Why Security Models?

Similar documents
DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Computer security Lecture 3. Access control

Information Flows and Covert Channels

Access Control Models Part I. Murat Kantarcioglu UT Dallas

Bell & LaPadula Model Security Policy Bell & LaPadula Model Types of Access Permission Matrix

Database Security Part 7

Part III. Access Control Fundamentals

Access Control Matrix

... Lecture 3 Access Control. Information & Communication Security (WS 14/15) Prof. Dr. Kai Rannenberg

Access Control Intro, DAC and MAC. System Security

Introduction to Computer Security

CS 665: Computer System Security. Designing Trusted Operating Systems. Trusted? What Makes System Trusted. Information Assurance Module

Role Based Access Control: Adoption and Implementation in the Developing World

CIS 551 / TCOM 401 Computer and Network Security. Spring 2005 Lecture 4

Access Control Basics. Murat Kantarcioglu

Introduction to Computer Security

File Management. Chapter 12

Session objectives. Access control. Subjects and objects. The request. Information Security

Mandatory Access Control Systems

Outline. INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control. The concept of identity

Lecture 14 Towards Trusted Systems Security Policies and Models

CS 4803 Computer and Network Security

Chapter 23. Database Security. Security Issues. Database Security

Identity Management and Access Control

CSE543 - Introduction to Computer and Network Security. Module: Access Control

CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University

CSE331: Introduction to Networks and Security. Lecture 34 Fall 2006

Operating System Components

Design. Syntactic Issues

Access Control. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Access Control.

INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control

Access Control: Policies, Models, and Mechanisms

Mandatory Access Control

CIS 551 / TCOM 401 Computer and Network Security

Access Control: Policies, Models, and Mechanisms

CSE543 - Introduction to Computer and Network Security. Module: Reference Monitor

University of Cambridge

Reference Guide for Security in Networks

Trusted RUBIX TM. Version 6. Multilevel Security in Trusted RUBIX White Paper. Revision 2 RELATIONAL DATABASE MANAGEMENT SYSTEM TEL

Information Security Information & Network Security Lecture 2

Applications of Formal Methods in Building High-Assurance Secure Systems

REASONING ABSTRACT. 2. How to Lend Credence to a Security Model

Access Control Lists in Linux & Windows

Chapter 12 File Management

Chapter 12 File Management. Roadmap

CEN 559 Selected Topics in Computer Engineering. Dr. Mostafa H. Dahshan KSU CCIS

Security Enhanced Linux and the Path Forward

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Chapter 6, The Operating System Machine Level

Capability-Based Access Control

CIS433/533 - Computer and Network Security Operating System Security

Chapter 23. Database Security. Security Issues. Database Security

The Asbestos Operating System

SELinux Policy Management Framework for HIS

Domain 9 Security Architecture and Design

CS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study

How do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself

Operating system Dr. Shroouq J.

1 File Management. 1.1 Naming. COMP 242 Class Notes Section 6: File Management

Formal Languages and Automata Theory - Regular Expressions and Finite Automata -

Operating Systems CSE 410, Spring File Management. Stephen Wagner Michigan State University

THE UNIVERSITY OF AUCKLAND

SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E)

Chapter 3: Operating-System Structures. System Components Operating System Services System Calls System Programs System Structure Virtual Machines

Formal Foundations for Security Architecture

Review from last time. CS 537 Lecture 3 OS Structure. OS structure. What you should learn from this lecture

Confinement Problem. The confinement problem Isolating entities. Example Problem. Server balances bank accounts for clients Server security issues:

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Hardware Assisted Virtualization

Reading 13 : Finite State Automata and Regular Expressions

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 6

CIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 7

Introduction to Computer Security

Outline. File Management Tanenbaum, Chapter 4. Files. File Management. Objectives for a File Management System

Document Management System Security

ITM661 Database Systems. Database Security and Administration

TELE 301 Lecture 7: Linux/Unix file

COS 318: Operating Systems. I/O Device and Drivers. Input and Output. Definitions and General Method. Revisit Hardware

The Specification and Modeling of Computer Security

File Management. COMP3231 Operating Systems. Kevin Elphinstone. Tanenbaum, Chapter 4

Using Power to Improve C Programming Education

Audit Trail Administration

Assessment Plan for CS and CIS Degree Programs Computer Science Dept. Texas A&M University - Commerce

? Resource. Access Control and Operating System Security. Access control matrix. Access control. Capabilities. Two implementation concepts.

