Bell & LaPadula Model Security Policy Bell & LaPadula Model Types of Access Permission Matrix



Similar documents
Access Control Models Part I. Murat Kantarcioglu UT Dallas

Access Control: Policies, Models, and Mechanisms

Computer security Lecture 3. Access control

Access Control: Policies, Models, and Mechanisms

Database Security Part 7

... Lecture 3 Access Control. Information & Communication Security (WS 14/15) Prof. Dr. Kai Rannenberg

Part III. Access Control Fundamentals

Big Data and Scripting. Part 4: Memory Hierarchies

Access Control Intro, DAC and MAC. System Security

Introduction to Computer Security

Chapter 23. Database Security. Security Issues. Database Security

CSE543 - Introduction to Computer and Network Security. Module: Reference Monitor

Redo Recovery after System Crashes

CSE543 - Introduction to Computer and Network Security. Module: Access Control

Security Enhanced Linux and the Path Forward

A binary heap is a complete binary tree, where each node has a higher priority than its children. This is called heap-order property

Algorithms Chapter 12 Binary Search Trees

Analysis of Algorithms I: Binary Search Trees

Completeness, Versatility, and Practicality in Role Based Administration

Access Control Fundamentals

Security Models: Past, Present and Future

Chapter 12 File Management. Roadmap

Chapter 12 File Management

Operating Systems CSE 410, Spring File Management. Stephen Wagner Michigan State University


CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University

Comparing Microsoft SQL Server 2005 Replication and DataXtend Remote Edition for Mobile and Distributed Applications

A logical approach to dynamic role-based access control

Software Engineering

Concurrency Control. Chapter 17. Comp 521 Files and Databases Fall

Session objectives. Access control. Subjects and objects. The request. Information Security

Access Control. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Access Control.

Classification/Decision Trees (II)

THE IMPACT OF INHERITANCE ON SECURITY IN OBJECT-ORIENTED DATABASE SYSTEMS

Role-Based Access Control (RBAC): Features and Motivations

High level conflict management strategies in advanced access control models

Chapter 7. Sealed-bid Auctions

What is a secret? Ruth Nelson

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Database Monitoring Requirements. Salvatore Di Guida (CERN) On behalf of the CMS DB group

A Reputation Replica Propagation Strategy for Mobile Users in Mobile Distributed Database System

Access Control. 1 Overview of Access Control. Lecture Notes (Syracuse University) Access Control: 1. What is Access Control?

In initial planning phases In monitoring and execution phases

Data Structures Fibonacci Heaps, Amortized Analysis

1 File Management. 1.1 Naming. COMP 242 Class Notes Section 6: File Management

Operations: search;; min;; max;; predecessor;; successor. Time O(h) with h height of the tree (more on later).

Planning LDAP Integration with EMC Documentum Content Server and Frequently Asked Questions

Database Security. Soon M. Chung Department of Computer Science and Engineering Wright State University

Role-based access control. RBAC: Motivations

5.1 Bipartite Matching

Whitepaper: Manage Access Control for Network Resources with Securitay s Security Policy Manager

An Oracle White Paper March Oracle Label Security in Government and Defense Environments

Role Based Access Control

Domain 9 Security Architecture and Design

M. Sugumaran / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 2 (3), 2011,

Binary Search Trees. Data in each node. Larger than the data in its left child Smaller than the data in its right child

10/6/2015 PKI. What Is PKI. Certificates. Certification Authorities (CA) PKI Models. Certificates

NAVAL POSTGRADUATE SCHOOL DISSERTATION

Authentication Application

Identity Management and Access Control

Fundamentals of Telecommunications

DISCRETIONARY ACCESS CONTROL. Tran Thi Que Nguyet Faculty of Computer Science & Engineering HCMC University of Technology ttqnguyet@cse.hcmut.edu.

Quality Control in Spreadsheets: A Software Engineering-Based Approach to Spreadsheet Development

Role Based Access Control: Adoption and Implementation in the Developing World

Contents III: Contents II: Contents: Rule Set Based Access Control (RSBAC) 4.2 Model Specifics 5.2 AUTH

Restore and Recovery Tasks. Copyright 2009, Oracle. All rights reserved.

CS 2112 Spring Instructions. Assignment 3 Data Structures and Web Filtering. 0.1 Grading. 0.2 Partners. 0.3 Restrictions

Security Implications of Distributed Database Management System Models

Access Control Matrix

PES Institute of Technology-BSC QUESTION BANK

Approximation Algorithms

Row Echelon Form and Reduced Row Echelon Form

Information Security Information & Network Security Lecture 2

Concurrency control. Concurrency problems. Database Management System

Chapter 14. Outline. Database Support for Decision Making. Data and Database Administration

USING USER ACCESS CONTROL LISTS (ACLS) TO MANAGE FILE PERMISSIONS WITH A LENOVO NETWORK STORAGE DEVICE

CHAPTER 22 Database Security Integration Using Role-Based Access Control

Introduction to Apache YARN Schedulers & Queues

This section describes how to set up, find and delete community strings.

6.852: Distributed Algorithms Fall, Class 2

Protecting Respondents' Identities in Microdata Release

Development of the conceptual schema of the osticket system by applying TDCM

Modern Systems Analysis and Design

Transcription:

1 Security Policy A document that expresses clearly and concisely what the protection mechanisms are to achieve A statement of the security we expect the system to enforce Bell & LaPadula Model Formalization and specialization of the access model Security level is a classification and a set of categories Subjects and Objects have security levels Subjects also have a current security level 1 2 Bell & LaPadula Model Security level is a classification and a set of categories Subjects and Objects have security levels Subjects also have a current security level Security level SL1 dominates security level SL2 iff SL1 s classification SL2 s classification Some subjects are trusted to violate the basic policies of the model. This extends the model SL1 s categories are a superset of SL2 s categories 3 4 Types of Access Permission Matrix Read-only Append Execute Read-write Contains an entry for each subject-object pair Entries indicate the type of access that may be granted to the subject for the object 5 6 1

2 Permission Matrix Contains an entry for each subject-object pair Entries indicate the type of access that may be granted to the subject for the object Current Access List of subject, object, access triples that indicate all of the currently granted accesses Basic Security Theorem A system is secure iff Its initial state is secure Each action that starts in a secure state results in a secure state 7 8 Basic Security Theorem Invariants for the Model A system is secure iff Its initial state is secure Each action that starts in a secure state results in a secure state Secure State Satisfies SS - property * - property DS - property Current security level every subject s current security level must be dominated by its security level Simple security condition if subject S currently has read-only or readwrite access to object O, then the security level of S must dominate the security level of O 9 10 Star property if subject S currently has read-only or readwrite access to object O1 and has append or read-write access to object O2, then the security level of O2 must dominate the security level of O1 or S must be a trusted subject A trusted subject can be relied on not to compromise security even if some of its current accesses violate the star property Discretionary security property if subject S currently has access A for object O, then the permission matrix entry for S,O must contain A 11 12 2

3 The model has a set of rules for changing state Rules define the allowable ways that a system can transition from one state to another Rule 1 Get read-only access (S,O) read-only and the static security level of S dominates O and the (current level of S dominates the level of O or S is trusted), (S,O,read-only) 13 14 Rule 2 Get append access (S,O) append and the (current level of S is dominated by the level of O or S is trusted), (S,O,append) Rule 2 Get append access (S,O) append and the (current level of S is dominated by the level of O or S is trusted), (S,O,append) Rule 3 Get execute access (S,O) execute, (S,O,execute) 15 16 Rule 4 Get read-write access (S,O) read-write, the static security level of S dominates the level of O, and (the current level of S is equal to the level of O or S is trusted), (S,O,read-write) Rule 5 Release access (S,O,A) the triple (S,O,A) is removed from the current access list of subject S Tranquility Principle of strong tranquility security levels do not change during the lifetime of the system Principle of weak tranquility security levels do not change in a way that violates the rules of a given security policy 17 18 3

4 Rule 10 Change subject current security level (S,L) if the requested level is dominated by the subject s level and the (subject is trusted or the requested level would not violate the star property or SS property) then the subject s current level becomes the requested level weak tranquility Rule 10 Change subject current security level (S,L) If the requested level is dominated by the subject s level and the (subject is trusted or for all objects if the current access list contains the triple (S,O, append) then the level of O dominates L if the current access list contains the triple (S,O, read-write) then L equals the level of O if the current access list contains the triple (S,O, read) then L dominates the level of O ) then the subject s current level becomes the requested level 19 20 The model also includes a tree-structured hierarchy This adds another invariant Hierarchy compatibility the security levels of objects encountered on any path from the root node outward must be monotonically non decreasing Rule 8 Create object (S,O1,O,L) if the subject currently has append or read-write access to object O, and the requested level L dominates the level of O, then the new object O1 is inserted in the hierarchy below O and with the requested security level 21 22 Rule 9 Delete object group (S,O) if the indicated object O is not the root and the subject S has write access to the parent, then object O and its children are removed from the hierarchy, all current accesses to object O and its children are removed, and permission matrix entries for object O and its children are set to empty Rule 6 Give access (S1,S2,O, A) if subject S1 currently has write access to object O s parent, then the permission matrix entry for subject S2 and object O will be updated to include access A 23 24 4

5 Rule 7 Rescind access (S1,S2,O, A) if subject S1 currently has write access to object O s parent, then the permission matrix entry for subject S2 and object O is updated to remove access A and if S2 currently has access A for object O it is removed from the current access list The model also has the following constraint Tranquility principle the static security level of a subject may not change and if the security level of an object changes then the object was inactive 25 26 System Z Rule 11 Change object security level (S,O,L) Reasoning About Security Models John McLean IEEE Computer, January 1990 Questioned the validity of the Bell & LaPadula model 27 28 System Z Initial state is secure Only one action when a subject requests any access to any object every subject and object is downgraded to the lowest level permission is added to the access matrix the access is recorded in the current access System Z satisfies the Basic Security Theorem Yet it is not secure! Or is it? 29 30 5

6 McLean s Conclusions Integrity Model Proving that states are secure is insufficient to prove the security of a system One must consider both states and transitions Integrity level is based on the sensitivity to modification of information The higher the integrity level, the more confidence one has that a program will execute correctly The higher the integrity level of data, the more accurate and/or reliable 31 32 Subjects and Objects Integrity Levels C - crucial VI - very important I - important Access O - observation M - modification E - execute I - invocation Integrity Model 33 Non-Discretionary Integrity Policies Low-water mark policy for subjects Low-water mark policy for objects Ring policy Strict integrity policy Discretionary Integrity Policies Access control lists Object hierarchy Rings 34 Low-water mark policy for subjects Low water mark policy for objects After each observation, the integrity level of a subject is decreased to the minimum of its integrity level and the level of the object it observes When an object is modified by a subject at a lower integrity level the object s integrity level is decreased to that of the subject A subject can receive modify access only to objects at an equal or lower integrity level and invoke access only to subjects at an equal or lower integrity level 35 36 6

7 Ring policy Strict integrity policy Integrity levels of both subjects and objects are fixed A subject may observe an object at any level A subject may modify an object or invoke a subject at an equal or lesser integrity level Simple integrity condition Integrity *-property Invocation property 37 38 Discretionary Integrity Access Control Lists Access control lists If a subject can modify an object then it can modify the object s ACL Object hierarchy Rings 39 40 Object Hierarchy Rings To access any object a subject must have observe access for all of the object s ancestors Lower numbered rings have higher privilege Subjects may invoke any subjects of equal or lower privilege and subjects of higher privilege within a range Subjects may observe objects in an allowed range Subjects may modify objects in an allowed range 41 42 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information