Information Security
INFORMATION SECURITY:
CONFIDENTIALITY POLICIES
(CHAPTER 4)
Dr. Shahriar Bijani
Shahed University
SLIDES REFERENCES
Matt Bishop, Computer Security: Art and
Science, the author homepage, 2002-2004.
Chris Clifton, CS 526: Information Security
course, Purdue University, 2010.
CHAPTER 5: CONFIDENTIALITY POLICIES
Overview
What is a confidentiality model
Bell-LaPadula Model
General idea
Informal description of rules
Formal description of rules
Tranquility
Controversy
*-property
System Z
OVERVIEW
Bell-LaPadula
Informally
Formally
Example Instantiation
Tranquility
Controversy
System Z
CONFIDENTIALITY POLICY
Goal: prevent the unauthorized disclosure of
information
Deals with information flow
Multi-level security models are best-known
examples
Bell-LaPadula Model basis for many, or most, of these
BACKGROUND
Clearance levels
Top Secret
In-depth background check; highly trusted individual
Secret
Routine background check; trusted individual
For Official Use Only/Sensitive
No background check, but limited distribution; minimally trusted individuals
May be exempt from disclosure
Unclassified
Unlimited distribution; untrusted individuals
BELL-LAPADULA MODEL (STEP 1)
Security levels arranged in linear ordering
Top Secret: highest
Secret
Confidential
Unclassified: lowest
Levels consist of:
Subject has security clearance L(s) = l_s
Object has security classification L(o) = l_o
Clearance/Classification ordered:
l_i < l_{i+1}
Mandatory access control
EXAMPLE
security level    | subject | object
l4: Top Secret    | Bill    | Personnel Files
l3: Secret        | Samuel  | E-Mail Files
l2: Confidential  | Claire  | Activity Logs
l1: Unclassified  | John    | Telephone Lists
• Bill can read all files
• Claire cannot read Personnel or E-Mail Files
• John can only read Telephone Lists
READING INFORMATION
Information flows up, not down
“Reads up” disallowed, “reads down” allowed
Simple Security Condition (Step 1)
Subject s can read object o iff L(o) ≤ L(s) and s
has permission to read o
Note: combines mandatory control (relationship of security
levels) and discretionary control (the required permission)
Sometimes called “no reads up” rule
WRITING INFORMATION
Information flows up, not down
“Writes up” allowed, “writes down” disallowed
*-Property (Step 1)
Subject s can write object o iff L(s) ≤ L(o) and s
has permission to write o
Note: combines mandatory control (relationship of security
levels) and discretionary control (the required permission)
Sometimes called “no writes down” rule
BASIC SECURITY THEOREM, STEP 1
If a system is initially in a secure state, and
every transition of the system satisfies the simple
security condition, step 1, and the *-property,
step 1, then every state of the system is secure
Proof: induct on the number of transitions
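The step 1 rules and the Basic Security Theorem, as an added example (not code from the slides or from Bishop's book): the four linear levels and the Bill/Claire/John objects come from the example slide, the discretionary permission table is constructed so that every decision is made by the mandatory rules, and the transition loop is an assumed toy model that grants a request only when the resulting state is still secure, which is exactly the inductive step of the theorem.

```python
# Added example (not from the slides): Bell-LaPadula step 1 with a linear
# ordering of security levels, on the Bill/Claire/John example.

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}   # l_1 < l_2 < l_3 < l_4

# L(s) for subjects and L(o) for objects, as on the example slide
SUBJECT_LEVEL = {"Bill": "Top Secret", "Samuel": "Secret",
                 "Claire": "Confidential", "John": "Unclassified"}
OBJECT_LEVEL = {"Personnel Files": "Top Secret", "E-Mail Files": "Secret",
                "Activity Logs": "Confidential", "Telephone Lists": "Unclassified"}

def leq(l1, l2):
    """Linear order on levels: l_i < l_{i+1}."""
    return RANK[l1] <= RANK[l2]

def simple_security(s, o, dac):
    """Simple Security Condition (step 1): read allowed iff L(o) <= L(s)
    and the discretionary matrix grants s read on o ("no reads up")."""
    return leq(OBJECT_LEVEL[o], SUBJECT_LEVEL[s]) and "r" in dac.get((s, o), "")

def star_property(s, o, dac):
    """*-Property (step 1): write allowed iff L(s) <= L(o)
    and the discretionary matrix grants s write on o ("no writes down")."""
    return leq(SUBJECT_LEVEL[s], OBJECT_LEVEL[o]) and "w" in dac.get((s, o), "")

# Constructed discretionary matrix: everyone has rw on everything, so the
# outcomes below are decided purely by the mandatory rules.
DAC_ALL = {(s, o): "rw" for s in SUBJECT_LEVEL for o in OBJECT_LEVEL}

def readable_by(s, dac=DAC_ALL):
    return sorted(o for o in OBJECT_LEVEL if simple_security(s, o, dac))

def writable_by(s, dac=DAC_ALL):
    return sorted(o for o in OBJECT_LEVEL if star_property(s, o, dac))

def state_is_secure(accesses, dac=DAC_ALL):
    """A state is a set of current (subject, object, mode) accesses. It is
    secure iff every read satisfies the simple security condition and every
    write satisfies the *-property."""
    for s, o, mode in accesses:
        if mode == "r" and not simple_security(s, o, dac):
            return False
        if mode == "w" and not star_property(s, o, dac):
            return False
    return True

def run_transitions(requests, dac=DAC_ALL):
    """Basic Security Theorem (step 1) as a simulation: start from the empty
    (secure) state and grant a request only if the new state is still secure.
    Returns the final access set and the list of refused requests."""
    state = set()
    refused = []
    for s, o, mode in requests:
        candidate = state | {(s, o, mode)}
        if state_is_secure(candidate, dac):
            state = candidate
        else:
            refused.append((s, o, mode))
    assert state_is_secure(state, dac)   # invariant kept by every transition
    return state, refused

if __name__ == "__main__":
    print("Bill reads:", readable_by("Bill"))
    print("Claire reads:", readable_by("Claire"))
    print("John reads:", readable_by("John"))
    final, refused = run_transitions([
        ("John", "Telephone Lists", "r"),
        ("John", "Personnel Files", "w"),   # write up: allowed
        ("Bill", "Telephone Lists", "w"),   # write down: refused
        ("Claire", "E-Mail Files", "r"),    # read up: refused
    ])
    print("refused:", refused)
```

Note that John, the least trusted subject, may write into Personnel Files: the *-property protects confidentiality only, and says nothing about the integrity of what ends up at a higher level.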
BASICS: PARTIALLY ORDERED SET
A set S with relation ≤ (written (S, ≤)) is called a
partially ordered set if ≤ is
Reflexive
For all a in S, a ≤ a
Anti-symmetric
If a ≤ b and b ≤ a then a = b
Transitive
For all a, b, c in S, a ≤ b and b ≤ c implies a ≤ c
BACKGROUND: POSET EXAMPLES
Natural numbers with less than (total order)
Sets under the subset relation (not a total order)
Natural numbers ordered by divisibility
BACKGROUND: LATTICE
Partially ordered set (S, ≤) and two operations:
greatest lower bound (glb X)
Greatest element less than all elements of set X
least upper bound (lub X)
Least element greater than all elements of set X
Every lattice has
bottom (glb L), a least element
top (lub L), a greatest element
BACKGROUND: LATTICE EXAMPLES
Natural numbers in an interval (0 .. n) with less than
Also the linear order of clearances
(U ≤ FOUO ≤ S ≤ TS)
The powerset of a set of generators under inclusion
E.g. powerset of security categories
{NUC, Crypto, ASI, EUR}
The divisors of a natural number under divisibility
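The poset axioms and the lub/glb operations of the last three slides, as an added example (not from the slides): a checker for finite relations that tests reflexivity, anti-symmetry and transitivity, decides whether a poset is a lattice by looking for a least upper bound and a greatest lower bound of every pair, and runs on the slides' own examples, the powerset of {NUC, Crypto, ASI, EUR} under inclusion and the divisors of a natural number under divisibility. The four-element poset NOT_A_LATTICE is constructed here to show the caveat that not every partial order is a lattice.

```python
# Added example (not from the slides): partial orders and lattices on
# finite sets, checked by brute force.
from itertools import combinations

def is_partial_order(S, leq):
    """True iff leq is reflexive, anti-symmetric and transitive on S."""
    S = list(S)
    if not all(leq(a, a) for a in S):
        return False
    for a in S:
        for b in S:
            if leq(a, b) and leq(b, a) and a != b:
                return False            # anti-symmetry violated
            for c in S:
                if leq(a, b) and leq(b, c) and not leq(a, c):
                    return False        # transitivity violated
    return True

def is_total_order(S, leq):
    """A partial order in which every pair is comparable."""
    S = list(S)
    return is_partial_order(S, leq) and all(leq(a, b) or leq(b, a) for a in S for b in S)

def lub(S, leq, X):
    """Least upper bound of X within S: an upper bound of X that is below
    every other upper bound. None if no such element exists."""
    X = list(X)
    uppers = [u for u in S if all(leq(x, u) for x in X)]
    for u in uppers:
        if all(leq(u, v) for v in uppers):
            return u
    return None

def glb(S, leq, X):
    """Greatest lower bound of X within S, or None."""
    X = list(X)
    lowers = [l for l in S if all(leq(l, x) for x in X)]
    for l in lowers:
        if all(leq(m, l) for m in lowers):
            return l
    return None

def is_lattice(S, leq):
    """A poset is a lattice iff every pair has both a lub and a glb."""
    S = list(S)
    return is_partial_order(S, leq) and all(
        lub(S, leq, (a, b)) is not None and glb(S, leq, (a, b)) is not None
        for a in S for b in S)

def powerset(gens):
    gens = list(gens)
    return [frozenset(c) for r in range(len(gens) + 1) for c in combinations(gens, r)]

def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]

# The slides' examples
CATEGORIES = powerset({"NUC", "Crypto", "ASI", "EUR"})
subset = lambda a, b: a <= b                 # inclusion
DIV12 = divisors(12)
divides = lambda a, b: b % a == 0            # divisibility
INTERVAL = range(0, 6)
le = lambda a, b: a <= b

# Constructed counterexample: a, b both below c and d, so {a, b} has two
# minimal upper bounds and no least one.
NOT_A_LATTICE_REL = {("a", "a"), ("b", "b"), ("c", "c"), ("d", "d"),
                     ("a", "c"), ("a", "d"), ("b", "c"), ("b", "d")}
NOT_A_LATTICE = "abcd"
rel = lambda x, y: (x, y) in NOT_A_LATTICE_REL

if __name__ == "__main__":
    print("powerset is lattice:", is_lattice(CATEGORIES, subset))
    print("lub({NUC},{EUR}) =", set(lub(CATEGORIES, subset, [frozenset({"NUC"}), frozenset({"EUR"})])))
    print("glb(4,6) in divisors of 12 =", glb(DIV12, divides, [4, 6]))
    print("counterexample is lattice:", is_lattice(NOT_A_LATTICE, rel))
```

For the powerset, lub is set union and glb is set intersection; for divisors, lub is the least common multiple and glb the greatest common divisor. The brute-force search finds those without being told, which is what makes it a useful check on a hand-drawn Hasse diagram.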
BELL-LAPADULA MODEL (STEP 2)
Total order of classifications not flexible enough
Solution: Categories
S can access O if C(O) ⊆ C(S)
Combining with clearance:
(L, C) dominates (L', C') iff L' ≤ L and C' ⊆ C
Induces lattice instead of levels
Expand notion of security level to include categories
Security level is (clearance, category set)
BELL-LAPADULA MODEL (BLP)
Lattice Example 1 (subsets of {NUC, EUR, US} under inclusion, top to bottom):
{NUC, EUR, US}
{NUC, EUR}, {NUC, US}, {EUR, US}
{NUC}, {EUR}, {US}
Lattice Example 2 (security levels):
(Top Secret, {NUC, EUR, ASI})
(Confidential, {EUR, ASI})
(Secret, {NUC, ASI})
LEVELS AND LATTICES
dom (dominates) relation
(L, C) dom (L', C') iff L' ≤ L and C' ⊆ C
Examples
(Top Secret, {NUC, ASI}) dom (Secret, {NUC})
(Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
(Top Secret, {NUC}) ¬dom (Confidential, {EUR})
Let C be the set of clearances, K the set of categories. The set of
security levels L = C × K and dom form a lattice
lub(L) = (max(C), K)
glb(L) = (min(C), ∅)
LEVELS AND ORDERING
Security levels partially ordered
Any pair of security levels may (or may not) be
related by dom
“dominates” serves the role of “greater than” in
step 1
But “greater than” is a total ordering,
READING INFORMATION
Information flows up, not down
“Reads up” disallowed, “reads down” allowed
Simple Security Condition (Step 2)
Subject s can read object o iff L(s) dom L(o) and
s has permission to read o
Note: combines mandatory control (relationship of security
levels) and discretionary control (the required permission)
Sometimes called “no reads up” rule
WRITING INFORMATION
Information flows up, not down
“Writes up” allowed, “writes down” disallowed
*-Property (Step 2)
Subject s can write object o iff L(o) dom L(s) and
s has permission to write o
Note: combines mandatory control (relationship of security
levels) and discretionary control (the required permission)
Sometimes called “no writes down” rule
BASIC SECURITY THEOREM (STEP 2)
If a system is initially in a secure state, and
every transition of the system satisfies the simple
security condition (step 2) and the *-property
(step 2) then every state of the system is secure
Proof: induct on the number of transitions
EXAMPLE
George is cleared into security level (SECRET, { NUC, EUR }),
DocA is classified as ( CONFIDENTIAL, { NUC } ), DocB is classified
as ( SECRET, { EUR, US }), and DocC is classified as (SECRET, {
EUR }). Then:
George dom DocA as CONFIDENTIAL ≤ SECRET and
{ NUC } ⊆ { NUC, EUR }
George ¬dom DocB as { EUR, US } ⊄ { NUC, EUR }
George dom DocC as SECRET ≤ SECRET and { EUR } ⊆ { NUC, EUR }
George can read DocA and DocC but not DocB (assuming the
discretionary access controls allow such access).
Suppose Paul is cleared as (SECRET, { EUR, US, NUC }) and has
discretionary read access to DocB. Paul can read DocB; were he to
copy its contents to DocA and set its access permissions accordingly,
George could then read DocB!?
The *-property (step 2) prevents this
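The dom relation, the lub/glb of security levels, the step 2 read and write rules and the George/Paul scenario of the preceding slides, as one added example (not code from the slides or from Bishop's book). Clearance names are upper-cased to match the George example; the discretionary permission table DAC is constructed so that Paul may read DocB and, on the discretionary side, write DocA, which lets the code show that it is the mandatory *-property, not DAC, that stops the copy.

```python
# Added example (not from the slides): Bell-LaPadula step 2 security levels
# (clearance, category set) and the dom relation.

CLEARANCES = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {c: i for i, c in enumerate(CLEARANCES)}
CATEGORIES = frozenset({"NUC", "EUR", "US", "ASI"})   # K, the category set

def dom(a, b):
    """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
    (L, C), (Lp, Cp) = a, b
    return RANK[Lp] <= RANK[L] and frozenset(Cp) <= frozenset(C)

def comparable(a, b):
    """dom is only a partial order: some pairs are related neither way."""
    return dom(a, b) or dom(b, a)

def lub(a, b):
    """Least upper bound: the higher clearance and the union of categories."""
    return (max(a[0], b[0], key=RANK.get), frozenset(a[1]) | frozenset(b[1]))

def glb(a, b):
    """Greatest lower bound: the lower clearance and the intersection."""
    return (min(a[0], b[0], key=RANK.get), frozenset(a[1]) & frozenset(b[1]))

TOP = ("TOP SECRET", CATEGORIES)        # lub of the whole lattice, (max(C), K)
BOTTOM = ("UNCLASSIFIED", frozenset())  # glb of the whole lattice, (min(C), empty set)

# Levels from the George example slide
LEVEL = {
    "George": ("SECRET", {"NUC", "EUR"}),
    "Paul":   ("SECRET", {"EUR", "US", "NUC"}),
    "DocA":   ("CONFIDENTIAL", {"NUC"}),
    "DocB":   ("SECRET", {"EUR", "US"}),
    "DocC":   ("SECRET", {"EUR"}),
}

# Constructed DAC: George may read every document; Paul may read DocB and
# has discretionary write on DocA (the copy attempted in the scenario).
DAC = {("George", d): "r" for d in ("DocA", "DocB", "DocC")}
DAC[("Paul", "DocB")] = "r"
DAC[("Paul", "DocA")] = "rw"

def can_read(s, o, dac):
    """Simple security condition (step 2): L(s) dom L(o), plus DAC read."""
    return dom(LEVEL[s], LEVEL[o]) and "r" in dac.get((s, o), "")

def can_write(s, o, dac):
    """*-property (step 2): L(o) dom L(s), plus DAC write."""
    return dom(LEVEL[o], LEVEL[s]) and "w" in dac.get((s, o), "")

def george_readable():
    return sorted(d for d in ("DocA", "DocB", "DocC") if can_read("George", d, DAC))

def paul_can_leak_docB_via_docA():
    """Paul reads DocB, then tries to write into DocA. The write is a write
    down (DocA's level does not dominate Paul's), so the *-property refuses
    it even though DAC would allow it."""
    return can_read("Paul", "DocB", DAC) and can_write("Paul", "DocA", DAC)

if __name__ == "__main__":
    print("George can read:", george_readable())
    print("Paul can read DocB:", can_read("Paul", "DocB", DAC))
    print("Paul can write DocA:", can_write("Paul", "DocA", DAC))
    print("leak possible:", paul_can_leak_docB_via_docA())
    print("incomparable:", not comparable(("TOP SECRET", {"NUC"}), ("CONFIDENTIAL", {"EUR"})))
```

The lub and glb here are exactly the lattice operations of the powerset example (union and intersection) paired with max and min on the linear clearance order, which is why the product of a total order and a powerset is again a lattice.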
PROBLEM
Colonel has (Secret, {NUC, EUR}) clearance
Major has (Secret, {EUR}) clearance
Major can talk to colonel (“write up” or “read down”)
Colonel cannot talk to major (“read up” or “write down”)
Not Desired!
SOLUTION
Define maximum, current levels for subjects
maxlevel(s) dom curlevel(s)
Example
Treat Major as an object (Colonel is writing to him)
Colonel has maxlevel (Secret, { NUC, EUR })
Colonel sets curlevel to (Secret, { EUR })
Now L(Major) dom curlevel(Colonel)
Colonel can write to Major without violating “no writes down”
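The maximum/current level solution for the Colonel and the Major, as an added example (not code from the slides). Names and levels follow the two slides above; the Subject class is an assumption of this example, and so is the choice to check reads against maxlevel while checking writes against curlevel, which follows the formal Bell-LaPadula model rather than anything stated on these slides.

```python
# Added example (not from the slides): subjects with a maximum level and a
# current level, maxlevel(s) dom curlevel(s), writes judged at curlevel.

RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def dom(a, b):
    """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
    return RANK[b[0]] <= RANK[a[0]] and frozenset(b[1]) <= frozenset(a[1])

class Subject:
    def __init__(self, name, maxlevel):
        self.name = name
        self.maxlevel = maxlevel
        self.curlevel = maxlevel        # starts at the maximum

    def set_curlevel(self, level):
        """Accept the new current level only if maxlevel dom level, i.e. a
        subject may lower itself but never rise above its clearance or add
        a category it is not cleared for. Returns True on success."""
        if not dom(self.maxlevel, level):
            return False
        self.curlevel = level
        return True

def can_read(subject, object_level):
    """Simple security condition: maxlevel(s) dom L(o)."""
    return dom(subject.maxlevel, object_level)

def can_write(subject, object_level):
    """*-property with a current level: L(o) dom curlevel(s)."""
    return dom(object_level, subject.curlevel)

def colonel_major_demo():
    """Treat the Major as an object the Colonel writes to. Before lowering the
    current level the write is refused; afterwards it is allowed."""
    colonel = Subject("Colonel", ("Secret", {"NUC", "EUR"}))
    major_level = ("Secret", {"EUR"})
    before = can_write(colonel, major_level)
    lowered = colonel.set_curlevel(("Secret", {"EUR"}))
    after = can_write(colonel, major_level)
    return before, lowered, after

if __name__ == "__main__":
    print("write before/after lowering curlevel:", colonel_major_demo())
    major = Subject("Major", ("Secret", {"EUR"}))
    print("Major can write up to Colonel:", can_write(major, ("Secret", {"NUC", "EUR"})))
    print("Major may raise to NUC:", major.set_curlevel(("Secret", {"EUR", "NUC"})))
```

Lowering curlevel is what lets the Colonel write to the Major, but it also means that while at (Secret, {EUR}) the Colonel cannot write anything back into the NUC compartment until the current level is raised again; the change only affects the write check, and reads stay governed by maxlevel.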
SYSTEMS BUILT ON BELL-LAPADULA (BLP)
BLP was a simple model
Intent was that it could be enforced by simple
mechanisms
File system access control was the obvious choice
Multics (1965) implemented BLP
Unix inherited its discretionary AC from Multics