EVOLVING ENTERPRISE NETWORKS WITH SPB-M APPLICATION NOTE

File Management. Chapter 12

Security Architecture and Design

Operating Systems. Privileged Instructions

Workstation Certification Tool Frequently Asked Questions

Security and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 8:Access Control and Authentication

Distributed File Systems Part I. Issues in Centralized File Systems

COS 318: Operating Systems. File Layout and Directories. Topics. File System Components. Steps to Open A File

Guidelines and Procedures for Project Management

System Assurance C H A P T E R 12

Database Security and Authorization

Final Report. Cluster Scheduling. Submitted by: Priti Lohani

Fundamentals of Computer Security

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Transcription:

Bell-LaPadula Model

Why Security Models? When we have implemented a security policy, do we know that it will (and can) be enforced? E.g., if policies get too intricate, contradicting rules may apply to a given access request. To prove that a policy will be enforced, the policy has to be formally specified. A security model is a formal description of a security policy. www.wiley.com/go/gollmann 2

Security Models Models are used in high assurance security evaluations (smart cards are currently a fruitful area of application). Models are important historic milestones in computer security (e.g. Bell-LaPadula). The models presented today are not recipes for security but can be a starting point when you have to define a model yourself. www.wiley.com/go/gollmann 3

Agenda State Machine Models (short review) Bell-LaPadula (BLP) model BLP security policies BLP Basic Security Theorem Tranquility Covert channels Case Study: Multics interpretation of BLP www.wiley.com/go/gollmann 4

State Machine Models State Machines (automata) are abstract models that record relevant features, like the security of a computer system, in their state. States change at discrete points in time, e.g. triggered by a clock or an input event. State machine models have numerous applications in computer science: processor design, programming languages, or security. www.wiley.com/go/gollmann 5

Examples Switch: two states, on and off One input press Ticket machine: State: ticket requested, money to be paid inputs: ticket requests, coins; output: ticket, change Microprocessors: state: register contents, inputs: machine instructions www.wiley.com/go/gollmann 6

Basic Security Theorems To design a secure system with the help of state machine models, define state set so that it captures security, check that all state transitions starting in a secure state yield a secure state, check that initial state of system is secure. Security is then preserved by all state transitions. The system will always be secure. This Basic Security Theorem has been derived without any definition of security! www.wiley.com/go/gollmann 7

Bell-LaPadula Model (BLP) State machine model developed in the 1970s for the analysis of MLS operating systems. Subjects and objects labeled with security levels that form a partial ordering. The policy: No information flow from high security levels down to low security level (confidentiality). Only considers information flows that occur when a subject observes or alters an object. Access permissions defined through an access control matrix and security levels. www.wiley.com/go/gollmann 8

Constructing the State Set 1. All current access operations: an access operation is described by a triple (s,o,a), s S, o O, a A E.g.: (Alice, fun.com, read) The set of all current access operations is an element of P (S O A) E.g.: {(Alice, fun.com, read), (Bob, fun.com, write), } www.wiley.com/go/gollmann 9

Constructing the State Set 2. Current assignment of security levels: maximal security level: f S : S L (L labels) current security level: f C : S L classification: f o : O L The security level of a user is the user s clearance. Current security level allows subjects to be down-graded temporarily (more later). F L S L S L O is the set of security level assignments; f = (f S, f C, f O ) denotes an element of F. www.wiley.com/go/gollmann 10

Constructing the State Set 3. Current permissions: defined by the access control matrix M. M is the set of access control matrices. The state set of BLP: V = B M F B is our shorthand for P(S O A) b denotes a set of current access operations a state is denoted by (b,m,f) www.wiley.com/go/gollmann 11

