Chapter 6: Integrity Policies

1
Chapter 6 Integrity Policies

• Overview
• Requirements
• Bibas models
• Lipners model
• Clark-Wilson model

2
Overview

• Requirements
• Very different than confidentiality policies
• Bibas models
• Low-Water-Mark policy
• Ring policy
• Strict Integrity policy
• Lipners model
• Combines Bell-LaPadula, Biba
• Clark-Wilson model

3
Requirements of Policies

1. Users will not write their own programs, but will
   use existing production programs and databases.
2. Programmers will develop and test programs on a
   non-production system if they need access to
   actual data, they will be given production data
   via a special process, but will use it on their
   development system.
3. A special process must be followed to install a
   program from the development system onto the
   production system.
4. The special process in requirement 3 must be
   controlled and audited.
5. The managers and auditors must have access to
   both the system state and the system logs that
   are generated.

4
Biba Integrity Model

• Basis for all 3 models
• Set of subjects S, objects O, integrity levels I,
  relation ? I ? I holding when second dominates
  first
• min I ? I ? I returns lesser of integrity levels
• i S ? O ? I gives integrity level of entity
• r S ? O means s ? S can read o ? O
• w, x defined similarly

5
Intuition for Integrity Levels

• The higher the level, the more confidence
• That a program will execute correctly
• That data is accurate and/or reliable
• Note relationship between integrity and
  trustworthiness
• Important point integrity levels are not
  security levels

6
Information Transfer Path

• An information transfer path is a sequence of
  objects o1, ..., on1 and corresponding sequence
  of subjects s1, ..., sn such that si r oi and si
  w oi1 for all i, 1 i n.
• Idea information can flow from o1 to on1 along
  this path by successive reads and writes

7
Low-Water-Mark Policy

• Idea when s reads o, i(s) min(i(s), i (o)) s
  can only write objects at lower levels
• Rules
• s ? S can write to o ? O if and only if i(o)
  i(s).
• If s ? S reads o ? O, then i?(s) min(i(s),
  i(o)), where i?(s) is the subjects integrity
  level after the read.
• s1 ? S can execute s2 ? S if and only if i(s2)
  i(s1).

8
Information Flow and Model

• If there is information transfer path from o1 ? O
  to on1 ? O, enforcement of low-water-mark policy
  requires i(on1) i(o1) for all n gt 1.
• Idea of proof Assume information transfer path
  exists between o1 and on1. Assume that each read
  and write was performed in the order of the
  indices of the vertices. By induction, the
  integrity level for each subject is the minimum
  of the integrity levels for all objects preceding
  it in path, so i(sn) i(o1). As nth write
  succeeds, i(on1) i(sn). Hence i(on1) i(o1).

9
Problems

• Subjects integrity levels decrease as system
  runs
• Soon no subject will be able to access objects at
  high integrity levels
• Alternative change object levels rather than
  subject levels
• Soon all objects will be at the lowest integrity
  level
• Crux of problem is model prevents indirect
  modification
• Because subject levels lowered when subject reads
  from low-integrity object

10
Ring Policy

• Idea subject integrity levels static
• Rules
• s ? S can write to o ? O if and only if i(o)
  i(s).
• Any subject can read any object.
• s1 ? S can execute s2 ? S if and only if i(s2)
  i(s1).
• Eliminates indirect modification problem
• Same information flow result holds

11
Strict Integrity Policy

• Similar to Bell-LaPadula model
• s ? S can read o ? O iff i(s) i(o)
• s ? S can write to o ? O iff i(o) i(s)
• s1 ? S can execute s2 ? S iff i(s2) i(s1)
• Add compartments and discretionary controls to
  get full dual of Bell-LaPadula model
• Information flow result holds
• Different proof, though
• Term Biba Model refers to this

12
LOCUS and Biba

• Goal prevent untrusted software from altering
  data or other software
• Approach make levels of trust explicit
• credibility rating based on estimate of
  softwares trustworthiness (0 untrusted, n highly
  trusted)
• trusted file systems contain software with a
  single credibility level
• Process has risk level or highest credibility
  level at which process can execute
• Must use run-untrusted command to run software at
  lower credibility level

13
Integrity Matrix Model

• Lipner proposed this as first realistic
  commercial model
• Combines Bell-LaPadula, Biba models to obtain
  model conforming to requirements
• Do it in two steps
• Bell-LaPadula component first
• Add in Biba component

14
Bell-LaPadula Clearances

• 2 security clearances/classifications
• AM (Audit Manager) system audit, management
  functions
• SL (System Low) any process can read at this
  level

15
Bell-LaPadula Categories

• 5 categories
• D (Development) production programs in
  development but not yet in use
• PC (Production Code) production processes,
  programs
• PD (Production Data) data covered by integrity
  policy
• SD (System Development) system programs in
  development but not yet in use
• T (Software Tools) programs on production system
  not related to protected data

16
Users and Security Levels
Subjects Security Level
Ordinary users (SL, PC, PD )
Application developers (SL, D, T )
System programmers (SL, SD, T )
System managers and auditors (AM, D, OC, OD, SD, T )
System controllers (SL, D, PC, PD, SD, T) and downgrade privilege
17
Objects and Classifications
Objects Security Level
Development code/test data (SL, D, T )
Production code (SL, PC )
Production data (SL, PC, PD )
Software tools (SL, T )
System programs (SL, ? )
System programs in modification (SL, SD, T )
System and application logs (AM, appropriate )
18
Ideas

• Ordinary users can execute (read) production code
  but cannot alter it
• Ordinary users can alter and read production data
• System managers need access to all logs but
  cannot change levels of objects
• System controllers need to install code (hence
  downgrade capability)
• Logs are append only, so must dominate subjects
  writing them

19
Check Requirements

1. Users have no access to T, so cannot write their
   own programs
2. Applications programmers have no access to PD, so
   cannot access production data if needed, it must
   be put into D, requiring the system controller to
   intervene
3. Installing a program requires downgrade procedure
   (from D to PC), so only system controllers can do
   it

20
More Requirements

• 4. Control only system controllers can
  downgrade audit any such downgrading must be
  altered
• 5. System management and audit users are in AM
  and so have access to system styate and logs

21
Problem

• Too inflexible
• System managers cannot run programs for repairing
  inconsistent or erroneous production database
• System managers at AM, production data at SL
• So add more

22
Adding Biba

• 3 integrity classifications
• ISP(System Program) for system programs
• IO (Operational) production programs,
  development software
• ISL (System Low) users get this on log in
• 2 integrity categories
• ID (Development) development entities
• IP (Production) production entities

23
Simplify Bell-LaPadula

• Reduce security categories to 3
• SP (Production) production code, data
• SD (Development) same as D
• SSD (System Development) same as old SD

24
Users and Levels
Subjects Security Level Integrity Level
Ordinary users (SL, SP ) (ISL, IP )
Application developers (SL, SD ) (ISL, ID )
System programmers (SL, SSD ) (ISL, ID )
System managers and auditors (AM, SP, SD, SSD ) (ISL, IP, ID)
System controllers (SL, SP, SD ) and downgrade privilege (ISP, IP, ID)
Repair (SL, SP ) (ISL, IP )
25
Objects and Classifications
Objects Security Level Integrity Level
Development code/test data (SL, SD ) (ISL, IP )
Production code (SL, SP ) (IO, IP )
Production data (SL, SP ) (ISL, IP )
Software tools (SL, ? ) (IO, ID )
System programs (SL, ? ) (ISP, IP, ID )
System programs in modification (SL, SSD ) (ISL, ID )
System and application logs (AM, appropriate ) (ISL, ? )
Repair (SL, SP) (ISL, IP )
26
Ideas

• Security clearances of subjects same as without
  integrity levels
• Ordinary users need to modify production data, so
  ordinary users must have write access to
  integrity category IP
• Ordinary users must be able to write production
  data but not production code integrity classes
  allow this
• Note writing constraints removed from security
  classes

27
Clark-Wilson Integrity Model

• Integrity defined by a set of constraints
• Data in a consistent or valid state when it
  satisfies these
• Example Bank
• D todays deposits, W withdrawals, YB yesterdays
  balance, TB todays balance
• Integrity constraint D YB W
• Well-formed transaction move system from one
  consistent state to another
• Issue who examines, certifies transactions done
  correctly?

28
Entities

• CDIs constrained data items
• Data subject to integrity controls
• UDIs unconstrained data items
• Data not subject to integrity controls
• IVPs integrity verification procedures
• Procedures that test the CDIs conform to the
  integrity constraints
• TPs transaction procedures
• Procedures that take the system from one valid
  state to another

29
Certification Rules 1 and 2

• CR1 When any IVP is run, it must ensure all CDIs
  are in a valid state
• CR2 For some associated set of CDIs, a TP must
  transform those CDIs in a valid state into a
  (possibly different) valid state
• Defines relation certified that associates a set
  of CDIs with a particular TP
• Example TP balance, CDIs accounts, in bank
  example

30
Enforcement Rules 1 and 2

• ER1 The system must maintain the certified
  relations and must ensure that only TPs certified
  to run on a CDI manipulate that CDI.
• ER2 The system must associate a user with each TP
  and set of CDIs. The TP may access those CDIs on
  behalf of the associated user. The TP cannot
  access that CDI on behalf of a user not
  associated with that TP and CDI.
• System must maintain, enforce certified relation
• System must also restrict access based on user ID
  (allowed relation)

31
Users and Rules

• CR3 The allowed relations must meet the
  requirements imposed by the principle of
  separation of duty.
• ER3 The system must authenticate each user
  attempting to execute a TP
• Type of authentication undefined, and depends on
  the instantiation
• Authentication not required before use of the
  system, but is required before manipulation of
  CDIs (requires using TPs)

32
Logging

• CR4 All TPs must append enough information to
  reconstruct the operation to an append-only CDI.
• This CDI is the log
• Auditor needs to be able to determine what
  happened during reviews of transactions

33
Handling Untrusted Input

• CR5 Any TP that takes as input a UDI may perform
  only valid transformations, or no
  transformations, for all possible values of the
  UDI. The transformation either rejects the UDI or
  transforms it into a CDI.
• In bank, numbers entered at keyboard are UDIs, so
  cannot be input to TPs. TPs must validate numbers
  (to make them a CDI) before using them if
  validation fails, TP rejects UDI

34
Separation of Duty In Model

• ER4 Only the certifier of a TP may change the
  list of entities associated with that TP. No
  certifier of a TP, or of an entity associated
  with that TP, may ever have execute permission
  with respect to that entity.
• Enforces separation of duty with respect to
  certified and allowed relations

35
Comparison With Requirements

• Users cant certify TPs, so CR5 and ER4 enforce
  this
• Procedural, so model doesnt directly cover it
  but special process corresponds to using TP
• No technical controls can prevent programmer from
  developing program on production system usual
  control is to delete software tools
• TP does the installation, trusted personnel do
  certification

36
Comparison With Requirements

• 4. CR4 provides logging ER3 authenticates
  trusted personnel doing installation CR5, ER4
  control installation procedure
• New program UDI before certification, CDI (and
  TP) after
• Log is CDI, so appropriate TP can provide
  managers, auditors access
• Access to state handled similarly

37
Comparison to Biba

• Biba
• No notion of certification rules trusted
  subjects ensure actions obey rules
• Untrusted data examined before being made trusted
• Clark-Wilson
• Explicit requirements that actions must meet
• Trusted entity must certify method to upgrade
  untrusted data (and not certify the data itself)

38
UNIX Implementation

• Considered allowed relation
• (user, TP, CDI set )
• Each TP is owned by a different user
• These users are actually locked accounts, so no
  real users can log into them but this provides
  each TP a unique UID for controlling access
  rights
• TP is setuid to that user
• Each TPs group contains set of users authorized
  to execute TP
• Each TP is executable by group, not by world

