Computer Security Security models - PowerPoint PPT Presentation

About This Presentation

Title:

Computer Security Security models

Description:

BLP Model. We want to use the state of the system to check its security. ... of a model, it is important that the implementation of the ... – PowerPoint PPT presentation

Number of Views:299

Avg rating:3.0/5.0

Slides: 53

Provided by: mikebur

Learn more at: http://www.cs.fsu.edu

Category:

more less

Transcript and Presenter's Notes

Title: Computer Security Security models

1
Computer SecuritySecurity models an overview.
2
Finite State Machine Models

Automata (Finite State Machines) are a popular
way
Of modeling many aspects of computing systems.
The essential feature of these are then concepts
of
State
State transition

3
Bell-LaPadula (BLP) Model

BLP Structure
Combines,
.Access permission matrices for access control,
a Security lattice, for security levels,
an Automaton, for access operations.
Security policies are reduced to relations in the
BLP
structure.

4
BLP Model

A set of subjects S
A set of objects O
A set of access operations
A execute,read,append,wri
te
A set L of security levels, with a partial
ordering .

5
BLP Model

We want to use the state of the system to check
its security.
The state set is B xM x F, where
B P (SxOxA) the set of current accesses b
.M is the set of permission matrices M
A set of security level assignments F Ls
x Ls x Lo.

6
BLP Model

The security level assignments F Ls x Ls x
Lo.
F has elements f , where

7
BLP Model

Security policies a state (b,M,f ) must
satisfy,
Simple security property (ss-property)
for each access request (s,o,a) in b, with access
operation a read, or write, the security level
of s must dominate the classification of o,
i.e.,
This is a no read/write up security
policy

8
BLP Model

2. Star property (-property)
for each access request (s,o,a) in b, with access
operation a append, or write, the current
security level of s is dominated by the
classification of the object o,
i.e. .
This is a no append/write down policy.
Also, if there is an (s,o,a) in b with a
append or write, then we must have
for all o with (s,o,a ) in b and a
read or write

9
BLP Model

3. Discretionary security property
(ds-property)
-- for each access (s,o,a) in b, we must have
.

10
BLP Model

The -property implies that is not possible to
send messages to
low level subjects.
There are two ways to remedy this.
Temporarily downgrade a high level subject ? this
is why we introduced the current security level
.
Identify a set of subjects that are permitted to
violate the
-property .
These are called trusted subjects.

11
BLP Security

A state v (b,M,f ) is called secure if all
three security properties are satisfied.
A transition from state v1 (b1,M1,f1) to state
v2 (b2,M2,f2) is secure if v2 is
secure whenever v1 is.

12
BLP Security

Theorem
If all state transitions are secure and if the
initial state is
secure then every subsequent state is secure, no
matter which inputs occur.

13
BLP Security

Proof -informal
A formal proof would proceed by induction on the
length of
the input sequences.
It would build on the fact that security is
preserves by state
transitions.
Remark
This theorem means that to check security you
only need to
check that state transitions preserve security.

14
BLP Security

Proof, the ss-property
A state transition from (b1,M1,f1) to (b2,M2,f2)
preserves the ss-property if and only if

15
BLP Security

Proof, the ds-property
Preservation of the -property and the
ds-property can
be described in a similar way.

16
BLP Security

McLean defined a BLP system which
downgrades all subjects to the lowest level,
downgrades all objects to the lowest level,
enters all access rights in all positions of the
access control matrix M.

17
BLP Security

A BLP system is only as good as its state
transitions are.
When a security system is designed within the
framework
of a model, it is important that the
implementation of the
primitives of the model captures correctly the
security
requirements of the system.

18
Limitations of BLP

The BLP model,
only deals with confidentiality, not integrity,
does not address management of access control,
contains covert channels.

19
Limitations of BLP

These are features of BLP, and should not be
regarded as flaws.
Limiting the goals of a model makes it easier to
deal
with security issues
BLP does not state policies for the modification
of access rights.
BLP was originally intended for systems with no
changes
in the security levels.

20
Limitations of BLP

Covert channels are information channels that are
not
controlled by the security mechanism of the
system.
Information can flow (leak) from a high security
level to a low
security level as follows
A low-level subject creates an object dummy.obj
at its own level,
Its high-level accomplice, either upgrades it to
a high level,
or does not.
3. Later the low level subject tries to read
dummy.obj . If it can,
the covert bit is 1 otherwise it is 0.

21
Limitations of BLP

Telling a subject that a certain operation is or
is not
permitted, constitutes information flow.

22
The Harrison-Ruzzo-Ullman (HRU) Model

The BLP model is not dynamic
it does not allow for the creation or deletion of
subjects and objects and for changing access
rights.
The HRU model defines authorization systems that
address this issue.

