? H
  for i 1n we have Ai ? Ai Ai, Ai ? H H, and
  Ai ? L Ai and for I, j 1n, i ? j we have Ai
  ? Aj H.

10
Denning Axioms

• Definition 3 Dominance
• A B (read as A dominates B) if and only if B ?
  A. The strictly dominates relation gt is defined
  by A gt B if and only if A B and A ? B. We say
  that A and B are comparable if A B or B A
  otherwise A and B are incomparable. The strictly
  dominates relation has the following
  significance if A gt B then A ! ? B but B ? A. In
  other words, A is more sensitive than B.

11
MILITARY LATTICE
12
MILITARY LATTICE
13
Subset Lattice

• In this policy can-flow is identical to the
  subset relation, dominance is identical to super
  set, and join is the set of union of labels.
  This is called a subset lattice.
• There are 2n subsets of a set of size n, there
  is an exponential increase in the number of
  security classes as the number of categories
  increase.
• In the military and government the individual set
  elements ( i.e. A and B) are called categories
  while the security classes (i.e. set of
  categories) are known as compartments.

14
EMBEDDING A PARTIAL ORDER IN A LATTICE
It is always possible to embed a partial order in
a lattice by including additional security
classes.
15
PRODUCT LATTICE
16
PRODUCT LATTICE
17
SMITHS LATTICE

• It is possible to generate very large lattices.
  In reality a small subset of the entire lattice
  would be used.
• Smith described a actual lattice based on common
  practice in military.
• The security classes consist of four linearly
  ordered security levels TS gt S gt C gt U, and 8
  categories A,K,L,Q,W,X,Y,Z corresponding to say
  8 different projects in the system.
• It has 21 labels from a possible space of
• 4 28 1028

18
SMITHS LATTICE
19
ACCESS CONTROL MODELS

• The active entities in a system are usually
  processes executing programs on behalf of users.
• Information flow between objects and thereby
  between security classes, is carried out by
  processes.
• There is a potential for information flow from
  every object that a process reads to every object
  that it writes.
• We assume that programs simply do not have the
  ability to cause information flows contrary to
  given policy.

20
ACCESS CONTROL MODELS

• To understand the access control and computer
  security, we must first understand the
  distinction between user and subject.
• User Human being
• Subject Process in the system.
• Each authorized human user is known as a unique
  user to the system who can have several subjects
  executing on the users behalf, but each subject
  is associated with only one user.
• The access rights to subjects to objects in a
  system are conceptually represented by access
  Matrix.
• The matrix has a row for every subject and a
  column for every object.

21
ACCESS CONTROL MODELS

• A subject can also be an object in the system
  (e.g. process may have suspend and resume
  operations executed on it by some other process.)
  
• In General the subjects are viewed as a subset of
  objects.
• For Example read ? s, o.
• For the purpose of access matrix, every user is
  also regarded as a subject in its own rights. The
  subject will retain the access rights of the
  user, even if the user is not engaged in any
  activity in the system.
• The access matrix is usually sparse and is stored
  in a system using access control list and,
  capabilities, relations, or other data structure
  suitable for efficient storage of a sparse matrix.

22
ACCESS CONTROL MODELS

• The access matrix is a dynamic entity. The
  individual cells of the access matrix can be
  modified by subjects.
• For Example own ? s, o
• The owner of object has complete discretionary
  regarding the access by other subjects to the
  owned object. Such access controls are said to be
  discretionary.
• Discretionary access controls are inadequate to
  enforce information flow policies.
• In summary, even if users are trusted not to
  deliberately breach security we have to contend
  Trojan Horses which have been programmed to
  deliberately do so.
• The solution is to impose mandatory controls
  which cannot be even by passed Trojan Horses.

23
BELL-LAPADULA MODEL

• The concept of mandatory access controls was
  first formalized by Bell and LA Padula
• The key idea in BLP is to augment discretionary
  access controls with mandatory access controls,
  so as to ensure the information flow policies.
• The mandatory access control policy is expressed
  in terms of security labels attached to subjects
  and objects. A label on an object is called a
  security classification, while a label on a user
  is called security clearance.
• Security labels once assigned to the subjects and
  objects cannot be changed. This is known as
  tranquility.

24
BLP BASIC ASSUMPTIONS
25
BLP MODEL

• The specific mandatory access rules given in BLP
  are as follows, where ? signifies the security
  label of the indicated subject or object.
• Simple-Security Property Subject s can read
  object o only if ?(s) ? (o).
• -Property Subject s can write object o only
  if ?(s) ?(o). (The -property is pronounced as
  the star-property.)

26
STAR-PROPERTY

• Applies to subjects not to users
• Users are trusted (must be trusted) not to
  disclose secret information outside of the
  computer system
• Subjects are not trusted because they may have
  Trojan Horses embedded in the code they execute
• Star-property prevents overt leakage of
  information and does not address the covert
  channel problem

27
BLP MODEL
28
BLP MODEL

• Unfortunately, the mandatory controls do not
  solve the Trojan Horse problem completely.
• Covert Channels present a formidable problem for
  enforcement of information flow policies.
• They are difficult to detect and once detected
  are difficult to close without incurring
  significant performance penalties.
• Covert Channels do tend to be noisy due to
  interference.

29
BIBA MODEL

• Formulated for the purpose of integrity.
• The basic concept of BIBA model is that
  low-integrity information should not be allowed
  to flow to high-integrity objects, whereas the
  opposite is acceptable.
• In Biba Model the high integrity is placed
  towards the top of the lattice of security labels
  and low integrity to bottom.
• The information flow is from top to bottom.

30
BIBA MODEL

• Simple-Integrity Property Subject s can read
  object o only if ?(s) ?(o).
• Integrity -Property Subject s can write object
  o only if ?(s) ?(o).
• These properties are called the duals of the
  corresponding properties of BLP.
• BIBA and BLP models can be combined in situations
  where both confidentiality and integrity are
  concerned.

31
COMPOSITE MODEL

• The combined mandatory controls are as follows
• Subject s can read object o only if ?(s) ?(o)
  and ?(s) ?(o).
• Subject s can write object o only if ?(s) ?(o)
  and ?(s) ?(o).
• It is a popular model and has been implemented in
  several OS, database and network products.
• It is the simultaneous application of two
  lattices, in which the information flow occurs in
  opposite direction.

32
Composite Model
33
EQUIVALENCE OF BLP AND BIBA

• Information flow in the Biba model is from top to
  bottom
• Information flow in the BLP model is from bottom
  to top
• Since top and bottom are relative terms, the two
  models are fundamentally equivalent and
  interchangeable
• Lattice-based access control is a mechanism for
  enforcing one-way information flow, which can be
  applied to confidentiality or integrity goals
• We will use the BLP formulation with high
  confidentiality at the top of the lattice, and
  high integrity at the bottom

34
EQUIVALENCE OF BLP AND BIBA
35
EQUIVALENCE OF BLP AND BIBA
36
COMBINATION OF DISTINCT LATTICES
37
Chinese Walls

• Access Control model for the financial
  segment of the commercial sector.
• Prevention of Information Flow which cause
  Conflicts of Interest (COI) for individual
  consultants.

• Access Rule Subject (S) can access Object (O)
  only if
• O is in the same company Data Set as some
  Object previously read by S.
• O belongs to a COI class within which S has
  not read any Object.

38
Chinese Walls
39
Chinese Walls

• A newly enrolled user in the system is
  assigned the clearance ? ?. (This assumes that
  the user is entering the system with a clean
  slate.
• A user who has had prior exposure to company
  information in some other system should enter
  with an appropriate clearance reflecting the
  extent of this prior exposure.
• As the user reads various company information
  the user's clearance floats up in the lattice.

40
Questions and Suggestions!!!!!
41
THANK YOU