Mandatory access control and information flow control

Similar documents
Access Control. Discretionary Access Control

Software Security. Martín Abadi FOSAD 2012

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Labels and Information Flow

Discretionary Vs. Mandatory

Secret Sharing, Random Numbers, and Information Hiding. Prof. Tom Austin San José State University Spring 2014

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

CIS433/533 - Introduction to Computer and Network Security. Access Control

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Access Control Mechanisms

CSE Computer Security

Access Control and Protection

System design issues

Access Control Models

Security Models Trusted Zones SPRING 2018: GANG WANG

Access Control (slides based Ch. 4 Gollmann)

Computer Security. Access control. 5 October 2017

Asbestos Operating System

Information Security Theory vs. Reality

Access control models and policies

Verifiable Security Goals

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

Access Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy

Access control models and policies. Tuomas Aura T Information security technology

Computer Security 3e. Dieter Gollmann. Chapter 5: 1

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Access control models and policies

Programming with Explicit Security Policies. Andrew Myers Cornell University

Access control. Frank Piessens KATHOLIEKE UNIVERSITEIT LEUVEN

Access Control. Discretionary Access Control

Policy, Models, and Trust

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

Access Control Part 3 CCM 4350

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

CS 591: Introduction to Computer Security. Lecture 3: Policy

CSE Computer Security

SELinux. Don Porter CSE 506

A Survey of Access Control Policies. Amanda Crowell

Security Principles and Policies CS 136 Computer Security Peter Reiher January 15, 2008

8.3 Mandatory Flow Control Models

Wrapup. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

Access Control Part 1 CCM 4350

Lecture 4: Bell LaPadula

CS 161 Multilevel & Database Security. Military models of security

Security Philosophy. Humans have difficulty understanding risk

Summary. Final Week. CNT-4403: 21.April

Computer Security. 02r. Assignment 1 & Access Control Review. Paul Krzyzanowski David Domingo Ananya Jana. Rutgers University.

Server. Client LSA. Winlogon LSA. Library SAM SAM. Local logon NTLM. NTLM/Kerberos. EIT060 - Computer Security 2

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

DAC vs. MAC. Bell-Lapadula model. Security levels. Security properties. The lattice model top-secret, {Nuclear, Crypto} Straw man MAC implementation

CSC 474/574 Information Systems Security

Topics in Systems and Program Security

CSE361 Web Security. Access Control. Nick Nikiforakis

Language-Based Information- Flow Security

Advanced Systems Security: Multics

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Asset Analysis -I. 1. Fundamental business processes 2.Critical ICT resources for these processes 3.The impact for the organization if

CSE543 - Computer and Network Security Module: Virtualization

Introduction to Cryptography. Ramki Thurimella

Discretionary Access Control (DAC)

Image Steganography (cont.)

Access Control for Enterprise Apps. Dominic Duggan Stevens Ins8tute of Technology Based on material by Lars Olson and Ross Anderson

P1_L6 Mandatory Access Control Page 1

COMPUTER SECURITY: THE GOOD, THE BAD, AND THE UGLY (with applications to embedded systems)

RBAC: Motivations. Users: Permissions:

Chapter 7: Hybrid Policies

Access Control. Tom Chothia Computer Security, Lecture 5

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Access control. Frank Piessens KATHOLIEKE UNIVERSITEIT LEUVEN

DESIGNING THE GEMSOS SECURITY KERNEL FOR SECURITY AND PERFORMANCE * Dr. Roger R. Schell Dr. Tien F. Tao Mark Heckman

Security and Authorization

Defining Encryption. Lecture 2. Simulation & Indistinguishability

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Dion Model. Objects and their classification

Advanced Systems Security: Cloud Computing Security

Access Control to Information in Pervasive Computing Environments

Introduction to Computer Security

CSC 474/574 Information Systems Security

Multifactor authentication:

CSC 482/582: Computer Security. Security Policies

Mandatory Access Control

Computer Science and Artificial Intelligence Laboratory Technical Report. MIT-CSAIL-TR August 6, 2007

Computer Security 3/20/18

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

Security Basics. Ruby B. Lee Princeton University HotChips Security Tutorial August

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Information Security: Principles and Practice Second Edition. Mark Stamp

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Advanced Systems Security: Principles

Practical Mostly-Static Information Flow Control. Andrew Myers MIT Lab for Computer Science

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Lecture 15 Designing Trusted Operating Systems

[19] P. P. Chen. The Entity-Relationship Model - Towards a unified view of data. ACM Trans. Database Systems (ToDS), Vol. 1, No.

