1 / 26

Information Security: Confidentiality Policies (Chapter 4)

Information Security: Confidentiality Policies (Chapter 4). Dr. Shahriar Bijani Shahed University. Slides References. Matt Bishop, Computer Security: Art and Science , the author homepage, 2002-2004. Chris Clifton, CS 526: Information Security course, Purdue university , 2010. .

airell
Télécharger la présentation

Information Security: Confidentiality Policies (Chapter 4)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Security:Confidentiality Policies(Chapter 4) Dr. ShahriarBijani Shahed University

  2. Slides References • Matt Bishop, Computer Security: Art and Science, the author homepage, 2002-2004. • Chris Clifton, CS 526: Information Security course, Purdue university, 2010.

  3. Chapter 5: Confidentiality Policies • Overview • What is a confidentiality model • Bell-LaPadula Model • General idea • Informal description of rules • Formal description of rules • Tranquility • Controversy • †-property • System Z

  4. Overview • Bell-LaPadula • Informally • Formally • Example Instantiation • Tranquility • Controversy • System Z

  5. Confidentiality Policy • Goal: prevent the unauthorized disclosure of information • Deals with information flow • Multi-level security models are best-known examples • Bell-LaPadula Model basis for many, or most, of these

  6. Background • Clearance levels • Top Secret • In-depth background check; highly trusted individual • Secret • Routine background check; trusted individual • For Official Use Only/Sensitive • No background check, but limited distribution; minimally trusted individuals • May be exempt from disclosure • Unclassified • Unlimited distribution • Untrusted individuals

  7. Bell-LaPadulaModel (Step 1) • Security levels arranged in linear ordering • Top Secret: highest • Secret • Confidential • Unclassified: lowest • Levels consist of: • Subject has security clearance L(s) = ls • Object has security classification L(o) = lo • Clearance/Classification ordered: • li < li+1 • Mandatory access control

  8. Example • Bill can read all files • Claire cannot read Personnel or E-Mail Files • John can only read Telephone Lists

  9. Reading Information • Information flows up, not down • “Reads up” disallowed, “reads down” allowed • Simple Security Condition (Step 1) • Subject s can read object oiff, L(o) ≤ L(s) and shas permission to read o • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) • Sometimes called “no reads up” rule

  10. Writing Information • Information flows up, not down • “Writes up” allowed, “writes down” disallowed • *-Property (Step 1) • Subject s can write object oiffL(s) ≤ L(o) and shas permission to write o • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) • Sometimes called “no writes down” rule

  11. Basic Security Theorem, Step 1 • If a system is initially in a secure state, and every transition of the system satisfies the simple security condition, step 1, and the *-property, step 1, then every state of the system is secure • Proof: induct on the number of transitions

  12. Basics: Partially Ordered Set • A Set S with relation  (written (S, ) is called a partially ordered set if  is • Anti-symmetric • If a  b and b  a then a = b • Reflexive • For all a in S, a  a • Transitive • For all a, b, c. a  b and b  c implies a  c

  13. Background: Posetexamples • Natural numbers with less than (total order) • Sets under the subset relation (not a total order) • Natural numbers ordered by divisibility

  14. Background: Lattice • Partially ordered set (S, ) and two operations: • greatest lower bound (glb X) • Greatest element less than all elements of set X • least upper bound (lub X) • Least element greater than all elements of set X • Every lattice has • bottom (glb L) a least element • top (lubL) a greatest element

  15. Background: Lattice examples • Natural numbers in an interval (0 .. n) with less than • Also the linear order of clearances (U  FOUO  S  TS) • The powerset of a set of generators under inclusion • E.g. Powerset of security categories {NUC, Crypto, ASI, EUR} • The divisors of a natural number under divisibility

  16. Bell-LaPadulaModel (Step 2) • Total order of classifications not flexible enough • Solution: Categories • S can access O if C(O)  C(S) • Combining with clearance: • (L,C) dominates (L’,C’) L’ = L and C’  C • Induces lattice instead of levels • Expand notion of security level to include categories • Security level is (clearance, category set)

  17. Bell-LaPadulaModel (blp) • Lattice Example1 • Lattice Example2 • ( Top Secret, { NUC, EUR, ASI } ) • ( Confidential, { EUR, ASI } ) • ( Secret, { NUC, ASI } ) {NUC, EUR, US} {NUC, EUR} {NUC, US} {EUR, US} {EUR} {US} {NUC} 

  18. Levels and Lattices • dom (dominates) relation • (L, C) dom(L, C) iffL≤ Land CC • Examples • (Top Secret, {NUC, ASI}) dom (Secret, {NUC}) • (Secret, {NUC, EUR}) dom (Confidential,{NUC, EUR}) • (Top Secret, {NUC}) dom (Confidential, {EUR}) • Let C be set of clearances, K set of categories. Set of security levels L = C  K, dom form lattice • lub(L) = (max(L),C) • glb(L) = (min(L), )

  19. Levels and Ordering • Security levels partially ordered • Any pair of security levels may (or may not) be related by dom • “dominates” serves the role of “greater than” in step 1 • But “greater than” is a total ordering,

  20. Reading Information • Information flows up, not down • “Reads up” disallowed, “reads down” allowed • Simple Security Condition (Step 2) • Subject s can read object oiffL(s) domL(o) ands has permission to read o • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) • Sometimes called “no reads up” rule

  21. Writing Information • Information flows up, not down • “Writes up” allowed, “writes down” disallowed • *-Property (Step 2) • Subject s can write object oiffL(o) domL(s) ands has permission to write o • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) • Sometimes called “no writes down” rule

  22. Basic Security Theorem (Step 2) • If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 2) and the *-property (step 2) then every state of the system is secure • Proof: induct on the number of transitions

  23. Example • George is cleared into security level (SECRET,{NUC, EUR}), DocAis classified as ( CONFIDENTIAL, { NUC } ), DocBis classified as ( SECRET, { EUR, US}), and DocCis classified as (SECRET, { EUR }). Then: • George domDocAas CONFIDENTIAL ≤SECRET and{ NUC }  { NUC, EUR } • George ¬domDocBas { EUR, US } { NUC, EUR } • George domDocCas SECRET ≤SECRET and { EUR } { NUC, EUR } • George can read DocA and DocC but not DocB(assuming the discretionary access controls allow such access). • Suppose Paul is cleared as (SECRET, { EUR, US, NUC }) and has discretionary read access to DocB. Paul can read DocB; were he to copy its contents to DocA and set its access permissions accordingly. George could then read DocB!? • *-property (step 2) prevents this

  24. Problem • Colonel has (Secret, {NUC, EUR}) clearance • Major has (Secret, {EUR}) clearance • Major can talk to colonel (“write up” or “read down”) • Colonel cannot talk to major (“read up” or “write down”) • Not Desired!

  25. Solution • Define maximum, current levels for subjects • maxlevel(s) domcurlevel(s) • Example • Treat Major as an object (Colonel is writing to him) • Colonel has maxlevel (Secret, { NUC, EUR }) • Colonel sets curlevel to (Secret, { EUR }) • Now L(Major) domcurlevel(Colonel) • Colonel can write to Major without violating “no writes down”

  26. Systems Built on Bell-LaPadula(BLP) • BLP was a simple model • Intent was that it could be enforced by simple mechanisms • File system access control was the obvious choice • Multics (1965) implemented BLP • Unix inherited its discretionary AC from Multics

More Related