Intergrity Policies CS3SR3/SE3RA3. Ryszard Janicki. Outline Integrity Policies The Biba Integrity Model

Similar documents
May 1: Integrity Models

Chapter 6: Integrity Policies

CSE509: (Intro to) Systems Security

Integrity Policies. Murat Kantarcioglu

Discretionary Vs. Mandatory

CS 392/ CS Computer Security. Nasir Memon Polytechnic University Module 7 Security Policies

Access control models and policies. Tuomas Aura T Information security technology

Security Models Trusted Zones SPRING 2018: GANG WANG

Computer Security. Access control. 5 October 2017

Computability and Complexity

CCM Lecture 14. Security Models 2: Biba, Chinese Wall, Clark Wilson

Access control models and policies

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Access Control Models Part II

Policy, Models, and Trust

A SECURITY MODEL FOR MILITARY MESSAGE SYSTEMS

Lecture 4: Bell LaPadula

On Five Denitions of Data Integrity 1. George Mason University.

Lecture 5: Integrity Models

Complex Access Control. Steven M. Bellovin September 10,

Intrusion Detection Types

Access Control Part 3 CCM 4350

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

Access control models and policies

Access Control. Discretionary Access Control

Foundations of Computer Security

CSE Computer Security

Chapter 7: Hybrid Policies

A NEW APPROACH TO DYNAMIC INTEGRITY CONTROL

Asbestos Operating System

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Dion Model. Objects and their classification

DESIGNING THE GEMSOS SECURITY KERNEL FOR SECURITY AND PERFORMANCE * Dr. Roger R. Schell Dr. Tien F. Tao Mark Heckman

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Access Control Models

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Access Control (slides based Ch. 4 Gollmann)

8.3 Mandatory Flow Control Models

Advanced Systems Security: Integrity

Chapter 15: Information Flow

Towards generating a data integrity standard

Towards Formal Evaluation of a High-Assurance Guard

L17: Assurance. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

An Overview of Production Rules. University of Florida. IBM Almaden Research Center. Abstract

Verifiable Security Goals

Lecture 2 - Graph Theory Fundamentals - Reachability and Exploration 1

Authorized licensed use limited to: Georgia State University. Downloaded on March 27, 2009 at 10:20 from IEEE Xplore. Restrictions apply.

Fault-Tolerant Real-Time Communication in FDDI-Based Networks. Biao Chen, Sanjay Kamat and Wei Zhao. Texas A&M University

ANIMATION OF ALGORITHMS ON GRAPHS

Real4Test. Real IT Certification Exam Study materials/braindumps

CS52600: Information Security

Different Aspects of Digital Preservation

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Recommendations for LXI systems containing devices supporting different versions of IEEE 1588

A Guide to Understanding Audit in Trusted Systems

PASSWORD. R2.5 : Certication Authority. Requirements. Michael Roe. Computer Security Group. Version 1.0

CSE Computer Security

A taxonomy of race. D. P. Helmbold, C. E. McDowell. September 28, University of California, Santa Cruz. Santa Cruz, CA

Transport protocols are of practical. login, le transfer, and remote procedure. calls. will operate on and therefore are generally

ER E P M S S I TRANSLATION OF CONDITIONAL COMPIL DEPARTMENT OF COMPUTER SCIENCE UNIVERSITY OF TAMPERE REPORT A

Fundamentals of Database Systems

Institut fur Informatik, Universitat Klagenfurt. Institut fur Informatik, Universitat Linz. Institut fur Witschaftsinformatik, Universitat Linz

processes on clients are assumed to be read-only. There has been some very recent concurrent related work [Pit99]. One of their approaches (based on s

A Comparison of Methods for Implementing Adaptive Security Policies

Requirements Specication

System design issues

DRAFT for FINAL VERSION. Accepted for CACSD'97, Gent, Belgium, April 1997 IMPLEMENTATION ASPECTS OF THE PLC STANDARD IEC

CS590U Access Control: Theory and Practice. Lecture 5 (January 24) Noninterference and Nondeducibility

Architectural Support for A More Secure Operating System

requests or displaying activities, hence they usually have soft deadlines, or no deadlines at all. Aperiodic tasks with hard deadlines are called spor

Information Security Theory vs. Reality

As a software engineering paradigm, techniques that support separation of concerns for synchronisation, real-time constraints, failures and others hav

P1_L6 Mandatory Access Control Page 1

Self-Organization Algorithms SelfLet Model and Architecture Self-Organization as Ability Conclusions

Cryptography and Network Security Overview & Chapter 1. Network Security. Chapter 0 Reader s s Guide. Standards Organizations.

L1: Computer Security Overview. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

.Math 0450 Honors intro to analysis Spring, 2009 Notes #4 corrected (as of Monday evening, 1/12) some changes on page 6, as in .

Path Consistency Revisited. Moninder Singh. University of Pennsylvania. Philadelphia, PA

Global Transactions Global Transaction Global Manager Transaction Interface Global Global Scheduler Recovery Manager Global Log Server Log

Evaluation and lessons learnt from scenario on Real-time monitoring, reporting and response to security incidents related to a CSP

External CB. Evaluation. Conflict correcting. Strict. Evaluation. Loose. Conflict Identifying. Evaluation. Harmonization. Security Enforcement

World-Wide Network. Client host system. Proximity Server. Administrative Domain

Cryptography and Network Security Chapter 1

database (if it is there). The rules (1) and (2) have also an obvious declarative interpretation. To provide a precise semantics to revision programs,

Judith N. Froscher. Charles N. Payne, Jr. Code Naval Research Laboratory. Washington, D.C. October 12, 1992

Labels and Information Flow

A Formal Analysis of Solution Quality in. FA/C Distributed Sensor Interpretation Systems. Computer Science Department Computer Science Department

Documentation Open Graph Markup Language (OGML)

Parallel Rewriting of Graphs through the. Pullback Approach. Michel Bauderon 1. Laboratoire Bordelais de Recherche en Informatique

On Key Assignment for Hierarchical Access Control

Towards a Reference Framework. Gianpaolo Cugola and Carlo Ghezzi. [cugola, P.za Leonardo da Vinci 32.

To appear in: IEEE Transactions on Knowledge and Data Engineering. The Starburst Active Database Rule System. Jennifer Widom. Stanford University

Working Book Title: INFORMATION SYSTEM SECURITY: a management challenge. CHAPTER 3: Designing Technically Secure IS: formal models

Access Control Mechanisms

Outline. 1 About the course

Localization in Graphs. Richardson, TX Azriel Rosenfeld. Center for Automation Research. College Park, MD

Outline. Computer Science 331. Information Hiding. What This Lecture is About. Data Structures, Abstract Data Types, and Their Implementations

2 Data Reduction Techniques The granularity of reducible information is one of the main criteria for classifying the reduction techniques. While the t

LET S ENCRYPT SUBSCRIBER AGREEMENT

Transcription:

Intergrity Policies CS3SR3/SE3RA3 Ryszard Janicki Acknowledgments: Material based on Computer Security: Art and Science by Matt Bishop (Chapter 6) Ryszard Janicki Intergrity Policies 1 / 13

Outline 1 2 Ryszard Janicki Intergrity Policies 2 / 13

Outline Denition (Integrity) Trustworthiness of data or resources. Integrity policies focus on integrity rather than condentiality, as most commercial and industrial rms are more concerned with accuracy than disclosure. Commercial requirements dier from military requirements in their emphasizes on preserving data integrity. Ryszard Janicki Intergrity Policies 3 / 13

Goals & Requirements 1 Users will not write their own programs, but will use existing production programs and databases. 2 Programmers will develop and test programs on a non-production system; if they need access to actual data, they will be given production data via a special process, but will use it on their development system. 3 A special process must be followed to install a program from the development system onto the production system. 4 The special process in requirement 3 must be controlled and audited. 5 The managers and auditors must have access to both the system state and the system logs that are generated. Ryszard Janicki Intergrity Policies 4 / 13

Principles of Operation Example SEPARATION OF DUTY: If two or more steps are required to perform a critical function, at least two dierent people should perform the steps. Critical function = moving a program from the development system to the production system. SEPARATION OF FUNCTION: Do not develop new programs on existing production systems. Do not process real production data on development system. Development environment and actual production environment should be as similar as possible. AUDITING: The process of analyzing systems to determine what actions took place and who performed them. Commercial systems emphasize recovery and accountability. Ryszard Janicki Intergrity Policies 5 / 13

Denition (Biba Model) A system consists of a set S of subjects, a set O of objects, and a set I of integrity levels. For each i 1, i 2 I, we say i 1 < i 2 if i 2 dominates i 1. We assume < is a total order (for each i 1, i 2 : i 1 < i 2 i 2 < i 1 i 1 = i 2 ). The function min(i 1, i 2 ) giver the smaller (w.r.t. <) element. The function i : S O I returns the integrity level of an object or a subject. The relation r S O denes the ability of a subject to read an object. The relation w S O denes the ability of a subject to write to an object. The relation x S O denes the ability of a subject to invoke (execute) another object. Ryszard Janicki Intergrity Policies 6 / 13

Intuition of Biba Integrity Model The higher the level, the more condence one has that a program will execute correctly, or detect problems with its inputs and stop executing. Data at a higher level is more accurate and/or reliable (with respect to some metric) than data on lower level. TRUST: a process at a higher level than that of an object is considered more trustworthy than that object. Integrity labels, in general, are not also security labels. SECURITY LABELS: limit the ow of information, INTEGRITY LABELS: inhibit the modication of information. There are three versions of Biba's models: Low-Water-Mark, Ring and Strict Integrity. Ryszard Janicki Intergrity Policies 7 / 13

Information Transfer Path Denition An Information Transfer Path is a sequence of objects o 1,..., o n+1 and a corresponding sequence of subjects s 1,..., s n such that s i r o i and s i w o i+1, for all i = 1,..., n. Intuitively, data in the object o 1 can be transferred into the object o n+1 along an information ow pathy by a succession of reads and writes. Ryszard Janicki Intergrity Policies 8 / 13

Low Water Mark Policy Denition Whenever a subject accesses and object, the policy changes the integrity level of the subject to the lower of the subject and the object. Specically: 1 s S can write o O i(o) i(s), 2 if s S reads o O, then i (s) = min(i(s), i(o)), where i (s) is the subject's integrity level after the read, 3 s 1 S can execute s 2 S i(s 2 ) i(s 1 ). Rule (1) prevents writing to a higher level. This prevents a subject from writing to a more highly trusted object. Rule (2) causes a subject's integrity level to drop whenever it reads an object at a lower integrity level. Rule (3) allows a subject to execute another subject provided the second is not at a higher integrity level. Ryszard Janicki Intergrity Policies 9 / 13

Low Water Mark Policy: Motivations 1 Number one prevents a subject from writing to a more highly trusted object. Intuitively, if a subject were to alter a more trusted object, it could implant incorrect or false data (because the subject is less trusted that than the object). In some sense, the trustworthiness of the object would drop to that of the subject. Hence such writing is disallowed. 2 The idea is that the subject is relying on data less trustworthy than itself. Hence, its trustworthiness drops to the lesser trustworthy level. This prevents data from contaminating the subject or its action. 3 Otherwise, the less trusted invoker could control the execution of the invoked object, corrupting it even though it is more trustworthy. Ryszard Janicki Intergrity Policies 10 / 13

Low Water Mark Policy Theorem (Policy Constraints) If there is an information transfer path from object o 1 O to object o n+1 O, then enforcement of the low water mark policy requires that i(o n+1 ) i(o 1 ), for all n 1. This policy prevents direct modications that lower integrity labels. It also prevents indirect modication by lowering the integrity label of a subject that reads from an object with a lower integrity level. The problem with this policy is that, in practice, the subjects change integrity levels. In particular, the level of a subject is non-increasing, which means that it will soon be unable to access objects at a high integrity level. An alternative policy is to decrease object integrity levels rather than subject integrity levels, but this policy has the property of downgrading object integrity levels to the lowest level. Ryszard Janicki Intergrity Policies 11 / 13

Ring Policy Outline The Ring Policy ignores the issue of indirect modication and focuses on direct modication only. It solves the problems from the previous page! Denition (Ring Policy) 1 Any subject may read any object, regardless of integrity level. 2 s S can write o O i(o) i(s). 3 s 1 S can execute s 2 S i(s 2 ) i(s 1 ). The dierence between this policy and the low water mark policy is that any subject can read any object. Ryszard Janicki Intergrity Policies 12 / 13

Strict Integrity Policy Outline This model is dual to the Bell-LaPadula Model. Denition (Strict Integrity Policy) 1 s S can read o O i(s) i(o). 2 s S can write o O i(o) i(s). 3 s 1 S can execute s 2 S i(s 2 ) i(s 1 ). The Policy Constraint Theorem still holds. Rules (1) and (2) imply that if both read and write are allowed: i(o) = i(s). Like the low water mark policy, this policy prevents indirect as well as direct modication of entities without authorization. By replacing the notion of integrity level with integrity compartments, and adding the notion of discretionary control, one obtains the full dual of Bell-LaPadula. Ryszard Janicki Intergrity Policies 13 / 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback