Lecture 4: Bell LaPadula

Similar documents
Access Control Part 3 CCM 4350

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Access Control (slides based Ch. 4 Gollmann)

Discretionary Vs. Mandatory

Information Security CS526

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Security Models Trusted Zones SPRING 2018: GANG WANG

Complex Access Control. Steven M. Bellovin September 10,

Access control models and policies. Tuomas Aura T Information security technology

CS 392/ CS Computer Security. Nasir Memon Polytechnic University Module 7 Security Policies

CS590U Access Control: Theory and Practice. Lecture 5 (January 24) Noninterference and Nondeducibility

Computer Security. Access control. 5 October 2017

Access Control. Discretionary Access Control

Access control models and policies

Mandatory Access Control

Mechanisms. Entity or procedure that enforces some part of the security policy

Access Control Models

Access control models and policies

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Computer Security 3e. Dieter Gollmann. Chapter 5: 1

Labels and Information Flow

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

CS 591: Introduction to Computer Security. Lecture 3: Policy

P1_L6 Mandatory Access Control Page 1

CCM Lecture 14. Security Models 2: Biba, Chinese Wall, Clark Wilson

Policy, Models, and Trust

CSE Computer Security

Access Control Mechanisms

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Verifiable Security Goals

Advanced Systems Security: Multics

Asset Analysis -I. 1. Fundamental business processes 2.Critical ICT resources for these processes 3.The impact for the organization if

Information Security Theory vs. Reality

Lecture 5: Integrity Models

Access Control Models Part II

Dion Model. Objects and their classification

Access Control. Steven M. Bellovin September 2,

CSE361 Web Security. Access Control. Nick Nikiforakis

A SECURITY MODEL FOR MILITARY MESSAGE SYSTEMS

Modelling Downgrading in Information Flow Security. A. Bossi, C. Piazza, and S. Rossi. Dipartimento di Informatica Università Ca Foscari di Venezia

Chapter 6: Integrity Policies

Access Control. Steven M. Bellovin September 13,

Security Principles and Policies CS 136 Computer Security Peter Reiher January 15, 2008

System design issues

CIS433/533 - Introduction to Computer and Network Security. Access Control

Chapter 7: Hybrid Policies

Issues of Operating Systems Security

Chapter 15: Information Flow

8.3 Mandatory Flow Control Models

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Theoretical Corner: The Non-Interference Property

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Summary. Final Week. CNT-4403: 21.April

Intergrity Policies CS3SR3/SE3RA3. Ryszard Janicki. Outline Integrity Policies The Biba Integrity Model

Advanced Systems Security: Principles

Access Control Part 1 CCM 4350

Asbestos Operating System

CSE509: (Intro to) Systems Security

Advanced Systems Security: Principles

Lecture 21. Isolation: virtual machines, sandboxes Covert channels. The pump Why assurance? Trust and assurance Life cycle and assurance

Computer Security. 02. Operating System Access Control. Paul Krzyzanowski. Rutgers University. Spring 2018

Advanced Systems Security: Security Goals

Security Basics. Ruby B. Lee Princeton University HotChips Security Tutorial August

Database Security. Authentification: verifying the id of a user. Authorization: checking the access privileges

Security for Multithreaded Programs under Cooperative Scheduling

CS52600: Information Security

Data quality attributes in network-centric systems

A Multilevel Secure Object- Oriented Data Model

May 1: Integrity Models

Mandatory access control and information flow control

Formal Verification. Lecture 10

Intrusion Detection Types

? Resource. Outline. Lecture 9: Access Control and Operating System Security. Access control. Access control matrix. Two implementation concepts

CSE Computer Security (Fall 2006)

F.f..- HEWLETT. A Multilevel Security Model for a Distributed Object-Oriented System

[19] P. P. Chen. The Entity-Relationship Model - Towards a unified view of data. ACM Trans. Database Systems (ToDS), Vol. 1, No.

