1 / 48

CS363

Week 8 - Wednesday. CS363. Last time. What did we talk about last time? Authentication Challenge response Biometrics Started Bell-La Padula model. Questions?. Project 2. Security Presentation. Yuki Gage. Bell-La Padula Model. Bell-La Padula overview.

don
Download Presentation

CS363

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Week 8 - Wednesday CS363

  2. Last time • What did we talk about last time? • Authentication • Challenge response • Biometrics • Started Bell-La Padula model

  3. Questions?

  4. Project 2

  5. Security Presentation Yuki Gage

  6. Bell-La Padula Model

  7. Bell-La Padula overview • Confidentiality access control system • Military-style classifications • Uses a linear clearance hierarchy • All information is on a need-to-know basis • It uses clearance (or sensitivity) levels as well as project-specific compartments

  8. Security clearances • Both subjects (users) and objects (files) have security clearances • Below are the clearances arranged in a hierarchy

  9. Simple security condition • Let levelO be the clearance level of object O • Let levelS be the clearance level of subject S • The simple security condition states that S can read O if and only if the levelO≤ levelS and S has discretionary read access to O • In short, you can only read down • Example? • In a few slides, we will expand the simple security condition to make the concept of level

  10. *-Property • The *-property states that S can write O if and only if the levelS≤ levelO and S has discretionary write access to O • In short, you can only write up • Example?

  11. Basic security theorem • Assume your system starts in a secure initial state • Let T be all the possible state transformations • If every element in T preserves the simple security condition and the *-property, every reachable state is secure • This is sort of a stupid theorem, because we define “secure” to mean a system that preserves the security condition and the *-property

  12. Adding compartments • We add compartments such as NUC = Non-Union Countries, EUR = Europe, and US = United States • The possible sets of compartments are: •  • {NUC} • {EUR} • {US} • {NUC, EUR} • {NUC, US} • {EUR, US} • {NUC, EUR, US} • Put a clearance level with a compartment set and you get a security level • The literature does not always agree on terminology

  13. Romaine lattice • The subset relationship induces a lattice {NUC, EUR, US} {NUC, EUR} {NUC, US} {EUR, US} {NUC} {EUR} {US} 

  14. Updated properties • Let L be a clearance level and C be a category • Instead of talking about levelO≤ levelS, we say that security level (L, C) dominates security level (L’, C’) if and only if L’ ≤ L and C’ C • Simple security now requires (LS, CS) to dominate (LO, CO) and S to have read access • *-property now requires (LO, CO) to dominate (LS, CS) and S to have write access • Problems?

  15. Clark-Wilson Model

  16. Clark-Wilson model • Commercial model that focuses on transactions • Just like a bank, we want certain conditions to hold before a transaction and the same conditions to hold after • If conditions hold in both cases, we call the system consistent • Example: • D is the amount of money deposited today • W is the amount of money withdrawn today • YB is the amount of money in accounts at the end of business yesterday • TB is the amount of money currently in all accounts • Thus, D + YB – W = TB

  17. Clark-Wilson definitions • Data that has to follow integrity controls are called constrained data items or CDIs • The rest of the data items are unconstrained data items or UDIs • Integrity constraints (like the bank transaction rule) constrain the values of the CDIs • Two kinds of procedures: • Integrity verification procedures (IVPs) test that the CDIs conform to the integrity constraints • Transformation procedures (TPs) change the data in the system from one valid state to another

  18. Clark-Wilson rules • Clark-Wilson has a system of 9 rules designed to protect the integrity of the system • There are five certification rules that test to see if the system is in a valid state • There are four enforcement rules that give requirements for the system

  19. Certification Rules 1 and 2 • CR1: When any IVP is run, it must ensure that all CDIs are in a valid state • CR2: For some associated set of CDIs, a TP must transform those CDIs in a valid state into a (possibly different) valid state • By inference, a TP is only certified to work on a particular set of CDIs

  20. Enforcement Rules 1 and 2 • ER1: The system must maintain the certified relations, and must ensure that only TPs certified to run on a CDI manipulate that CDI • ER2: The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user. If the user is not associated with a particular TP and CDI, then the TP cannot access that CDI on behalf of that user. • Thus, a user is only allowed to use certain TPs on certain CDIs

  21. Certification Rule 3 and Enforcement Rule 3 • CR3: The allowed relations must meet the requirements imposed by the principle of separation of duty • ER3: The system must authenticate each user attempting to execute a TP • In theory, this means that users don't necessarily have to log on if they are not going to interact with CDIs

  22. Certification Rules 4 and 5 • CR4: All TPs must append enough information to reconstruct the operation to an append-only CDI • Logging operations • CR5: Any TP that takes input as a UDI may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI • Gives a rule for bringing new information into the integrity system

  23. Enforcement Rule 4 • ER4: Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of any entity associated with that TP, may ever have execute permission with respect to that entity. • Separation of duties

  24. Clark-Wilson summary • Designed close to real commercial situations • No rigid multilevel scheme • Enforces separation of duty • Certification and enforcement are separated • Enforcement in a system depends simply on following given rules • Certification of a system is difficult to determine

  25. Chinese Wall Model

  26. Chinese Wall overview • The Chinese Wall model respects both confidentiality and integrity • It's very important in business situations where there are conflict of interest issues • Real systems, including British law, have policies similar to the Chinese Wall model • Most discussions around the Chinese Wall model are couched in business terms

  27. Chinese Wall definitions • We can imagine the Chinese Wall model as a policy controlling access in a database • The objects of the database are items of information relating to a company • A company dataset (CD) contains objects related to a single company • A conflict of interest (COI) class contains the datasets of companies in competition • Let COI(O) be the COI class containing object O • Let CD(O) be the CD that contains object O • We assume that each object belongs to exactly one COI

  28. COI Examples Bank COI Class Gasoline Company COI Class Bank of America a Citibank c Bank of the West b Shell Oil s Standard Oil e Union '76 u ARCO n

  29. CW-Simple Security Condition • Let PR(S) be the set of objects that S has read • Subject S can read O if and only if any of the following is true • There is an object O' such that S has accessed O' and CD(O') = CD(O) • For all objects O', O' PR(S) COI(O')  COI(O) • O is a sanitized object • Give examples of objects that can and cannot be read

  30. CW-*-Property • Subject S may write to an object O if and only if both of the following conditions hold • The CW-simple security condition permits S to read O • For all unsanitized objects O', S can read O'CD(O') = CD(O)

  31. Biba Model

  32. Biba overview • Integrity based access control system • Uses integrity levels, similar to the clearance levels of Bell-LaPadula • Precisely the dual of the Bell-LaPadula Model • That is, we can only read up and write down • Note that integrity levels are intended only to indicate integrity, not confidentiality • Actually a measure of accuracy or reliability

  33. Formal rules • S is the set of subjects and O is the set of objects • Integrity levels are ordered • i(s) and i(o) gives the integrity level of s or o, respectively • Rules: • s S can read o  O if and only if i(s) ≤ i(o) • s S can write to o  O if and only if i(o) ≤ i(s) • s1 S can execute s2  S if and only if i(s2) ≤ i(s1)

  34. Extensions • Rules 1 and 2 imply that, if both read and write are allowed, i(s) = i(o) • By adding the idea of integrity compartments and domination, we can get the full dual of the Bell-La Padula lattice framework • Real systems (for example the LOCUS operating system) usually have a command like run-untrusted • That way, users have to recognize the fact that a risk is being made • What if you used the same levels for integrity AND security, could you implement both Biba and Bell-La Padula on the same system?

  35. Theoretical Limitations on Access Control

  36. Determining security • How do we know if something is secure? • We define our security policy using our access control matrix • We say that a right is leaked if it is added to an element of the access control matrix that doesn’t already have it • A system is secure if there is no way rights can be leaked • Is there an algorithm to determine if a system is secure?

  37. Mono-operational systems • In a mono-operational system, each command consists of a single primitive command: • Create subject s • Create object o • Enter r into a[s,o] • Delete r from a[s,o] • Destroy subject s • Destroy object o • In this system, we could see if a right is leaked with a sequence of k commands

  38. Proof • Delete and Destroy commands can be ignored • No more than one Create command is needed (in the case that there are no subjects) • Entering rights is the trouble • We start with set S0 of subjects and O0 of objects • With n generic rights, we might add all n rights to everything before we leak a right • Thus, the maximum length of the command sequence that leaks a right is k ≤ n(|S0|+1)(|O0|+1) + 1 • If there are m different commands, how many different command sequences are possible?

  39. Turing machine • A Turing machine is a mathematical model for computation • It consists of a head, an infinitely long tape, a set of possible states, and an alphabet of characters that can be written on the tape • A list of rules saying what it should write and should it move left or right given the current symbol and state A

  40. Turing machine example • 3 state, 2 symbol “busy beaver” Turing machine: • Starting state A

  41. Church-Turing thesis • If an algorithm exists, a Turing machine can perform that algorithm • In essence, a Turing machine is the most powerful model we have of computation • Power, in this sense, means the ability to compute some function, not the speed associated with its computation

  42. Halting problem • Given a Turing machine and input x, does it reach the halt state? • It turns out that this problem is undecidable • That means that there is no algorithm that can be to determine if any Turing machine will go into an infinite loop • Consequently, there is no algorithm that can take any program and check to see if it goes into an infinite loop

  43. Leaking Undecidable

  44. Simulate a Turing machine • We can simulate a Turing machine using an access control matrix • We map the symbols, states and tape for the Turing machine onto the rights and cells of an access control matrix • Discovering whether or not the right leaks is equivalent to the Turing machine halting with a 1 or a 0

  45. The bad news • Without heavy restrictions on the rules for an access control, it is impossible to construct an algorithm that will determine if a right leaks • Even for a mono-operational system, the problem might take an infeasible amount of time • But, we don’t give up! • There are still lots of ways to model security • Some of them offer more practical results

  46. Upcoming

  47. Next time… • Finish theoretical limitations • Trusted system design elements • Common OS features and flaws • OS assurance and evaluation • Taylor Ryan presents

  48. Reminders • Read Sections 5.4 and 5.5 • Keep working on Project 2 • Finish Assignment 3

More Related