BLP Policies Discretionary Security Property (ds-property): Access must be permitted by the access control matrix: (s,o,a) M so Simple Security (ss)-property (no read-up): if (s,o,a) b, then f S (s) f O (o) if access is in observe mode. The ss-property is a familiar policy for controlling access to classified paper documents. www.wiley.com/go/gollmann 12

On Subjects In the ss-property, subjects act as observers. In a computer system, subjects are processes and have no memory of their own. Subjects have access to memory objects. Subjects can act as channels by reading one memory object and transferring information to another memory object. In this way, data may be declassified improperly. www.wiley.com/go/gollmann 13

Subjects as Channels illegal information flow to a lower level alter observe high low www.wiley.com/go/gollmann 14

Star Property -Property (star property) (no write-down): if (s,o,a) b and access is in alter mode then f C (s) f O (o); also, if subject s has access to object o in alter mode, then f O (o ) f O (o) for all objects o accessed by s in observe mode. The very first version of BLP did not have the -property. Mandatory BLP policies: ss-property and -property. www.wiley.com/go/gollmann 15

Blocking the Channel blocked by -property alter observe high low www.wiley.com/go/gollmann 16

No Write-Down The -property prevents high level subjects from sending legitimate messages to low level subjects. Two ways to escape from this restriction: Temporarily downgrade high level subject; hence the current security level f C ; BLP subjects have no memory of their own! Exempt trusted subjects from the -property. Redefine the -property and demand it only for subjects that are not trusted. www.wiley.com/go/gollmann 17

Trusted Subjects Trusted subjects may violate security policies! Distinguish between trusted subjects and trustworthy subjects. www.wiley.com/go/gollmann 18

Basic Security Theorem A state is secure, if all current access tuples (s,o,a) are permitted by the ss-, -, and ds-properties. A state transition is secure if it goes from a secure state to a secure state. Basic Security Theorem: If the initial state of a system is secure and if all state transitions are secure, then the system will always be secure. www.wiley.com/go/gollmann 19

Basic Security Theorem This Basic Security Theorem has nothing to do with the BLP security policies, only with state machine modeling. www.wiley.com/go/gollmann 20

BLP & Security Construct system with operation downgrade: downgrades all subjects and objects to system low. enters all access rights in all positions of the access control matrix. As a result, any state is secure in the BLP model. Should such a system be regarded secure? McLean: no, everybody is allowed to do everything. Bell: yes, if downgrade was part of the system specification. www.wiley.com/go/gollmann 21

Tranquility No BLP policies for changing access control data. BLP assumes tranquility: access control data do not change. Operational model: users get clearances and objects are classified following given rules. The system is set up to enforce MLS policies for the given clearances and classifications. Changes to clearances and classifications requires external input. www.wiley.com/go/gollmann 22

Covert Channels Communications channels that allow transfer of information in a manner that violates the system s security policy. Storage channels: e.g. through operating system messages, file names, etc. Timing channels: e.g. through monitoring system performance Orange Book: 100 bits per second is high bandwidth for storage channels, no upper limit on timing channels. www.wiley.com/go/gollmann 23

Covert Channels The bandwidth of some covert channels can be reduced by reducing the performance of the system. Covert channels are not detected by BLP modeling. www.wiley.com/go/gollmann 24

Applying BLP

Multics Multics was designed to be a secure, reliable,..., multi-user O/S. Multics became too cumbersome for some project members, who then created something much simpler, viz Unix. The history of the two systems illustrates for relation between commercial success and the balance between usability and security. We will sketch how the Bell-LaPadula model can be used in the design of a secure O/S. www.wiley.com/go/gollmann 26

Multics Interpretation of BLP The inductive definition of security in BLP makes it relatively easy to check whether a system is secure. To show that Multics is secure, we have to find a description of the O/S which is consistent with BLP, and verify that all state transitions are secure. www.wiley.com/go/gollmann 27

Subjects Subjects in Multics are processes. Each subject has a descriptor segment containing information about the process The security level of subjects are kept in a process level table and a current-level table. The active segment table records all active processes; only active processes have access to an object. www.wiley.com/go/gollmann 28

