Security Policies and Access Control PowerPoint Presentation
Presentation Transcript

  1. Security Policies and Access Control Dr. Weichao Wang

  2. Types of access control
     • Identity based access control (discretionary AC, the owner controls it): the access right is based on the identity of the subjects and objects
     • Mandatory access control (or rule based access control): the system controls access to an object and an individual user cannot override it
     • Originator controlled access control: the generator of the information controls access, not the owner (e.g. non-disclosure)
     • These methods can be used jointly

  3. Confidentiality policies: emphasize the protection of confidentiality
     • Also called information flow policies
     • Prevent unauthorized disclosure of information
     • Example: Bell-LaPadula model

  4. Bell-LaPadula model
     • One sentence description: no read up and no write down
     • Informal description
     • The simplest type of confidentiality classification is a set of security clearances arranged in an ordering
     • A subject has a “security clearance”
     • An object has a “security classification”
     • Goal: prevent a subject with low clearance from reading objects at high classification

  5. The Bell-LaPadula model combines mandatory and discretionary AC
     • Simple security condition (in plain English): S can read O if and only if the classification of O is NOT higher than the clearance of S, and S has discretionary read access to O.
     • Why do we need another rule?
     • Star-property (*-property, in plain English): S can write O if and only if the classification of O is NOT lower than the clearance of S, and S has discretionary write access to O.

  6. Basic security theorem (in plain English): A system has a secure initial state σ0, and a set of state transformations. If every transformation preserves the simple security condition and the star property, then every state σi is secure.

  7. Security clearance and classification provide one-dimensional control over access; how can we control access to information at the same level?
     • Discretionary (it works, but with too much overhead)
     • Introduce a second dimension: category
     • Each category describes a kind of information. Both subjects and objects can be in multiple categories.

  8. Now every subject and object needs to be described by a two-dimensional entry
     • Captain John Wayne: (Confidential, {army})
     • Pres. Obama: (TS, {army, navy, air force})
     • Lunch menu for Easy Company: (c, {army})
     • Plan to attack xxxx: (TS, {army, navy, air})
     • If S has the categories {army, navy}, S can read objects with {}, {army}, {navy}, and {army, navy}, provided the clearance and discretionary rights allow it.

  9. Now we have to redefine the confidentiality policies
     • Definition: a security level (l, c) dominates the security level (l′, c′) if and only if l′ ≤ l and c′ is a subset of c.
     • Example: George (s, {army, navy}), doc A (c, {army}), doc B (s, {army, air}), doc C (s, {navy})
     • George dominates doc A and doc C, but not doc B

  10. Now we can rewrite the simple security condition and *-property
     • Simple security condition: s can read o if and only if s dominates o and s has discretionary read access to o.
     • *-property: s can write to o if and only if o dominates s and s has discretionary write access to o.
     • Now we see what we mean by “no read up” and “no write down”

  11. We can redefine the basic security theorem as well
     • A system has a secure initial state σ0 and a set of state transformations. If every transformation preserves the simple security condition and the star property, then every state σi is secure.

  12. Now our system is safe from the view of confidentiality, but does it work?
     • How can a General send a file to a captain?
     • The model introduces a mechanism to solve the problem
     • A subject has a maximum security level (msl) and a current security level (csl)
     • msl must dominate csl
     • A subject can lower its current security level for communication purposes

  13. Example: General Alice (s, {army, navy}), captain Bob (c, {army}). Alice changes her security level to (c, {army}) and talks to Bob.
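Added example, not from the slides: a Python check of the dominance relation and the rewritten simple security condition and *-property (slides 9 and 10), plus the msl/csl lowering of slides 12 and 13. The clearance ordering u < c < s < ts, the `Subject` class and the object names are assumptions.

```python
from typing import FrozenSet, NamedTuple

class Level(NamedTuple):
    """A Bell-LaPadula level: a clearance/classification plus a category set."""
    clearance: str
    categories: FrozenSet[str]

# Assumed linear ordering of the clearances used on the slides, lowest to highest.
ORDER = {"u": 0, "c": 1, "s": 2, "ts": 3}

def level(clearance: str, *categories: str) -> Level:
    return Level(clearance, frozenset(categories))

def dominates(a: Level, b: Level) -> bool:
    """(l, c) dominates (l', c') iff l' <= l and c' is a subset of c."""
    return ORDER[b.clearance] <= ORDER[a.clearance] and b.categories <= a.categories

def can_read(subject: Level, obj: Level, dac_read: bool = True) -> bool:
    """Simple security condition: s dominates o and s has discretionary read access."""
    return dac_read and dominates(subject, obj)

def can_write(subject: Level, obj: Level, dac_write: bool = True) -> bool:
    """*-property: o dominates s and s has discretionary write access (no write down)."""
    return dac_write and dominates(obj, subject)

class Subject:
    """Subject with a maximum (msl) and current (csl) level; msl must dominate csl."""
    def __init__(self, msl: Level) -> None:
        self.msl = self.csl = msl

    def lower_to(self, new_csl: Level) -> None:
        # A subject may only move to a current level that its maximum level dominates.
        if not dominates(self.msl, new_csl):
            raise ValueError("maximum security level must dominate the current level")
        self.csl = new_csl

# Constructed instances taken from slide 9.
george = level("s", "army", "navy")
doc_a, doc_b, doc_c = level("c", "army"), level("s", "army", "air"), level("s", "navy")

if __name__ == "__main__":
    for name, doc in (("A", doc_a), ("B", doc_b), ("C", doc_c)):
        print(f"George reads doc {name}: {can_read(george, doc)}")   # True False True
    # General Alice lowers her current level to talk to captain Bob (slide 13).
    alice, bob_inbox = Subject(level("s", "army", "navy")), level("c", "army")
    print("write at msl:", can_write(alice.csl, bob_inbox))          # False: no write down
    alice.lower_to(level("c", "army"))
    print("write at lowered csl:", can_write(alice.csl, bob_inbox))  # True
```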

  14. An example: Data General’s B2 Unix system
     • Enforces mandatory access control (MAC)
     • Uses an updated version of Bell-LaPadula
     • Read down is permitted
     • Writes have to be at the same level
     • To allow communication, B2 Unix gives processes and objects a range of labels, where the upper bound must dominate the lower bound

  15. Chinese Wall Model: tries to handle both confidentiality and integrity
     Problem:
     • Tony advises American Bank about investments
     • He is asked to advise Toyland Bank about investments
     • Conflict of interest to accept, because his advice for either bank would affect his advice to the other bank
     • Something to think about: advertising for both Coke and Pepsi; a real estate broker

  16. Organization
     • Organize entities into “conflict of interest” classes
     • Control subject accesses to each class
     • Control writing to all classes to ensure information is not passed along in violation of rules
     • Allow sanitized data to be viewed by everyone

  17. Definitions
     • Objects: items of information related to a company
     • Company dataset (CD): contains objects related to a single company
     • CD(O): the dataset that contains O
     • Conflict of interest class (COI): contains datasets of companies in competition
     • COI(O): the COI class that contains O
     • Assume: each object belongs to exactly one COI class

  18. Example
     • Bank COI Class: Bank of America, Citibank, Bank of the West
     • Gasoline Company COI Class: Shell Oil, Standard Oil, ARCO, Union ’76

  19. Temporal Element
     • There is a temporal issue we have to consider: information obtained now may have an impact for a following period of time
     • If Anthony reads any CD in a COI, he should not read another CD in that COI
     • Possible that information learned earlier may allow him to make decisions later
     • Let PR(S) be the set of objects that S has already read (this keeps a record of history)
     • In real life, the temporal element usually has an expiration period: otherwise ---

  20. CW-Simple Security Condition
     • s can read o iff either condition holds:
     • There is an o′ such that s has accessed o′ and CD(o′) = CD(o)
     • Meaning s has read something in the same dataset
     • For all o′ ∈ O, o′ ∈ PR(s) ⇒ COI(o′) ≠ COI(o)
     • Meaning s has not read any objects in o’s conflict of interest class
     • With these rules, s can read either data in the same CD or data in a different COI
     • Ignores sanitized data (see below)
     • Initially, PR(s) = ∅, so the initial read request is granted

  21. Some derived results
     • If s has read something in a COI, the only other data she can read in that COI is from the same CD
     • If a COI contains n CDs, we need at least n people if we want to make sure every CD can be read by someone

  22. Sanitization
     • Public information may belong to a CD
     • As it is publicly available, no conflicts of interest arise
     • So, it should not affect the ability of analysts to read
     • Typically, all sensitive data is removed from such information before it is released publicly (called sanitization)
     • Add a third condition to the CW-Simple Security Condition: 3. o is a sanitized object

  23. Prevent Disclosure through Writing
     • Anthony and Susan work in the same trading house
     • Anthony can read Bank 1’s CD and Gas 1’s CD
     • Susan can read Bank 2’s CD and Gas 1’s CD
     • If Anthony could write to Gas 1’s CD, Susan could read it
     • Anthony reads from Bank 1’s CD and writes to Gas 1’s CD; now Susan can read it
     • Hence, indirectly, she can read information from Bank 1’s CD, a clear conflict of interest

  24. CW-*-Property
     • s can write to o iff both of the following hold:
     • The CW-simple security condition permits s to read o; and
     • For all unsanitized objects o′, if s can read o′, then CD(o′) = CD(o)
     • What is implied: if s can write to an object, then all the (unsanitized) objects it can read are in the same dataset

  25. Compare to Bell-LaPadula
     • Fundamentally different
     • CW has no security labels, B-LP does
     • CW has a notion of past accesses, B-LP does not
     • Bell-LaPadula can capture the state at any time
     • Each (COI, CD) pair gets a security category
     • Two clearances, S (sanitized) and U (unsanitized)
     • Subjects are assigned clearances for compartments without multiple categories corresponding to CDs in the same COI class
     • Both the simple condition and the *-property will be enforced

  26. Compare to Bell-LaPadula
     • Bell-LaPadula cannot track changes over time
     • Susan becomes ill, Anna needs to take over
     • C-W history lets Anna know if she can
     • No way for Bell-LaPadula to capture this
     • Access constraints change over time
     • Initially, subjects in C-W can read any object
     • Bell-LaPadula constrains the set of objects that a subject can access
     • Can’t clear all subjects for all categories, because this violates the CW-simple security condition