1 / 23

Special systems: MLS

Special systems: MLS. Multilevel security [“Red book” US-DOD 1987] Considers the assurance risk when composing multilevel secure systems evaluated under security evaluation criteria. Analyzing the security of interoperating and individually secure systems can be done in polynomial time.

Download Presentation

Special systems: MLS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Special systems: MLS • Multilevel security [“Red book” US-DOD 1987] • Considers the assurance risk when composing multilevel secure systems evaluated under security evaluation criteria. • Analyzing the security of interoperating and individually secure systems can be done in polynomial time. • Given a non-secure network configuration, then re-configuring the connections in an optimal way (to minimize the impact on interoperability) is NP.

  2. Multilevel Security (MLS)[Bell LaPadula Model] • Security levels L define classification of subjects (processes) and objects. • eg, Unclassified, Secret, Top-Secret. • Policy: lattice of security levels (L,<=) • x<=y: level x information may flow to level y. • Unclassified < Secret < Top-Secret

  3. Evaluation Criteria[“Orange” & “Red” Books] • MLS systems assured to different levels of assurance based on evaluation criteria. • (worst) D<C1<C2<C3<B1<B2<B3<A1 (best). • Evaluated systems must meet minimum risk requirements. • Systems storing high-risk combinations of data need high levels of assurance.

  4. B2 B3 TS TS B1 S S S U U Configuring MLS NetworksChannel Cascade Attacks • Each evaluated system meets criteria. • However, network has cascading risk: • Attacker breaks system A, copies TS data to S, • copies this data from System A to B to C, • breaks system C, copies S(TS) data to U. • B3 assurance required when protecting TS and U, but cascade attack breaks B2 and lower systems. B C A

  5. B2 B3 TS TS B2 B1 S S S B3 B3 B3 B1 U U Modeling MLS networksStrategy • effort((s,l),(s’,l’)) • The minimum effort required to compromise the network and copy/downgrade level l information held on system s to level l’ on system s’ • Cascade problem if exists s,s’ and l, l’: • effort((s,l),(s’,l’)) < system-assurance B C A

  6. B2 B3 TS TS B1 S S S B3 B2 B3 B1 U U Modeling MLS networksStrategy (using Constraints) • Systems as flow-constraints between the levels of data that they store. B C A

  7. B2 B3 TS TS B1 S S S U U Modeling MLS networksStrategy (using Constraints) • Systems as flow-constraints between the levels of data that they store. • Networks as flow-constraints that represent the channels that connect systems B C A

  8. B2 B3 TS TS B1 S S S U U Modeling MLS networksStrategy (using Constraints) • Systems as flow-constraints between the levels of data that they store. • Networks as flow-constraints that represent the channels that connect systems • Soft constraint semi-ring as assurance levels B 3 2 C A 0 0 3 1

  9. B2 B3 TS TS B1 S S S U U Modeling MLS networksStrategy (using Constraints) • Systems as flow-constraints between the levels of data that they store. • Networks as flow-constraints that represent the channels that connect systems • Soft constraint semi-ring as assurance levels • Cascade Detection: finding cascades. B 2 C A 0 3 3

  10. B2 B3 TS TS B1 S S S U U Modeling MLS networksStrategy (using Constraints) • Systems as flow-constraints between the levels of data that they store. • Networks as flow-constraints that represent the channels that connect systems • Soft constraint semi-ring as assurance levels • Cascade Detection: finding cascades. B 2 C A 0 0 1 3

  11. B TS A TS S S U C D S S U Ex1: Cascade Free Path

  12. B TS A TS S S U C D S S U Ex1: Cascade Free Path TsA TsB SsC *1s TdA SdB UdC *1d B2 B3 TS TS C A B1 S S S U U

  13. E = max( {0,0,3,0,1,0,0} ) = 3 TsA TsB SsC *1s 0 0 3 0 1 0 0 TdA SdB UdC *1d B R(TsA,SdB) 2 TS A TS S R(TsA,UdC) 3 S U C 0 R(TSA, *1d) D S S U R = max( {2,3,0} ) = 3 Ex1: Cascade Free Path

  14. B TS A TS S S U C D S S U Ex2: Cascading Path

  15. B TS A TS S S U C D S S U Ex2: Cascading Path B2 TS D C2 C A B1 S S S U

  16. E = max( {2,0,0,0,1,0,0} ) = 2 2 0 0 0 1 0 0 B R(TsA,SdD) 2 TS A TS S R(TsA,UdC) 3 S U C 0 R(TsA ,*1d) D S S U R = max( {2,3,0} ) = 3 Ex2: Cascading Path TsA SsD SsC *1s SdA SdD UdC *1d

  17. Conclusion • Secure interoperation is difficult! • Remember: when you compose two secure systems you could obtain a not secure system! • In real life: • Add comunications only when really needed!

  18. Questions? • Thank you for your attention

  19. C={pairwise-different} x1 {yellow} a} C, PC, con, def, V, D, {red,blue} x2 x3 {blue,yellow} x1 x2 x3 x4 x4 {red,blue,yellow} Crisp toward soft constraints P={ combination projection

  20. 5$ C={pairwise-different} x1 3$ {yellow} • C-semiring <A,+,´,0,1>: {red,blue} x2 2$ Weighted x3 {blue,yellow} <+,min,+,+,0> x1 x2 x3 x4 Probabilistic <[0,1],max,,0,1> x4 {red,blue,yellow} Fuzzy <[0,1],max,min,0,1> Classical <{false,true},,,false,true> 15$ 15$ Combination (+) 13$ 13$ 15$ Projection (min) Crisp toward soft constraints

  21. The Semiring Framework • A c-semiring is a tuple <A,+,×,0,1> such that: • A is the set of all consistency values and 0, 1A.0is thelowest consistency value and 1 is the highest consistency value; • +, the additive operator, is a closed, commutative, associativeand idempotent operation such that 1 is its absorbing elementand 0 is its unit element; • ×, the multiplicative operator, is a closed and associative operationsuch that 0is its absorbing element, 1is its unit elementand × distributes over +. Stefano Bistarelli, Ugo Montanari, and Francesca Rossi,Semiring-based Constraint Solving and Optimization Journal of the ACM, 44(2):201–236, Mar1997.

  22. Semiring-based Constraints • Given a semiring<A,+,×, 0, 1>, an ordered set of variablesV over a finite domain D, a constraint is a function which mapsan assignment  of the variables in the support of c, supp(c) toan element of A. • Notation c represents the constraint function c evaluated underinstantiation , returning a semiring value. • Given two constraints c1 and c2, their combination is defined as(c1c2) = c1×c2 . • The operation C represents the combination of a set ofconstraints C. • a· b iff a+b=b • c1v c2 iff 8 c1· c2 Stefano Bistarelli, Ugo Montanari and Francesca Rossi,Soft Concurrent Constraint Programming, Proceedings of ESOP-2002, LNCS, April 2002.

More Related