Security Policies - PowerPoint PPT Presentation

Provided by: fengmi5 (27 slides)

Transcript and Presenter's Notes

1
Security Policies
  • CS 4803 Fall 03

2
Security Policies
  • A security policy is a statement that partitions
    the state of the system into a set of authorized
    (or secure) states, and a set of unauthorized (or
    nonsecure) states
  • A secure system is a system that starts in an
    authorized state and cannot enter an unauthorized
    state
  • A breach of security occurs when a system enters
    an unauthorized state

3
Confidentiality, Integrity, and Availability
  • Let X be a set of entities and let I be some
    information. Then I has the property of
    confidentiality with respect to X if no member of
    X can obtain information about I
  • Let X be a set of entities and let I be some
    information or a resource. Then I has the
    property of integrity with respect to X if all
    members of X trust I
  • Let X be a set of entities and I be a resource.
    Then I has the property of availability with
    respect to X if all members of X can access I

4
Access Control
  • If an individual user can set an access control
    mechanism to allow or deny access to an object,
    that mechanism is a discretionary access control
    (or identity-based access control)
  • When a system mechanism controls access to an
    object and an individual user cannot alter that
    access, the control is a mandatory access control
    (or rule-based access control)
  • An originator controlled access control bases
    access on the creator of the object

5
Security Model
  • A security model is a model that represents a
    particular policy or set of policies
  • Abstracts details relevant for analysis
  • Analysis focuses on specific characteristics of
    policies

6
Confidentiality Policies
  • A confidentiality policy (or information flow
    policy) prevents unauthorized disclosure of
    information
  • The Bell-LaPadula Model
      • Military-style classifications
      • A subject has a security clearance
      • An object has a security classification
      • The goal is to prevent read access to objects at
        a security classification higher than the
        subject's clearance

7
Security Levels
  • A security level is (L, C) where L is the
    clearance level and C is the set of categories
  • The security level (L, C) dominates the security
    level (L', C') if L' ≤ L and C' ⊆ C

8
Basic Security Theorem
  • Simple Security Condition: S can read O if and
    only if S dominates O and S has discretionary
    read access to O
  • *-Property (Star Property): S can write to O if
    and only if O dominates S and S has discretionary
    write access to O
  • Basic Security Theorem: Let Σ be a system with a
    secure initial state σ0, and let T be a set of state
    transitions. If every element of T preserves the
    simple security condition and the *-property,
    then every state σi is secure
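The dominance relation of slide 7 and the two conditions of slide 8, as an added example that is not part of the slides. The clearance ranking, category names and the `dac_read`/`dac_write` flags standing in for the discretionary check are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Assumed total order on clearance levels L (the slides do not fix one)
RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Level:
    """A security level (L, C): clearance level L and category set C."""
    L: str
    C: FrozenSet[str]

    def dominates(self, other: "Level") -> bool:
        # (L, C) dominates (L', C') iff L' <= L and C' is a subset of C
        return RANK[other.L] <= RANK[self.L] and other.C <= self.C

def can_read(subject: Level, obj: Level, dac_read: bool) -> bool:
    """Simple security condition: S reads O iff S dominates O and the
    discretionary (DAC) check also grants read."""
    return subject.dominates(obj) and dac_read

def can_write(subject: Level, obj: Level, dac_write: bool) -> bool:
    """*-property: S writes O iff O dominates S and DAC grants write."""
    return obj.dominates(subject) and dac_write

def lvl(L: str, *cats: str) -> Level:
    """Convenience constructor for a level from a clearance and categories."""
    return Level(L, frozenset(cats))

if __name__ == "__main__":
    analyst = lvl("SECRET", "NUC", "EUR")            # constructed subject
    memo = lvl("CONFIDENTIAL", "NUC")                # constructed objects
    plan = lvl("TOP SECRET", "NUC", "EUR", "US")
    print("read down :", can_read(analyst, memo, True))     # True
    print("read up   :", can_read(analyst, plan, True))     # False
    print("write up  :", can_write(analyst, plan, True))    # True
    print("write down:", can_write(analyst, memo, True))    # False
```

Two levels whose category sets are not nested are incomparable, so neither read nor write is granted in either direction.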

9
Tranquility
  • The principle of tranquility states that subjects
    and objects may not change their security levels
    once they have been instantiated
  • The principle of strong tranquility states that
    security levels do not change during the lifetime
    of the system
  • The principle of weak tranquility states that
    security levels do not change in a way that
    violates the rules of a given security policy

10
Biba Integrity Model
  • I is a set of integrity levels
  • Function i: S ∪ O → I
  • Integrity labels are different from security
    labels
  • Security labels limit the flow of information;
    integrity labels inhibit modification of
    information
  • An information transfer path is a sequence of
    objects o_1, …, o_{n+1} and a corresponding sequence
    of subjects s_1, …, s_n, such that s_i r o_i and
    s_i w o_{i+1} for all i, 1 ≤ i ≤ n

11
Low-Water-Mark Policy
  • s ∈ S can write to o ∈ O if and only if i(o) ≤
    i(s)
  • If s ∈ S reads o ∈ O, then i'(s) = min(i(s),
    i(o)), where i'(s) is the subject's integrity
    level after the read
  • s_1 ∈ S can execute s_2 ∈ S if and only if i(s_2)
    ≤ i(s_1)
  • Theorem: If there is an information transfer path
    from object o_1 ∈ O to object o_{n+1} ∈ O, then the
    enforcement of the low-water-mark policy requires
    that i(o_{n+1}) ≤ i(o_1)

12
Ring Policy
  • Any subject may read any object, regardless of
    integrity levels
  • s ∈ S can write to o ∈ O if and only if i(o) ≤
    i(s)
  • s_1 ∈ S can execute s_2 ∈ S if and only if i(s_2)
    ≤ i(s_1)

13
Biba's Model (Strict Integrity Policy)
  • s ∈ S can read o ∈ O if and only if i(s) ≤ i(o)
  • s ∈ S can write to o ∈ O if and only if i(o) ≤
    i(s)
  • s_1 ∈ S can execute s_2 ∈ S if and only if i(s_2)
    ≤ i(s_1)
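The three Biba policies of slides 11 to 13 side by side, plus a brute-force check of the low-water-mark theorem over an information transfer path (slide 10), as an added example not taken from the slides. Integer integrity levels, the `IntegrityState` class and the object/subject names are assumptions.

```python
import itertools
from typing import Dict, List

class IntegrityState:
    def __init__(self, levels: Dict[str, int]):
        self.i = dict(levels)   # copy: a low-water-mark run must not alter the caller's table

    def can_write(self, s: str, o: str) -> bool:
        return self.i[o] <= self.i[s]          # write rule, identical in all three policies

    def can_execute(self, s1: str, s2: str) -> bool:
        return self.i[s2] <= self.i[s1]        # execute rule, identical in all three policies

    def read(self, s: str, o: str, policy: str) -> bool:
        """Attempt the read under `policy`; return whether it is permitted."""
        if policy == "low-water-mark":         # always allowed, but i'(s) = min(i(s), i(o))
            self.i[s] = min(self.i[s], self.i[o])
            return True
        if policy == "ring":                   # any subject may read any object
            return True
        if policy == "strict":                 # read only if i(s) <= i(o)
            return self.i[s] <= self.i[o]
        raise ValueError(f"unknown policy {policy!r}")

def path_permitted(levels: Dict[str, int], objs: List[str],
                   subjs: List[str], policy: str) -> bool:
    """Walk an information transfer path: s_k reads o_k, then writes o_{k+1}."""
    st = IntegrityState(levels)
    for k, s in enumerate(subjs):
        if not st.read(s, objs[k], policy) or not st.can_write(s, objs[k + 1]):
            return False
    return True

def lwm_theorem_holds(objs: List[str], subjs: List[str], top: int = 2) -> bool:
    """Brute-force the slide's theorem: under low-water-mark every permitted
    path from o_1 to o_{n+1} has i(o_{n+1}) <= i(o_1), for all level assignments."""
    names = objs + subjs
    for combo in itertools.product(range(top + 1), repeat=len(names)):
        levels = dict(zip(names, combo))
        if (path_permitted(levels, objs, subjs, "low-water-mark")
                and levels[objs[-1]] > levels[objs[0]]):
            return False
    return True

if __name__ == "__main__":
    lv = {"o1": 0, "o2": 2, "s1": 2}   # constructed: low-integrity o1, trusted s1, high o2
    for p in ("low-water-mark", "ring", "strict"):
        print(f"{p:15s} permits o1 -> s1 -> o2: {path_permitted(lv, ['o1', 'o2'], ['s1'], p)}")
    print("theorem holds:", lwm_theorem_holds(["o1", "o2", "o3"], ["s1", "s2"]))
```

The ring policy lets the low-integrity content of o1 reach the high-integrity o2 through a trusted subject; low-water-mark blocks it by demoting s1 on the read, and strict integrity blocks the read itself.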

14
Lipner's Integrity Matrix Model
  • Define classifications and categories for both
    security and integrity
  • Define for each subject, its security clearance
    and integrity clearance
  • Define for each object its security class and
    integrity class

15
Clark-Wilson Integrity Model
  • Constrained data items, CDIs
      • Data subject to integrity controls
  • Unconstrained data items, UDIs
      • Data not subject to integrity controls
  • Integrity constraints
      • Constrain the values of the CDIs
  • Integrity verification procedures, IVPs
      • Test that the CDIs conform to the integrity
        constraints at the time the IVPs are run
      • The system is then in a valid state
  • Transformation procedures, TPs
      • Change the state of the data in the system from
        one valid state to another

16
Certification and Enforcement
  • CR1: When any IVP is run, it must ensure that all
    CDIs are in a valid state
  • CR2: For some associated set of CDIs, a TP must
    transform those CDIs from a valid state to a valid
    state
  • ER1: The system must maintain the certified
    relations, and must ensure that only TPs
    certified to run on a CDI manipulate that CDI
  • ER2: The system must associate a user with each
    TP and set of CDIs. The TP may access those CDIs
    on behalf of the associated user. If the user is
    not associated with a particular TP and CDI, then
    the TP cannot access that CDI on behalf of that
    user
  • CR3: The allowed relations must meet the
    requirements imposed by the principles of
    separation of duty

17
Certification and Enforcement (contd)
  • ER3: The system must authenticate each user
    attempting to execute a TP
  • CR4: All TPs must append enough information to
    reconstruct the operation to an append-only CDI
  • CR5: Any TP that takes as input a UDI may perform
    only valid transformations, or no
    transformations, for all possible values of the
    UDI. The transformation either rejects the UDI or
    transforms it into a CDI
  • ER4: Only the certifier of a TP may change the
    list of entities associated with that TP. No
    certifier of a TP, or of an entity associated
    with that TP, may ever have execute permission
    with respect to that entity
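A small reference monitor that applies the enforcement rules ER1 to ER4 and the logging rule CR4 from slides 16 and 17 to a single TP, as an added example that is not from the slides. The `Monitor` class, the account-balance CDI, the `deposit` TP and the user names are assumptions for illustration.

```python
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

class Monitor:
    def __init__(self, cdis: Dict[str, int]):
        self.cdis = cdis                                   # constrained data items
        self.tps: Dict[str, Callable] = {}
        self.certified: Dict[str, FrozenSet[str]] = {}     # ER1: TP -> CDIs it may touch
        self.certifier: Dict[str, str] = {}                # ER4: who certified each TP
        self.allowed: Set[Tuple[str, str, FrozenSet[str]]] = set()  # ER2: (user, TP, CDIs)
        self.authenticated: Set[str] = set()               # ER3
        self.log: List[str] = []                           # CR4: append-only CDI

    def certify(self, certifier: str, tp: str, fn: Callable, cdis) -> None:
        self.tps[tp], self.certified[tp] = fn, frozenset(cdis)
        self.certifier[tp] = certifier

    def associate(self, who: str, user: str, tp: str, cdis) -> None:
        if self.certifier.get(tp) != who:     # ER4: only the certifier edits the list
            raise PermissionError("ER4: not the certifier of " + tp)
        if user == who:                       # ER4: a certifier never gets execute rights
            raise PermissionError("ER4: certifier cannot execute " + tp)
        self.allowed.add((user, tp, frozenset(cdis)))

    def run(self, user: str, tp: str, cdis, udi: Optional[str] = None) -> bool:
        cdis = frozenset(cdis)
        if (user not in self.authenticated                           # ER3
                or not cdis <= self.certified.get(tp, frozenset())  # ER1
                or (user, tp, cdis) not in self.allowed):            # ER2
            return False
        ok = self.tps[tp](self.cdis, udi)     # CR5: the TP rejects the UDI or transforms it
        self.log.append(f"{user} {tp} {sorted(cdis)} udi={udi!r} ok={ok}")  # CR4
        return ok

def deposit(cdis: Dict[str, int], udi: Optional[str]) -> bool:
    # TP: the UDI is untrusted input; only a positive integer becomes a CDI update
    if not (udi or "").isdigit() or int(udi) == 0:
        return False                          # CR5: reject, CDIs untouched
    cdis["acct"] += int(udi)
    return True

def demo() -> Tuple[bool, bool, bool, int]:
    m = Monitor({"acct": 10})                 # constructed CDI: an account balance
    m.certify("auditor", "deposit", deposit, ["acct"])
    m.associate("auditor", "teller", "deposit", ["acct"])
    m.authenticated.add("teller")
    r1 = m.run("teller", "deposit", ["acct"], "5")    # True: balance becomes 15
    r2 = m.run("teller", "deposit", ["acct"], "-5")   # False: UDI rejected
    r3 = m.run("auditor", "deposit", ["acct"], "5")   # False: auditor not authenticated (ER3)
    return r1, r2, r3, m.cdis["acct"]
```

CR1 to CR3 are certification rules, i.e. properties a human certifier checks before a TP is registered, so they appear here only as the `certify` call that records the outcome.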

18
Chinese Wall Model
  • A model of a security policy that refers equally
    to confidentiality and integrity
  • Deals with conflict of interest situations
  • Definitions
      • The objects are items of information related to a
        company
      • A company dataset (CD) contains objects related
        to a single company
      • A conflict of interest (COI) class contains the
        datasets of companies in competition
      • CD(O) is the company dataset that contains object
        O; COI(O) is the COI class that contains object O

19
Chinese Wall Model (contd)
  • CW-Simple Security Condition: S can read O if and
    only if any of the following holds
      • There is an object O' such that S has accessed O'
        and CD(O') = CD(O)
      • For all objects O', O' ∈ PR(S) ⇒ COI(O') ≠ COI(O),
        where PR(S) is the set of objects S has read
      • O is a sanitized object

20
Chinese Wall Model (contd)
  • CW-*-Property: A subject S may write to an object
    O if and only if both of the following conditions
    hold
      • The CW-Simple Security Condition permits S to
        read O
      • For all unsanitized objects O', S can read O' ⇒
        CD(O') = CD(O)
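The CW-Simple Security Condition (slide 19) and the CW-*-Property (slide 20) over a constructed set of company datasets, as an added example that is not from the slides. The `World` and `Subject` classes, the bank names and the object identifiers are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

@dataclass
class World:
    cd: Dict[str, str]       # CD(O): company dataset of each object
    coi: Dict[str, str]      # COI class of each company dataset
    sanitized: Set[str]      # objects with competitive information stripped

@dataclass
class Subject:
    name: str
    pr: Set[str] = field(default_factory=set)   # PR(S): objects S has read

def cw_simple(w: World, s: Subject, o: str) -> bool:
    """S can read O iff O is sanitized, or S already read something in CD(O),
    or nothing S has read lies in COI(O)."""
    if o in w.sanitized:
        return True
    if any(w.cd[p] == w.cd[o] for p in s.pr):
        return True
    return all(w.coi[w.cd[p]] != w.coi[w.cd[o]] for p in s.pr)

def read(w: World, s: Subject, o: str) -> bool:
    """Perform the read if permitted, recording it in PR(S)."""
    if not cw_simple(w, s, o):
        return False
    s.pr.add(o)
    return True

def cw_star(w: World, s: Subject, o: str) -> bool:
    """S may write O iff CW-simple lets S read O and every unsanitized object
    S can read belongs to CD(O)."""
    if not cw_simple(w, s, o):
        return False
    return all(w.cd[p] == w.cd[o]
               for p in w.cd if p not in w.sanitized and cw_simple(w, s, p))

# Constructed data: two banks in one COI class, plus a sanitized report
BANKS = World(cd={"a1": "BankA", "a2": "BankA", "b1": "BankB", "rep": "BankA"},
              coi={"BankA": "banks", "BankB": "banks"}, sanitized={"rep"})

if __name__ == "__main__":
    alice = Subject("alice")
    print(read(BANKS, alice, "a1"), read(BANKS, alice, "b1"))        # True False
    print(cw_star(BANKS, alice, "a2"), cw_star(BANKS, alice, "b1"))  # True False
```

Note how restrictive the *-property is: a subject who has read nothing can read anything and therefore write nothing, and adding a second COI class (say an oil company) lets the subject read that class too, which again blocks every write.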

21
Role-Based Access Control
  • Definitions
      • A role is a collection of job functions. Each
        role r is authorized to perform one or more
        transactions. The set of authorized transactions
        for r is trans(r)
      • The active role of subject s, actr(s), is the
        role that s is currently performing
      • The authorized roles of a subject s, authr(s), is
        the set of roles that s is authorized to assume

22
Role-Based Access Control
  • Axioms
      • If a subject can execute any transaction, then
        that subject has an active role
          • Binds the notion of execution to role rather
            than user
      • A subject must be authorized to assume its active
        role
          • Cannot assume an unauthorized role
      • A subject cannot execute a transaction for which
        its current role is not authorized

23
Noninterference and Policy Composition
  • Covert channel
      • All channels must be closed
  • Composing systems with different policies
      • Principle of autonomy: any access allowed by the
        security policy of a component must be allowed by
        the composition of the components
      • Principle of security: any access forbidden by
        the security policy of a component must be
        forbidden by the composition of the components

24
Noninterference
  • A system is secure if groups of subjects cannot
    interfere with each other
  • A state machine model
  • Subjects S, states Σ, outputs O, and commands Z;
    state transition commands C = S × Z
  • State transition function T: C × Σ → Σ
  • Output function P: C × Σ → O

25
Noninterference (contd)
  • proj(s, cs, σi) is the list of outputs resulting
    from removing the outputs s is not authorized to
    see
  • Each command may produce some output, but
    subjects with insufficient clearance may not be
    able to see the output
  • πG,A(cs) is the sequence obtained from cs by
    deleting all elements (s, z) in cs such that both
    s ∈ G and z ∈ A, where G is a group of subjects and
    A is a set of commands
  • Purge function π: certain command executions must
    be invisible to some subjects

26
Noninterference (contd)
  • Let G and G' be two distinct groups of subjects
    and A be a set of commands. Subjects in G
    executing commands in A are noninterfering with
    users in G' if and only if, for all sequences cs
    and for all s ∈ G', proj(s, cs, σi) = proj(s,
    πG,A(cs), σi)
  • If the set of outputs that any user can see
    corresponds to the set of inputs that that user
    can see, then the system is secure
  • A security policy is the set of noninterference
    assertions
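The state machine of slide 24, the proj and purge functions of slide 25 and the noninterference assertion of slide 26, as an added example that is not from the slides, checked exhaustively over short command sequences on a constructed two-counter machine with a "high" and a "low" subject. The machine, its commands and the two output functions (one leaky, one safe) are assumptions.

```python
import itertools
from typing import Callable, List, Tuple
S = ["high", "low"]                 # subjects
Z = ["inc", "show"]                 # commands
State = Tuple[int, int]             # Σ: (high counter, low counter)
Command = Tuple[str, str]           # C = S × Z
C: List[Command] = [(s, z) for s in S for z in Z]

def T(c: Command, sigma: State) -> State:
    """State transition function T: C × Σ → Σ; "inc" bumps the caller's own counter."""
    (s, z), (h, l) = c, sigma
    if z != "inc":
        return sigma
    return (h + 1, l) if s == "high" else (h, l + 1)

def P_leaky(c: Command, sigma: State) -> Tuple[str, int]:
    """Output function P: C × Σ → O, tagged with the subject allowed to see it; low's output includes the high counter (constructed flaw)."""
    (s, _), (h, l) = c, sigma
    return (s, h) if s == "high" else (s, h + l)

def P_safe(c: Command, sigma: State) -> Tuple[str, int]:
    """Output function where each subject sees only its own counter."""
    (s, _), (h, l) = c, sigma
    return (s, h) if s == "high" else (s, l)

def proj(s: str, cs: List[Command], sigma: State, P: Callable) -> List[int]:
    """proj(s, cs, σ): run cs from σ and keep only the outputs s may see."""
    seen = []
    for c in cs:
        who, value = P(c, sigma)
        if who == s:
            seen.append(value)
        sigma = T(c, sigma)
    return seen

def purge(cs: List[Command], G: set, A: set) -> List[Command]:
    """π_{G,A}(cs): delete every (s, z) with s ∈ G and z ∈ A."""
    return [(s, z) for (s, z) in cs if not (s in G and z in A)]

def noninterfering(G: set, A: set, G2: set, P: Callable, max_len: int = 3) -> bool:
    """G executing A is noninterfering with G2 iff proj(s, cs, σ0) == proj(s, π_{G,A}(cs), σ0)
    for every s ∈ G2 and every cs; checked exhaustively for |cs| ≤ max_len."""
    sigma0: State = (0, 0)
    for n in range(max_len + 1):
        for cs in itertools.product(C, repeat=n):
            for s in G2:
                if proj(s, list(cs), sigma0, P) != proj(s, purge(list(cs), G, A), sigma0, P):
                    return False
    return True
```

With `P_leaky` only high's "inc" commands interfere with low: purging high's "show" commands leaves every low-visible output unchanged, so the assertion holds for A = {"show"} and fails for A = {"inc", "show"}.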