Access Control. Chester Rebeiro. Indian Institute of Technology Madras

Instructor: Jinze Liu. Fall 2008

CS 356 Lecture 7 Access Control. Spring 2013

Complex Access Control. Steven M. Bellovin September 10,

Adaptive Gateways for diverse multiple

HY-457 Information Systems Security

Transcription:

Mandatory access control and information flow control

Mandatory access controls and security levels

DAC vs. MAC Discretionary access control This is the familiar case. E.g., the owner of a file can make it accessible to anyone. This access control is intrinsically limited in saving principals from themselves. It is hard to enforce systemwide security. Mandatory access control The system assigns security attributes (labels) to both principals and objects. E.g., objects may be work or fun, and principals may be trusted or guest. These attributes constrain accesses. (Discretionary controls apply in addition.) E.g., guest principals cannot modify work objects.

MAC (cont.) MAC appeared in systems since the 1960s. Despite difficulties and disappointments, it also appears more recently, e.g., in Windows Mandatory Integrity Controls, where there are four levels for principals and objects: System integrity (e.g., system services) High integrity (e.g., administrative processes) Medium integrity (the default) Low integrity (e.g., for documents from the Internet) SELinux Security-Enhanced Linux (richer)

A manifestation: protected view of files that arrive by e-mail Applications in protected mode are subject to various restrictions. Some of these restrictions are achieved by running the applications at Low IL.

Multilevel security As in the examples, MAC is often associated with security levels. The security levels can pertain to secrecy and integrity properties in a variety of contexts. The levels need not be linearly ordered. Often, they form a partial order or a lattice. They may in part reflect a compartment structure.

A partial order System IL High IL Medium IL Low IL

Another partial order Low IL Medium IL High IL System IL

Another partial order (TopSecret, army+navy) (TopSecret, army) (Secret, army+navy) (TopSecret, navy) (Secret, army) (Secret, navy) Unclassified

Another partial order Sensitive User Information (Sensitive, Alice) Personal User Information (Sensitive, Bob) (Personal, Alice) (Personal, Bob) Public

Bell-LaPadula requirements No read-up: a principal at a given security level may not read an object at a higher security level. No write-down: a principal at a given security level may not write to an object at a lower security level. protects against Trojan horses (bad programs or other principals that work at high security levels)

Some difficulties: level creep, declassification, covert channels

Level creep Security levels may change over time. Security levels tend to creep up.

Level creep Security levels may change over time. Security levels tend to creep up. E.g.: P is a program that may run at any level. blog.html is a file of initial level Public, AliceDiary.txt is a file of initial level (Sensitive, Alice). P may start at Public and write to blog.html, then go to (Sensitive, Alice) and read AliceDiary.txt. Afterwards, P can no longer write to blog.html unless blog.html s level is raised to (Sensitive, Alice).

Level creep Security levels may change over time. Security levels tend to creep up. E.g.: P is a program that may run at any level. blog.html is a file of initial level Public, AliceDiary.txt is a file of initial level (Sensitive, Alice). P may start at Public and write to blog.html, then go to (Sensitive, Alice) and read AliceDiary.txt. Afterwards, P can no longer write to blog.html unless blog.html s level is raised to (Sensitive, Alice).