39
CDI Arrangement

• CDIs owned by root or some other unique user
• Again, no logins to that users account allowed
• CDIs group contains users of TPs allowed to
  manipulate CDI
• Now each TP can manipulate CDIs for single user

40
Examples

• Access to CDI constrained by user
• In allowed triple, TP can be any TP
• Put CDIs in a group containing all users
  authorized to modify CDI
• Access to CDI constrained by TP
• In allowed triple, user can be any user
• CDIs allow access to the owner, the user owning
  the TP
• Make the TP world executable

41
Problems

• 2 different users cannot use same copy of TP to
  access 2 different CDIs
• Need 2 separate copies of TP (one for each user
  and CDI set)
• TPs are setuid programs
• As these change privileges, want to minimize
  their number
• root can assume identity of users owning TPs, and
  so cannot be separated from certifiers
• No way to overcome this without changing nature
  of root

42
Key Points

• Integrity policies deal with trust
• As trust is hard to quantify, these policies are
  hard to evaluate completely
• Look for assumptions and trusted users to find
  possible weak points in their implementation
• Biba, Lipner based on multilevel integrity
• Clark-Wilson focuses on separation of duty and
  transactions

43
Chapter 7 Hybrid Policies

• Overview
• Chinese Wall Model
• Clinical Information Systems Security Policy
• ORCON
• RBAC

44
Overview

• Chinese Wall Model
• Focuses on conflict of interest
• CISS Policy
• Combines integrity and confidentiality
• ORCON
• Combines mandatory, discretionary access controls
• RBAC
• Base controls on job function

45
Chinese Wall Model

• Problem
• Tony advises American Bank about investments
• He is asked to advise Toyland Bank about
  investments
• Conflict of interest to accept, because his
  advice for either bank would affect his advice to
  the other bank

46
Organization

• Organize entities into conflict of interest
  classes
• Control subject accesses to each class
• Control writing to all classes to ensure
  information is not passed along in violation of
  rules
• Allow sanitized data to be viewed by everyone

47
Definitions

• Objects items of information related to a
  company
• Company dataset (CD) contains objects related to
  a single company
• Written CD(O)
• Conflict of interest class (COI) contains
  datasets of companies in competition
• Written COI(O)
• Assume each object belongs to exactly one COI
  class

48
Example
49
Temporal Element

• If Anthony reads any CD in a COI, he can never
  read another CD in that COI
• Possible that information learned earlier may
  allow him to make decisions later
• Let PR(S) be set of objects that S has already
  read

50
CW-Simple Security Condition

• s can read o iff either condition holds
• There is an o? such that s has accessed o? and
  CD(o?) CD(o)
• Meaning s has read something in os dataset
• For all o? ? O, o? ? PR(s) ? COI(o?) ? COI(o)
• Meaning s has not read any objects in os
  conflict of interest class
• Ignores sanitized data (see below)
• Initially, PR(s) ?, so initial read request
  granted

51
Sanitization

• Public information may belong to a CD
• As is publicly available, no conflicts of
  interest arise
• So, should not affect ability of analysts to read
• Typically, all sensitive data removed from such
  information before it is released publicly
  (called sanitization)
• Add third condition to CW-Simple Security
  Condition
• 3. o is a sanitized object

52
Writing

• Anthony, Susan work in same trading house
• Anthony can read Bank 1s CD, Gas CD
• Susan can read Bank 2s CD, Gas CD
• If Anthony could write to Gas CD, Susan can read
  it
• Hence, indirectly, she can read information from
  Bank 1s CD, a clear conflict of interest

53
CW--Property

• s can write to o iff both of the following hold
• The CW-simple security condition permits s to
  read o and
• For all unsanitized objects o?, if s can read
  o?, then CD(o?) CD(o)
• Says that s can write to an object if all the
  (unsanitized) objects it can read are in the same
  dataset

54
Formalism

• Goal figure out how information flows around
  system
• S set of subjects, O set of objects, L C?D set
  of labels
• l1O?C maps objects to their COI classes
• l2O?D maps objects to their CDs
• H(s, o) true iff s has or had read access to o
• R(s, o) ss request to read o

55
Axioms

• Axiom 7-1. For all o, o? ? O, if l2(o)
  l2(o?), then l1(o) l1(o?)
• CDs do not span COIs.
• Axiom 7-2. s ? S can read o ? O iff, for all o?
  ? O such that H(s, o?), either l1(o?) ? l1(o)
  or l2(o?) l2(o)
• s can read o iff o is either in a different COI
  than every other o? that s has read, or in the
  same CD as o.

56
More Axioms

• Axiom 7-3. ?H(s, o) for all s ? S and o ? O is an
  initially secure state
• Description of the initial state, assumed secure
• Axiom 7-4. If for some s ? S and all o ? O, ?H(s,
  o), then any request R(s, o) is granted
• If s has read no object, it can read any object

57
Which Objects Can Be Read?

• Suppose s ? S has read o ? O. If s can read o? ?
  O, o? ? o, then l1(o? ) ? l1(o) or l2(o? )
  l2(o).
• Says s can read only the objects in a single CD
  within any COI

58
Lemma

• Suppose a subject s ? S can read an object o ?
  O. Then s can read no o? for which l1(o?)
  l1(o) and l2(o?) ? l2(o).
• So a subject can access at most one CD in each
  COI class
• Sketch of proof Initial case follows from Axioms
  7-3, 7-4. If o? ? o, theorem immediately gives
  lemma.

59
COIs and Subjects

• Theorem Let c ? C and d ? D. Suppose there are n
  objects oi ? O, 1 i  n, such that l1(oi) d
  for 1 i n, and l2(oi) ? l2(oj), for 1 i, j
  n, i ? j. Then for all such o, there is an s ?
  S that can read o iff n S.
• If a COI has n CDs, you need at least n subjects
  to access every object
• Proof sketch If s can read o, it cannot read any
  o? in another CD in that COI (Axiom 7-2). As
  there are n such CDs, there must be at least n
  subjects to meet the conditions of the theorem.

60
Sanitized Data

• v(o) sanitized version of object o
• For purposes of analysis, place them all in a
  special CD in a COI containing no other CDs
• Axiom 7-5. l1(o) l1(v(o)) iff l2(o) l2(v(o))

61
Which Objects Can Be Written?

• Axiom 7-6. s ? S can write to o ? O iff the
  following hold simultaneously
• H(s, o)
• There is no o? ? O with H(s, o?), l2(o) ? l2(o?),
  l2(o) ? l2(v(o)), l2(o?) l2(v(o)).
• Allow writing iff information cannot leak from
  one subject to another through a mailbox
• Note handling for sanitized objects

62
How Information Flows

• Definition information may flow from o to o? if
  there is a subject such that H(s, o) and H(s,
  o?).
• Intuition if s can read 2 objects, it can act on
  that knowledge so information flows between the
  objects through the nexus of the subject
• Write the above situation as (o, o?)

63
Key Result

• Set of all information flows is
• (o, o?) o ? O ? o? ? O ? l2(o) l2(o?) ?
  l2(o) l2(v(o))
• Sketch of proof Definition gives set of flows
• F (o, o?) o ? O ? o? ? O ? ? s ? S such that
  H(s, o) ? H(s, o?))
• Axiom 7-6 excludes the following flows
• X (o, o?) o ? O ? o? ? O ? l2(o) ? l2(o?) ?
  l2(o) ? l2(v(o))
• So, letting F be transitive closure of F,
• F X (o, o?) o ? O ? o? ? O ? ?(l2(o) ?
  l2(o?) ? l2(o) ? l2(v(o)))
• which is equivalent to the claim.

64
Compare to Bell-LaPadula

• Fundamentally different
• CW has no security labels, B-LP does
• CW has notion of past accesses, B-LP does not
• Bell-LaPadula can capture state at any time
• Each (COI, CD) pair gets security category
• Two clearances, S (sanitized) and U (unsanitized)
• S dom U
• Subjects assigned clearance for compartments
  without multiple categories corresponding to CDs
  in same COI class

65
Compare to Bell-LaPadula

• Bell-LaPadula cannot track changes over time
• Susan becomes ill, Anna needs to take over
• C-W history lets Anna know if she can
• No way for Bell-LaPadula to capture this
• Access constraints change over time
• Initially, subjects in C-W can read any object
• Bell-LaPadula constrains set of objects that a
  subject can access
• Cant clear all subjects for all categories,
  because this violates CW-simple security
  condition

66
Compare to Clark-Wilson

• Clark-Wilson Model covers integrity, so consider
  only access control aspects
• If subjects and processes are
  interchangeable, a single person could use
  multiple processes to violate CW-simple security
  condition
• Would still comply with Clark-Wilson Model
• If subject is a specific person and includes
  all processes the subject executes, then
  consistent with Clark-Wilson Model

67
Clinical Information Systems Security Policy

• Intended for medical records
• Conflict of interest not critical problem
• Patient confidentiality, authentication of
  records and annotators, and integrity are
• Entities
• Patient subject of medical records (or agent)
• Personal health information data about patients
  health or treatment enabling identification of
  patient
• Clinician health-care professional with access
  to personal health information while doing job

68
Assumptions and Principles

• Assumes health information involves 1 person at a
  time
• Not always true OB/GYN involves father as well
  as mother
• Principles derived from medical ethics of various
  societies, and from practicing clinicians

69
Access

• Principle 1 Each medical record has an access
  control list naming the individuals or groups who
  may read and append information to the record.
  The system must restrict access to those
  identified on the access control list.
• Idea is that clinicians need access, but no-one
  else. Auditors get access to copies, so they
  cannot alter records

70
Access

• Principle 2 One of the clinicians on the access
  control list must have the right to add other
  clinicians to the access control list.
• Called the responsible clinician

71
Access

• Principle 3 The responsible clinician must
  notify the patient of the names on the access
  control list whenever the patients medical
  record is opened. Except for situations given in
  statutes, or in cases of emergency, the
  responsible clinician must obtain the patients
  consent.
• Patient must consent to all treatment, and must
  know of violations of security

72
Access

• Principle 4 The name of the clinician, the date,
  and the time of the access of a medical record
  must be recorded. Similar information must be
  kept for deletions.
• This is for auditing. Dont delete information
  update it (last part is for deletion of records
  after death, for example, or deletion of
  information when required by statute). Record
  information about all accesses.

73
Creation

• Principle A clinician may open a record, with
  the clinician and the patient on the access
  control list. If a record is opened as a result
  of a referral, the referring clinician may also
  be on the access control list.
• Creating clinician needs access, and patient
  should get it. If created from a referral,
  referring clinician needs access to get results
  of referral.

74
Deletion

• Principle Clinical information cannot be
  deleted from a medical record until the
  appropriate time has passed.
• This varies with circumstances.

75
Confinement

• Principle Information from one medical record
  may be appended to a different medical record if
  and only if the access control list of the second
  record is a subset of the access control list of
  the first.
• This keeps information from leaking to
  unauthorized users. All users have to be on the
  access control list.

76
Aggregation

• Principle Measures for preventing aggregation of
  patient data must be effective. In particular, a
  patient must be notified if anyone is to be added
  to the access control list for the patients
  record and if that person has access to a large
  number of medical records.
• Fear here is that a corrupt investigator may
  obtain access to a large number of records,
  correlate them, and discover private information
  about individuals which can then be used for
  nefarious purposes (such as blackmail)

77
Enforcement

• Principle Any computer system that handles
  medical records must have a subsystem that
  enforces the preceding principles. The
  effectiveness of this enforcement must be subject
  to evaluation by independent auditors.
• This policy has to be enforced, and the
  enforcement mechanisms must be auditable (and
  audited)

78
Compare to Bell-LaPadula

• Confinement Principle imposes lattice structure
  on entities in model
• Similar to Bell-LaPadula
• CISS focuses on objects being accessed B-LP on
  the subjects accessing the objects
• May matter when looking for insiders in the
  medical environment

79
Compare to Clark-Wilson

• CDIs are medical records
• TPs are functions updating records, access
  control lists
• IVPs certify
• A person identified as a clinician is a
  clinician
• A clinician validates, or has validated,
  information in the medical record
• When someone is to be notified of an event, such
  notification occurs and
• When someone must give consent, the operation
  cannot proceed until the consent is obtained
• Auditing (CR4) requirement make all records
  append-only, notify patient when access control
  list changed

80
ORCON

• Problem organization creating document wants to
  control its dissemination
• Example Secretary of Agriculture writes a memo
  for distribution to her immediate subordinates,
  and she must give permission for it to be
  disseminated further. This is originator
  controlled (here, the originator is a person).

81
Req uirements

• Subject s ? S marks object o ? O as ORCON on
  behalf of organization X. X allows o to be
  disclosed to subjects acting on behalf of
  organization Y with the following restrictions
• o cannot be released to subjects acting on
  behalf of other organizations without Xs
  permission and
• Any copies of o must have the same restrictions
  placed on it.

82
DAC Fails

• Owner can set any desired permissions
• This makes 2 unenforceable

83
MAC Fails

• First problem category explosion
• Category C contains o, X, Y, and nothing else. If
  a subject y ? Y wants to read o, x ? X makes a
  copy o?. Note o? has category C. If y wants to
  give z ? Z a copy, z must be in Yby definition,
  its not. If x wants to let w ? W see the
  document, need a new category C? containing o, X,
  W.
• Second problem abstraction
• MAC classification, categories centrally
  controlled, and access controlled by a
  centralized policy
• ORCON controlled locally

84
Combine Them

• The owner of an object cannot change the access
  controls of the object.
• When an object is copied, the access control
  restrictions of that source are copied and bound
  to the target of the copy.
• These are MAC (owner cant control them)
• The creator (originator) can alter the access
  control restrictions on a per-subject and
  per-object basis.
• This is DAC (owner can control it)

85
RBAC

• Access depends on function, not identity
• Example
• Allison, bookkeeper for Math Dept, has access to
  financial records.
• She leaves.
• Betty hired as the new bookkeeper, so she now has
  access to those records
• The role of bookkeeper dictates access, not the
  identity of the individual.

86
Definitions

• Role r collection of job functions
• trans(r) set of authorized transactions for r
• Active role of subject s role s is currently in
• actr(s)
• Authorized roles of a subject s set of roles s
  is authorized to assume
• authr(s)
• canexec(s, t) iff subject s can execute
  transaction t at current time

87
Axioms

• Let S be the set of subjects and T the set of
  transactions.
• Rule of role assignment (?s ? S)(?t ? T)
  canexec(s, t) ? actr(s) ? ?.
• If s can execute a transaction, it has a role
• This ties transactions to roles
• Rule of role authorization (?s ? S) actr(s)
  ? authr(s).
• Subject must be authorized to assume an active
  role (otherwise, any subject could assume any
  role)

88
Axiom

• Rule of transaction authorization (?s ? S)(?t
  ? T) canexec(s, t) ? t ? trans(actr(s)).
• If a subject s can execute a transaction, then
  the transaction is an authorized one for the role
  s has assumed

89
Containment of Roles

• Trainer can do all transactions that trainee can
  do (and then some). This means role r contains
  role r? (r gt r?). So
• (?s ? S) r? ? authr(s) ? r gt r? ? r ? authr(s)

90
Separation of Duty

• Let r be a role, and let s be a subject such that
  r ? auth(s). Then the predicate meauth(r) (for
  mutually exclusive authorizations) is the set of
  roles that s cannot assume because of the
  separation of duty requirement.
• Separation of duty
• (?r1, r2 ? R) r2 ? meauth(r1) ?
• (?s ? S) r1? authr(s) ? r2 ? authr(s)
  

91
Key Points

• Hybrid policies deal with both confidentiality
  and integrity
• Different combinations of these
• ORCON model neither MAC nor DAC
• Actually, a combination
• RBAC model controls access based on functionality