Transcript Chapter 5-1
Chapter 5 – Designing Trusted Operating Systems
In this section
What is a trusted system?
Security Policy
Military
Commercial
Clark-Wilson
Separation of Duty
Chinese Wall
Models
Lattice Model
Bell-La Padula
Biba
Graham-Denning
Take-Grant
Designing Trusted OS
Primary security in computing systems
Primary Security
Memory
File
Objects/Access Control
User Authentication
Trusted – We are confident that services are provided
consistently and effectively
Making of a trusted OS
Policy – requirements statement of what it should do
Model – model of the environment to be secured;
represents the policy to be enforced
Design – the means of implementation; functionality
and construction
Trust – assurance of meeting expectation through the
features offered
What is a trusted system?
What makes something secure?
For how long?
Trusted Software – rigorously developed and analyzed
Key Characteristics of Trusted Software:
Functional Correctness
Enforcement of Integrity
Limited Privilege
Appropriate Confidence Level
We speak in terms of trusted and not secure
Many types of Trust:
Trusted Process
Trusted Product
Trusted Software
Trusted Computing Base
Trusted System
Through:
Enforcement of Security Policy
Sufficiency of Measures and Mechanism
Evaluation
Security Policy
Security Policy – statement of the security we expect
the system to enforce
A trusted system can be trusted only in relation to its
security policy, that is, to the security needs the system
is expected to satisfy
Military Security Policy
Basis of many OS security policies
Based on protecting classified information
Top Secret (most sensitive), Secret, Confidential,
Restricted, Unclassified (least sensitive)
Limited by the Need-to-Know rule: Access is allowed
only to subjects who need to know data to perform job.
Compartments – classification information may be
associated with one or more projects describing the
subject matter of the information
Classification - <rank; compartments>
This enforces need-to-know both by security level and by
topic
Clearance – person is trusted to access information up to a
given level of sensitivity with need-to-know
Dominance, on a set of Objects (o) and Subjects (s)
s ≤ o if and only if
rank(s) ≤ rank(o) and
compartments(s) ⊆ compartments(o)
We say o dominates s (or s is dominated by o)
Dominance is used to limit the sensitivity and content of
information a subject can access
A subject can read an object only if:
clearance level of the subject is at least as high as the
information
Subject has a need-to-know about all compartments for
which the information is classified
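The <rank; compartments> label and the dominance check above, written out as an added Python example (not code from the lecture). The rank names follow the slide; the compartment names, the analyst's clearance and the object labels are constructed sample data.

```python
# Added example (not from the lecture): <rank; compartments> labels and the
# dominance relation, with the read check that follows from it.
from dataclasses import dataclass

# Ranks ordered from least to most sensitive, as listed on the slide.
RANKS = {"Unclassified": 0, "Restricted": 1, "Confidential": 2,
         "Secret": 3, "Top Secret": 4}


@dataclass(frozen=True)
class Label:
    """A classification (object) or clearance (subject): <rank; compartments>."""
    rank: str
    compartments: frozenset = frozenset()

    def __post_init__(self):
        if self.rank not in RANKS:
            raise ValueError(f"unknown rank: {self.rank!r}")


def dominates(a: Label, b: Label) -> bool:
    """a dominates b (b <= a) iff rank(b) <= rank(a) AND compartments(b) is a
    subset of compartments(a). Rank alone is never enough."""
    return RANKS[b.rank] <= RANKS[a.rank] and b.compartments <= a.compartments


def can_read(clearance: Label, classification: Label) -> bool:
    """A subject may read an object only if its clearance dominates the object's
    classification: level high enough and need-to-know for every compartment."""
    return dominates(clearance, classification)


def comparable(a: Label, b: Label) -> bool:
    """False when neither label dominates the other: labels form a lattice,
    not a total order, once compartments are involved."""
    return dominates(a, b) or dominates(b, a)


# Constructed sample: an analyst cleared Secret for the CRYPTO and NUCLEAR compartments.
analyst = Label("Secret", frozenset({"CRYPTO", "NUCLEAR"}))

memo      = Label("Confidential", frozenset({"CRYPTO"}))               # lower rank, subset -> readable
ts_report = Label("Top Secret",   frozenset({"CRYPTO"}))               # rank too high -> denied
missiles  = Label("Secret",       frozenset({"NUCLEAR", "MISSILES"}))  # no need-to-know for MISSILES -> denied
unclass   = Label("Unclassified")                                      # no compartments -> readable

if __name__ == "__main__":
    for name, obj in [("memo", memo), ("ts_report", ts_report),
                      ("missiles", missiles), ("unclass", unclass)]:
        print(f"{name:10s} readable by analyst: {can_read(analyst, obj)}")
    # Two labels that are incomparable: neither dominates the other.
    other = Label("Secret", frozenset({"NUCLEAR"}))
    print("memo vs Secret;{NUCLEAR} comparable:", comparable(memo, other))
```

The `missiles` case is the one worth noticing: the analyst holds the right rank but lacks one compartment, so need-to-know by topic blocks the read even though need-to-know by level is satisfied.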
Commercial Security Policies
Worried about espionage
Degrees of sensitivity:
Public
Proprietary
Internal
No dominance function for most commercial policies
since no formal clearance is needed
Integrity and availability are just as, if not more,
important than confidentiality
Clark-Wilson Commercial Security Policy
This is based on Integrity
Policy on well-formed transactions
Sequence of activities
Performing steps in order, performing exactly the steps
listed, and authentication of individuals in the steps
(well-formed transactions)
Goal: maintain consistency between internal data and
external (users’) expectation of data
Constrained data items which are processed by
transformation procedures
Separation of Duty
The required division of responsibilities is called
separation of duty
Accomplished manually by means of dual signatures
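An added Python example (not from the lecture) of the Clark-Wilson ideas in the two slides above: constrained data items changed only through certified transformation procedures, an integrity verification procedure that must hold after every step, an append-only log, and separation of duty enforced both statically (no user holds both halves of a dual-signature workflow) and dynamically (the submitter cannot be the approver). The payment scenario, user names and amounts are constructed for illustration.

```python
# Added example (not from the lecture): a toy Clark-Wilson monitor.
from typing import Callable, Dict, List, Set, Tuple


class IntegrityError(Exception):
    """A transformation would have left a CDI in an invalid state."""


class ClarkWilsonMonitor:
    # Static separation of duty: no user may be authorized for both TPs of a pair.
    SOD_PAIRS = [("submit_payment", "approve_payment")]

    def __init__(self) -> None:
        self.cdis: Dict[str, dict] = {}                    # constrained data items
        self.tps: Dict[str, Callable] = {}                 # certified transformation procedures
        self.triples: Set[Tuple[str, str, str]] = set()    # allowed (user, TP, CDI)
        self.log: List[tuple] = []                         # append-only audit trail

    def add_cdi(self, name: str, balance: int) -> None:
        self.cdis[name] = {"balance": balance, "pending": None}

    def certify_tp(self, name: str, fn: Callable) -> None:
        self.tps[name] = fn

    def authorize(self, user: str, tp: str, cdi: str) -> None:
        """Add a (user, TP, CDI) triple, refusing combinations that break separation of duty."""
        for a, b in self.SOD_PAIRS:
            other = b if tp == a else a if tp == b else None
            if other and (user, other, cdi) in self.triples:
                raise PermissionError(f"{user} already holds {other} on {cdi}")
        self.triples.add((user, tp, cdi))

    @staticmethod
    def ivp(cdi: dict) -> bool:
        """Integrity verification procedure: an account is never overdrawn."""
        return cdi["balance"] >= 0

    def run(self, user: str, tp: str, cdi_name: str, **args) -> dict:
        """Execute one well-formed transaction: authorized user, certified TP,
        IVP holds afterwards (otherwise roll back), and the step is logged."""
        if (user, tp, cdi_name) not in self.triples:
            raise PermissionError(f"{user} may not run {tp} on {cdi_name}")
        cdi = self.cdis[cdi_name]
        snapshot = dict(cdi)
        try:
            self.tps[tp](cdi, user, **args)
            if not self.ivp(cdi):
                raise IntegrityError(f"{tp} would leave {cdi_name} invalid")
        except Exception:
            cdi.clear()
            cdi.update(snapshot)       # CDI returns to its last valid state
            raise
        self.log.append((user, tp, cdi_name, dict(cdi)))
        return dict(cdi)


# Two TPs forming one dual-signature workflow.
def submit_payment(cdi: dict, user: str, amount: int) -> None:
    if cdi["pending"] is not None:
        raise IntegrityError("a payment is already awaiting approval")
    cdi["pending"] = (amount, user)


def approve_payment(cdi: dict, user: str) -> None:
    if cdi["pending"] is None:
        raise IntegrityError("nothing to approve")
    amount, submitter = cdi["pending"]
    if submitter == user:                      # dynamic separation of duty
        raise PermissionError("submitter may not approve their own payment")
    cdi["balance"] -= amount
    cdi["pending"] = None


def demo() -> dict:
    """Constructed scenario; returns the outcomes so they can be checked."""
    m = ClarkWilsonMonitor()
    m.add_cdi("acct", balance=100)
    m.certify_tp("submit_payment", submit_payment)
    m.certify_tp("approve_payment", approve_payment)
    m.authorize("alice", "submit_payment", "acct")
    m.authorize("bob", "approve_payment", "acct")
    out = {}
    try:
        m.authorize("alice", "approve_payment", "acct")   # static SoD violation
        out["alice_gets_both"] = True
    except PermissionError:
        out["alice_gets_both"] = False
    m.run("alice", "submit_payment", "acct", amount=70)
    out["after_first"] = m.run("bob", "approve_payment", "acct")["balance"]   # 30
    m.run("alice", "submit_payment", "acct", amount=50)
    try:
        m.run("bob", "approve_payment", "acct")       # IVP fails: would overdraw
        out["overdraft_allowed"] = True
    except IntegrityError:
        out["overdraft_allowed"] = False
    out["final"] = m.cdis["acct"]                      # rolled back: balance 30, payment still pending
    out["log_entries"] = len(m.log)
    return out


if __name__ == "__main__":
    print(demo())
```

The second approval shows why the IVP runs after every TP rather than only at certification time: the TP itself is correct, but the data it is applied to would violate the invariant, so the monitor restores the snapshot and nothing reaches the log.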
Chinese Wall Security Policy
Used in legal, medical, investment and accounting
firms
Addresses the conflict of interest
Security Policy Builds on:
Objects – low level
Company Groups – mid level
Conflict Classes – high level, groups of objects of
competing companies are clustered
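The three-level structure of the Chinese Wall policy (objects, company groups, conflict classes) with the read rule it implies, as an added Python example that is not part of the lecture. Company names, conflict classes and file names are constructed sample data.

```python
# Added example (not from the lecture): Chinese Wall read mediation built on
# objects -> company groups -> conflict classes.
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class ChineseWall:
    def __init__(self, conflict_classes: Dict[str, Set[str]]) -> None:
        # High level: conflict classes, each a set of competing companies.
        self.conflict_classes = conflict_classes
        # Mid level: each company belongs to exactly one conflict class.
        self.class_of = {co: cls for cls, cos in conflict_classes.items() for co in cos}
        # Low level: objects are files tagged with the company they belong to.
        self.owner_of: Dict[str, str] = {}
        # The wall is history-based: what each subject has already read.
        self.history: Dict[str, Set[str]] = defaultdict(set)

    def add_object(self, obj: str, company: str) -> None:
        if company not in self.class_of:
            raise ValueError(f"unknown company {company!r}")
        self.owner_of[obj] = company

    def can_read(self, subject: str, obj: str) -> bool:
        """Read is allowed unless the subject has already read data of a competitor,
        i.e. a different company in the same conflict class."""
        company = self.owner_of[obj]
        for seen in self.history[subject]:
            if seen != company and self.class_of[seen] == self.class_of[company]:
                return False
        return True

    def read(self, subject: str, obj: str) -> bool:
        """Mediate a read and record it; the first read within a class builds the wall."""
        if not self.can_read(subject, obj):
            return False
        self.history[subject].add(self.owner_of[obj])
        return True


def demo() -> List[Tuple[str, bool]]:
    wall = ChineseWall({
        "banks": {"BankA", "BankB"},
        "oil":   {"OilX", "OilY"},
    })
    wall.add_object("bankA_q3.xlsx", "BankA")
    wall.add_object("bankB_audit.pdf", "BankB")
    wall.add_object("oilX_reserves.csv", "OilX")
    wall.add_object("bankA_memo.txt", "BankA")
    # One analyst: BankA first, then OilX (other class, fine), then BankB
    # (competitor of BankA, denied), then more BankA material (same company, fine).
    steps = ["bankA_q3.xlsx", "oilX_reserves.csv", "bankB_audit.pdf", "bankA_memo.txt"]
    return [(obj, wall.read("analyst", obj)) for obj in steps]


if __name__ == "__main__":
    for obj, ok in demo():
        print(f"{obj:20s} {'allowed' if ok else 'DENIED'}")
```

Unlike the military and Clark-Wilson policies, the decision here depends on the subject's own past accesses, so the monitor must keep per-subject history; a second analyst with an empty history could still read the BankB audit.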
Models of Security
Security Models are used to:
Test a particular policy for completeness and consistency
Document policy
Help conceptualize and design an implementation
Check whether an implementation meets its
requirements
Policy is established outside any model
Model is only a mechanism that enforces the policy
Multilevel Security
Build a model to represent a range of sensitivities and
to reflect the need to separate subjects rigorously from
objects to which they should not have access
The generalized model is called the Lattice Model of
Security
Bell-La Padula Confidentiality Model
Formal description of allowable paths of flow in a
secure system
Formalization of the military security policy
Two properties:
Simple Security Property – A subject s may have read
access to object o only if C(o) ≤ C(s)
*-Property – A subject s who has read access to an object
o may have write access to an object p only if C(o) ≤ C(p)
C(s) – clearance; C(o) – classification
Write-down – a high-level subject transfers high-level
data to a low-level object (prevented by the *-property)
Figure 5-7 Secure Flow of Information.
Biba Integrity Model
Bell-La Padula model applies only to secrecy
Biba is about Integrity and defines integrity levels
Properties:
Simple Integrity Property – Subject s can modify (have
write access to) object o only if I(s) ≥ I(o)
*-Property – if subject s has read access to object o with
integrity level I(o), s can have write access to object p
only if I(o) ≥ I(p) [write-down]
Totally ignores secrecy
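The two Bell-La Padula properties and the two Biba properties, enforced by one small reference monitor exactly as they are stated on the slides above, as an added Python example that is not from the lecture. Because both *-properties are phrased in terms of what the subject has already read, the monitor records each subject's reads. Subject and object names and their integer C() and I() levels are constructed sample data.

```python
# Added example (not from the lecture): a reference monitor enforcing BLP
# (secrecy, C) and Biba (integrity, I) side by side.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entity:
    name: str
    C: int     # secrecy: clearance for a subject, classification for an object
    I: int     # integrity level


class Monitor:
    def __init__(self) -> None:
        self.reads: Dict[str, List[Entity]] = defaultdict(list)   # what each subject has read
        self.decisions: List[Tuple[str, str, str, str]] = []      # audit of every decision

    def _deny(self, op: str, s: Entity, o: Entity, why: str) -> bool:
        self.decisions.append((op, s.name, o.name, f"denied: {why}"))
        return False

    def read(self, s: Entity, o: Entity) -> bool:
        if not o.C <= s.C:                      # BLP simple security: C(o) <= C(s)
            return self._deny("read", s, o, "BLP simple security (no read-up)")
        self.reads[s.name].append(o)
        self.decisions.append(("read", s.name, o.name, "allowed"))
        return True

    def write(self, s: Entity, p: Entity) -> bool:
        if not s.I >= p.I:                      # Biba simple integrity: I(s) >= I(o)
            return self._deny("write", s, p, "Biba simple integrity")
        for o in self.reads[s.name]:
            if not o.C <= p.C:                  # BLP *-property: C(o) <= C(p)
                return self._deny("write", s, p, f"BLP *-property, would write down {o.name}")
            if not o.I >= p.I:                  # Biba *-property: I(o) >= I(p)
                return self._deny("write", s, p, f"Biba *-property, {o.name} is lower integrity")
        self.decisions.append(("write", s.name, p.name, "allowed"))
        return True


def demo() -> Dict[str, bool]:
    m = Monitor()
    alice    = Entity("alice",      C=2, I=2)   # Secret clearance, high integrity
    secret   = Entity("secret.doc", C=2, I=2)
    log      = Entity("ops.log",    C=1, I=1)   # Confidential, lower integrity
    ts_plan  = Entity("ts.plan",    C=3, I=2)   # Top Secret
    web_page = Entity("web.html",   C=0, I=0)   # public, untrusted content
    out = {}
    out["read_secret"]        = m.read(alice, secret)      # True
    out["read_up_ts"]         = m.read(alice, ts_plan)     # False: no read-up
    out["write_down_log"]     = m.write(alice, log)        # False: BLP *, alice has read Secret data
    out["write_up_ts"]        = m.write(alice, ts_plan)    # True: fine for both secrecy and integrity
    out["read_web"]           = m.read(alice, web_page)    # True: BLP allows reading down
    out["write_ts_after_web"] = m.write(alice, ts_plan)    # False: Biba *, low-integrity data would flow up
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

The last two steps show the models working against each other: BLP is happy for alice to read public content, but once she has, Biba forbids her from writing anything trusted. Under both models together, a subject's legal write targets are the objects at least as secret as everything it has read and no more trustworthy than the least trustworthy thing it has read.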
Graham-Denning Model
Formal System of Protection Rules
Access Control Mechanism (matrix) of a protection system
Eight Primitive Protection Rights
Create object, Create subject, Delete object and Delete
subject
Read access right
Grant access right
Delete access right
Transfer access right
Matrix: A[s,o]
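The eight Graham-Denning rules applied to the matrix A[s,o], as an added Python example that is not from the lecture. The preconditions I use for each rule (an "owner" right on objects, a "control" right on subjects, and a copy flag written as a trailing "*" on a right) follow the usual formulation of the model and are my assumptions; the subjects, objects and rights in the scenario are constructed data.

```python
# Added example (not from the lecture): a toy protection system implementing the
# eight Graham-Denning primitive rights on the access matrix A[s, o].
from collections import defaultdict
from typing import Dict, Set, Tuple


class GrahamDenning:
    def __init__(self, first_subject: str) -> None:
        self.subjects: Set[str] = {first_subject}       # one initial subject to bootstrap
        self.objects: Set[str] = set()
        self.A: Dict[Tuple[str, str], Set[str]] = defaultdict(set)   # A[(s, o)] -> rights

    def _require(self, cond: bool, msg: str) -> None:
        if not cond:
            raise PermissionError(msg)

    # 1. create object: the creator becomes its owner
    def create_object(self, s: str, o: str) -> None:
        self._require(s in self.subjects and o not in self.objects, "bad create object")
        self.objects.add(o)
        self.A[(s, o)].add("owner")

    # 2. create subject: the creator gets control over the new subject
    def create_subject(self, s: str, s2: str) -> None:
        self._require(s in self.subjects and s2 not in self.subjects, "bad create subject")
        self.subjects.add(s2)
        self.A[(s, s2)].add("control")

    # 3. delete object: only its owner may; the whole column disappears
    def delete_object(self, s: str, o: str) -> None:
        self._require("owner" in self.A[(s, o)], f"{s} does not own {o}")
        self.objects.discard(o)
        for key in [k for k in self.A if k[1] == o]:
            del self.A[key]

    # 4. delete subject: requires control over it; its row and column disappear
    def delete_subject(self, s: str, s2: str) -> None:
        self._require("control" in self.A[(s, s2)], f"{s} does not control {s2}")
        self.subjects.discard(s2)
        for key in [k for k in self.A if s2 in k]:
            del self.A[key]

    # 5. read access right: see what s2 holds on o if s owns o or controls s2
    def read_access(self, s: str, s2: str, o: str) -> Set[str]:
        self._require("owner" in self.A[(s, o)] or "control" in self.A[(s, s2)],
                      f"{s} may not read A[{s2},{o}]")
        return set(self.A[(s2, o)])

    # 6. grant access right: the owner of o may give any right, with or without "*"
    def grant_access(self, s: str, r: str, s2: str, o: str) -> None:
        self._require("owner" in self.A[(s, o)], f"{s} does not own {o}")
        self.A[(s2, o)].add(r)

    # 7. delete access right: the owner of o or the controller of s2 may revoke
    def delete_access(self, s: str, r: str, s2: str, o: str) -> None:
        self._require("owner" in self.A[(s, o)] or "control" in self.A[(s, s2)],
                      f"{s} may not delete rights of {s2} on {o}")
        self.A[(s2, o)].discard(r)

    # 8. transfer access right: s may pass on r (or r*) only if s itself holds r*
    def transfer_access(self, s: str, r: str, s2: str, o: str) -> None:
        base = r.rstrip("*")
        self._require(base + "*" in self.A[(s, o)], f"{s} holds no copyable {base} on {o}")
        self.A[(s2, o)].add(r)


def demo() -> dict:
    ps = GrahamDenning("root")
    ps.create_subject("root", "alice")
    ps.create_subject("root", "bob")
    ps.create_object("root", "payroll")
    ps.grant_access("root", "read*", "alice", "payroll")    # alice may read and pass read on
    ps.transfer_access("alice", "read", "bob", "payroll")   # bob gets read without the copy flag
    out = {"bob_rights": ps.read_access("root", "bob", "payroll")}
    try:
        ps.transfer_access("bob", "read", "alice", "payroll")   # no copy flag: denied
        out["bob_can_transfer"] = True
    except PermissionError:
        out["bob_can_transfer"] = False
    try:
        ps.delete_access("alice", "read", "bob", "payroll")     # alice neither owns payroll nor controls bob
        out["alice_can_revoke"] = True
    except PermissionError:
        out["alice_can_revoke"] = False
    ps.delete_access("root", "read", "bob", "payroll")
    out["bob_rights_after"] = ps.read_access("root", "bob", "payroll")
    ps.delete_subject("root", "bob")
    out["bob_exists"] = "bob" in ps.subjects
    return out


if __name__ == "__main__":
    print(demo())
```

The copy flag is the detail that matters for propagation: alice can hand "read" to bob because she holds "read*", but since she passed it on without the flag, bob cannot spread it further, and only the owner (or bob's controller) can take it back.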
Take-Grant Systems
Four primitives: create, revoke, take and grant