Objects For each object the subject currently has access to, there is a segment descriptor word (SDW) in the subject s descriptor segment. The SDW contains the name of the object, a pointer to the object, and flags for read, execute, and write access. segment descriptor word Segment_id pointer r: on e: off w: on www.wiley.com/go/gollmann 29

Directories Objects are memory segments, I/O devices,... Objects are organized hierarchically in a directory tree; directories are again segments. Information about an object, like its security level or its access control list (ACL), are kept in the object s parent directory. To change an object s access control parameters and to create or delete an object requires write or append access rights to the parent directory. www.wiley.com/go/gollmann 30

Compatibility To access an object, a process has to traverse the directory tree from the root directory to the target object. If any directory in this path is not accessible to the process, the target object is not accessible either. Compatibility: The security level of an object must always dominate the security level of its parent directory. www.wiley.com/go/gollmann 31

BLP State in Multics Current access b: stored in the SDWs in the descriptor segments of the active processes; the active processes are found in the active segment table. The descriptor segment base register (DSBR) points to the descriptor segment of the current process. Level function f: security levels of the subjects are stored in the process level table and the current-level table; the security level of an object is stored in its parent directory. Access control matrix M: represented by the ACLs; for each object, the ACL is stored in its parent directory; each ACL entry specifies a process and the access rights the process has on that object. www.wiley.com/go/gollmann 32

current process DSBR subject segment-id ptr w:off r:on e:off descriptor segment of current process segment-id object current pro. L c L C L O? segment-id L O current-level table parent directory www.wiley.com/go/gollmann 33

MAC in Multics Multics access attributes for data segments with translation to BLP access rights: read r execute e, r read & write w write a www.wiley.com/go/gollmann 34

The -property for Multics For any SDW in the descriptor segment of an active process, the current level of the process dominates the level of the segment if the read or execute flags are on and the write flag is off, is dominated by the level of the segment if the read flag is off and the write flag is on, is equal to the level of the segment if the read flag is on and the write flag is on. www.wiley.com/go/gollmann 35

Kernel Primitives Kernel primitives are the input operations in Multics Example: the get-read primitive requests read access to an object It takes as its parameters a process-id and a segment-id. If the state transitions in an abstract model of the Multics kernel preserve the BLP security policies, then the BLP Basic Security Theorem proves the security of Multics. www.wiley.com/go/gollmann 36

Conditions for get-read The O/S has to check whether the ACL of segment-id, stored in the segment's parent directory, lists process-id with read permission, the security level of process-id dominates the security level of segment-id, process-id is a trusted subject, or the current security level of process-id dominates the security level of segment-id. If all three conditions are met, access is permitted and a SDW in the descriptor segment of process-id is added/updated. www.wiley.com/go/gollmann 37

More Kernel Primitives release-read: release an object; the read flag in the corresponding SDW is turned off; if thereafter no flag is on, the SDW is removed from the descriptor segment. give-read: grant read access to another process (DAC). rescind-read: withdraw a read permission given to another process. www.wiley.com/go/gollmann 38

More Kernel Primitives create-object: create an object; the O/S has to check that write access on the object's directory segment is permitted and that the security level of the segment dominates the security level of the process. change-subject-current-security-level: the O/S has to check that no security violations are created by the change This kernel primitive, as well as the primitive changeobject-security-level were not intended for implementation (tranquility). www.wiley.com/go/gollmann 39

Aspects of BLP Descriptive capability of its state machine model: can be used for other properties, e.g. for integrity. Its access control structures, access control matrix and security levels: can be replaced by other structures, e.g. by S S O to capture delegation. The actual security policies, the ss-, -, and ds-properties: can be replaced by other policies (see Biba model). A specific application of BLP, e.g. its Multics interpretation. www.wiley.com/go/gollmann 40

Limitations of BLP Restricted to confidentiality. No policies for changing access rights; a complete general downgrade is secure; BLP intended for systems with static security levels. BLP contains covert channels: a low subject can detect the existence of high objects when it is denied access. Sometimes, it is not sufficient to hide only the contents of objects. Also their existence may have to be hidden. www.wiley.com/go/gollmann 41

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information