Security Models - M. E. Kabay


Security Models
CSH6 Chapter 9: Mathematical Models of Computer Security (Matt Bishop)
Copyright 2014 M. E. Kabay. All rights reserved.

Topics
  - Why Models are Important
  - Models & Security
  - Models & Controls
  - Classic Models
  - Other Models
  - Conclusion

Why Models are Important
  - General description of system
  - Definition of protection
  - Conditions for protection
  - Mathematical models allow proof (assuming model properly implemented)
  - Assumptions are critically important
    - Must verify assumptions to validate applicability of model
  - Chapter 9 presents different types of model (see next slides)

Types of Model
  1) Deciding if a system can be proved to be secure
  2) Describing how computer system applies controls
  3) Describing confidentiality & integrity
  4) Hybrid model mixes requirements

Goals of this chapter
  - Study main models in information security
    - Meaning
    - Applicability
  - Become sensitive to assumptions underlying information assurance

So Why are Models Important?
  - Provide framework for
    - Analyzing systems
    - Focusing security efforts in right place
    - Validating assumptions; or
    - Ensuring assumptions are met in reality
  - Mechanisms
    - Technical
    - Procedural
  - Quality of mechanisms determines security of system
  - Overall: model provides basis for confidence in possibility of effective security

Models & Security
  - Terminology
  - Access-Control Matrix Model
  - Harrison, Ruzzo & Ullman et al.
  - Typed Access-Control Model

Terminology
  - Subject: active entity, e.g., a user
  - Object: passive entity
    - File
    - Device
  - Right: relation between subject & object
    - OPEN: subject can establish path for I/O
    - READ: I/O from file to subject
  - Protection State: {rights(subject)}
  - Instantiation: specific case realizing model

Access-Control Matrix Model (1)
  - Model captures protection state
  - Evolution requires primitive operations
  - Primitives are rules for changing matrix
    - Describe how one adds, changes and removes rights and relations
  - See next slides (CSH6 p 9.4)

Access-Control Matrix Model (2)
  - Primitives (see CSH6 p 9.4)

Access-Control Matrix Model (3)
  - Commands (CSH6 p 9.4)
    - Mono-operational: 1 primitive
    - Conditional
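An added worked example (not code from the slides or from CSH6): an access-control matrix changed only through the six primitive operations, two commands built from them (one monoconditional, one biconditional), and a fixpoint check of the safety question that is valid only for this monotonic, create-free command set. Entity and right names are constructed.

```python
import copy
from itertools import product

class Matrix:
    def __init__(self):
        self.subjects, self.objects, self.rights = set(), set(), {}
    # The six primitive operations that change the protection state.
    def create_subject(self, s):
        self.subjects.add(s); self.objects.add(s)   # a subject is also an object
    def create_object(self, o):
        self.objects.add(o)
    def destroy_subject(self, s):
        self.subjects.discard(s); self.destroy_object(s)
    def destroy_object(self, o):
        self.objects.discard(o)
        for key in [k for k in self.rights if o in k]:
            del self.rights[key]
    def enter(self, r, s, o):
        self.rights.setdefault((s, o), set()).add(r)
    def delete(self, r, s, o):
        self.rights.get((s, o), set()).discard(r)
    def has(self, r, s, o):
        return r in self.rights.get((s, o), set())
    def snapshot(self):
        return frozenset((s, o, r) for (s, o), rs in self.rights.items() for r in rs)

# Commands are guarded sequences of primitives. The signature string says which
# parameters range over subjects (S) and which over objects (O).
def grant_read(m, owner, s, o):   # monoconditional: one test on the matrix
    if m.has("own", owner, o):
        m.enter("read", s, o)

def pass_read(m, s1, s2, o):      # biconditional: two tests joined by "and"
    if m.has("read", s1, o) and m.has("copy", s1, o):
        m.enter("read", s2, o)

COMMANDS = [(grant_read, "SSO"), (pass_read, "SSO")]

def can_acquire(m, right, s, o, commands=COMMANDS):
    """Safety question for `right` in cell (s, o): can any command sequence enter it?
    Decidable by fixpoint only because commands are monotonic and create nothing."""
    m = copy.deepcopy(m)                              # never mutate the live state
    pools = {"S": m.subjects, "O": m.objects}
    before = None
    while before != m.snapshot():                     # repeat until nothing changes
        before = m.snapshot()
        for cmd, sig in commands:
            for args in product(*(pools[k] for k in sig)):
                cmd(m, *args)
    return m.has(right, s, o)

def demo():
    """Constructed scenario: alice owns 'payroll', bob may copy it, nobody owns 'plans'."""
    m = Matrix()
    for name in ("alice", "bob", "eve"):
        m.create_subject(name)
    m.create_object("payroll"); m.create_object("plans")
    m.enter("own", "alice", "payroll"); m.enter("copy", "bob", "payroll")
    return {"payroll": can_acquire(m, "read", "eve", "payroll"),
            "plans": can_acquire(m, "read", "eve", "plans")}
```

The HRU result says no such procedure exists in general; the fixpoint here terminates only because no command can create entities or remove rights.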

Access-Control Matrix Model (4)
  - Applicability (CSH6 p 9.5)
    - Theoretical basis for 2 widely-used mechanisms:
      - Access-control lists (ACLs)
      - Capability lists
    - For modeling
    - Tool: analyze difficulty of determining level of security

Access-Control Matrix Model (5)
  - A few more definitions
    - Command may consist of single primitive operation: called mono-operational command
    - Command with only 1 condition: monoconditional
    - Command with 2 conditions joined by "and": biconditional
    - System has no commands using delete or destroy* primitives: monotonic

  * Remember, these operations apply to rules in the matrix, not to data.

Harrison, Ruzzo & Ullman (1)
  - How can we test to determine if system is secure?
  - Consider
    - Generic right r for specific entity
    - Access-control matrix
    - ("iff" means "if and only if")
  - So system is secure with respect to r iff r cannot be added to an entity in matrix
    - Unless particular subject-object relation includes r as permitted
  - Theorems elaborated to establish bounds of provability (see next slide)

Harrison, Ruzzo & Ullman (2)
  - Safety Question: Is there an algorithm to determine whether a given system with initial state is secure with respect to a given right?
  - Theorem (HRU Result): Safety question undecidable
    - Reduce halting problem to safety question
      - Given a description of a program, decide if it will run forever or terminate
      - Alan Turing proved impossibility of finding general algorithm for this problem
    - Therefore safety question is also undecidable
  - Many other undecidable questions
  - And a few decidable ones

Typed Access-Control Model
  - Adding types to access-control model
    - Define types of data
    - Modify rules to allow for finer categories
  - Model called TAM
  - Definition: acyclic rule set
    - Entity E or descendants cannot create new entity of same type as E
  - Theorem: it is possible to construct an algorithm that will determine if acyclic, monotonic TAMs are secure with respect to generic right r
    - But there's no guarantee of finding such an algorithm

Models & Controls
  - Mandatory Access-Control Model
  - Discretionary Access-Control Model
  - Originator-Controlled Access-Control Model
  - Digital Rights Management
  - Role-Based Access-Control Models & Groups
  - Summary of Models & Controls

Mandatory Access-Control Model
  - MAC sets and enforces access-control rules using a hierarchy of controllers
    - US government classification is a MAC
  - Mandatory because rules must always be followed
    - Authorities (e.g., ISSO = Information Systems Security Officer) determine rules
    - System enforces rules
  - Other examples
    - MULTICS OS ring-based access control
    - Public Key Infrastructure

Discretionary Access-Control Model
  - Owners of data have power to determine access controls
  - DAC: most common access control on computers
  - Combinations
    - Often see both MAC & DAC
    - MAC must be applied first
      - Thus if MAC denies access, no further access or consideration of DAC
      - But once access granted by MAC, DAC can modify (restrict) further

Originator-Controlled Access-Control Model (1)
  - ORCON
  - Originator of data determines access rights
  - Example
    - Medical record must be provided to other health-care specialists involved in treatment
    - But must not be accessible to their staff
  - Formal statement: CSH6 p 9.7

ORCON (2)
  - MAC doesn't work for these situations
    - Would need to define all possible organizations receiving information
    - To include them in access-control matrix
  - DAC doesn't work either
    - Originator has no control over granting of access privileges
  - But combination of MAC & DAC works
    - MAC sets limits
    - DAC allows access within limits

ORCON & DRM
  - Digital rights management illustrates ORCON
    - Copyright owners want to control distribution after they sell license to use materials
    - Music, video, software...
  - Fundamental problem
    - Access controls apply to entities (files, devices, music)
    - ORCON applies to information
    - Once information has been accessed, it is not possible to control distribution through alternate channels
    - E.g., CSH6 electronic copy is protected against data extraction but not against screen shots, as you can see in this presentation.

Role-Based Access-Control (RBAC) Models & Groups
  - Situations often require access controls defined for functional groups
    - Bookkeepers, doctors, nurses, engineers, researchers, administrators...
  - So define
    - Authorized roles for each subject
    - One active role per subject at any 1 time
  - Example: separation of duties
    - Multiple roles must combine efforts to perform task
      - e.g., signing check for >$50K
    - RBAC defines rule preventing same subject from having same role at same time

Summary of Models & Controls
  - Fundamental difference in orientation
    - MAC, DAC, & ORCON are data-centric
    - RBAC is focused on subject's needs
  - Principle of least privilege
    - Assign minimum set of privileges for successful work
    - RBAC constrains set of commands for each subject
    - MAC, DAC, & ORCON set attributes on data
  - Several models have been created that apply combinations of these approaches (see following)
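An added example (not code from the slides) of the RBAC separation-of-duties case above: each subject has a set of authorized roles but only one active role at a time, and a cheque above $50K needs two signing roles exercised by two different people. The role names, the $50K threshold as a constant and the subjects are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

SOD_THRESHOLD = 50_000                       # above this, two people must act
SIGNING_ROLES = ("preparer", "approver")    # the two roles that must combine

@dataclass
class Subject:
    name: str
    authorized: frozenset                   # roles this subject may activate
    active: Optional[str] = None            # one active role per subject at any time

    def activate(self, role):
        if role not in self.authorized:
            raise PermissionError(f"{self.name} is not authorized for role {role!r}")
        self.active = role                  # replaces whatever role was active before

@dataclass
class Cheque:
    amount: int
    signatures: dict = field(default_factory=dict)   # role -> subject name

def sign(cheque, subject):
    """Sign under the subject's active role, enforcing separation of duties."""
    role = subject.active
    if role not in SIGNING_ROLES:
        raise PermissionError(f"active role {role!r} cannot sign cheques")
    if cheque.amount > SOD_THRESHOLD and subject.name in cheque.signatures.values():
        raise PermissionError(f"{subject.name} already signed; a second person is required")
    cheque.signatures[role] = subject.name
    return cheque

def is_fully_signed(cheque):
    if cheque.amount <= SOD_THRESHOLD:
        return len(cheque.signatures) >= 1              # one signature suffices
    both_roles = all(r in cheque.signatures for r in SIGNING_ROLES)
    return both_roles and len(set(cheque.signatures.values())) == 2

def demo():
    """Constructed scenario: alice holds both signing roles but may use only one at a time."""
    alice = Subject("alice", frozenset({"preparer", "approver", "bookkeeper"}))
    bob = Subject("bob", frozenset({"approver"}))
    big = Cheque(75_000)
    alice.activate("preparer")
    sign(big, alice)
    try:                                    # switching roles does not let alice approve her own cheque
        alice.activate("approver")
        sign(big, alice)
        alone = True
    except PermissionError:
        alone = False
    bob.activate("approver")
    sign(big, bob)
    return alone, is_fully_signed(big)
```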

Classic Models
  - Bell-LaPadula Model
  - Biba's Strict Integrity Policy Model
  - Clark-Wilson Model
  - Chinese Wall Model
  - Summary of Classic Models

Bell-LaPadula Model (1)
  - Formalization of government system
  - Looks at confidentiality
    - UNCLASSIFIED, CONFIDENTIAL, SECRET, & TOP SECRET levels for information
  - Example of multilevel security model
  - Terminology
    - UNCLASSIFIED = lowest security level
    - Subject cleared into level: security clearance = level(s)
    - Object classified at level: security classification = level(o)
  - Goal: prevent leakage (information flow from high security classification to lower)

Bell-LaPadula Model (2)
  - Example
    - Documents are classified
      - Paper on Norwich U is CONFIDENTIAL
      - Article on Ecoterrorists is SECRET
      - Book on Al Qaeda is TOP SECRET
    - Tom cleared to SECRET level
    - Then Tom can read WHAT?
    - And Tom cannot read WHAT?

Bell-LaPadula Model (3)
  - Simple security property
    - Subject s can read object o iff level(o) ≤ level(s)
    - AKA no-reads-up rule
    - Cannot stop leakage if higher-clearance subject writes to lower-classification medium
  - *-property (pronounced "star property")
    - s can write o iff level(s) ≤ level(o)
    - AKA no-writes-down rule
  - Discretionary security property
    - s can read o iff access-control matrix entry for s & o contains READ right
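An added example (not code from the slides) of the three Bell-LaPadula properties applied to the Tom example above. It goes beyond the linear levels on this slide by using compartments (level, category set) with the dominates relation, so the EurDoc/EurAsiaDoc case from the compartment slides is covered too. Tom's clearance, the analyst subject and the READ/WRITE matrix entries are constructed.

```python
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
NAMES = {v: k for k, v in LEVELS.items()}

def dom(a, b):
    """Compartment a = (level, categories) dominates b iff its level is at least
    as high and its category set is a superset (a partial order, not a line)."""
    (la, ca), (lb, cb) = a, b
    return LEVELS[la] >= LEVELS[lb] and set(ca) >= set(cb)

def can_read(levels, matrix, s, o):
    # simple security property (no reads up) AND discretionary security property
    return dom(levels[s], levels[o]) and "READ" in matrix.get((s, o), set())

def can_write(levels, matrix, s, o):
    # *-property (no writes down) AND a discretionary WRITE right
    return dom(levels[o], levels[s]) and "WRITE" in matrix.get((s, o), set())

def secure_state(levels, matrix, current):
    """Basic Security Theorem premise: every current access obeys all properties."""
    check = {"read": can_read, "write": can_write}
    return all(check[mode](levels, matrix, s, o) for s, o, mode in current)

def glb(a, b):
    """Highest compartment two subjects can both read (meet)."""
    return (NAMES[min(LEVELS[a[0]], LEVELS[b[0]])], frozenset(a[1]) & frozenset(b[1]))

def lub(a, b):
    """Lowest compartment two subjects can both write (join)."""
    return (NAMES[max(LEVELS[a[0]], LEVELS[b[0]])], frozenset(a[1]) | frozenset(b[1]))

def demo():
    """The slides' example plus compartments; clearances and matrix entries are constructed."""
    levels = {
        "tom": ("SECRET", set()),
        "norwich_paper": ("CONFIDENTIAL", set()),
        "ecoterror_article": ("SECRET", set()),
        "alqaeda_book": ("TOP SECRET", set()),
        "eur_analyst": ("SECRET", {"EUR"}),
        "EurDoc": ("CONFIDENTIAL", {"EUR"}),
        "EurAsiaDoc": ("SECRET", {"EUR", "ASIA"}),
    }
    docs = ["norwich_paper", "ecoterror_article", "alqaeda_book", "EurDoc", "EurAsiaDoc"]
    matrix = {("tom", d): {"READ", "WRITE"} for d in docs}          # DAC grants everything
    matrix.update({("eur_analyst", d): {"READ", "WRITE"} for d in docs})
    return {
        "tom_reads": [d for d in docs if can_read(levels, matrix, "tom", d)],
        "tom_writes": [d for d in docs if can_write(levels, matrix, "tom", d)],
        "analyst_reads": [d for d in docs if can_read(levels, matrix, "eur_analyst", d)],
        "analyst_writes": [d for d in docs if can_write(levels, matrix, "eur_analyst", d)],
        "state_ok": secure_state(levels, matrix, [("tom", "norwich_paper", "read")]),
        "state_leaks": secure_state(levels, matrix, [("tom", "norwich_paper", "write")]),
    }
```

Even with every DAC right granted, Tom cannot read the TOP SECRET book or write into the CONFIDENTIAL paper, and the EUR analyst cannot read a document carrying the ASIA category.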

Bell-LaPadula Model (4)
  - Basic Security Theorem
    - If a system starts in a secure state
    - And if every command obeys all of these:
      - Simple security property
      - *-property
      - Discretionary security property
    - Then the system will remain secure (CSH6 p 9.10)

Bell-LaPadula Model (5)
  - Compartments
    - Category = expansion of security level
    - Security compartment = (level, category set)
    - E.g., level(EurDoc) = (CONFIDENTIAL, {EUR}); level(EurAsiaDoc) = (SECRET, {EUR, ASIA})
    - Cannot talk about > or < because categories no longer linearly ordered
    - Define relation dominates = dom

Bell-LaPadula Model (6)
  - Determining highest security compartment that two subjects can both read and lowest they can both write
  - Properties of compartments
    - Reflexive property: level(s) dom level(s)
    - Antisymmetric property: if both level(s) dom level(o) & level(o) dom level(s) are true, then level(s) = level(o)
    - Transitive property: if level(s1) dom level(o) & level(o) dom level(s2), then level(s1) dom level(s2)

Bell-LaPadula Model (7)
  - Turning it into plain English
    - Reflexive: if accounting files are confidential, then any accounting file is confidential
    - Antisymmetric: if Alice can access the accounting files, and accounting files are at the security level of Alice, then Alice's security level and the accounting files' security level are equivalent
    - Transitive: if Alice can access the accounting files, and the accounting files are of higher security than the personnel files, then Alice can access the personnel files

Bell-LaPadula Model (8)
  - Prof Matt Bishop writes:
    "The influence of the Bell-LaPadula Model permeates all policy modeling in computer security. It was the first mathematical model to capture attributes of a real system in its rules. It formed the basis for several standards, including the [DoD's] Trusted Computer System Evaluation Criteria (the TCSEC or the Orange Book). Even in controversy, the model spurred further studies in the foundations of computer security."
  - Bishop, M. (2003). Computer Security: Art and Science. Addison-Wesley (ISBN 0-201-44099-7). xli + 1084. Index. P 148.

Biba's Strict Integrity Policy Model (1)
  - Instead of confidentiality, consider trustworthiness
  - Define integrity classes i-level(s)
  - Simple integrity property
    - Subject s can read object o iff i-level(o) dom i-level(s)
    - Allows reads up and disallows reads down
    - WHY? Explain.
  - *-integrity property
    - Subject s can write to object o iff i-level(s) dom i-level(o)
    - Allows writes down and disallows writes up
    - WHY? Explain.

Biba's Model (2)
  - Execution integrity property
    - Subject s can execute subject s' iff i-level(s) dom i-level(s')
    - So process can pass data only to less trustworthy (or equally trustworthy) process
    - Cannot pass data to more trustworthy process
    - WHY? Explain.
  - CSH6 p 9.13

Biba's Model (3)
  - Suggests method for testing programs
    - Label all data with tags indicating level of trust
    - Logic in program keeps track of trustworthiness
      - Changes label according to Biba's model
    - Violations of rules raise exceptions
      - Abort
      - Log warning
      - Error message
  - Useful in improving security of programming

Clark-Wilson Model (1)
  - Lipner's Rules for Commercial Integrity Models (CSH6 p 9.14)

Clark-Wilson Model (2)
  - Concepts and terminology
    - Integrity constraints: rules about data relations (e.g., grades in gradebook must match grades on tests)
    - Consistent state: all integrity constraints met
    - Well-formed transactions (WFTs): moving from one consistent state to another (e.g., filling in all the grades from a test, not just some)
    - Integrity verification procedures (IVPs): methods for checking that integrity constraints are met
    - Constrained data items (CDIs): data subject to integrity constraints (all others are unconstrained data items, UDIs)
    - Transformation procedures (TPs): functions defining WFTs; must be certified to be well formed and correctly implemented

Clark-Wilson Model (3)
  - Nine rules
    - 5 for certification of data & TPs
    - 4 for enforcement of certifications
  - Certification Rule 1: IVP ensures consistent state at all times
  - Certification Rule 2: TPs maintain valid states
  - Enforcement Rule 1: Only certified TPs may manipulate associated CDIs
  - Enforcement Rule 2: Every user must be associated with specific TPs and CDIs to be granted access (implies identification & authentication)

Clark-Wilson Model (4)
  - Enforcement Rule 3: Every user must be authenticated before executing a TP
  - Certification Rule 3: Separation of duty is essential
  - Certification Rule 4: Logging is essential and must allow reconstruction of transactions
  - Certification Rule 5: Any TP working with a UDI must either reject the UDI or transform it into a CDI
  - Enforcement Rule 4: As part of the separation of duties principle, only the certifier of a TP may modify its scope; and no certifier may execute the TP.
  - The Clark-Wilson model reflects real-world security policies
    - But a certifier may fraudulently claim to have applied proper certification procedures
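An added example (not code from the slides or from CSH6) that puts the Clark-Wilson rules on the gradebook case used above: the test scores and the gradebook are CDIs, the IVP checks that every gradebook entry matches the test, and the single certified TP runs only for authenticated users named in (user, TP, CDI) triples, refuses its own certifier, validates or rejects the raw-score UDI, and logs the transaction. The user, certifier and credential values are constructed.

```python
import copy, hashlib, hmac
from dataclasses import dataclass, field

@dataclass
class State:
    tests: dict = field(default_factory=dict)      # CDI: test_id -> {student: score}
    gradebook: dict = field(default_factory=dict)  # CDI: student -> {test_id: score}
    log: list = field(default_factory=list)        # CR4: log from which transactions can be reconstructed

def ivp(state):
    """CR1: the integrity constraint holds iff every gradebook entry equals the score on the test."""
    return all(score == state.tests.get(t, {}).get(student)
               for student, row in state.gradebook.items() for t, score in row.items())

# ER1/ER2: the certified TPs and the (user, TP, CDI) triples that authorize access.
CERTIFIED_TPS = {"post_grades": {"certifier": "registrar", "cdis": ("tests", "gradebook")}}
TRIPLES = {("prof_smith", "post_grades", "tests"), ("prof_smith", "post_grades", "gradebook")}
CREDENTIALS = {"prof_smith": hashlib.sha256(b"constructed-password").hexdigest()}
AUTHENTICATED = set()

def login(user, password):                         # ER3: authenticate before any TP (constructed check)
    digest = hashlib.sha256(password.encode()).hexdigest()
    if hmac.compare_digest(digest, CREDENTIALS.get(user, "")):
        AUTHENTICATED.add(user)
    return user in AUTHENTICATED

def post_grades(state, user, test_id, raw_scores):
    """The one certified TP: a well-formed transaction from a consistent state to a consistent state."""
    tp = CERTIFIED_TPS["post_grades"]
    if user not in AUTHENTICATED:                                          # ER3
        raise PermissionError("not authenticated")
    if any((user, "post_grades", c) not in TRIPLES for c in tp["cdis"]):   # ER1, ER2
        raise PermissionError("no (user, TP, CDI) triple permits this access")
    if user == tp["certifier"]:                                            # ER4 / CR3
        raise PermissionError("the certifier of a TP may not execute it")
    if not ivp(state):                                                     # CR1
        raise RuntimeError("inconsistent state before TP")
    # CR5: raw_scores is a UDI; reject it unless it can be turned into a CDI.
    if not all(isinstance(v, int) and 0 <= v <= 100 for v in raw_scores.values()):
        raise ValueError("rejected UDI: scores must be integers in 0..100")
    new = copy.deepcopy(state)                       # all-or-nothing: work on a copy
    new.tests[test_id] = dict(raw_scores)
    for student, score in raw_scores.items():        # fill in ALL grades from the test, not just some
        new.gradebook.setdefault(student, {})[test_id] = score
    if not ivp(new):                                                       # CR2
        raise RuntimeError("TP would leave an inconsistent state")
    state.tests, state.gradebook = new.tests, new.gradebook
    state.log.append((user, "post_grades", test_id, dict(raw_scores)))    # CR4
    return True

def demo():
    state = State()
    login("prof_smith", "constructed-password")
    post_grades(state, "prof_smith", "midterm", {"ann": 91, "ben": 78})
    ok = ivp(state) and len(state.log) == 1
    state.gradebook["ben"]["midterm"] = 100          # tampering outside any TP ...
    return ok, ivp(state)                            # ... is caught by the IVP: (True, False)
```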

Chinese Wall Model
  - AKA Brewer-Nash model
  - Goal: prevent conflicts of interest
  - How?
    - Group data into company data sets
    - Group company data sets into conflict-of-interest classes
    - Rule: if entities are in same conflict-of-interest class, subject cannot read both classes
  - Typical application: attorneys
  - Sanitized class has all confidential content removed

Summary of Classic Models
  - Bell-LaPadula model describes widely-used scheme for protecting confidentiality
  - Biba model focuses on trustworthiness and trust
  - Clark-Wilson model incorporates process integrity
  - Chinese Wall model includes conflicts of interest
  [Image: The Birth of Venus (Nascita di Venere), Sandro Botticelli, c. 1486, Uffizi Gallery, Florence, Italy]
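An added example (not code from the slides) of the Chinese Wall read rule described above: company data sets sit in conflict-of-interest classes, a subject's reading history builds the wall, and sanitized data is always readable. It goes beyond the slide by adding the Brewer-Nash write rule, which stops information read from one data set being written into another. The company and subject names are constructed.

```python
# Conflict-of-interest classes and the company data sets inside them (constructed names).
COI_CLASSES = {"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}}
DATASET_TO_COI = {ds: coi for coi, dss in COI_CLASSES.items() for ds in dss}

class Subject:
    """Tracks which company data sets this subject has already read."""
    def __init__(self, name):
        self.name, self.history = name, set()

def may_read(subject, dataset, sanitized=False):
    """Simple security rule: sanitized data is free; otherwise the object's data set must
    already be in the subject's history, or its COI class must contain none of the data
    sets the subject has read."""
    if sanitized or dataset in subject.history:
        return True
    coi = DATASET_TO_COI[dataset]
    return all(DATASET_TO_COI[h] != coi for h in subject.history)

def read(subject, dataset, sanitized=False):
    if not may_read(subject, dataset, sanitized):
        raise PermissionError(f"{subject.name} may not read {dataset}: conflict of interest")
    if not sanitized:                          # sanitized reads do not build a wall
        subject.history.add(dataset)

def may_write(subject, dataset):
    """*-rule (Brewer-Nash, beyond the slide): writing to a data set is allowed only when
    every unsanitized data set the subject can read is that same data set, so nothing
    read behind one wall can be carried across another by a write."""
    return may_read(subject, dataset) and all(h == dataset for h in subject.history)

def demo():
    att = Subject("attorney")
    read(att, "BankA")                                       # first choice within the banks class
    steps = {"oilx_allowed": may_read(att, "OilX")}          # different class: fine
    read(att, "OilX")
    steps["bankb_allowed"] = may_read(att, "BankB")          # same class as BankA: blocked
    steps["bankb_sanitized"] = may_read(att, "BankB", sanitized=True)
    steps["write_banka"] = may_write(att, "BankA")           # history also holds OilX: blocked
    fresh = Subject("new_hire")
    read(fresh, "BankB")
    steps["fresh_write_bankb"] = may_write(fresh, "BankB")   # only BankB in history: allowed
    return steps
```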

Other Models
  - Specific models applied in specific contexts
    - Clinical Information Systems Security Model
    - Traducement model for real estate
  - Noninterference security: prevent LOW subject from acquiring HIGH data at particular time, but allow HIGH subject to choose to send HIGH data later
  - Deducibility security: prevent inference by LOW subjects

Conclusions
  - Usefulness of the models depends on thoroughness of systems analysis
    - Missing details may invalidate application of model
  - Crucial role in advanced theoretical research in today's information security
    - Especially important for mathematical proof of security in specific well-defined systems

DISCUSSION
