
Cybersecurity and Defense-in-Depth

Lecture 2
9 Oct 2024

Compiled and prepared by: Ahmed Hussein
Security Policy
What is a security policy?
• A security policy is a formal, written document that sets out how an
organization intends to safeguard its physical and information
technology (IT) assets.
• Briefly: a document that states clearly the goal of the protection
mechanisms.
• Security policies are living documents: they are revised continually
in response to new technologies, newly discovered vulnerabilities,
and changing security requirements.
• At its core, a security policy describes which principal may access
which data.
Related terms:
• Security policy model: a short document (a page or less) stating the
essential protection properties of a system.
• Security target: a more detailed description of the protection
mechanisms provided by a specific implementation. Testing and
evaluation of a product are performed with reference to its security
target.
• Protection profile: like a security target, but written in an
implementation-independent way, so that it applies across different
vendors and products.
The Bell-LaPadula Security Policy Model
• The BLP model was proposed by Bell and LaPadula in 1973.
• It was motivated by US Air Force concerns over the security of
time-sharing mainframe systems.
• It had been discovered that the Pentagon's Worldwide Military
Command and Control System was vulnerable to Trojan Horse attacks;
as a result, its use was restricted to people with 'Top Secret'
clearance.
BLP model
• Reference monitor
• The OS component that mediates all access control decisions.
• Kept small enough that it can be analysed and verified, so that its
completeness (every access passes through it) can be assured.
• The set of components whose correct functioning guarantees that the
policy is enforced is now known as the Trusted Computing Base (TCB).
• If the TCB functions correctly, the security policy is enforced.
• A failure of the TCB can cause a breach of the security policy.
Classifications and Clearances
• There was a need for a common protective marking scheme for
labelling the sensitivity of documents.
• Classifications: Unclassified, Confidential, Secret, and Top Secret.
Access Control Policy
• A document may only be read by an official whose clearance is at
least as high as the document's classification.
• Information may only flow upwards (i.e. from Unclassified towards
Top Secret), never downwards.
Document Handling Rules:
• Confidential documents may be stored in a locked filing cabinet in
a government office.
• Higher-level documents may require approved safes, guarded rooms,
etc.
• Journalists can be prosecuted for leaking any classified document.
Wiretapping and multilevel security
• The old way: adding a physical wire at the exchange.
• The new way: turning the target's calls into silent conference
calls with an extra participant.
• The extra participant (the wiretapper) must remain silent and must
pay the conference-call charges rather than the target.
• This is the multilevel security pattern: a `High` principal can see
`Low` data, but a `Low` principal cannot tell whether `High` is
reading any data at all, let alone which data.
BLP properties
BLP enforces two properties:
• Simple security property: no process may read data at a higher
level, a.k.a. `no read up` (NRU).
• Star property (*-property): no process may write data to a lower
level, a.k.a. `no write down` (NWD). Writing to the same or a higher
level is permitted.
BLP Model
Assumptions:
• Code is buggy.
• Some code is malicious.
• Most staff are careless.
• Some staff are dishonest.
How does BLP protect against malicious code?
• NWD was proposed specifically to protect against malicious code.
• An uncleared user could write a Trojan and leave it where a cleared
user might eventually execute it.
• Running with the cleared user's privileges, the Trojan could copy
itself into the `Secret` part of the system, read the data, and try
to signal it down somehow.
• If the Trojan could write down to a place its creator could read,
the security policy would have been violated; NWD blocks exactly
this write.
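The two BLP properties and the Trojan horse story above can be tried out against a small reference monitor. The following is an added example, not code from the lecture: the subject and object names, the file contents and the audit format are all constructed for the illustration. It collapses a subject's clearance and current level into one value; the real BLP model keeps them separate.

```python
"""Toy Bell-LaPadula reference monitor.

Added example, not code from the lecture. Levels form a total order
Unclassified < Confidential < Secret < Top Secret. Every access passes
through ReferenceMonitor, which enforces the simple security property
(no read up) and the *-property (no write down). Subject and object
names and file contents are constructed for this illustration.
"""
from dataclasses import dataclass, field

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(high: str, low: str) -> bool:
    """True if level `high` is at least as sensitive as level `low`."""
    return RANK[high] >= RANK[low]


@dataclass
class Subject:
    name: str
    level: str  # clearance; this toy uses it as the current level too


@dataclass
class Object:
    name: str
    classification: str
    content: list = field(default_factory=list)


class AccessDenied(Exception):
    pass


class ReferenceMonitor:
    """Mediates every read and write. Keeping it this small is the point:
    the whole TCB can be read and verified."""

    def __init__(self):
        self.audit = []  # one line per decision, ALLOW or DENY

    def _log(self, verdict, subj, mode, obj):
        self.audit.append(f"{verdict} {subj.name}({subj.level}) {mode} "
                          f"{obj.name}({obj.classification})")

    def read(self, subj: Subject, obj: Object) -> list:
        # Simple security property: subject level must dominate object level.
        if not dominates(subj.level, obj.classification):
            self._log("DENY", subj, "read", obj)
            raise AccessDenied(f"no read up: {subj.name} -> {obj.name}")
        self._log("ALLOW", subj, "read", obj)
        return list(obj.content)

    def write(self, subj: Subject, obj: Object, data: str) -> None:
        # *-property: object level must dominate subject level, so nothing
        # the subject has seen can flow downwards. Writing *up* is allowed.
        if not dominates(obj.classification, subj.level):
            self._log("DENY", subj, "write", obj)
            raise AccessDenied(f"no write down: {subj.name} -> {obj.name}")
        self._log("ALLOW", subj, "write", obj)
        obj.content.append(data)


def _allowed(action) -> bool:
    """Run an access attempt and report whether the monitor permitted it."""
    try:
        action()
        return True
    except AccessDenied:
        return False


def trojan_scenario() -> dict:
    """Replays the lecture's Trojan horse story against the monitor.

    mallory (Unclassified) plants a Trojan; alice (Secret) runs it. The
    Trojan runs at alice's level, so it can read Secret data, but the
    *-property stops it writing that data anywhere mallory could read.
    """
    rm = ReferenceMonitor()
    mallory = Subject("mallory", "Unclassified")
    alice = Subject("alice", "Secret")
    secret_file = Object("plans.txt", "Secret", ["troop movements"])
    dropbox = Object("public.txt", "Unclassified")  # readable by mallory

    r = {}
    # Step 1: write up is permitted, so mallory can plant code in the Secret area.
    r["plant_trojan"] = _allowed(lambda: rm.write(mallory, secret_file, "TROJAN"))
    # Step 2: the Trojan, executing as alice, reads the Secret data.
    r["trojan_reads_secret"] = _allowed(lambda: rm.read(alice, secret_file))
    # Step 3: it tries to exfiltrate by writing down to the Unclassified dropbox.
    r["trojan_writes_down"] = _allowed(lambda: rm.write(alice, dropbox, "troop movements"))
    # Step 4: mallory cannot simply read the Secret file herself.
    r["mallory_reads_up"] = _allowed(lambda: rm.read(mallory, secret_file))
    # Step 5: a High principal may read Low data (the wiretap analogy).
    r["alice_reads_down"] = _allowed(lambda: rm.read(alice, dropbox))
    r["dropbox_contents"] = list(dropbox.content)
    r["audit"] = list(rm.audit)
    return r


if __name__ == "__main__":
    for line in trojan_scenario()["audit"]:
        print(line)
```

The only denied operations are the Trojan's write-down (step 3) and mallory's direct read-up (step 4), so the dropbox stays empty. Note what the monitor does not address: it stops the direct write, but the "signal it down somehow" in the lecture also covers covert channels (timing, shared resource contention), which a policy check on reads and writes cannot see.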
Implementation of Multilevel Security Systems
• First approach: reference monitor
Implement a reference monitor as part of the OS kernel that
supervises every system call and checks access permissions before
deciding whether the call may be serviced. (The difficulty is making
it small enough to verify.)
• Second approach: system replication
• Physical replication of systems in the 1990s.
• Virtual machines since about 2005.
• Multiple systems (VMs) at different security levels run on the same PC.
• A pump constantly copies information from Low up to High (never the
other way), with everything running on VMware on top of SELinux
(Security-Enhanced Linux).