Computer Security Security Policies - PowerPoint PPT Presentation

Provided by: MikeBur3

1
Computer Security Security Policies
2
Security Policies
  • We view a computer system as a finite-state
    machine.
  • Definition
  • A security policy is a statement that partitions
    the states of a system into a set of authorized
    or secure states and a set of unauthorized or
    nonsecure states.
  • A secure system is a system that starts in an
    authorized state and cannot enter an unauthorized
    state.

3
Example
[Figure: state-transition diagram with states s1, s2,
s3, s4 and transitions t1, t2, t3, t4, t5]
An insecure system. Authorized states are s1 and s2;
unauthorized states are s3 and s4.
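
The finite-state view on slides 2 and 3 can be checked mechanically: a system is secure iff its initial state is authorized and no unauthorized state is reachable. The following is an added example, not code from the slides or the textbook; the transition layout for s1..s4 and t1..t5 is constructed, since the diagram itself is not recoverable from the transcript, and `enforce` is an assumed enforcement step that simply drops transitions leaving the authorized set.

```python
# Added example (not from the slides): a system as a finite-state machine
# and a security policy partitioning its states into authorized and
# unauthorized ones. Transition layout is constructed (diagram not recoverable).
from collections import deque

def reachable(initial, transitions):
    """Return the set of states reachable from `initial`.

    `transitions` maps a transition name to a (source, target) pair."""
    seen = {initial}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        for _name, (src, dst) in transitions.items():
            if src == state and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def is_secure(initial, authorized, transitions):
    """Secure iff the system starts authorized and can never enter an
    unauthorized state (definition on slide 2)."""
    if initial not in authorized:
        return False
    return reachable(initial, transitions) <= authorized

def breaches(initial, authorized, transitions):
    """Transitions that, fired from a reachable authorized state, enter
    an unauthorized state (a breach of security)."""
    reach = reachable(initial, transitions)
    return sorted(name for name, (src, dst) in transitions.items()
                  if src in reach and src in authorized and dst not in authorized)

def enforce(transitions, authorized):
    """Assumed mechanism: refuse every transition that would leave the
    authorized set, so that the restricted system stays secure."""
    return {n: (s, d) for n, (s, d) in transitions.items()
            if not (s in authorized and d not in authorized)}

# Constructed instance mirroring the slide's labels
AUTHORIZED = {"s1", "s2"}
TRANSITIONS = {
    "t1": ("s1", "s2"),
    "t2": ("s2", "s3"),   # leaves the authorized set: a breach
    "t3": ("s3", "s4"),
    "t4": ("s4", "s2"),
    "t5": ("s2", "s1"),
}

if __name__ == "__main__":
    print(is_secure("s1", AUTHORIZED, TRANSITIONS))                        # False
    print(breaches("s1", AUTHORIZED, TRANSITIONS))                         # ['t2']
    print(is_secure("s1", AUTHORIZED, enforce(TRANSITIONS, AUTHORIZED)))   # True
```

The reachability check is the whole point: the policy is a partition of states, and a system is judged by the states it can actually reach from its start, not by the states it happens to be in now.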
4
Security Policies
  • Definition
  • A breach of security occurs when a system enters
    an unauthorized state.
  • Let X be a set of entities and I be some
    information.
  • I has the property of confidentiality with respect
    to X if no member of X can obtain information
    about I.
  • I has the property of integrity with respect to X
    if all members of X trust I.
  • Let I be a resource. I has the property of
    availability with respect to X if all members of
    X can access I.
  • A security mechanism is an entity or procedure
    that enforces some part of a security policy.

5
Types of Policies
  • Definition
  • Military security policies or governmental
    security policies.
  • Commercial security policies
  • Confidentiality policies
  • Integrity policies
  • Transaction policies
  • Discuss issues regarding trust.

6
The role of trust
  • The role of trust is fundamental in understanding
    the nature of computer security.
  • Examples: see textbook.

7
Types of Access Control
  • Discretionary Access Control (DAC), or
    identity-based access control.
  • Mandatory Access Control (MAC), or rule-based
    access control.
  • Originator access control (ORCON or ORGON) bases
    access on the creator of an object.

8
Discretionary Access Control (DAC)
  • Access control is left to the discretion of the
    owner.
  • Based on the identity of the subject.
  • Example: see textbook.

9
Mandatory Access Control (MAC)
  • The operating system enforces mandatory access
    controls.
  • Neither the subject nor even the owner can
    determine access control.
  • Example: see textbook.

10
ORiginator access CONtrol (ORCON or ORGON)
  • The originator of the file (or its information)
    has control over the dissemination of its
    information.
  • Example: see textbook.
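
Slides 7 to 10 distinguish the three styles by who decides: the owner (DAC), the system's rule over labels (MAC), or the originator of the information (ORCON). The following added example, which is not from the slides or the textbook, models each decision in a few lines; the subjects, objects, the label lattice and the "no read up, no write down" rule used for MAC are all constructed assumptions.

```python
# Added example (not from the slides): toy models of DAC, MAC and ORCON
# access decisions. Subjects, objects, labels and the MAC rule are constructed.
from dataclasses import dataclass, field

# --- DAC: the owner decides, keyed by the identity of the subject ---
@dataclass
class DACObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of rights

    def grant(self, granter, subject, right):
        # Only the owner may change the ACL: access is at the owner's discretion.
        if granter != self.owner:
            raise PermissionError(f"{granter} is not the owner")
        self.acl.setdefault(subject, set()).add(right)

    def allows(self, subject, right):
        return subject == self.owner or right in self.acl.get(subject, set())

# --- MAC: the system enforces a rule over labels; neither the subject
#     nor the owner can change the outcome ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

def mac_allows(subject_level, object_level, right):
    """Rule-based check; the rule assumed here is 'no read up, no write down'."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False

# --- ORCON: the originator controls dissemination; a recipient cannot
#     pass the information on without the originator's consent ---
@dataclass
class ORCONObject:
    originator: str
    released_to: set = field(default_factory=set)

    def release(self, actor, recipient):
        if actor != self.originator:
            raise PermissionError("only the originator may release")
        self.released_to.add(recipient)

    def forward(self, holder, recipient):
        # Even a legitimate holder may not re-disseminate on its own authority.
        raise PermissionError(f"{holder} may not forward to {recipient}")

    def allows(self, subject):
        return subject == self.originator or subject in self.released_to

def run_checks():
    """Exercise each model and return the decisions as a dict."""
    out = {}
    memo = DACObject(owner="alice")
    memo.grant("alice", "bob", "read")
    out["dac_bob_read"] = memo.allows("bob", "read")
    out["dac_bob_write"] = memo.allows("bob", "write")
    try:
        memo.grant("bob", "carol", "read")      # bob is not the owner
        out["dac_bob_grants"] = True
    except PermissionError:
        out["dac_bob_grants"] = False

    out["mac_secret_reads_conf"] = mac_allows("secret", "confidential", "read")
    out["mac_conf_reads_secret"] = mac_allows("confidential", "secret", "read")
    out["mac_conf_writes_secret"] = mac_allows("confidential", "secret", "write")
    out["mac_secret_writes_conf"] = mac_allows("secret", "confidential", "write")

    report = ORCONObject(originator="agency")
    report.release("agency", "bob")
    out["orcon_bob_access"] = report.allows("bob")
    try:
        report.forward("bob", "carol")
        out["orcon_bob_forwards"] = True
    except PermissionError:
        out["orcon_bob_forwards"] = False
    out["orcon_carol_access"] = report.allows("carol")
    return out

if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The contrast to notice is in who can change a decision: under DAC the owner can grant anything, under MAC no subject can alter the label rule, and under ORCON even a legitimate holder cannot widen dissemination.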

11
Policy languages
  • High level policy languages independent of the
    mechanisms used.
  • Low level policy languages

12
High level policy languages
  • Express policy constraints on entities using
    abstraction and are independent of the security
    mechanisms.
  • This requires:
  • An unambiguous expression of policy
  • A mathematical or programming formulation
  • Details: see textbook.

13
Low level policy languages
  • A set of inputs or arguments to commands that set
    or check constraints on a system.
  • For examples, see textbook.

14
Security and Precision
  • Earlier, security and precision were defined in
    terms of the states of the system. We said that
    security policies were enforced by security
    mechanisms and that such mechanisms were either
    secure, precise or broad.
  • Let P be the set of all states, Q the set of
    secure states, and suppose that the mechanism
    restricts the system to the set of states R.
  • A security mechanism was secure if R ⊆ Q,
    precise if R = Q, and broad if there are states
    r such that r ∈ R and r ∉ Q.

15
Security and Precision
  • We now consider the possibility of devising a
    generic procedure for developing a mechanism that
    is secure and precise.
  • For this, we will use programs, which will be
    viewed as abstract functions that encode the
    information that needs to be controlled.

16
Security and Precision
  • Definition
  • A program p is a function p: I1 × ... × In → R.
  • p has n inputs ij ∈ Ij and one output r ∈ R.
  • We say that p encodes all available information
    about i1,...,in (observability postulate).
  • Example
  • Suppose p does not alter information but merely
    provides a view of its inputs. A confidentiality
    policy seeks to control what views are available.

17
Security and Precision
  • Definitions
  • Let p: I1 × ... × In → R.
  • A protection mechanism m is a function
    m: I1 × ... × In → R ∪ E (E is a set of error
    messages) for which, when
    (i1,...,in) ∈ I1 × ... × In, either
  • a. m(i1,...,in) = p(i1,...,in), or
  • b. m(i1,...,in) ∈ E.
  • That is, every legal input to m produces either
    the same value as p or an error message.
  • The set of output values of p that are excluded
    by m are those outputs that would impart
    confidential information.

18
Security and Precision
  • Definitions
  • A confidentiality policy for the program
    p: I1 × ... × In → R is a function
    c: I1 × ... × In → A, where A is a subset of
    I1 × ... × In.
  • Here the set A corresponds to those inputs that
    may be revealed.
  • The complement of A corresponds to the
    confidential inputs.

19
Security and Precision
  • Definitions
  • Let c be a confidentiality policy for a program p.
  • Let m: I1 × ... × In → R ∪ E be a security
    mechanism for p.
  • The mechanism m is secure iff there is a
    function m′: I1 × ... × In → R ∪ E such that for
    all (i1,...,in) ∈ I1 × ... × In,
    m(i1,...,in) = m′(c(i1,...,in)).
  • That is, given any set of inputs, the protection
    mechanism m returns values consistent with the
    stated policy c (here "secure" means
    "confidential").

20
Security and Precision
  • Definitions
  • Let m1, m2 be protection mechanisms for program p
    under policy c.
  • m1 is as precise as m2 if for all inputs
    (i1,...,in),
    m2(i1,...,in) = p(i1,...,in) →
    m1(i1,...,in) = p(i1,...,in).
  • m1 is more precise than m2 if there is an input
    (i1',...,in') such that
    m2(i1',...,in') ≠ p(i1',...,in') and
    m1(i1',...,in') = p(i1',...,in').

21
Security and Precision
  • Theorems
  • For any program p there exists a precise secure
    mechanism m* such that for all secure mechanisms
    m associated with p and c, m* is as precise as m.
  • There is no effective procedure that determines a
    (maximally) precise secure mechanism for any
    policy and program.
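
The definitions on slides 16 to 20 and the theorems on slide 21 can be made concrete over a small finite domain, where every quantifier is just a loop. The following is an added example, not code from the slides or the textbook: the domains I1 and I2, the program p, the policy c and the sample mechanisms are constructed. `is_secure` checks the secure definition in its equivalent form (m must take one value on every set of inputs that c maps to the same element of A), and `maximally_precise` builds the m* of the first theorem by brute force, which is only possible because the domain is finite and enumerable; the second theorem says no effective procedure does this for programs in general.

```python
# Added example (not from the slides): a program p, a confidentiality
# policy c and protection mechanisms m over a small finite input domain,
# with checks for "mechanism", "secure", "as precise as" and "more precise
# than". The domains, p, c and the sample mechanisms are constructed.
from itertools import product

ERROR = "E"                      # the error-message set E, here one value
I1 = [0, 1, 2, 3]                # input domain I1 (constructed)
I2 = [0, 1]                      # input domain I2 (constructed)
INPUTS = list(product(I1, I2))   # I1 x I2

def p(i1, i2):
    """The program. For even i1 the output depends only on i1;
    for odd i1 it also depends on i2."""
    return i1 // 2 if i1 % 2 == 0 else i1 // 2 + i2

def c(i1, i2):
    """Confidentiality policy: i1 may be revealed, i2 is confidential.
    c maps an input to its revealable part, an element of A."""
    return (i1,)

def is_mechanism(m):
    """Every legal input yields either p's value or an error."""
    return all(m(*i) == p(*i) or m(*i) == ERROR for i in INPUTS)

def is_secure(m):
    """m is secure iff m(i) = m'(c(i)) for some m', i.e. m takes the same
    value on every pair of inputs that c maps to the same A-element."""
    by_class = {}
    for i in INPUTS:
        key = c(*i)
        if key in by_class and by_class[key] != m(*i):
            return False
        by_class.setdefault(key, m(*i))
    return True

def as_precise_as(m1, m2):
    """Wherever m2 agrees with p, m1 does too."""
    return all(m1(*i) == p(*i) for i in INPUTS if m2(*i) == p(*i))

def more_precise_than(m1, m2):
    """Some input on which m1 agrees with p but m2 does not."""
    return any(m1(*i) == p(*i) and m2(*i) != p(*i) for i in INPUTS)

def maximally_precise(program, policy, inputs):
    """Build m*: answer program(i) when the program is constant on the
    policy class of i, otherwise return an error. Brute force over the
    finite domain; no effective procedure does this for arbitrary programs."""
    values = {}
    for i in inputs:
        values.setdefault(policy(*i), set()).add(program(*i))
    def m_star(*i):
        v = values[policy(*i)]
        return next(iter(v)) if len(v) == 1 else ERROR
    return m_star

def m_leaky(i1, i2):
    return p(i1, i2)                          # precise, but reveals i2 for odd i1

def m_refuse(i1, i2):
    return ERROR                              # secure, but never useful

def m_partial(i1, i2):
    return p(i1, i2) if i1 == 0 else ERROR    # secure, less precise than m*

M_STAR = maximally_precise(p, c, INPUTS)

if __name__ == "__main__":
    for name, m in [("m_leaky", m_leaky), ("m_refuse", m_refuse),
                    ("m_partial", m_partial), ("m*", M_STAR)]:
        print(f"{name}: mechanism={is_mechanism(m)} secure={is_secure(m)} "
              f"as precise as m*={as_precise_as(m, M_STAR)}")
```

Running it shows the trade-off the slides describe: m_leaky is as precise as anything but insecure, m_refuse is secure but answers nothing, and m* is secure while being as precise as every other secure mechanism here.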