1 / 34

SESSION

SESSION. LATTICE-BASED ACCESS CONTROL MODELS Ravi Sandhu George Mason University Fairfax, Virginia USA. Denning's axioms and lattices Bell-LaPadula model (BLP) Integrity and information flow The Chinese Wall lattice. LATTICE-BASED MODELS. SC set of security classes

lisle
Télécharger la présentation

SESSION

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SESSION LATTICE-BASED ACCESS CONTROL MODELS Ravi Sandhu George Mason University Fairfax, Virginia USA

  2. Denning's axioms and lattices Bell-LaPadula model (BLP) Integrity and information flow The Chinese Wall lattice LATTICE-BASED MODELS

  3. SC set of security classes SC X SC flow relation (i.e., can-flow)  SC X SC -> SC class-combining operator DENNING'S AXIOMS < SC, ,  >

  4. SC is finite  is a partial order on SC SC has a lower bound L such that L  A for all A  SC  is a least upper bound (lub) operator on SC DENNING'S AXIOMS < SC, ,  > Justification for 1 and 2 is stronger than for 3 and 4. In practice we may therefore end up with a partially ordered set (poset) rather than a lattice.

  5. LATTICE STRUCTURES Compartments and Categories {ARMY, NUCLEAR, CRYPTO} {NUCLEAR, CRYPTO} {ARMY, NUCLEAR} {ARMY, CRYPTO} {NUCLEAR} {CRYPTO} {ARMY} {}

  6. LATTICE STRUCTURES Hierarchical Classes with Compartments {A,B} TS {B} {A} {} S product of 2 lattices is a lattice

  7. LATTICE STRUCTURES TS, {A,B} Hierarchical Classes with Compartments {B} {A} TS, TS, {} TS, S, {A,B} {A} S, {B} S, {} S,

  8. TS-AKLQWXYZ SMITH'SLATTICE TS-KLX TS-KQZ TS-KY TS-KL TS-X TS-W TS-X TS-Q TS-Z TS-L TS-Y TS-K S-LW TS S-L S-A S-W S C U

  9. With large lattices a vanishingly small fraction of the labels will actually be used Smith's lattice: 4 hierarchical levels, 8 compartments, therefore number of possible labels = 4*2^8 = 1024 Only 21 labels are actually used (2%) Consider 16 hierarchical levels, 64 compartments which gives 10^20 labels SMITH'S LATTICE

  10. EMBEDDING A POSET IN A LATTICE {A,B,C,D} {A,B,D} {A,B,C} {A,B,D} {A,B,C}  {A,B} {B} {A} {B} {A} such embedding is always possible {}

  11. SIMPLE-SECURITY Subject S can read object O only if label(S) dominates label(O) information can flow from label(O) to label(S) STAR-PROPERTY Subject S can write object O only if label(O) dominates label(S) information can flow from label(S) to label(O) BELL LAPADULA (BLP) MODEL

  12. BLP MODEL Top Secret Secret Confidential Unclassified dominance  can-flow

  13. Tranquility (most common): SECURE label is static for subjects and objects High water mark on subjects: SECURE label is static for objects label may increase but not decrease for subjects High water mark on objects: INSECURE label is static for subjects label may increase but not decrease for objects DYNAMIC LABELS IN BLP

  14. BIBA MODEL High Integrity Some Integrity Suspicious Garbage dominance  can-flow

  15. SIMPLE-INTEGRITY Subject S can read object O only if label(O) dominates label(S) information can flow from label(O) to label(S) STAR-PROPERTY Subject S can write object O only if label(S) dominates label(O) information can flow from label(S) to label(O) BIBA MODEL

  16. EQUIVALENCE OF BLP AND BIBA HI (High Integrity) LI (Low Integrity)  LI (Low Integrity) HI (High Integrity) BIBA LATTICE EQUIVALENT BLP LATTICE

  17. EQUIVALENCE OF BLP AND BIBA HS (High Secrecy) LS (Low Secrecy)  LS (Low Secrecy) HS (High Secrecy) BLP LATTICE EQUIVALENT BIBA LATTICE

  18. COMBINATION OF DISTINCT LATTICES HI HS, LI HS  LS, LI HS, HI LI LS, HI LS BLP BIBA EQUIVALENT BLP LATTICE GIVEN

  19. BLP and Biba are fundamentally equivalent and interchangeable Lattice-based access control is a mechanism for enforcing one-way information flow, which can be applied to confidentiality or integrity goals We will use the BLP formulation with high confidentiality at the top of the lattice, and high integrity at the bottom BLP AND BIBA

  20. S: System Managers O: Audit Trail LIPNER'SLATTICE S: System Control S: Application Programmers O: Development Code and Data S: System Programmers O: System Code in Development S: Repair S: Production Users O: Production Data O: Tools O: Repair Code O: Production Code LEGEND S: Subjects O: Objects O: System Programs

  21. Uses 9 labels from a possible space of 192 labels Audit trail is at lowest integrity Production users are only allowed to execute production code System control subjects are allowed to write down (with respect to confidentiality) or equivalently write up (with respect to integrity) LIPNER'S LATTICE

  22. Example of a commercial security policy for confidentiality Mixture of free choice (discretionary) and mandatory controls Introduced by Brewer-Nash in Oakland '89 CHINESE WALL POLICY

  23. A consultant can access information about at most one company in each conflict of interest class CHINESE WALL EXAMPLE ALL OBJECTS CONFLICT OF INTEREST CLASSES OIL COMPANIES BANKS X Y A B COMPANY DATASETS

  24. BREWER-NASH SIMPLE SECURITY S can read O only if O is in the same company dataset as some object previously read by S (i.e., O is within the wall) or O belongs to a conflict of interest class within which S has not read any object (i.e., O is in the open) READ ACCESS

  25. BREWER-NASH STAR-PROPERTY S can write O only if S can read O by the simple security rule and no object can be read which is in a different company dataset to the one for which write access is requested WRITE ACCESS

  26. cooperating Trojan Horses can transfer Bank A information to Bank B objects, and vice versa, using Oil Company X objects as intermediaries REASON FOR BN STAR-PROPERTY ALICE'S WALL BOB'S WALL Bank A Bank B Oil Company X Oil Company X

  27. Either S cannot write at all or S is limited to reading and writing one company dataset IMPLICATIONS OF BN STAR-PROPERTY

  28. Failure to clearly distinguish user labels from subject labels. WHY THIS IMPASSE?

  29. The high water mark of a user's principal can float up so long as it remain below SYSHIGH CHINESE WALL LATTICE SYSHIGH A, Y A, X B, X B, Y B, - -, X -, Y A, - SYSLOW

  30. USERS, PRINCIPALS, SUBJECTS ALICE.BANK A & OIL COMPANY X ALICE.OIL COMPANY X ALICE ALICE.BANK A ALICE.nothing USER PRINCIPALS

  31. USERS, PRINCIPALS, SUBJECTS JOE.TOP-SECRET JOE.SECRET JOE JOE.CONFIDENTIAL JOE.UNCLASSIFIED USER PRINCIPALS

  32. The Bell-LaPadula star-property is applied not to Joe but rather to Joe's principals Similarly, the Brewer-Nash star-property applies not to Alice but to Alice's principals USERS, PRINCIPALS, SUBJECTS

  33. So long as Denning’s axioms are satisfied we will get a lattice-based information flow policy One-directional information flow in a lattice can be used for secrecy as well as for integrity but does not solve either problem completely To properly understand and enforce Information Security policies we must distinguish between policy applied to users, and policy applied to principals and subjects CONCLUSION

  34. Ravi Sandhu, "Lattice-Based Access Control Models." IEEE Computer, November 1993, pages 9-19 REFERENCES

More Related