slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
MLS PowerPoint Presentation


105 Views Download Presentation
Download Presentation


- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. MLS Dan Fleck CS 469: Security Engineering 1 Coming up: Multi-Level Security These slides are modified with permission from Bill Young (Univ of Texas)

  2. Multi-Level Security An early security problem was protection of confidentiality within a military setting. Given information at various sensitivity levels and individuals having various degrees of trustworthiness, how do you control access to information within the system to protect confidentiality? This problem is called multi-level security (MLS) and predates computers. 2 Coming up: MLS Thought Experiment

  3. MLS Thought Experiment Setting: General Eisenhower’s office in 1943 Europe. Assume an environment in which there are • informationat different “sensitivity” levels: the war plan, the defense budget, the base softball schedule, the cafeteria menu, etc.; • individualspermitted access to selected pieces of information: Gen. Eisenhower, privates, colonels, secretaries, janitors, spies, etc. The goal: Understand what “security” might mean in this context and define a policy (some rules) to implement it. 3 Coming up: Risk Assessment

  4. Risk Assessment Question: What are we protecting? Against what threats? Answer: The confidentiality of information—no person not authorized to view a piece of information may have access to it. Very important proviso: For this thought experiment we are only concerned with confidentiality, not integrity or availability. 4 Coming up: Confidentiality Questions

  5. Confidentiality Questions Some questions appropriate for considering a confidentiality policy: • Is all of my data equally sensitive? If not, how do I group and categorize data? • How do I characterize who is authorized to see what? • How are the permissions administered and checked? • According to what rules? • Can authorizations change over time? 5 Coming up: Categorizing Data

  6. Categorizing Data Back to Gen. Eisenhower’s office. The relevant “space” of information contains lots of individual atoms or factoids: • The base softball team has a game tomorrow at 3pm. • The Normandy invasion is scheduled for June 6. • The cafeteria is serving chopped beef on toast today. • Col. Jones just got a raise. • Col. Smith didn’t get a raise. • The British have broken the German Enigma codes. • and so on. Not all information is equally sensitive. How do we group and categorize information rationally? 6 Coming up: Object Sensitivity Labels

  7. Object Sensitivity Labels Information is parceled out into separate containers (documents/folders/objects/files) labeledaccording to their sensitivity level. • One part of the label is taken from a linearly ordered set: • Unclassified, Confidential, Secret, Top Secret. • There are also “need-to-know” categories, from an unordered set, expressing membership within some interest group, e.g., Crypto, Nuclear, Janitorial, Personnel,etc. 7 Coming up: Sensitivity Labels

  8. Sensitivity Labels Ideally, the label on any folder reflects the sensitivity of the information contained within that folder. The label contains both a hierarchical component and a set of categories. For example, two documents might have levels: (Secret: {Nuclear, Crypto}), (Top Secret: {Crypto}). One can infer that the first contains somewhat sensitive information related to the categories Nuclear and Crypto. This second contains very sensitive information in category Crypto. Some security officer makes these labeling decisions. How they are made is outside the scope of our concern. 8 Coming up: Mixed Information

  9. Mixed Information Question: How do you label a document that contains “mixed information”? • Suppose the document contains both sensitive and non-sensitive information? Use the highest appropriate level. • Suppose it contains information relating to both the Crypto and Nuclear domains? Use both categories. Aside: Sometimes a decision is made that a document classification should be changed. This is called downgrading (or upgrading). 9 Coming up: Lessons

  10. Lessons for Categorizing Data • For our MLS example, we partition information into containers and provide labels that reflect the sensitivity of the information. • The labels are structured, with a hierarchical component and a set of need-to-know categories. • A folder with “mixed” information must be labeled to protect the information at the highest hierarchical level and protect all categories of information. 10 Coming up: MLS Thought Experiment

  11. MLS Thought Experiment Setting: General Eisenhower’s office in 1943 Europe. Assume an environment in which we have: • information at different “sensitivity” levels; • individuals permitted access to selected pieces of information. The goal: Understand what “security” (confidentiality) could mean in this context and define a policy (rules) to implement it. 11 Coming up: Folder Sensitivity Labels

  12. Folder Sensitivity Labels Information is parceled out into separate containers (documents/folders) labeled according to sensitivity level. Examples: (Secret: {Nuclear, Crypto}), (Top Secret: {Crypto}). A question we suggested for confidentiality policies is: How do I characterize who is authorized to see what? 12 Coming up: Authorization Levels

  13. Authorization Levels Let’s assign individuals clearancesor authorization levels, of the same form as document sensitivity levels. That is, each individual has: • a hierarchical security level indicating the degree of trustworthiness to which he or she has been vetted; • a set of “need-to-know categories” indicating domains of interest in which he or she is authorized to operate. Notice that labels on documents indicate the sensitivity of the contained information; “labels” on humans indicate classes of information that person is authorized to access. 13 Coming up: Least Privilege: An Aside

  14. Least Privilege: An Aside The need-to-know categories are a reflection that even within a given security level (such as Top Secret) not everyone needs to know everything. This is an instance of: Principle of Least Privilege: Any subject should have access to the minimum amount of information needed to do its job. This is as close to an axiom as anything in security. Why does it make sense? 14 Coming up: Now What?

  15. Now What? Question: Given that we have labels for documents and clearances for individuals, how do we decide which humans are permitted access to which documents? Answer: Surely it’s some relationship between the subject level and the object level. But what? Should a human with the given clearance be able to read a document at the given sensitivity? Coming up: Lessons 15

  16. Lessons • To control access by individuals to documents/folders, we need “labels” for both. • For documents the labels indicate the sensitivity of the information contained. • For individuals, the labels indicate the authorization (clearance) to view certain classes of information. • An individual should be given the minimal authorization to perform the job assigned. (Least Privilege) • Whether an individual should be able to view a specific document depends on a relationship between the label of the document and the clearance of the individual. Coming up: MLS Thought Experiment 16

  17. MLS Thought Experiment Recall that we’ve assigned sensitivity labels to documents and clearances to individuals within our MLS environment. Now we’re attempting to answer the following confidentiality question: How are the permissions administered and checked? According to what rules? 17 Coming up: A Little Vocabulary

  18. A Little Vocabulary In the type of security policy we’re constructing, the following terms are often used: Objects: the information containers protected by the system(documents, folders, files, directories, databases, etc.) Subjects: entities (users, processes, etc.) that execute activities and request access to objects. Actions: operations, primitive or complex, executed on behalf of subjects that may affect objects. The subjects in our MLS example are the humans; the objectsare the folders containing information. 18 Coming up: The Dominates Relation

  19. The Dominates Relation Given a set of security labels (L, S), comprising hierarchical levels and categories, we can define an ordering relation among labels. Definition: (L1, S1) dominates (L2, S2) iff • L1≥ L2 in the ordering on levels, and • S2⊆ S1. We usually write (L1, S1) ≥ (L2, S2). Note that this is a partial order, not a total order. I.e., there are security labels A and B, such that neither A ≥ B nor B ≥ A. S2 is a subset of S1 or equal to 19 Can you think of one? Coming up: Dominates Example

  20. Dominates Example In the following table, for which pairs does Label 1dominate Label 2? Does this suggest how you might decide whether to allow a subject to read an object? 20 Coming up: Simple Security Property

  21. Simple Security Property The following rule appears to capture our intuition about when a subject can read an object. The Simple Security Property: Subject S with clearance (LS , CS ) may be granted read access to object O with classification (LO, CO) if and only if (LS , CS ) ≥ (LO, CO). Operationally, an individual asking to see a document must show that his clearance level dominatesthe sensitivity level of the document. 21 Coming up: Lessons

  22. Lessons • The dominates relation formalizes a relationship between any two labels. • The Simple Security Property shows how to use dominates to decide whether a read access should be allowed. 22 Coming up: MLS Thought Experiment

  23. MLS Thought Experiment We introduced the following rule, which appears to capture our intuition about when a subject can read an object. The Simple Security Property: Subject S with clearance (LS , CS ) may be granted read access to object O with classification (LO, CO) only if (LS , CS ) ≥ (LO, CO). Is it all we need? What about other types of access? 23 Coming up: Do We Need Secure Writing?

  24. Do We Need Secure Writing? The Simple Security property codifies restrictions on readaccess to documents. What about writeaccess? Suppose someone with access to a Top Secret document copies the information onto a piece of paper and sticks it into an Unclassified folder. Has Simple Security been violated? No! Has confidentiality been violated? Clearly. 24 Coming up: Secure Writing

  25. Secure Writing In general, subjects in the world of military documents are personstrusted not to write classified information where it can be accessed by unauthorized parties. Subjects in the world of computing are often programsoperating on behalf of a trusted user (and with his or her clearance). Some program I run may have embedded malicious logic (a “trojan horse”) that causes it to “leak” information without my knowledge or consent. 25 Coming up: The *-Property

  26. The *-Property We restrict write access according to the following rule: The *-Property: Subject S with clearance (LS , CS ) may be granted write access to object O with classification (LO, CO) only if (LS , CS ) ≤ (LO, CO). This is pronounced “the star property.” How does it help? 26 Coming up: The *-Property

  27. The *-Property Does this rule make sense? Is it too restrictive? Is it too lax? • Can a commanding general with a Top Secret clearance email marching orders to a foot soldier with no clearance? No! • Can a corporal with no clearance overwrite the war plan? Nothing in our rules stops it, but that’s an integrity problem! Simple security and the *-property are sometimes characterized as “read down” and “write up,” respectively. Alternatively, they’re characterized as “no read up” and “no write down.” 27 Coming up: Lessons

  28. Lessons • Control over read and write operations is needed to prevent confidentiality breaches. • The *-property uses dominates to decide whether a write access should be allowed. • Controlling write access is especially crucial for computers because the accessing subject may be a programexecuting on behalf of a user. The user has been cleared; the program has not. 28 End of presentation