Access Control and the Bell-LaPadula Model
CS 4235
Historical Background
• Physical access control
• No mixing of data (sensitive vs not)
• Hardwired terminal access
• No multiplexing of users and data
• What happens when all the data is stored in the same place and users with different trust levels are allowed to access it?
  – The multi-level security problem
Documents vs People
• Documents have classifications
  – Top Secret
  – Secret
  – Confidential
  – Unclassified
    • Sensitive
    • Non-sensitive
• People have clearances
  – Top Secret
  – Secret
  – Q
• There are also code words that are not classifications: ULTRA identified information encrypted with Enigma machines
• Categories – how material is handled
  – Sensitive Compartmented Information (SCI) – Intelligence
    • Operations and methods
    • Nuclear secrets
    • Stealth
  – Special Access Programs (SAP) – Defense
    • Acknowledged
    • Unacknowledged
    • Waived
  – Solves two logistical problems
    • Collateral clearances for everyone would be expensive
    • Need to limit information to those with a need to know
  – SIGMA (Department of Energy)
  – SAP/SCI requires a Secure Compartmented Information Facility (SCIF)
Caveats and Other Codes
• NOFORN
• RESTRICTED
• NO CONTRACTOR
• REL TO
People are cleared to
• Classification levels
• Categories
• Other labels
Discretionary Access Control
• E.g., Unix permissions
• Set access conditions on a file so that only a group of your choosing can read it
• Anyone with access can propagate the information by resetting permissions
Mandatory Access Control
• Security authority sets permissions
• Only the security authority can propagate information
• Violations are very serious
Orderings
• TS > S > C
• How about
  – (S//NUC//NOFORN) vs TS?
  – (TS//EUR/25x1) vs (TS//CRYPTO//PROPIN)?
Access Control Models
[Diagram: subjects S1, S2, S3, S4 request an operation on objects O1, O2, O3, O4; each request (S,O,R) is answered YES/NO]
• Read (observe)
• Write (observe, alter)
• Execute (no observe, no alter)
• Append (alter, no observe)
• Accesses take the system from state to state
• All accesses must be allowed by MAC rules
[Diagram: states σ1, σ2, σ3 linked by the accesses (S,a,read) and (T,b,append)]
• If you start in a secure state, do you end up in a secure state?
Granting Access Should Not Violate MAC
[Diagram: a subject READs a high-level object and WRITEs a low-level object; the arrows show the resulting flow of information from the high level to the low level]
Simple Security Property
• The current level of a subject dominates the level of every object that it observes
• Like paper systems
• "No read up"
*-Property
• If S can observe a and alter b, then a ≤ b
• "No write down"
Partial Orders
• S = {a1, a2, …, an}
• P = (S, ≤) is a partial order (PO) iff
  – If a ≤ b and b ≤ a, then a = b (anti-symmetric)
  – If a ≤ b and b ≤ c, then a ≤ c (transitive)
  – a ≤ a (reflexive)
• Examples
  – Natural numbers under ≤
  – Subsets under ⊆
• How about
  – Choices on a ballot under "is preferred to"?
  – People under "trusts"?
Lattices
• A POSET S
• Every subset of S has a greatest lower bound
• Every subset of S has a least upper bound
[Diagram: a subset of S containing x1 and x2; the elements drawn above it (x3, x4, x5, …) are all upper bounds of the subset, and the LUB is the least of them]
Security Levels
• A security level is a pair (c, s) where
  – c is a classification from a POSET of classifications (e.g., U, S, TS, but the exact classifications don't matter)
  – s is a set of categories (e.g., NUC, CRYPTO, …, but the exact categories don't matter)
• (c1, s1) ≥ (c2, s2) iff c1 ≥ c2 and s2 ⊆ s1
• Levels form a lattice
Assigning Security Levels to Subjects and Objects
• level(S), level(O) = security level of S, O
• current-level(S) = levels at which S can operate
• current-level(S) ≤ level(S)
• level(S) = max(current-level(S)) is called S's clearance
Security Properties
• SS-property: For any (S, O, A), if A includes observation then level(S) ≥ level(O)
  – "No read up"
• *-property: For any (S, O, A)
  – r ∈ A implies current-level(S) ≥ level(O)
  – a ∈ A implies current-level(S) ≤ level(O)
  – w ∈ A implies current-level(S) = level(O)
  – "No write down"
  – If a subject can observe O1 and modify O2, then level(O2) ≥ level(O1)
Lattice Model
• Information only flows up the lattice
• System enforces the SS and * properties
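The partial-order axioms, the (c, s) lattice of security levels and the SS/* properties above can be exercised in a few dozen lines. The following Python is an added example, not code from the slides: the classification ladder U < C < S < TS and the category names are assumed for illustration, and check_access is one straightforward encoding of the two properties as stated on the slides (observation modes r and w trigger the SS check; r, a and w are constrained by current-level as in the *-property; execute is unconstrained).

```python
from dataclasses import dataclass
from itertools import product

# Assumed classification ladder, lowest to highest (the slides say the exact names don't matter).
CLASSIFICATIONS = ["U", "C", "S", "TS"]


def _rank(c):
    return CLASSIFICATIONS.index(c)


@dataclass(frozen=True)
class Level:
    """A security level (c, s): classification c plus a set of categories s."""
    c: str
    s: frozenset

    def __post_init__(self):
        if self.c not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {self.c!r}")

    def dominates(self, other):
        """(c1, s1) >= (c2, s2) iff c1 >= c2 and s2 is a subset of s1."""
        return _rank(self.c) >= _rank(other.c) and other.s <= self.s

    def join(self, other):
        """Least upper bound: the higher classification and the union of categories."""
        return Level(max(self.c, other.c, key=_rank), self.s | other.s)

    def meet(self, other):
        """Greatest lower bound: the lower classification and the intersection of categories."""
        return Level(min(self.c, other.c, key=_rank), self.s & other.s)


def L(c, *cats):
    """Shorthand: L("TS", "NUC", "CRYPTO") is the level (TS, {NUC, CRYPTO})."""
    return Level(c, frozenset(cats))


def is_partial_order(levels):
    """Check the three PO axioms of 'dominates' on a finite set of levels."""
    levels = list(levels)
    reflexive = all(a.dominates(a) for a in levels)
    antisymmetric = all(not (a.dominates(b) and b.dominates(a)) or a == b
                        for a, b in product(levels, repeat=2))
    transitive = all(not (a.dominates(b) and b.dominates(c)) or a.dominates(c)
                     for a, b, c in product(levels, repeat=3))
    return reflexive and antisymmetric and transitive


def check_access(level_s, current_s, level_o, mode):
    """Bell-LaPadula decision for one (S, O, A) request with A in {r, w, a, e}.

    SS-property: observing modes (r, w) need level(S) >= level(O)      ("no read up").
    *-property:  r needs current-level(S) >= level(O);
                 a needs current-level(S) <= level(O);
                 w needs current-level(S) == level(O)                   ("no write down").
    Execute neither observes nor alters, so neither property constrains it.
    """
    if not level_s.dominates(current_s):
        raise ValueError("current-level(S) must be dominated by level(S)")
    if mode in ("r", "w") and not level_s.dominates(level_o):
        return False                      # SS-property violated
    if mode == "r":
        return current_s.dominates(level_o)
    if mode == "a":
        return level_o.dominates(current_s)
    if mode == "w":
        return current_s == level_o
    if mode == "e":
        return True
    raise ValueError(f"unknown access mode {mode!r}")


if __name__ == "__main__":
    ts_nuc, s_nuc, ts = L("TS", "NUC"), L("S", "NUC"), L("TS")
    # (S, {NUC}) and (TS, {}) are incomparable: neither dominates the other
    print(ts_nuc.dominates(ts), ts.dominates(s_nuc), s_nuc.dominates(ts))
    print("join:", s_nuc.join(ts), " meet:", s_nuc.meet(ts))
    print("read TS at current S:", check_access(ts_nuc, L("S"), ts, "r"),
          " append to TS at current S:", check_access(ts_nuc, L("S"), ts, "a"))
```

The incomparable pair (S, {NUC}) vs (TS, {}) is exactly the "(S//NUC//NOFORN) vs TS" question from the Orderings slide: the lattice answers it with a join rather than forcing a total order.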
A MAC Implementation
• Unix file system
• Label all files and directories with levels
• Assign level(u) to each user u
• u is initially assigned the lowest current-level
• Allow current-level(u) to float as higher-level files are observed
• If level(u) < current-level(u), issue kill(u)
• If level(f) < level(u) and u writes to f, issue kill(u)
• Is this secure?
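To reason about the "Is this secure?" question it helps to trace the floating-label rules on a concrete sequence of reads and writes. The simulation below is an added example, not the slides' own code: it stands in a constructed total order of integer levels 0..3 for the lattice (so floating up is max and dominance is >=), and the file names, users and clearances are made up. It implements the two kill rules literally as the slide states them, which makes two details visible: the read rule kills only after current-level(u) has already floated past level(u), and the write rule compares level(f) against the clearance level(u), not against current-level(u).

```python
# Constructed stand-in for the lattice: integer levels 0 (lowest) .. 3, a total order,
# so "floating up" is max() and dominance is >=.
LOWEST = 0


class Killed(Exception):
    """Raised when one of the slide's two kill(u) rules fires."""


class FloatingLabelFS:
    def __init__(self, file_levels, user_levels):
        self.file_level = dict(file_levels)            # level(f) for every labelled file
        self.level = dict(user_levels)                 # level(u): the user's clearance
        self.current = {u: LOWEST for u in self.level} # u starts at the lowest current-level
        self.killed = set()

    def _alive(self, u):
        if u in self.killed:
            raise Killed(f"{u} was already killed")

    def read(self, u, f):
        """Observe f: current-level(u) floats up to level(f); kill if it now exceeds level(u)."""
        self._alive(u)
        self.current[u] = max(self.current[u], self.file_level[f])
        if self.level[u] < self.current[u]:
            self.killed.add(u)
            raise Killed(f"current-level({u}) = {self.current[u]} exceeds level({u}) = {self.level[u]}")
        return self.current[u]

    def write(self, u, f):
        """Alter f: kill u when level(f) < level(u) (the slide compares against clearance)."""
        self._alive(u)
        if self.file_level[f] < self.level[u]:
            self.killed.add(u)
            raise Killed(f"level({f}) = {self.file_level[f]} < level({u}) = {self.level[u]}")
        return True


def run_scenario():
    """Constructed trace: alice is cleared to 2, bob to 3; files labelled 0, 2 and 3."""
    fs = FloatingLabelFS({"public": 0, "secret": 2, "topsecret": 3},
                         {"alice": 2, "bob": 3})
    steps = [("alice", "read", "public"), ("alice", "read", "secret"),
             ("alice", "read", "topsecret"), ("bob", "read", "topsecret"),
             ("bob", "write", "topsecret"), ("bob", "write", "public")]
    trace = []
    for u, op, f in steps:
        try:
            getattr(fs, op)(u, f)
            trace.append((u, op, f, "ok", fs.current[u]))
        except Killed as why:
            trace.append((u, op, f, "kill", str(why)))
    return trace


if __name__ == "__main__":
    for row in run_scenario():
        print(*row)
```

Each row of the trace is (user, operation, file, outcome, detail); the detail is the user's current-level after a successful step or the reason a kill rule fired.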
Covert Channels
• Low bandwidth
• Outside the models
  – Channel not designed for communication
  – Shared resource
  – Allows information to be transmitted from High to Low (*-property violation)
• Semantics
  Scotland Yard Detective Gregory: "Is there any other point to which you would wish to draw my attention?"
  Holmes: "To the curious incident of the dog in the night time."
  Gregory: "The dog did nothing in the night time."
  Holmes: "That was the curious incident."
Example
• High process: if bit i of the protected file is 1, then position the disk head at time t = i outside the current volume
• Low process: detect the position of the head at time t = i
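The point of this example is that the disk head is a shared resource the model does not treat as an object, so neither the SS-property nor the *-property is ever consulted for it. The toy simulation below is an added example, not from the slides: a two-level order (HIGH = 1, LOW = 0), a constructed SharedResource standing in for the head, and a Monitor that applies the two properties only when the resource carries a label. Running the slide's scheme against an unlabelled head reproduces the leak; giving the head a label at the high level makes the low process's observation fail the SS check, and the monitor's denial counter gives an auditor something to alarm on.

```python
HIGH, LOW = 1, 0   # constructed two-level order: 1 dominates 0


class SharedResource:
    """Constructed model of the disk head: one position any process can set or read."""
    def __init__(self, label=None):
        self.position = "inside"
        self.label = label          # None: the resource is not an object the monitor knows about


class Monitor:
    """Toy reference monitor applying the SS-property (observe) and *-property (alter)
    to a resource, but only if that resource carries a label."""
    def __init__(self, resource):
        self.res = resource
        self.denied = 0             # audit counter: how many requests were refused

    def alter(self, subject_level, position):
        # *-property for alter: current-level(S) <= level(O)
        if self.res.label is not None and not subject_level <= self.res.label:
            self.denied += 1
            return False
        self.res.position = position
        return True

    def observe(self, subject_level):
        # SS-property for observe: level(S) >= level(O)
        if self.res.label is not None and not subject_level >= self.res.label:
            self.denied += 1
            return None
        return self.res.position


def transmit(bits, labelled):
    """Replay the slide's example: at each time t = i the high process encodes bit i in the
    head position and the low process reads the position back.
    Returns (bits seen by Low, number of requests the monitor denied)."""
    mon = Monitor(SharedResource(HIGH if labelled else None))
    received = []
    for bit in bits:
        mon.alter(HIGH, "outside" if bit else "inside")
        seen = mon.observe(LOW)
        received.append(None if seen is None else int(seen == "outside"))
    return received, mon.denied


if __name__ == "__main__":
    secret_bits = [1, 0, 1, 1, 0]          # constructed contents of the protected file
    print("unlabelled head:", transmit(secret_bits, labelled=False))
    print("head labelled HIGH:", transmit(secret_bits, labelled=True))
```

With the resource left outside the model every bit arrives at Low with no denial recorded; with the label in place Low sees nothing and every attempt shows up in the denial count.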
Types of Channels
• Storage channel
• Timing channel
• Sequential process IDs
• Shared file locks
• File access times
• Application channels
• IRC signalling
Other Access Control Models
• Biba Integrity Model
• Lampson-Graham-Denning
• Harrison-Ruzzo-Ullman
• Take-Grant
Trusted Systems
• Orange Book
• Trusted Network Interpretation
• Common Criteria
• European and Canadian Criteria
Trust Levels
• D – no requirements
• C1/C2/B1 – commercial-strength security features
• B2 – rigorous demonstration of security by mathematical analysis ("proof")
• B3/A1 – formal designs and mathematical proof
Commercial Protection
• C1
  – Discretionary security protection
  – Cooperating users
  – All data at the same sensitivity level
  – Tamper-resistant
• C2
  – Controlled access protection
  – Finer grained than C1
  – Audit trails
• B1
  – Labeled security protection
  – Each subject and object assigned its own level
  – Bell-LaPadula
  – DAC to provide further controls
Structured Protection and Security Domains
• B2 = B1 + Design Requirement
  – Verifiable top-level design
  – Testing to verify that the implementation satisfies the design
  – Design consisting of well-defined independent modules
  – Principle of Least Privilege enforced
• B3 = B2 + Testing Requirements
  – Small, tamperproof security functions
  – Audit functions required
  – High-level design that is complete and conceptually simple
  – Convincing argument that the system implements the design
  – Exhibits good design practice
    • Layering
    • Abstraction
    • Information hiding
• A1 = Formally Verified = B3 + the following
• Formal model of the protection system and a mathematical proof of its consistency and adequacy
• Formal top-level specification of the protection system
• Demonstration that the specification conforms to the model
• Implementation informally shown to be consistent with the specification
• Formal analysis of covert channels
Modern Trust Models
• Capability-based
• MAC and DAC implemented using the same mechanisms
• Heavy reliance on application trust features
• Hardware-enforced separation
• Virtualization and hypervisors
An Early Hypervisor
TCPA
Itanium® Processor (IA-64) Architecture
• High performance on encryption protocols
• Fine-grained memory protection
• Two additional levels of privilege protection
IA-64 Privilege Level 0
• Access to
  – Privileged system registers
  – Privileged instructions
    • Page creation
    • Direct access to physical memory
• Invoking PL-0 from PL-1 to PL-3
  – Interrupts
  – Explicit PL-0 request ("epc")
Secure platform architecture
• Root of trust in protected memory of the trusted platform
• Secure Platform Kernel (SPK) loaded by secure boot
• Operating systems are ported to the SPA
Structure of Secure Platform
• Abstracts ABI, physical resources and interrupts
• PL-0 reserved for the SPK: minimal certified code (known to the CRTM)
• PL-1 hosts global services for
  – I/O notification
  – Multiple OS images
  – Protection domains
  – Non-OS applications
• PL-2 hosts OS images
• Applications reside in PL-3
SP Characteristics
• Secure paging
• Operating systems and device drivers run as unprivileged tasks
• Privileged operations are authenticated and performed by the secure platform kernel
• Self-healing data structures
• "Baileys" separate SPK, SPGS and OS
"How does it work?"
• Multiple containment rings inherently limit intrusion
• Operating systems and device drivers run as unprivileged tasks
• Privileged operations are authenticated and performed by the secure platform kernel
• Code and data are protected from inadvertent and malicious execution or modification
• Multiple OS images run securely on the same system
SP Virtual Addressing
• Region IDs provide
  – Memory isolation
  – Protection keys
  – Fine-grain permission control
• Upper half of Region 7 reserved for SPK/SPGS
• Operating systems run virtual in the lower half of Region 7
• Regions 0–6 available for OS assignment
• SPK
  – Manages region ID assignments
  – Allocates pages for mapping virtual addresses
Privileged Operations
• OS executes as an unprivileged task at PL-2
• Privileged functions invoked by epc call
• Lightweight paths are implemented for simple operations
Unprivileged Callbacks
• Similar to Unix signals
• Interrupts handled by the SPK
• UPC mechanism enables asynchronous notification to a less privileged level
• Exceptions and faults that cannot be handled by the SPK are passed to the SPGS
Secure paging
• Protection for data on the paging device
  – Device theft
  – Raw device access
• Requires a pre-allocated shadow page pool
• Penalty: 1 cycle per bit using a 128-bit key
• Keys are hidden in the SPK, accessed through handles
Denial of Service Attacks
• SPK signals PL-2, which never returns
• Attacker repeats the instruction path
• Context stack grows until SPK fault
• Asynchronous UPC thwarts the attack
  – SPK executes a single thread
  – Eventually fails to allocate space for a UPC list entry
  – PL-2 process fails
  – SPK never has to unwind the context stack
Services
• Data protection
• Client integrity
• Authorized network connection
• Remote attestation
• Web administration
• Connected laptop
• Mobile services
• Virus definition reporting
• Remote management
• Smart card function (e.g., two-factor authorization)
• Public hot desking
• Trusted kiosk
• First responder