Chapter 6: Integrity Policies - PowerPoint PPT Presentation

1 / 91
About This Presentation
Title:

Chapter 6: Integrity Policies

Description:

System controllers need to install code (hence downgrade capability) ... Installing a program requires downgrade procedure (from D to PC), so only system ... – PowerPoint PPT presentation

Number of Views:81
Avg rating:3.0/5.0
Slides: 92
Provided by: TheMonarc6
Category:

less

Transcript and Presenter's Notes

Title: Chapter 6: Integrity Policies


1
Chapter 6 Integrity Policies
  • Overview
  • Requirements
  • Bibas models
  • Lipners model
  • Clark-Wilson model

2
Overview
  • Requirements
  • Very different than confidentiality policies
  • Bibas models
  • Low-Water-Mark policy
  • Ring policy
  • Strict Integrity policy
  • Lipners model
  • Combines Bell-LaPadula, Biba
  • Clark-Wilson model

3
Requirements of Policies
  1. Users will not write their own programs, but will
    use existing production programs and databases.
  2. Programmers will develop and test programs on a
    non-production system if they need access to
    actual data, they will be given production data
    via a special process, but will use it on their
    development system.
  3. A special process must be followed to install a
    program from the development system onto the
    production system.
  4. The special process in requirement 3 must be
    controlled and audited.
  5. The managers and auditors must have access to
    both the system state and the system logs that
    are generated.

4
Biba Integrity Model
  • Basis for all 3 models
  • Set of subjects S, objects O, integrity levels I,
    relation ? I ? I holding when second dominates
    first
  • min I ? I ? I returns lesser of integrity levels
  • i S ? O ? I gives integrity level of entity
  • r S ? O means s ? S can read o ? O
  • w, x defined similarly

5
Intuition for Integrity Levels
  • The higher the level, the more confidence
  • That a program will execute correctly
  • That data is accurate and/or reliable
  • Note relationship between integrity and
    trustworthiness
  • Important point integrity levels are not
    security levels

6
Information Transfer Path
  • An information transfer path is a sequence of
    objects o1, ..., on1 and corresponding sequence
    of subjects s1, ..., sn such that si r oi and si
    w oi1 for all i, 1 i n.
  • Idea information can flow from o1 to on1 along
    this path by successive reads and writes

7
Low-Water-Mark Policy
  • Idea when s reads o, i(s) min(i(s), i (o)) s
    can only write objects at lower levels
  • Rules
  • s ? S can write to o ? O if and only if i(o)
    i(s).
  • If s ? S reads o ? O, then i?(s) min(i(s),
    i(o)), where i?(s) is the subjects integrity
    level after the read.
  • s1 ? S can execute s2 ? S if and only if i(s2)
    i(s1).

8
Information Flow and Model
  • If there is information transfer path from o1 ? O
    to on1 ? O, enforcement of low-water-mark policy
    requires i(on1) i(o1) for all n gt 1.
  • Idea of proof Assume information transfer path
    exists between o1 and on1. Assume that each read
    and write was performed in the order of the
    indices of the vertices. By induction, the
    integrity level for each subject is the minimum
    of the integrity levels for all objects preceding
    it in path, so i(sn) i(o1). As nth write
    succeeds, i(on1) i(sn). Hence i(on1) i(o1).

9
Problems
  • Subjects integrity levels decrease as system
    runs
  • Soon no subject will be able to access objects at
    high integrity levels
  • Alternative change object levels rather than
    subject levels
  • Soon all objects will be at the lowest integrity
    level
  • Crux of problem is model prevents indirect
    modification
  • Because subject levels lowered when subject reads
    from low-integrity object

10
Ring Policy
  • Idea subject integrity levels static
  • Rules
  • s ? S can write to o ? O if and only if i(o)
    i(s).
  • Any subject can read any object.
  • s1 ? S can execute s2 ? S if and only if i(s2)
    i(s1).
  • Eliminates indirect modification problem
  • Same information flow result holds

11
Strict Integrity Policy
  • Similar to Bell-LaPadula model
  • s ? S can read o ? O iff i(s) i(o)
  • s ? S can write to o ? O iff i(o) i(s)
  • s1 ? S can execute s2 ? S iff i(s2) i(s1)
  • Add compartments and discretionary controls to
    get full dual of Bell-LaPadula model
  • Information flow result holds
  • Different proof, though
  • Term Biba Model refers to this

12
LOCUS and Biba
  • Goal prevent untrusted software from altering
    data or other software
  • Approach make levels of trust explicit
  • credibility rating based on estimate of
    softwares trustworthiness (0 untrusted, n highly
    trusted)
  • trusted file systems contain software with a
    single credibility level
  • Process has risk level or highest credibility
    level at which process can execute
  • Must use run-untrusted command to run software at
    lower credibility level

13
Integrity Matrix Model
  • Lipner proposed this as first realistic
    commercial model
  • Combines Bell-LaPadula, Biba models to obtain
    model conforming to requirements
  • Do it in two steps
  • Bell-LaPadula component first
  • Add in Biba component

14
Bell-LaPadula Clearances
  • 2 security clearances/classifications
  • AM (Audit Manager) system audit, management
    functions
  • SL (System Low) any process can read at this
    level

15
Bell-LaPadula Categories
  • 5 categories
  • D (Development) production programs in
    development but not yet in use
  • PC (Production Code) production processes,
    programs
  • PD (Production Data) data covered by integrity
    policy
  • SD (System Development) system programs in
    development but not yet in use
  • T (Software Tools) programs on production system
    not related to protected data

16
Users and Security Levels
Subjects Security Level
Ordinary users (SL, PC, PD )
Application developers (SL, D, T )
System programmers (SL, SD, T )
System managers and auditors (AM, D, OC, OD, SD, T )
System controllers (SL, D, PC, PD, SD, T) and downgrade privilege
17
Objects and Classifications
Objects Security Level
Development code/test data (SL, D, T )
Production code (SL, PC )
Production data (SL, PC, PD )
Software tools (SL, T )
System programs (SL, ? )
System programs in modification (SL, SD, T )
System and application logs (AM, appropriate )
18
Ideas
  • Ordinary users can execute (read) production code
    but cannot alter it
  • Ordinary users can alter and read production data
  • System managers need access to all logs but
    cannot change levels of objects
  • System controllers need to install code (hence
    downgrade capability)
  • Logs are append only, so must dominate subjects
    writing them

19
Check Requirements
  1. Users have no access to T, so cannot write their
    own programs
  2. Applications programmers have no access to PD, so
    cannot access production data if needed, it must
    be put into D, requiring the system controller to
    intervene
  3. Installing a program requires downgrade procedure
    (from D to PC), so only system controllers can do
    it

20
More Requirements
  • 4. Control only system controllers can
    downgrade audit any such downgrading must be
    altered
  • 5. System management and audit users are in AM
    and so have access to system styate and logs

21
Problem
  • Too inflexible
  • System managers cannot run programs for repairing
    inconsistent or erroneous production database
  • System managers at AM, production data at SL
  • So add more

22
Adding Biba
  • 3 integrity classifications
  • ISP(System Program) for system programs
  • IO (Operational) production programs,
    development software
  • ISL (System Low) users get this on log in
  • 2 integrity categories
  • ID (Development) development entities
  • IP (Production) production entities

23
Simplify Bell-LaPadula
  • Reduce security categories to 3
  • SP (Production) production code, data
  • SD (Development) same as D
  • SSD (System Development) same as old SD

24
Users and Levels
Subjects Security Level Integrity Level
Ordinary users (SL, SP ) (ISL, IP )
Application developers (SL, SD ) (ISL, ID )
System programmers (SL, SSD ) (ISL, ID )
System managers and auditors (AM, SP, SD, SSD ) (ISL, IP, ID)
System controllers (SL, SP, SD ) and downgrade privilege (ISP, IP, ID)
Repair (SL, SP ) (ISL, IP )
25
Objects and Classifications
Objects Security Level Integrity Level
Development code/test data (SL, SD ) (ISL, IP )
Production code (SL, SP ) (IO, IP )
Production data (SL, SP ) (ISL, IP )
Software tools (SL, ? ) (IO, ID )
System programs (SL, ? ) (ISP, IP, ID )
System programs in modification (SL, SSD ) (ISL, ID )
System and application logs (AM, appropriate ) (ISL, ? )
Repair (SL, SP) (ISL, IP )
26
Ideas
  • Security clearances of subjects same as without
    integrity levels
  • Ordinary users need to modify production data, so
    ordinary users must have write access to
    integrity category IP
  • Ordinary users must be able to write production
    data but not production code integrity classes
    allow this
  • Note writing constraints removed from security
    classes

27
Clark-Wilson Integrity Model
  • Integrity defined by a set of constraints
  • Data in a consistent or valid state when it
    satisfies these
  • Example Bank
  • D todays deposits, W withdrawals, YB yesterdays
    balance, TB todays balance
  • Integrity constraint D YB W
  • Well-formed transaction move system from one
    consistent state to another
  • Issue who examines, certifies transactions done
    correctly?

28
Entities
  • CDIs constrained data items
  • Data subject to integrity controls
  • UDIs unconstrained data items
  • Data not subject to integrity controls
  • IVPs integrity verification procedures
  • Procedures that test the CDIs conform to the
    integrity constraints
  • TPs transaction procedures
  • Procedures that take the system from one valid
    state to another

29
Certification Rules 1 and 2
  • CR1 When any IVP is run, it must ensure all CDIs
    are in a valid state
  • CR2 For some associated set of CDIs, a TP must
    transform those CDIs in a valid state into a
    (possibly different) valid state
  • Defines relation certified that associates a set
    of CDIs with a particular TP
  • Example TP balance, CDIs accounts, in bank
    example

30
Enforcement Rules 1 and 2
  • ER1 The system must maintain the certified
    relations and must ensure that only TPs certified
    to run on a CDI manipulate that CDI.
  • ER2 The system must associate a user with each TP
    and set of CDIs. The TP may access those CDIs on
    behalf of the associated user. The TP cannot
    access that CDI on behalf of a user not
    associated with that TP and CDI.
  • System must maintain, enforce certified relation
  • System must also restrict access based on user ID
    (allowed relation)

31
Users and Rules
  • CR3 The allowed relations must meet the
    requirements imposed by the principle of
    separation of duty.
  • ER3 The system must authenticate each user
    attempting to execute a TP
  • Type of authentication undefined, and depends on
    the instantiation
  • Authentication not required before use of the
    system, but is required before manipulation of
    CDIs (requires using TPs)

32
Logging
  • CR4 All TPs must append enough information to
    reconstruct the operation to an append-only CDI.
  • This CDI is the log
  • Auditor needs to be able to determine what
    happened during reviews of transactions

33
Handling Untrusted Input
  • CR5 Any TP that takes as input a UDI may perform
    only valid transformations, or no
    transformations, for all possible values of the
    UDI. The transformation either rejects the UDI or
    transforms it into a CDI.
  • In bank, numbers entered at keyboard are UDIs, so
    cannot be input to TPs. TPs must validate numbers
    (to make them a CDI) before using them if
    validation fails, TP rejects UDI

34
Separation of Duty In Model
  • ER4 Only the certifier of a TP may change the
    list of entities associated with that TP. No
    certifier of a TP, or of an entity associated
    with that TP, may ever have execute permission
    with respect to that entity.
  • Enforces separation of duty with respect to
    certified and allowed relations

35
Comparison With Requirements
  • Users cant certify TPs, so CR5 and ER4 enforce
    this
  • Procedural, so model doesnt directly cover it
    but special process corresponds to using TP
  • No technical controls can prevent programmer from
    developing program on production system usual
    control is to delete software tools
  • TP does the installation, trusted personnel do
    certification

36
Comparison With Requirements
  • 4. CR4 provides logging ER3 authenticates
    trusted personnel doing installation CR5, ER4
    control installation procedure
  • New program UDI before certification, CDI (and
    TP) after
  • Log is CDI, so appropriate TP can provide
    managers, auditors access
  • Access to state handled similarly

37
Comparison to Biba
  • Biba
  • No notion of certification rules trusted
    subjects ensure actions obey rules
  • Untrusted data examined before being made trusted
  • Clark-Wilson
  • Explicit requirements that actions must meet
  • Trusted entity must certify method to upgrade
    untrusted data (and not certify the data itself)

38
UNIX Implementation
  • Considered allowed relation
  • (user, TP, CDI set )
  • Each TP is owned by a different user
  • These users are actually locked accounts, so no
    real users can log into them but this provides
    each TP a unique UID for controlling access
    rights
  • TP is setuid to that user
  • Each TPs group contains set of users authorized
    to execute TP
  • Each TP is executable by group, not by world

39
CDI Arrangement
  • CDIs owned by root or some other unique user
  • Again, no logins to that users account allowed
  • CDIs group contains users of TPs allowed to
    manipulate CDI
  • Now each TP can manipulate CDIs for single user

40
Examples
  • Access to CDI constrained by user
  • In allowed triple, TP can be any TP
  • Put CDIs in a group containing all users
    authorized to modify CDI
  • Access to CDI constrained by TP
  • In allowed triple, user can be any user
  • CDIs allow access to the owner, the user owning
    the TP
  • Make the TP world executable

41
Problems
  • 2 different users cannot use same copy of TP to
    access 2 different CDIs
  • Need 2 separate copies of TP (one for each user
    and CDI set)
  • TPs are setuid programs
  • As these change privileges, want to minimize
    their number
  • root can assume identity of users owning TPs, and
    so cannot be separated from certifiers
  • No way to overcome this without changing nature
    of root

42
Key Points
  • Integrity policies deal with trust
  • As trust is hard to quantify, these policies are
    hard to evaluate completely
  • Look for assumptions and trusted users to find
    possible weak points in their implementation
  • Biba, Lipner based on multilevel integrity
  • Clark-Wilson focuses on separation of duty and
    transactions

43
Chapter 7 Hybrid Policies
  • Overview
  • Chinese Wall Model
  • Clinical Information Systems Security Policy
  • ORCON
  • RBAC

44
Overview
  • Chinese Wall Model
  • Focuses on conflict of interest
  • CISS Policy
  • Combines integrity and confidentiality
  • ORCON
  • Combines mandatory, discretionary access controls
  • RBAC
  • Base controls on job function

45
Chinese Wall Model
  • Problem
  • Tony advises American Bank about investments
  • He is asked to advise Toyland Bank about
    investments
  • Conflict of interest to accept, because his
    advice for either bank would affect his advice to
    the other bank

46
Organization
  • Organize entities into conflict of interest
    classes
  • Control subject accesses to each class
  • Control writing to all classes to ensure
    information is not passed along in violation of
    rules
  • Allow sanitized data to be viewed by everyone

47
Definitions
  • Objects items of information related to a
    company
  • Company dataset (CD) contains objects related to
    a single company
  • Written CD(O)
  • Conflict of interest class (COI) contains
    datasets of companies in competition
  • Written COI(O)
  • Assume each object belongs to exactly one COI
    class

48
Example
49
Temporal Element
  • If Anthony reads any CD in a COI, he can never
    read another CD in that COI
  • Possible that information learned earlier may
    allow him to make decisions later
  • Let PR(S) be set of objects that S has already
    read

50
CW-Simple Security Condition
  • s can read o iff either condition holds
  • There is an o? such that s has accessed o? and
    CD(o?) CD(o)
  • Meaning s has read something in os dataset
  • For all o? ? O, o? ? PR(s) ? COI(o?) ? COI(o)
  • Meaning s has not read any objects in os
    conflict of interest class
  • Ignores sanitized data (see below)
  • Initially, PR(s) ?, so initial read request
    granted

51
Sanitization
  • Public information may belong to a CD
  • As is publicly available, no conflicts of
    interest arise
  • So, should not affect ability of analysts to read
  • Typically, all sensitive data removed from such
    information before it is released publicly
    (called sanitization)
  • Add third condition to CW-Simple Security
    Condition
  • 3. o is a sanitized object

52
Writing
  • Anthony, Susan work in same trading house
  • Anthony can read Bank 1s CD, Gas CD
  • Susan can read Bank 2s CD, Gas CD
  • If Anthony could write to Gas CD, Susan can read
    it
  • Hence, indirectly, she can read information from
    Bank 1s CD, a clear conflict of interest

53
CW--Property
  • s can write to o iff both of the following hold
  • The CW-simple security condition permits s to
    read o and
  • For all unsanitized objects o?, if s can read
    o?, then CD(o?) CD(o)
  • Says that s can write to an object if all the
    (unsanitized) objects it can read are in the same
    dataset

54
Formalism
  • Goal figure out how information flows around
    system
  • S set of subjects, O set of objects, L C?D set
    of labels
  • l1O?C maps objects to their COI classes
  • l2O?D maps objects to their CDs
  • H(s, o) true iff s has or had read access to o
  • R(s, o) ss request to read o

55
Axioms
  • Axiom 7-1. For all o, o? ? O, if l2(o)
    l2(o?), then l1(o) l1(o?)
  • CDs do not span COIs.
  • Axiom 7-2. s ? S can read o ? O iff, for all o?
    ? O such that H(s, o?), either l1(o?) ? l1(o)
    or l2(o?) l2(o)
  • s can read o iff o is either in a different COI
    than every other o? that s has read, or in the
    same CD as o.

56
More Axioms
  • Axiom 7-3. ?H(s, o) for all s ? S and o ? O is an
    initially secure state
  • Description of the initial state, assumed secure
  • Axiom 7-4. If for some s ? S and all o ? O, ?H(s,
    o), then any request R(s, o) is granted
  • If s has read no object, it can read any object

57
Which Objects Can Be Read?
  • Suppose s ? S has read o ? O. If s can read o? ?
    O, o? ? o, then l1(o? ) ? l1(o) or l2(o? )
    l2(o).
  • Says s can read only the objects in a single CD
    within any COI

58
Lemma
  • Suppose a subject s ? S can read an object o ?
    O. Then s can read no o? for which l1(o?)
    l1(o) and l2(o?) ? l2(o).
  • So a subject can access at most one CD in each
    COI class
  • Sketch of proof Initial case follows from Axioms
    7-3, 7-4. If o? ? o, theorem immediately gives
    lemma.

59
COIs and Subjects
  • Theorem Let c ? C and d ? D. Suppose there are n
    objects oi ? O, 1 i  n, such that l1(oi) d
    for 1 i n, and l2(oi) ? l2(oj), for 1 i, j
    n, i ? j. Then for all such o, there is an s ?
    S that can read o iff n S.
  • If a COI has n CDs, you need at least n subjects
    to access every object
  • Proof sketch If s can read o, it cannot read any
    o? in another CD in that COI (Axiom 7-2). As
    there are n such CDs, there must be at least n
    subjects to meet the conditions of the theorem.

60
Sanitized Data
  • v(o) sanitized version of object o
  • For purposes of analysis, place them all in a
    special CD in a COI containing no other CDs
  • Axiom 7-5. l1(o) l1(v(o)) iff l2(o) l2(v(o))

61
Which Objects Can Be Written?
  • Axiom 7-6. s ? S can write to o ? O iff the
    following hold simultaneously
  • H(s, o)
  • There is no o? ? O with H(s, o?), l2(o) ? l2(o?),
    l2(o) ? l2(v(o)), l2(o?) l2(v(o)).
  • Allow writing iff information cannot leak from
    one subject to another through a mailbox
  • Note handling for sanitized objects

62
How Information Flows
  • Definition information may flow from o to o? if
    there is a subject such that H(s, o) and H(s,
    o?).
  • Intuition if s can read 2 objects, it can act on
    that knowledge so information flows between the
    objects through the nexus of the subject
  • Write the above situation as (o, o?)

63
Key Result
  • Set of all information flows is
  • (o, o?) o ? O ? o? ? O ? l2(o) l2(o?) ?
    l2(o) l2(v(o))
  • Sketch of proof Definition gives set of flows
  • F (o, o?) o ? O ? o? ? O ? ? s ? S such that
    H(s, o) ? H(s, o?))
  • Axiom 7-6 excludes the following flows
  • X (o, o?) o ? O ? o? ? O ? l2(o) ? l2(o?) ?
    l2(o) ? l2(v(o))
  • So, letting F be transitive closure of F,
  • F X (o, o?) o ? O ? o? ? O ? ?(l2(o) ?
    l2(o?) ? l2(o) ? l2(v(o)))
  • which is equivalent to the claim.

64
Compare to Bell-LaPadula
  • Fundamentally different
  • CW has no security labels, B-LP does
  • CW has notion of past accesses, B-LP does not
  • Bell-LaPadula can capture state at any time
  • Each (COI, CD) pair gets security category
  • Two clearances, S (sanitized) and U (unsanitized)
  • S dom U
  • Subjects assigned clearance for compartments
    without multiple categories corresponding to CDs
    in same COI class

65
Compare to Bell-LaPadula
  • Bell-LaPadula cannot track changes over time
  • Susan becomes ill, Anna needs to take over
  • C-W history lets Anna know if she can
  • No way for Bell-LaPadula to capture this
  • Access constraints change over time
  • Initially, subjects in C-W can read any object
  • Bell-LaPadula constrains set of objects that a
    subject can access
  • Cant clear all subjects for all categories,
    because this violates CW-simple security
    condition

66
Compare to Clark-Wilson
  • Clark-Wilson Model covers integrity, so consider
    only access control aspects
  • If subjects and processes are
    interchangeable, a single person could use
    multiple processes to violate CW-simple security
    condition
  • Would still comply with Clark-Wilson Model
  • If subject is a specific person and includes
    all processes the subject executes, then
    consistent with Clark-Wilson Model

67
Clinical Information Systems Security Policy
  • Intended for medical records
  • Conflict of interest not critical problem
  • Patient confidentiality, authentication of
    records and annotators, and integrity are
  • Entities
  • Patient subject of medical records (or agent)
  • Personal health information data about patients
    health or treatment enabling identification of
    patient
  • Clinician health-care professional with access
    to personal health information while doing job

68
Assumptions and Principles
  • Assumes health information involves 1 person at a
    time
  • Not always true OB/GYN involves father as well
    as mother
  • Principles derived from medical ethics of various
    societies, and from practicing clinicians

69
Access
  • Principle 1 Each medical record has an access
    control list naming the individuals or groups who
    may read and append information to the record.
    The system must restrict access to those
    identified on the access control list.
  • Idea is that clinicians need access, but no-one
    else. Auditors get access to copies, so they
    cannot alter records

70
Access
  • Principle 2 One of the clinicians on the access
    control list must have the right to add other
    clinicians to the access control list.
  • Called the responsible clinician

71
Access
  • Principle 3 The responsible clinician must
    notify the patient of the names on the access
    control list whenever the patients medical
    record is opened. Except for situations given in
    statutes, or in cases of emergency, the
    responsible clinician must obtain the patients
    consent.
  • Patient must consent to all treatment, and must
    know of violations of security

72
Access
  • Principle 4 The name of the clinician, the date,
    and the time of the access of a medical record
    must be recorded. Similar information must be
    kept for deletions.
  • This is for auditing. Dont delete information
    update it (last part is for deletion of records
    after death, for example, or deletion of
    information when required by statute). Record
    information about all accesses.

73
Creation
  • Principle A clinician may open a record, with
    the clinician and the patient on the access
    control list. If a record is opened as a result
    of a referral, the referring clinician may also
    be on the access control list.
  • Creating clinician needs access, and patient
    should get it. If created from a referral,
    referring clinician needs access to get results
    of referral.

74
Deletion
  • Principle Clinical information cannot be
    deleted from a medical record until the
    appropriate time has passed.
  • This varies with circumstances.

75
Confinement
  • Principle Information from one medical record
    may be appended to a different medical record if
    and only if the access control list of the second
    record is a subset of the access control list of
    the first.
  • This keeps information from leaking to
    unauthorized users. All users have to be on the
    access control list.

76
Aggregation
  • Principle Measures for preventing aggregation of
    patient data must be effective. In particular, a
    patient must be notified if anyone is to be added
    to the access control list for the patients
    record and if that person has access to a large
    number of medical records.
  • Fear here is that a corrupt investigator may
    obtain access to a large number of records,
    correlate them, and discover private information
    about individuals which can then be used for
    nefarious purposes (such as blackmail)

77
Enforcement
  • Principle Any computer system that handles
    medical records must have a subsystem that
    enforces the preceding principles. The
    effectiveness of this enforcement must be subject
    to evaluation by independent auditors.
  • This policy has to be enforced, and the
    enforcement mechanisms must be auditable (and
    audited)

78
Compare to Bell-LaPadula
  • Confinement Principle imposes lattice structure
    on entities in model
  • Similar to Bell-LaPadula
  • CISS focuses on objects being accessed B-LP on
    the subjects accessing the objects
  • May matter when looking for insiders in the
    medical environment

79
Compare to Clark-Wilson
  • CDIs are medical records
  • TPs are functions updating records, access
    control lists
  • IVPs certify
  • A person identified as a clinician is a
    clinician
  • A clinician validates, or has validated,
    information in the medical record
  • When someone is to be notified of an event, such
    notification occurs and
  • When someone must give consent, the operation
    cannot proceed until the consent is obtained
  • Auditing (CR4) requirement make all records
    append-only, notify patient when access control
    list changed

80
ORCON
  • Problem organization creating document wants to
    control its dissemination
  • Example Secretary of Agriculture writes a memo
    for distribution to her immediate subordinates,
    and she must give permission for it to be
    disseminated further. This is originator
    controlled (here, the originator is a person).

81
Req uirements
  • Subject s ? S marks object o ? O as ORCON on
    behalf of organization X. X allows o to be
    disclosed to subjects acting on behalf of
    organization Y with the following restrictions
  • o cannot be released to subjects acting on
    behalf of other organizations without Xs
    permission and
  • Any copies of o must have the same restrictions
    placed on it.

82
DAC Fails
  • Owner can set any desired permissions
  • This makes 2 unenforceable

83
MAC Fails
  • First problem category explosion
  • Category C contains o, X, Y, and nothing else. If
    a subject y ? Y wants to read o, x ? X makes a
    copy o?. Note o? has category C. If y wants to
    give z ? Z a copy, z must be in Yby definition,
    its not. If x wants to let w ? W see the
    document, need a new category C? containing o, X,
    W.
  • Second problem abstraction
  • MAC classification, categories centrally
    controlled, and access controlled by a
    centralized policy
  • ORCON controlled locally

84
Combine Them
  • The owner of an object cannot change the access
    controls of the object.
  • When an object is copied, the access control
    restrictions of that source are copied and bound
    to the target of the copy.
  • These are MAC (owner cant control them)
  • The creator (originator) can alter the access
    control restrictions on a per-subject and
    per-object basis.
  • This is DAC (owner can control it)

85
RBAC
  • Access depends on function, not identity
  • Example
  • Allison, bookkeeper for Math Dept, has access to
    financial records.
  • She leaves.
  • Betty hired as the new bookkeeper, so she now has
    access to those records
  • The role of bookkeeper dictates access, not the
    identity of the individual.

86
Definitions
  • Role r collection of job functions
  • trans(r) set of authorized transactions for r
  • Active role of subject s role s is currently in
  • actr(s)
  • Authorized roles of a subject s set of roles s
    is authorized to assume
  • authr(s)
  • canexec(s, t) iff subject s can execute
    transaction t at current time

87
Axioms
  • Let S be the set of subjects and T the set of
    transactions.
  • Rule of role assignment (?s ? S)(?t ? T)
    canexec(s, t) ? actr(s) ? ?.
  • If s can execute a transaction, it has a role
  • This ties transactions to roles
  • Rule of role authorization (?s ? S) actr(s)
    ? authr(s).
  • Subject must be authorized to assume an active
    role (otherwise, any subject could assume any
    role)

88
Axiom
  • Rule of transaction authorization (?s ? S)(?t
    ? T) canexec(s, t) ? t ? trans(actr(s)).
  • If a subject s can execute a transaction, then
    the transaction is an authorized one for the role
    s has assumed

89
Containment of Roles
  • Trainer can do all transactions that trainee can
    do (and then some). This means role r contains
    role r? (r gt r?). So
  • (?s ? S) r? ? authr(s) ? r gt r? ? r ? authr(s)

90
Separation of Duty
  • Let r be a role, and let s be a subject such that
    r ? auth(s). Then the predicate meauth(r) (for
    mutually exclusive authorizations) is the set of
    roles that s cannot assume because of the
    separation of duty requirement.
  • Separation of duty
  • (?r1, r2 ? R) r2 ? meauth(r1) ?
  • (?s ? S) r1? authr(s) ? r2 ? authr(s)

91
Key Points
  • Hybrid policies deal with both confidentiality
    and integrity
  • Different combinations of these
  • ORCON model neither MAC nor DAC
  • Actually, a combination
  • RBAC model controls access based on functionality
Write a Comment
User Comments (0)
About PowerShow.com