2020 Spring CSCI262 S3b2

This document provides an overview of access control models and security concepts. It begins with definitions of lattices and partial orders. It then discusses access control models including the Bell-LaPadula (BLP) model and Biba integrity model. The BLP model focuses on confidentiality and preventing information flow from high to low security levels. The Biba model focuses on integrity and preventing information flow from low to high levels. The document also discusses limitations of these models, covert channels, multi-level security, and the Chinese Wall model.


CSCI262/CSCI862 Spring-2020

System Security (S3b2)

Access control II (continued)

• Definition: A lattice (L, ≤) consists of a set L and a partial order ≤ (a reflexive, antisymmetric and transitive relation) such that for every two elements a, b ∈ L there exist both
– a least upper bound u ∈ L, and
– a greatest lower bound l ∈ L.
• Formally:
a ≤ u, b ≤ u, and for all v ∈ L: (a ≤ v ∧ b ≤ v) ⇒ (u ≤ v)
l ≤ a, l ≤ b, and for all k ∈ L: (k ≤ a ∧ k ≤ b) ⇒ (k ≤ l)
Properties of the relation ≤
• Reflexive: a ≤ a.
• Antisymmetric: If a ≤ b and b ≤ a then a = b.
• Transitive: If a ≤ b and b ≤ c then a ≤ c.

• An important term:
• If a ≤ b, we say b dominates a, written b dom a.
– Domination means that b is at least as high a security level as a (strictly higher, or equal, since ≤ is reflexive).
Another example (figure on the slide, not reproduced here)

Lattice diagram for S = {1,2,3}: the subsets of S ordered by ⊆, drawn as a Hasse diagram from top to bottom. The least upper bound of two subsets is their union, the greatest lower bound their intersection.

S = {1,2,3}
{1,2}  {1,3}  {2,3}
{1}  {2}  {3}
∅
Access Control Models
• Confidentiality based security models
– BLP model
• Integrity based security models
– Biba model
BLP Model
• A confidentiality based security model
• Goal: prevent information flow from "high" security levels to "low" security levels.
• Covers both mandatory and discretionary access control.
• Rule: no read up, no write down
BLP Security Policy
• Each subject S has a clearance fs(S) (its maximum level) and a current level fc(S) ≤ fs(S); each object O has a classification fo(O).
• A state is secure if it satisfies
– Simple security condition (no read up), against the clearance:
  • S can read O only if fo(O) ≤ fs(S)
– The star (*) property (no write down), against the current level:
  • S can read O only if fo(O) ≤ fc(S)
  • S can write O only if fc(S) ≤ fo(O)
– Discretionary security property:
  • Every current access is allowed by the access control matrix
• A system is secure if and only if every reachable state is secure
Criticism of McLean
• What happens if we
– downgrade all subjects to the lowest security level
– downgrade all objects to the lowest security level
– enter all access rights in the access control matrix M
• Is the system secure? By the definition above, yes: every reachable state satisfies all three properties, yet every subject can now read and write every object. The definition constrains states, not the transitions that lead to them (McLean's "System Z").
Tranquility
• Consider a system with subjects s1, s2 and objects o1, o2
– fs(s1) = fc(s1) = fo(o1) = high
– fs(s2) = fc(s2) = fo(o2) = low
• And the following execution:
– s1 gets read access to o1, reads something, releases the access, then changes its current level to low, gets write access to o2 and writes to o2
• Every state along the way is secure, yet high information has flowed into the low object o2, where s2 can read it
• Solution: the tranquility principle. Strong tranquility: a subject cannot change its current level. Weak tranquility: a subject may lower its current level, but not below the highest level it has read so far.
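The following Python is a worked example added here (it is not from the slides): it encodes the three state conditions on a two-level lattice, grants an access only when the resulting state stays secure, and replays both the McLean criticism and the tranquility execution above. The subject, object and right names are constructed for the example.

```python
# Added example, not from the slides: a small BLP state checker, used to replay the
# "System Z" criticism of McLean and the tranquility example from the slides.
LOW, HIGH = 0, 1   # constructed two-level lattice: low <= high


class State:
    """BLP state: clearances fs, current levels fc, classifications fo,
    access matrix M (subject, object) -> rights, and the current access set B."""

    def __init__(self, fs, fc, fo, matrix, current=()):
        self.fs = dict(fs)
        self.fc = dict(fc)
        self.fo = dict(fo)
        self.matrix = {k: set(v) for k, v in matrix.items()}
        self.current = set(current)          # entries (subject, object, "read" | "write")

    def simple_security(self):
        # no read up: every current read needs fo(o) <= fs(s)
        return all(self.fo[o] <= self.fs[s] for s, o, r in self.current if r == "read")

    def star_property(self):
        # against the current level: reads need fo(o) <= fc(s), writes need fc(s) <= fo(o)
        return all(self.fo[o] <= self.fc[s] if r == "read" else self.fc[s] <= self.fo[o]
                   for s, o, r in self.current)

    def ds_property(self):
        # every current access must be permitted by the access matrix
        return all(r in self.matrix.get((s, o), set()) for s, o, r in self.current)

    def secure(self):
        return self.simple_security() and self.star_property() and self.ds_property()


def request(state, s, o, right):
    """Grant an access only if the resulting state is still secure; return the decision."""
    trial = State(state.fs, state.fc, state.fo, state.matrix, state.current | {(s, o, right)})
    if not trial.secure():
        return False
    state.current.add((s, o, right))
    return True


def release(state, s, o, right):
    state.current.discard((s, o, right))


def two_level_system():
    """Constructed system from the tranquility slide: s1/o1 high, s2/o2 low."""
    return State(fs={"s1": HIGH, "s2": LOW}, fc={"s1": HIGH, "s2": LOW},
                 fo={"o1": HIGH, "o2": LOW},
                 matrix={("s1", "o1"): {"read"}, ("s1", "o2"): {"write"},
                         ("s2", "o1"): {"read"}, ("s2", "o2"): {"read", "write"}})


def system_z(state):
    """McLean's criticism: downgrade every subject and object to the lowest level and
    put every right into the matrix. Every reachable state is now 'secure'."""
    for s in state.fs:
        state.fs[s] = LOW
        state.fc[s] = LOW
    for o in state.fo:
        state.fo[o] = LOW
    for s in state.fs:
        for o in state.fo:
            state.matrix[(s, o)] = {"read", "write"}
    return state


def tranquility_leak(weak_tranquility):
    """s1 reads the high object o1, then lowers its current level and writes the low object o2.
    Without tranquility every state on the way is secure, yet high data reaches o2."""
    st = two_level_system()
    if not request(st, "s1", "o1", "read"):
        return None
    highest_read = st.fo["o1"]
    release(st, "s1", "o1", "read")
    if weak_tranquility and LOW < highest_read:
        return False                 # refused: may not drop below the highest level read so far
    st.fc["s1"] = LOW                # the level change itself is not an access, so BLP allows it
    return request(st, "s1", "o2", "write")   # the write is granted and the state is secure


if __name__ == "__main__":
    st = two_level_system()
    print("low subject reads high object:", request(st, "s2", "o1", "read"))
    z = system_z(two_level_system())
    print("System Z: read granted:", request(z, "s2", "o1", "read"), "state secure:", z.secure())
    print("leak without tranquility:", tranquility_leak(False))
    print("leak with weak tranquility:", tranquility_leak(True))
```

The point to take from `system_z` and `tranquility_leak` is the same one the slides make: `secure()` is a predicate on a single state, so a system that only ever enters secure states can still move high data to a low object through label changes. The check a practitioner wants is on the transition (here, the refusal in `tranquility_leak` under weak tranquility), not only on the state.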
Covert channels
• A covert channel is a communication path that lets information flow between processes that the security policy does not allow to communicate. Exploiting one attacks the policy rather than the access checks, which all succeed or fail exactly as specified.
• Requires two active agents, one at a low level and one at a high level, and an encoding scheme for passing high-level information down to the low level
Example: a storage channel through reclassification
• Low-level subject s1 creates object o
• High-level accomplice s2 either
– reclassifies o to its own level (message 1)
– leaves o unchanged (message 0)
• s1 tries to access o, which is either
– success (message 0)
– access denied (message 1)
• One bit of information is transmitted s2 → s1 per round. Neither step breaks BLP: raising an object's label is not a write down, and s1 learns the bit from the no-read-up decision itself, so the access decision is the channel.
• The concern is with subjects, not users
– Users are trusted (must be trusted) not to disclose secret information outside the computer system
– Subjects are not trusted, because the code they execute may contain a Trojan horse
• Covert channels are typically noisy, but information theory techniques (error-correcting codes) can be used to achieve error-free communication
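As an added illustration (not from the slides), the following Python simulates the reclassification channel from the previous slide round by round, then runs it through a deterministic noise pattern with a repetition code to show how the low receiver still recovers the message error-free. The toy reference monitor, the noise pattern and the message are all constructed for this example.

```python
# Added example, not from the slides: the reclassification channel from the previous
# slide, simulated round by round, then pushed through a noisy channel with a repetition
# code so the receiver still decodes the message error-free.
LOW, HIGH = 0, 1


class Monitor:
    """Toy reference monitor: object labels plus a no-read-up check on access."""

    def __init__(self):
        self.level = {}

    def create(self, subject_level, obj):
        self.level[obj] = subject_level          # new objects take the creator's level

    def reclassify(self, subject_level, obj, new_level):
        # a subject may raise an object up to its own level (an upgrade, not a write down)
        if self.level[obj] <= new_level <= subject_level:
            self.level[obj] = new_level

    def can_read(self, subject_level, obj):
        return self.level[obj] <= subject_level  # no read up


def send_bit(monitor, obj, bit):
    """High accomplice s2 encodes one bit: 1 = reclassify o to high, 0 = leave it alone."""
    if bit:
        monitor.reclassify(HIGH, obj, HIGH)


def recv_bit(monitor, obj):
    """Low subject s1 decodes from the access decision: denied = 1, success = 0."""
    return 0 if monitor.can_read(LOW, obj) else 1


def transmit(bits, noise=None):
    """One fresh object per round. `noise(i)` -> True flips round i's decoded bit,
    standing in for interference from other subjects sharing the same objects."""
    received = []
    for i, bit in enumerate(bits):
        m = Monitor()
        obj = f"o{i}"
        m.create(LOW, obj)       # s1 creates o at low
        send_bit(m, obj, bit)    # s2 acts (or not)
        r = recv_bit(m, obj)     # s1 observes the decision
        if noise is not None and noise(i):
            r ^= 1
        received.append(r)
    return received


def bytes_to_bits(data):
    return [(byte >> (7 - j)) & 1 for byte in data for j in range(8)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def repetition_encode(bits, n=5):
    return [b for b in bits for _ in range(n)]


def repetition_decode(bits, n=5):
    """Majority vote per block of n: corrects up to (n-1)//2 flips in each block."""
    return [1 if 2 * sum(bits[i:i + n]) > n else 0 for i in range(0, len(bits), n)]


def exfiltrate(message, noise=None, n=5):
    """Full pipeline: message bytes -> repetition code -> covert channel -> decode."""
    sent = repetition_encode(bytes_to_bits(message), n)
    return bits_to_bytes(repetition_decode(transmit(sent, noise), n))


if __name__ == "__main__":
    flip_every_7th = lambda i: i % 7 == 3     # constructed, deterministic noise pattern
    print(transmit([1, 0, 1, 1, 0]))
    print(bits_to_bytes(transmit(bytes_to_bits(b"Hi"), flip_every_7th)))   # corrupted
    print(exfiltrate(b"Hi", flip_every_7th))                               # recovered
```

With the period-7 noise pattern each block of five repeated bits sees at most one flip, so majority decoding always recovers the original bit; the raw channel without the code delivers a corrupted message. The same reasoning (pick a code whose correction capacity exceeds the channel's error rate) is what lets a real covert channel deliver data reliably at a fraction of its raw bit rate.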
Limitations of BLP
• Only deals with confidentiality, not integrity
– In many situations confidentiality is not as important as integrity
– Limits the access and sharing of information
• Assumes fixed rights
– assumes tranquility
– no model for access management
– no model for policy making
• Allows covert channels
More on multi-level security
• Security levels are used as attributes of both subjects and objects
– clearance (of a subject) and classification (of an object)
• Typical military security levels:
– top secret ≥ secret ≥ confidential ≥ unclassified
• Typical commercial security levels:
– restricted ≥ proprietary ≥ sensitive ≥ public

Taken from slides of Ninghui Li at Purdue University


Security categories
• Also known as compartments
• Typical military security categories
– army, navy, air force
– nato, nasa, noforn
• Typical commercial security categories
– Sales, R&D, HR
– Dept A, Dept B, Dept C
• A label combines a level with a set of categories; to dominate an object's label a subject needs every category on it, not just a high enough level
Security labels (figure on the slide, not reproduced here)

Example (figure on the slide, not reproduced here)
A lattice we could work with…
Labels (level, categories) with level pri > pub and categories drawn from {P, E}, ordered componentwise as is standard for security labels: (l1, C1) ≤ (l2, C2) iff l1 ≤ l2 and C1 ⊆ C2. Hasse diagram, top to bottom:

(pri, {P,E})
(pri, {P})  (pri, {E})
(pri, ∅)
(pub, {P,E})
(pub, {P})  (pub, {E})
(pub, ∅)

Under this order (pri, ∅) and (pub, {P,E}) are incomparable: one has the higher level, the other the larger category set, so neither dominates the other. The least upper bound of two labels is (higher level, union of categories) and the greatest lower bound is (lower level, intersection of categories), which is what makes the label set a lattice.

See Hasse diagrams.
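Added example, not from the slides: Python that checks the lattice definition from the start of the lecture directly, on both the power set of {1,2,3} and the (level, categories) labels above, and computes joins, meets and the no-read-up check on labels. The level and category names follow the slide; the function names and the non-lattice counterexample are this example's own.

```python
# Added example, not from the slides: security labels (level, categories) ordered
# componentwise, with a brute-force check of the lattice definition from the slides.
from itertools import combinations

# Constructed data, following the slide: two levels and two categories.
LEVELS = {"pub": 0, "pri": 1}
CATEGORIES = {"P", "E"}


def powerset(items):
    """All subsets of `items` as frozensets (the lattice for S = {1,2,3} on the earlier slide)."""
    items = sorted(items)
    return [frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)]


def all_labels():
    """Every (level, category-set) label: 2 levels x 4 category sets = 8 labels."""
    return [(lvl, cats) for lvl in LEVELS for cats in powerset(CATEGORIES)]


def dominates(a, b):
    """a dom b (i.e. b <= a): a's level is at least b's AND a's categories include b's."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]


def comparable(a, b):
    return dominates(a, b) or dominates(b, a)


def join(a, b):
    """Least upper bound: the higher level, union of categories."""
    lvl = a[0] if LEVELS[a[0]] >= LEVELS[b[0]] else b[0]
    return (lvl, frozenset(a[1] | b[1]))


def meet(a, b):
    """Greatest lower bound: the lower level, intersection of categories."""
    lvl = a[0] if LEVELS[a[0]] <= LEVELS[b[0]] else b[0]
    return (lvl, frozenset(a[1] & b[1]))


def is_lattice(elements, leq):
    """Check the definition directly: every pair has a least upper bound and a greatest
    lower bound among `elements`. leq(x, y) means x <= y. Brute force, fine for small sets."""
    for a in elements:
        for b in elements:
            uppers = [u for u in elements if leq(a, u) and leq(b, u)]
            lowers = [l for l in elements if leq(l, a) and leq(l, b)]
            has_lub = any(all(leq(u, v) for v in uppers) for u in uppers)
            has_glb = any(all(leq(k, l) for k in lowers) for l in lowers)
            if not (has_lub and has_glb):
                return False
    return True


def can_read(subject_label, object_label):
    """BLP no-read-up on labels: the subject's label must dominate the object's."""
    return dominates(subject_label, object_label)


if __name__ == "__main__":
    label_leq = lambda x, y: dominates(y, x)
    print("labels form a lattice:", is_lattice(all_labels(), label_leq))
    print("P({1,2,3}) is a lattice:", is_lattice(powerset({1, 2, 3}), lambda x, y: x <= y))
    # a poset that is NOT a lattice: a and b both below c and d, with c and d incomparable,
    # so {a, b} has two minimal upper bounds and no least one
    not_lat = lambda x, y: x == y or (x in "ab" and y in "cd")
    print("poset without a least upper bound:", is_lattice(["a", "b", "c", "d"], not_lat))
    hi, lo = ("pri", frozenset()), ("pub", frozenset({"P", "E"}))
    print("comparable:", comparable(hi, lo), "join:", join(hi, lo), "meet:", meet(hi, lo))
```

The `is_lattice` check is the definition written out, so it also rejects posets that merely look like diagrams: the four-element example fails because the pair a, b has two incomparable upper bounds and hence no least one.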
Biba integrity model
• In BLP: no-read-up and no-write-down for confidentiality.
– But: write-up and read-down can introduce integrity problems (a low-integrity subject may corrupt high-integrity data; a high-integrity subject may act on low-integrity input).
• Biba proposed a class of integrity models with the opposite rules:
– Mandatory integrity model: no-read-down and no-write-up.
– Relax no-read-down ("subject low watermark property"): allow a subject to read down, but first lower its integrity level to that of the object being read.
– Relax no-write-up ("object low watermark property"): lower the object's level to that of the subject doing the write.
Taken from slides of Alessandro Armando
• Addresses integrity in terms of access by subjects to objects, using a model similar to that of BLP.
– A lattice (L, ≤) of integrity levels.
– fs : S → L and fo : O → L assign integrity levels to subjects and objects.
– Information may only flow downwards in the integrity lattice (from high integrity to low).
• Unlike BLP, there is no single high-level integrity policy but rather a variety of policies:
– Static integrity levels.
– Dynamic integrity levels.
– Policies for invocation.
Static integrity levels
• Policies where integrity levels never change (mirroring BLP's tranquility)
• No write up: s can modify o iff fs(s) ≥ fo(o)
• No read down: s can read o iff fo(o) ≥ fs(s)
Dynamic integrity levels
• Subject low watermark property: relax no-read-down. Allow a subject to read down, but first lower its integrity level to that of the object being read. Write operations remain constrained by the no-write-up rule.
• Object low watermark property: relax no-write-up. Lower the object's level to that of the subject doing the write. Read operations remain constrained by the no-read-down rule.
Subject low watermark property
• s can read an o at any integrity level
• The new integrity level of s is the greatest lower bound of fs(s) and fo(o), where fs(s) and fo(o) are the integrity levels before the operation.

Object low watermark property
• s can modify an o at any integrity level.
• The new integrity level of o is the greatest lower bound of fs(s) and fo(o), where fs(s) and fo(o) are the integrity levels before the operation.
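Added example, not from the slides: the static policy and the two low-watermark policies in Python on a constructed three-level integrity chain (untrusted < user < system), with an installer scenario that shows how each policy treats a read-down followed by a write and an untrusted write-up. Because the levels form a chain, the greatest lower bound is just the minimum.

```python
# Added example, not from the slides: Biba's static policy and the two low-watermark
# policies side by side, on a constructed three-level integrity chain. Because the
# levels here form a chain, the greatest lower bound is simply min().
UNTRUSTED, USER, SYSTEM = 0, 1, 2


class Biba:
    """policy is one of "static", "subject_lwm", "object_lwm"."""

    def __init__(self, fs, fo, policy="static"):
        self.fs, self.fo, self.policy = dict(fs), dict(fo), policy

    def read(self, s, o):
        if self.policy == "subject_lwm":
            # subject low watermark: read down is allowed, but s drops to glb(fs(s), fo(o))
            self.fs[s] = min(self.fs[s], self.fo[o])
            return True
        return self.fo[o] >= self.fs[s]            # no read down

    def write(self, s, o):
        if self.policy == "object_lwm":
            # object low watermark: write up is allowed, but o drops to glb(fs(s), fo(o))
            self.fo[o] = min(self.fs[s], self.fo[o])
            return True
        return self.fs[s] >= self.fo[o]            # no write up


def scenario(policy):
    """A system-level installer reads an untrusted download, then writes system config;
    a browser process then tries to write that config; finally the installer reads the
    config back. Returns the four decisions and the final levels (constructed names)."""
    m = Biba(fs={"installer": SYSTEM, "browser": UNTRUSTED},
             fo={"download": UNTRUSTED, "sysconfig": SYSTEM}, policy=policy)
    read_down = m.read("installer", "download")
    write_after = m.write("installer", "sysconfig")
    write_up = m.write("browser", "sysconfig")
    read_back = m.read("installer", "sysconfig")
    return {"read_down": read_down, "write_after": write_after, "write_up": write_up,
            "read_back": read_back, "installer": m.fs["installer"],
            "sysconfig": m.fo["sysconfig"]}


if __name__ == "__main__":
    for policy in ("static", "subject_lwm", "object_lwm"):
        print(policy, scenario(policy))
```

Reading the three outputs side by side shows the trade-off: the static policy refuses the installer's read of the download outright; the subject low watermark lets it read but then (now at level 0) refuses its write to the system object; the object low watermark lets the browser write the system object but drags that object down to untrusted, so the installer's later no-read-down check on it fails. In each case the contamination is stopped, just at a different point.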
Advantages
• Simple and easy to implement
• Provides a number of different policies that can be selected based on need

Disadvantages
• Does not support confidentiality.
• Does not support the granting and revocation of authorization.
• Problematic for use in a network environment: it needs integrity labelling of both objects and subjects, and to date no network protocol supports this labelling.
The Chinese Wall Model
• Hybrid model: addresses integrity and confidentiality
• Addresses conflict of interest
– Models a consultancy business where analysts have to make sure that no conflicts arise when dealing with different clients (companies)
– Conflicts arise when clients are direct competitors in the same market, or because of the ownership of companies
Model elements
• A set of subjects S: active entities interested in accessing protected objects
• A set of companies C
• A set of objects O:
– individual data items, each about one company
– The objects concerning the same company are called a company dataset (DS)
– The function y: O → C gives the company dataset for each object
• The function x: O → L(C) gives the conflict of interest class for each object: the set of companies that compete with the company the object is about
• The security label of an object o is the pair (x(o), y(o))
• An object is sanitised if x(o) is empty
• Conflicts of interest may also arise from objects that have been accessed in the past.
• Let N(s,o) be true if subject s has had access to object o, and false if subject s never had access to object o
ss-property
• A subject s is granted access to an object o only if for all objects o' with N(s,o') = true: either y(o) = y(o') or y(o) does not belong to x(o')
• That is, access is granted only if the object requested belongs to:
– a company dataset already held by the subject (the analyst), or
– an entirely different conflict of interest class.
Star property
• A subject s is granted write access to an object o only if s has no read access to an object o' with y(o) ≠ y(o') and x(o') not empty
• That is, write access to an object is only granted if no other object can be read which is in a different company dataset and contains unsanitised information. This stops a Trojan horse in one analyst's process from copying a client's unsanitised data into another client's dataset, where a second analyst who is walled off from the first client could read it.
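Added example, not from the slides: the ss-property and *-property in Python with the access history N(s,o), run over constructed consultancy data (two competing banks, two competing oil companies, one sanitised report). Following Brewer and Nash's original rule, a write must also pass the ss-property, which the slide leaves implicit; the analyst and object names are this example's own.

```python
# Added example, not from the slides: the Chinese Wall ss-property and *-property with
# the access history N(s, o), on constructed consultancy data. As in Brewer and Nash's
# paper, a write also has to pass the ss-property.

# Constructed objects: name -> (y(o) company dataset, x(o) conflict-of-interest class).
# x(o) is the set of companies competing in o's market; empty means sanitised.
BANKS = frozenset({"BankA", "BankB"})
OIL = frozenset({"OilX", "OilY"})
OBJECTS = {
    "bankA-ledger": ("BankA", BANKS),
    "bankB-ledger": ("BankB", BANKS),
    "bankA-annual-report": ("BankA", frozenset()),   # sanitised: public figures
    "oilX-reserves": ("OilX", OIL),
    "oilY-reserves": ("OilY", OIL),
}


class ChineseWall:
    def __init__(self, objects):
        self.objects = objects
        self.history = set()          # N(s, o) is true iff (s, o) in history

    def y(self, o):
        return self.objects[o][0]

    def x(self, o):
        return self.objects[o][1]

    def accessed(self, s):
        return [o for s2, o in self.history if s2 == s]

    def ss_allows(self, s, o):
        """For every o' already accessed: same dataset, or y(o) outside o' 's conflict class."""
        return all(self.y(o) == self.y(o2) or self.y(o) not in self.x(o2)
                   for o2 in self.accessed(s))

    def star_allows(self, s, o):
        """No accessed o' may be unsanitised and from a different dataset than o."""
        return all(self.y(o2) == self.y(o) or not self.x(o2) for o2 in self.accessed(s))

    def read(self, s, o):
        if not self.ss_allows(s, o):
            return False
        self.history.add((s, o))
        return True

    def write(self, s, o):
        if not (self.ss_allows(s, o) and self.star_allows(s, o)):
            return False
        self.history.add((s, o))
        return True


def scenario():
    """Three analysts against the same wall; returns each decision by name."""
    w = ChineseWall(OBJECTS)
    out = {}
    out["alice reads BankA"] = w.read("alice", "bankA-ledger")          # allowed: no history
    out["alice reads BankB"] = w.read("alice", "bankB-ledger")          # denied: wall
    out["alice reads OilX"] = w.read("alice", "oilX-reserves")          # allowed: other class
    out["alice reads BankA (sanitised)"] = w.read("alice", "bankA-annual-report")
    # alice now holds unsanitised OilX data; a write into BankA's dataset could carry it
    # to bob, who may read BankA but is walled off from OilX
    out["bob reads OilY"] = w.read("bob", "oilY-reserves")
    out["bob reads BankA"] = w.read("bob", "bankA-ledger")
    out["bob reads OilX"] = w.read("bob", "oilX-reserves")              # denied: wall
    out["alice writes BankA"] = w.write("alice", "bankA-ledger")        # denied: *-property
    # carol has only BankA data (plus sanitised data), so she may write BankA
    out["carol reads BankA"] = w.read("carol", "bankA-ledger")
    out["carol reads BankA (sanitised)"] = w.read("carol", "bankA-annual-report")
    out["carol writes BankA"] = w.write("carol", "bankA-ledger")
    return out


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name}: {decision}")
```

Two details worth noticing in the output: the sanitised annual report never builds a wall (its x(o) is empty, so it is skipped by both properties), and the *-property refuses Alice's write even though the ss-property would allow it, because the history, not the label alone, decides.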
The Chinese Wall Model
• Not a true multi-level secure model
• The history of a subject's accesses determines access control
• Subjects are only allowed access to information that is not held to conflict with any other information they already possess
• Once a subject accesses information from one dataset, a wall is set up to protect information in other datasets in the same conflict of interest class

Figure 27.6 in the book
