Computer Security Security models

1
Computer SecuritySecurity models an overview.
2
Finite State Machine Models

• Automata (Finite State Machines) are a popular
  way
• Of modeling many aspects of computing systems.
• The essential feature of these are then concepts
  of
• State
• State transition

3
Bell-LaPadula (BLP) Model

• BLP Structure
• Combines,
• .Access permission matrices for access control,
• a Security lattice, for security levels,
• an Automaton, for access operations.
• Security policies are reduced to relations in the
  BLP
• structure.

4
BLP Model

• A set of subjects S
• A set of objects O
• A set of access operations
• A execute,read,append,wri
  te
• A set L of security levels, with a partial
  ordering .

5
BLP Model

• We want to use the state of the system to check
  its security.
• The state set is B xM x F, where
• B P (SxOxA) the set of current accesses b
• .M is the set of permission matrices M
• A set of security level assignments F Ls
  x Ls x Lo.

6
BLP Model

• The security level assignments F Ls x Ls x
  Lo.
• F has elements f , where
  

7
BLP Model

• Security policies a state (b,M,f ) must
  satisfy,
• Simple security property (ss-property)
• for each access request (s,o,a) in b, with access
  operation a read, or write, the security level
  of s must dominate the classification of o,
  i.e.,
• This is a no read/write up security
  policy

8
BLP Model

• 2. Star property (-property)
• for each access request (s,o,a) in b, with access
  operation a append, or write, the current
  security level of s is dominated by the
  classification of the object o,
• i.e. .
• This is a no append/write down policy.
• Also, if there is an (s,o,a) in b with a
  append or write, then we must have
  
• for all o with (s,o,a ) in b and a
  read or write

9
BLP Model

• 3. Discretionary security property
  (ds-property)
• -- for each access (s,o,a) in b, we must have
  .

10
BLP Model

• The -property implies that is not possible to
  send messages to
• low level subjects.
• There are two ways to remedy this.
• Temporarily downgrade a high level subject ? this
  is why we introduced the current security level
  .
• Identify a set of subjects that are permitted to
  violate the
• -property .
• These are called trusted subjects.

11
BLP Security

• A state v (b,M,f ) is called secure if all
  three security properties are satisfied.
• A transition from state v1 (b1,M1,f1) to state
  v2 (b2,M2,f2) is secure if v2 is
  secure whenever v1 is.

12
BLP Security

• Theorem
• If all state transitions are secure and if the
  initial state is
• secure then every subsequent state is secure, no
• matter which inputs occur.

13
BLP Security

• Proof -informal
• A formal proof would proceed by induction on the
  length of
• the input sequences.
• It would build on the fact that security is
  preserves by state
• transitions.
• Remark
• This theorem means that to check security you
  only need to
• check that state transitions preserve security.

14
BLP Security

• Proof, the ss-property
• A state transition from (b1,M1,f1) to (b2,M2,f2)
• preserves the ss-property if and only if

15
BLP Security

• Proof, the ds-property
• Preservation of the -property and the
  ds-property can
• be described in a similar way.

16
BLP Security

• McLean defined a BLP system which
• downgrades all subjects to the lowest level,
• downgrades all objects to the lowest level,
• enters all access rights in all positions of the
  access control matrix M.

17
BLP Security

• A BLP system is only as good as its state
• transitions are.
• When a security system is designed within the
  framework
• of a model, it is important that the
  implementation of the
• primitives of the model captures correctly the
  security
• requirements of the system.

18
Limitations of BLP

• The BLP model,
• only deals with confidentiality, not integrity,
• does not address management of access control,
• contains covert channels.

19
Limitations of BLP

• These are features of BLP, and should not be
• regarded as flaws.
• Limiting the goals of a model makes it easier to
  deal
• with security issues
• BLP does not state policies for the modification
  of access rights.
• BLP was originally intended for systems with no
  changes
• in the security levels.

20
Limitations of BLP

• Covert channels are information channels that are
  not
• controlled by the security mechanism of the
  system.
• Information can flow (leak) from a high security
  level to a low
• security level as follows
• A low-level subject creates an object dummy.obj
  at its own level,
• Its high-level accomplice, either upgrades it to
  a high level,
• or does not.
• 3. Later the low level subject tries to read
  dummy.obj . If it can,
• the covert bit is 1 otherwise it is 0.

21
Limitations of BLP

• Telling a subject that a certain operation is or
  is not
• permitted, constitutes information flow.

22
The Harrison-Ruzzo-Ullman (HRU) Model

• The BLP model is not dynamic
• it does not allow for the creation or deletion of
  
• subjects and objects and for changing access
• rights.
• The HRU model defines authorization systems that
• address this issue.

23
HRU Model

• A set of subjects S
• A set of objects O
• A set of access rights R
• An access matrix

24
HRU Model

• We also have six primitive operations,

25
HRU Model

• Commands in HRU are of type,

26
HRU Model

• Basic operations are of type,
• The owner s of file f grants read access to s?,

27
HRU Model -security

• Definitions
• An access matrix M leaks the right r if there
  is a command
• that adds the right
  r in a position of M that did not previously
  contain r, that is,
• An access matrix M is safe with respect to the
  right r if no sequence of commands can transform
  M into a state that leaks r.
• So, verifying HRU security reduces to verifying
  safety properties.

28
HRU Model -security

• Theorems
• Given an access matrix M and a right r, verifying
  the safety of M with respect to the right r is an
  undecidable problem.
• Given a mono-operational authorization system,
  an access matrix M and a right r, verifying the
  safety of M with respect to the right r is
  decidable.
• Even if two operations per command are allowed we
  get
• undecidability.
• The safety problem for authorization systems is
  decidable if the number of subjects is bounded.
• Commands
  contain a single operation are mono-operational

29
The Chinese Wall Model

• This models a consultancy business where analysts
  
• have to make sure that no conflicts arise when
  dealing with
• different clients (companies).
• Informally, a conflict arises when clients are
  direct competitors
• in the same market, or because of the ownership
  of
• companies.