The Evolution of Secure Operating Systems

Involved subjects in this presentation Security and safety in real-time embedded systems Architectural description, AADL Partitioned architectures

INCREMENTAL SOFTWARE CONSTRUCTION WITH REFINEMENT DIAGRAMS

A Survey of Access Control Policies. Amanda Crowell

CSE Computer Security

Access Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy

Compositional Security Evaluation: The MILS approach

New Guidance on Privacy Controls for the Federal Government

Internet Engineering Task Force (IETF) Request for Comments: 7204 Category: Informational April 2014 ISSN:

CSC 482/582: Computer Security. Security Policies

CS 591: Introduction to Computer Security. Lecture 13: Evaluation

CS 591: Introduction to Computer Security. Lecture 13: Evaluation

Lecture 11 Lecture 11 Nov 5, 2014

CS 356 Lecture 7 Access Control. Spring 2013

Chapter 18: Evaluating Systems

Advanced Systems Security: Integrity

SECURITY FOR NEXT GENERATION HYPERTEXT SYSTEMS

Lattice Tutorial Version 1.0

CS422 - Programming Language Design

Advanced Systems Security: Principles

CS2 Algorithms and Data Structures Note 10. Depth-First Search and Topological Sorting

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Discretionary Vs. Mandatory

A Practical Transaction Model and Untrusted Transaction Manager for a Multilevel-Secure Database System

Transcription:

CS 591: Introduction to Computer Security Lecture 4: Bell LaPadula James Hook

Objectives Introduce the Bell LaPadula framework for confidentiality policy Discuss realizations of Bell LaPadula

References: Bell retrospective Anderson Chapter 8 (first edition Chapter 7) Bishop Chapter 5

Access Control Policies Discretionary Access Control (DAC) An individual user can set allow or deny access to an object Mandatory Access Control (MAC) System mechanism controls access User cannot alter that access Originator Controlled Access Control (ORCON) Access control set by creator of information Owner (if different) can t alter AC Like copyright

Background Clearance levels Top Secret In-depth background check; highly trusted individual Secret Routine background check; trusted individual For Official Use Only/Sensitive No background check, but limited distribution; minimally trusted individuals May be exempt from disclosure Unclassified Unlimited distribution Untrusted individuals

Background Clearance levels are only half the story They give a level of trust of the subject The need to know policy provides an orthogonal structure called compartmentalization A category (or compartment) is a designation related to the need to know policy Examples: NUC: Nuclear EUR: Europe ASI: Asia

Categories and Coalitions Categories can be critical in complex coalitions The US may have two allies that do not wish to share information (perhaps Israel and Saudi Arabia) Policy must support: Top Secret, Israel Top Secret, Saudi Arabia Top Secret, Israel and Saudi Arabia (probably very few people in this set)

Classification Systems Both notions of classification induce a partial order TS is more trusted that S You can only see information if you are cleared to access all categories that label it Mathematicians Bell and LaPadula picked a lattice structure as a natural model for security levels

Partially Ordered Set A Set S with relation (written (S, ) is called a partially ordered set if is Anti-symmetric If a b and b a then a = b Reflexive For all a in S, a a Transitive For all a, b, c. a b and b c implies a c

Poset examples Natural numbers with less than (total order) Sets under the subset relation (not a total order) Natural numbers ordered by divisibility

Lattice Partially ordered set (S, ) and two operations: greatest lower bound (glb X) Greatest element less than all elements of set X least upper bound (lub X) Least element greater than all elements of set X Every lattice has bottom (glb L) a least element top (lub L) a greatest element

Lattice examples Natural numbers in an interval (0.. n) with less than Also the linear order of clearances (U FOUO S TS) The powerset of a set of generators under inclusion E.g. Powerset of security categories {NUC, Crypto, ASI, EUR} The divisors of a natural number under divisibility

New lattices from old The opposite of a lattice is a lattice The product of two lattices is a lattice The lattice of security classifications used by Bishop is the product of the lattice of clearances and the lattice of sets generated from the categories (compartments)

Mandatory Access Control In a MAC system all documents are assigned labels by a set of rules Documents can only be relabeled under defined special circumstances Violations of the policy are considered very serious offenses (criminal or treasonous acts)

Bell LaPadula Context Pre-Anderson report policy was not to mix data of different classifications on a single system Still a good idea if it meets your needs Anderson report identified on-line multi-level secure operation as a goal of computer security

From Paper to Computers How to apply MAC to computers? Documents are analogous to objects in Lampson s Access Control model Every object can be labeled with a classification Cleared personnel are analogous to subjects Every subject can be labeled with a clearance What about processes?

Note on subject labels A person is generally cleared up to a level Cross level communication requires that a person be able to interact below their level of clearance Subjects are given two labels: The maximum level The current level Current never exceeds maximum We will focus on static labelings A subject will not dynamically change their current level

Bell LaPadula Task was to propose a theory of multilevel security supported by a mechanism implemented in an Anderson-style reference monitor prevents unwanted information flow

BLP model Adapt Lampson ACM Characterize system as state machine Characterize key actions, such as file system interaction, as transitions Classify actions as observation (reads) alteration (writes) [Aside: How to classify execute?] Show that only safe states are reachable

Simple Security The simple security property The current level of a subject dominates the level of every object that it observes This property strongly analogous to paper systems It is referred to by the slogan no read up

Problem Figure from Bell 2005

Problem Simple Security does not account for alterations (writes) Another property is needed to characterize alterations

* - Property Figure from Bell 2005

*- Property In any state, if a subject has simultaneous observe access to object-1 and alter access to object-2, then level (object-1) is dominated by level (object-2). From BLP 1976, Unified Exposition Slogan: No write down

Discretionary In addition to the MAC mechanisms of the simple security and *-properties, the BLP model also has a discretionary component All accesses must be allowed by both the MAC and discretionary rules

BLP Basic Security Theorem If all transitions (consdiered individually) satisfy simple security property * - property discretionary security property Then system security is preserved inductively (that is, all states reached from a secure state are secure )

Bell Retrospective Note: This presentation and Bishop largely follow unified exposition How did the *-property evolve? Where did current security level come from?

Bell Discussion What was the motivating example of a trusted subject Explain the concept How must the BLP model be adapted? Bell s paper changes mode in Section 5 transitions from description of BLP to reflections on impact Will return to these topics periodically

Systems Built on BLP BLP was a simple model Intent was that it could be enforced by simple mechanisms File system access control was the obvious choice Multics implemented BLP Unix inherited its discretionary AC from Multics

BLP in action Bishop describes Data General B2 UNIX system in detail Treatment addresses: Explicit and implicit labeling (applied to removable media) Multilevel directory management Consider challenges of a multilevel /tmp with traditional UNIX compilation tools MAC Regions (intervals of levels)

MAC Regions A&A database, audit Administrative Region Hierarchy levels VP 1 VP 2 VP 3 VP 4 VP 5 User data and applications Site executables User Region Trusted data Virus Prevention Region Executables not part of the TCB Executables part of the TCB Reserved for future use Categories IMPL_HI is maximum (least upper bound) of all levels IMPL_LO is minimum (greatest lower bound) of all levels Slide from Bishop 05.ppt

Discussion When would you choose to apply a model this restrictive?

Criticisms of Bell LaPadula BLP is straightforward, supports formal analysis Is it enough? McLean wrote a critical paper asserting BLP rules were insufficient

McLean s System Z Proposed System Z = BLP + (request for downgrade) User L gets file H by first requesting that H be downgraded to L and then doing a legal BLP read Proposed fix: tranquility Strong: Labels never change during operation Weak: Labels never change in a manner that would violate a defined policy

Alternatives Goguen & Meseguer, 1982: Noninterference Model computation as event systems Interleaved or concurrent computation can produce interleaved traces High actions have no effect on low actions The trace of a low trace of a system is the same for all high processes that are added to the mix Problem: Needs deterministic traces; does not scale to distributed systems

Nondeducibility Sutherland, 1986. Low can not deduce anything about high with 100% certainty Historically important, hopelessly weak Addressed issue of nondeterminism in distributed systems

Intranstitive non-interference Rushby, 1992 Updates Goguen & Meseguer to deal with the reality that some communication may be authorized (e.g. High can interefere with low if it is mediated by crypto)

Ross Anderson on MLS the contribution of the MLS model is not all positive. There is a tactical problem, and a strategic one. The tactical problem is that the existence of trusted system components has a strong tendency to displace critical thought. MLS systems, by making the classification process easier but controlled data sharing harder, actually impair operational effectiveness. [Comments at end of 7.6 in first edition]

Looking forward Integrity Policies Anderson Chapter 9 Brewer and Nash, The Chinese Wall Security Policy, IEEE Symposium on Research in Security and Privacy, May 1989. Information Warfare NY Times, March 29 article on Information Warfare, http://www.nytimes.com/2009/03/29/technology/29spy.html? emc=eta1 Nagaraja and Anderson, The snooping dragon: social-malware surveillance of the Tibetan movement, University of Cambridge Technical Report, http://www.cl.cam.ac.uk/techreports/ucam-cl-tr-746.html 10/7/09 13:25!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback