MANDATORY FLOW CONTROL - PowerPoint PPT Presentation

Provided by: Hyde1
Learn more at: https://www.cs.gsu.edu

Transcript and Presenter's Notes



1
MANDATORY FLOW CONTROL
  • Xiao Chen
  • Fall2009 CSc 8320

2
INDEX
  • Section One: Basic Introduction
  • Mandatory Flow Control Models
  • Information Flow Control
  • Lattice Model
  • Multilevel Models
  • Section Two: Contemporary Application
  • Windows Vista IE7 Implements Biba Model
  • Section Three: Future Prospect
  • Improvement of P2P
  • References

3
Section One: Basic Introduction
4
MANDATORY FLOW CONTROL MODELS
  • Definition:
  • Mandatory access control refers to a type of
    access control by which the operating system
    constrains the ability of a subject to access or
    generally perform some sort of operation on an
    object or target.

5
MANDATORY FLOW CONTROL MODELS
  • Why is it necessary when we already have the
    discretionary security model?
  • With the advances in networks and distributed
    systems, it is necessary to broaden the scope to
    include the control of information flow between
    distributed nodes on a system-wide basis, rather
    than only on an individual basis as in
    discretionary control.

6
Difference between Discretionary and Mandatory
access control [4]
  • With mandatory access control, the security
    policy is centrally controlled by a security
    policy administrator; users do not have the
    ability to override the policy and, for example,
    grant access to files that would otherwise be
    restricted.
  • By contrast, discretionary access control (DAC),
    which also governs the ability of subjects to
    access objects, allows users the ability to make
    policy decisions and/or assign security
    attributes.

7
Information Flow Control [1]
  • Definition:
  • Information flow control is concerned with how
    information is disseminated or propagated from
    one object to another.
  • The security classes of all entities must be
    specified explicitly and the class of an entity
    seldom changes after it has been created.

8
The Lattice Model
  • The best-known Information Flow Model
  • Based upon the concept of lattice whose
    mathematical meaning is a structure consisting of
    a finite partially ordered set together with a
    least upper bound and greatest lower bound
    operator on the set.

9
THE LATTICE MODEL
  • A lattice is a Directed Acyclic Graph (DAG) with
    a single source and sink.
  • Information is permitted to flow from a lower
    class to an upper class.

10
Multilevel Security
  • Multilevel Security is a special case of the
    lattice-based information flow model. There are
    two well-known multilevel security models:
  • The Bell-LaPadula Model focuses on
    confidentiality of information.
  • The Biba Model focuses on system integrity.

11
Bell-LaPadula Model
  • Need-to-know principle: A subject is given access
    only to the objects that it requires to perform
    its jobs.
  • Security with respect to confidentiality in the
    Bell-LaPadula model is described by the following
    two axioms:
  • Simple security property: Reading information
    from an object o by a subject s requires that
    SC(s) dominates SC(o) (no read up).
  • The *-property: Writing information to an object
    o by a subject s requires that SC(o) dominates
    SC(s).

12
Biba Model
  • Contrary to the Bell-LaPadula model, in the Biba
    model information can only flow from a higher
    integrity class to a lower integrity class.
  • Integrity levels form a linear lattice in which
    each level represents the classification of
    integrity of information an object can contain or
    the clearance of a subject for modifying an
    object.
  • Integrity categories form a subset lattice and
    are used to enforce the need-to-have principle.

13
Comparison of two Multilevel Models
  • The Bell-LaPadula Model is concerned with
    information confidentiality:
  • subjects reading from an object must have higher
    security class than the object.
  • objects being written to by a subject must have
    higher security class than the subject.
  • The Biba model emphasizes information integrity:
  • subjects writing information to an object must
    have higher security class than the object.
  • objects being read from by a subject must have
    higher security class than the subject.
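
The lattice operators and the two multilevel rule sets from slides 8 to 13, as an added Python example that is not part of the original slides. The encoding of a security class as a level plus a category set, all function names, and the sample labels are assumptions made for illustration; it goes slightly beyond the slides by showing incomparable classes, where neither dominates the other.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SC:
    """Security class: linear level plus category set (assumed encoding)."""
    level: int
    cats: frozenset = frozenset()

    def dominates(self, other: "SC") -> bool:
        # Lattice partial order: higher-or-equal level AND superset of categories.
        return self.level >= other.level and self.cats >= other.cats

def lub(a: SC, b: SC) -> SC:
    """Least upper bound: lowest class that both a and b may flow into."""
    return SC(max(a.level, b.level), a.cats | b.cats)

def glb(a: SC, b: SC) -> SC:
    """Greatest lower bound: highest class that may flow into both a and b."""
    return SC(min(a.level, b.level), a.cats & b.cats)

def blp_allows(subject: SC, obj: SC, op: str) -> bool:
    """Bell-LaPadula (confidentiality): read needs SC(s) >= SC(o), write the reverse."""
    if op == "read":
        return subject.dominates(obj)   # simple security property
    if op == "write":
        return obj.dominates(subject)   # *-property
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subject: SC, obj: SC, op: str) -> bool:
    """Biba (integrity): the dual rules, no read down and no write up."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation: {op}")

# Constructed sample labels, not taken from the slides.
SECRET_NAVY = SC(2, frozenset({"navy"}))
SECRET_ARMY = SC(2, frozenset({"army"}))
CONFIDENTIAL = SC(1)
LOW_BROWSER = SC(0)      # integrity label of a low-integrity process
MEDIUM_DOCS = SC(1)      # integrity label of a user documents folder

if __name__ == "__main__":
    print(blp_allows(SECRET_NAVY, CONFIDENTIAL, "read"))   # reading a dominated object
    print(blp_allows(SECRET_NAVY, SECRET_ARMY, "read"))    # incomparable classes
    print(lub(SECRET_NAVY, SECRET_ARMY))                   # class able to hold both
    print(biba_allows(LOW_BROWSER, MEDIUM_DOCS, "write"))  # write up
```

Two classes with the same level but disjoint categories are incomparable, so Bell-LaPadula denies both reading and writing between them; information from both can only be combined in an object labelled with their least upper bound.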

14
SECTION TWO: CONTEMPORARY APPLICATION
15
IE7 IMPLEMENTS BIBA MODEL [2]
  • According to the 2 rules of the Biba Integrity
    Model:
  • Simple Security Axiom: A subject at a particular
    integrity level must not be able to read from an
    object of a lower integrity level, i.e. "No Read
    Down".
  • Star Property Axiom: A subject at a particular
    level of integrity must not be able to write on
    to an object of higher integrity level, i.e. "No
    Write Up".

16
IE7 IMPLEMENTS BIBA MODEL [2]
  • Keeping the integrity level of IE7 (Protected
    Mode) at low makes sure that any thread started
    by IE7 will bear the same integrity level and
    thus would not be able to write to any
    folder/application in the system which is at a
    higher integrity level (Star Property Axiom).
    Therefore the only folders where IE7 based
    programs can write into are the following, as
    they are assigned the same integrity level as
    IE7:
  • Temporary Internet Files
  • Cookies
  • Recycle Bin
  • Various Registry keys, including ones under
    HKCU\Software\Microsoft\Internet Explorer

17
IE7 IMPLEMENTS BIBA MODEL [2]
  • On the other hand, if you want to save a file
    downloaded through IE7 to a local folder like "My
    Documents", the application warns the user and
    informs them that this will require elevating
    privileges to save the file to an alternate
    location.
  • If it's a .exe file that needs to be installed,
    IE 7 prompts for further elevation by asking for
    admin privilege password.

18
SECTION THREE: FUTURE PROSPECT
19
FUTURE WORK
  • Multilevel models have been used mostly in
    military systems, although as we will see later,
    they are useful to control attacks to different
    parts of a system.
  • In particular, Joshi et al. [Jos01] discuss the
    improvement of these models for web-based
    applications. They consider Role-based access
    control as the most suitable model but think that
    in the future it needs to be extended to consider
    dynamic and task-based aspects. This is a good
    direction for future work. [3]

20
REFERENCE
  • [1] Distributed Operating Systems & Algorithms,
    Randy Chow and Theodore Johnson, Addison Wesley,
    1997.
  • [2] IE7 Implements Biba Model,
    http://ranjanajain.spaces.live.com/blog/cns!5F09EF6281DD4DB0!221.entry?sa390277086
  • [3] Eduardo B. Fernandez, Chapter 4. Security
    models, http://www.cse.fau.edu/ed/Ch4SecModels.pdf
  • [4] http://en.wikipedia.org/wiki/Mandatory_access_control