Level creep Security levels may change over time. Security levels tend to creep up. E.g.: P is a program that may run at any level. blog.html is a file of initial level Public, AliceDiary.txt is a file of initial level (Sensitive, Alice). P may start at Public and write to blog.html, then go to (Sensitive, Alice) and read AliceDiary.txt. Afterwards, P can no longer write to blog.html unless blog.html s level is raised to (Sensitive, Alice). blog.html

Level creep Security levels may change over time. Security levels tend to creep up. E.g.: P is a program that may run at any level. blog.html is a file of initial level Public, AliceDiary.txt is a file of initial level (Sensitive, Alice). P may start at Public and write to blog.html, then go to (Sensitive, Alice) and read AliceDiary.txt. Afterwards, P can no longer write to blog.html unless blog.html s level is raised to (Sensitive, Alice). AliceDiary.txt blog.html

Level creep Security levels may change over time. Security levels tend to creep up. E.g.: P is a program that may run at any level. blog.html is a file of initial level Public, AliceDiary.txt is a file of initial level (Sensitive, Alice). P may start at Public and write to blog.html, then go to (Sensitive, Alice) and read AliceDiary.txt. Afterwards, P can no longer write to blog.html unless blog.html s level is raised to (Sensitive, Alice). P AliceDiary.txt blog.html

Level creep Security levels may change over time. Security levels tend to creep up. E.g.: P is a program that may run at any level. blog.html is a file of initial level Public, AliceDiary.txt is a file of initial level (Sensitive, Alice). P may start at Public and write to blog.html, then go to (Sensitive, Alice) and read AliceDiary.txt. Afterwards, P can no longer write to blog.html unless blog.html s level is raised to (Sensitive, Alice). P AliceDiary.txt blog.html

Declassification Reclassification consists in changing the security attributes. Declassification is the case in which this is not automatically ok. Declassification is needed sometimes. E.g., the password-checking program reads a secret database and says yes/no to a user.

Declassification Reclassification consists in changing the security attributes. Declassification is the case in which this is not automatically ok. Declassification is needed sometimes. E.g., the password-checking program reads a secret database and says yes/no to a user. It is difficult because of hidden messages (in text, in pictures, )

Declassification Reclassification consists in changing the security attributes. Declassification is the case in which this is not automatically ok. Declassification is needed sometimes. E.g., the password-checking program reads a secret database and says yes/no to a user. It is difficult because of hidden messages (in text, in pictures, ) A boat, beneath a sunny sky Lingering onward dreamily In an evening of July - Children three that nestle near, Eager eye and willing ear,

Declassification Reclassification consists in changing the security attributes. Declassification is the case in which this is not automatically ok. Declassification is needed sometimes. E.g., the password-checking program reads a secret database and says yes/no to a user. It is difficult because of hidden messages (in text, in pictures, ) A L I C E

Declassification Reclassification consists in changing the security attributes. Declassification is the case in which this is not automatically ok. Declassification is needed sometimes. E.g., the password-checking program reads a secret database and says yes/no to a user. It is difficult because of hidden messages (in text, in pictures, )

Declassification Reclassification consists in changing the security attributes. Declassification is the case in which this is not automatically ok. Declassification is needed sometimes. E.g., the password-checking program reads a secret database and says yes/no to a user. It is difficult because of hidden messages (in text, in pictures, )

Declassification Reclassification consists in changing the security attributes. Declassification is the case in which this is not automatically ok. Declassification is needed sometimes. E.g., the password-checking program reads a secret database and says yes/no to a user. It is difficult because even the act of declassification may reveal some information

Declassification Reclassification consists in changing the security attributes. Declassification is the case in which this is not automatically ok. Declassification is needed sometimes. E.g., the password-checking program reads a secret database and says yes/no to a user. It is difficult. It is a special process, often manual.

Mutual distrust Consider a Web service S that offers information to users (e.g., advice or ads). S relies on proprietary information and user data (e.g., financial data, preferences, email, clicks). What is a reasonable policy? Who can declassify what? Alice Bob S Web medicine service Proprietary knowledge, user logs, business data,

Covert channels Covert channels are communication channels for which the model does not account and which were not intended for communication. E.g., programs may communicate by the use of shared resources: By varying its ratio of computing to input/output or its paging rate, the service can transmit information which a concurrently running process can receive by observing the performance of the system. Lampson, 1973 The service may be a Trojan horse, without network access. The concurrently running process may have a lower level and send any information that it receives on the network.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback