Lecture 9: Security models and policy - PowerPoint PPT Presentation

Provided by: martin159
Slides: 23

Transcript and Presenter's Notes
1
Lecture 9 Security models and policy
  • In this lecture we will cover
  • concepts of trust and trustworthiness
  • security policy, security model and security
    level
  • begin examination of a number of security models - Clark-Wilson, Chinese Wall
  • continue with more next lecture

2
Ownership and security
  • the owner's access to an item owned is always secure
  • by definition the owner of an item is authorised to use the item
  • the owner of an item is the final arbiter of who has access to the item and how, etc.
  • but the problem is that the owner cannot, in a complex and fast changing computer system environment, directly control all usage by processes on the system of the items owned - this needs to be managed by the OS on the owner's behalf

3
  • the mechanisms of the OS that attempt to ensure security and enforce owner-defined usage permissions constitute the security mechanisms of the OS
  • a process may access some item in the computer system by use of some access mechanism; because the access may be unauthorised, we typically want a mechanism in place that checks that the process is authorised to access the item in the given mode - a first tier security mechanism

4
  • in turn that checking mechanism may have errors in it (accidental or deliberate) - this means that it may fail to properly check and enforce the usage permissions. This implies that you may want another mechanism that checks the access permission mechanism to ensure that it does not permit access when it shouldn't - a second tier security mechanism
  • of course any such second tier mechanism may itself be faulty and in need of checking, leading to third tier mechanisms - this process could be endless and lead to an infinite hierarchy of security mechanisms - it is based on the reasonable notion that any mechanism could be faulty and should therefore be checked

5
Trust and trustworthiness
  • BUT an infinite hierarchy of security checking mechanisms is impossible
  • if the owner is not to directly control usage of the items owned then at some point the owner must trust some component of the security mechanism to properly carry out its job
  • thus we are led to the central concepts of trust and trustworthiness
  • an entity (e.g. a security mechanism) is said to be trusted by a subject if the subject acts as if the entity will obey/respect the usage permissions of all items it interacts with

6
  • the other common definition of trusted is - an entity is trusted if the entity could affect system security - i.e. it is trusted not to affect system security - the definitions are equivalent but the first is more explicit about what a subject is expecting from a trusted entity
  • an entity is trustworthy if it is worthy of trust, i.e. if it is the case (it is true) that the entity will obey/respect the usage permissions of items it interacts with
  • but of course an entity may be trusted but not trustworthy and vice versa

7
Security policy
  • the security policy of a computer system is a
    high level specification about the security to be
    achieved, not about the mechanism used to achieve
    that security
  • a security system is not a security system unless
    it attempts to enforce compliance with the usage
    permissions of the items in the computer system
  • Thus a security policy could simply state that
    the security system will enforce compliance with
    the usage permissions as defined by owners of
    items in the computer system on the entities in
    the system

8
  • Some security policies do just state something
    similar to the previous bullet point but using
    more words - very woolly - however, as a
    statement of a security policy it is inadequate -
    there is a lot of ambiguity that needs resolving
  • some more obvious considerations are on next slide

9
  • what components of the OS will enforce this
    policy
  • what do we mean by compliance
  • what exact usage permissions are to be valid i.e. available for owners to define - read, write, execute, append, revoke, delete, create, change usage permissions, etc. - any defaults to be set, etc.
  • how do we identify who are the owners of items in
    the system
  • how do we identify what are the valid items that
    are owned and are in need of protection - any
    constraints imposed by owners of computer system
    itself
  • what is the computer system i.e. boundary of the
    system that the security system is securing
  • who are the entities and how do we identify them
    as those against whom we will ensure that the
    usage permissions are enforced

10
Security levels
  • the security policy will be enforced by a
    security mechanism - but the use of mechanisms
    involves costs so you must consider whether to
    spend the same amount on securing all items in
    the system or whether different mechanisms (with
    different costs and possibly with different
    levels of effectiveness) may be used to protect
    different items (possibly based on value of the
    item concerned)
  • i.e. is the protection to have different levels
    of security

11
  • the notion of different levels of security has its origin in military/governmental secrecy arrangements - there is some notion of individuals having a security level (e.g. 4 security levels - top secret, secret, confidential, public)
  • a security level allows an individual to access material at that level or below
  • there is also the notion of compartments - which are collections of information that belong together and may be accessed together - obviously an individual must not be allowed access to information at a given level or from a compartment unless they have a need-to-know

12
  • there is a notion of clearance - individual is
    permitted to access items in a given compartment
    and at up to a given level
  • an item to be secured has a classification - a
    security level and a compartment
  • a similar structure can be created for a computer
    system with multiple levels of security
  • items in the system will have both a security
    level and belong to some group/compartment -
    actually most systems do have a very simple 2
    tier security hierarchy of user and
    super-user/system administrator

13
  • the notions of levels and compartments are very similar to an Access Control Matrix - a level identifies a group of users and a compartment a grouping of items; the (i, j)th entry in the matrix/table indicates that an item is only accessible to individuals who have clearance ≥ level i and for compartment j
  • can have a similar table for individuals - an entry in the table represents the clearance of an individual - the (i, j)th entry means the individual is cleared to access items in compartment j at levels ≤ i
  • a dominance relation (as it is called - you can tell it has military origins) is defined - a subject dominates an item basically if the subject has clearance to access the item
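The dominance relation and the level/compartment table above, as an added Python example that is not part of the lecture. It generalises the slide's single compartment per item to a set of compartments (a subject must hold every compartment an item carries); the four-level ordering, the item names and the clearances are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed ordering of the four levels from slide 11; index = rank, higher is more sensitive.
LEVELS = ["public", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security label: one level plus a set of compartments.
    Serves both as an item's classification and as a subject's clearance."""
    level: str
    compartments: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # Dominance: my level is at or above the other's, and I hold every
        # compartment the other carries (the need-to-know part of the check).
        return RANK[self.level] >= RANK[other.level] and other.compartments <= self.compartments


def may_access(clearance: Label, classification: Label) -> bool:
    """A subject may access an item iff its clearance dominates the item's classification."""
    return clearance.dominates(classification)


def build_matrix(items: Dict[str, Label]) -> Dict[Tuple[str, str], Set[str]]:
    """The slide's level x compartment table: cell (level i, compartment j) holds the
    items classified at level i that belong to compartment j."""
    matrix: Dict[Tuple[str, str], Set[str]] = {}
    for name, label in items.items():
        for comp in label.compartments:
            matrix.setdefault((label.level, comp), set()).add(name)
    return matrix


def accessible_items(clearance: Label, items: Dict[str, Label]) -> List[str]:
    """Every item the clearance dominates, sorted for stable output."""
    return sorted(name for name, label in items.items() if may_access(clearance, label))


# Constructed sample items (not from the lecture).
ITEMS = {
    "budget.xls": Label("confidential", frozenset({"finance"})),
    "merger-plan.doc": Label("secret", frozenset({"finance", "legal"})),
    "press-release.txt": Label("public", frozenset({"general"})),
    "sigint-report": Label("top secret", frozenset({"crypto"})),
}

if __name__ == "__main__":
    analyst = Label("secret", frozenset({"finance", "general"}))
    # merger-plan.doc also needs 'legal'; sigint-report is above the analyst's level.
    print(accessible_items(analyst, ITEMS))
```

Note that a "top secret" clearance with no compartments dominates nothing but uncompartmented items: level alone is never enough, which is exactly the need-to-know rule the slide states.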

14
Security models
  • the Access Control Matrix is a very general representation of the usage permissions on all items held by all users within the computer system
  • if implemented in the software of the OS and used to control access to items then it is an access control mechanism; however, given its generality, it is useful to use the idea of an access control matrix as a general way of representing usage permissions in a system even if it is not implemented in software - if it is used as a tool for helping people think about security it is part of a security model

15
  • a security model is simply a way of representing the security of a system at the level of a security policy i.e. it does not try to represent the exact mechanisms used to enforce security; it is used to represent the security policy in a computer system
  • thus it represents the items to be protected, the owners/users, the permissions - the policy is represented by various conditions/constraints that are placed upon the various entities and their relationships

16
  • such models help us to
  • document a policy
  • evaluate a security policy i.e. determine
    whether the policy will manage to enforce the
    security it is supposed to
  • understand how different security policies work
  • The level/compartment matrix is a simple example
    of a security model

17
Beware of confusion
  • in the literature there is often some confusion
    between policies and models
  • this is because most general security policies
    are introduced by use of a specific security
    model that is used to represent and explain the
    security policy
  • thus people then become confused between the
    security model used to represent the policy and
    the particular policy that is being advocated

18
Clark-Wilson commercial model/policy
  • Clark-Wilson - is a commercial security
    policy/model that is most concerned with ensuring
    the integrity (accuracy) of data items
  • Model - this models items in a way very similar
    to objects in an OO system
  • items to be protected are known as constrained
    data items - these items can only be accessed via
    transformation procedures and cannot be accessed
    any other way - i.e. an interface to the data
    item is defined by the transformation procedures
    - analogous to method interface to data held in
    an object

19
  • if all accesses are via transformation procedures then the mechanism of access can be controlled
  • and as with methods for an object - access rights can be defined for methods or transformation procedures i.e. only given individuals are allowed to carry out a given transformation procedure on a data item
  • this is achieved via integrity verification procedures checking the validity of Access Triples that are constituted by (action on data item, data items to be acted on, user using action) - a list of permitted Access Triples is used to define valid access

20
  • Policy - this involves separation of duties - in
    order to complete the processing of a data item
    through various stages a number of different
    individuals are involved none of whom have access
    to all the stages and preferably to only one
    stage. They interface with other individuals who
    act on other stages - at each stage actors are
    required to check consistency of data that has
    been passed on to them - thus corruption in
    system has to involve co-ordination and collusion
    of a number of individuals
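The Clark-Wilson elements of slides 18 to 20 in one added Python example (not code from the lecture): a constrained data item reachable only through transformation procedures, a list of permitted access triples, an integrity verification procedure run after every TP with rollback on failure, and separation of duties across the stages of a workflow. The invoice workflow, the one-stage-per-user rule and the user names are constructed for the example.

```python
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# An access triple as on slide 19: (user, transformation procedure, data item).
Triple = Tuple[str, str, str]


class IntegrityError(Exception):
    """Raised when a stage, or the IVP, finds the CDI in an inconsistent state."""


@dataclass
class Invoice:
    """Constrained data item (constructed example): only ever changed inside a TP."""
    amount: int = 0
    recorded_by: str = ""
    approved_by: str = ""
    paid: bool = False


def invoice_ok(inv: Invoice) -> bool:
    """Integrity verification procedure: invariants every valid invoice satisfies."""
    return (inv.amount >= 0
            and (not inv.approved_by or inv.approved_by != inv.recorded_by)
            and (not inv.paid or bool(inv.approved_by)))


# Transformation procedures. Each stage checks what the previous stage handed over
# before acting on it, as slide 20 requires.
def record(inv: Invoice, user: str, amount: int) -> None:
    inv.amount = amount
    inv.recorded_by = user


def approve(inv: Invoice, user: str) -> None:
    if not inv.recorded_by or inv.amount <= 0:
        raise IntegrityError("nothing valid has been recorded to approve")
    inv.approved_by = user


def pay(inv: Invoice, user: str) -> None:
    if not inv.approved_by:
        raise IntegrityError("cannot pay an unapproved invoice")
    inv.paid = True


class ClarkWilson:
    """Mediates all CDI access: check the triple, run the TP, re-verify with the IVP."""

    def __init__(self, ivp: Callable[[Invoice], bool], stages: List[str]):
        self.cdis: Dict[str, Invoice] = {}
        self.tps: Dict[str, Callable] = {}
        self.triples: Set[Triple] = set()
        self.ivp = ivp
        self.stages = stages  # TPs forming one workflow, subject to separation of duties
        self.audit: List[str] = []

    def add_cdi(self, name: str) -> None:
        self.cdis[name] = Invoice()

    def add_tp(self, name: str, fn: Callable) -> None:
        self.tps[name] = fn

    def certify(self, user: str, tp: str, cdi: str) -> None:
        """Add a permitted triple. Separation-of-duties rule (constructed for this
        example): a user may hold at most one stage of the workflow on a given CDI."""
        held = {t for (u, t, c) in self.triples if u == user and c == cdi and t in self.stages}
        if tp in self.stages and held and tp not in held:
            raise PermissionError(f"{user} already holds stage {sorted(held)} on {cdi}")
        self.triples.add((user, tp, cdi))

    def run(self, user: str, tp: str, cdi: str, *args) -> Invoice:
        if (user, tp, cdi) not in self.triples:
            self.audit.append(f"DENY {user} {tp} {cdi}")
            raise PermissionError(f"no access triple for ({user}, {tp}, {cdi})")
        item = self.cdis[cdi]
        snapshot = copy.deepcopy(item)  # so a TP that breaks the IVP can be undone
        self.tps[tp](item, user, *args)
        if not self.ivp(item):
            self.cdis[cdi] = snapshot
            self.audit.append(f"ROLLBACK {user} {tp} {cdi}")
            raise IntegrityError(f"{tp} by {user} left {cdi} in an invalid state")
        self.audit.append(f"OK {user} {tp} {cdi}")
        return item


def demo() -> ClarkWilson:
    """Three people, one stage each, push a constructed invoice through the workflow."""
    cw = ClarkWilson(invoice_ok, ["record", "approve", "pay"])
    cw.add_cdi("inv-1")
    for name, fn in (("record", record), ("approve", approve), ("pay", pay)):
        cw.add_tp(name, fn)
    cw.certify("alice", "record", "inv-1")
    cw.certify("bob", "approve", "inv-1")
    cw.certify("carol", "pay", "inv-1")
    cw.run("alice", "record", "inv-1", 250)
    cw.run("bob", "approve", "inv-1")
    cw.run("carol", "pay", "inv-1")
    return cw
```

The point of the separation-of-duties check in `certify` is the slide's last sentence: corrupting the invoice now needs alice, bob and carol to collude, because no single triple set lets one user both record and approve, and the IVP undoes any TP that leaves the item inconsistent.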

21
Chinese wall model/policy
  • a commercial security model/policy that is concerned with ensuring confidentiality between different groups/individuals who might have competing interests but that may be using a common service, e.g. a law firm might serve 2 firms which are commercial rivals - thus there is a risk of a conflict of interest among those who provide the legal service to those clients
  • the model involves - 1. objects - items to be protected e.g. files, 2. client groups - grouping of all objects that concern a given client, and 3. conflict classes - each conflict class contains a list of all client groups where clients have competing interests

22
  • those who service the clients need to access items of information that relate to the client
  • the policy requires that access permissions are assigned dynamically
  • if a user needs to access an item in a particular client's group then the system first checks if the user has ever accessed items that belong to another client in the same conflict class; if so then the user cannot access the item from that client group; if not the user can access the desired item, but if this is the first time the user has accessed items from that client group then thereafter the user cannot access any items that belong to client groups of any other client in the same conflict class
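The dynamic rule of slides 21 and 22 as an added Python example, not code from the lecture: objects map to client groups, conflict classes list rival client groups, and each access decision is made against the user's complete access history rather than a fixed permission table. The law firm, the clients, the object names and the request trace are constructed for the example.

```python
from typing import Dict, Iterable, List, Set, Tuple


class ChineseWall:
    """Objects belong to client groups; conflict classes group rival clients.
    Permissions are not fixed in advance: they depend on what the user has accessed."""

    def __init__(self, objects: Dict[str, str], conflict_classes: Iterable[Set[str]]):
        self.objects = objects                  # object name -> client group
        self.rivals: Dict[str, Set[str]] = {}   # client group -> competing client groups
        for cls in conflict_classes:
            for client in cls:
                self.rivals.setdefault(client, set()).update(cls - {client})
        self.history: Dict[str, Set[str]] = {}  # user -> client groups ever accessed

    def request(self, user: str, obj: str) -> bool:
        client = self.objects[obj]
        seen = self.history.setdefault(user, set())
        # Denied if the user has ever accessed a rival of this client. The check is
        # against the whole history, not just the current session.
        if seen & self.rivals.get(client, set()):
            return False
        # A first access binds the user to this client group within its conflict class.
        seen.add(client)
        return True

    def still_open(self, user: str) -> Set[str]:
        """Client groups this user could still be granted a first access to."""
        seen = self.history.get(user, set())
        blocked = set().union(*(self.rivals.get(c, set()) for c in seen))
        return set(self.objects.values()) - blocked


# Constructed sample: a law firm serving two rival banks and two rival oil companies.
OBJECTS = {
    "bankA/ledger": "BankA", "bankA/memo": "BankA",
    "bankB/ledger": "BankB",
    "oilX/report": "OilX", "oilY/report": "OilY",
}
CONFLICT_CLASSES = [{"BankA", "BankB"}, {"OilX", "OilY"}]

# Constructed request trace; the comment on each line is the decision the wall makes.
TRACE = [
    ("ann", "bankA/ledger"),  # first access: allowed, ann is now bound to BankA
    ("ann", "bankA/memo"),    # same client group: allowed
    ("ann", "bankB/ledger"),  # rival of BankA in the same conflict class: denied
    ("ann", "oilX/report"),   # different conflict class: allowed
    ("ann", "oilY/report"),   # rival of OilX: denied
    ("ben", "bankB/ledger"),  # ben has his own history: allowed
]


def simulate(trace: List[Tuple[str, str]]) -> List[bool]:
    """Run a sequence of (user, object) requests against a fresh wall."""
    wall = ChineseWall(OBJECTS, CONFLICT_CLASSES)
    return [wall.request(user, obj) for user, obj in trace]


if __name__ == "__main__":
    for (user, obj), decision in zip(TRACE, simulate(TRACE)):
        print(f"{user:4} {obj:14} {'allow' if decision else 'deny'}")
```

Because the denial depends on history, the same request can be allowed for one user and denied for another, and the order of requests matters: had ann opened bankB/ledger first, BankA would be the group closed to her.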