30
The Chinese Wall Model

• A set of subjects S
• A set of companies C
• A set of objects O
• the objects concerning the same company are
  called company datasets.
• the function gives the
  company dataset for each object.
• The function gives the
  conflict of interest classes for each object.

31
The Chinese Wall Model
Conflicts of interest may also arise from objects
that have been accessed in then past. Let Ns,o
true, if subject s has had access to object o
false, if subject s never had
access to object o
32
The Chinese Wall Model

• ss property
• That is, access is granted only if the object
  requested
• belongs to
• a company dataset already held by the subject
  (the analyst), or
• an entirely different conflict of interest class.

33
The Chinese Wall Model
- property That is, write access to an
object is only granted if no other object can be
read which is in a different company dataset and
contains unsanitised information.
34
The Biba Model

• This model addresses integrity by using a state
  machine
• model in a similar way to BLP.
• Unlike BLP there is no single high-level
  integrity policy.
• Instead, there is a variety of approaches.

35
The Biba Model

• The integrity policies guarantee that information
  only flows downwards.
• In particular, clean high level entities cannot
  be corrupted by dirty low level entities.

36
The Biba Model static integrity
Simple integrity property first try
Integrity - property These properties
prevent clean subjects and objects from being
contaminated by dirty information.
37
The Biba Model static integrity
Simple integrity property Integrity -
property
38
The Biba Model dynamic integrity
This uses an approach similar to the Chinese Wall
model, in which the integrity of a subject is
adjusted if the subject comes into contact with
low-level information.
39
The Biba Model dynamic integrity
Subject low watermark property Object low
watermark property
40
The Clark - Wilson Model

• This model addresses the security requirements of
  commercial applications.
• The requirements of this model are to secure data
  integrity.
• Integrity requirements are divided into,
• internal consistency properties of the internal
  state that can be enforced by the computer
  system.
• external consistency the relation of the
  internal state to the real world enforced by
  means outside the system, e.g. auditing.

41
The CW Model

• Integrity is enforced by,
• well formed transactions data items can be
• manipulated only by a specific set of
  programs
• users have access to programs rather than
  data
• items.
• separation of duties users have to collaborate
  to manipulate data and collude to penetrate the
• system.

42
The CW Model

• In the Clark-Wilson model,
• Subjects must be identified and authenticated,
• Objects can be manipulated only by a restricted
  set of programs,
• Subjects can execute only a restricted set of
  programs,
• A proper audit log has to be maintained,
• The system must be certified to work properly.

43
The CW Model

• In the Clark-Wilson model,
• Data items governed by the security policy are
  called Constrained Data Items (CDIs),
• Inputs captured as Unconstrained Data Items
  (UDIs),
• Conversion of UDIs to CDIs is a critical part of
  the system which cannot be controlled solely by
  the security mechanisms in the system,
• CDIs can be manipulated by Transformation
  Procedures (TPs)
• The integrity of a state is checked by Integrity
  Verification Procedure (IVPs)

44
The CW Model

• Security procedures are defined by 5
  certification rules
• Integrity Verification Procedures must ensure
  that all Constrained Data Items are in a valid
  state when the IVP is run.
• Transformation Procedures must be certified to be
  valid, i.e. CDIs must always be transformed into
  CDIs.
• The access rules must certify any separation of
  duties requirements.
• 4. All TPs must write to an append-only log.
• 5. Any TP that takes a UDI as input must
  either convert it into a CDI or reject it.

45
The CW Model

• Security procedures are enforced by the 4 rules
• The system must maintain and protect the list of
  entries (TPiCDIa,CDIb, )
• giving the CDIs that the TP is certified
  to access.
• The system must maintain and protect the list of
  entries (UserID,TPiCDIa,CDIb, )
• specifying the TPs that users can
  execute.
• The system must authenticate each user requesting
  to execute a TP.
• Only a subject that may certify an access rule
  for a TP may modify the respective entry in the
  list.
• This subject must not have execute rights
  on that TP.

46
Information - Flow Models

• In the BLP model information can flow from a low
  security level to a high security level through
  access operations without any loss of
  confidential information.
• Informally, a state transition from one object x
  to another object y causes
• information flow
• if
• we learn more about x by observing y.

47
Information - Flow Models

• If you already know x then no information can
  flow
• from x. Otherwise we have
• Explicit information flow
• -- Observing y after the assignment yx tells
  you the value of x.
• Implicit information flow
• -- Observing y after the conditional statement
• If x0 then y1
• may tell you something about x even if y is not
  1,
• e.g. if y 2. Then we deduce that x is not 0.

48
Information - Flow Models

• A precise quantitative definition for information
  
• flow can be given in terms of Information Theory.
• The information flow from x to y is measured by
• the equivocation (conditional entropy)
• H (x y) of x, given y.

49
Information - Flow Models

• The components of the information flow model are
• A lattice
• A set of labeled objects

50
Information - Flow Models

• An IF system is secure if there is no illegal
• information flow.
• Advantages it covers all kinds of information
  flow.
• Disadvantages far more difficult to design such
  systems.
• E.g. checking whether a given system in the IF
  
• model is secure is an undecidable problem.

51
Information - Flow Models

• One must also distinguish between
• static enforcement and
• dynamic enforcement
• of the information flow policies.

52
Information - Flow Models

• An alternative to information flow models are
• non-interference models.
• These provide a different formalism to describe
  the
• knowledge of subjects regarding the state of the
  system.