Lecture 10: Security models and policy - PowerPoint PPT Presentation

Slides: 31
Provided by: martin159

1
Lecture 10: Security models and policy
  • In this lecture we will cover
  • Introduction to lattice based models
  • Bell-La Padula model/policy
  • Biba model/policy
  • Harrison-Ruzzo-Ullman (HRU) model/policy

2
Lattice based models
  • an important group of models are based on the
    concept of a lattice
  • lattices are defined by a partial ordering of
    items from some set e.g. {1, 2, 3, 4, 5, 6, 10,
    12, 15, 20, 30, 60}
  • an example of a partial ordering is the relation
    of X being a factor of Y, i.e. Y is divisible by X
    giving an integer result, or K*X = Y where K is
    an integer e.g. 4 is a factor of 60 (15*4 = 60),
    and so is 2 (30*2 = 60), and so are many others
  • when discussing partial orders the relation
    operation is normally represented by ≤ even if
    less than or equals is not the operation that is
    being used

3
  • a partial ordering is an ordering of elements in
    a set defined by a relation between the items of
    the set that is
  • 1. antisymmetric - if a ≤ b and b ≤ a, then a = b
    e.g. if a is a factor of b and b is a factor of
    a then a = b (12 is a factor of 12 and 12 = 12)
  • 2. transitive - if a ≤ b and b ≤ c, then a ≤ c
    e.g. if a is a factor of b and b is a factor of c
    then a is a factor of c (2 is a factor of 6 and 6
    is a factor of 12, so 2 is a factor of 12)
  • 3. reflexive - a ≤ a e.g. a is a factor of itself
    (20 is a factor of 20)

4
  • in a total ordering, for each pair of elements in
    the set either a ≤ b or b ≤ a, but in a partial
    ordering there may be some pairs of elements for
    which neither a ≤ b nor b ≤ a e.g. 4 is a factor of
    60 and 5 is a factor of 60, but 4 is not a factor
    of 5 nor 5 of 4
  • a lattice is a set of elements that have been
    ordered by a partial ordering, but ALSO in
    addition
  • for every pair of elements in the set there is a
    greatest lower bound (glb) and a least upper
    bound (lub)

5
  • every element x for which a ≤ x and b ≤ x is
    said to be an upper bound of a and b e.g.
    for 4 and 20, 60 is an upper bound (4 is a factor
    of 60 and 20 is a factor of 60)
  • every element x for which x ≤ a and x ≤ b is
    said to be a lower bound of a and b e.g. for 4
    and 20, 2 is a lower bound (2 is a factor of 4
    and 2 is a factor of 20)

6
  • a greatest lower bound for a and b is an element
    x for which x ≤ a and x ≤ b, but where all
    other lower bounds are ≤ x e.g. for 4 and 20, 4
    is the greatest lower bound (1, 2 and 4 (4 ≤ 4)
    are lower bounds, and 1 ≤ 4 and 2 ≤ 4)
  • a least upper bound for a and b is an element x for
    which a ≤ x and b ≤ x, but which is ≤ all
    other elements that are upper bounds e.g. for 4
    and 20, 20 is the least upper bound (20, 40, 60
    are upper bounds, and 20 ≤ 40 and 20 ≤ 60)

7
  • lattices are often depicted using a graph like
    the one on the next slide, which shows the lattice
    based on the partial ordering "is a factor of" over
    the set of numbers {1, 2, 3, 4, 5, 6, 10, 12, 15,
    20, 30, 60}
  • NOTE - a line going from an element A to element
    B where A ≤ B indicates that A is the Greatest
    Lower Bound of the pair A,B and B is the Least
    Upper Bound of the pair A,B
  • AND
  • no other number C exists such that A ≤ C and C ≤ B
    i.e. the graph effectively shows nearest
    neighbours in the partial order

8
(No transcript - this slide is the lattice diagram referred to above)
9
  • characteristics of a lattice are that
  • 1. every element either has an element above it
    or is the top of the lattice, and either has an
    element below it or is the bottom of the lattice
  • 2. a lattice has only one element that is at the
    top and one element that is at the bottom
  • lattices can be used to represent authority
    relationships
  • compartments and security levels can be modelled
    as a lattice with the notion of dominance being
    the partial ordering relation

10
  • for example a system with 2 security levels -
    public and private - and 2 compartments -
    Personnel and Engineering
  • the set of possible security classes, i.e. the set
    of possible combinations of security level and
    compartment list, is
  • (public, <>)
  • (public, <Engineering>)
  • (public, <Personnel>)
  • (public, <Engineering, Personnel>)
  • (private, <>)
  • (private, <Engineering>)
  • (private, <Personnel>)
  • (private, <Engineering, Personnel>)

11
  • remember A is dominated by B means an item with
    classification A can be accessed by a subject with
    clearance B, represented by A ≤ B
  • the dominance relations that hold between the
    classes are given below
  • i) (public, <Personnel>) ≤ (private,
    <Personnel>) i.e. private clearance permits
    access to public and private in the same
    compartment
  • ii) (public, <Personnel>) ≤ (public,
    <Engineering, Personnel>) i.e. a clearance with
    a given list of compartments allows access to any
    single compartment in the list at the same or
    lower security level
  • iii) (public, <Personnel>) NOT ≤ (private,
    <Engineering>) i.e. a clearance for a given list
    of compartments does not allow access to
    compartments not in the list whatever the
    security level

12
Example lattice representation
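The two lattices from slides 2 to 12 worked through in Python; this is an added example, not part of the lecture. `Lattice` finds glb and lub by search over a finite set, `covers()` computes the nearest-neighbour edges that the lattice diagram draws, and the level names, compartment names and the `dominates` helper are assumptions taken from the wording of slides 10 and 11.

```python
from itertools import product
class Lattice:
    """A finite set with a partial order `leq` (reflexive, antisymmetric, transitive)."""
    def __init__(self, elements, leq):
        self.elements, self.leq = list(elements), leq

    def upper_bounds(self, a, b):
        return [x for x in self.elements if self.leq(a, x) and self.leq(b, x)]

    def lower_bounds(self, a, b):
        return [x for x in self.elements if self.leq(x, a) and self.leq(x, b)]

    def lub(self, a, b):   # least upper bound: the upper bound below every other one
        ubs = self.upper_bounds(a, b)
        return next((x for x in ubs if all(self.leq(x, y) for y in ubs)), None)

    def glb(self, a, b):   # greatest lower bound: the lower bound above every other one
        lbs = self.lower_bounds(a, b)
        return next((x for x in lbs if all(self.leq(y, x) for y in lbs)), None)

    def top(self):         # the single element that everything is <= (None if absent)
        return next((x for x in self.elements if all(self.leq(y, x) for y in self.elements)), None)

    def bottom(self):      # the single element that is <= everything (None if absent)
        return next((x for x in self.elements if all(self.leq(x, y) for y in self.elements)), None)

    def covers(self):
        """Edges of the lattice diagram: a <= b, a != b, with no c strictly between."""
        edges = []
        for a in self.elements:
            for b in self.elements:
                if a != b and self.leq(a, b) and not any(
                        c not in (a, b) and self.leq(a, c) and self.leq(c, b)
                        for c in self.elements):
                    edges.append((a, b))
        return edges

# Lattice 1: the lecture's set of factors of 60 under "X is a factor of Y".
DIVISORS = Lattice([1, 2, 3, 4, 5, 6, 10, 12, 15, 20, 30, 60], lambda x, y: y % x == 0)

# Lattice 2: security classes (level, compartments) ordered by dominance (slides 10-11).
LEVELS = {"public": 0, "private": 1}
COMPARTMENTS = ("Engineering", "Personnel")
def dominates(high, low):
    """`high` dominates `low`: at least as high a level and a superset of compartments."""
    return LEVELS[high[0]] >= LEVELS[low[0]] and high[1] >= low[1]

SUBSETS = [frozenset(c for c, keep in zip(COMPARTMENTS, bits) if keep)
           for bits in product((0, 1), repeat=len(COMPARTMENTS))]
CLASSES = Lattice([(lvl, s) for lvl in LEVELS for s in SUBSETS], lambda a, b: dominates(b, a))
```

With `DIVISORS`, `glb(4, 20)` is 4 and `lub(4, 5)` is 20, matching slides 5 and 6; with `CLASSES`, `leq((public, <Personnel>), (private, <Engineering>))` is False, which is relation iii) on slide 11.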
13
Bell-La Padula model/policy (BLP)
  • this model/policy emphasises the protection of
    confidentiality
  • it models the allowable information flow in a
    system
  • used to define security requirements for systems
    handling information of differing sensitivity
    levels

14
  • Model
  • 1. a set of access rights - organised as an ACM
  • 2. set of subjects - each of whom has a security
    class (clearance level)
  • 3. set of objects - again each has a security
    class (classification level)
  • 4. there is a partial ordering over the security
    classes i.e. there is a hierarchical relationship
    between the security classes, with a single top
    level that has the highest clearance and where
    information is most sensitive, and with a single
    bottom level (e.g. publicly published
    information) that has the lowest clearance (anybody
    can have it) and sensitivity level

15
  • in other words, the characteristics of a lattice
    structure
  • Policy - this is represented by 2 properties that
    must be enforced if the system is to be secure
  • Warning - the way these are normally presented in
    the literature can be quite confusing because it
    uses the word read for receiving information and
    write for sending information

16
  • simple security property - subject S can read O
    only if the security class of O is ≤ the security
    class of S; translation: S can receive information
    from O only if the security class of S is greater
    than or equal to that of O
  • sounds reasonable - this is also known as a no
    read-up policy - meaning no entity can read
    (receive information classed at) a higher
    security level

17
  • *-property - subject S can write (send/pass on
    information) to object P only if the other objects
    O that S can read (receive information from) have
    a lower or at most equal security class to object
    P; translation: S can send information to P only
    if S cannot receive information from entities with
    a higher security level than P
  • S cannot send information to entities that have a
    lower security level than the maximum level at
    which S can receive information - also known as a
    no write-down policy - meaning no entity can
    write (send information classed at any level) to
    a lower security level

18
  • quite unreasonable in realistic settings - it
    essentially means that entities at a higher
    security level cannot pass on information at all,
    even information classified at a lower security
    level e.g. the boffins working on the top secret
    project cannot talk to the catering staff even if
    it is to order their food
  • it means that there is no channel by which
    information can flow from higher levels to lower
    - thus secure but impractical - you must be able
    to pass on lower classified information to
    subordinates - how else can anything get done -
    orders passed on etc. - it may be secure but???

19
  • there are 2 methods to escape from the *-property
  • 1. temporarily downgrade a high-level subject
  • 2. identify a set of subjects who are allowed to
    violate the *-property - these would be trusted
    subjects
  • if all subjects were at the same security level
    and all objects were at the same security level
    and total access permissions were granted on each
    object for each subject - everyone could access
    and modify anything - this would appear to be a
    system that lacks security

20
  • but one criticism of the BLP policy is that the
    above is consistent with both the simple security
    property and the more draconian *-property
  • thus how can such a policy claim to define a
    secure system?
  • the response to that criticism is that if the
    needs of the system are such that everyone should
    have complete access to everything, then the
    security policy should permit that, strange
    though that might seem i.e. it is not insecure if
    the owners of the system want it that way

21
  • it is also an issue that users and objects, once
    they acquire a security level, cannot have that
    security level changed without violating the
    policy - the requirement that security levels and
    access rights never change is known as
    tranquillity
  • BLP played an important role in the development
    of security in early operating systems that led
    to the development of ACLs, etc.
  • however, it only focuses on confidentiality -
    information flows - and ignores integrity issues
    and denial of service

22
Biba model/policy
  • the Biba model/policy attempts to address the
    needs of integrity rather than confidentiality
  • the model is structured in the same way as BLP,
    with subjects, objects and an ACM; the security
    levels are named integrity levels
  • it is effectively a complement to BLP
  • the policy also mirrors the confidentiality
    properties of the BLP policy
  • to confuse matters Biba uses read and write, but
    differently from BLP - it uses them in the more
    traditional sense

23
  • the policy is based on properties like BLP
  • simple integrity property - subject S can write
    to (modify) O only if the integrity (security)
    level of S is ≥ the integrity (security) level of
    O; translation - S cannot modify O if O is at a
    higher security level than S
  • also known as no write up

24
  • integrity *-property - subject S can write to
    (modify) P only if the other objects S can read
    are at the same or a higher integrity level than
    P; translation - S cannot modify an object unless
    S can read objects at that security level or
    higher
  • there is no standard "also known as" for this
    property, but we can call it no write unless you
    can read
  • the Biba policy is trying to protect a system
    against untrustworthy sources of information and
    modification
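The BLP rules of slides 16 and 17 and the Biba rules of slides 23 and 24 as decision functions; this is an added Python example, not part of the lecture. The security classes and dominance order are those of slides 10 and 11, while the object names, the sample clearance and the two integrity level names are constructed for the example, and the integrity *-property is written as the slide phrases it, over the levels the subject has read.

```python
LEVELS = {"public": 0, "private": 1}          # confidentiality levels, low to high
INTEGRITY = {"untrusted": 0, "trusted": 1}    # integrity levels, low to high (constructed)

def dominates(high, low):
    """Security class (level, compartments) `high` dominates `low` (low <= high)."""
    return LEVELS[high[0]] >= LEVELS[low[0]] and high[1] >= low[1]

# Bell-La Padula (confidentiality)
def blp_can_read(clearance, obj_class):
    """Simple security property (no read up): S reads O only if class(O) <= class(S)."""
    return dominates(clearance, obj_class)

def blp_can_write(clearance, objects, target):
    """*-property (no write down): S writes to P only if every object S can read
    is <= class(P). `objects` maps object name -> security class."""
    readable = [c for c in objects.values() if blp_can_read(clearance, c)]
    return all(dominates(objects[target], c) for c in readable)

# Biba (integrity)
def biba_simple_integrity(subject_level, obj_level):
    """Simple integrity property (no write up): S modifies O only if I(S) >= I(O)."""
    return INTEGRITY[subject_level] >= INTEGRITY[obj_level]

def biba_star_integrity(read_levels, target_level):
    """Integrity *-property ("no write unless you can read"): everything S has
    read must be at the same or a higher integrity level than P."""
    return all(INTEGRITY[r] >= INTEGRITY[target_level] for r in read_levels)

def biba_can_write(subject_level, read_levels, target_level):
    return (biba_simple_integrity(subject_level, target_level)
            and biba_star_integrity(read_levels, target_level))

# Constructed sample: an engineer cleared for (private, <Engineering>) and four objects.
OBJECTS = {
    "notice":  ("public",  frozenset()),
    "design":  ("private", frozenset({"Engineering"})),
    "payroll": ("public",  frozenset({"Personnel"})),
    "merger":  ("private", frozenset({"Engineering", "Personnel"})),
}
ENGINEER = ("private", frozenset({"Engineering"}))

def blp_decisions():
    """(can_read, can_write) for the engineer on each object."""
    return {name: (blp_can_read(ENGINEER, cls), blp_can_write(ENGINEER, OBJECTS, name))
            for name, cls in OBJECTS.items()}
```

Note that the engineer may write to "merger" without being able to read it (a write up is allowed by the *-property) but may not write to the public "notice", which is exactly the impracticality slide 18 complains about.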

25
Procedure based models
  • a criticism of BLP and Biba is that they only
    model the static situation of a set of users,
    objects and access rights; they do not attempt to
    model the more dynamic situation where access
    rights may change and objects may be created and
    destroyed, etc.
  • they do not model the transformations in the
    security situation
  • the following model may be called procedural
    because it attempts to model the processes by
    which the security situation changes

26
Harrison-Ruzzo-Ullman (HRU)
  • the model has a set of subjects, objects, and
    access rights held in an Access Control Matrix
    (ACM) - note however that in the HRU ACM subjects
    are also treated as objects
  • but in addition there is a set of 6 primitive
    operations
  • create subject s
  • create object o
  • delete subject s
  • delete object o
  • enter right r into ACM for s and o
  • delete right r from ACM for s and o

27
  • from these primitives commands can be constructed
  • the structure of a command is
      command name(o1, ..., oi, ..., on)
        if r1 in ACM[s1, o1] and
           r2 in ACM[s2, o2] and
           ...
        then
          op1
          op2
          ...
      end

28
example command
  • s1 grants read access to s2 to file1
      command grant-read(s1, s2, file1)
        if owner in ACM[s1, file1]
        then enter read into ACM[s2, file1]
      end
  • in HRU a protection system is a collection of
    subjects, objects, rights and commands

29
  • this model can be used to model a number of real
    protection mechanisms
  • Use of HRU has produced 2 significant general
    results
  • 1. if the commands in a system are restricted to
    commands which guard (through their conditions)
    the execution of a single primitive operation,
    then it is possible to determine whether a given
    subject can ever obtain a particular right to an
    object - so we can determine whether some person
    who should not have access could actually get
    access to some object

30
  • 2. if the commands in a system are unrestricted,
    i.e. the conditions guard the execution of
    multiple primitive operations, it is not possible
    in every case to determine whether a given
    protection system can confer a given right on an
    individual - so we can never be sure whether the
    system is successful in providing the protection
    we need
  • however, it may be possible for some cases
    (quite a large number) to determine this, but we
    can never do so in general
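The HRU protection system of slides 26 to 30 as an added Python example (not from the lecture): the six primitives over an ACM, commands built from guard conditions plus primitive operations, and the grant-read command of slide 28 run on a constructed ACM. `is_mono_operational` flags the restricted form of command (one primitive per command) for which result 1 says the safety question is decidable; the subject and object names are constructed.

```python
from collections import defaultdict

class ProtectionSystem:
    """HRU protection system: an ACM of rights plus commands; subjects are also objects."""
    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.acm = defaultdict(set)   # (subject, object) -> set of rights
        self.commands = {}            # name -> (conditions, operations)

    # the six primitive operations
    def create_subject(self, s):
        self.subjects.add(s); self.objects.add(s)   # a subject gets a column too
    def create_object(self, o):
        self.objects.add(o)
    def delete_subject(self, s):
        self.subjects.discard(s); self.delete_object(s)
        for key in [k for k in self.acm if k[0] == s]: del self.acm[key]
    def delete_object(self, o):
        self.objects.discard(o)
        for key in [k for k in self.acm if k[1] == o]: del self.acm[key]
    def enter_right(self, r, s, o):
        if s in self.subjects and o in self.objects:
            self.acm[(s, o)].add(r)
    def delete_right(self, r, s, o):
        self.acm[(s, o)].discard(r)

    # a command: guard conditions on the ACM, then a sequence of primitive operations
    def define(self, name, conditions, operations):
        # conditions: [(right, subject_param, object_param)]; operations: callables (sys, params)
        self.commands[name] = (conditions, operations)

    def is_mono_operational(self, name):
        # one primitive per command: the restricted case where the safety question is decidable
        return len(self.commands[name][1]) == 1

    def run(self, name, **params):
        conditions, operations = self.commands[name]
        if not all(r in self.acm.get((params[s], params[o]), ()) for r, s, o in conditions):
            return False              # a guard failed: the ACM is left unchanged
        for op in operations: op(self, params)
        return True

def build_example():
    """The lecture's grant-read(s1, s2, file1) command over a constructed ACM."""
    ps = ProtectionSystem()
    ps.create_subject("alice"); ps.create_subject("bob"); ps.create_object("report")
    ps.enter_right("owner", "alice", "report")
    ps.define("grant-read", conditions=[("owner", "s1", "file1")],
              operations=[lambda sys, p: sys.enter_right("read", p["s2"], p["file1"])])
    return ps
```

Running `build_example().run("grant-read", s1="alice", s2="bob", file1="report")` adds read to ACM[bob, report]; the same command with bob as s1 fails its guard because bob is not the owner, so nothing changes.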