Special systems: MLS

1
Special systems MLS

• Multilevel security Red book US-DOD 1987
• Considers the assurance risk when composing
  multilevel secure systems evaluated under
  security evaluation criteria.
• Analyzing the security of interoperating and
  individually secure systems can be done in
  polynomial time.
• Given a non-secure network configuration, then
  re-configuring the connections in an optimal way
  (to minimize the impact on interoperability) is
  NP.

2
Multilevel Security (MLS)Bell LaPadula Model

• Security levels L define classification of
  subjects (processes) and objects.
• eg, Unclassified, Secret, Top-Secret.
• Policy lattice of security levels (L,lt)
• xlty level x information may flow to level y.
• Unclassified lt Secret lt Top-Secret

3
Evaluation CriteriaOrange Red Books

• MLS systems assured to different levels of
  assurance based on evaluation criteria.
• (worst) DltC1ltC2ltC3ltB1ltB2ltB3ltA1 (best).
• Evaluated systems must meet minimum risk
  requirements.
• Systems storing high-risk combinations of data
  need high levels of assurance.

System Stores Minimum Assurance
topsecretunclassified B3
topsecretsecret B2
secretunclassified B1
4
Configuring MLS NetworksChannel Cascade Attacks
B
C
A

• Each evaluated system meets criteria.
• However, network has cascading risk
• Attacker breaks system A, copies TS data to S,
• copies this data from System A to B to C,
• breaks system C, copies S(TS) data to U.
• B3 assurance required when protecting TS and U,
  but cascade attack breaks B2 and lower systems.

5
Modeling MLS networksStrategy
B
C
A

• effort((s,l),(s,l))
• The minimum effort required to compromise the
  network and copy/downgrade level l information
  held on system s to level l on system s
• Cascade problem if exists s,s and l, l
• effort((s,l),(s,l)) lt system-assurance

6
Modeling MLS networksStrategy (using Constraints)
B
C
A

• Systems as flow-constraints between the levels of
  data that they store.

7
Modeling MLS networksStrategy (using Constraints)
B
C
A

• Systems as flow-constraints between the levels of
  data that they store.
• Networks as flow-constraints that represent the
  channels that connect systems

8
Modeling MLS networksStrategy (using Constraints)
B
3
C
2
A
0
0
3
1

• Systems as flow-constraints between the levels of
  data that they store.
• Networks as flow-constraints that represent the
  channels that connect systems
• Soft constraint semi-ring as assurance levels

9
Modeling MLS networksStrategy (using Constraints)
B
C
2
A
0
3
3

• Systems as flow-constraints between the levels of
  data that they store.
• Networks as flow-constraints that represent the
  channels that connect systems
• Soft constraint semi-ring as assurance levels
• Cascade Detection finding cascades.

10
Modeling MLS networksStrategy (using Constraints)
B
C
2
A
0
0
1
3

• Systems as flow-constraints between the levels of
  data that they store.
• Networks as flow-constraints that represent the
  channels that connect systems
• Soft constraint semi-ring as assurance levels
• Cascade Detection finding cascades.

11
Ex1 Cascade Free Path
12
Ex1 Cascade Free Path
TsA
TsB
SsC
1s
TdA
SdB
UdC
1d
B2
B3
TS
TS
C
A
B1
S
S
S
U
U
13
Ex1 Cascade Free Path
14
Ex2 Cascading Path
15
Ex2 Cascading Path
B2
TS
D
C2
C
A
B1
S
S
S
U
16
Ex2 Cascading Path
TsA
SsD
SsC
1s
SdA
SdD
UdC
1d
17
Conclusion

• Secure interoperation is difficult!
• Remember when you compose two secure systems you
  could obtain a not secure system!
• In real life
• Add comunications only when really needed!

18
(No Transcript)
19
Questions?

• Thank you for your attention

20
Crisp toward soft constraints
P
combination
projection
21
Crisp toward soft constraints
22
The Semiring Framework

• A c-semiring is a tuple ltA,,,0,1gt such that
• A is the set of all consistency values and 0,
  1?A. 0 is the lowest consistency value and 1 is
  the highest consistency value
• , the additive operator, is a closed,
  commutative, associative and idempotent operation
  such that 1 is its absorbing element and 0 is its
  unit element
• , the multiplicative operator, is a closed and
  associative operation such that 0 is its
  absorbing element, 1 is its unit element and
  distributes over .

Stefano Bistarelli, Ugo Montanari, and Francesca
Rossi, Semiring-based Constraint Solving and
Optimization Journal of the ACM, 44(2)201236,
Mar 1997.
23
Semiring-based Constraints

• Given a semiring ltA,,, 0, 1gt , an ordered set
  of variables V over a finite domain D, a
  constraint is a function which maps an assignment
  ? of the variables in the support of c, supp(c)
  to an element of A.
• Notation c? represents the constraint function c
  evaluated under instantiation ?, returning a
  semiring value.
• Given two constraints c1 and c2, their
  combination is defined as (c1?c2)? c1?c2? .
• The operation ?C represents the combination of a
  set of constraints C.
• a b iff abb
• c1 v c2 iff 8 ? c1? c2?

Stefano Bistarelli, Ugo Montanari and Francesca
Rossi, Soft Concurrent Constraint
Programming, Proceedings of ESOP-2002, LNCS,
April 2002.