23
HRU Model

A set of subjects S
A set of objects O
A set of access rights R
An access matrix

24
HRU Model

We also have six primitive operations,

25
HRU Model

Commands in HRU are of type,

26
HRU Model

Basic operations are of type,
The owner s of file f grants read access to s?,

27
HRU Model -security

Definitions
An access matrix M leaks the right r if there
is a command
that adds the right
r in a position of M that did not previously
contain r, that is,
An access matrix M is safe with respect to the
right r if no sequence of commands can transform
M into a state that leaks r.
So, verifying HRU security reduces to verifying
safety properties.

28
HRU Model -security

Theorems
Given an access matrix M and a right r, verifying
the safety of M with respect to the right r is an
undecidable problem.
Given a mono-operational authorization system,
an access matrix M and a right r, verifying the
safety of M with respect to the right r is
decidable.
Even if two operations per command are allowed we
get
undecidability.
The safety problem for authorization systems is
decidable if the number of subjects is bounded.
Commands
contain a single operation are mono-operational

29
The Chinese Wall Model

This models a consultancy business where analysts
have to make sure that no conflicts arise when
dealing with
different clients (companies).
Informally, a conflict arises when clients are
direct competitors
in the same market, or because of the ownership
of
companies.

30
The Chinese Wall Model

A set of subjects S
A set of companies C
A set of objects O
the objects concerning the same company are
called company datasets.
the function gives the
company dataset for each object.
The function gives the
conflict of interest classes for each object.

31
The Chinese Wall Model
Conflicts of interest may also arise from objects
that have been accessed in then past. Let Ns,o
true, if subject s has had access to object o
false, if subject s never had
access to object o
32
The Chinese Wall Model

ss property
That is, access is granted only if the object
requested
belongs to
a company dataset already held by the subject
(the analyst), or
an entirely different conflict of interest class.

33
The Chinese Wall Model
- property That is, write access to an
object is only granted if no other object can be
read which is in a different company dataset and
contains unsanitised information.
34
The Biba Model

This model addresses integrity by using a state
machine
model in a similar way to BLP.
Unlike BLP there is no single high-level
integrity policy.
Instead, there is a variety of approaches.

35
The Biba Model

The integrity policies guarantee that information
only flows downwards.
In particular, clean high level entities cannot
be corrupted by dirty low level entities.

36
The Biba Model static integrity
Simple integrity property first try
Integrity - property These properties
prevent clean subjects and objects from being
contaminated by dirty information.
37
The Biba Model static integrity
Simple integrity property Integrity -
property
38
The Biba Model dynamic integrity
This uses an approach similar to the Chinese Wall
model, in which the integrity of a subject is
adjusted if the subject comes into contact with
low-level information.
39
The Biba Model dynamic integrity
Subject low watermark property Object low
watermark property
40
The Clark - Wilson Model

This model addresses the security requirements of
commercial applications.
The requirements of this model are to secure data
integrity.
Integrity requirements are divided into,
internal consistency properties of the internal
state that can be enforced by the computer
system.
external consistency the relation of the
internal state to the real world enforced by
means outside the system, e.g. auditing.

41
The CW Model

Integrity is enforced by,
well formed transactions data items can be
manipulated only by a specific set of
programs
users have access to programs rather than
data
items.
separation of duties users have to collaborate
to manipulate data and collude to penetrate the
system.

42
The CW Model

In the Clark-Wilson model,
Subjects must be identified and authenticated,
Objects can be manipulated only by a restricted
set of programs,
Subjects can execute only a restricted set of
programs,
A proper audit log has to be maintained,
The system must be certified to work properly.

43
The CW Model

In the Clark-Wilson model,
Data items governed by the security policy are
called Constrained Data Items (CDIs),
Inputs captured as Unconstrained Data Items
(UDIs),
Conversion of UDIs to CDIs is a critical part of
the system which cannot be controlled solely by
the security mechanisms in the system,
CDIs can be manipulated by Transformation
Procedures (TPs)
The integrity of a state is checked by Integrity
Verification Procedure (IVPs)

44
The CW Model

Security procedures are defined by 5
certification rules
Integrity Verification Procedures must ensure
that all Constrained Data Items are in a valid
state when the IVP is run.
Transformation Procedures must be certified to be
valid, i.e. CDIs must always be transformed into
CDIs.
The access rules must certify any separation of
duties requirements.
4. All TPs must write to an append-only log.
5. Any TP that takes a UDI as input must
either convert it into a CDI or reject it.

45
The CW Model

Security procedures are enforced by the 4 rules
The system must maintain and protect the list of
entries (TPiCDIa,CDIb, )
giving the CDIs that the TP is certified
to access.
The system must maintain and protect the list of
entries (UserID,TPiCDIa,CDIb, )
specifying the TPs that users can
execute.
The system must authenticate each user requesting
to execute a TP.
Only a subject that may certify an access rule
for a TP may modify the respective entry in the
list.
This subject must not have execute rights
on that TP.

46
Information - Flow Models

In the BLP model information can flow from a low
security level to a high security level through
access operations without any loss of
confidential information.
Informally, a state transition from one object x
to another object y causes
information flow
if
we learn more about x by observing y.

47
Information - Flow Models